SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #25

March 29, 2011

TOP OF THE NEWS

Raytheon, SAIC Vie With U.S. in 'Fratricide' Over Cyberworkers
Hearing Date Set for WikiLeaks Twitter Data Demand Appeals
Proposed Law in South Korea Would Mandate Security Software on PCs
Australian Government Bans Free Web-Based eMail Services for Employees

THE REST OF THE WEEK'S NEWS

MySQL.com Compromised Through Blind SQL Injection Attack
Finding Fast-Flux Botnets
SEC Considers More Stringent Security Rules for Exchanges
McAfee Study Says Thieves Targeting Corporate Data
Restaurant Group Will Pay US $110,000 to Settle Allegations of Poor Security Practices
Spotify Removes Tainted Ad From Free Music Streaming Site
Mozilla Regrets Silence on Phony SSL Certificates
Google Updates Chrome to Fix Six High Risk Vulnerabilities
US Mobile Phone Users Lax on Security
UK Users Not Wiping Mobile Devices Before Selling Them

---

*****************************************************************

TRAINING UPDATE

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 User-to-user conference featuring outstanding examples of continuous monitoring and security in the cloud.
http://www.sans.org/cyber-security-innovations-2011/

- -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************ Sponsored by McAfee, Inc. ***********************

McAfee / Gartner joint on-demand webcast - In this webcast Greg Young of analyst firm Gartner, discusses how virtualization, consumerization of IT and other trends are driving new requirements for more intelligent network security models. Also hear from McAfee's Greg Brown, VP of Network Security as he discusses the latest threat trends seen by McAfee Labs.
http://www.sans.org/info/74248

****************************************************************************

---

TOP OF THE NEWS

Raytheon, SAIC Vie With U.S. in 'Fratricide' Over Cyberworkers

Bloomberg Government's Eric Engleman publishes an analysis of the economic effects of the shortage of technical cybersecurity workers that was first illuminated by the Center for Strategic and International Studies in its December 2010 report: "A Crisis in Cyber Manpower: Technical Proficiency Matters." Bloomberg's new article documents how technology companies such as Booz Allen, Raytheon, and SAIC are competing with each other and the U.S. government for hard-to-find cybersecurity workers, driving up salary costs and spurring corporate acquisitions. "When you have a limited supply of people and a huge demand, salaries go up and people can shop around, and that's fantastic for them but it creates inflation in this area that's not particularly healthy for business," a former DNI associate director now at one of the technology companies told the Bloomberg reporters. Overall 10,000 to 30,000 more technical security people are needed to meet the national need reports Bloomberg. Salaries of the top guns of security, the "hunters and tool builders," have risen as high as $175,000, and companies such as Raytheon are using acquisitions to buy smaller companies in which they pick up 100 to 200 technical cybersecurity workers each time. This article is available through Bloomberg Government to their subscribers.
[Editor's Note (Paller): Interviews with hiring managers at the companies listed in the article help explain exactly who those 10-30,000 people are. At the same time technology companies are fighting for the most technical security experts, they are reducing the number of information security compliance people. One hiring manager reported that his organization is eliminating the jobs of 250 people engaged in certification and accreditation (C&A) but he expects 15%-30% of them will be able to build a new career by mastering the hands-on technical security skills that are in high demand. ]

Hearing Date Set for WikiLeaks Twitter Data Demand Appeals (March 25, 2011)

Three people associated with WikiLeaks are appealing a ruling that grants federal prosecutors access to records of their Twitter use. The legal team for the three maintains that the ruling violates a federal statute and the US Constitution's First Amendment rights to free speech and association. The filing seeks to overturn the earlier ruling. The US Justice Department is seeking the Twitter records as part of a grand jury investigation into WikiLeaks and its disclosure of classified UG government information. A hearing is set for April 22.
-http://www.wired.com/threatlevel/2011/03/wikileaks-twitter-again/
-http://news.cnet.com/8301-31921_3-20047315-281.html
-http://www.wired.com/images_blogs/threatlevel/2011/03/objection.pdf

Proposed Law in South Korea Would Mandate Security Software on PCs (March 24, 2011)

Proposed legislation in South Korea would require users to have security software on their PCs. The Korea Communications Commission (KCC) would have the authority to decide which security products are acceptable and which are not, which means the security solution providers would be wooing the government rather than users. The KCC would also have the authority to "examine the details of the business, records, documents and others' of those believed to be out of compliance with the security software mandate. Dancho Danchev, the article's author, points out that security software "only mitigates a certain percentage of the risk ...
[and that ]
multiple independent reports and tests show that despite users running antivirus software, they still get infected with malware."
-http://www.zdnet.com/blog/security/zombie-pc-prevention-bill-to-make-security-so
ftware-mandatory/8487
[Editor's Note (Pescatore): Mandating technology through regulations is good for those selling the technology, almost always bad for those forced to buy it. ]

