SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #8

January 28, 2011


Solutions to ten of the toughest security problems are the target of the National Cybersecurity Innovation Awards. Just the list of hard problems is interesting reading. See story in REST OF THE WEEK'S NEWS below. Deadline February 11.

A new cyber security careers video features Congressman Mac Thornberry (the man chosen by the Speaker of the House to coordinate Congressional cybersecurity initiatives) and high school kids announcing the US Cyber Challenge high school competition and calling on kids to "Take the Challenge." Appears to be an effective way to get high school kids engaged. It will be on YouTube shortly but you can see it early at http://vimeo.com/19286247.

Alan

TOP OF THE NEWS

Facebook Bolsters Security
U.S. Banks to Get Updated Online Authentication Guidelines
US Lawmaker Seeks to Protect Device Location Privacy
Scotland Yard Arrests Five in Connection with DDoS Attacks in Support of WikiLeaks

THE REST OF THE WEEK'S NEWS

Innovative Approaches to Hard Security Problems - Awards
FTC Wins US $8.2 Million Settlement in Phony AV Software Case
Most Illegal Content Uploaded by Just 100 Users
Authorities Seize Equipment in PS3 Hacking Case
South African Newspaper Takes Down Website to Protect Users From Malware
ACS:Law Drops Anti-Piracy Litigation
No Evidence of Connection Between Manning and Assange


************************** Sponsored By Netop *************************
Employees, partners and system vendors may all be administering your systems. If those systems house sensitive data, multiple compliance issues arise around access, roles and encryption. In this webcast, senior SANS Analyst Dave Shackleford discusses compliance challenges posed by remote administration and what to do about them.

http://www.sans.org/info/69663
*************************************************************************

TRAINING UPDATE

-- North American SCADA Security 2011, Lake Buena Vista, FL, February 23-March 2, 2011. With special DHS/INL and NERC workshops plus hands-on immersion training.
http://www.sans.org/north-american-scada-2011/

-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011. 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs; and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
http://www.sans.org/phoenix-2011/

-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011. 7 courses. Bonus evening presentations and special events include The Road to Sustainable Security
http://www.sans.org/appsec-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011. 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
http://www.sans.org/sans-2011/

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Singapore, Wellington and Barcelona all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

TOP OF THE NEWS

Facebook Bolsters Security (January 26, 2011)

Facebook is now offering improved security measures, just hours after an odd posting appeared under Mark Zuckerberg's name on the Facebook founder's fan page; Facebook maintained that a bug was to blame. Users can now choose to access the site over HTTPS, which should help prevent their sessions from being hijacked or snooped on over untrusted wireless connections. Previously, Facebook used HTTPS only for the login exchange that carries the user's password; every page after login, including the cookie that keeps the user logged in, was sent in the clear. Users must enable the option manually in their Facebook account settings, it does not work with all third-party Facebook applications, and it is available in the US but has not yet been rolled out worldwide.
-http://www.wired.com/threatlevel/2011/01/facebook-https/
-http://www.h-online.com/security/news/item/Facebook-now-SSL-encrypted-throughout-1178190.html
-http://www.computerworld.com/s/article/9206524/Facebook_unveils_security_tools_after_Zuckerberg_8217_s_page_hacked?taxonomyId=17
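
Why an opt-in HTTPS setting is only half of the fix: a browser sends any cookie that lacks the Secure attribute on plain http:// requests to the same host, so a session can still be captured on an open wireless network even after the user has turned the option on, unless the site also marks its session cookie Secure. The following Python audit is an added example written for this issue, not code from Facebook or from the articles linked above; the response headers and the cookie names (sid, lang, csrf) are constructed for illustration.

```python
"""Audit Set-Cookie headers for the flags that matter when HTTPS is optional.

Added example, not code from Facebook or from the original newsletter. The
response below is constructed; the cookie names are hypothetical.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: raw response headers as an intercepting proxy would show them.
# "sid" stands in for a session cookie, "lang" for a harmless preference cookie,
# "csrf" for a cookie that already carries both flags.
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Set-Cookie: csrf=f00; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers: str) -> List[Tuple[str, Set[str]]]:
    """Return (cookie name, lower-cased attribute names) for every Set-Cookie header."""
    cookies: List[Tuple[str, Set[str]]] = []
    for line in raw_headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attributes may be flags (HttpOnly) or key=value (Path=/); keep only the key.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies.append((name, attrs))
    return cookies


def audit_cookies(
    raw_headers: str, session_cookie_names: Tuple[str, ...] = ("sid",)
) -> Dict[str, List[str]]:
    """Map each cookie name to the protections it is missing.

    A cookie without Secure is sent on any http:// request to the same host, so an
    opt-in HTTPS deployment still exposes it on the network path. HttpOnly is checked
    for the session cookie(s) only; it keeps page script from reading the cookie.
    """
    findings: Dict[str, List[str]] = {}
    for name, attrs in parse_set_cookies(raw_headers):
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if name in session_cookie_names and "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run it against headers captured with any intercepting proxy after logging in over HTTPS; a session cookie reported as missing Secure means the HTTPS opt-in does not protect that session on a site that still serves some content over plain HTTP. The session cookie name is an assumption and must be set per site.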


[Editor's Note (Pescatore): For individual users, SSL everywhere is generally a good thing. For enterprises who want to allow Facebook access but still be able to make sure that sensitive or inappropriate content is streaming out the door, SSL means either losing visibility or making sure proxy approaches are in use that maintain visibility. ]

U.S. Banks to Get Updated Online Authentication Guidelines (January 25, 2011)

The Federal Financial Institutions Examination Council (FFIEC) plans to issue new online transaction authentication guidelines for banks. The guidelines will clarify existing recommendations. The earlier version of the guidelines called on banks to use two-factor authentication, but allowed the institutions to choose their own methods. Some chose measures that did little or nothing to improve security, so the updated guidelines will make it clear what steps the banks need to take. Cyber theft through online transactions has been on the rise over the last few years; the criminals have been targeting small and medium-sized businesses. The thefts have also drawn attention to the need to implement transaction monitoring controls and fraud alert systems.
-http://www.computerworld.com/s/article/9206158/Banks_may_soon_require_new_online_authentication_steps?taxonomyId=82

-http://www.bankinfosecurity.com/articles.php?art_id=3282

[Editor's Note (Schultz): Updated FFIEC guidelines will help banks in this endeavor, but only if they take protecting transactions much more seriously.
(Northcutt): Timing of this is very good. NIST forced the retirement of a large number of weaker crypto algorithms at the end of 2010, so now is a great time for financial organizations to quit using the names of people's pets as two-factor authentication:
-http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf]

US Lawmaker Seeks to Protect Device Location Privacy (January 26, 2011)

A US legislator plans to introduce a bill that would require law enforcement agencies to obtain a warrant before requesting location-based data from mobile devices. Senator Ron Wyden (D-Oregon) is concerned about citizens' privacy.
-http://news.cnet.com/8301-31921_3-20029677-281.html
-http://www.computerworld.com/s/article/9206538/Senator_wants_privacy_protections_for_device_location?taxonomyId=17


[Editor's Note (Pescatore): This is one of those "on the other hand" kind of issues. In the wired phone days the US evolved to allow law enforcement to record called/calling numbers without a warrant, which essentially meant knowing physical location. OTOH, getting physical location of a moving cellphone means getting tracking information, which in most cases required getting a warrant. OTOH, "Silver Alerts" to find wandering Alzheimer's patients make great use of cellular location data to more quickly find missing people. There is no right or wrong here; societies have to individually work out their compromises. ]

Scotland Yard Arrests Five in Connection with DDoS Attacks in Support of WikiLeaks (January 27, 2011)

Authorities in the UK have arrested five people between the ages of 15 and 26 in connection with Scotland Yard's investigation into distributed denial-of-service (DDoS) attacks launched by the loosely organized hacking collective known as Anonymous. The men are expected to be charged under the UK's Computer Misuse Act. The group has launched attacks focused on companies that had cut financial services to WikiLeaks, such as PayPal, Visa and MasterCard.
-http://www.bbc.co.uk/news/technology-12299137
-http://www.computerworld.com/s/article/9206623/UK_police_arrest_five_Anonymous_WikiLeaks_defenders?taxonomyId=17

-http://www.theregister.co.uk/2011/01/27/anon_hacking_suspects_uk_arrest/


*************************** Sponsored Links: *****************************
1) New Whitepaper in the SANS Reading Room: Securing Energy Control Systems from Terrorists and Cyberwarriors, by SCADA security expert, Jonathan Pollet: http://www.sans.org/info/69668 Please also listen to our associated webcast here: http://www.sans.org/info/69673

2) Warm desert, cool instructors, and hot courses. Only 29 Days until SANS Phoenix 2011 begins! http://www.sans.org/info/69694

3) Register early for the Early Bird discount of $400! SANS Northern Virginia 2011. http://www.sans.org/info/69698
************************************************************************************

THE REST OF THE WEEK'S NEWS

Innovative Approaches to Hard Security Problems - Awards (January 28, 2011)

Nominations are being sought for innovative solutions to a dozen hard security problems that have been explicitly described by CIOs and other senior federal officials. A national competition is seeking such solutions, and the finalists will be featured at the National Cybersecurity Innovation Workshop in Washington, April 18-19. The finalists will also be featured in the press so that they can gain rapid adoption. To read the problems and learn how to submit a nomination, see:
-http://www.sans.org/cyber-innovation-awards/

FTC Wins US $8.2 Million Settlement in Phony AV Software Case (January 27, 2011)

The US Federal Trade Commission (FTC) has reached an agreement with father and son team Maurice and Marc D'Souza, who used deceptive advertising to trick Internet users into downloading bogus antivirus software. The D'Souzas will forfeit US $8.2 million as part of the settlement. The money will be used to reimburse people who were duped into buying the worthless software, which went by names such as Winfixer, Drive Cleaner and Antivirus XP. The D'Souzas used an "elaborate ruse" to trick websites into running the ads that manipulated users into buying their products.
-http://www.pcworld.com/businesscenter/article/217987/alleged_scareware_vendors_to_pay_82_million_to_ftc.html

-http://www.theregister.co.uk/2011/01/27/scareware_mongers_fined/

Most Illegal Content Uploaded by Just 100 Users (January 27, 2011)

According to researchers from Germany, Spain and the US, about 100 peer-to-peer network users are responsible for uploading the majority of the illegal content that other users download. The researchers looked at 55,000 files available for download on The Pirate Bay and Mininova and found that two groups account for most of the uploads. One group, the "fake publishers," either works on behalf of copyright holders, seeding phony copies to protect their clients' property, or consists of attackers who hide malware in the phony files. The genuine pirated content can be traced to roughly 100 users who are motivated by profit. Because such a small group appears to be responsible for the availability of so many files, copyright holders may be able to devise schemes that discourage their behavior.
-http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=229100374&subSection=Security


[Editor's Note (Cole): Today it is all about the data and data theft attacks will continue to increase. It is important that organizations identify their critical information and implement some level of data classification. Once this is done, outbound traffic leaving the organization needs to be tracked very closely. Pay special attention to encrypted traffic. Unauthorized encrypted traffic is one of the common methods attackers use to blind an organization's network security devices. Encryption detectors should be placed on the network to identify traffic that is encrypted by an attacker. ]
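
The editor's note above recommends network "encryption detectors" for spotting attacker-encrypted traffic. The most common first-pass heuristic is byte entropy: ciphertext and compressed data use the whole byte range almost uniformly, while protocol text and documents do not. The following Python is an added example illustrating that heuristic, not a tool from the newsletter or from any vendor; both payloads are constructed, and the 7.0 bits-per-byte threshold and 64-byte minimum are assumptions to be tuned per environment.

```python
"""Shannon-entropy screen for encrypted-looking payloads.

Added example illustrating the kind of "encryption detector" the editor's note
mentions; it is not code from the original newsletter. Both payloads are constructed.
"""
import math
from collections import Counter

# Constructed sample payloads. The first is an ordinary HTTP request; the second
# stands in for ciphertext: every byte value appears equally often, which is what a
# good cipher's output looks like on average (deterministic here for reproducibility).
PLAINTEXT_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
)
OPAQUE_PAYLOAD = bytes(range(256)) * 4

# Assumed tuning values. English text and protocol headers sit around 4-5 bits per
# byte; ciphertext and compressed data approach the 8.0 maximum.
HIGH_ENTROPY_THRESHOLD = 7.0
MIN_BYTES = 64  # entropy over a handful of bytes is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Label a payload as 'too-short', 'plaintext' or 'high-entropy'.

    High entropy flags encrypted *or* compressed content, so a hit on a port where
    the organization does not expect encryption is a lead for an analyst, not proof
    of exfiltration.
    """
    if len(data) < MIN_BYTES:
        return "too-short"
    if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plaintext"


if __name__ == "__main__":
    for label, payload in (("http", PLAINTEXT_PAYLOAD), ("opaque", OPAQUE_PAYLOAD)):
        bits = shannon_entropy(payload)
        print(f"{label}: {bits:.2f} bits/byte -> {classify_payload(payload)}")
```

Because compressed files and legitimate TLS look the same to this test, pair the score with where the flow is going: high entropy on port 443 to a known service is normal, while high entropy on port 80 or in DNS to an unfamiliar host is the kind of lead the note is talking about.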

Authorities Seize Equipment in PS3 Hacking Case (January 27, 2011)

Authorities have seized computers and other equipment belonging to a man who allegedly devised a way to circumvent copy protection measures on a Sony PS3 that he owned. The judge who ordered the seizure of the equipment also issued a temporary restraining order prohibiting the man, who uses the online name Geohot, from publishing the tools he used. Sony maintains that bypassing the copy protection measures is a violation of the Digital Millennium Copyright Act (DMCA).
-http://www.theregister.co.uk/2011/01/27/sony_ps3_tro_awarded/

[Editor's Comment (Northcutt): Hmmmm, this is messy. Because New Jersey resident George Hotz uses Twitter, California thinks they can issue a TRO AND seize his equipment?
-http://www.theregister.co.uk/2011/01/14/no_playstation_hacker_order/
This is only a minor victory for Sony; Judge Susan Illston wants a more in-depth briefing February 11, 2011.
-http://macnn.com/rd/192139==http://psx-scene.com/forums/attachments/f6/24831d1296152940-temporary-restraining-order-issued-sony-vs-geohot-gov-uscourts-cand-235965-51-0-pdf
And, this seems to be very similar to the US Copyright Office decision to allow owners to jailbreak iPhones:
-http://www.theregister.co.uk/2010/07/26/dmca_exemptions/
And nothing short of a total redesign of the PS3 is going to keep that key secret. At Chaos Computer Congress the PS3 briefing was called "PS3: an Epic Fail" for a reason:
-http://www.crunchgear.com/2010/12/30/chaos-communication-congress-ps3-security-an-%E2%80%98epic-fail%E2%80%99-dongle-less-hacking-solution-now-possible/
Maybe Sony should stick to rootkits:
-http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal]

South African Newspaper Takes Down Website to Protect Users From Malware (January 26, 2011)

Following relentless cyber attacks, the website of South African newspaper The Mail & Guardian has been taken down so that security improvements can be made. Editors said the site was being inundated with attacks that appeared to emanate from Russia and that attempted to steal visitors' information. Rather than expose visitors to the malware, the paper chose to take the site offline; it hopes to have the site available again soon.
-http://www.theregister.co.uk/2011/01/26/mail_and_guardian_hack_attack/

[Editor's Note (Honan): This story, and the recent story about the Lush UK website hack, should serve as examples to organisations looking to implement systems or websites without conducting appropriate risk management exercises and implementing appropriate security measures. A classic personification of Benjamin Franklin's saying "An ounce of prevention is worth a pound of cure." ]

ACS:Law Drops Anti-Piracy Litigation (January 25, 2011)

ACS:Law, the UK firm that made headlines for pursuing alleged illegal filesharers, has dropped more than two dozen cases it had brought on behalf of copyright holder MediaCAT. ACS:Law lead solicitor Andrew Crossley said he made the decision to drop the litigation after receiving death threats. ACS:Law has sent thousands of generic warning letters to people believed to be involved in illegal filesharing. It also came under scrutiny last year when, following an attack on its website, the names and other personal information of people who received letters from the firm were exposed. The letters offered the recipients the choice of paying GBP 500 (US $800) or going to court.
-http://www.guardian.co.uk/technology/2011/jan/25/acslaw-ceases-filesharing-claims

-http://www.bbc.co.uk/news/technology-12253746

No Evidence of Connection Between Manning and Assange (January 24 & 25, 2011)

Unnamed Pentagon sources told NBC News that investigators have been unable to find evidence linking Pfc. Bradley Manning to Julian Assange. The evidence appears to support assertions that Manning downloaded documents and passed them to another party, but there is no evidence showing that that party was WikiLeaks or Julian Assange. Manning was arrested after Adrian Lamo gave US authorities logs of chats the two men had in which Manning allegedly admitted to taking the documents. The chat logs indicate that Manning was planning to erase evidence from his computer that would link his activity to Assange and WikiLeaks.
-http://www.msnbc.msn.com/id/41241414/ns/us_news-wikileaks_in_security/
-http://www.wired.com/threatlevel/2011/01/manning-and-assange/


************************************************************************

The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is a security professional currently involved in independent security research.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Electric Reliability Corporation (NERC).


Alan Paller is director of research at the SANS Institute.


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/