SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #28

April 08, 2011

TOP OF THE NEWS

Chrome Will Warn Users of Suspicious Downloads
Epsilon Received Warning of Potential Breach Months Ago
Government Shutdown Raises Cyber Security Questions

THE REST OF THE WEEK'S NEWS

Microsoft's April Update to Address 64 Vulnerabilities
Gonzalez Seeks to Have Guilty Plea and Sentence Thrown Out
Regional Winners to Meet in Collegiate Cyber Security Competition Finals
Free Pandora App Shares User Data
New Security Tool Will Enhance Troops' Computing Experience
Legislators Consider Methods of Combating Piracy
The Hartford Servers Infected with Password-Stealing Malware
Former Gucci Employee Charged for Alleged Attack on Network

---

*****************************************************************

TRAINING UPDATE

-- The National Cybersecurity Innovation Conference, April 18-19, 2011 - CISOs and other users (no vendors or consultants) sharing remarkable solutions they found to (1) defense against APT, (2) continuous monitoring, (3) proving the value of security investment and making security strategic, (4) reliable, risk-based decisions on which new tools to buy, (5) finding all their hardware and software across large networks, (6) the most promising automation initiative in security. Plus expert briefings on the most dangerous new attack techniques and the 20 Critical Controls.
http://www.sans.org/cyber-security-innovations-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************* SPONSORED BY WinMagic Inc. *************************

WinMagic SecureDoc offers a comprehensive full-disk encryption solution for Windows, Mac, and Linux platforms and removable media (USB thumb drives, CD/DVDs, SD Cards). The central administration console simplifies enterprise management of encrypted devices, user permissions, and encryption keys. SecureDoc manages Intel Anti-theft Technology, SEDs, advanced Lenovo technologies, and exclusively offers pre-boot networking. Evaluate SecureDoc today.

http://www.sans.org/info/75134

****************************************************************************

---

TOP OF THE NEWS

Chrome Will Warn Users of Suspicious Downloads (April 6 & 7, 2011)

Google plans to add a feature to its Chrome browser to warn users when they are downloading a file that is suspected to contain malware. The feature will rely on Google's Safe Browsing service; if a user tries to download an EXE file with a URL that appears on the Safe Browsing blacklist, the user will receive a message that reads "This file appears to be malicious. Are you sure you want to continue?" Users will have the option of going ahead and downloading the questionable file if they choose. The new service will be tested with a subset of Chrome users running the dev version of the browser before being incorporated into the stable version of Chrome.
-http://www.h-online.com/security/news/item/Chrome-to-block-downloads-of-hazardou
s-exe-files-1222643.html
-http://www.computerworld.com/s/article/9215593/Chrome_tips_users_to_dangerous_Wi
ndows_downloads?taxonomyId=17
-http://www.msnbc.msn.com/id/42456782/ns/technology_and_science-security/
-http://www.eweek.com/c/a/Security/Google-Chrome-Security-Feature-Targets-Driveby
-Downloads-651449/

Epsilon Received Warning of Potential Breach Months Ago (April 7, 2011)

The data breach at Epsilon was likely due to a spear phishing attack, something the company was warned about several months ago. An Epsilon technology partner, Return Path, sent out a warning in November 2010 after an employee fell for a phishing attack, exposing thousands of email addresses to the attackers. Ironically, the type of information stolen during the attack could be used to launch spear phishing attacks against customers of some of the 2,500 companies on whose behalf Epsilon sends out email.
-http://www.itnews.com.au/News/253712,epsilon-breach-used-four-month-old-attack.a
spx
-http://news.cnet.com/8301-27080_3-20051796-245.html?tag=mncol;title
-http://www.computerworld.com/s/article/9215605/Epsilon_a_victim_of_spear_phishin
g_attack_says_report?taxonomyId=17
In a separate but related story, the better Business Bureau is reporting that some of the information stolen from Epsilon is already being used in a spear phishing attack. The attack targets customers of Chase Online Banking.
-http://www.eweek.com/c/a/Security/Chase-Bank-Phish-Emails-May-Be-First-PostEpsil
on-Scam-851226/
-http://www.bbb.org/us/article/bbb-warns-of-phishing-email-received-from-epsilon-
data-breach-26572
[Editor's Note (Schultz): Epsilon's apparent security letdown is likely to result in considerable customer fraud. I have already received two phishing messages, one asking me to renew my Visa account information, the other (sent a day later) saying that my Chase account has now been locked for the sake of security and that I must go through steps listed in the message to unlock my account. The messages were sent from an address in Hungary. I am sure many customers will fall for these messages.
(Honan): This breach has led to calls in some countries, such as Australia, for the introduction of mandatory breach disclosure laws.
-http://www.itnews.com.au/News/253753,epsilon-does-phishing-constitute-harm.aspx]

Government Shutdown Raises Cyber Security Questions (April 7, 2011)

The Department of Homeland Security (DHS) says that should the government shut down, DHS personnel and contractors responsible for cyber security will not be furloughed. Federal law dictates that in the event of a government shutdown, all activity must stop except that "necessary for the safety of human life or protection of property." Adversaries might view a shutdown as an opportunity to launch a cyber attack because of the perception that there is inadequate staffing. White House officials say that most federal websites will go offline during a shutdown. Those that stay online will be those that fall under the exceptions listed above.
-http://www.govinfosecurity.com/articles.php?art_id=3512
-http://www.nextgov.com/nextgov/ng_20110407_1172.php?oref=topnews
-http://fcw.com/articles/2011/04/07/federal-websites-may-be-unattended-or-go-dark
-during-furloughs.aspx

