SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #50

June 24, 2011

DHS will unveil a very cool new way to measure the security of software
in a meeting Monday afternoon at 1 PM in McLean, open to their software
assurance working groups. They have also opened it up to others on a
space-available basis. It's in a building that requires data on who is
there so if you want to come send name, title, organization and
nationality to me (apaller@sans.org) with subject "DHS Software Security
Announcement" and I'll get you on the list and get the exact location
for you. Please don't ask for a place unless you really will attend.

Alan

---

TOP OF THE NEWS

Conflicts Inside The Anonymous Group
EU Banks and Other Businesses Will be Required to Report Serious Data Breaches
Australia's New Data Retention Law
Dutch Parliament Approves Net Neutrality Bill

THE REST OF THE WEEK'S NEWS

Guilty Plea in Missouri University Data Theft Case
Major Advances in Mass Web Site Poisoning -- All Bad
Two-Year Suspended Sentence for Hacking Former Employer's Network
Fifth Certificate Authority Suffers Breach
iPad User Data Hacker Pleads Guilty
UK Teen Charged in SOCA Website Attack
Two Scareware Rings Busted in Worldwide Operation
Confiscated Servers Take Down Sites Unrelated to Investigation
EFF No Longer Accepting Donations Through Bitcoin
European Commission Tells Web Companies to Finalize Do-Not-Track Standard
FBI Shuts Down Server Used Against Coreflood Botnet
Mozilla Releases Updates for Firefox and Thunderbird

---

******************* SPONSORED By ForeScout Technologies *******************

New ForeScout CounterACT Virtual Appliance ForeScout CounterACT is now available as a virtual appliance. ForeScout CounterACT provides real-time visibility and control over everything on the network - users, devices, applications, smartphones, etc. With ForeScout CounterACT Virtual Appliance, organizations can readily deploy and scale-out CounterACT leveraging their VMware investment. Go to http://www.sans.org/info/80249

***************************************************************************

TRAINING UPDATE

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- -- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 46 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Melbourne and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Conflicts Inside The Anonymous Group (June 23, 2011)

An illuminating look at what goes on inside Anonymous with particular focus on the Dutch man who admits taking part in several attacks, but had a change of heart as some hackers adopted increasingly aggressive tactics. "People are starting to grow tired of" the hackers, he said in an interview. "People are also starting to realize that Anonymous is a loose cannon."
-http://online.wsj.com/article/SB10001424052702304887904576399871831156018.html

EU Banks and Other Businesses Will be Required to Report Serious Data Breaches (June 20, 21 & 22, 2011)

European Union Justice Commissioner and Vice-President of the European Commission Viviane Reding has said that financial institutions and other businesses will be compelled to disclose serious data security breaches. EU telecommunications companies and ISPs already have mandatory breach notification requirements in place. The new requirements will affect all businesses that store customer data.
-http://www.h-online.com/security/news/item/EU-to-compel-banks-to-admit-serious-d
ata-breaches-1265410.html
-http://www.zdnet.co.uk/news/security-management/2011/06/21/business-must-report-
data-breaches-to-public-eu-says-40093172/?s_cid=938
-http://www.theregister.co.uk/2011/06/21/viviane_reding_data_breaches_mandatory_n
otification/
-http://www.v3.co.uk/v3-uk/news/2080208/uk-firms-mandatory-breach-notification-re
gime
[Editor's Note (Pescatore): There is always the risk that breach notices as catharsis will sap attention from avoiding breaches, but the experience in the US is that CEOs hate bad publicity - and telling your customers "sorry, we let thieves have your sensitive data" is the worst kind of publicity.
(Schultz): The EU may demand that financial institutions and other businesses report serious data security breaches, but I wonder if they will. There has been a pronounced trend in Europe to withhold information about security incidents, let alone data security breaches. ]

Australia's New Data Retention Law (June 23, 2011)

New legislation in Australia will require Internet service providers (ISPs) and other telecommunications carriers to retain data at the request of law enforcement authorities. Retention requests may be made without a warrant, but the authorities will need to obtain warrants to view the information. The legislation will "allow Australia to sign the Council of Europe Convention on Cybercrime treaty." Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=11074
-http://www.theregister.co.uk/2011/06/23/australia_laws_fight_cybercrime/
-http://www.computerworld.com.au/article/391208/challenges_remain_convention_cybe
rcrime_framework_unisys/

