SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #60

July 29, 2011

TOP OF THE NEWS

Britain's Phone Hacking Inquiry Opened
Court Orders BT to Block Site Linked to Digital Piracy
Breach Compromises Personal Data of 35 Million South Koreans

THE REST OF THE WEEK'S NEWS

Australian Attacker Denied Bail
Trojan Variant Trick Users Into Transferring Funds Out Of Online Banking Accounts
Former HBGary CEO Will Not Speak at DEFCON
Senate Subcommittee Told NSA Phone Location Data Tracking is "Complex Question"
Arrested LulzSec Suspect May Be Red Herring
Black Hat Talk Will Demonstrate "War Texting" To Hack GSM and Cellular Networks
RSA Parent Company Spent US $66 Million in Q2 to Address Cyber Attack
DHS Concerned That Stuxnet Variant Could Target Critical Infrastructure
FBI Raids Connected to Anonymous Based on IP Addresses Used in PayPal DDoS Attack
Bettor Late Than Never

---

********************** Sponsored By SANS *******************************

Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences.

Complete this survey and be entered in a drawing to win a $100 American Express gift card. http://www.sans.org/info/83039

**************************************************************************

TRAINING UPDATE

--SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22- September 2, 2011 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

---

TOP OF THE NEWS

Britain's Phone Hacking Inquiry Opened (July 29, 2011)

An inquiry into Britain's phone hacking scandal has officially begun; Lord Justice Brian Leveson said that public hearings will commence in September. The inquiry was ordered by Prime Minister David Cameron. The inquiry will examine ethics and regulation not only of the British press, but of the BBC and social media as well. The breadth and depth required of such an inquiry lead some to doubt that a report will be ready in a year's time.
-http://www.abc.net.au/news/2011-07-29/british-phone-hacking-inquiry-opens/281500
8?section=world
-http://www.irishtimes.com/newspaper/world/2011/0729/1224301562415.html
-http://www.independent.co.uk/opinion/leading-articles/leading-article-there-must
-be-no-delay-2327708.html
[Editor's Note (Pascatore): This should really be called Britain's "Voice Mail Bad Password Scandal" but it also triggers a reminder that users need to be continually reminded *not* to use their work passwords on non-work systems.
(Murray): The offense was "voice-mail abuse," not "phone hacking." It had nothing to do with phones and it did not rise to the level of hacking. What will we call it when someone really hacks a phone? ]

Court Orders BT to Block Site Linked to Digital Piracy (July 28, 2011)

A group of film studios represented by the Motion Picture Association (MPA), the international arm of the Motion Picture Association of America (MPAA), has won a court order against British ISP BT to block the Newzbin2 filesharing website. A British High Court judge has ordered BT to block users' access to the members-only website that offers links to movies and television programs available on Usenet boards.
-http://www.eweek.com/c/a/Cloud-Computing/Hollywood-Wins-Court-Order-to-Force-BT-
to-Block-Pirate-Site-Newzbin2-610329/
-http://www.bbc.co.uk/news/technology-14322957
-http://www.zdnet.co.uk/news/compliance/2011/07/28/film-studios-win-newzbin2-bloc
king-case-against-bt-40093554/
-http://www.scmagazineuk.com/bt-ordered-to-block-newzbin-2-file-sharing-site-in-l
andmark-ruling/article/208534/
Newzbin2 response:
-http://www.bbc.co.uk/news/technology-14293730
[Editor's Note (Honan): BT has responded to this ruling and says that, while it will abide with the ruling, every new case will require a court order
-http://www.theregister.co.uk/2011/07/29/bt_on_web_blocking/]

Breach Compromises Personal Data of 35 Million South Koreans (July 28, 2011)

A data security breach at South Korea's SK Communications has compromised the personal information of 35 million online users. The attack reportedly occurred in July 26. The breach is believed to have affected users of Nate, a popular search engine, and Cyworld, a social networking site with an estimated 25 million members. Both Nate and Cyworld are run by SK Communications. Police plan to investigate the incident. The compromised data include names, email addresses, resident registration numbers and passwords.
-http://www.koreaherald.com/national/Detail.jsp?newsMLId=20110728000881
-http://www.reuters.com/article/2011/07/28/us-hackers-attack-idUSTRE76R19M2011072
8
-http://www.v3.co.uk/v3-uk/news/2097621/china-accused-massive-hack-exposes-detail
s-35m-south-koreans

---

*************************** SPONSORED LINKS ******************************

1) IN CASE YOU MISSED IT...Analyst Webcast: Protecting Access and Data: A Review of DigitalPersona Pro Version 5.1 To view now, go to: http://www.sans.org/info/83044

2) New Paper in the SANS Reading room! Controlling Access, Authentication and Data on the End Point: A Review of DigitalPersona Pro 5.1 for Enterprises, written by senior SANS analyst, Jim D. Hietala. http://www.sans.org/info/83049 Also check out the associated webcast here: http://www.sans.org/info/83054

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Australian Attacker Denied Bail (July 26 & 28, 2011)

