SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #53

July 05, 2011

TOP OF THE NEWS

ICE Says US Will Seek Extradition of Copyright Violators
Fox News Twitter Account Hacked
Interview with RSA CSO Eddie Schwartz

THE REST OF THE WEEK'S NEWS

IE Flaw Reportedly Exploited Prior to Patch Release
PlayStation Network Services in Japan to be Fully Restored This Week
Apple Site Data Stolen
Dropbox CEO Sends Letters of Apology for and Clarification of Breach
Worm Spreads Through Chinese Micro Blogging Service Sina Weibo

---

******************* SPONSORED by DigitalPersona, Inc. *****************

REGISTER NOW for the upcoming Analyst Webcast: Protecting Access and Data: A Review of DigitalPersona Pro Version 5.1 NEW DATE - Thursday, July 14, 2011 Start Time: 1:00 PM EDT (1700 UTC/GMT) Featuring: Jim Hietala & Fabio Santini http://www.sans.org/info/81149

*************************************************************************

TRAINING UPDATE

- --SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- --SANS Boston 2011, Boston, MA, August 8-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 46 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

ICE Says US Will Seek Extradition of Copyright Violators (July 3 & 4, 2011)

In a test case, the US is demonstrating it could seek to extradite people from other countries if they operate websites that violate US copyright laws. Erik Barnett, assistant deputy director of the US Immigration and Customs Enforcement (ICE) agency, says that if a website is in violation of US copyright law, they will go after the site's operator even if the servers are not in the US and the site itself has no link to the US. ICE also plans to target people who operate sites that provide links to pirated content as well. Barnett noted that "by definition, almost all copyright infringement and trademark violation is transnational."
-http://www.telegraph.co.uk/technology/internet/8615253/British-website-owners-ta
rgeted-by-US-anti-piracy-officials.html
-http://www.guardian.co.uk/technology/2011/jul/03/us-anti-piracy-extradition-pros
ecution
[Editor's Comment (Northcutt): In the test case, Richard O'Dwyer, a British citizen, ran a web site offering unlicensed films and TV shows. ICE is alleging that the domain name system is managed in the U.S., giving ICE jurisdiction. ]

Fox News Twitter Account Hacked (July 4, 2011)

Hackers gained access to the Fox News Twitter account and posted several messages with phony stories saying that President Obama had been assassinated. A group calling itself The Script Kiddies has reportedly claimed responsibility for the attack. Fox News is investigating and has reported the incident to the US Secret Service. Fox is also seeking answers from twitter about how the attack could have occurred. It is possible that the attackers gained access to a legitimate password, which would have raised no red flags for Twitter.
-http://www.computerworld.com/s/article/9218113/Fox_Twitter_account_hacked_claims
_Obama_shot_in_Iowa?taxonomyId=17
-http://www.bbc.co.uk/news/technology-14012294
-http://news.cnet.com/8301-30685_3-20076650-264/fox-news-reports-twitter-hack-to-
secret-service/?tag=mncol;title
-http://www.msnbc.msn.com/id/43631406/ns/technology_and_science-security/

Interview with RSA CSO Eddie Schwartz (July 1, 2011)

RSA's newly-appointed chief security officer (CSO) Eddie Schwartz talks with GovInfoSecurity journalist Eric Chabrow about steps he is taking to address security concerns at the company. Earlier this year, RSA acknowledged a breach that compromised the seeds for the company's SecurID two-factor authentication token products. Among the issues Schwartz is focusing on is shortening the amount of time an intruder can be in a company system without being detected. He acknowledged that cyber attacks are "a fact of life that we all have to come to grips with."
-http://www.govinfosecurity.com/podcasts.php?podcastID=1178
[Editor's Note (Schultz): Eddie Schwartz's statement is correct. It would have been even better if he had said that attackers are so much more proficient in attacking systems than is the white hat community in defending them, that it is now necessary to assume that your network is compromised and start risk mitigation efforts accordingly. ]

---

*************************** SPONSORED LINKS ******************************

1) New ForeScout CounterACT Virtual Appliance ForeScout CounterACT is now available as a virtual appliance. ForeScout CounterACT provides real-time visibility and control over everything on the network - users, devices, applications, smartphones, etc. With ForeScout CounterACT Virtual Appliance, organizations can readily deploy and scale-out CounterACT leveraging their VMware investment. http://www.sans.org/info/81154

2) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. hhttp://www.sans.org/info/81164

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

IE Flaw Reportedly Exploited Prior to Patch Release (July 4, 2011)

A vulnerability in Internet Explorer (IE) for which Microsoft issued a patch in June was being exploited in the wild before the bulletin containing the fix was released. The remote code execution flaw was fixed in MS11-050, which addresses 11 privately reported vulnerabilities in IE. The flaw was being exploited to place a Trojan horse program on vulnerable machines.
-http://www.scmagazineuk.com/internet-explorer-flaw-was-being-actively-exploited-
ahead-of-last-patch-tuesday/article/206743/
-http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx

PlayStation Network Services in Japan to be Fully Restored This Week (July 4, 2011)

Sony says that it is restoring PlayStation network services in Japan, more than 10 weeks after the company cut off services around the world in the wake of an immense security breach. Japan is the last country to have PlayStation network services fully restored. Services are expected to be available there as of July 6. The PlayStation Network breach affected an estimated 77 million users. A separate breach of Sony's Online Entertainment PC games network affected 25 million users; that breach was discovered in May. In a related story, a shareholder at Sony's annual meeting in Tokyo, asked CEO Howard Stringer to step down; Stringer did not respond to the request.
-http://www.computerworld.com/s/article/9218112/Sony_to_complete_global_resumptio
n_of_PlayStation_Network?taxonomyId=84
-http://www.msnbc.msn.com/id/43632962/ns/technology_and_science-games/
-http://ingame.msnbc.msn.com/_news/2011/06/28/6965607-sony-ceo-asked-to-step-down
-on-heels-of-hacking-fiasco
-http://techland.time.com/2011/06/28/sony-hacks-ceo-asked-to-step-down-by-shareho
lder-refuses/

Apple Site Data Stolen (July 3 & 4, 2011)

Attackers have posted user names and passwords that they say is for an Apple website. The group claiming responsibility for the hack is believed to have ties to groups that have gained attention for attacks on high profile companies over the past several months. While the attack may appear tame in comparison to others, the data were posted along with a message that indicated Apple may be a future target of hackers.
-http://www.zdnet.com/blog/apple/antisec-posts-passwords-from-apple-survey-server
-updated-5x/10498?tag=content;selector-blogs
-http://news.cnet.com/8301-1009_3-20076688-83/hackers-target-apple-server/?tag=mn
col;title
-http://www.computerworld.com/s/article/9218114/Hackers_claim_Apple_online_data_w
as_compromised?taxonomyId=17
-http://www.theregister.co.uk/2011/07/04/apple_website_security/
-http://www.guardian.co.uk/technology/2011/jul/04/hacking-twitter-feed-fix-news

Dropbox CEO Sends Letters of Apology for and Clarification of Breach (June 30, 2011)

Dropbox CEO Drew Houston sent letters to customers affected by a recent security breach at the cloud storage company. The letter said that intruders logged in to "fewer than a hundred" Dropbox accounts and appear to have downloaded data. No settings or files were modified. The breach took place during a code update that contained a flaw in the authentication mechanism.
-http://www.zdnet.com/blog/apple/dropbox-ceo-lone-hacker-downloaded-data-from-few
er-than-a-hundred-accounts/10476
[Editor's Comment (Northcutt): The heck with Dropbox. (Is it time to drop Dropbox?) I just read their Terms of Service as of July 15 which say they can create derivative works from anything I post on their service:
-http://www.dropbox.com/terms]

Worm Spreads Through Chinese Micro Blogging Service Sina Weibo (June 28 & 30, 2011)

Sina Weibo, a Chinese micro blogging service similar to Twitter, has reportedly been infected with a worm. The worm spreads through messages which are accompanied by links that, when clicked, cause the user's account to repost and send out the same message. The worm managed to infect more than 30,000 users before Sina Weibo identified and deleted the account believed to be responsible for the malware.
-http://www.computerworld.com/s/article/9218052/Worm_hits_popular_Chinese_Twitter
_like_service?taxonomyId=17
-http://www.penn-olson.com/2011/06/28/sina-weibo-virus-attack/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login