SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #13

February 15, 2011

Cool new program: April 18-19
The National Cybersccurity Innovation Conference (NCIC)
Featuring Real-World Case Studies of Continuous Monitoring for FISMA and
secure cloud computing. NCIC 2011 is the only conference where the
sessions are nearly all users. You get to learn exactly how
organizations have made the transition from wasted FISMA reporting to
continuous monitoring and also how organizations have made cloud
computing far more secure. Email apaller@sans.org if you have a good
case study that which should be included.
More data at http://www.sans.org/cyber-security-innovations-2011/

---

TOP OF THE NEWS

Stuxnet Had Five Targets
BofA Denies Involvement with Plan to Muzzle WikiLeaks
Firefox 4 Beta Incorporates Do Not Track Technology

THE REST OF THE WEEK'S NEWS

Federal Agents Seize 18 Domains Linked to Counterfeit Fashion Accessories
Alleged Nintendo Hacker Arrested in Spain
Image Hosting Site Thwarts Spammers
NSW Ambulance Dispatch System Hit With Malware
Former Microsoft Manager Sued for Allegedly Stealing Cloud Strategy Docs
eHarmony Site Attacked

---

*************************************************************************
TRAINING UPDATE
-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2 With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Singapore, Wellington, Barcelona and Amsterdam all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************ Sponsored by Adobe Systems **********************
The Adobe Product Security Incident Response Team (PSIRT) works to identify the appropriate response plan to all security issues reported on Adobe products. This includes mitigation procedures, patch schedules, and detailed advisories. Learn more about how Adobe PSIRT helps with vulnerability resolution and threat mitigation in our products to help you better manage security threats. http://www.sans.org/info/70683
***************************************************************************

---

TOP OF THE NEWS

Stuxnet Had Five Targets (February 11 & 14, 2011)

According to a report from Symantec, the Stuxnet worm was designed to attack five distinct industrial facilities in Iraq. The attacks were launched from a base of 10 infected machines and were responsible for 12,000 infections. The attacks took place over a 10-month period. Researchers also learned that Stuxnet is structured to store the location and type of machine infected.
-http://www.theregister.co.uk/2011/02/14/stuxnet_targeted_5_factories/
-http://www.nytimes.com/2011/02/13/science/13stuxnet.html?ref=science
-http://www.computerworld.com/s/article/9209160/Stuxnet_struck_five_targets_in_Ir
an_say_researchers?taxonomyId=82
-http://www.wired.com/threatlevel/2011/02/stuxnet-five-main-target/
-http://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Fe
b-2011.pdf
-http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID
=229218562&subSection=Security
[Editor's Comment (Northcutt): Actually, it is better to read this directly from the Symantec paper:
-http://www.symantec.com/connect/blogs/updated-w32stuxnet-dossier-available
-http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
pers/w32_stuxnet_dossier.pdf]

BofA Denies Involvement with Plan to Muzzle WikiLeaks (February 11, 2011)

A spokesperson for Bank of America (BofA) said that his company has "never seen ... and
[has ]
no interest in" a presentation regarding "proactive tactics" to prevent WikiLeaks and Julian Assange from releasing potentially damaging documents related to a major US bank. The presentation and associated emails were posted to the Internet over the weekend and appear to have been stolen from HBGary by the Anonymous hacking collective. The documents suggest that a US law firm and three data intelligence companies were working together to help BofA stop Assange and WikiLeaks from publishing damaging information.
-http://content.usatoday.com/communities/technologylive/post/2011/02/bofa-denies-
connection-to-proactive-tactics-to-silence-wikileaks/1

Firefox 4 Beta Incorporates Do Not Track Technology (February 10, 2011)

Mozilla has issued the eleventh beta release of Firefox 4, which includes a Do Not Track feature announced last month. When the feature is enabled, each HTTP page request receives information that lets the site know the user does not want to be tracked. Mozilla plans one more beta version of Firefox and expects to release a final version of the browser by the end of this month.
-http://www.computerworld.com/s/article/9208944/Mozilla_adds_Do_Not_Track_to_newe
st_Firefox_4_beta?taxonomyId=84

---

*************************** Sponsored Links: *****************************

1) Win a $250 American Express Gift Card: Take the SANS 2011 Annual Log Management Survey here: http://www.sans.org/info/70688 The results will be released on April 25 and 26 during a two-part live webcast Series, featuring SANS analysts Jerry Shenk and Dave Shackleford, here http://www.sans.org/info/70693 and here http://www.sans.org/info/70698.

2) New SANS Analyst Whitepaper: "Compliance and Security Challenges with Remote Administration," by Dave Shackleford. http://www.sans.org/reading_room/analysts_program/netop-02-2011.pdf For more SANS analysts papers on critical technology topics, visit http://www.sans.org/info/70703.

