SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #23

March 22, 2011

Outstanding Journalism in Cybersecurity
A new section begins in NewsBites featuring articles that reflect
outstanding original research and tell great stories. This week we
feature Brian Krebs' just-published story about the Microsoft takedown
of Rustock's servers (almost entirely US based, surprisingly), and Riley
and Stone's BusinessWeek story of what really happened in the HBGary
hacking and who was involved.
We'll include this section whenever we find original, in-depth,
well-written stories that help you better understand the world of
cybersecurity.
Alan

---

TOP OF THE NEWS

Google Claims Chinese Government is Interfering with Gmail
French Regulator Fines Google Over Street View Data Collection
PHP Server Breach Raises Code Integrity Concerns

THE REST OF THE WEEK'S NEWS

Adobe Patches Zero-Day Flaw in Reader
Companies Lose Business Following Data Breaches
Man Charged in Connection with Botnet Pump-and-Dump Scheme
Phishing Attack Evades Filters
OMB Report on Federal Agency FISMA Compliance
Nine-Year Sentence for Breaking Into Medical Center Computers
Eight-Year Sentence for Theft of Proprietary Code
Radio/Web Geek Offers Inside View Of Attacks On Libya

GREAT CYBER STORIES

(Krebs) Microsoft Takedown of Rustock Botnet May Be A Game Changer
(Riley and Stone) The HBGary Story: Hacker vs. Hacker

EXTRA

RSA Breach "Not a Game-Changer"

---

*****************************************************************
TRAINING UPDATE
- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security in the cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********** Sponsored by Raytheon Trusted Computer Solutions **************

Raytheon Trusted Computer Solutions (RTCS) announces a new licensing option for Security Blanket, the premier automated OS lock down tool for Linux(R) (including RHEL 6) and Solaris?. RTCS has expanded the licensing options to include a one-time use license at a 60% savings from the Enterprise license price. Register today for a FREE product demonstration. http://www.sans.org/info/73098

****************************************************************************

---

TOP OF THE NEWS

Google Claims Chinese Government is Interfering with Gmail (March 21, 2011)

Google says that Chinese authorities are interfering with its Gmail service. Gmail users are reporting difficulty using the webmail service in that country. Google says the interference appears to have been designed to make it look like the problems are in Google's own systems, but the company has conducted thorough checks and found no problems on its side.
-http://www.eweek.com/c/a/Messaging-and-Collaboration/Google-China-Blocking-Gmail
-to-Counter-Jasmine-Revolution-577863/
-http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=
229301361&cid=RSSfeed_IWK_All
[Editor's Note (Schultz): One would think that ICANN would be closer than it currently is to taking some kind of action against China for its plethora of malicious activity. ]

French Regulator Fines Google Over Street View Data Collection (March 21, 2011)

France's National Commission for Information Freedom (CNIL) has fined Google 100,000 Euros (US $142,000) for the company's inadvertent collection of personal data from unprotected Wi-Fi networks. (Google collected the data while gathering information for its Street View maps feature.) CNIL called Google's activity an "unfair collection" of data and maintains that Google benefitted financially from the information it collected.
-http://www.scmagazineuk.com/google-fined-100000-by-french-regulator-over-street-
view-data-collection/article/198791/
-http://www.computerworld.com/s/article/9214864/French_panel_fines_Google_142K_fo
r_Street_View_collection_of_Wi_Fi_data?taxonomyId=17
-http://www.bbc.co.uk/news/technology-12809076
[Editor's Note (Schultz): A fine of only USD 142,000 is quite a bargain considering the magnitude of the problem that the collection of personal data caused. ]

PHP Server Breach Raises Code Integrity Concerns (March 21, 2011)

Developers say that attackers broke into a PHP wiki developer server (wiki.php.net) and stole access information for several accounts. No other servers appear to have been accessed in the attack, but developers are concerned that PHP source code could be compromised because the information that was stolen would allow the attackers to access the PHP repository. They conducted a detailed code audit and have not found any changes. The compromised machine was wiped and all SVN accounts were forced to get new passwords.
-http://www.h-online.com/security/news/item/PHP-developer-wiki-server-hacked-1211
874.html
-http://www.scmagazineuk.com/the-php-group-confirms-that-its-wikiphpnet-box-was-h
acked-over-the-weekend/article/198786/

