SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #59

July 26, 2011


Surprise resource on cyber forensics: At least it surprised me.
While searching for a deeper description of the cyber "kill chain," I
came across the 4-part series of articles on "intelligence-driven
response" (aka "defense informed by offense") that was well written and
extraordinary in the depth of understanding it reflected. That series
by Lockheed's Intel Fusion Team Lead, Mike Cloppert, was part of a rich
collection of in-depth, original articles relevant to investigating and
understanding cyber attacks (150 on cyber evidence analysis, 90 on
evidence acquisition, 18 on reverse engineering, and many more). But the
surprise for me was that all those articles are part of the Computer
Forensics community sharing project run by Rob Lee, director of the
Forensics program at SANS. I had no idea it existed. You'll find the
whole thing at computer-forensics.sans.org and Mike's articles and many
more are under the "Community" button at the top of the page.

Alan

TOP OF THE NEWS

GAO Report: DOD Faces Challenges In Its Cyber Activities
Escrow Company Suing Bank Over Fraudulent Transactions
Judge Reduces Thomas-Rasset's File Sharing Verdict to US $54,000

THE REST OF THE WEEK'S NEWS

Governor O'Malley Recognizes Maryland Winners of US Cyber Foundations Competition
Chinese Authorities Close Two Phony Apple Stores in Kunming
US-CERT Director Resigns
UK Cyber Security Challenge
Man Sentenced for Malware Spread Over Peer-to-Peer Network
Investigation Links IMF Cyber Attack to China
Ten-Year Sentence for Credit Card Fraud Scheme
Florida Makes Millions Selling DMV Data
Comcast Will Fix Firefox Homepage Problem


********************** Sponsored By SANS *******************************

Two-day workshop on the Art and Science of Baking Security into Applications and Networks - listen to techniques leading companies have used which have provided IT architects and engineers knowledge to ensure security is considered in every step of the development life cycle. SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29-30, http://www.sans.org/info/82809

**************************************************************************

TRAINING UPDATE

--SANS Boston 2011, Boston, MA, August 8-15, 2011, 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22-September 2, 2011, 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28-September 2, 2011, 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011, 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011, 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm; and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011, 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

TOP OF THE NEWS

GAO Report: DOD Faces Challenges In Its Cyber Activities (July 25, 2011)

Although the Department of Defense (DOD) may cultivate a reputation of being the best equipped of the government agencies to defend against cyber security threats, a report from the US Government Accountability Office (GAO) notes that "keeping pace with the magnitude of cyber security threats DOD faces currently and will face in the future is a daunting prospect." While the US may dominate in land, sea and air presence, the costs and technology required for adversaries to enter cyber space are far lower. The report applauds the DOD's creation of the US Cyber Command, but says that "it is too early to tell whether this will provide the necessary leadership and guidance DOD requires to address cyber security threats." The GAO report points out areas in which the DOD needs to improve coordination, illustrating the problem with a 2008 cyber infection that prompted directives from a variety of military and civilian organizations, none of which were coordinated with any of the others.
-http://www.govinfosecurity.com/articles.php?art_id=3892
-http://www.washingtonpost.com/blogs/checkpoint-washington/post/gao-faults-pentagon-cyber-operations/2011/07/25/gIQAUcQOZI_blog.html

-http://www.gao.gov/new.items/d1175.pdf
-http://www.networkworld.com/community/node/76864
[Editor's Note (Pescatore): The GAO report mostly focuses on the lack of hierarchical, top down control of cybersecurity across DoD but this is like saying we need more battleships to fight modern wars. ]

Escrow Company Suing Bank Over Fraudulent Transactions (July 19 & 25, 2011)

A California escrow company is suing its former bank, alleging that Professional Business Bank was negligent and did not fulfill the terms of its online banking contract. Village View Escrow lost more than US $465,000 to fraudulent wire transfers in March 2010. Village View had a contract with Professional Business Bank that stated that electronic transfers must be authorized by two company employees and a phone call from certain company telephone numbers before they were permitted to proceed. Professional Business Bank apparently outsourced some of its online banking functions to a company that required little more than a username and password. The cyber thieves conducted 26 wire transfers to 20 accounts around the world with which the escrow company had no legitimate business.
-http://krebsonsecurity.com/2011/07/calif-co-sues-bank-over-465k-ebanking-heist/
-http://www.darkreading.com/smb-security/167901073/security/attacks-breaches/231002153/yet-another-bank-sued-by-a-small-business-for-fraudulent-hacker-transfers.html

