SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #46

June 10, 2011

UPDATE: Spanish police announced this morning that they have arrested
three alleged members of Anonymous.
http://www.theregister.co.uk/2011/06/10/spain_anonymous_arrests/

---

TOP OF THE NEWS

RSA to Replace SecurID Tokens Upon Request
Judge Says Bank Not Liable/Responsible for Losses from Fraudulent ACH Transactions
World IPv6 Day Turns Up Few Surprises

THE REST OF THE WEEK'S NEWS

Citigroup Acknowledges Data Breach
US $15 Million Seized From Account of Alleged Scareware Scammer
National Security Experts Say Most Cyber Attacks Do Not Justify Use of Force
Oracle Java S7 Update Addresses 17 Vulnerabilities
US Dept. of Commerce Proposes Voluntary Cyber Security Code for Online Businesses
Pennsylvania School District Faces Third Lawsuit Over Laptop Tracking Software
Greek Man Arrested In Connection with Attacks on US and French Government Web Sites
Four Indicted in Skimming Operation
Researcher to Present SCADA Vulnerabilities at August Conference

---

***************************************************************************

TRAINING UPDATE

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- Security Impact of IPv6 Summit, Washington DC, July 15-16, 2011
http://www.sans.org/ipv6-summit-2011/

- -- SANS Boston 2011, Boston, MA, August 6-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- -- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 44 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Ottawa and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

******************* SPONSORED BY eEye Digital Security *******************

Free Vulnerability Scanner More than 5000 of your peers already use this tool - eEye's latest free vulnerability scanner, Retina Community. No "trial period" or expiration date, Retina Community scans your network (up to 32 IPs) to identify vulnerabilities (including zero-day), configuration issues, and missing patches across operating systems, applications, devices, and virtual environments. Download it free now.

http://www.sans.org/info/79638

****************************************************************************

---

TOP OF THE NEWS

RSA to Replace SecurID Tokens Upon Request (June 6 & 7, 2011)

RSA Security says it will replace tokens for SecurID customers who ask for replacements. The announcement comes nearly three months after the security company acknowledged a breach that compromised the efficacy of the tokens designed to authenticate users for access to systems. RSA has confirmed that a computer network security breach at US defense contractor Lockheed Martin involved the use of information stolen from RSA in the March breach. Internet Storm Center:
-http://isc.sans.org/tag.html?tag=rsa
-http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
-http://www.pcworld.com/businesscenter/article/229553/after_hack_rsa_offers_to_re
place_secureid_tokens.html
-http://www.theregister.co.uk/2011/06/06/lockheed_martin_securid_hack/
[Editor's Comment (Schultz): The RSA breaks-ins are likely to be the headline story when cybersecurity events are reviewed at the end of this year. These break-ins have already caused untold anxiety and confusion within the U.S. government as well as within the defense contractor community. Meanwhile, RSA is likely not only to lose millions of dollars in making things as right as possible with its customers, but is also likely to face a barrage of lawsuits.
(Northcutt): Step in the right direction, good for RSA.
(Honan): A number of institutions in Australia are already replacing their tokens especially after a recommendation to do so by the Australian Defence Signals Directorate, the Australian government agency responsible for setting security policies,
-http://www.zdnet.com.au/dsd-tells-agencies-to-replace-rsa-tokens-339316614.htm.
It should be noted that we despite this offer from RSA there is no official confirmation from RSA as to whether data relating to the tokens were compromised. I outline a number of steps to manage the risks resulting from this breach on your network at
-http://www.net-security.org/secworld.php?id=11136]

Judge Says Bank Not Liable/Responsible for Losses from Fraudulent ACH Transactions (June 6, 7, 8 & 9, 2011)

A judge in Maine says that Ocean Bank is not responsible for fraudulent financial transactions that cost a local business more than US $300,000. Magistrate Judge John Rich said that Patco Construction Company should have taken better care to protect account access credentials. In the last several years, US small and medium-sized businesses have lost hundreds of millions of dollars to fraudulent automated clearinghouse (ACH) transfers. Although the judge agreed that the bank's security measures "were not optimal," he said that the law does not require banks to implement the best measures available, and that measures in place at Ocean Bank were comparable to those in place at other banks. The ruling is a recommendation and must be formally adopted by the overseeing judge.
-http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-e
banking-security/
-http://www.wired.com/threatlevel/2011/06/bank-ach-theft/
-http://www.theregister.co.uk/2011/06/09/banking_trojan_victim_loses/
-http://www.bankinfosecurity.com/articles.php?art_id=3705
-http://krebsonsecurity.com/wp-content/uploads/2011/06/PatcoRecommendedDecision.p
df
[Editor's Note (Paller): The story here is that although many banks protect individual depositors whose money is stolen through cyber bank fraud, increasingly the banks do not protect businesses - even small businesses you run out of your own homes. ]

