SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #29

April 12, 2011

TOP OF THE NEWS

SEC Fines Three for Failing to Protect Customer Data
Federal Prosecutors Respond to WikiLeaks Associates' Objections to Demand for Twitter Records
Tech Companies Challenging France's Data Retention Law

THE REST OF THE WEEK'S NEWS

Cyber Quest Competition Offers Chance for Recognition and to Win Scholarships for Cyber Camp
University of Washington Wins Collegiate Cyber Defense Competition
Sony PlayStation Suit Dropped After Settlement Reached
Adobe Warns of Zero-Day Flaw in Flash
New Ransomware Claims Users Need to Call to Reactivate Windows
Three Arrested in Connection with SpyEye Scheme
Prison Time for Tax Fraud Schemers
Russian Security Agency Says It's Hard to Monitor Citizens Who Use Encrypted Services
Senator Calls for Investigation Into Epsilon Breach

---

*****************************************************************

TRAINING UPDATE

- -- The National Cybersecurity Innovation Conference, April 18-19, 2011 - CISOs and other users (no vendors or consultants) sharing remarkable solutions they found to (1) defense against APT, (2) continuous monitoring, (3) proving the value of security investment and making security strategic, (4) reliable, risk-based decisions on which new tools to buy, (5) finding all their hardware and software across large networks, (6) the most promising automation initiative in security. Plus expert briefings on the most dangerous new attack techniques and the 20 Critical Controls.
http://www.sans.org/cyber-security-innovations-2011/

- -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY Entrust Technologies *******************

Entrust Discovery

Quickly find, inventory and manage digital certificates across your organization. Entrust Discovery helps find, inventory and manage digital certificates across diverse systems and environments. By identifying and evaluating deployed digital certificates, Entrust Discovery helps organizations avoid compliance ramifications, costly outages or even losses from data breach. Learn More http://www.sans.org/info/75774

****************************************************************************

---

TOP OF THE NEWS

SEC Fines Three for Failing to Protect Customer Data (April 11, 2011)

The US Securities and Exchange Commission (SEC) has fined former employees of broker-dealer GunnAllen Financial for failing to adequately protect customer data. The company was liquidated in November 2010; the SEC maintains that GunnAllen former president Frederick O. Kraus and former national sales manager David C. Levine broke privacy rules when Kraus authorized Levine to take information about 16,000 clients with him to his new job; the data were transferred on a thumb drive. Kraus and Levine were fined US $20,000 each. Former chief compliance officer Mark A. Ellis was fined US $15,000 for failing "to ensure that the firm's policies and procedures were reasonably designed to safeguard confidential customer information." The case is the first in which people have been fined solely for violating the SEC's Safeguard Rule, or Regulation S-P, which requires financial advisers and institutions under SEC jurisdiction to protect customer data and give customers the opportunity to opt out of having their information shared with unaffiliated third parties.
-http://www.informationweek.com/news/security/privacy/229401339
[Editor's Note (Pescatore): Good to see some enforcement of this, but sales folks taking customer records from their current job to their next job is such a common practice. Of course, most of that customer info is also on LinkedIn...
(Schultz): It is about time that there is corporate employee accountability (and punishment) when data security breaches occur. ]

Federal Prosecutors Respond to WikiLeaks Associates' Objections to Demand for Twitter Records (April 8 & 9, 2011)

Federal prosecutors responded to the objections of three WikiLeaks associates who are fighting an order that would give the prosecutors access to their Twitter account information. The government is not seeking the content of the messages, but the IP addresses they used to access Twitter and email addresses they provided when registering. On March 11, 2011, a magistrate judge approved the demand for the records. The three associates filed an appeal on March 25. The federal prosecutors said that the WikiLeaks associates' claim that the demand for the information violates their constitutional rights is baseless.
-http://www.wired.com/threatlevel/2011/04/wikileaks-twitter-feds/
-http://www.theregister.co.uk/2011/04/09/twitter_dragnet_wikileaks/
-http://files.cloudprivacy.net/goverment_opp.pdf

Tech Companies Challenging France's Data Retention Law (April 8, 2011)