---

*************************** Sponsored Links: *****************************

1) McAfee Next Generation Network Security A range of complimentary resources for your review and download http://www.sans.org/info/73103

2) REGISTER NOW FOR Web 2.0 Security: Same Old But Different WHEN: Thursday, March 24, 2011 at 1:00 PM EDT (1700 UTC/GMT) FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/73108 Sponsored By: SONICWALL http://www.sonicwall.com/

3) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT -- Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/73113

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Adobe Patches Zero-Day Flaw in Reader (March 21, 2011)

Adobe released fixes for a zero-day vulnerability in Reader and Acrobat and in its Flash player. Last week, Adobe acknowledged that the vulnerability was being actively exploited and said it would issue patches for the flaw this week. Chrome has already pushed out a fix for the Flash vulnerability to its users.
-http://www.computerworld.com/s/article/9214874/Adobe_patches_Flash_zero_day_bug_
in_Reader?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2035884/adobe-rolls-flash-patches-fix-zero-day-fl
aw
The patches: Reader -
-http://www.adobe.com/support/security/bulletins/apsb11-06.html
Flash -
-http://www.adobe.com/support/security/bulletins/apsb11-05.html

Companies Lose Business Following Data Breaches (March 21, 2011)

A study conducted by the Ponemon Institute on behalf of Symantec, 37 percent of data loss cases reported in the UK in 2010 involved system failures; that figure is seven percent higher than it was in 2009. The study also found that the average cost of data breaches for large UK companies in 2010 was GBP 1.9 million (US $3.1 million), an increase of 13 percent from 2009. The report also found that companies that suffer computer breaches experience significant financial repercussions in lost business.
-http://www.scmagazineuk.com/system-failure-is-seen-as-a-greater-concern-than-neg
ligence-as-cost-of-average-data-breach-to-organisations-reaches-19-million/artic
le/198789/
-http://www.bbc.co.uk/news/technology-12789569
-http://www.silicon.com/technology/security/2011/03/21/data-breaches-loss-of-busi
ness-biggest-cost-39747175/
[Editor's Comment (Northcutt): Well, time will tell on the question of lost business, RSA is the security division of EMC and it looks like EMC stock has been climbing for the past few days.]

Man Charged in Connection with Botnet Pump-and-Dump Scheme (March 21, 2011)

A Texas man has been charged with conspiracy to commit securities fraud for his role in an alleged pump-and-dump scheme. Christopher Rad and his accomplices allegedly used the network of infected computers to send out spam promoting penny stocks in an effort to inflate their prices and profit from the artificially elevated value. In addition, hackers hijacked into brokerage accounts and used them to purchase the stocks to create the illusion that there was a demand for those securities. Rad allegedly acted as a middleman between people wanting to tout the stocks and the operators of the botnet. Rad's alleged accomplice, James Bragg, pleaded guilty to charges related to the scheme in October 2010.
-http://www.computerworld.com/s/article/9214884/Man_charged_with_hiring_pump_and_
dump_spam_botnet?taxonomyId=17
-http://www.google.com/hostednews/afp/article/ALeqM5j5FXMVI3hQtPjTSjt-PleYqXfHWw?
docId=CNG.a807bd69f3debaa7a6b4ca2383f9500b.1211

Phishing Attack Evades Filters (March 19, 2011)

The US Computer Emergency Response Team (US-CERT) has warned of a sophisticated phishing attack that targets customers of several financial institutions, including Bank of America, PayPal and Lloyds. This particular attack manages to evade filters designed to identify phishing sites. The phishing emails arrive with HTML attachments.
-http://www.v3.co.uk/v3-uk/news/2035559/-cert-warns-phishing-attacks
-http://www.theinquirer.net/inquirer/news/2035632/paypal-hit-sophisticated-phishi
ng-attack
-http://www.us-cert.gov/current/index.html#ongoing_phishing_attack

OMB Report on Federal Agency FISMA Compliance (March 18, 2011)

According to the Fiscal Year 2010 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, cyber attacks against federal networks increased 40 percent in 2010. Agencies reported nearly 42,000 cyber incidents in 2010; in 2009, 30,000 incidents were reported. The report from the Office of Management and Budget (OMB) details agency compliance with Federal Information Security Management Act (FISMA) mandates. The report notes that agencies are beginning to deploy real-time scanners to monitor anomalies. The report says that 66 percent of IT assets at major federal agencies have automated surveillance tools. Most of the agencies are not using smart cards for system access, despite it being a requirement. As of October 1, 2011, agencies that have not installed electronic ID card readers on facilities and systems will have funds for other projects denied.
-http://www.nextgov.com/nextgov/ng_20110318_4179.php
-http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pd
f

