SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #27
April 05, 2011
Another cool federal innovation added to the National Cybersecurity
Innovation Conference program (DC, April 18-19): Sandia National
Laboratory will show how the lab is training hundreds of system
administrators to become "human sensors," providing far more effective
early warning of attacks. The sysadmins really like the training; a
sharp contrast with how sysadmins in other agencies feel about the
time-wasting "security training" most are forced to endure. The net
result at Sandia is better security and less wasted time. This
conference (NCIC) has six more high-impact innovations federal and state
agencies have discovered. The other six innovations are listed in the
first item under Training Update below.
Alan
TOP OF THE NEWS
Army Says Manning Installed Data Mining Software on SIPRnet Workstation
Appeals Court Upholds Warrantless Laptop Border Searches
Epsilon Breach Compromises Millions of eMail Addresses
Timing is Everything in Net Neutrality Challenge
THE REST OF THE WEEK'S NEWS
Federal Appellate Court to Review Fine in Filesharing Case
RSA Attackers Exploited Flash Vulnerability
Chrome Alerts Users to Unpatched Plug-Ins
Judge Will Allow Articles About NSA Problems as Evidence in Thomas Drake's Trial
Stock Scammer Jailed Again for Currency Exchange Scheme
TV Producer Sues Over Lost Show Files
Malware Masquerades as Adobe Update
***************************************************************** TRAINING UPDATE
- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 - CISOs and other users (no vendors or consultants) sharing remarkable solutions they found to (1) defense against APT, (2) continuous monitoring, (3) proving the value of security investment and making security strategic, (4) reliable, risk-based decisions on which new tools to buy, (5) finding all their hardware and software across large networks, (6) the most promising automation initiative in security. Plus expert briefings on the most dangerous new attack techniques and the 20 Critical Controls.
http://www.sans.org/cyber-security-innovations-2011/
- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/
- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
- -- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************
TOP OF THE NEWS
Army Says Manning Installed Data Mining Software on SIPRnet Workstation (April 4, 2011)
The US Army alleges that Pfc Bradley Manning snuck data mining software onto his Secret Internet Protocol Router Network (SIPRnet) workstation before allegedly downloading hundreds of thousands of documents. The unauthorized software was installed twice: once between February 11 and April 3, 2010 and again in early May 2010. If the allegations prove true, they could strengthen the government's case against Manning. Gaining unauthorized access to sensitive information could be viewed as simple thrill-seeking, but having deliberately installed specialized software indicates premeditation.
-http://www.wired.com/threatlevel/2011/04/manning-data-mining/
[Editor's Note (Pescatore): Military PCs are often claimed to be "locked down," which if true would mean users could *not* install such software. However, the operational realities of PC use often mean that such lock down only existed as a policy, not as an actual control. ]
Appeals Court Upholds Warrantless Laptop Border Searches (April 4, 2011)
A 2-1 decision from the 9th US Circuit Court of Appeals says that US government authorities may seize digital devices at US borders without warrants and keep them for days while searching their contents. The case in question involves a man whose laptops and camera contained child pornography images. ICE agents seized the devices and transported them 170 miles to be searched.
-http://www.wired.com/threatlevel/2011/04/border-search/
-http://www.ca9.uscourts.gov/datastore/opinions/2011/03/30/09-10139.pdf
[Editor's Comment (Northcutt): This is an interesting case and the 4th similar case, so protocol for customs seizure is starting to be established. A forensics note, the pictures were found in unallocated space:
-http://volokh.com/files/cotterman.pdf
-http://cyb3rcrim3.blogspot.com/2009/05/border-search-fails.html
It is worth pointing out that while they found something this time, there have been 6,500 warrantless searches since 2008.
-http://www.wired.com/threatlevel/2010/09/laptop-border-searches/]
Epsilon Breach Compromises Millions of eMail Addresses (April 4, 2011)
A security breach at US marketing company Epsilon Data Management appears to have compromised millions of email addresses. Epsilon sends email on behalf of more than 2,500 clients. Many of the companies have contacted their customers to notify them of the breach and the possibility that they may receive spam or malicious email that attempts to get them to disclose more sensitive information. Epsilon said the only information taken was names and associated email addresses. Affected companies include American Express, Citibank, The College Board, and BestBuy.
-http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/
-http://www.computerworld.com/s/article/9215467/Expect_targeted_attacks_after_massive_Epsilon_email_breach_say_experts?taxonomyId=17
-http://www.washingtonpost.com/blogs/faster-forward/post/epsilon-mail-marketing-firm-exposes-millions-of-names-addresses/2011/04/04/AFEPbabC_blog.html
-http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/
-http://www.bbc.co.uk/news/technology-12958925
-http://www.h-online.com/security/news/item/Millions-of-email-addresses-exposed-in-Epsilon-breach-1221307.html
[Editor's Note (Pescatore): The real lesson to be learned is that companies are still responsible to their customers for incidents like this, even if the fault lies with an outsourcer. ]
Timing is Everything in Net Neutrality Challenge (April 4, 2011)
Two legal challenges to the US Federal Communications Commission (FCC) net neutrality rules have been dismissed for technical reasons. The US Court of Appeals for the District of Columbia said that the suits, brought by Verizon Communications and mobile service provider Metro PCS, were filed prematurely because the FCC's rules have not yet been published in the Federal Register. Verizon plans to refile the suit once the rules have been published. The rules prohibit broadband providers from selectively throttling web traffic.
-http://www.usatoday.com/tech/news/2011-04-04-fcc-internet-rules_N.htm?loc=interstitialskip
-http://www.computerworld.com/s/article/9215474/Update_Appeals_court_knocks_down_Verizon_net_neutrality_challenge?taxonomyId=17
************************** SPONSORED LINKS *******************************
1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/74533
2) In Case you missed it! Web 2.0 Security: Same Old But Different FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/74538 Sponsored By: SONICWALL http://www.sonicwall.com/
3) Industrial Defender is the global leader in Automation System Security Management, assuring the availability, reliability and security of critical infrastructure. http://www.sans.org/info/74543
****************************************************************************
THE REST OF THE WEEK'S NEWS
Federal Appellate Court to Review Fine in Filesharing Case (April 4, 2011)
The First US Circuit Court of Appeals in Boston is reviewing a filesharing lawsuit that resulted in Boston University graduate student Joel Tenenbaum being fined US $67,500. Tenenbaum's legal team is seeking to have the fine reduced or even thrown out; the Recording Industry Association of America (RIAA) is seeking to have the fine increased. Tenenbaum was initially fined US $675,000 in 2009, but last year, a district court judge reduced the amount by a factor of ten. A judgment from the appellate court is likely to be issued later this year.
-http://www.boston.com/news/local/breaking_news/2011/04/student_challen.html
-http://www.computerworld.com/s/article/9215485/Federal_court_to_review_67_500_music_piracy_fine?taxonomyId=17
RSA Attackers Exploited Flash Vulnerability (April 1, 2 & 4, 2011)
RSA has said that the attackers who managed to infiltrate RSA systems and steal information gained their initial toehold in the network through a flaw in Adobe Flash Player. Attackers targeted a small group of RSA employees with a spear-phishing attack: the emails carried Excel attachments with an embedded Flash object that exploited the flaw and installed backdoors on the recipients' systems. Adobe has already released a fix for the Flash vulnerability. The malware placed on the compromised systems is a remote-access Trojan; from those footholds the attackers escalated privileges to reach administrator accounts and moved on to other systems. RSA has not specified what data the attackers stole.
-http://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/
-http://www.zdnet.co.uk/blogs/mapping-babel-10017967/rsa-hack-targeted-flash-vulnerability-10022143/
-http://www.v3.co.uk/v3-uk/news/2039746/rsa-details-secureid-attack-methodology
-http://www.scmagazineus.com/flash-zero-day-social-engineering-enable-rsa-securid-hack/article/199836/
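The RSA intrusion started with an Office attachment carrying an embedded Flash object, and a mail gateway or incident responder can look for exactly that. The following Python scanner is an added example, not code from RSA's write-up or from any of the articles above. It assumes an attachment is either an OOXML container (a zip, as .xlsx files are) or a raw binary blob, and searches each member for SWF headers (the signatures FWS, CWS and ZWS, followed by a version byte and a little-endian length). The sample .xlsx is constructed inline so the script runs offline; the embedded payload is a fake header, not a real exploit.

```python
"""Scan an Office attachment for embedded Flash (SWF) objects (added example)."""
import io
import struct
import zipfile

# An SWF file starts with a 3-byte signature (FWS = uncompressed,
# CWS = zlib-compressed, ZWS = LZMA-compressed), one version byte and a
# 4-byte little-endian length of the whole file.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_headers(data: bytes):
    """Return (offset, signature, version, declared_length) for every
    plausible SWF header in a raw byte buffer, sorted by offset."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            start = idx + 1
            if idx + 8 > len(data):
                continue
            version = data[idx + 3]
            length = struct.unpack_from("<I", data, idx + 4)[0]
            # Cheap sanity filter against "FWS" showing up in ordinary text:
            # real SWF versions are small and the declared length covers at
            # least the 8-byte header.
            if 1 <= version <= 40 and length >= 8:
                hits.append((idx, magic.decode("ascii"), version, length))
    return sorted(hits)


def scan_office_file(blob: bytes):
    """Scan an OOXML (zip) document member by member, or a legacy binary
    document as one blob. Returns (member, offset, signature, version, length)."""
    results = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for off, sig, ver, ln in find_swf_headers(zf.read(name)):
                    results.append((name, off, sig, ver, ln))
    else:
        for off, sig, ver, ln in find_swf_headers(blob):
            results.append(("<raw>", off, sig, ver, ln))
    return results


def build_sample_xlsx() -> bytes:
    """Constructed sample: a minimal zip shaped like an .xlsx whose embedded
    OLE object carries a fake uncompressed SWF header (version 10, length 64)."""
    fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 32 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_office_file(build_sample_xlsx()):
        member, offset, sig, version, length = hit
        print(f"{member}: {sig} v{version}, {length} bytes at offset {offset}")
```

A hit is a reason to quarantine and inspect, not proof of an exploit: legitimate spreadsheets can embed Flash too, and a compressed (CWS/ZWS) body has to be decompressed before the ActionScript inside can be examined. The header filter only trims obvious false positives from text.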
Chrome Alerts Users to Unpatched Plug-Ins (April 1, 2011)
The newest version of Google's Chrome web browser notifies users when their plug-ins are out of date. In Chrome version 10, only up-to-date plug-ins run automatically; out-of-date plug-ins are blocked and the user is prompted to update them. Widely used plug-ins such as Flash Player, QuickTime and Reader are frequently used as attack vectors for malware.
-http://www.scmagazineus.com/new-google-chrome-version-notifies-of-unpatched-plug-ins/article/199821/
Judge Will Allow Articles About NSA Problems as Evidence in Thomas Drake's Trial (March 31, 2011)
The judge in the trial of former National Security Agency (NSA) employee Thomas Drake says he will allow articles from the Baltimore Sun about problems at the NSA to be admitted as evidence. However, District Judge Richard D. Bennett said he would not allow former Sun journalist Siobhan Gorman to be called as a witness. In April 2010, Drake was indicted under the Espionage Act for allegedly retaining classified NSA documents to share with a reporter. He has pleaded not guilty to the charges. Gorman wrote a series of articles for the Sun in 2006 and 2007 that detailed problems with NSA anti-terrorism technology programs.
-http://www.baltimoresun.com/news/maryland/bs-md-drake-hearing-20110331,0,3107857.story
-http://www.westport-news.com/news/article/Motion-to-drop-charges-in-NSA-leaks-case-denied-1316478.php
Stock Scammer Jailed Again for Currency Exchange Scheme (March 31, 2011)
Van T. Dinh, who as a teenager served 13 months in prison for a stock-trading scheme, has now been sentenced to three years in prison for breaking into an administrator account at a New York currency exchange and stealing more than US $100,000. Dinh was also ordered to pay US $125,000 in restitution and serve three years of federal probation following completion of his prison term. In 2003, Dinh broke into stock traders' accounts and used the access to rid himself of a bad investment through fraudulent purchases.
-http://www.wired.com/threatlevel/2011/03/dinh-2/
-http://www.theregister.co.uk/2011/04/01/stock_trading_teen_hacker_jailed/
TV Producer Sues Over Lost Show Files (March 31, 2011)
The creators of children's television program Zodiac Island say that a disgruntled former employee at their data hosting company deleted more than 300GB of video files, erasing an entire season of the show. The Wisconsin ISP, CyberLynk, fired Michael Scott Jewson in February 2009. A month later, Jewson allegedly logged into CyberLynk's computer systems and deleted data stored on an FTP server. Although CyberLynk was supposed to have backed up the stored data, the backup system "had failed and/or was not properly instituted," according to the lawsuit filed by WeR1 World Network, the show's creator. WeR1 is suing CyberLynk and Jewson for damages.
-http://www.computerworld.com/s/article/9215417/Lawsuit_claims_fired_data_center_worker_wiped_out_TV_show?taxonomyId=17
-http://www.latimes.com/entertainment/sns-rt-television-us-zodiactre72u7xk-20110331,0,7230801.story
[Editor's Note (Schultz): This incident involved an ISP. Now think what could happen if and when a disgruntled former employee of a major cloud storage provider were to do the same thing. The outcome is almost unfathomable. ]
Malware Masquerades as Adobe Update (March 31, 2011)
A phishing attack is spreading in the guise of an Adobe Acrobat Reader update. The email provides a link for recipients to click; the domain name of the website it leads to contains the word "adobe," presumably to lull users into a false sense of security. Once on the site, users are asked for credit card information and other personal data. The request for credit card information should alert users to the suspicious nature of the site, since Adobe Reader is a free product. However, Adobe really does offer a paid version of Acrobat that allows users to create and edit PDF files, so some users could be tricked.
-http://news.cnet.com/8301-1009_3-20049199-83.html?tag=mncol;title
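The lure here is a host name that merely contains a brand. The Python check below is an added example, not from the CNET article or from Adobe: it reduces a URL to its registrable domain and flags any URL that mentions the brand somewhere in its network location without actually belonging to one of the brand's domains. The brand table and the tiny public-suffix table are assumptions for the example (a real deployment would use the Public Suffix List), and the URLs in the usage block are constructed, not taken from the campaign.

```python
"""Flag URLs that trade on a brand name they do not own (added example)."""
from urllib.parse import urlsplit

# Assumed for this example: which registrable domains legitimately belong to
# each brand. A production list would be maintained, not hard-coded.
BRAND_DOMAINS = {"adobe": {"adobe.com"}}

# Minimal stand-in for the Public Suffix List, enough for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a host name, e.g. 'update-center.net'
    for 'adobe.com.update-center.net' or 'adobe.co.uk' for 'www.adobe.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, host, registrable_domain) where verdict is
    'legit', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname strips userinfo ('adobe.com@evil.example') and the port, so the
    # real destination is what gets compared against the brand's domains.
    host = parts.hostname or ""
    reg = registrable_domain(host)
    netloc = parts.netloc.lower()  # still carries userinfo, where lures hide brands
    for brand, legit_domains in BRAND_DOMAINS.items():
        if reg in legit_domains:
            return ("legit", host, reg)
        if brand in netloc:
            return ("lookalike", host, reg)
    return ("unrelated", host, reg)


if __name__ == "__main__":
    # Constructed sample URLs illustrating the common tricks.
    for sample in (
        "https://get.adobe.com/reader/",
        "http://www.adobe.com@evil.example/update",
        "http://adobe.com.update-center.net/reader",
        "https://adobe-reader-update.com/",
        "https://example.org/",
    ):
        print(sample, "->", classify_url(sample))
```

The check deliberately looks at the whole network location, not just the host: a brand name in the userinfo part (before the `@`) is one of the oldest ways to make a link look like it goes somewhere else. It does not handle homoglyphs or punycode (`xn--`) hosts; those need a separate normalisation step.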
************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/