SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #49
June 21, 2011
A few hours ago Version 3 of the 20 Critical Security Controls was
released for public comment. This document matters right now because it
provides the underlying validation for the new FISMA continuous
monitoring reporting requirements mandated on June 1 for FY2011, as well
as the methodology that informed the U.S. State Department's hugely
successful cyber risk reduction initiative. It also provides the key
performance metrics agencies and companies are adopting to test the
effectiveness of their security controls. The new version is
cross-mapped with Australia's 35 Top Mitigation Strategies as well as
the NIST 800-53 controls. The 20 Critical Controls will be one of the
key forces shaping the future of cybersecurity management, so it is
probably worth taking the time to read it and send your suggestions.
Review and comment at http://www.sans.org/critical-security-controls/
Alan
TOP OF THE NEWS
LulzSec Member Allegedly Arrested
Judge Casts Doubt on Righthaven's Legal Standing to Bring Copyright Lawsuits
SCADA Vulnerabilities in Chinese Weapon Control Systems
MTGox Bitcoin Exchange Suffers Attack
Attackers Exploiting Just-Patched IE Flaw
THE REST OF THE WEEK'S NEWS
Flash Flaw is Being Actively Exploited
Sega Acknowledges Customer Data Stolen
UK Student Facing Extradition for Running Site With Links to Pirated Movies
Virgin Media Warns Users Infected With Spy Eye Trojan
Man Indicted in Domain Name Extortion Scheme
Prison Sentence for Cyber Extortion Scheme
************ SPONSORED BY Raytheon Trusted Computer Solutions ***********
OS hardening doesn't need to take hours or even days to complete. Instead of locking down your systems manually, try Security Blanket, the 'one click' hardening tool for Linux and Solaris. Whether you follow prescribed hardening guidelines like DISA STIGs or PCI, or use a custom configuration, Security Blanket has you covered. Free demo available! http://www.sans.org/info/80039
*************************************************************************** TRAINING UPDATE
-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/
-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 41 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/
-- SANS Boston 2011, Boston, MA, August 8-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/
-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/
-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/
-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/
-- Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Canberra, Melbourne and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************
TOP OF THE NEWS
LulzSec Member Allegedly Arrested (June 21, 2011)
A 19-year-old UK man named Ryan Cleary was arrested in a "pre-planned, intelligence-led" operation. According to the e-crimes unit of Scotland Yard, the raid was linked to the recent intrusion attacks on the websites of the CIA and Britain's Serious Organised Crime Agency (SOCA). A Scotland Yard spokesman said: "The arrest follows an investigation into network intrusions and distributed denial of service attacks against a number of international business and intelligence agencies by what is believed to be the same hacking group."
-http://www.theregister.co.uk/2011/06/21/alleged_hacker_held/
-http://www.scmagazineuk.com/teenager-arrested-in-essex-in-relation-to-lulzsec-attacks/article/205753/
-http://www.bbc.co.uk/news/technology-13859868
[Editor's Note (Honan): This comes in the wake of groups Anonymous and LulzSec banding together to form the "Anti-sec" movement and target computer systems of governments, banks and large corporations. Last night the website of SOCA was offline as a result of a DDOS attack.
-http://www.bbc.co.uk/news/technology-13848510]
Judge Casts Doubt on Righthaven's Legal Standing to Bring Copyright Lawsuits (June 20, 2011)
Righthaven, a company that has attempted to make a name for itself by suing people for online copyright infringement, is finding the ground crumbling beneath its legal feet. US District Judge Philip Pro has ruled that the reposting of an article did not violate copyright law. The case in question was brought against a man who posted an article from the Las Vegas Review-Journal in its entirety; Righthaven was seeking up to US $150,000 in damages. The company argued that the posting reduced the number of visitors to the original publication's site. Judge Pro also found that Righthaven did not have legal standing to bring the lawsuit. This is not the first time that Righthaven's legal standing to bring a copyright lawsuit has been questioned.
-http://www.wired.com/threatlevel/2011/06/fair-use-defense/
-http://www.vegasinc.com/news/2011/jun/20/righthaven-hit-third-fair-use-loss-over-r-j-materi/
SCADA Vulnerabilities in Chinese Weapon Control Systems (June 20, 2011)
The US Department of Homeland Security (DHS) has warned that supervisory control and data acquisition (SCADA) systems used to operate Chinese weapons systems are vulnerable to attacks. The warning appeared in an advisory from the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The vulnerabilities affect Sunway ForceControl and pNetPower SCADA/HMI applications. The vulnerabilities were discovered by NSS Labs researcher Dillon Beresford.