Dutch Parliament Approves Net Neutrality Bill (June 23, 2011)

The Dutch Parliament has approved a law that would prohibit mobile operators from blocking or charging extra for VoIP calls. The legislation would also require websites and online advertisers to obtain "explicit consumer consent" prior to installing cookies on users' devices. The bill now goes to the Dutch senate, where it is expected to pass easily. The law would make the Netherlands the first member of the European Union to pass a net neutrality law, and just the second country in the world to do so; a net neutrality law passed in Chile last year took effect last month.
-http://www.bbc.co.uk/news/technology-13886440
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/dutch-mps-vote-thr
ough-eus-first-net-neutrality-law-10022866/
-http://www.networkworld.com/news/2011/062311-net-neutrality-dutch.html

---

*************************** SPONSORED LINKS ******************************

1) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/80254

2) McAfee and Brocade release results of 2011 Data Center Survey. Click here to learn more. http://www.sans.org/info/80259

3) Sign up for SANS Webcast on 6/30: Practical Use of the Next-Generation Firewall to Control Advanced Malware sponsored by Palo Alto Networks. Go to http://www.sans.org/info/80264

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Guilty Plea in Missouri University Data Theft Case (June 23, 2011)

A Missouri man has pleaded guilty to "computer hacking conspiracy and computer intrusion" for his role in a scheme that preyed on the personal information of faculty, staff, students and alumni of the University of Central Missouri. Daniel J. Fowler and an accomplice, Joseph A. Camp, used a variety of tricks to get people to install malware on their computers. Once the machines were infected, Fowler and Camp stole and tried to sell personal information of faculty and alumni, attempted to alter grades, and stole money from other students' accounts.
-http://www.theregister.co.uk/2011/06/23/computer_hacking_guilty_plea/
-http://www.justice.gov/usao/mow/news2011/fowler.ple.html
Indictment:
-http://regmedia.co.uk/2011/06/23/fowler_camp_indictment.pdf
[Editor's Comment (Northcutt): This is a good story for awareness talks about the danger of using a PC in a public area. You have to assume a keystroke logger will be installed, and any private information that you type will be harvested.
-http://www.techrepublic.com/blog/10things/10-things-you-should-do-to-protect-you
rself-on-a-public-computer/322]

Major Advances in Mass Web Site Poisoning All Bad

Byron Acohido of USA Today reports that a group of hackers has developed new ways of poisoning thousands of small business web sites. They make it significantly more difficult to detect websites they've poisoned, and much more cumbersome to clean up, using a new method for embedding java scripts in the poisoned sites. One analyst says Google has found and black-listed only 20% of the infected sites.
-http://content.usatoday.com/communities/technologylive/post/2011/06/new-mass-mes
hing-attack-poisoning-small-business-web-sites/1

Two-Year Suspended Sentence for Hacking Former Employer's Network (June 22 & 23, 2011)

Walter Powell was given a two year suspended prison sentence for breaking into his former employer's computer network and replacing a former boss's presentation with pornography. Powell, who was fired from his job as IT manager at Baltimore Substance Abuse Systems in 2009, pleaded guilty to unlawful access to a computer, causing it to malfunction and to possessing a pass code without authorization. Powell was ordered to perform 100 hours of community service and will serve three years of probation. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=11086
-http://www.siliconrepublic.com/strategy/item/22350-sacked-it-manager-hacks/
-http://news.cnet.com/8301-17852_3-20073463-71/disgruntled-it-guy-slips-porn-into
-ceos-powerpoint/
Baltimore Sun story from Powell's September 2010 indictment:
-http://weblogs.baltimoresun.com/news/crime/blog/2010/09/employee_charged_with_ha
cking.html

Fifth Certificate Authority Suffers Breach (June 23, 2011)

