

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #11

February 08, 2011

TOP OF THE NEWS

Hacktivists Cross the Line in Attack on Security Services Firm
UK Government Systems Under Attack, Says Foreign Secretary
NASDAQ Attacked, But Trading Platform Unaffected

THE REST OF THE WEEK'S NEWS

Mass Filesharing Law Suits Continue
One-third of EU Internet Users Report Malware Infection
Russian Man Pleads Guilty in RBS World Pay Case
Sony Aggressively Pursuing PS3 Jailbreak Code Case
Anti-Piracy Law Firm and Client Both No Longer in Business
Group Proposes Cyber Warfare "Geneva and Hague Conventions"
NIST Issues Draft Documents on Cloud Computing


*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2. With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011. 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011. 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 26-April 4, 2011. 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011. 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Singapore, Wellington and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

Hacktivists Cross the Line in Attack on Security Services Firm (February 7, 2011)

A security services company that does classified work for the US government has come under attack. Email messages of executives at HBGary Federal were posted to the Internet by a loosely organized hacking group that calls itself Anonymous. The group also allegedly broke into the Twitter accounts of several HBGary Federal employees and posted offensive comments in their names. Anonymous gained notoriety in recent months for launching distributed denial-of-service (DDoS) attacks against organizations that HBGary Federal's head of security services was quoted in a news story as saying that he had discovered the identities of Anonymous's leaders and planned to share information with the FBI. HBGary co-founder Greg Hoglund noted that Anonymous has ventured into new territory with this action: "Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistleblower. But now, we have a situation where they're committing a federal crime, stealing private data and posting it on a torrent."
-http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/
-http://www.wired.com/threatlevel/2011/02/anonymous-hacks-hbgary/
-http://news.cnet.com/8301-1009_3-20030849-83.html
[Editor's Comment (Northcutt): So many of the stories carried in this edition illustrate that the law and enforcement of the law just can't keep up with technology and technology being used in an inappropriate manner. Yet, there are also so many stories of people being caught and prosecuted (George Hotz, Adrian Assange) where again, the law seems to be trying hard to catch up with technology and ability. Only one group is sure to benefit: lawyers. ]

British Government Systems Under Attack, Says Foreign Secretary (February 4 & 7, 2011)

UK officials now believe that a rash of malware-laden emails that appeared to come from the US White House actually originated in China. The messages arrived in the inboxes of British officials late last year. They included links that could download ZeuS malware onto the users' computers. It had been unclear whether the attackers had compromised White House email accounts to send the messages, or whether they crafted accounts that looked like they came from the White House. British Foreign Secretary William Hague spoke about cyber attacks on UK government systems at an international security summit in Munich this week.
-http://fcw.com/articles/2011/02/07/alleged-white-house-email-cyberincident-now-called-spoof-attack-from-china.aspx?admgarea=TC_SECCYBERSEC
-http://www.silicon.com/technology/security/2011/02/07/hague-details-cyber-attacks-on-whitehall-39746929/
-http://www.v3.co.uk/v3/news/2274616/hague-cyber-attack-government

NASDAQ Attacked, But Trading Platform Unaffected (February 5, 6 & 7, 2011)

Attackers managed to gain access to the computer systems of the company that runs the NASDAQ stock exchange, but did not gain access to the portion of the system that manages trading. The attack was discovered after NASDAQ OMX noticed unusual files on US servers. The breach occurred through a web-based application called Director's Desk that allows companies to store and share information.
-http://www.v3.co.uk/v3/news/2274617/hackers-nasdaq-financial-system
-http://www.nytimes.com/2011/02/07/business/07nasdaq.html?scp=4&sq=nasdaq&st=cse
-http://www.zdnet.com/blog/security/nasdaq-confirms-servers-hacked-via-web-facing-application/8087
-http://www.h-online.com/security/news/item/Report-Hackers-break-into-NASDAQ-US-stock-exchange-Update-1184318.html
-http://www.computerworld.com/s/article/9208358/Report_Nasdaq_systems_were_hacked_last_year?taxonomyId=203




THE REST OF THE WEEK'S NEWS

Mass Filesharing Law Suits Continue (February 7, 2011)

In 2010, nearly 100,000 people in the US were sued for alleged illegal filesharing. Of the 80 mass lawsuits filed, 68 are still active; those suits target nearly 71,000 individuals. The practice of mass lawsuits, which allows the copyright holder to avoid the cost of filing suits against every individual, has been called predatory.
-http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=229201274&subSection=Security

One-third of EU Internet Users Report Malware Infection (February 7, 2011)

