
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #18

March 04, 2011

TOP OF THE NEWS

Manning Faces New Charges, Including Capital Offense
Google Pulls Infected Apps From Android Marketplace
Firefox, Chrome Updates Ahead of Hacking Contest
Solid State Drive Firmware Destroys Data

THE REST OF THE WEEK'S NEWS

Gmail Accounts Nearly All Restored
Microsoft to Patch Four Flaws on March 8
Cyber Crime Forum Leaders Sentenced
WordPress Targeted by Massive DDoS Attack
Former Employee Gets House Arrest for Breaking Into Company Network
Seven-Year Sentence for Premium Number Modem Dialing Scheme


*****************************************************************
TRAINING UPDATE

- -- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

- -- SANS 2011, Orlando, FL, March 26-April 4, 2011 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************** Sponsored by SANS *****************************

Sponsored by SANS Technology Institute

Courses at SANS Ottawa: Did you know the most successful professionals have solid short term plans for 6 months to a year ahead? Start planning now to get approval to attend SANS Ottawa 2011, August 28 - September 2, 2011. Choose from vigorous Audit, Security, or Forensics courses, taught by some of our best instructors. http://www.sans.org/info/69713

****************************************************************************

TOP OF THE NEWS

Manning Faces New Charges, Including Capital Offense (March 2, 2011)

Bradley Manning, the soldier believed to have leaked cables to Wikileaks, has been charged by the US government with 22 new counts, including two counts of computer fraud, eight counts of transmitting defense information in violation of the Espionage Act, five other charges of violating Army computer security regulations and one count of wrongfully causing intelligence to be published on the internet knowing it would be accessible to the enemy. The last count is a capital offense. While the government's prosecution team said it does not plan to ask for the death penalty, the final decision of whether or not to impose the death penalty rests with the convening authority.
-http://www.wired.com/threatlevel/2011/03/bradley-manning-more-charge/

Google Pulls Infected Apps From Android Marketplace (March 2 & 3, 2011)

Google has removed more than 50 apps from Android Market after discovering they had been infected with malware. The malware has the capability of gaining root access to infected devices and stealing information. Users had downloaded between 50,000 and 200,000 copies of the infected apps before they were pulled. They were all infected with the same malware and had been available on Android Market for about four days. Another malware-infected app made news recently, but that one, called Steamy Window, was offered on a third-party site rather than Android Market. Although Google has the capacity to automatically uninstall apps from the phones, it has not initiated that procedure yet in this case.
-http://www.bbc.co.uk/news/technology-12633923
-http://www.computerworld.com/s/article/9212598/Google_yanks_over_50_infected_apps_from_Android_Market?taxonomyId=17

-http://www.wired.com/threatlevel/2011/03/android-malware/
[Editor's Note (Pescatore): Google takes a much more "buyer beware" approach with the Android Market than Apple does with its App Store. I think there is a lot of app fatigue out there - having 1,000 choices in bird war games vs. 1,010 choices is preferred by most if they can be sure none of the games are really password stealers or bot malware. ]

Firefox, Chrome Updates Ahead of Hacking Contest (March 1, 2 & 3, 2011)

In preparation for the Pwn2Own contest next week at the CanSecWest security conference, Mozilla and Google have issued updates for their browsers. Mozilla's update for Firefox fixed 11 security issues. Google's update for Chrome fixed 19 security issues. Apple is likely to issue an update for its Safari browser before the contest, which offers cash prizes for finding vulnerabilities in the browsers. Microsoft does not plan to update Internet Explorer (IE) before the contest.
-http://www.h-online.com/security/news/item/Mozilla-issues-Firefox-Thunderbird-security-updates-1200543.html
-http://www.computerworld.com/s/article/9212479/Mozilla_follows_Google_patches_Firefox_as_prep_for_Pwn2Own?taxonomyId=17
-http://www.h-online.com/security/news/item/19-vulnerabilities-Chrome-9-update-proves-expensive-for-Google-1199922.html
-http://www.computerworld.com/s/article/9212079/Google_patches_19_Chrome_bugs_week_before_Pwn2Own_hacking_contest?taxonomyId=82
-http://www.computerworld.com/s/article/9213018/Apple_to_patch_Safari_before_Pwn2Own_say_researchers?taxonomyId=17
-http://www.computerworld.com/s/article/9213078/Microsoft_won_t_patch_IE_before_Pwn2Own?taxonomyId=17

[Editor's Note (Schultz): Microsoft has done a great job of improving the security of Internet Explorer over the last few years. I would not be surprised if IE emerged as the winner of the upcoming Pwn2Own contest. ]

Solid State Drive Firmware Destroys Data (March 1 & 2, 2011)

Researchers in Australia have published a study that calls into question the integrity of data stored on solid state drives (SSDs) as reliable evidence in court. The researchers found that data stored on SSDs are subject to "self-corrosion" through firmware with purging algorithms that conduct "garbage collecting" on files marked for deletion. The firmware is designed to optimize data storage efficiency on the drives. While the findings of this research appear at first glance to be at odds with a study that said it is difficult to satisfactorily purge data from SSDs, both studies call into question the reliability of either process.
-http://www.cio.com.au/article/378293/ssd_firmware_destroys_digital_evidence_researchers_find/
-http://www.theregister.co.uk/2011/03/01/self_destructing_flash_drives/
[Editor's Comment (Northcutt): Solid state drives offer great advantages, but we do not know as much about how they work as we should. I found a link that helped me start to understand the issues. I am not picking sides and not saying these presentations are 100% accurate, though Scott Moulton is a brilliant guy, but I was going for the general gist:
-http://www.myharddrivedied.com/presentations-resources/solid-state-drives-will-ruin-forensics
]