The security of a fifth certificate authority was breached earlier this month. While the attackers do not appear to have gained access to information that would allow them to issue valid certificates to themselves, the company, StartSSL, has indefinitely suspended issuing digital certificates. StartSSL says that existing certificates have not been compromised. In the past several months, several other certificate authorities have been attacked. A compromise at Comodo resulted in cyber thieves stealing valid certificates for some highly visible domains, including Google and Skype. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=11071
-http://www.eweek.com/c/a/Security/Another-Certificate-Authority-Compromised-No-F
ake-SSL-Certificates-Issued-107625/
[Editor's Note (Pescatore): The CA/Browser Forum has been very slow to move in doing anything to make any meaningful changes in CA security practices. More than 4 years ago they introduced Extended Validation certificates in an attempt to have some form of high price/high trust certificates, but it wasn't until after the Comodo incident in April that the CA/Browser Forum issued a draft of baseline requirements for improving CA security for public comment. ]

iPad User Data Hacker Pleads Guilty (June 23, 2011)

Daniel Spitler has pleaded guilty to conspiracy to gain unauthorized access to computers and to identity theft for stealing and publishing personal information of 120,000 iPad users in June 2010. A second man, Andrew Auernheimer, is still negotiating a plea agreement. Spitler's agreement will likely bring him a sentence of 12 to 18 months, although he could face a sentence of up to five years. The attackers wrote a script that guessed integrated circuit card identifier (ICC-ID) numbers of iPads and queried the AT&T website until it returned an associated email address. Several high profile figures had their personal information exposed in the incident.
-http://www.pcworld.com/article/230991/atandt_ipad_hacker_pleads_guilty.html
-http://www.bloomberg.com/news/2011-06-23/at-t-computer-hacker-pleads-guilty-in-i
pad-data-case-u-s-says.html
-http://www.scmagazineus.com/one-of-two-responsible-for-att-ipad-breach-pleads-gu
ilty/article/206006/

UK Teen Charged in SOCA Website Attack (June 22, 2011)

Law enforcement officials in the UK have formally charged 19-year-old Ryan Cleary who is believed to be involved with a distributed denial-of-service (DDoS) attack on the British Serious Organized Crime Agency (SOCA) website and similar attacks against music industry sites. Cleary was arrested late Monday. The group LulzSec, which has been grabbing headlines for a series of attacks against various sites, has claimed responsibility for the SOCA attack, which has authorities hoping that Cleary's arrest will lead them to other group members. LulzSec has made several statements on Twitter distancing itself from Cleary. The charges include conspiring to construct a botnet, and making, adapting, supplying or offering to supply a botnet.
-http://www.bbc.co.uk/news/technology-13879678
-http://www.theregister.co.uk/2011/06/22/ryan_cleary_charged/
-http://www.computerworld.com/s/article/9217858/U.K._police_charge_hacker_linked_
to_LulzSec?taxonomyId=17

Two Scareware Rings Busted in Worldwide Operation (June 22 & 23, 2011)

Law enforcement authorities seized servers and bank accounts in raids at various locations around the world, targeting two different scareware crime rings as part of an investigation dubbed Operation Trident Tribunal. The groups had earned a combined US $74 million from their operations. The raids on homes and server farms in the US were coordinated with similar raids by authorities in the UK, Netherlands, Latvia, Lithuania, Germany, France and Sweden.
[Brian Krebs did a very nice piece highlighting that the Security Service of Ukraine claim the criminals used Conficker to deploy the scareware which was then used to defraud the victims
-http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/]

-http://www.wired.com/threatlevel/2011/06/scareware-raid/
-http://www.h-online.com/security/news/item/FBI-shuts-down-72M-scareware-ring-126
6520.html
-http://www.bbc.co.uk/news/technology-13887152
-http://www.theregister.co.uk/2011/06/23/fbi_scareware_arrests/
-http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-i
nternational-cybercrime-rings-distributing-scareware
-http://www.v3.co.uk/v3-uk/news/2081085/fbi-seizes-servers-operation-trident-trib
unal-scareware-crackdown
[Editor's Note (Honan): Well done to all involved in this operation. It is heartening amidst all the headlines focusing on criminals breaking into systems to see cooperation like this amongst different law enforcement agencies resulting in arrests and hopefully convictions. ]

Confiscated Servers Take Down Sites Unrelated to Investigation (June 22, 2011)

