SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #63

August 09, 2011

Which security products are winning the race in automating the 20
Critical Controls that are now the first security priority at all
organizations with important data? Add your opinion at
http://www.sans.org/critical-security-controls/ and you'll see the
results.
Alan

---

TOP OF THE NEWS

Judge Rules That Bank is Not Liable for Fraudulent Transactions
Indian Government Demanding Access to Monitor Communications
In Wake of SCADA Flaw Demos, NERC Warns Energy Suppliers to Step Up Security
Cyber Challenge Camps in Virginia and Delaware

THE REST OF THE WEEK'S NEWS

DefCon Kids
WordPress Sites Being Used to Poison Google Image Search Results
Data From Sheriff Departments Stolen and Posted Online
Travelodge UK Admits Data Breach
Spam King Surrenders
PhonyAV Activity Drops

---

********************** Sponsored By SANS ********************************

Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. http://www.sans.org/info/83769

**************************************************************************

TRAINING UPDATE

--SANS Virginia Beach 2011, August 22- September 2, 2011 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Judge Rules That Bank is Not Liable for Fraudulent Transactions (August 8, 2011)

A US District Court judge in Maine has approved a pending decision recommended by a magistrate stating a commercial bank which protected customers' accounts with minimal authentication is in compliance with federal online banking security requirements. Patco Construction had sued Ocean Bank following a series of fraudulent funds transfers totaling US $588,000. Part of Patco's argument rested on Ocean Bank's allowing the transactions to go through without taking adequate steps to verify their legitimacy. In late May, the magistrate ruled in the bank's favor, and on August 4, a judge made the ruling official. Patco has not decided whether it will appeal the decision. Similar suits are being tried in various federal district courts, but none qualifies as case law, which requires a ruling from an appellate court. For a decision to set a national precedent, a decision would be required from the US Supreme Court.
-http://krebsonsecurity.com/2011/08/judge-nixes-patcos-ebanking-fraud-case/
-http://krebsonsecurity.com/wp-content/uploads/2011/08/dbh_08042011_2-09cv503_pat
co_v_peoples.pdf

Indian Government Demanding Access to Monitor Communications (August 8, 2011)

Blackberry parent company Research in Motion (RIM) is facing yet another deadline from India's government regarding its failure to comply with requirements to make data sent over its network "intercept-friendly." Some are guessing that RIM may be forced to set up a server in the country to give the government the ability to intercept communications. RIM's earlier proposal to provide users' enterprise server IP addresses and the PINs and IMEI numbers of each Blackberry device used by subscribers was deemed unacceptable by India's government. The government also wants the department of telecommunications to "ensure effective monitoring of Twitter and Facebook."
-http://www.theregister.co.uk/2011/08/08/indian_blackberry_crackdown/
-http://timesofindia.indiatimes.com/tech/social-media/Govt-wants-to-monitor-Faceb
ook-Twitter/articleshow/9530919.cms
[Editor's Note (Honan): Given widespread reports that the Blackberry Messenger service was used by those involved in the riots in London and elsewhere in the UK
-http://www.siliconrepublic.com/new-media/item/23066-london-rioters-used/
it will be interesting to see whether the UK and other governments will require similar access to that requested by the Indian government. After RIM announced they would co-operate with the UK police in identifying those who used their service their blog was subsequently hacked by "activists"
-http://www.scmagazineuk.com/blackberry-blog-defaced-and-threats-made-over-co-ope
ration-with-police-over-londonriots/article/209305/
with a message threatening personal information about RIM staff would be leaked to the rioters. ]

In Wake of SCADA Flaw Demos, NERC Warns Energy Suppliers to Step Up Security (August 8, 2011)

The North American Electric Reliability Corporation (NERC) has issued a warning to energy suppliers to strengthen their defenses against cyber attacks. The warning follows the disclosure of a number of vulnerabilities in programmable logic controllers (PLCs) that could be used to attack systems at their facilities.
-http://www.computerweekly.com/Articles/2011/08/08/247546/US-standards-body-issue
s-warning-to-energy-suppliers-over-cyber.htm
-http://www.ft.com/cms/s/2/78f94f14-bec0-11e0-a36b-00144feabdc0.html?ftcamp=rss#a
xzz1UPjgH7bW
[Editor's Note (Pescatore): This essentially illustrates one of the major problems in what is now called "Operational Technology" (vs. Information Technology): apparently there was some assumption that PLCs or other process control systems did *not* have vulnerabilities? Either that, or there was still an assumption that control networks were isolated - even though Conficker, Stuxnet and numerous penetration tests have proven that is rarely, if ever, true. ]

Cyber Challenge Camps in Virginia and Delaware (August 6, 2011)

Eighty-five people participated in an invitation-only US Cyber Challenge Camp last week at J. Sargeant Reynolds Community College in Richmond, Virginia. As in the other camps held this summer, the week culminated in a virtual capture the flag competition. Participants worked in teams to penetrate a system created for the competition. Another camp is running this week at Delaware Technical and Community College in Dover, Delaware. The camps are part of an effort to indentify and cultivate people who have an interest in and talent for cyber security to help build more secure networks and defend them at organizations supporting the country's critical infrastructure, government and private industry.
-http://www2.timesdispatch.com/business/2011/aug/06/tdbiz01-future-cyberguardians
-get-training-ar-1221289/
-http://www.tmcnet.com/usubmit/-reynolds-hosting-national-cyber-camp-/2011/08/05/
5685255.htm
-http://www.uscyberchallenge.org/competitions-camps/cyber-camps/