World IPv6 Day Turns Up Few Surprises (June 9, 2011)

The 24-hour World Ipv6 Day appears to have done what it was supposed to do - identify areas that need attention as the migration from IPv4 to IPv6 takes place over the next few years. More than 400 organizations tested the next generation standard on their websites. IPv6 provides vastly greater address space than the current IPv4 protocol.
-http://www.computerworld.com/s/article/9217459/World_IPv6_Day_draws_attention_to
_security_issues_with_new_protocol
-http://www.networkworld.com/community/blog/world-ipv6-day-doubles-ipv6-traffic-s
pecial-microsoft-patch
-http://arstechnica.com/web/news/2011/06/world-ipv6-day-went-mostly-smoothly-with
-a-few-surprises.ars
-http://www.eweek.com/c/a/IT-Infrastructure/World-IPv6-Day-Ends-Everyone-Goes-Bac
k-to-IPv4-892166/
[Editor's Note (Ullrich): The Internet Storm Center (ISC) website had a significant increase in incoming IPv6 connections. But likely everybody else reported, we didn't see any problems. And if you have any responsibility for IPv6, check out the Security Impact of IPv6 Summit, Washington DC, July 15-16, 2011
-http://www.sans.org/ipv6-summit-2011/
(Honan): Arbor Networks has a good analysis of what they observed during the day with a number of links to some other good resources
-http://asert.arbornetworks.com/2011/06/world-ipv6-day-final-look-and-wagons-ho/.
The key message coming from most commentators is that we face significant challenges regarding IPv6 and security. If you have not looked at those issues yet I highly recommend that you start preparing now for the inevitable change that is coming. ]

---

*************************** SPONSORED LINKS ******************************

1) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/79643

2) McAfee and Brocade release results of 2011 Data Center Survey. Click here to learn more. http://www.sans.org/info/79648http://www.sans.org/info/79363

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Citigroup Acknowledges Data Breach (June 9, 2011)

Citigroup says that cyber attackers may have compromised account details for approximately 210,000 of its credit card customers. The breach affected Citi Account Online systems; the compromised data include names, email addresses and account numbers, but PINs, card security codes (CVVs) and other data are held on different systems (and apparently were not affected by the intrusion ]
. The breach was discovered during "routine monitoring," and occurred last month. Citigroup is contacting affected customers to notify them of the breach.
-http://www.theregister.co.uk/2011/06/09/citibank_hack_attack/
-http://www.bbc.co.uk/news/technology-13711528
-http://www.computerworld.com/s/article/9217486/Citigroup_breach_exposed_data_on_
210_000_customers?taxonomyId=17

US $15 Million Seized From Account of Alleged Scareware Scammer (June 9, 2011)

Federal authorities have confiscated nearly US$15 million from a Swiss bank account belonging to a man who allegedly ran a highly profitable scareware scheme and sold phony security software. Shaileshkumar "Sam" Jain has been indicted and charged with wire fraud, mail fraud and trafficking of counterfeit goods. The scheme involved spam and Internet advertising to spread the scareware and sell the bogus software. Jain is currently at large outside the US.
-http://www.theregister.co.uk/2011/06/09/federal_seizure/
-http://www.networkworld.com/news/2011/060911-scareware-mogul.html

National Security Experts Say Most Cyber Attacks Do Not Justify Use of Force (June 8, 2011)

In a session titled Vulnerability Assessment: Lessons from Four Cyber Events, a panel of four national security experts at the Center for Strategic and International Studies (CSIS) Global Security Forum 2011 on June 8, 2011 discussed when an event justifies military response. The discussion follows just days after the US Department of Defense said that it could use force in response to certain cyber attacks. An audio recording to the session is available on the CSIS site below.
-http://www.computerworld.com/s/article/9217456/Experts_Few_cyberattacks_are_caus
e_for_major_retaliation?taxonomyId=17
-http://csis.org/event/global-security-forum-2011-vulnerability-assessment-lesson
s-four-cyber-events

Oracle Java S7 Update Addresses 17 Vulnerabilities (June 8, 2011)

On Wednesday, June 8, Oracle released an update to address 17 flaws In Java SE. All 17 vulnerabilities could be exploited to execute code remotely without authentication. Nine of the vulnerabilities were given a 10 out of 10 security risk. The update is available for Windows, Linux and Solaris; Apple users will not have a fix until Apple issues an update to address the flaws.
-http://www.eweek.com/c/a/Security/Oracles-Java-Update-Fixes-17-Remote-Execution-
Vulnerabilities-549494/
-http://www.infoworld.com/d/application-development/oracle-fixes-17-bugs-in-java-
security-update-488
-http://www.theregister.co.uk/2011/06/08/java_security_update/