-http://docs.ismgcorp.com/files/external/1st-Amend-Complaint.pdf

Judge Reduces Thomas-Rasset's File Sharing Verdict to US $54,000 (July 22, 2011)

Calling the original amount "appalling," US District Court Judge Michael Davis has reduced a US $1.5 million jury verdict against Jammie Thomas-Rasset to US $54,000. This is the third trial in a case brought by the Recording Industry Association of America (RIAA) against Thomas-Rasset for sharing 24 songs over KaZaA. Thomas-Rasset is the first person the RIAA took to court over illegal filesharing. Although the RIAA maintained that judges do not have the authority to lower jury verdict cases involving the Copyright Act, Judge Davis said that his decision was made in the interest of fairness; the verdict was "so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable."
-http://www.wired.com/threatlevel/2011/07/kazaa-verdict-slashed/
-http://news.cnet.com/8301-31001_3-20081934-261/jammie-thomas-judgment-lowered-from-$1.5-million-to-$54000/

[Editor's Note (Schultz): The ruling seems fair; the fact that Jammie Thomas-Rasset faced bankruptcy for sharing a couple dozen files does not seem right. At the same time, however, the fact that she has denied responsibility for the file sharing activity is disturbing. ]


*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/82814

2) New Paper in the SANS Reading room! Controlling Access, Authentication and Data on the End Point: A Review of DigitalPersona Pro 5.1 for Enterprises, written by senior SANS analyst, Jim D. Hietala. http://www.sans.org/info/82819 Also check out the associated webcast here: http://www.sans.org/info/82824

****************************************************************************

THE REST OF THE WEEK'S NEWS

Governor O'Malley Recognizes Maryland Winners of US Cyber Foundations Competition (July 26, 2011)

Governor Martin O'Malley took time out to honor Maryland winners of the 2011 Spring Cyber Foundations National Competition. The competition, coordinated by the U.S. Cyber Challenge, is a national online contest to identify talented high school students with the skills to pursue advanced education and job opportunities in the cyber security field, one of the most in-demand career fields.
-http://www.benzinga.com/pressreleases/11/07/p1803362/maryland-governor-martin-omalley-recognizes-winners-of-u-s-cyber-challe

Chinese Authorities Close Two Phony Apple Stores in Kunming (July 25, 2011)

Officials in China have shut down two phony Apple stores in the wake of a blogger's story that publicized their presence. Trade officials launched an investigation; five stores claiming to be Apple retail outlets were discovered in Kunming, China. Two of the operations lacked official business licenses and were ordered to suspend operations pending the outcome of an investigation by the Chinese government.
-http://www.bbc.co.uk/news/technology-14273444
-http://content.usatoday.com/communities/ondeadline/post/2011/07/china-shuts-2-phony-apple-stores-but-3-others-stay-open/1

-http://www.washingtonpost.com/business/china-to-investigate-unauthorized-apple-stores/2011/07/25/gIQAeIAnYI_gallery.html

-http://www.wired.com/epicenter/2011/07/china-closes-apple-stores/

US-CERT Director Resigns (July 25, 2011)

Randy Vickers resigned his position as director of the US Computer Emergency Readiness Team (US-CERT) on Friday, July 22, effective July 25. No reason was given for Vickers' abrupt departure. He became director in April 2009; prior to that, he was deputy director. Current deputy director Lee Rock will serve as interim director until a new director is named. Vickers' resignation comes in the wake of a string of cyber attacks on government agency and contractor computer networks. DHS has not commented on Vickers' departure. There is speculation that the job may prove frustrating because of "turf wars" with DOD and because "US-CERT is insufficiently empowered right now. They are just firefighters."
-http://www.informationweek.com/news/government/leadership/231002548
-http://thehill.com/blogs/hillicon-valley/technology/173373-top-dhs-cyber-official-steps-down

-http://www.computerworld.com/s/article/9218636/Director_of_US_CERT_quits_abruptly

UK Cyber Security Challenge (July 22 & 25, 2011)

The UK Cyber Security Challenge has begun. Participants will compete in network defense and packet capture analysis events. The winners of this round, which is conducted online, will be invited to an in-person competition to be held in early 2012.
-http://www.computerweekly.com/Articles/2011/07/22/247372/UK-Cyber-Security-Challenge-gears-up-for-second-year-of.htm

