SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #40

May 20, 2011


Just 13 days until the early registration deadline for SANSFIRE 2011
(Washington, DC) saving you $400. 27 full-week immersion courses and a
dozen new short courses. Plus the free SANS @NIGHT presentations at
SANSFIRE are better than regular presentations at most other conferences
because they tell "what have we just learned" updates from the handlers
at the Internet Storm Center.
Info at: http://www.sans.org/sansfire-2011
Alan

TOP OF THE NEWS

Senators Want Laws to Address Smartphone Data Privacy
Researchers Cancel Presentation on SCADA Vulnerabilities
Proposed Update to Electronic Surveillance Law Addresses Cloud Privacy Concerns
Reitinger Confident His Team Will Successfully Implement Cybersecurity Plans at DHS

THE REST OF THE WEEK'S NEWS

Sony Treading Carefully After PSN Relaunch
Google Rolling out Fix for Android Vulnerability
P2P Monitoring Company Leaks Data
Terry Childs Completes Prison Sentence, Now Must Pay US $1.5 Million
Suspended Sentence for Stealing Log-in Credentials
SpyEye Targets Verizon Customers
South Korean Financial Authority Will Penalize Hyundai Capital Over Breach

INVITATION: GET INVOLVED IN SCORE

Get Involved in SCORE


*****************************************************************

TRAINING UPDATE

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 5 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 43 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, London, Austin, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************* SPONSORED BY Symantec ***************************

Modern malware rarely strikes the same way twice. Today's malicious code rapidly mutates, bypassing traditional defenses. Traditional antivirus approaches no longer work. Download the Symantec Endpoint Protection 12 beta to see how Symantec can help mitigate threats today and tomorrow for both small businesses and the largest enterprises. http://www.sans.org/info/77844

****************************************************************************

TOP OF THE NEWS

Senators Want Laws to Address Smartphone Data Privacy (May 19, 2011)

US legislators are calling for laws that protect smartphone users from having their location tracked. Senators Jay Rockefeller (D-WVa.) and John Kerry (D-Mass.) told the Senate Commerce, Science and Transportation Committee Subcommittee on Consumer Protection that there needs to be legislation that gives consumers control of their location information on smartphones and personal data on the Internet. They also said that the smartphone app market needs to be regulated because, with this sector of the market expanding so rapidly, "many consumers do not understand the privacy implications of their actions."
-http://www.bloomberg.com/news/2011-05-19/google-s-davidson-defends-company-s-use-of-mobile-location-data.html
-http://www.computerworld.com/s/article/9216864/Senators_New_smartphone_tracking_law_needed?taxonomyId=17

[Editor's Note (Pescatore): I really don't think new laws are needed; the FTC is doing a good job chasing this kind of stuff down. Increasing the FTC funding to enforce existing regulations would be much better than more laws at the same time enforcement budgets are being cut. ]

Researchers Cancel Presentation on SCADA Vulnerabilities (May 18 & 19, 2011)

A scheduled presentation about vulnerabilities in certain supervisory control and data acquisition (SCADA) products has been cancelled. The presentation on flaws in the programmable logic controllers in certain Siemens products was to have been made on Wednesday, May 18 at the Takedown Security conference in Texas. However, Siemens and the US Department of Homeland Security (DHS) contacted the presenters and asked them to postpone presenting the information until Siemens has time to issue a fix.
-http://www.wired.com/threatlevel/2011/05/siemens-scada-vulnerabilities/
-http://www.computerworld.com/s/article/9216867/
-http://www.theregister.co.uk/2011/05/19/scada_vuln_talk_cancelled/
-http://news.cnet.com/8301-27080_3-20064112-245.html?tag=mncol;title

Proposed Update to Electronic Surveillance Law Addresses Cloud Privacy Concerns (May 17 & 18, 2011)

US Senator Patrick Leahy (D-Vermont) has introduced legislation that would reform electronic surveillance law. The Electronic Communications Privacy Act Amendments Act would require US law enforcement agencies to obtain probable cause warrants prior to accessing data stored with third-party providers, an increasingly timely issue with the growing popularity of cloud services. The ECPA, enacted in 1986, allows law enforcement agencies to access certain email and files stored in the cloud for more than 180 days with a subpoena. The proposed legislation would also require warrants when law enforcement agencies want to obtain geolocation information of mobile phone users.
-http://www.computerworld.com/s/article/9216796/Senator_introduces_electronic_surveillance_reform_bill?taxonomyId=17
-http://www.wired.com/threatlevel/2011/05/cloud-content-warrants/
-http://thehill.com/blogs/hillicon-valley/technology/161903-industry-privacy-advocates-praise-digital-privacy-bill

[Editor's Note (Honan): The US government's ability to access data held on US providers' systems raises a lot of concerns with CISOs outside of the US. Despite setting up regional-only clouds, such as European clouds to meet with EU Data Protection requirements, many European companies are looking at non-US providers over fears their data could be accessed under the US Patriot Act. The following article from ZDNET, "USA PATRIOT Act: The myth of a secure European cloud?", gives a good overview of the issues.
-http://www.zdnet.com/blog/igeneration/usa-patriot-act-the-myth-of-a-secure-european-cloud/8807

