SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #34

April 29, 2011

TOP OF THE NEWS

Some Customer Data Permanently Destroyed in Amazon Cloud Crash
Audit Finds FBI's Cyber Security Capabilities Not Maximized
US Federal Authorities Will Remotely Purge Coreflood from PCs with Written Permission

THE REST OF THE WEEK'S NEWS

Sony Admits Data Were Stolen in PSN Breach; Lawsuits Filed
FBI Warns of Fraudulent Wire Transfers to China
Chrome Update Addresses 27 Vulnerabilities
Researcher Finds Holes in Chinese Government Networks
Unprotected Wi-Fi Network Bring False Accusations of Illegal Activity
Government Drops Investigation of Warrantless Wiretapping Whistleblower
Evolution of Cyber Security Competitions

---

*****************************************************************

TRAINING UPDATE

- -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses.
http://www.sans.org/virginia-beach-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************** SPONSORED BY ORACLE **************************

REGISTER NOW for the upcoming webcast: Balancing Strong Authentication and Context-aware Security WHEN: Wednesday, May 4th at 1:00 PM ET

Featuring: Mark Karlstrand

Go To: http://www.sans.org/info/76694 ****************************************************************************

---

TOP OF THE NEWS

Some Customer Data Permanently Destroyed in Amazon Cloud Crash (April 28, 2011)

The crash of Amazon's cloud services not only inconvenienced its customers because of web site inaccessibility, but in some cases, data were permanently destroyed. A thorough explanation of the crash has not yet been offered. Two businesses that use Amazon's cloud services managed to continue running undisrupted during the crash because they had taken measures themselves to protect themselves from such an incident.
-http://technolog.msnbc.msn.com/_news/2011/04/28/6549775-amazons-cloud-crash-dest
royed-many-customers-data
-http://www.informationweek.com/news/cloud-computing/infrastructure/229402385
[Editor's Note (Ranum): You can put your data in the cloud - it's getting it back that's the hard part.
(Schultz): Amazon has an excellent reputation as a cloud service provider; I am baffled by what happened. At the same time, there is a huge lesson to be learned here--never, never completely rely on a cloud provider for anything--always have a plan B, as the two businesses mentioned in this story so nicely illustrate. ]

Audit Finds FBI's Cyber Security Capabilities Not Maximized (April 27 & 28, 2011)

According to an audit report from the US Department of Justice inspector general (IG), one-third of 36 agents interviewed lacked the necessary skills to investigate cyber intrusions. The audit examined the FBI's ability to deal with the threat of national cyber security intrusions and finds major faults in the operations of the NCIJTF - the National Cyber Investigative Joint Task Force. Each of the FBI's 56 field offices has at least one cyber squad but the report finds fault in the level of skills those field agents have.
-http://www.csoonline.com/article/680869/doj-report-critical-of-fbi-ability-to-fi
ght-national-cyber-intrusions
The redacted report is posted at:
-http://www.justice.gov/oig/reports/FBI/a1122r.pdf
">
-http://www.justice.gov/oig/reports/FBI/a1122r.pdf

-http://www.scmagazineus.com/audit-doubts-fbis-ability-to-combat-cyberthreats/art
icle/201657/
-http://www.justice.gov/oig/reports/FBI/a1122r.pdf
">
-http://www.justice.gov/oig/reports/FBI/a1122r.pdf

[Editor's Note (Paller): This IG report is particularly defective. The NCIJTF is one of the most valuable and effective organizations the nation has ever had in cyber security -- measured in actual impact. It is a huge success story. The IG's findings are equivalent to saying that the NCIJTF cured cancer but their work is inadequate because they haven't also cured the common cold. Further, the finding that field offices have inadequate forensic and analytical capabilities completely misses the fact that analytical and forensics people with the high skills needed for those jobs are not available anywhere. Every three-letter agency and military organization and major defense contractor has a critical shortage (numbering in the thousands cumulatively) of the forensics hunters and tool builders needed to do cyber analysis at world-class levels. ]

US Federal Authorities Will Remotely Purge Coreflood from PCs with Written Permission (April 27 & 28, 2011)

Over the next month, federal authorities will remove Coreflood botnet malware from some infected PCs remotely. Prior to conducting the remote activity, the Department of Justice will identify the owners of the infected machines, and the owners must submit an authorization form to the FBI. Two weeks, ago, federal authorities obtained a court order allowing them to seize five Coreflood command-and-control servers; the US Marshall's service replaced those servers with others that disabled the malware on most of the infected PCs.
-http://www.computerworld.com/s/article/9216199/Feds_to_remotely_uninstall_Corefl
ood_bot_from_some_PCs?taxonomyId=82
-http://www.technewsworld.com/story/72349.html?wlc=1304020269&wlc=1304033880
-http://www.theregister.co.uk/2011/04/27/coreflood_mass_uninstall/
-http://www.securecomputing.net.au/News/255694,fbi-details-difficulties-defanging
-coreflood-botnet.aspx
-http://www.wired.com/threatlevel/2011/04/coreflood_results/

---

THE REST OF THE WEEK'S NEWS

Sony Admits Data Were Stolen in PSN Breach; Lawsuits Filed (April 28, 2011)