An Australian man who allegedly attacked and gained control of a broadband provider's network has been denied bail because police fear that he could destroy evidence in a matter of seconds if he did not remain in custody. David Noel Cecil faces 48 charges of unauthorized access to data and one charge of unauthorized modification of data. Police said that Cecil's attack on a National Broadband Network service provider could have caused serious damage. Cecil also allegedly hacked into networks of other businesses.
-http://www.smh.com.au/technology/security/alleged-web-invader-could-wipe-evidenc
e-20110727-1i073.html
-http://www.theregister.co.uk/2011/07/27/evil_refused_bail/
-http://www.businessweek.com/ap/financialnews/D9ONMQPO0.htm

Trojan Variant Trick Users Into Transferring Funds Out Of Online Banking Accounts (July 28, 2011)

A newly-detected Trojan horse program waits until users access their online bank accounts, then tells them that a credit has been made to their account in error. It then informs them their account is frozen until they authorize the transfer of the funds back out of the account. The malware alters the appearance of users' balances and offers them pre-populated transfer forms. This Trojan bears similarities to another known as the URL Zone Trojan, which manipulates the balances users see in their online banking accounts to appear normal even after they have been drained of funds.
-http://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/
In a separate but related story, the people behind the SpyEye Trojan have been tweaking the malware to behave in ways that more closely resemble real people's actions on banking websites.
-http://www.computerworld.com/s/article/9218645/SpyEye_Trojan_defeating_online_ba
nking_defenses?taxonomyId=83
[Editor's Comment (Northcutt): It is just going to get worse and worse as the criminals build better and better social engineering simulations and regular people get hurt. Now that screenshot malware like this is available, we need to add it to security awareness programs. ]

Former HBGary CEO Will Not Speak at DEFCON (July 27 & 28, 2011)

Former CEO of HBGary Federal, Aaron Barr, has scrapped a planned appearance on a panel at DEFCON after his former employers threatened to take legal action against him. The panel, titled "Aaron Barr, Anonymous and Ourselves," will go on as planned, but without Barr. The group Anonymous hacked into an HBGary server in February after Barr had threatened to release information about Anonymous at a February conference. That talk was cancelled. Barr resigned from HBGary after the Anonymous attack.
-http://www.scmagazineus.com/former-hbgary-federal-ceo-bows-out-of-defcon-talk/ar
ticle/208508/
-http://www.theregister.co.uk/2011/07/28/ex_hbgary_boss_cancels_blackhat_gig/
CSO Online Senior Editor Bill Brenner thinks that "companies that get spooked
[by possible disclosures at DEFCON ]
make a big mistake by calling in the lawyers. It's better to let someone speak, then be ready with a strong counter-argument."
-http://blogs.csoonline.com/1619/defcon_aaron_barr_and_legal_garbage?source=CSONL
E_nlt_update_2011-07-28
[Editor's Note (Schultz): I'm pulling the punches as I say this, but I do not see HBGary as any kind of role model when it comes to information security practices. ]

Senate Subcommittee Told NSA Phone Location Data Tracking is "Complex Question" (July 27 & 28, 2011)

The subject of the National Security Agency (NSA) tracking US citizens through mobile-device location data arose during a hearing of the Senate Select Committee on Intelligence, which was part of the process of determining whether NSA general counsel Matthew Olsen should become head of the National Counterterrorism Center. Olsen said there could be circumstances under which the NSA would have the authority to use mobile device location data to track US citizens within the US. Olsen said the powers to do so were granted under the Patriot Act. He noted that "it is a very complex question." A memo clarifying the issue is expected to be prepared for committee members.
-http://www.informationweek.com/news/government/security/231002852
-http://www.nextgov.com/nextgov/ng_20110727_7900.php?oref=topnews
[Editor's Note (Murray): I was watching a senate committee hearing this am when the bureaucrat told the senator that it was "complex." The senator said, "That means no one is accountable." ]

Arrested LulzSec Suspect May Be Red Herring (July 27 & 28, 2011)

Law enforcement authorities in Britain have arrested a man who is believed to be the spokesperson of LulzSec, a group that claimed responsibility for a number of high-profile cyber attacks earlier this year. The 19-year-old, who allegedly uses the online moniker "Topiary," was arrested in the Shetland Islands and is being transported to London. Rumors are now circulating that the man arrested was framed to take the focus away from the real "Topiary."
-http://www.theregister.co.uk/2011/07/27/lulzsec_arrest/
-http://content.met.police.uk/News/Man-arrested-in-ecrime-investigation/126026933
3921/1257246745756
-http://www.wired.com/threatlevel/2011/07/topiary-bust/
-http://www.bbc.co.uk/news/uk-14315442
-http://www.theregister.co.uk/2011/07/28/topiary_arrest_rumor/
-http://www.v3.co.uk/v3-uk/news/2097814/lulzsec-suspect-innocent-hacking-warns-po
lice
-http://www.washingtonpost.com/blogs/faster-forward/post/report-scotland-yard-arr
ested-the-wrong-hacker/2011/07/28/gIQAhekLfI_blog.html
[Editor's Note (Murray): When the FBI kicked in the door of my soon to be client, the first thing they asked him was "Are you so-and-so@aol.com?" When he answered yes, they cuffed him and took him away. He too claimed that he had been set up by others in the game. Had he been able to name them, he might not have gone to jail. ]