(Schultz): Law enforcement access to data in the cloud is yet another of many very serious issues concerning data confidentiality in the cloud. Data security issues comprise the number one security risk in connection with cloud services. ]

Reitinger Confident His Team Will Successfully Implement Cybersecurity Plans at DHS (May 19, 2011)

Top DHS cyber security official Philip Reitinger will step down from his position as Deputy Undersecretary of the National Protection and Programs Directorate and Director of the National Cyber Security Center on June 3, 2011. In his time at DHS, Reitinger has been instrumental in nearly tripling agency cyber security staff. He is also responsible for helping create cyber security legislation that would give DHS increased authority, including oversight of cyber security at civilian federal agencies. Reitinger will testify at three hearings regarding the proposed legislation before his departure. He is confident that his team will implement the plans he helped put in place. One name that has been cited as a potential successor to Reitinger is former Air Force CIO John Gilligan.
-http://thehill.com/blogs/hillicon-valley/technology/162279-top-dhs-cyber-security-official-explains-departure
-http://www.nextgov.com/nextgov/ng_20110519_5961.php?oref=topnews
-http://www.theatlantic.com/technology/archive/2011/05/homeland-securitys-top-cybersecurity-official-resigns/239136/

[Editor's Note (Paller): Gilligan is a brilliant choice for leadership in cyber at DHS. No one else in government has shown that security can be radically improved while lowering costs - an absolute necessity in the coming era of tight budgets. If the White House and DHS choose a proven operational leader like Gilligan, they will be demonstrating that they believe cybersecurity is important enough to take action to make the government's internal cybersecurity a model of effectiveness for the critical infrastructure. ]

THE REST OF THE WEEK'S NEWS

Sony Treading Carefully After PSN Relaunch (May 18, 2011)

In the midst of restoring its PlayStation network (PSN), Sony had to take part of it offline for a short while on May 18 due to an issue that could have allowed people to take over other users' accounts. The online sign-in feature for PSN, Qriocity and other sites remains unavailable; users may reset their passwords on their PS3 consoles. Despite reports to the contrary, Sony says PSN did not suffer another attack.
-http://www.computerworld.com/s/article/9216834/Sony_takes_down_part_of_PlayStation_Network_after_URL_error?taxonomyId=17

-http://www.informationweek.com/news/security/attacks/229502476
-http://www.theregister.co.uk/2011/05/18/sony_playstation_account_hijacking/
-http://www.bbc.co.uk/news/technology-13454201
-http://www.reuters.com/article/2011/05/18/us-sony-idUSTRE74C70420110518
[Editor's Note (Pescatore): If they really want to tread carefully, they should remove all requirements for credit cards to be used until they have had a ground up review and can be positive they will not put customers at risk.
(Honan): Looks like one of Sony's servers, not part of the PSN, got hacked and is serving up a phishing site.
-http://www.theregister.co.uk/2011/05/20/sony_phishing/ ]

Google Rolling out Fix for Android Vulnerability (May 18 & 19, 2011)

Google is rolling out a fix for a vulnerability in the majority of Android phones that allows attackers to access and modify users' Google contacts and calendar when they are being accessed over unsecured Wi-Fi networks. The flaw affects versions 2.3.3 and earlier of the Android platform, which are running on 99.7 percent of Android devices. The fix does not require action from users; it will be pushed out automatically.
-http://www.washingtonpost.com/blogs/faster-forward/post/google-fixing-android-security-flaw/2011/05/18/AF8FkZ6G_blog.html?wprss=faster-forward

-http://www.theregister.co.uk/2011/05/18/google_android_security_fix/
-http://www.bbc.co.uk/news/technology-13454198

P2P Monitoring Company Leaks Data (May 17, 18 & 19, 2011)

A company that helps the French government with its anti-piracy efforts has come under cyber attack. Trident Media Guard monitors filesharing networks for illegal activity to help the government with its three-strikes anti-piracy policy. Hadopi, the French government agency responsible for enforcing the filesharing policy, has temporarily suspended its connection with TMG after the company suffered an attack that compromised sensitive information. The leaked information reportedly includes the IP addresses of some suspected illegal filesharers.
-http://www.infosecurity-magazine.com/view/18069/french-piracy-monitoring-firms-website-hacked/
-http://www.scmagazineuk.com/french-p2p-monitoring-firm-hit-by-hackers/article/203122/
-http://www.wired.com/threatlevel/2011/05/tmg/
-http://www.theregister.co.uk/2011/05/17/french_piracy_monitor_hacked/
-http://www.h-online.com/security/news/item/Report-data-leak-slows-French-copyright-agency-1245914.html

Terry Childs Completes Prison Sentence, Now Must Pay US $1.5 Million (May 18 & 19, 2011)