Sony says that the credit card information stolen in a security breach of its PlayStation network (PSN) was encrypted. Other information, including names and associated email addresses, was not encrypted. Sony took the PSN down on Friday, April 22, three days after discovering the intrusion, but did not acknowledge that user data were stolen until the evening of Tuesday, April 26. As many as 77 million customers may be affected by the breach. Lawsuits have been filed against Sony over the situation. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=10768
-http://www.pcmag.com/article2/0,2817,2384561,00.asp
-http://www.informationweek.com/news/security/attacks/229402362
-http://www.bbc.co.uk/news/technology-13192359
-http://www.bloomberg.com/news/2011-04-28/sony-faces-lawsuit-regulators-scrutiny-
over-playstation-user-data-breach.html
-http://www.scmagazineus.com/sony-confirms-playstation-network-cards-were-encrypt
ed/article/201655/
[Editor's Note (Pescatore): The credit card information may have been encrypted, but there were quotes that a Sony admin password had been compromised - were the data encryption keys compromised, as well?
(Honan): There are reports, yet to be confirmed, that up to 2.2 million credit cards have actually been compromised despite Sony's claims.
-http://www.siliconrepublic.com/digital-life/item/21595-psn-hackers-took-2-2/
-http://bits.blogs.nytimes.com/2011/04/28/hackers-claim-to-have-playstation-users
-card-data/]

FBI Warns of Fraudulent Wire Transfers to China (April 26 & 27, 2011)

The FBI has issued a fraud alert warning of unauthorized wire transfers to China. Between March 2010 and April 2011, the FBI noted 20 incidents of fraudulent wire transfers ranging from US $50,000 to US $985,000. In all, cyber thieves have stolen US $20 million from US businesses using these fraudulent wire transfers. The money has been sent to companies in China near the Russian border. Online banking credentials were stolen to conduct the fraudulent transactions. The FBI recommends that banks alert business customers of suspicious wire transfers going to any of the cities on a list specified in the alert and that all transfers to those locations be carefully scrutinized.
-http://krebsonsecurity.com/2011/04/fbi-20m-in-fraudulent-wire-transfers-to-china
/
-http://www.informationweek.com/articles/229402300
-http://www.scmagazineus.com/fbi-warns-of-millions-lost-in-fraudulent-transfers-t
o-china/article/201573/
-http://www.v3.co.uk/v3-uk/news/2046033/fbi-warns-phishing-funds-flowing-china
-http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf

Chrome Update Addresses 27 Vulnerabilities (April 27, 2011)

Google has updated its Chrome browser, bringing the stable build of Chrome to version 11 for Windows, Mac OS X and Linux. The update addresses 27 vulnerabilities, for which Google paid out US $16,000 in bounties to 11 researchers who had reported 17 of the flaws. None of the vulnerabilities received a critical rating; 18 were rated high severity.
-http://www.eweek.com/c/a/Security/Google-Pays-16500-for-27-Chrome-Bugs-347739/
-http://www.computerworld.com/s/article/9216220/Google_patches_27_Chrome_bugs_pay
s_out_record_bounties?taxonomyId=85

Researcher Finds Holes in Chinese Government Networks (April 26, 2011)

Although China is often cast as the perpetrator in cyber attacks, one researcher has found that numerous Chinese government networks are vulnerable to attacks. Attackers have gained access to a database holding personal information, including names, passport numbers and results of psychological tests, of 11,000 people, some of whom are American citizens. Many of the Americans were not aware that their personal data were being held in the database, which is maintained by an agency in China that recruits foreign specialists for work. Other vulnerabilities in government systems could be exploited to eavesdrop on offices. The flaws were discovered by a US researcher.
-http://www.washingtontimes.com/news/2011/apr/26/chinese-databases-exposed-to-hac
kers/

Unprotected Wi-Fi Network Bring False Accusations of Illegal Activity (April 26, 2011)

A Buffalo, New York man found himself the object of a home raid by federal agents who accused him of downloading child pornography over his wireless network. Only after taking a desktop computer, iPads and iPhones from the home and examining them over a few days did federal agents clear the man of suspicion and pin the crime on a neighbor who had accessed the unprotected Wi-Fi network. The story is not unique; a similar incident occurred in Florida. The stories drive home the importance of home users securing their wireless routers.
-http://www.msnbc.msn.com/id/42740201/ns/technology_and_science-wireless/
-http://www.theregister.co.uk/2011/04/26/open_wifi_networks/

Government Drops Investigation of Warrantless Wiretapping Whistleblower (April 26, 2011)

The US government is no longer pursuing its investigation of a former Justice Department attorney who leaked information about the existence of the George W. Bush administration's warrantless wiretapping program at the National Security Agency (NSA). Thomas Tamm told the New York Times about the program's existence in 2004; the paper broke the story in December 2005.
-http://www.wired.com/threatlevel/2011/04/tamm/

Evolution of Cyber Security Competitions (April 2011)

The dearth of skilled cyber security professionals affects all sectors of the economy that depend on computers to function smoothly. Cyber security competitions help raise the visibility of the career path and identify raw talent that can be honed into a force of cyber security professionals with the necessary skills to protect and defend systems into the future. Cyber security competitions have evolved from events at hacker conferences to games of virtual capture the flag to Collegiate Cyber Defense Competitions and Cyber Boot Camps. Industry can help by sponsoring competitions, in-kind support and team participation.
-http://www.pymnts.com/educating-the-next-generation-of-security-professionals/
[Editor's Note (Honan): Each year at the Irish CERT's conference we run a cyber challenge competition, HackEire www.hackeire.com, which is based on the SANS 504 training course. It always generates a lot of interest in those wishing to practise and hone their skills but also interestingly in the business people who attend the conference to observe and learn how systems are attacked.]

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/