SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #54

July 08, 2011

TOP OF THE NEWS

US Dept. of Energy Labs Targeted in "Sophisticated Cyberattack"
Google Blocks "Spammy" Domain from Web Search Results
US ISPs Agree to Copyright Violator Penalty System
WellPoint Fined US $100,000 Over Delay in Breach Notification

THE REST OF THE WEEK'S NEWS

Data Stolen from Washington Post Jobs Website
Apple Developing Fix for iOS Flaw Used in JailbreakMe Software
Programmer Arrested for Alleged Theft of Trade Secrets
Researchers Identify Pattern to Phony AV Charge Transactions
Three Arrested In Connection with Cyber Attacks on Italian Government and Commercial Sites
As Gravity of Phone Hacking Allegations Grows, News of the World Shuts Down
July's Patch Tuesday to Address 22 Vulnerabilities
Microsoft Releases Wi-Fi Data-Gathering Source Code


*********************** SPONSORED by SANS ****************************

Two-day workshop on the Art and Science of Baking Security into Applications and Networks - listen to techniques leading companies have used which have provided IT architects and engineers knowledge to ensure security is considered in every step of the development life cycle. SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 -30.

http://www.sans.org/info/81644

*************************************************************************

TRAINING UPDATE

--SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

--SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi, London and Baltimore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

TOP OF THE NEWS

US Dept. of Energy Labs Targeted in "Sophisticated Cyberattack" (July 6, 2011)

The US Department of Energy (DOE) has taken two research facilities offline in the wake of a cyber attack. On July 1, officials learned that the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, and the Thomas Jefferson Laboratory National Accelerator facility in Newport News, Virginia, were being attacked and took steps to cut off Internet connectivity at the facilities. Officials from the two laboratories as well as from Battelle Memorial Institute, which operates PNNL, are investigating. Earlier this year, Oak Ridge National Laboratory in Tennessee suffered a cyber attack and took the same measures to protect its systems. That incident is believed to be the result of a successful spear phishing attack.
-http://news.cnet.com/8301-27080_3-20077268-245/sophisticated-attack-targets-two-energy-dept-labs/?tag=mncol;title
-http://gcn.com/articles/2011/07/06/cyber-attacks-take-2-energy-labs-offline.aspx
-http://fcw.com/articles/2011/07/06/pnnl-cyber-attack-shuts-down-internet-email.aspx
-http://www.computerworld.com/s/article/9218208/Second_DOE_lab_is_likely_victim_of_spear_phishing_attack?taxonomyId=85
-http://www.eweek.com/c/a/Security/DOE-Lab-Shuts-Down-EMail-Web-Access-After-Sophisticated-CyberAttack-161664/
-http://seattletimes.nwsource.com/html/localnews/2015528333_apwanationallabcyberattack2ndldwritethru.html
[Editor's Note (Murray): One can only speculate as to the attack method involved here. However, taken with Lockheed, RSA, and Sony, one can conclude that the cost of successful attack against targets of choice has fallen dangerously low. It is time to get serious. Restrictive policies, even for e-mail, least privilege, even for users, strong authentication, stronger applications, encryption by default, and better monitoring, measurement, and reporting all round.
(Northcutt): I do not know who the policy makers for security at the top level of DOE are, but I love their courage. I still remember the primary adage of our first aid training when I was in the Navy, "STOP THE BLEEDING". Detect, disconnect, clean up, resume operations, I think they point to the strategy we all will have to consider adopting.]

Google Blocks "Spammy" Domain from Web Search Results (July 6, 2011)

Websites with URLs ending in .co.cc will no longer appear in Google search results because the company has decided that too many sites in that domain "are spammy or low-quality." The move was made to protect users. So far, more than 11 million sites have been removed from search engine results. The .co.cc domain is privately owned by a company that lets people register 15,000 domains for US $1,000.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/07/06/businessinsider-google-blasts-an-entire-domain-from-its-search-results-for-being-too-spammy-2011-7.DTL
-http://www.theregister.co.uk/2011/07/06/google_cans_11m_dot_co_dot_cc_sites/

US ISPs Agree to Copyright Violator Penalty System (July 7, 2011)

Major US Internet service providers (ISPs) have agreed to a system that could allow them to disrupt Internet service for habitual copyright violators. Among the providers participating are Comcast, Time Warner and Verizon. The ISPs will issue warnings at first, but after six violations, the plan calls on the providers to take steps such as reducing Internet speed or redirecting users to "educational" pages about copyright infringement. The plan does not directly call for cutting off access altogether, although the services may do that if they choose. The agreement has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). Critics of the agreement have expressed concern that users' Internet access could be cut off with no judicial review.
-http://www.wired.com/threatlevel/2011/07/disrupting-internet-access/
-http://news.cnet.com/8301-31001_3-20077659-261/should-you-fear-new-isp-copyright-enforcers/
[Editor's Note (Pescatore): There are a lot of good societal reasons why the Internet "pipes" should be cleaner, but "clean" is one of those "you know it when you see it" kind of issues that societies need to define. In this case a clear definition of "copyright violation" is needed. A much easier and more valuable-to-society version of clean pipes would be for the carriers to routinely block known malware and known address spoofing and the like.
(Northcutt): I like the focus on moderation, six warnings seems reasonable.
(Murray): The proof of this pudding will be in the eating. I would like to think that these procedures are based upon experience with what is happening and how effective the procedures will be. I think that the threshold is sufficiently high to avoid false positives. ]