One-third of Internet users in the European Union experienced malware infections, according to statistics gathered by the EU. The countries with the highest rates of infection were Bulgaria, where 58 percent of users reported infections, and Malta, Slovakia, Hungary and Italy, where about half of all users reported infections. Those with the lowest rates were Ireland and Austria, with about a 15 percent infection rate. The statistics were compiled by users reporting infections, so the actual rate of infection is likely to be even higher. Eighty-four percent of the more than 200,000 people surveyed said they have some sort of anti-malware technology in place.
-http://www.v3.co.uk/v3/news/2274618/eu-safer-internet-day-cyber
-http://www.reuters.com/article/2011/02/07/uk-life-eu-virus-idUSLNE71605W20110207

Russian Man Pleads Guilty in RBS World Pay Case (February 7, 2011)

A Russian man has pleaded guilty to stealing US $10 million from RBS World Pay (formerly a division of Royal Bank of Scotland). Yevgeny Anikin is believed to be part of a group that orchestrated a complex cyber heist involving simultaneous fraudulent withdrawals from ATMs in Europe, the US and Asia. The scheme involved breaking into bank systems and raising the maximum daily withdrawal limit on the targeted accounts. The trial is being held in Siberia. Another man involved in the scheme was sentenced to six years in prison by a court in St. Petersburg, Russia.
-http://www.net-security.org/secworld.php?id=10543
-http://ca.reuters.com/article/technologyNews/idCATRE7162J920110207
[Editor's Note (Honan): Unfortunately it appears that although Anikin pleaded guilty he has avoided jail with a suspended sentence. The leniency of the sentencing highlights the challenges faced in the international fight against these criminals.
-http://www.zdnet.com/blog/security/hacker-3-escapes-jail-time-in-rbs-worldpay-atm-heist/8096
]

Sony Aggressively Pursuing PS3 Jailbreak Code Case (February 7, 2011)

Sony is threatening legal action against people who have posted or otherwise distributed jailbreak code for its PlayStation 3 (PS3) gaming console. The company has also demanded that a federal judge order Google to hand over IP addresses and other information that could identify people who have viewed and/or commented on a PS3 jailbreak video on YouTube, and that Twitter surrender the identities of people who released a limited version of the jailbreak late last year. All the demands are part of pre-trial discovery in Sony's case against George Hotz, who allegedly published the code and video in January.
-http://www.wired.com/threatlevel/2011/02/sony-lawsuit-factory/
-http://www.wired.com/images_blogs/threatlevel/2011/02/googlehotz.pdf
-http://www.wired.com/images_blogs/threatlevel/2011/02/hotzexpedition.pdf

Anti-Piracy Law Firm and Client Both No Longer in Business (February 4 & 7, 2011)

ACS:Law, the UK firm that has made headlines for sending threatening letters to suspected illegal filesharers, has shut down, according to TorrentFreak. The move comes just before an important court ruling. ACS:Law had brought 27 cases to court, but then attempted to drop the cases before evidence was heard. The defendants' legal representatives do not want the case dropped, as their clients hope to recover damages. Documents show that ACS:Law and its only piracy client, Media CAT, which licenses pornography, both shut down as of January 31, 2011. ACS:Law owner Andrew Crossley had recently said that his firm was planning to stop piracy litigation after he and his family were threatened. Crossley remains under investigation regarding the letters. An investigation by the UK Information Commissioner's Office into a breach that led to the exposure of personal information of thousands of people through the ACS:Law website could also result in a fine.
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/acslaw-chief-still-being-investigated-over-letters-10021635/
-http://www.pcpro.co.uk/news/365029/file-sharing-lawyers-acs-law-shuts-down
-http://www.smh.com.au/technology/technology-news/filesharing-case-hunter-becomes-the-hunted-20110207-1ajb6.html

Group Proposes Cyber Warfare "Geneva and Hague Conventions" (February 4 & 7, 2011)

The EastWest Institute presented a proposal for Geneva and Hague Convention equivalents for cyber warfare at the Munich Security Conference. The proposal is the product of a joint initiative between the US and Russia.
-http://it.tmcnet.com/topics/it/articles/142439-eastwest-calls-rendering-geneva-hague-conventions-cyberspace.htm
-http://blogs.wsj.com/tech-europe/2011/02/04/calls-for-geneva-convention-in-cyberspace/

-http://www.v3.co.uk/v3/news/2274601/cyber-war-rules-engagement
-http://www.theregister.co.uk/2011/02/04/cyberwar_rules_of_engagement/
-http://news.bbc.co.uk/2/hi/programmes/newsnight/9386445.stm

NIST Issues Draft Documents on Cloud Computing (February 3 & 4, 2011)

The National Institute of Standards and Technology (NIST) has issued two draft documents regarding cloud computing. Special Publication 800-145 defines cloud computing, while Special Publication 800-144 establishes security and privacy guidelines for cloud computing deployment. NIST will accept comments on the documents through February 28, 2011.
-http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=229201197&subSection=Security
-http://www.computerworld.com/s/article/9207964/NIST_report_aims_to_help_U.S._agencies_deploy_cloud_apps
-http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
-http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/