US Dept. of Commerce Proposes Voluntary Cyber Security Code for Online Businesses (June 8, 2011)

A report from the US Department of Commerce proposes the development of a set of voluntary cyber security standards for non-critical infrastructure entities, what it is calling the "Internet and Information Innovation Sector." The report does not offer much in the way of specific details about the proposed code, but does recommend the adoption of the Domain Name System Security protocol extensions.
-http://www.nextgov.com/nextgov/ng_20110608_8211.php?oref=topnews
-http://thehill.com/blogs/hillicon-valley/technology/165403-obama-administration-
proposes-voluntary-cybersecurity-standards-for-web-firms
-http://www.theregister.co.uk/2011/06/08/doc_security_paper/
-http://www.computerworld.com/s/article/9217444/U.S._agency_calls_for_new_cyberse
curity_standards?taxonomyId=17
-http://www.commerce.gov/news/press-releases/2011/06/08/commerce-department-propo
ses-new-policy-framework-strengthen-cybersec

Pennsylvania School District Faces Third Lawsuit Over Laptop Tracking Software (June 8, 2011)

The Lower Merion School District in Ardmore, Pennsylvania is facing a third lawsuit over its use of tracking and security software on laptops distributed to students. The school district was sued in February 2010 by the family of Blake Roberts; the district paid Roberts US $175,000 for taking pictures and screenshots with the computer while it was in his home. The district settled a second lawsuit brought last year by another student for US $10,000. A new lawsuit, filed on June 6, 2011 by Joshua Levin, a 2009 high school graduate, alleges that the school district violated his civil rights and privacy when it remotely used the built-in camera in the laptop to take more than 8,000 pictures and screenshots. A spokesperson for the school district says that Levin's case is "solely motivated by monetary interests."
-http://www.wired.com/threatlevel/2011/06/webcam-scandal-resurfaces/
-http://www.computerworld.com/s/article/9217439/Penn._school_district_hit_with_ne
w_Mac_spying_lawsuit?taxonomyId=17
[Editor's Comment (Ranum): That's an utterly bizzare response to a lawsuit: "they just are in it for the money." And, why not? What the school district did seems incredibly stupid, and left them open to such punitive damages. What about the word "punitive" does not compute, Mr Spokesman? The idea is to show why it's a bad idea, since, apparently, that's the only way some people learn.
(Northcutt): 8,000 pictures and screenshots posted without permission would make me consider filing suit for other than "monetary interests". If true, how can they possibly justify that level of privacy invasion of an underage kid? ]

Greek Man Arrested In Connection with Attacks on US and French Government Web Sites (June 8, 2011)

Greek law enforcement authorities have arrested an 18-year-old on charges of computer fraud, forgery, data use and violations for allegedly breaking into websites at Interpol and French and US government entities, including the FBI and the Pentagon. The man is also suspected of conducting distributed denial-of-service (DDoS) attacks against websites between February 2008 and February 2009, when he was 16.
-http://articles.cnn.com/2011-06-08/world/greece.hacker.arrest_1_greek-police-fbi
-hacker-credit-cards?_s=PM:WORLD
-http://www.computerworld.com/s/article/9217453/Greek_police_arrest_teen_on_hacki
ng_charges?taxonomyId=17
-http://www.theregister.co.uk/2011/06/08/greek_police_arrest_pentagon_hack_suspec
t/

Four Indicted in Skimming Operation (June 7, 2011)

US federal prosecutors have indicted four men in connection with a skimming operation that stole more than US $1.5 million from bank accounts. The men, three from Romania and one from Austria, allegedly used magnetic stripe information and PINs stolen with keyboard overlays to clone payment cards. Accounts at Citibank and JP Morgan Chase were among those affected. The group allegedly conducted their scheme at banks in Manhattan, Chicago and Miami.
-http://www.computerworld.com/s/article/9217399/Four_indicted_in_1.5M_ATM_skimmin
g_operation?taxonomyId=17
-http://www.theregister.co.uk/2011/06/07/atm_skimming_indictment/

Researcher to Present SCADA Vulnerabilities at August Conference (June 6, 2011)

The researcher who pulled his presentation about vulnerabilities in Siemens SCADA products from a talk scheduled for a May conference in Dallas says he will present his findings at the Black Hat conference in Las Vegas, Nevada in August. Dillon Beresford cancelled his presentation at the conference last month after learning that Siemens had not yet fixed the vulnerabilities in its S7 programmable logic controller that he was going to talk about. NSS Labs, the company where Beresford works, expects Siemens to release fixes for the vulnerabilities before the conference.
-http://www.pcworld.com/businesscenter/article/229544/after_delay_hacker_to_show_
flaws_in_siemens_industrial_gear.html

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login