SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #64
August 16, 2011
The critical shortage of world-class technical cyber manpower in the
U.S. was recognized this week in the new strategy for cybersecurity
education released by NIST. At the same time, two national competitions
were announced - one for high school and one for college students. The
college competition is described in the first story. The high school
competition is described at
http://www.uscyberchallenge.org/competitions-camps/cyber-foundations/registration/index.cfm
Alan
PS: The best solution I have ever seen for ensuring security engineering is baked into every new system and application will be presented by Cisco, where it is really working, at the Security Architecture workshop in DC, August 29-30:
http://www.sans.org/baking-security-applications-networks-2011/
TOP OF THE NEWS
US Cyber Challenge Cyber Quest Registration Opens
NIST Issues Flawed National Strategy for Cybersecurity Education
Fifteen-Month Sentence for Using Information Found Online to Drain Bank Accounts
THE REST OF THE WEEK'S NEWS
Malicious Android Application Answers Calls
Adobe Gives Nod to Researcher for 80 Flash Bugs
BART Site Breached, Data Stolen in Response to Disruption of Mobile Service
Prison Sentence for Man Running Video Stores Filled with Pirated Disks
More Fake Apple Stores Found in Kunming
Firefox Aurora Will Block Add-Ons Until Explicitly Approved
South Korean Data Breach Conducted Through Infected Software Update Server
***************** Sponsored By Core Security Technologies ****************
Sign Up TODAY for SANS Special Webcast: SANS Security 660 Series: Return-Oriented Programming and Exploitation with Stephen Sims on 8/22 at 1:00 PM ET. Go to: http://www.sans.org/info/84484
**************************************************************************
TRAINING UPDATE
--SANS Virginia Beach 2011, August 22 - September 2, 2011. 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats.
http://www.sans.org/virginia-beach-2011/
--The National Security Architecture Workshop, DC, Aug. 29-30, 2011. 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle.
http://www.sans.org/baking-security-applications-networks-2011/
--SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011. 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis.
http://www.sans.org/ottawa-2011/
--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011. 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations.
http://www.sans.org/network-security-2011/
--NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011. 3 tracks: Cloud Computing, Continuous Monitoring and Enterprise Mobile Security training.
http://www.sans.org/ncic-2011/
--SANS Chicago 2011, Chicago, IL, October 23-28, 2011. 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security.
http://www.sans.org/chicago-2011/
--SANS Seattle 2011, Seattle, WA, November 2-7, 2011. 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC.
http://www.sans.org/seattle-2011/
--Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************
TOP OF THE NEWS
US Cyber Challenge Cyber Quest Registration Opens (August 15, 2011)
Registration for the third US Cyber Challenge Cyber Quest competition is now open. Top performers in the Cyber Quests will be invited to participate in SANS NetWars and Fall Cyber Camps. Registration runs through September 8, 2011, and is open to US citizens. Cyber Quests are online quizzes based on network packet capture files. The competition runs from August 29, 2011 through September 9, 2011.
-http://www.digitaljournal.com/pr/391510
-http://www.allvoices.com/news/9975320-us-cyber-challenge-launches-third-cyber-quest-contest
-http://www.uscyberchallenge.org/
-http://www.gsnmagazine.com/node/24216?c=cyber_security
NIST Issues Flawed National Strategy for Cybersecurity Education (August 12 & 15, 2011)
The National Institute of Standards and Technology (NIST) has released a roadmap for building the country's cyber security workforce. The National Initiative for Cybersecurity Education (NICE) aims "to enhance the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population." However, a fatal flaw in the strategy is nearly certain to cause it never to meet the nation's needs unless it is sharply modified.
-http://wiredworkplace.nextgov.com/2011/08/expert_flags_flaw_in_cyber_workforce_plan.php
-http://www.nextgov.com/nextgov/ng_20110812_1335.php
-http://www.infosecurity-us.com/view/20108/nist-proposes-national-cybersecurity-education-and-training-plan/s
-http://csrc.nist.gov/nice/documents/nicestratplan/Draft_NICE-Strategic-Plan_Aug2011.pdf
Fifteen-Month Sentence for Using Information Found Online to Drain Bank Accounts (August 15, 2011)
Iain Wood has been sentenced to 15 months in prison for using information his Facebook friends had posted online to steal money from their bank accounts. Wood stole more than GBP 35,000 (US $57,000) from his neighbors between June 2008 and June 2010, when he was caught. He used the information he found online, including birth dates and mother's maiden names, to answer security questions that allowed him to access people's bank accounts.
-http://www.v3.co.uk/v3-uk/news/2101874/geordie-facebook-fraudster-months-stealing-gbp35
-http://www.zdnet.com/blog/facebook/fraudster-jailed-for-stealing-57000-by-leveraging-facebook/2652
*************************** SPONSORED LINKS ******************************
1) Trade in your current NAC solution for ForeScout CounterACT Virtual Appliance today! Limited time promotional offer. http://www.sans.org/info/84489
2) Need assistance turning your SANS training into tangible risk reduction? Contact Infogressive today to work with our team of GIAC certified consultants. http://www.sans.org/info/84504
3) Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. http://www.sans.org/info/84509
****************************************************************************
THE REST OF THE WEEK'S NEWS
Malicious Android Application Answers Calls (August 15, 2011)
Researchers have detected a malicious Android application that pretends to be the Google+ social networking platform. Once installed as Google++, the application has the ability to steal data and answer and record incoming calls. The application requires that users manually install it. The stolen data, including text messages, call logs and GPS locations, appears to be sent to a remote server in China.