Several large technology companies are reportedly challenging the French government's requirement that service providers, web mail providers, ecommerce companies and online video and music sites retain information about users for a year. The data they are required to store and to provide the government on demand include user names, passwords, IP addresses, and financial transaction information. The requirement was established by a February 25, 2011 decree that updates the Legal Regime for eCommerce Trust (LCEN). The decree is being challenged by the French Association of Community Internet Services (ASIC), whose members include eBay, Facebook and Google. LCEN says the decree was formulated without consulting the European Commission and that retaining the information poses a greater risk of data security breaches.
-http://www.informationweek.com/news/security/privacy/229401245
-http://www.scmagazineuk.com/google-and-facebook-challenge-french-government-on-p
ersonal-data-law/article/200221/
-http://www.bbc.co.uk/news/technology-12983734

---

************************** SPONSORED LINKS *******************************

1) New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT. Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston. http://www.sans.org/info/75779

2) In Case you missed it! Web 2.0 Security: Same Old But Different FEATURING: Johannes Ullrich & Eric Crutchlow http://www.sans.org/info/75784 Sponsored By: SONICWALL http://www.sonicwall.com/

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyber Quest Competition Offers Chance for Recognition and to Win Scholarships for Cyber Camp (April 11, 2011)

The US Cyber Challenge Cyber Quest Competition offers motivated individuals age 18 and older the opportunity to earn an invitation to a week-long Cyber Camp this summer where they will receive training from experts as well as scholarship, internship and employment opportunities. Registration for the April Cyber Quest is now open; the competition ends May 1. Participants will have 24 hours to complete an online quiz based on analysis of a packet capture file. The winners will be determined by who scores the most points in the shortest amount of time.
-http://www.prweb.com/releases/2011/4/prweb8292905.htm

University of Washington Wins Collegiate Cyber Defense Competition (April 11, 2011)

A team from the University of Washington, representing the Pacific Northwest region, outperformed eight other teams to take top honors at the 6th National Collegiate Cyber Defense Competition in San Antonio, Texas over the weekend. Texas A&M University placed second and the University of Louisville placed third. The teams had to operate and maintain a business network while under attack from a red team.
-http://seattletimes.nwsource.com/html/localnews/2014746226_uwcyberwin12m.html
-http://www.prnewswire.com/news-releases/2011-national-collegiate-cyber-defense-c
ompetition-champion-crowned-119603669.html
-http://www.bizjournals.com/sanantonio/blog/2011/04/university-of-washington-wins
-national.html
[Editor's Note (Honan): Congratulations to the team from the University of Washington. Defending a network is much more difficult than breaking into one and competitions like this should be used more to ensure those coming into manage and defend our networks have the appropriate skills and experience. ]

Sony PlayStation Suit Dropped After Settlement Reached (April 11, 2011)

Sony has dropped its lawsuit against George Hotz, who posted jailbreak code for Sony's PlayStation 3 gaming console to the Internet. In return, Hotz has agreed to never again engage in "reverse engineering, decompiling or disassembling any" Sony product. Hotz also reportedly agreed not to "bypass, disable, or circumvent any encryption, security or authentication mechanism." If he violates the terms of the agreement, Hotz could be fined US $10,000 for each instance. Sony accused Hotz of violating the Digital Millennium Copyright Act (DMCA) and other laws for publishing information that allowed PS3 owners to more fully control their gaming consoles.
-http://ingame.msnbc.msn.com/_news/2011/04/11/6451695-sony-and-hacker-geohot-call
-a-truce-in-bitter-legal-battle
-http://blog.us.playstation.com/2011/04/11/settlement-in-george-hotz-case/
-http://www.wired.com/threatlevel/2011/04/sony-settles-ps3-lawsuit/
-http://www.wired.com/images_blogs/threatlevel/2011/04/geohotaccord.pdf

Adobe Warns of Zero-Day Flaw in Flash (April 11, 2011)