Australian Government Bans Free Web-Based eMail Services for Employees (March 24, 2011)

Government workers in Australia will no longer be able to use free web-based email services like Gmail and Hotmail. The government made the blanket decision following a report from Australia's Federal Auditor-General recommending that "agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services." For situations in which government employees require access to these services, the auditor recommended the use of single, stand-alone desktops. The ban will take effect on July 1, 2011.
-http://www.zdnet.com.au/pm-s-dept-vows-to-block-hotmail-gmail-339311898.htm
-http://thehill.com/blogs/hillicon-valley/technology/151703-australian-government
-bans-free-email-services-over-security-concerns

---

************************** SPONSORED LINKS *******************************

1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/74253

2) In Case you missed it! Web 2.0 Security: Same Old But Different FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/74258 Sponsored By: SONICWALL http://www.sonicwall.com/

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

MySQL.com Compromised Through Blind SQL Injection Attack (March 28, 2011)

Attackers broke into Oracle's customer website for SQL, MySQL.com, over the weekend using a blind SQL injection attack. The intruders posted information taken from the site, including usernames and password hashes. The unknown attackers also published information about the structure of the databases on the website.
-http://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQ
L_injection_attack?taxonomyId=17
-http://www.h-online.com/security/news/item/MySQL-allegedly-hacked-via-SQL-inject
ion-1216281.html
[Editor's Note (Pescatore): You know how Public Health departments force restaurants to close for a period of time after they have a sewage backup or roach infestation? I'd like to see similar things happen to commerce websites after they are shown to be vulnerable to well known attacks. ]

Finding Fast-Flux Botnets (March 28, 2011)

Researchers at Texas A&M University say they have developed a method of finding domain fluxing botnets. In their paper "Detecting Algorithmically Generated Malicious Domain Names," describe their methodology for detecting alphanumeric patterns in domain names that are generated algorithmically instead of domain names generated by humans.
-http://www.csoonline.com/article/678319/new-method-finds-botnets-that-hide-behin
d-changing-domains
-http://www.ece.tamu.edu/~reddy/papers/imc2010-yadav.pdf

SEC Considers More Stringent Security Rules for Exchanges (March 28, 2011)

A growing concern about cyber security prompted by last year's "flash crash" and other security breaches has prompted the US Securities and Exchange Commission (SEC) to consider establishing internal security rules for stock exchanges that could result in sanctions for non-compliance. Exchanges would be required to have in place technology that would ensure their continued and reliable operation in the face of "a volatile flash-crash-like market." They may also be required to undergo annual third-party audits and face increased pressure to disclose security breaches. Presently, there are guidelines but not rules, so there is no incentive for accountability.
-http://www.marketwatch.com/story/hacking-flash-crash-drives-sec-rule-effort-2011
-03-28?pagenumber=2
[Editor's Note (Pescatore): There is definitely room in that world for more transparency and accountability. Trying to require certain types of technology is always a losing strategy for regulators, though.
(Schultz): I'm surprised that by all appearances the SEC is not worried about recent break-ins (ostensibly from China) into Fortune 500 companies' computers that held financial information. Obtaining such information would give someone the equivalent of insider knowledge in making stock transactions.]

McAfee Study Says Thieves Targeting Corporate Data (March 28, 2011)

According to a study from McAfee, cyber thieves are increasingly targeting intellectual property. Some attackers are specializing in stealing data from corporate computer systems. In particular, information thieves seem to be looking for trade secrets, research and development reports, marketing plans and source code. The report also noted that many companies are not taking adequate measures to protect information and are not going public with news of data security breaches. Of the companies that reported experiencing a data security breach, just half said they had taken steps to improve cyber security.
-http://www.bbc.co.uk/news/technology-12864666
-http://www.huffingtonpost.com/2011/03/28/mcafee-cybersecurity-study_n_840836.htm
l

Restaurant Group Will Pay US $110,000 to Settle Allegations of Poor Security Practices (March 28, 2011)

