SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #52

July 01, 2011

TOP OF THE NEWS

US Cyber Challenge Cyber Camps to Host 260 Students This Summer
Judge Says Google Can be Sued for Sniffing Packets from Unprotected Wi-Fi Networks
Metulji is Largest Documented Botnet
FFIEC Issues New Security Guidance for Financial Institutions

THE REST OF THE WEEK'S NEWS

Government Website Publisher Suffers Data Security Breach
Finnish Court Orders Three Subscribers' Internet Connections Disconnected
Windows Users Do Not Have to Reinstall Windows to Eradicate MBR Rootkit
TDS-4 Rootkit Called "Practically Indestructible"
al-Qaeda Communications Forum Knocked Offline
New Gmail Features Help Protect Users from Phishing Attacks
New DoD Cyber Security Rules for Contractors Proposed
Eleven-Year Sentence for Man Involved in Phishing Ring
New Data Mining Company Probes Social Networks
Data From BioWare Message Board Compromised in Attack

---

****************** SPONSORED BY ForeScout Technologies **************

New ForeScout CounterACT Virtual Appliance ForeScout CounterACT is now available as a virtual appliance. ForeScout CounterACT provides real-time visibility and control over everything on the network - users, devices, applications, smartphones, etc. With ForeScout CounterACT Virtual Appliance, organizations can readily deploy and scale-out CounterACT leveraging their VMware investment. http://www.sans.org/info/80914

*************************************************************************

TRAINING UPDATE

--SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

--SANS Boston 2011, Boston, MA, August 8-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 46 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Melbourne, Tokyo, Delhi and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

US Cyber Challenge Cyber Camps to Host 260 Students This Summer (June 30, 2011)

As part of the US Cyber Challenge, cyber camps are being held at colleges across the US to provide more than 200 college and high school students the opportunity to develop and hone their cyber security skills. The Cyber Challenge aims to identify 10,000 "hunters and tool builders" to enhance the country's cyber security work force. Students must be invited to attend the boot camps; they are selected based on their scores in a variety of competitions. Last year, three schools hosted boot camps for 55 students; this year, 260 students are attending the camps at five colleges, including one in Maryland for high school students.
-http://gcn.com/Articles/2011/06/30/cybersecurity-boot-camps-Cyber-Challenge.aspx
?Page=1
[Editor's Note (Murray): Competition may be a valid way to identify such talent. A public process is not a good way to identify people who may have to work in secret. We needed no competition to identify Marcus Ranum, nor to identify spies. I prefer faculty, mentors, and even peers.
(Paller): Bill Murray's comment illustrates perfectly the two reasons that the competitions of the US Cyber Challenge are the most promising path to finding the 10-30,000 critically needed cyber hunters and tool builders. (1) only one Marcus Ranum exists, and there are few others of his skill level working in the field, so the random method that found him is probably insufficient, and (2) the faculty in 96% of U.S. colleges do not know how to do the work, so they do not have a clue how to teach students to excel as hunters and tool builders; and most don't recognize the talent. The Army and Air Force have discovered that, in fact, NetWars competitions are an elegant and practical way to make cyber education programs far more effective in finding and nurturing the talent they need. The public competitions are finding many talented young people some of whom have already gone to work in the field in very cool jobs they would never have had an opportunity to get without the competitions.
(Pescatore): There is no shortage of existing demand. I'd like to see more direct corporate sponsorship of scholarships to university information security degree programs. ]

Judge Says Google Can be Sued for Sniffing Packets from Unprotected Wi-Fi Networks (June 30, 2011)