---

*************************** SPONSORED LINKS ******************************

1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/83774

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

DefCon Kids (August 8, 2011)

For the first time, DefCon offered a track for children ages eight to 16 at its Las Vegas, Nevada conference. The participants heard talks from US federal agents hoping to guide them down the right path. A parent of one participant said that the "instructors ... focused on the benefits of gaining a real understanding of the technologies involved and when appropriate discussed the moral and ethical questions involved." One of the participants in the two-day event discovered a loophole in certain games; having grown weary of waiting for crops to grow on farm games, she found that by disconnecting a tablet or phone from WiFi and advancing the clock slightly, the applications could be tricked into speeding up the crops' growth.
-http://www.bbc.co.uk/news/technology-14443001
-http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/
-http://www.pcworld.com/businesscenter/article/237503/defcon_for_kids_raising_a_n
ew_generation_of_hackers.html
-http://www.cbsnews.com/8301-501465_162-20089444-501465.html
-http://download.cnet.com/8301-2007_4-20089152-12/10-year-old-hacker-finds-zero-d
ay-flaw-in-games/?tag=mncol;txt

WordPress Sites Being Used to Poison Google Image Search Results (August 8, 2011)

Sites using the WordPress blogging platform are being manipulated to poison Google images search results with malicious code that redirect users to sites that try to infect their computers with malware. As of Friday, August 5, less than five percent of WordPress sites appear to have been affected. Internet Storm Center Reports:
-http://isc.sans.edu/diary/More+on+Google+image+poisoning/10822
-http://isc.sans.edu/diary/Image+search+can+lead+to+malware+download/10759
-http://isc.sans.edu/diary.html?storyid=11323
General news reports:
-http://www.theregister.co.uk/2011/08/08/wordpress_hijack_poisons_google_image/

Data From Sheriff Departments Stolen and Posted Online (August 6, 7 & 8, 2011)

A group of cyber attackers operating under the umbrella of the Anonymous collective have released a 10GB cache of data taken from US law enforcement agencies' computer networks. The data exposure appears to be a retaliatory action for the arrests of people who were allegedly involved in earlier cyber attacks. The compromised information includes Social Security numbers (SSNs), email messages, information about stolen credit cards and informant data. The data appear to have been taken two weeks ago from servers at Brooks-Jeffrey, an Arkansas-based company that hosts sheriff association websites.
-http://gcn.com/articles/2011/08/08/antisec-hack-74-sheriffs-data.aspx?admgarea=T
C_SECCYBERSSEC
-http://www.eweek.com/c/a/Security/Anonymous-LulzSec-Dump-Data-from-70-Sheriffs-O
ffices-547474/
-http://news.cnet.com/8301-27080_3-20089054-245/antisec-hackers-post-stolen-polic
e-data-as-revenge-for-arrests/
-http://www.computerworld.com/s/article/9218961/AntiSec_hackers_dump_data_after_h
acking_police_websites
[Editor's Note (Honan): The US Department of Homeland Security has issued a briefing paper on Anonymous and similar groups outlining future potential targets
-http://info.publicintelligence.net/NCCIC-Anonymous.pdf]

Travelodge UK Admits Data Breach (August 5, 2011)

Travelodge UK has acknowledged that its customer database was breached and some of the information used to send customers spam offering "work at home" opportunities. Customers began complaining about the unwanted messages in June. The company says that "no financial data has been stolen, accessed or compromised." The breach affected "a small number of customers' names and email addresses." Travelodge has taken pains to assure customers that the company did not sell their personal information, but did not offer many details about the incident. The Information Commissioner's Office has been informed.
-http://www.theregister.co.uk/2011/08/05/travelodge_email_snafu/

Spam King Surrenders (August 5, 2011)

Sanford Wallace, a.k.a. "the Spam King," has surrendered to federal law enforcement agents in California. Wallace has been charged with sending millions of spam messages to Facebook users. He allegedly tricked users into submitting their account login details. An estimated 500,000 Facebook accounts were compromised. Once he had access to compromised accounts, he accessed their friends lists and posted junk messages on their walls. Facebook won a US $711 million judgment against Wallace in 2009. Wallace faces charges of electronic mail fraud, intentional damage to a protected computer and criminal contempt. He has been released after posting US $100,000 bail.
-http://www.bbc.co.uk/news/world-us-canada-14428730
-http://www.theregister.co.uk/2011/08/05/spamford_wallace_indicted/

PhonyAV Activity Drops (August 3 & 4, 2011)

Scareware purveyors are experiencing a downturn in business after the activity gained attention from the security community and law enforcement agencies around the world. Some of the phony anti-virus companies experienced difficulty getting credit card processors to handle their transactions. Over the past several weeks, McAfee has noted a significant drop in the number of customers reporting scareware infections. Journalist Brian Krebs observed that the payment processors' refusal to allow shady transactions is a double-edged sword; people whose computers are already infected with the malware most commonly clear up their infections by paying the scammers.
-http://krebsonsecurity.com/2011/08/huge-decline-in-fake-av-following-credit-card
-processing-shakeup/
-http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/