-http://www.scmagazineus.com/new-android-spyware-answers-incoming-calls/article/209639/
[Editor's Note (Murray): The real issue here is not this program but rather why we are going down this path again. It may be inadvertent, Google may think they are responding to the market, but do we really need to have half of our mobile computing devices running naked in a hostile environment?]
Adobe Gives Nod to Researcher for 80 Flash Bugs (August 15, 2011)
Adobe has acknowledged that 80 bugs addressed in the most recent release of Flash Player were submitted by a Google researcher. Tavis Ormandy last week maintained that he had submitted 400 Flash bugs to Adobe, but both Google and Adobe have posted blogs explaining how the figure of 80 bugs came to be agreed upon.
-http://www.computerworld.com/s/article/9219208/Adobe_admits_Google_fuzzing_report_led_to_80_code_changes_in_Flash_Player?taxonomyId=17
-http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html
-http://googleonlinesecurity.blogspot.com/2011/08/fuzzing-at-scale.html
[Editor's Note (Murray): Instead of disputing the number, Adobe should be trying to identify what they are doing fundamentally wrong. Whether there are 400 or 80, there must be a pattern here somewhere.]
BART Site Breached, Data Stolen in Response to Disruption of Mobile Service (August 12 & 15, 2011)
San Francisco transit police cut off mobile phone service to people riding commuter trains on Thursday evening in the hopes of thwarting a planned protest. While the trains were underground, passengers were unable to use their cell phones; one passenger called "shutting down 911 service ... extremely irresponsible." Bay Area Rapid Transit (BART) authorities initially said they had asked mobile service providers to sever the service, but later acknowledged that they had caused the disruption themselves by cutting off power to the underground service towers. The action has met with criticism from civil liberties groups; a 1967 California Supreme Court case "ruled that a city couldn't prohibit nondisruptive political activity inside a railroad station." Others have said that the action would likely stand up in court. The US Federal Communications Commission (FCC) is looking into the incident. BART has said that it may repeat its action on Monday, August 15 to thwart another protest that is rumored to be scheduled for that evening. BART's website has been attacked in protest and information taken from the site posted to the Internet. The protest was being organized in response to a fatal shooting by BART police last month of a man who was wielding a knife.
-http://www.computerworld.com/s/article/9219158/SF_Bay_Area_transit_police_cut_mobile_service_to_thwart_protest?taxonomyId=17
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2011/08/15/MNTC1KNC27.DTL
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2011/08/15/MNIC1KNC1U.DTL
-http://www.msnbc.msn.com/id/44139412/ns/technology_and_science-security/#.TklsnGHQp8E
-http://www.wired.com/threatlevel/2011/08/subway-internet-shuttering/
Prison Sentence for Man Running Video Stores Filled with Pirated Disks (August 12, 2011)
A California man has been sentenced to 18 months in prison for operating video stores in which most of the offerings were pirated. Yan Akhumov's scheme was discovered when police responded to a call at one of his shops where a customer was making a scene because the DVD she had rented did not play. In 2007, Akhumov was visited by FBI agents who told him to stop trading in pirated CDs and DVDs. In all, authorities seized more than 55,000 disks that appeared to contain pirated content.
-http://www.wired.com/threatlevel/2011/08/copyright-scofflaw-imprisoned/
-http://www.wired.com/images_blogs/threatlevel/2011/08/vidchargingdoc.pdf
More Fake Apple Stores Found in Kunming (August 12, 2011)
In the weeks following the publication of a blog entry describing what appeared to be phony Apple stores in the city of Kunming, China, authorities have conducted a thorough investigation that turned up a total of 22 phony Apple stores in that city.
-http://www.bbc.co.uk/news/technology-14503724
Firefox Aurora Will Block Add-Ons Until Explicitly Approved (August 12, 2011)
A feature in the soon-to-be-released pre-beta version of the Firefox Aurora browser will block third-party add-ons until users specifically choose to allow them. Every time the browser starts, it will look for new add-ons; if any are detected, they will be disabled. Users will then see a dialog box asking them if they want to allow the add-on(s). In addition, the first time users start the new browser, they will see a dialog box asking them if they want to allow third-party add-ons that have been previously installed.
-http://www.theregister.co.uk/2011/08/12/mozilla_addon_blocking/
South Korean Data Breach Conducted Through Infected Software Update Server (August 12, 2011)
The breach that compromised personally identifiable information of 35 million South Koreans was launched through a server belonging to software provider ESTsoft. The attackers appear to have planted malicious code on the server used to update the ALZip compression application, which managed to infect more than 60 PCs at SK Communications. Once those machines became infected, the attackers used them to access a database for SK's Cyworld social networking site, which they plundered for the information, including names, user IDs and hashed passwords.
-http://www.esecurityplanet.com/headlines/article.php/3938556/ESTsoft-Update-Server-Used-to-Push-Malware.htm
-http://www.theregister.co.uk/2011/08/12/estsoft_korean_megahack/
************************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford is Chief Security Officer of the North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/