A federal judge in California has ruled that Google can be sued for collecting data packets from unprotected wireless networks while gathering images and information for its Street View feature. US District Judge James Ware is presiding over about a dozen combined lawsuits filed against Google over the issue. "The court finds that the plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act." Google was seeking to dismiss the cases, saying that intercepting data from unsecured wireless networks is not illegal, comparing open wireless networks to AM/FM radio and police band radio. Judge Ware did not agree, saying that the law applies to traditional radio networks, but not to unencrypted wireless networks. Google also maintained that it did not realize it was sniffing the packets until its practices were questioned by German authorities.
-http://www.wired.com/threatlevel/2011/06/google-wiretap-breach/
[Editor's Note (Pescatore): There is a long history of why eavesdropping on unprotected communications is still eavesdropping. Good to see at least this first level of the courts upholding that. There is also generally precedent for "well, even it is illegal I didn't know I was doing" defenses being overturned, as well. ]

Metulji is Largest Documented Botnet (June 29 & 30, 2011)

The FBI and other law enforcement authorities around the world are investigating a botnet that reportedly comprises tens of millions of PCs in 172 countries. Dubbed Metulji, which is Slovenian for butterfly, it is believed to be the largest documented botnet. The malware used to infect computers and make them part of the network is the same as that used by the Mariposa botnet. Metulji spreads through USB sticks and can hide in places on PCs that make it difficult to detect. It is polymorphic, which means it is constantly changing its digital signature.
-http://www.csmonitor.com/USA/2011/0629/Biggest-ever-criminal-botnet-links-comput
ers-in-more-than-172-countries
-http://www.scmagazineuk.com/mariposa-inspired-butterfly-botnet-reported-as-havin
g-infected-computers-globally/article/206449/
-http://www.bloomberg.com/news/2011-06-30/fbi-probes-botnet-infecting-millions-of
-computers.html
[Editor's Note (Murray): It seems very unlikely that there is enough sharing, across borders, via thumb drives to create the world's largest botnet. Either there is another vector, or it is not very large. ]

FFIEC Issues New Security Guidance for Financial Institutions (June 29, 2011)

The Federal Financial Institutions Examination Council has issued new guidance for banks and other financial institutions regarding authenticating online users. The report recommends "perform
[ing ]
periodic risk assessments considering new and evolving threats to online accounts and adjust
[ing ]
... customer authentication, layered security, and other controls as appropriate in response to identified risks." Layered security is described as "the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control." Recommendations include the use of fraud detection and monitoring systems; dual customer authorization; out-of-band verification; and a list of approved payees submitted by customers.
-http://www.digitalidnews.com/2011/06/29/ffiec-releases-banking-authentication-gu
idance
-http://www.scmagazineus.com/ffiec-guidance-addresses-corporate-account-takeover/
article/206430/
-http://www.bankinfosecurity.com/podcasts.php?podcastID=1153
[Editor's Note (Pescatore): Most of the wording seems aimed at protecting financial institutions, not their customers. But there's a line from an old labor union song "Drops of water turn a mill, singly none, singly none." It will take a lot more drops of water to dislodge reusable passwords, which is the root of the problem.
(Ranum): "Risk assessments" and layered security have proven insufficient to solve the problem of transitive trust. What is needed is design discipline that the FFIEC has not shown the willpower to enforce.
(Murray): Those security professionals who were hoping that the FFIEC would make our job easier can only be disappointed. Perhaps it was too much to hope that five regulatory bodies would be able to agree on constructive guidance. While the guidance does not mandate the right practice, it does permit it. It is clear that we did not serve Patco, Ocean Bank, Experi-Metal, or Comerica well. We must use the freedom left to us by the new guidance to ensure that our principals rise above the state of the practice to approach the state of the art.
(Northcutt): My free Gmail account has two different out of band mechanisms to protect the account, an app for my Android phone and one time "passwords". My bank account (which has an online component) asks a security question, "What was the name of your first pet?". When I was filling in the application for the bank account the person questioned me, "What do you mean you do not have a home phone; you only have a cell phone?" One of these two providers is out of step with reality, guess which one. ]

---

*************************** SPONSORED LINK *******************************

1) Earn a Master's Degree in Security Engineering or in Security Management at SANS Technology Institute (STI). Apply today! http://www.sans.org/info/80919