Black Hat Talk Will Demonstrate "War Texting" To Hack GSM and Cellular Networks (July 25, 26 & 27, 2011)

Researchers say they have figured out how to hack the software that allows cell phones to remotely start and unlock cars. The researchers plan to present their findings at the Black Hat security conference in Las Vegas in August. The researchers have dubbed their method "war texting." The researchers reverse engineered Global System for Mobile Communications (GSM) technology. They established their own GSM network to monitor and to detect codes necessary to send commands to the cars linked to the system. While the issue is obviously problematic for car owners, there is also the possibility that the same technology could be used to gain access to supervisory control and data acquisition (SCADA) systems, which also use GSM networks to transmit commands.
-http://www.computerworld.com/s/article/9218685/_War_texting_lets_hackers_unlock_
car_doors_via_SMS?taxonomyId=17
-http://www.theregister.co.uk/2011/07/27/war_texting_hack/
-http://news.cnet.com/8301-27080_3-20083906-245/expert-hacks-car-system-says-prob
lems-reach-to-scada-systems/
-http://www.darkreading.com/security/news/231002602/war-texting-attack-hacks-car-
alarm-system.html
[Editor's Note (Schultz): This kind of posturing is *way* over the top. Let exploits be what they really are--period. And let's give the real credit for seminal research into the risk of obtaining unauthorized access to car computer control systems to the University of Washington and the University of California-San Diego. ]

RSA Parent Company Spent US $66 Million in Q2 to Address Cyber Attack (July 26 & 27, 2011)

RSA parent company EMC spent US $66 million in the second quarter of 2011 to deal with the cyber attack that compromised the integrity of RSA security tokens. EMC provided transaction monitoring for corporate customers concerned about the security of their tokens; the company also offered replacement tokens to companies that requested them. In a conference call regarding the company's financial results, EMC executive VP David Goluden offered additional information about the attack, saying that customers were notified within hours after the company became aware of the breach, and that the company suspects that the intruders were targeting defense and government information, not financial information. That assumption would be borne out if the breach did, as some have suggested, lead to attempted attacks on computer systems at US defense contractors Lockheed Martin and another on L3 Communications.
-http://www.washingtonpost.com/blogs/post-tech/post/cyber-attack-on-rsa-cost-emc-
66-million/2011/07/26/gIQA1ceKbI_blog.html
-http://www.theregister.co.uk/2011/07/27/rsa_security_breach/
[Editor's Note (Pescatore): That cost will, of course, continue to go up but probably even at that level is probably 5-10x more than it would cost to avoid the incident. ]

DHS Concerned That Stuxnet Variant Could Target Critical Infrastructure (July 26, 2011)

In testimony before the House Subcommittee on Oversight and Investigations, acting assistant secretary for the Department of Homeland security (DHS) Office of Cybersecurity and Communications Bobbie Stempfley said that DHS is concerned that a Stuxnet variant could be used to attack elements of US critical infrastructure. Stempfley noted that "copies of the Stuxnet code, in various ... iterations, have been publicly available for some time now." Researchers who plumbed the depths of Stuxnet code have remarked that it would not be difficult to tweak the malware to target systems other than those targeted in last year's attack.
-http://www.wired.com/threatlevel/2011/07/dhs-fears-stuxnet-attacks/
[Editor's Note (Pescatore): This is one of the "mutually assured destruction" aspects of authorized use of malware- you are also arming potential enemies. It is not like a bomb that destroys itself on impact, it can be much more like the evil robot that turns around starts believing its creator looks mighty tasty. ]

FBI Raids Connected to Anonymous Based on IP Addresses Used in PayPal DDoS Attack (July 26, 2011)

FBI raids on the homes of people suspected of being part of the Anonymous hacking collective are being fueled by a list obtained from PayPal of the 1,000 IP addresses that sent the greatest amount of protest traffic during a distributed denial-of-service (DDoS) attack against the online payment processor late last year.
-http://www.wired.com/threatlevel/2011/07/op_payback/
[Editor's Note (Murray): One messes with PayPal at one's peril. At a minimum, one should use a proxy. ]

Bettor Late Than Never (July 26, 2011)

An online gambling site is warning users of a data security breach more than a year-and-a-half after the fact. BET24.com suffered an attack in December 2009, but is just now notifying customers. Compromised data include names, addresses, email addresses and encrypted credit card information. BET24 acknowledged that the information has been used fraudulently on its website and that users have been reimbursed. BET24 conducted a security audit following the attack and reset some user passwords.
-http://www.theregister.co.uk/2011/07/26/bet24_security_breach/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/