As part of Operation Trident Tribunal, the FBI seized an unspecified number of servers belonging to web hosting company DigitalOne. The company, based in Switzerland, rents space for some of its servers at a Virginia data center, which is where the raid took place in the early morning hours of Tuesday, June 21. The server confiscations caused about 120 sites, including that of DigitalOne itself, to be unavailable. The action was due to the FBI's focus on one particular company; the majority of the sites taken offline were unrelated to the target. DigitalOne specializes in providing a certain type of server that can hold large amounts of data.
-http://latimesblogs.latimes.com/technology/2011/06/fbi-raids-server-knocks-hundr
eds-of-companies-offline-.html
-http://www.pcmag.com/article2/0,2817,2387447,00.asp
-http://www.zdnet.com/blog/datacenter/fbi-throws-a-scare-into-datacenter-service-
providers/884

EFF No Longer Accepting Donations Through Bitcoin (June 22, 2011)

In the wake of the attack on the Bitcoin exchange MTGox, the Electronic Frontier Foundation (EFF) has said it will no longer take donations through Bitcoin. While not a member of the virtual currency trading group itself, the EFF had taken donations through a Bitcoin account established by an anonymous third party. The EFF cited Bitcoin's "untested legal concerns related to securities law, the Stamp Payments Act, tax evasion, consumer protection and money laundering" as reasons for its decision. MTGox is calling the attack a "force majeure," which allows it to take the extraordinary measure of rolling back transactions to pre-attack conditions.
-http://www.theregister.co.uk/2011/06/22/eff_drops_bitcoin/
-http://www.techdirt.com/articles/20110621/02402314783/eff-drops-bitcoin-over-con
cerns-about-legality.shtml
[Editor's Comment (Northcutt): I almost lost $500.00 this week purchasing an e-gift certificate from Home Depot. The gift certificate was emailed to a contractor's email account, however the contractor had lost access to the account. Once the gift certificate is emailed, it cannot be canceled. The credit card issuer, Bank of America, declined to dispute the charge. Fortunately Home Depot elected to stand by their product. However, it was a painful reminder how easy it is to lose digital cash. If you know of other examples, please drop a note to stephen@sans.edu. ]

European Commission Tells Web Companies to Finalize Do-Not-Track Standard (June 22 & 23, 2011)

The European Commission has told web companies that they have until next June to finalize a do-not-track (DNT) standard. Some companies say they are honoring a DNT standard, and some browsers have deployed the technology. But digital agenda commissioner Neelie Kroes said, "Citizens need to be sure what exactly companies commit to if they say they honor DNT," and that if there is not "a speedy and satisfactory development,
[she ]
will not hesitate to employ all available means to ensure ... citizens' right to privacy."
-http://www.zdnet.co.uk/news/security-management/2011/06/22/eu-warns-web-firms-ov
er-do-not-track-timescale-40093187/?s_cid=938
-http://www.out-law.com/page-12022

FBI Shuts Down Server Used Against Coreflood Botnet (June 21 & 23, 2011)

The FBI has shut down a server it used to send commands disabling Coreflood malware on infected computers. The reach of Coreflood "has been reduced by more than 95 percent through a combination of victim notification, coordination with ISPs and antivirus vendors, and the operation of the substitute server." The FBI has issued 19,000 uninstall commands to scrub infected computers after obtaining the owners' written consent. No problems associated with the Coreflood uninstall process have been reported.
-http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-bo
tnet/
-http://krebsonsecurity.com/wp-content/uploads/2011/06/U-Keller-declaration.pdf
-http://www.computerworld.com/s/article/9217883/Feds_claim_victory_over_Coreflood
_botnet?taxonomyId=17

Mozilla Releases Updates for Firefox and Thunderbird (June 21 & 23, 2011)

Mozilla has issued updates for its Firefox browser and Thunderbird email client to address a number of security issues. The Firefox 5 release addresses eight flaws, five of which Mozilla has rated critical. One of the vulnerabilities, which affects Firefox versions 4.0.1 and earlier, is an integer overflow flaw in a JavaScript Array object that could be exploited to execute code or cause a crash through memory corruption. Mozilla has also issued an update for Firefox 3.6.x that addresses nearly 20 flaws. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=11080
-http://www.h-online.com/security/news/item/Firefox-and-Thunderbird-updates-patch
-security-holes-1264744.html
-http://www.eweek.com/c/a/Desktops-and-Notebooks/Firefox-5-Browser-Launches-Boast
ing-Tweaks-Security-Privacy-383151/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login