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Government Website Publisher Suffers Data Security Breach (June 30, 2011)

A company that publishes several US government news websites has suffered a cyber attack, exposing personal subscriber information, including that of some military personnel. Gannett Government Media said the attack occurred on June 7. The compromised information includes names and user IDs, passwords, email addresses and military duty status. The passwords appear not to have been encrypted.
-http://www.scmagazineus.com/breach-at-gannett-subsidiary-yields-data-on-subscrib
ers/article/206418/
-http://www.theregister.co.uk/2011/06/30/military_personnel_data_breach/

Finnish Court Orders Three Subscribers' Internet Connections Disconnected (June 29 & 30, 2011)

A court in Finland has ordered an Internet service provider (ISP) to disconnect three users from the Internet for alleged violations of copyright law. The subscribers received no warning notices. The three individuals are believed to be users of The Pirate Bay website. The order follows a lawsuit filed by the Copyright Information and Anti-Piracy Centre and the International Federation of the Phonographic Industry earlier this year.
-http://www.theinquirer.net/inquirer/news/2082827/finnish-court-isps-disconnect-f
ilesharers
-http://www.siliconrepublic.com/comms/item/22455-court-in-finland-orders/
[Editor's Note (Murray): It is now clear that, however Internet libertarians may feel about it, we need government to police the Internet. However, we do not want the police to govern the Internet. I favor procedures that involve the courts. ]

Windows Users Do Not Have to Reinstall Windows to Eradicate MBR Rootkit (June 30, 2011)

Microsoft says that removing the MBR rootkit from computers does not require users to reinstall Windows. The Trojan, known as Popureb, burrows deep into the master boot record (MBR), making removal difficult. Microsoft initially said that users would have to reinstall Windows to ensure that their PCs were effectively wiped of the malware, but now the company says that users can repair their computers by fixing the MBR with the Windows Recovery Console. Most experts agree with Microsoft's revised advice, but at least one says that the only way to ensure that the malware is completely gone is to reinstall Windows.
-http://www.computerworld.com/s/article/9218062/Microsoft_clarifies_MBR_rootkit_r
emoval_advice?taxonomyId=17

TDS-4 Rootkit Called "Practically Indestructible" (June 29, 2011)

The TDSS rootkit has infected more than 4.5 million PCs in just three months. The malware allows its authors to push keystroke loggers, adware and other undesirables onto the machines. TDSS has been around since 2008 and still manages to evade detection by antivirus software. This version of the rootkit is being identified as TDS-4; earlier versions were known as Alureon and TDL. It also has the capability to infect 64-bit versions of Windows. Experts are saying that the botnet created through TDL-4 is "practically indestructible."
-http://www.theregister.co.uk/2011/06/29/tdss_alureon_advances/
-http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say
_researchers?taxonomyId=17
-http://www.bbc.co.uk/news/technology-13973805

al-Qaeda Communications Forum Knocked Offline (June 29 & 30, 2011)

According to a terrorism expert, cyber attackers have temporarily obstructed al-Qaeda's ability to communicate with members over the Internet. The Internet forum known as al-Shamukh was taken down in an attack on both the site and a related server. The "well coordinated" attack bears the hallmarks of a Western state-sponsored action. This is not the first time al-Qaeda's Internet communications have been tampered with. A recent report related that last year, directions for manufacturing a bomb in an al-Qaeda online publication were replaced with cupcake recipes.
-http://www.msnbc.msn.com/id/43584213/ns/us_news-security/
-http://www.cbsnews.com/stories/2011/06/29/501364/main20075647.shtml
-http://www.telegraph.co.uk/technology/news/8608928/Al-Qaeda-propaganda-forum-for
ced-offline.html
-http://www.theregister.co.uk/2011/06/30/patriot_hackers_disrupt_al_q/
[Editor's Note (Schultz): I expect that events such as the one in this story will soon become commonplace. From a national security point of view, there is much to gain and little to lose by launching cyberattacks against enemies. ]