The Briar Group LLC, which runs a number of restaurants in the Boston area, has agreed to pay US $110,000 to settle allegations that it did not take adequate precautions to protect customers' personal information and placed at risk of compromise information on tens of thousands of payment cards. The Briar Group was the target of a data security breach in April 2009; malware that had been surreptitiously placed on the company's computer systems was not removed until December 2009. The Massachusetts attorney general filed a lawsuit as a result. According to the lawsuit, the Briar Group did not change default usernames and passwords on its point-of-sale computer system; did not have adequate security for its wireless network; and accepted credit card information from customers after learning of the breach.
-http://www.boston.com/business/ticker/2011/03/restaurant_grou.html
[Editor's Note (Schultz): The threat of fines promises to be one of the few truly effective motivators for companies to implement adequate data security controls, but fines as little as the one that was levied on the Briar Group are likely to have little or no effect. ]

Spotify Removes Tainted Ad From Free Music Streaming Site (March 28, 2011)

Spotify has apologized for an attack that exposed users of the free version of its music streaming service in Europe to malware through tainted advertisements. The ads served content that attempted to infect users' machines with scareware. Spotify disabled third-party advertisements on Friday, March 25 after learning of the problem. The company isolated and removed the offending ad, and service was back to normal in the next few days. Users of Spotify's paid music streaming service were not affected.
-http://www.theregister.co.uk/2011/03/28/spotify_tainted_ad_follow_up/
[Editor's Note (Pescatore): "Malvertising" is definitely on the rise. It is a complicated ecosystem; the online advertising industry needs to move forward and increase the standard of practices against this. ]

Mozilla Regrets Silence on Phony SSL Certificates (March 25, 2011)

Mozilla said that deciding not to publish information about fraudulently obtained SSL certificates "was the wrong decision." Mozilla learned of the incident before it was publicly disclosed, but decided to remain mum. The company now says "We should have informed Web users more quickly about the threat and the potential mitigations as well as their side-effects."
-http://www.computerworld.com/s/article/9215077/Mozilla_regrets_keeping_quiet_on_
SSL_certificate_theft?taxonomyId=82
-http://www.h-online.com/security/news/item/SSL-meltdown-Mozilla-admits-mistakes-
in-its-information-policy-1216000.html
[Editor's Comment (Northcutt): Nifty hack supposedly by Iran to supposedly spy on its supposed citizens, but despite claims otherwise, this is about disclosure policy and the right thing to do was get Chrome, Firefox and IE to blacklist the certs before announcing the theft. This site is dated, but the arguments have not changed much in ten years:
-http://www.wild.lib.fl.us/bib/disclosure-by-date.html]

Google Updates Chrome to Fix Six High Risk Vulnerabilities (March 25, 2011)

Google has updated its Chrome browser to address six vulnerabilities, all of which have been rated high security risks. Chrome 10.0.648.204 also includes two additions to its blacklist due to the phony SSL certificates issued by a Comodo reseller. Google has locked down its bug tracking database to block access to technical details of the flaws it has just patched, which is standard practice for the company. Google waits weeks or even months to allow users to update their systems before making that information public. Google pushes Chrome updates out silently.
-http://www.h-online.com/security/news/item/Chrome-10-update-patches-security-vul
nerabilities-1215069.html
-http://www.computerworld.com/s/article/9215070/Google_patches_6_serious_Chrome_b
ugs?taxonomyId=85
-http://www.v3.co.uk/v3-uk/news/2037599/google-patches-flaws-chrome-update

US Mobile Phone Users Lax on Security (March 28, 2011)

A survey conducted by the Ponemon Institute on behalf of ACVG says that mobile phone users in the US are lax on mobile phone security. Nearly 84 percent of those surveyed use the same phone for both business and personal matters. Many people also make purchases over their mobile phones. Few consumers use phone-locking passwords and many use the same password for multiple apps.
-http://www.cnn.com/2011/TECH/mobile/03/28/survey.security.mashable/index.html

UK Users Not Wiping Mobile Devices Before Selling Them (March 22, 23 & 28, 2011)

An investigation commissioned by data protection company CPP Group found that many people in the UK who sell their old smartphones and SIM cards are failing to wipe the devices of sensitive personal data. More than half of the devices examined for the study were found to contain credit card PINs, bank account information, and login information for social networking sites. The information was gathered from 35 used phones and 50 used SIM cards. Users selling old phones should perform a factory reset. Unless old SIM cards are being transferred to another of the owner's devices, they should be destroyed.
-http://www.securecomputing.net.au/News/252550,secondhand-smartphones-sold-with-b
ank-details.aspx
-http://www.zdnet.co.uk/news/security-management/2011/03/23/study-second-hand-pho
nes-often-contain-personal-data-40092236/
-http://www.msnbc.msn.com/id/42219052/ns/technology_and_science-security/
-http://www.theregister.co.uk/2011/03/22/sensitive_data_ebayed_mobiles/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/