Terry Childs, the former San Francisco Department of Technology network engineer who used passwords to lock users out of a city government computer network, has been ordered to pay nearly US $1.5 million to the city for costs incurred because of the lockout. The network was inaccessible for 12 days in July 2008. Childs has completed his prison sentence and is now on parole.
-http://www.theregister.co.uk/2011/05/18/sf_bofh_damages/
-http://www.sfgate.com/cgi-bin/blogs/crime/detail?entry_id=89240&tsp=1
-http://www.v3.co.uk/v3-uk/silicon-valley-sleuth-blog/2072106/rogue-san-francisco-administrator-gbp15m-fine
-http://abcnews.go.com/Technology/wireStory?id=13634087

Suspended Sentence for Stealing Log-in Credentials (May 18, 2011)

UK university student Paul McLouglin received an eight-month suspended sentence for using a Trojan horse program to gain access to people's computers. McLouglin tricked users into downloading the malware by disguising it as a code-generation key for online gaming and making it available on a filesharing network. The Trojan, Istealer, harvests online account login credentials and uploads them to a remote server. Authorities say that McLouglin accessed at least 20 accounts through information he obtained with the malware.
-http://www.theregister.co.uk/2011/05/18/gaming_trojan_conviction/

SpyEye Targets Verizon Customers (May 18, 2011)

Users whose computers were infected with the SpyEye Trojan horse program may have exposed their personal information to attackers. The malware waits until users log into certain sites, in this case Verizon, then serves up a form asking for sensitive information such as Social Security numbers (SSNs) and credit card data. Because users have already logged in to the site on their own, they are more likely to trust that the requests for information are legitimate. The attacks targeting Verizon customers occurred between May 7 and 13.
-http://redtape.msnbc.msn.com/_news/2011/05/19/6672216-verizon-wireless-customers-targeted-in-nearly-invisible-trojan-horse-scam

South Korean Financial Authority Will Penalize Hyundai Capital Over Breach (May 18, 2011)

South Korea's Financial Supervisory Service (FSS) will impose a penalty on Hyundai Capital Services Inc. for failing to take adequate precautions with computer system maintenance. Between March 6 and April 7 of this year, attackers broke into Hyundai Capital computer systems, stole sensitive customer information and threatened to post it to the Internet if they were not paid 500 million won (US $462,000) in cash. According to the FSS, the breach affected 1.75 million customers. The FSS will send the case to its disciplinary decision committee to determine what the penalty will be.
-http://english.yonhapnews.co.kr/business/2011/05/18/55/0503000000AEN20110518003500320F.HTML
-http://www.koreatimes.co.kr/www/news/biz/2011/05/123_87197.html

INVITATION: GET INVOLVED IN SCORE

INVITATION: Get Involved with SCORE

Want to get more involved with SANS? Want to share your IT Security knowledge? Join the SANS Security Consensus Operational Readiness Evaluation (SCORE) Project! Help SCORE make the online world a safer place.

SCORE guides recently added/updated include:
-Installing RedHat/CentOS
-Malicious File Investigation Procedures
-Rootkits Investigation Procedures

We are currently looking for contributors and authors in the following technical areas (if your area is not in this list and you'd like to contribute, don't be afraid to contact us with your idea):
-Microsoft Windows 7 Security
-OS X (iPad/iPhone) Security
-OS X Security
-Microsoft Windows 2008 Server Security
-Virtual Machines
-How/Where Trojans hide
-Ubuntu Linux
-Redhat Linux
-General Linux
-Cloud Security
-Rootkits
-Malware Analysis Static
-Malware Analysis Dynamic
-Using Olly Debug for malware analysis
-Using IDA Pro for malware analysis
-MySQL Security
-Webserver Security and Testing
-Juniper JunOS
-PostgreSQL

If you are a subject matter expert or aspiring to be one, are interested in becoming more involved in the security community (specifically SANS) and/or would like to have the opportunity to benefit from contributing to projects of this type, please email the following information to the SCORE project lead - Darren Bennett (dlbennett@gmail.com).

------------------------------------------------------------------------
Name:
Area(s) of expertise:
Contact information (Email):
Availability:
------------------------------------------------------------------------

While I haven't been asked this question, I'd personally be asking "What's in it for me?" The following is a list of benefits for contributing to SCORE:

*Helping to increase security awareness.
*Having your name credited as an author (or contributor) on one of the projects.
*Networking. This is a great way to meet other security experts and share information.
*CPEs for CISSP credits.
*Recognition within the security community.
*Becoming more involved with a great organization, SANS!

To see some examples of popular SCORE checklists, check out the following:

The SCORE RedHat/CentOS Checklist
-http://www.sans.org/score/redhatchecklist.php

The SCORE Oracle Checklist (V3.1)
-http://www.sans.org/score/oraclechecklist.php

The SCORE OSX Checklist **
-http://www.sans.org/score/macosxchecklist.php

The SCORE Windows 2000/XP DSS Auditing Checklist **
-http://www.sans.org/score/win2k_xp_checklist.php

** This list is popular and could use updating. If you are a subject matter expert in this area, please let me know!

SCORE (Security Consensus Operational Readiness Evaluation) index:
-http://www.sans.org/score/index.php

I look forward to hearing from you! Please email me the information requested above and I will put you in contact with other team members, the team leader or the SANS contact you will be working with. Do not hesitate to email me with questions or suggestions.

"Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison

V/r,
Darren Bennett
dlbennett@gmail.com

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/