WellPoint Fined US $100,000 Over Delay in Breach Notification (July 6, 2011)

Health insurance company WellPoint will pay the state of Indiana US $100,000 for an incident in which it delayed notifying consumers and the attorney general's office of a data security breach that compromised personally identifiable information of more than 32,000 people. The breach occurred between October 23, 2009 and March 8, 2010; people's records were accessible online during that entire time. WellPoint was informed of the situation on February 22, 2010, but did not begin notifying consumers until June 28, 2010. The exposed information includes Social Security numbers (SSNs), health records and financial data.
-http://www.infosecurity-us.com/view/19221/wellpoint-dishes-out-100000-to-indiana-for-potential-data-breach/
-http://www.govinfosecurity.com/articles.php?art_id=3824&search_keyword=wellpoint&search_method=exact



*************************** SPONSORED LINKS ******************************

1) Earn your Master's Degree at SANS Technology Institute (STI). Take classes in Information Security Management (MSISM) or Information Security Engineering (MSISE). Apply today! http://www.sans.org/info/81649

2) REGISTER NOW for the upcoming 7/14/11 Webcast: Protecting Access and Data: A Review of DigitalPersona Pro Version 5.1 Start Time: 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info/81654

****************************************************************************

THE REST OF THE WEEK'S NEWS

Data Stolen from Washington Post Jobs Website (July 7, 2011)

The Washington Post says that its Jobs website was accessed by an unauthorized third party. The incident appears to have compromised roughly 1.3 million accounts. The attacks, which occurred on June 27 and 28, compromised user IDs and email addresses but no passwords or other personal data. The Post said it "quickly identified the vulnerability and shut it down." Users are being warned that they could receive spam as a result of the attacks.
-http://www.h-online.com/security/news/item/Washington-Post-jobs-site-breached-1275228.html
-http://www.washingtonpost.com/business/economy/posts-jobs-section-hacked-exposing-16-million-user-ids-e-mail-addresses/2011/07/06/gIQAy1eP1H_story.html
-http://www.computerworld.com/s/article/9218230/Washington_Post_reports_data_breach_on_job_ads_section?taxonomyId=17

Apple Developing Fix for iOS Flaw Used in JailbreakMe Software (July 7, 2011)

Apple is working on a fix for flaws in its iOS that could be exploited to steal confidential information from vulnerable devices. The flaws affect iPhones, iPads, and certain models of iPod touch. The vulnerability is used by software available through the JailbreakMe website, where users can remotely jailbreak their iOS devices. The developer responsible for JailbreakMe has also released a patch for a PDF handling flaw, which, ironically, can only be installed on devices that are jailbroken. The vulnerability lies in the way iOS parses fonts in Safari mobile.
-http://www.informationweek.com/news/231001147
-http://www.computerworld.com/s/article/9218233/Apple_developing_fixes_for_dangerous_iOS_vulnerabilities?taxonomyId=17
-http://www.h-online.com/security/news/item/Public-exploit-puts-iPhone-users-at-risk-1275364.html
-http://www.scmagazineus.com/new-ipad-2-jailbreak-tool-leverages-ios-flaw/article/206914/
-http://www.scmagazineuk.com/flaws-in-apple-ios-can-be-exploited-by-a-malicious-pdf/article/206926/

[Editor's Note (Murray): Checking inputs is difficult. Including a browser as part of the OS is dangerous. Both of these statements are supported by the German authorities, who assert that these vulnerabilities have reappeared over four years.
-http://m.gizmodo.com/5818823/german-government-warns-of-four+year-old-iphone-malware-threat
(Pescatore): Jailbreaking an Apple device is just the equivalent of rootkitting a Windows PC - the hype over the term has gone way over the top. Just as Microsoft made acquisitions and spent lots of development time making it harder to rootkit Windows, Apple will have to do the same. What Apple really needs to do is focus on making sure more vulnerabilities are found in the OS code and in app code *before* they get released. ]

Programmer Arrested for Alleged Theft of Trade Secrets (July 7, 2011)

US law enforcement authorities have arrested a man for alleged theft of proprietary software. Chunlai Yang had worked as a senior software engineer for CME Group, which makes commodity derivative market trading platforms. CME says it had been monitoring Yang's computer use and noticed that he downloaded files containing proprietary source code. He was arrested in a raid on CME's offices and has been charged with theft of trade secrets. The FBI said that Yang had email contact with an organization in China; one of the messages included an attachment that contained proprietary code. Yang is a naturalized US citizen.
-http://www.theregister.co.uk/2011/07/07/chinese_espionage_arrest/
-http://www.fbi.gov/chicago/press-releases/2011/libertyville-man-arrested-for-theft-of-trade-secrets-from-cme-group