-http://www.scmagazineuk.com/cyber-security-challenge-competitions-sponsored-by-sans-and-qinetiq-begin-this-week/article/208273/

Man Sentenced for Malware Spread Over Peer-to-Peer Network (July 21 & 22, 2011)

A judge in Japan has sentenced a man to two-and-a-half years in prison for writing malware that spread over the Winny peer-to-peer file sharing network. Masato Nakatsuji was already on probation for a similar offense when he was nabbed for the "ika-tako," or "squid-octopus" malware. Nakatsuji had received a two-year suspended sentence in 2008 for spreading malware by attaching it to anime images. The 30-month sentence is for property destruction; the malware replaced files on people's computers with a cartoon image of an octopus.
-http://www.theregister.co.uk/2011/07/22/japan_jails_vxer/
-http://www.yomiuri.co.jp/dy/national/T110720005908.htm
[Editor's Note (Murray): Hacking is addictive behavior. The risk of being caught is part of the thrill. Recidivism is very high. ]

Investigation Links IMF Cyber Attack to China (July 22, 23 & 24, 2011)

People close to the investigation of the cyber attack on an International Monetary Fund (IMF) computer network say that evidence suggests that the attacks were conducted by spies with ties to China. The IMF disclosed the breach on June 8. A list of stolen documents was reportedly compiled by the middle of July as was an "operation impact assessment." The evidence includes methods of attack and electronic footprints. Publicly, the IMF issued a statement saying "We are not prepared to finger point at this time."
-http://www.bloomberg.com/news/2011-07-21/spies-connected-to-china-said-to-have-carried-out-hacking-of-imf-computers.html

-http://www.financialexpress.com/news/inquiry-fuels-suspicion-of-beijing-role-in-cyberattack-on-imf/821661/0

-http://www.irishtimes.com/newspaper/finance/2011/0723/1224301203664.html

Ten-Year Sentence for Credit Card Fraud Scheme (July 22, 2011)

A US Federal Judge has sentenced Rogelio Hackett, Jr., to 10 years in prison for his role in a scheme that compromised 675,000 credit card accounts and brought in US $36 million. He was also ordered to pay a fine of US $100,000. According to a court filing, Hackett admitted to trafficking in stolen credit card data; he obtained the information by breaking into businesses' computer networks and stealing credit card databases, or by purchasing the information through carder forums. He admitted to selling credit card data, manufacturing phony credit cards and using credit card information to make purchases.
-http://www.darkreading.com/security/client-security/231002456/hacker-sentenced-in-virginia-to-10-years-in-prison-for-stealing-675-000-credit-card-numbers-leading-to-36-million-in-losses.html

Florida Makes Millions Selling DMV Data (July 22, 2011)

Last year, the state of Florida made more than US $60 million from selling information held by the Department of Highway Safety and Motor Vehicles. It is legal in Florida to sell the data, which include names, addresses, dates of birth and vehicles registered. The data are available to employers and insurance companies, but the state is also selling them to companies that collect personal data and sell them to others. The companies purchasing the information from the state must sign contracts promising not to use the information to harass people. The state does not sell Social Security numbers (SSNs) or driver's license numbers. Judges and law enforcement officers may request that their information not be sold.
-http://www.local10.com/news/28600374/detail.html
-http://www.cbsnews.com/stories/2011/07/21/national/main20081394.shtml
[Editor's Note (Murray): Most states sell this data under enabling legislation, passed in the sixties, encouraged by the motor vehicle administrators, to finance automation. While necessary and efficient, at the time information technology was very expensive. Many, not to say most, states preferred this method of finance to raising license fees. Privacy concerns were not as high as now. I doubt that we would pass such laws today. ]
[Editor's Note (Ranum - joking): I hope Anonymous reads this. ]

Comcast Will Fix Firefox Homepage Problem (July 21, 2011)

Comcast has acknowledged that the software that new users are required to install to begin service with the Internet service provider (ISP) interferes with Firefox on Mac computers by permanently resetting users' homepages to Comcast.net. A Comcast spokesperson said that the company is fixing the installation software to address the problem and that the permanent change of the home page was not intentional. Ryan Parman, a blogger, published step-by-step instructions for eliminating Comcast's hijacking of the homepage.
-http://krebsonsecurity.com/2011/07/comcast-hijacks-firefox-homepage-well-fix/


************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/