3) Early Bird Discount $400! Register early for additional savings at the beautiful Hyatt Regency! http://www.sans.org/info/69748
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Federal Agents Seize 18 Domains Linked to Counterfeit Fashion Accessories (February 14, 2011)

Agents of the US government have seized an additional 18 domains that have been linked to piracy, bringing the total seized under Operation in Our Sites to nearly 120. The sites affected today allegedly sold counterfeit jewelry, handbags and other fashion accessories. The action was taken with no advance warning to the sites. Two weeks ago, the same agencies seized 10 domains associated with providing pirated sporting event content.
-http://www.wired.com/threatlevel/2011/02/eighteen-domains-seized/
-http://www.ice.gov/news/releases/1102/110214washingtondc.htm

Alleged Nintendo Hacker Arrested in Spain (February 14, 2011)

Authorities in Spain have arrested a man who allegedly broke into a database, stole customer information and threatened to expose the company's poor cyber security if the company did not comply with his demands, which have not been disclosed. The breach compromised personally identifiable information of 4,000 users. When Nintendo did not respond to his demands, the man allegedly leaked some of the information online.
-http://www.bbc.co.uk/news/technology-12456922
-http://www.pcworld.com/businesscenter/article/219598/spanish_police_arrest_alleg
ed_nintendo_hacker.html

Image Hosting Site Thwarts Spammers (February 13 & 14, 2011)

After image hosting website Image Shack became aware that spammers were using certain images to get users to click on potentially malicious links, they figured out a method to replace many of those images with others that alert users that they are being scammed and warn them not to click on the images or conduct any business with the site advertised. Within an hour of the suspect images being reported, Image Shack switched them out for the warnings.
-http://www.bbc.co.uk/news/technology-12450348
-http://krebsonsecurity.com/2011/02/imageshack-swaps-spam-pages-for-scam-alerts/
[Editor's Comment (Northcutt): The notorious spammer Kuvayev is credited with the invention of sending spam as image files to avoid Bayesian filtering for spam. If a few more image hosting sites follow in Image Shack's footsteps the Internet could be a better place.
-http://krebsonsecurity.com/2010/08/spam-king-leo-kuvayev-jailed-on-child-sex-cha
rges/
-http://www.process.com/precisemail/bayesian_filtering.htm]

NSW Ambulance Dispatch System Hit With Malware (February 13 & 14, 2011)

The Computer Aided Dispatch System for New South Wales (Australia) ambulances was recently infected with malware. Staff members managed calls manually and others worked to remove the offending code from the computer system. The general manager of operations said it did not appear that any emergency calls were delayed. The system had been restored and was running as usual as of Monday afternoon. The infection is likely to have been transmitted through an infected USB drive.
-http://www.smh.com.au/technology/security/nsw-ambulance-service-recovers-from-co
mputer-virus-20110214-1ate0.html
-http://www.theregister.co.uk/2011/02/13/ambulance_system_virus/

Former Microsoft Manager Sued for Allegedly Stealing Cloud Strategy Docs (February 10 & 11, 2011)

Attorneys for Microsoft have filed a motion in Washington State Superior Court alleging that former market development manager Matt Miszewski lied about keeping a significant number of documents related to the company's cloud computing and customer relationship management (CRM) services. Microsoft sued Miszewski in January for violating non-compete and confidentiality agreements after he accepted a new position at salesforce.com, a rival company in the cloud computing and CRM markets. The judge issued a restraining order blocking Miszewski's move to the new company. Miszewski told Microsoft that he took only personal items when he resigned on December 3, 2011, but pre-trial discovery turned up the 25,000-page cache of documents.
-http://www.computerworld.com/s/article/9209119/Microsoft_accuses_former_manager_
of_stealing_600MB_of_confidential_docs?taxonomyId=144
-http://blog.seattlepi.com/microsoft/2011/02/10/microsoft-has-well-grounded-fear-
ex-exec-would-share-secrets/

eHarmony Site Attacked (February 10, & 11 2011)

An attack on an advice site for Internet dating site eHarmony has prompted the company to urge users to change their passwords. The attack is believed to have been perpetrated by an attacker from Argentina who recently conducted a similar attack on the PlentyOfFish Internet dating site. The hacker used an SQL injection attack on a secondary eHarmony website, eHarmony Advice, to gain access to a file that contained user names, email addresses and hashed passwords. eHarmony said that the database that was breached is separate from the dating site database.
-http://krebsonsecurity.com/2011/02/eharmony-hacked/
-http://www.scmagazineus.com/eharmony-advice-site-hacked-to-expose-user-informati
on/article/196216/
-http://www.pcmag.com/article2/0,2817,2380120,00.asp

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/