Adobe has issued a warning of a zero-day vulnerability in Flash Player that is being actively exploited in targeted attacks. The vulnerability can be used to take control of computers or to cause them to crash. The attack is spreading as a Flash (.swf) file embedded in a Microsoft Word (.doc) file that arrives as an attachment. Adobe did not say when a patch will be available. Internet Storm Center:
-http://isc.sans.edu/diary/Yet+another+Adobe+Flash+Reader+Acrobat+0+day/10696
-http://news.cnet.com/8301-27080_3-20052894-245.html?tag=mncol;title
-http://www.zdnet.com/blog/security/adobe-warns-of-new-flash-player-zero-day-atta
ck/8524
-http://www.computerworld.com/s/article/9215721/Adobe_confirms_critical_Flash_zer
o_day_bug
[Editor's Note (Ullrich): In the past, I have observed users using Flash games embedded in Excel and Word documents to bypass corporate controls to prevent users from running these games. It may be a good awareness item to note the particular danger of these embedded flash files. ]

New Ransomware Claims Users Need to Call to Reactivate Windows (April 11, 2011)

Ransomware that claims users need to reactivate Windows has been detected. The malware displays a message telling users that their copy of Windows is locked and that they must dial an international telephone number to reactivate it. The message claims that the call is free, but it actually runs up inflated charges quickly. The number provided to unlock frozen systems is 1351236.
-http://www.computerworld.com/s/article/9215711/Ransomware_squeezes_users_with_bo
gus_Windows_activation_demand?source=CTWNLE_nlt_pm_2011-04-11
[Editor's Note (Northcutt): Sounds like a great tip of the day, security awareness opportunity, something like: It's fake! Microsoft has never required anyone to make a phone call to activate or reactivate Windows, and then follow with the story above. ]

Three Arrested in Connection with SpyEye Scheme (April 11, 2011)

Police in the UK have arrested three men in connection with malware that was used to steal online banking account access credentials. The charges against them include conspiracy to cause unauthorized modifications to computers, conspiracy to defraud and concealing proceeds from crime. The investigation culminating in the arrests began in January and focused on the use of a variant of SpyEye, which steals sensitive information and sends it to a remote server.
-http://www.theregister.co.uk/2011/04/11/spyeye_arrests/
-http://www.computerworld.com/s/article/9215682/UK_police_arrest_three_men_over_S
pyEye_malware?taxonomyId=17

Prison Time for Tax Fraud Schemers (April 8 & 11, 2011)

A former bank business manager in the UK has been sentenced to 39 months in prison for his role in a scheme that used a Trojan horse program to steal GBP 3.2 million (US $5.2 million) through tax fraud. The manager, Nikola Novakovic, and an accomplice, Oleg Rozputnii, together registered more than 1,050 fictitious taxpayers on the Tax Self Assessment system and claimed millions in fraudulent refunds, laundering the money through two hundred bank accounts. The information the pair required for the scam was obtained with the help of unspecified malware. Rozputnii was sentenced to 45 months in prison; because he is an illegal immigrant from Ukraine, he also faces deportation. A third person, Dmytro Shepel, was also involved in the scheme; he was sentenced to 42 months in prison.
-http://www.theregister.co.uk/2011/04/11/virus_powered_tax_scam/
-http://nds.coi.gov.uk/content/Detail.aspx?ReleaseID=419103&NewsAreaID=2

Russian Security Agency Says it's Hard to Monitor Citizens Who Use Encrypted Services (April 9 & 11, 2011)

The Kremlin will not ban Skype, Gmail and Hotmail, despite a recommendation to do so from the country's Federal Security Service (FSB) because the services threaten national security. FSB says the services make it challenging to monitor citizens because they use encryption that is difficult to break.
-http://www.msnbc.msn.com/id/42510490/ns/technology_and_science-security/
-http://www.v3.co.uk/v3-uk/news/2042281/russian-security-services-complain-gmail-
hotmail-skype

Senator Calls for Investigation Into Epsilon Breach (April 7, 2011)

US Senator Richard Blumenthal (D-Connecticut), has asked the Attorney General's office to investigate the Epsilon data security breach. The email provider sends 40 billion messages a year on behalf of its clients; Epsilon says that about 50 clients were impacted by the breach, meaning the names and email addresses of individuals who have agreed to receive messages from those companies were compromised. Senator Blumenthal asked Attorney General Eric Holder to look into the possibility of civil or criminal liability for the breach. He also asked Epsilon to provide more information about the incident.
-http://gcn.com/articles/2011/04/07/epsilon-hack-investigation-us-attorney-genera
l.aspx

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/