New Gmail Features Help Protect Users from Phishing Attacks (June 29 & 30, 2011)

Google has added features to Gmail to help protect users from phishing schemes. Users will now be shown more information about email they receive to help them decide whether or not the message is from who claims to have sent it. The additional information will come from analysis of data in the message's header. The new features will also let users know when email has been sent by a third party on behalf of the sender, and will show the sender's address on all messages when user has not sent email to that address before or the address is not in user's contact list.
-http://www.zdnet.com/blog/security/gmail-adds-features-to-thwart-phishing-attack
s/8941?tag=mantle_skin;content
-http://www.computerworld.com/s/article/9218070/Google_boosts_Gmail_s_anti_phishi
ng_feature?taxonomyId=17
-https://mail.google.com/support/bin/answer.py?answer=1311182

New DoD Cyber Security Rules for Contractors Proposed (June 29, 2011)

A proposed rule published in the Federal Register on June 29 would require federal contractors whose systems hold unclassified Defense Department data to take steps to protect that information from access by unauthorized parties and to notify DoD of any breaches. The proposed rule seeks to amend the Defense Federal Acquisition Regulation Supplement. Public comments will be accepted through August 29, 2011.
-http://fcw.com/articles/2011/06/29/dod-proposed-cybersecurity-requirements-for-c
ontractors.aspx
[Editor's Note (Pescatore): So, before this rule the DoD did *not* put any requirements on contractors to protect unclassified information? The DoD contractor I worked for back in the 80s and 90s sure wasted a lot of money protecting FOUO and other SBU information. ]

Eleven-Year Sentence for Man Involved in Phishing Ring (June 28, 2011)

Kenneth Lucas II, who was in charge of the US branch of an International phishing operation, has been sentenced to 11 years in prison. In 2009, more than 100 people were arrested in connection with what is known as Operation Phish Phry. Some of those involved used phishing tactics to steal bank account information that was then used to siphon funds. Lucas and two co-conspirators arranged for money mules to receive the stolen money, deposit it in their accounts and send it on to accounts outside the US. In all, the scheme stole more than US $1 million from its victims.
-http://www.scmagazineus.com/us-lead-on-huge-phishing-ring-receives-13-years-in-p
rison/article/206321/

New Data Mining Company Probes Social Networks (June 27 & 29, 2011)

The Social Intelligence Corporation is a company created to provide background information on job applications to potential employers. The site plans to retain the data it gathers for seven years. The company scours the Internet for information people have posted to social networking sites. The Federal Trade Commission (FTC) recently dropped an investigation into the Social Intelligence Corporation after determining that the company's practices did not violate the Fair Credit Reporting Act as long as applicants are informed when they are not selected for a position based on information in the company's report.
-http://www.dailymail.co.uk/sciencetech/article-2008231/How-youve-EVER-said-inter
net-seen-employers-government-approves-Social-Intelligence-Corp.html
-http://www.forbes.com/forbes/2011/0718/features-facebook-social-media-google-des
troy-job-search.html
[Editor's Note (Ranum): "What happens on the web - stays on the web. Forever."
(Murray): We are creating a new class, those who are unemployable because they cannot escape the record they made as teen-agers.]

Data From BioWare Message Board Compromised in Attack (June 24, 2011)

Video game maker Electronic Arts recently suffered a cyber attack on a server linked to a message board; customer information was stolen. The compromised data include names, email addresses, encrypted passwords and birth dates, but no financial data or Social Security numbers (SSNs) were taken. The breach affected the BioWare Neverwinter Nights message board. Electronic Arts is notifying affected users by email.
-http://www.washingtonpost.com/blogs/faster-forward/post/electronic-arts-bioware-
server-hacked/2011/06/24/AGml2XjH_blog.html
-http://money.cnn.com/2011/06/24/technology/electronic_arts_hack/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login