*************************** Sponsored Links: *****************************

1) Only 2 weeks left to receive your $250 Early Bird Discount: SANS North Virginia 2011 http://www.sans.org/info/69698

2) This is your last chance to take the SANS Log Management Survey and Be Entered to Win a $250 American Express Gift Card. Go here to take the survey: http://www.sans.org/info/71884

****************************************************************************

THE REST OF THE WEEK'S NEWS

Gmail Accounts Nearly All Restored (March 3, 2011)

Five days after a problem caused some Gmail accounts to appear to be emptied of their stored communication, Google says that nearly all affected accounts have been restored. Over the weekend a small percentage of Gmail users reported that their emails were missing or that they could not even log in to their accounts. A Google engineer says the problem can be traced to "a storage software update." The accounts that have not yet been completely restored are those of "power users," who have unusually voluminous inboxes.
-http://www.csmonitor.com/Innovation/Horizons/2011/0303/Gmail-is-down-Not-anymore-Google-says.
-http://www.v3.co.uk/v3/news/2275096/gmail-email-cloud

Microsoft to Patch Four Flaws on March 8 (March 3, 2011)

Microsoft plans to issue three security bulletins on Tuesday, March 8, to address a total of four vulnerabilities. One of the bulletins is rated critical; the other two are rated important. The bulletins will describe fixes for flaws in Windows and Office, as well as a dynamic link library (DLL) hijacking vulnerability in the Microsoft Groove application. The bulletins do not offer fixes for Internet Explorer (IE); Microsoft has maintained a practice of issuing IE updates only in even-numbered months.
-http://www.microsoft.com/technet/security/Bulletin/MS11-mar.mspx
-http://www.computerworld.com/s/article/9213078/Microsoft_won_t_patch_IE_before_Pwn2Own?taxonomyId=17
-http://news.cnet.com/8301-27080_3-20038964-245.html
-http://www.zdnet.com/blog/security/ms-patch-tuesday-heads-up-critical-flaws-in-windows-office/8288

Cyber Crime Forum Leaders Sentenced (March 2 & 3, 2011)

Four members of the GhostMarket.net cyber crime forum, including the group's founder, have been convicted of computer offenses. The leader, Nicholas Webber, was sentenced to five years in prison. GhostMarket offered a setting for people to buy and sell stolen financial account and personal information; buy and sell malware and phishing kits; and get cyber crime tutorials. This organization may have had up to 8,000 members. Police found more than 130,000 stolen credit card numbers on computers they seized as part of the investigation. One of Webber's co-defendants, Gary Paul Kelly, reportedly created a ZeuS botnet that infected 15,000 machines around the world. Kelly received a five-year sentence. Other accomplices were sentenced as well. Ryan Thomas was sentenced to four years, Ricardo Shakira was sentenced to 18 months, and Samantha Worley was given a sentence of community service.
-http://www.v3.co.uk/v3/news/2275098/cyber-crim-ghostnet-online
-http://www.zdnet.co.uk/news/security-threats/2011/03/03/teenage-ghostmarket-kingpin-sentenced-to-jail-40092014/

-http://www.theregister.co.uk/2011/03/03/uk_carders_jailed/
-http://www.bbc.co.uk/news/world-europe-guernsey-12625869

WordPress Targeted by Massive DDoS Attack (March 3, 2011)

Web host WordPress was the target of a massive distributed denial-of-service (DDoS) attack on Thursday, March 3. WordPress is widely used as a blog platform and many websites use it as well. The attack focused on three WordPress data centers and is the largest the company has experienced.
-http://www.eweek.com/c/a/Security/WordPresscom-Hit-by-Extremely-Large-Denial-of-Service-Attack-618818/
-http://news.cnet.com/8301-1009_3-20038874-83.html?tag=mncol;title
-http://www.theregister.co.uk/2011/03/03/wordpress_ddos_attack/
[Editor's Note (Pescatore): If WordPress has to pay back to customers because of missed SLAs, they will likely find that investing in pro-active DDoS prevention services would show an immediate positive ROI. ]

Former Employee Gets House Arrest for Breaking Into Company Network (March 1, 2011)

A California woman who admitted to accessing her former employer's computer network and posting confidential information to the Internet will serve 60 days of home detention and one year of probation. Ming Shao avoided prison time for her actions. She was able to access the sensitive data belonging to her former employer, PanTerra Networks, through two employee email accounts for several months following her dismissal from the company in August 2009. Shao pleaded guilty to one count of felony computer intrusion.
-http://www.theregister.co.uk/2011/03/01/sacked_employee_sentenced/
[Editor's Note (Honan): The fact that Ming Shao was able to access sensitive data belonging to PanTerra Networks by accessing employee email accounts for several months after her dismissal should serve as a lesson on why you should have an effective password management program in effect in your organisation which forces users to regularly change their passwords. ]

Seven-Year Sentence for Premium Number Modem Dialing Scheme (March 1, 2011)

A New Hampshire man who infected computers with malware that forced them to call premium rate phone numbers has been sentenced to nearly seven years in prison. Asu Pala and his co-conspirators established the numbers in Germany, then infected computers in that country with malware that forced the modems to dial the numbers. Pala made US $8 million from the scheme. Pala began cooperating with US government officials in their investigation into the case in 2009, which took some time off his sentence. If he had succeeded in helping the FBI capture the two men who had initially approached him and proposed the scheme, his sentence would have been even shorter.
-http://www.bostonherald.com/jobfind/news/technology/view/2011_0301nh_man_gets_prison_sentence_in_computer_hacking_case/srvc=home&position=also
-http://www.computerworld.com/s/article/9212418/Man_gets_7_years_for_forcing_modems_to_call_premium_numbers?taxonomyId=17



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/