---

************************** SPONSORED LINK ********************************

1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/75139

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft's April Update to Address 64 Vulnerabilities (April 7, 2011)

On Tuesday April 12, Microsoft plans to release fixes for 64 vulnerabilities. The patches will come in 17 security updates, nine of which have maximum severity ratings of critical. The updates will address flaws in Windows, Office, Internet Explorer, Windows graphics framework and other products. Microsoft usually releases larger numbers of updates in even numbered months; this month's batch marks a record for vulnerabilities fixed and ties the record, set in December 2010, for the number of updates released. Among the flaws that will be addressed are some for which security advisories have already been released, including the SMB issue and the MHTML vulnerability in Windows.
-http://www.computerworld.com/s/article/9215615/Microsoft_sets_mammoth_Patch_Tues
day_will_fix_64_flaws?taxonomyId=17
-http://www.zdnet.com/blog/security/patch-tuesday-heads-up-17-bulletins-64-vulner
abilities/8516
-http://www.microsoft.com/technet/security/Bulletin/MS11-apr.mspx

Gonzalez Seeks to Have Guilty Plea and Sentence Thrown Out (April 7, 2011)

The mastermind behind the massive cyber theft of credit card information from TJX, Heartland Payment Systems, Office Max and other companies is seeking to withdraw his guilty plea. Albert Gonzalez wants a federal judge to throw out his pleas and his 20-year prison sentence; he maintains that the government authorized his activities. The government does not dispute that while stealing the data, Gonzalez was an undercover Secret Service informant. In this action, Gonzalez is acting as his own attorney.
-http://www.wired.com/threatlevel/2011/04/gonzalez-plea-withdrawal/

Regional Winners to Meet in Collegiate Cyber Security Competition Finals (April 7, 2011)

The finals of the National Collegiate Cyber Defense Competition (NCCDC) will take place April 8-10 in San Antonio, TX. Nine teams of college students will compete in an event that tests network infrastructure management while under attack from a Red Team. NCCDC has grown from five teams six years ago to more than 100 teams participating in regional competitions to win a spot in this year's finals.
-http://www.utsa.edu/today/2011/04/cybersecfinals.html
-http://www.mysanantonio.com/default/article/U-S-needs-many-more-cybersecurity-ex
perts-1325830.php

Free Pandora App Shares User Data (April 5, 6 & 7, 2011)

Online music service Pandora has acknowledged being served with a subpoena demanding documents related to information sharing practices. The subpoena appears to be connected to a federal grand jury investigation into information sharing practices of apps that run on Apple and Android mobile platforms. A report recently found that a Pandora smartphone app shares user information with advertisers. The shared data include age, gender, geographic location, birth date and device ID.
-http://www.informationweek.com/news/229401147
-http://www.theregister.co.uk/2011/04/06/pandora_smartphone_privacy/
-http://www.informationweek.com/news/security/privacy/229400941

New Security Tool Will Enhance Troops' Computing Experience (April 6, 2011)

US troops stationed in the Middle East are expected to begin using copies of the Unified Golden Master, a disk that standardizes security settings on Windows computers. In combat operations, there is often inadequate staff to ensure that computers are kept patched and secured; this tool will eliminate the need to fine tune more than 1,200 settings. It also includes a trio of features that will help prevent malware from making its way onto the computers.
-http://www.nextgov.com/nextgov/ng_20110406_5909.php

Legislators Consider Methods of Combating Piracy (April 6, 2011)

At a US House Judiciary Committee Internet subcommittee hearing, several US legislators suggested that search engines filter search results so they do not include websites that violate copyright law and trade in counterfeit goods. Google senior VP and general counsel Kent Walker says his company does take steps to minimize the presence of such sites and has shut down a large number of accounts for trying to use sponsored links to advertise counterfeit merchandise, but that Google does not want to decide which sites should be left out of search results. Walker suggested that rather than trying to remove the offending sites from search results, the focus should turn to the advertising and financial activity that support the sites.
-http://www.computerworld.com/s/article/9215580/Lawmakers_question_whether_search
_engines_aid_piracy?taxonomyId=17

The Hartford Servers Infected with Password-Stealing Malware (April 6 & 7, 2011)

The Hartford insurance company has notified approximately 300 employees, contractors and customers of a security breach in which attackers managed to install password-stealing malware known as Qakbot on some of the company's servers. The attack was discovered in February 2011; fewer than 19 customers were affected. The Hartford sent letters to people who had logged in to an infected server between February 22 and 28, 2011.
-http://www.pcworld.com/businesscenter/article/224471/windows_servers_hacked_at_t
he_hartford_insurance_company.html
-http://it.tmcnet.com/topics/it/articles/162069-hartford-insurance-company-falls-
victim-hack-attack.htm
[Editor's Note (Pescatore): The press loves big numbers, so incidents like the Epsilon compromise get lots of attention. But there are huge numbers of compromises like this one happening that are much more targeted and often actually more damaging than many of the large scale attacks because they go undetected longer. Qakbot had some really sophisticated variants that actually only forward targeted credentials out to command and control/drop sites, reducing its "noise" level even more. ]

Former Gucci Employee Charged for Alleged Attack on Network (April 5, 2011)

A computer network engineer fired by Gucci in May, 2010 has been charged with launching an attack against a Gucci network in November 2010. Sam Chihlung Yin allegedly shut down servers, deleted information, causing US $200,000 in damages and lost productivity. Access to some data was interrupted temporarily, but other data were permanently lost. Yin allegedly gained access to the network through a VPN account he had established while still employed by Gucci.
-http://www.theregister.co.uk/2011/04/05/gucci_bofh_revenge_hack/
-http://www.informationweek.com/news/security/NAC/229400909

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/