Researchers Identify Pattern to Phony AV Charge Transactions (July 6, 2011)

Researchers from the University of California, Santa Barbara (UCSB) spent months infiltrating phony anti-virus networks. Among their findings was a curious pattern to credit card processing that banks could potentially use to identify the Internet fraudsters and refuse to process their transactions. The pattern arises from the phony antivirus groups' efforts to stay below the banks' radar with regard to chargeback levels. Journalist Brian Krebs has also identified five banks in Cyprus, Israel, the Czech Republic and Azerbaijan that process payments for the shady groups.
-http://krebsonsecurity.com/2011/07/which-banks-are-enabling-fake-av-scams/

Three Arrested In Connection with Cyber Attacks on Italian Government and Commercial Sites (July 6, 2011)

Authorities in Italy and Switzerland have questioned 15 people and arrested three in connection with the activities of the Anonymous hacking collective. These particular individuals are believed to have been involved in a series of cyber attacks on Italian government and commercial websites.
-http://www.v3.co.uk/v3-uk/news/2084294/police-suspected-anonymous-italy
-http://www.computerworld.com/s/article/9218212/Police_raid_Italian_branch_of_Anonymous?taxonomyId=82
-http://www.theregister.co.uk/2011/07/06/swiss_italian_police_anonymous_roundup/

As Gravity of Phone Hacking Allegations Grows, News of the World Shuts Down (July 5 & 7, 2011)

News of the World (NoTW), Britain's 168-year-old, best-selling Sunday newspaper, will publish its final edition on Sunday, July 10. James Murdoch made the announcement to the publication's employees following increasingly serious allegations of mobile phone voicemail hacking. Scotland Yard has re-opened an investigation into allegations that people working for NoTW broke into the voicemail box of a school girl who was later found murdered and deleted messages. The action was reportedly taken, when Milly Dowler disappeared in March 2002, to free up space for additional messages, but it also falsely raised her parents' hopes that she was still alive and interfered with the investigation into her murder. NoTW has faced similar phone hacking charges in the past, but these mainly focused on celebrities and other high profile individuals. There are also allegations that reporters broke into the voicemail boxes of victims of the July 7th bombing in London and into those of families of UK soldiers who were killed in Iraq and Afghanistan. These additional allegations have further outraged many in the UK.
-http://www.theregister.co.uk/2011/07/05/notw_phone_hack_dowler_allegations/
-http://www.guardian.co.uk/media/2011/jul/07/news-of-the-world-rupert-murdoch
-http://www.v3.co.uk/v3-uk/news/2086727/phone-hacking-online-campaign-bring-news-world
-http://www.dailymail.co.uk/news/article-2012318/News-World-close-James-Murdochs-statement-full.html

[Editor's Note (Honan): The issues raised in this story strongly highlight the need for better education and awareness surrounding the security of smartphones and mobile devices. Most of the "hacks" relating to this story were facilitated by gaining access to the voice mail box using the default PIN code supplied by the phone provider, or the PIN codes were easy to guess. This should be an opportunity for you to encourage your work colleagues to ensure they have changed the default PIN code for their voicemail and also to promote other security practices when using their mobile device. For readers in the UK the Telegraph newspaper provides a good overview by carrier as to how you can change the voicemail PIN code.
-http://www.telegraph.co.uk/news/uknews/phone-hacking/8622582/Phone-hacking-how-to-change-your-voicemail-password.html
]

July's Patch Tuesday to Address 22 Vulnerabilities (July 7, 2011)

Microsoft plans to address 22 vulnerabilities in four security bulletins next week. Just one of the bulletins is rated critical; the other three are rated important. This month's release marks an unusually high number of fixes for an odd-numbered month, when Microsoft usually offers a smaller volume of security updates. The bulletins address flaws in Microsoft Windows and in Microsoft Visio 2003. The updates will be released on Tuesday, July 12 at approximately 1PM ET.
-http://www.microsoft.com/technet/security/Bulletin/MS11-jul.mspx
-http://www.computerworld.com/s/article/9218250/Microsoft_plans_22_patches_for_Windows_Office_next_week?taxonomyId=17
-http://www.eweek.com/c/a/Midmarket/Microsoft-Plans-Fixes-for-22-Bugs-in-July-Patch-Tuesday-Update-845364/

Microsoft Releases Wi-Fi Data-Gathering Source Code (July 5, 2011)

Microsoft has released "relevant portions" of the source code it uses to gather Wi-Fi data in an effort to quell consumers' privacy concerns. The data are used to support location-based services, such as those for Windows Phone 7 and Bing.
-http://www.h-online.com/security/news/item/Microsoft-releases-Wi-Fi-data-collection-source-code-1273878.html

-http://www.theregister.co.uk/2011/07/05/microsoft_wifi_code_released/
[Editor's Note (Pescatore): Transparency is better than opaqueness, but collecting less information unless the user expressly opts in is where this needs to go. (Murray): Being proactive and candid should avoid a lot of unwarranted suspicion. ]


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login