-http://www.eweekeurope.co.uk/news/chinese-weapon-systems-vulnerable-to-scada-hack-32020
-http://www.h-online.com/security/news/item/Critical-vulnerability-in-industrial-control-software-1263040.html
[Editor's Note (Schultz): I would not be at all surprised if a variant of Stuxnet that targets these vulnerabilities in these systems surfaces sometime in the future.
(Honan): These SCADA systems are also used in other industries and not just in Chinese weapon control systems. It is also worth noting that the ICS-CERT "co-ordinated with the researcher, China National Vulnerability Database (CNVD), and Sunway to ensure full remediation of the reported vulnerabilities." ]
MTGox Bitcoin Exchange Suffers Attacks (June 20, 2011)
Bitcoin virtual currency exchange MTGox was the target of a cyber attack that compromised usernames, email addresses and hashed passwords of more than 61,000 traders. The information was posted to the Internet. The price of Bitcoin crashed early on Monday, June 20, when an unusually large sell order was placed from a compromised account. MTGox plans to roll back all transactions that occurred after the fraudulent sell order. The Internet Storm Center posted Lenny Zeltser's terrific explanation of the attack:
-http://isc.sans.edu/diary.html?storyid=11059
-http://www.scmagazine.com.au/News/261016,bitcoin-exchange-hacked-61000-accounts-published.aspx
-http://www.wired.com/threatlevel/2011/06/gox/
-http://arstechnica.com/tech-policy/news/2011/06/bitcoin-price-plummets-on-compromised-exchange.ars
-http://www.zdnet.com/blog/security/bitcoin-market-flash-crash-and-database-leak-from-mtgox/8811
-http://www.pcmag.com/article2/0,2817,2387279,00.asp
-http://www.theatlantic.com/national/archive/2011/06/after-the-crash-whats-next-for-bitcoin/240696/
-http://blogs.forbes.com/timworstall/2011/06/20/so-thats-the-end-of-bitcoin-then/
[Editor's Comment (Northcutt): Hmmm, I thought the whole premise is that you can't roll back a transaction? Anyway, this reminds me of Digicrash, er uh, Digicash. It is amazing, but the SecondLife Linden Exchange seems to be the most stable of these systems so far.
-http://cryptome.org/jya/digicrash.htm
(Honan): This story about $500,000 being stolen from a hacked Windows PC may also have had an impact on the values.
-http://www.pcworld.com/article/230377/worlds_first_virtual_heist_bitcoin_user_loses_500000.html]
Attackers Exploiting Just-Patched IE Flaw (June 17, 2011)
One of the vulnerabilities Microsoft patched in a security bulletin on Tuesday June 14 is now being actively exploited. The fix for the Timed Interactive Multimedia Extensions memory corruption flaw was included in a cumulative fix for Internet Explorer (IE). The flaw affects IE 6, 7 and 8, but the exploit detected in the wild appears to affect just IE 8.
-http://www.scmagazineus.com/exploits-begin-for-patched-internet-explorer-bug/article/205558/
*************************** SPONSORED LINKS ******************************
1) Download the Symantec Endpoint Protection 12 Beta for unrivaled security and blazing performance. http://www.sans.org/info/80044
2) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/80049
3) Sign up for SANS Webcast: Practical Use of the Next-Generation Firewall to Control Advanced Malware sponsored by Palo Alto Networks. Go to http://www.sans.org/info/80054
****************************************************************************
THE REST OF THE WEEK'S NEWS
Flash Flaw is Being Actively Exploited (June 20, 2011)
Attackers are actively exploiting a vulnerability in Flash Player for which Adobe issued a patch last week. The flaw is being exploited through drive-by attacks on legitimate websites as well as through spear phishing attacks. The attacks infiltrate users' computers "in the background," leaving them unaware that their machines have been infected with malware. Adobe's director of product security and privacy Brad Arkin acknowledged that attackers are likely targeting Flash because of its ubiquity. Adobe has been focusing on getting out-of-cycle fixes released quickly when attacks exploiting zero-day flaws are detected in the wild.