Nine-Year Sentence for Breaking Into Medical Center Computers (March 18, 2011)

A Texas man has been sentenced to just over nine years in federal prison for breaking into 14 computers at a Dallas medical clinic. Jesse William McGraw installed malicious code and uninstalled security features on some of the compromised machines. Some of the computers contained patient information and some controlled the clinic's HVAC (heating, ventilating and air conditioning) systems. McGraw intended to use the compromised machines to launch further attacks. McGraw was apprehended after boasting about his activity online. McGraw had been working as a security guard at the clinic.
-http://blogs.dallasobserver.com/unfairpark/2011/03/hacker_known_as_ghostexodus_s
e.php
-http://www.wired.com/threatlevel/2011/03/ghostexodus-2/
[Contributor's Note (Chris Mohan): Wesley McGrew, the security researcher who reported the hack to the FBI has his own take here:
-http://www.mcgrewsecurity.com/2011/03/18/ghostexodus-sentenced-to-9-years-2-mont
hs/]

Eight-Year Sentence for Theft of Proprietary Code (March 18, 2011)

A former programmer for Goldman Sachs has been sentenced to eight years in prison for stealing proprietary code from the investment company. Sergey Aleynikov developed high-frequency trading software for Goldman Sachs. He worked at the firm from 2007 to June 2009. He transferred a significant amount of the code to servers in Germany in July 2009. The following month, he met with a startup developing high-frequency trading software. He had taken steps to erase his tracks; his activity was discovered when Goldman Sachs began monitoring HTTPS transfers after noticing suspicious network activity.
-http://www.wired.com/threatlevel/2011/03/aleynikov-sentencing/
-http://www.theregister.co.uk/2011/03/18/programmer_sentenced/

Radio/Web Geek Offers Inside View Of Attacks On Libya (March 22, 2011)

A Dutch former military guy who is also a combination radio/Web geek is tracking, translating and tweeting minute-by-minute coverage of the U.N. air war over Libya. In the process he's demonstrating how civilians with inexpensive equipment, a little bit of knowledge and a lot of dedication can make a big difference in world affairs.
-http://www.itworld.com/security/140829/radioweb-geek-offers-inside-view-attacks-
libya
[Editor's Note (Ranum): With the military not encrypting communication, there is a serious possibility of nasty "chickens coming home to roost." ]

---

GREAT CYBER STORIES

Microsoft Takedown of Rustock Botnet May Be A Game Changer (March 21, 2011)

Microsoft's takedown of the Rustock botnet once again exposed some ugly truths about the botnet business: Organized criminals still feel comfortable hosting their command and control networks on U.S. servers, which are some of the fastest, cheapest and most reliable on the planet. All but two of the 100 or so control networks for Rustock were based at US ISPs, some operating with impunity for more than year. This story delves deeper into this dynamic, and examines the novel legal methods Microsoft used to seize hard drives and IP addresses from these hosting providers.
-http://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/

The HBGary Story: Hacker vs. Hacker (March 10, 2011)

"Greg Hoglund's nightmare began on Super Bowl Sunday. (Hoglund runs HBGary) ... Hoglund logged into his corporate account on Google and confirmed his fears. He couldn't get in. Someone had changed the password and locked him out of his own e-mail system." So begins a fascinating and bracing tale of Anonymous' theft and publishing of thousands of HBGary's emails. The players affected are a story in themselves - from Washington law firms to the US Chamber of Commerce and several huge American companies.
-http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm

---

EXTRA

RSA Breach "Not a Game-Changer" (March 20, 2011)

In this podcast interview, Stephen Northcutt discusses the recent breach at RSA that affects its SecurID product. Northcutt says that RSA's announcement about the incident does not provide enough information for effective analysis. He adds that the breach is "not a game-changer
[and ]
anybody who says it is is an alarmist." Northcutt advises RSA users not to panic and to use an additional layer of security if they feel integrity of their tokens is compromised.
-http://www.govinfosecurity.com/podcasts.php?podcastID=1050

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/