-http://www.computerworld.com/s/article/9217758/Attackers_exploit_latest_Flash_bug_on_large_scale_says_researcher?taxonomyId=17
Sega Acknowledges Customer Data Stolen (June 19 & 20, 2011)
Sega, the video game company, says one of its databases has been hacked, exposing sensitive personal information of 1.3 million Sega customers. The Sega Pass website database contains customers' names, dates of birth, email addresses and encrypted passwords. Sega has notified affected customers of the breach. Payment information appears to be unaffected by the attack. Because of the information compromised, customers were warned to be on the lookout for suspicious communications seeking more personal data. The Sega Pass website has been temporarily disabled while Sega investigates the incident; the company has reset all user passwords. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=11065
-http://www.computerworld.com/s/article/9217747/Reports_Sega_customer_database_hacked?taxonomyId=17
-http://www.bbc.co.uk/news/technology-13829690
-http://www.scmagazineuk.com/lulzsec-says-it-was-not-responsible-for-sega-hack-as-it-marks-1000-tweets-with-mission-statements/article/205644/
UK Student Facing Extradition for Running Site With Links to Pirated Movies (June 17 & 20, 2011)
A UK student who allegedly ran a website that contained links to other sites hosting pirated content is facing extradition to the US to face charges of conspiracy to commit copyright infringement and criminal copyright infringement. A British court granted Richard O'Dwyer bail, the terms of which prohibit him from entering airports and other ports and from applying to register new domain names. If he is extradited and convicted of the charges in the US, O'Dwyer could face a five year prison sentence. O'Dwyer's lawyer says the extradition demands violate his client's human rights. O'Dwyer's website was hosted in the UK and UK laws pertinent to the situation already exist. If he is extradited, O'Dwyer would face harsher penalties.
-http://www.scmagazine.com.au/News/261008,student-faces-us-copyright-extradition.aspx
-http://www.zdnet.co.uk/news/regulation/2011/06/16/student-faces-extradition-to-us-for-hosting-links-40093132/?tag=mantle_skin;content
-http://www.telegraph.co.uk/technology/8580390/Expert-British-law-has-allowed-linking-to-pirated-material.html
-http://www.guardian.co.uk/law/2011/jun/17/student-file-sharing-tvshack-extradition
Virgin Media Warns Users Infected With Spy Eye Trojan (June 17, 2011)
Internet service provider (ISP) Virgin Media has warned about 1,500 customers that their computers have been infected with the SpyEye Trojan horse program. Virgin has provided the customers with advice from the UK's Serious Organised Crime Agency (SOCA) for cleaning their computers.
-http://www.scmagazineuk.com/virgin-media-warns-customers-about-spyeye-trojan-as-1500-users-found-to-be-part-of-botnet/article/205509/
-http://www.infosecurity-magazine.com/view/18785/virgin-media-works-with-soca-on-1500-spyeye-infections-/
-http://www.eweekeurope.co.uk/news/virgin-media-warns-customers-of-spyeye-infection-31982
[Editor's Comment (Northcutt): ISPs helping to notify their users may be the only way we can start to manage SpyEye, Sunspot etc.
(Honan): Well done to Virgin Media for taking this proactive step in reducing the amount of infected PCs on the Internet, hopefully other ISPs will follow their example. ]
Man Indicted in Domain Name Extortion Scheme (June 17, 2011)
A federal grand jury in San Jose, California has indicted an Indian man on charges of computer hacking and extortion for allegedly breaking into and taking over the MyDomain.com account of oDesk. Chetan Suresh Bendale allegedly changed the passwords and administrative contact for the Redwood City, California-based technology staffing company and threatened to expose the company's information unless he was paid US $1 million. US authorities plan to seek extradition.
-http://www.mercurynews.com/breaking-news/ci_18292674?nclick_check=1
-http://www.computerworld.com/s/article/9217739/Man_charged_with_1M_extortion_hack_at_oDesk?taxonomyId=17
Prison Sentence for Cyber Extortion Scheme (June 17, 2011)
A German man has been sentenced to nearly three years in prison for his role in a cyber extortion scheme against six gambling websites prior to last year's World Cup tournament. The unnamed man was also ordered to pay 350,000 Euros (US $502,000). He reportedly hired a botnet and threatened to launch distributed denial-of-service (DDoS) attacks against the gambling sites unless they paid him 2,500 Euros (US $3,600). He collected a total of 5,000 Euros from three of the sites; the other sites did not give in to his demands.
-http://www.theregister.co.uk/2011/06/17/german_bookmaker_ddoser_jailed/
-http://www.net-security.org/secworld.php?id=11174
************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/