SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #42

May 25, 2012

TOP OF THE NEWS

China Arrests 160 in Connection with Personal Data Theft
FBI Unit Helps Wiretapping Stay On Top of Tech Developments
SpyEye Variant Uses Webcams and Microphones to Harvest Information

THE REST OF THE WEEK'S NEWS

Lawmakers Want DOJ to Reopen Google Wi-Fi Data Collection Investigation
Google Updates Chrome 19
Bredolab Creator Draws Four-Year Prison Sentence
Yahoo's Axis Browser Debuts with A Few Gaffes
Drug Charges Dropped Over Warrantless GPS Surveillance
Google to Warn Search Engine Users Infected with DNSChanger
Electronic Communication Record Interception On the Rise in Ireland
Students Expelled, Facing Felony Charges Over Threats on Twitter
Proposed New York Legislation Flies in Face of First Amendment

---

************************* SPONSORED BY SANS *****************************
SEC575 Webcast Series: Session 1: A Taste of SANS Security 575 - Invasion of the Mobile Phone Snatcher. SANS is pleased to bring you an all new course designed specifically for helping organizations securely deploy, manage and test the security of mobile devices. In this first installment of our Taste of SANS Security 575 series. Friday, June 01, 2012 at 1:00 PM EDT.
http://www.sans.org/info/105990
**************************************************************************
TRAINING UPDATE
- - --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- - --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- - --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- - --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- - --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- - - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Malaysia, Bangkok, Boston, and San Antonio all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************************

---

TOP OF THE NEWS

China Arrests 160 in Connection with Personal Data Theft (May 24, 2012)

Authorities in China have arrested 160 people in connection with the theft of personal information of others. In April, 1,700 similar arrested were made. The operation also involved shutting down 13 online forums in which stolen personal data were traded.
-http://www.bbc.co.uk/news/technology-18189980

FBI Unit Helps Wiretapping Stay On Top of Tech Developments (May 22, 2012)

The FBI's Domestic Communications Assistance Center (DCAC) was reportedly created to develop technology that will help law enforcement eavesdrop on communications, including wireless and Internet communications. DCAC has staff members from the FBI, the US Marshals Service, and the Drug Enforcement Agency and was created in response to the rapidly evolving technology that has made it more and more difficult for law enforcement to keep pace. DCAC "will not be responsible for the actual execution of any electronic surveillance court orders and will not have any direct operational or investigative role."
-http://news.cnet.com/8301-1009_3-57439734-83/fbi-quietly-forms-secretive-net-sur
veillance-unit/

SpyEye Variant Uses Webcams and Microphones to Harvest Information (May 22, 2012)

A new variant of the SpyEye Trojan horse program uses webcams and microphones to spy on its targets. SpyEye was developed to steal online banking information. Although SpyEye's original author is not developing the malware anymore, cyber criminals are able to take advantage of its architecture, which allows for plug-ins. This most recently detected variant uses a plug-in called flashcamcontrol.dll, which employs Flash Player to help harvest data. The microphone component is valuable to cyber thieves because in some instances, banks telephone their customers who are conducting online transactions, and during these conversations, the customers are likely to divulge personal information which could later be used to conduct online banking fraud.
-http://www.computerworld.com/s/article/9227387/Banking_malware_spies_on_victims_
by_hijacking_webcams_microphones_researchers_say?taxonomyId=83

---

********************** SPONSORED LINK ********************************
1) Attend SANSFIRE - July 6-15 in Washington DC at the Hilton Washington & Towers http://www.sans.org/info/105995
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Lawmakers Want DOJ to Reopen Google Wi-Fi Data Collection Investigation (May 24, 2012)

Two US legislators are calling for the US Department of Justice (DOJ) to reopen its investigation into Google's wireless data-gathering. A largely unredacted version of a US Federal Communications Commission (FCC) report on its investigation suggested that Google was not fully cooperative during the investigation. In a letter to US Attorney General Eric Holder, the Congressmen asked that the DOJ investigate the possibility that Google violated federal wiretapping laws.
-http://www.computerworld.com/s/article/9227480/Lawmakers_call_on_DOJ_to_reopen_i
nvestigation_into_Google_Wi_Fi_spying?taxonomyId=17
In a separate story, Google is facing criticism over what has been viewed as incomplete responses to European data regulators' concerns about its unified privacy policy. Google has been given a new deadline of June 8, 2012, to provide clear responses to the concerns.
-http://www.v3.co.uk/v3-uk/news/2179670/google-slammed-incomplete-answers-europea
n-watchdogs-privacy-fears

Google Updates Chrome 19 (May 24, 2012)

Google has released an update for Chrome, bringing the most current stable version of its browser to v.19.0.1084.52. The update addresses nine security flaws; it affects Chrome for Linux, Windows, and Mac OS X. Several of the flaws lie in the way Chrome handles memory, including out-of-bound reads and use-after-free conditions. The newest version of Chrome 19 does not contain any new features.
-http://www.h-online.com/security/news/item/Google-releases-security-update-for-C
hrome-19-1583427.html

Bredolab Creator Draws Four-Year Prison Sentence (May 23 & 24, 2012)

The man who created and spread the malware known as Bredolab has been sentenced to four years in prison. An Armenian court found Georgiy Avanesov guilty of computer sabotage. Bredolab spread through a combination of automated and phishing attacks and reportedly infected more than 30 million computers. Machines compromised by Bredolab became part of a botnet which was used to send spam, advertise phony anti-virus software, conduct attacks on websites, steal information, and infect computers with more malware. The Bredolab botnet reportedly earned Avanesov 100,000 euros (US $125,000) a month. Avanesov's sentence is the first cyber crime sentence ever handed down in Armenia.
-http://www.bbc.co.uk/news/technology-18189987
-http://news.cnet.com/8301-1009_3-57440553-83/notorious-bredolab-virus-creator-is
-sentenced-to-prison/
-http://www.wired.com/threatlevel/2012/05/bredolab-botmaster-sentenced/

Yahoo's Axis Browser Debuts with A Few Gaffes (May 23, 2012)

On Wednesday, May 23, Yahoo launched a new browser called Axis, which is a standalone browser on iPhone and iPad and a browser extension on Chrome, Firefox, Internet Explorer, and Safari. The company neglected to include an explanation of its terms of service. It was also found that the Yahoo Axis Chrome extension leaks its private certificate file; this issue could be exploited to create counterfeit extensions.
-http://www.h-online.com/security/news/item/Yahoo-released-private-certificate-wi
th-new-extension-1583522.html
-http://news.cnet.com/8301-1009_3-57440597-83/yahoo-fumbles-security-in-axis-brow
ser-launch/
-http://www.usatoday.com/tech/columnist/edwardbaig/story/2012-05-23/yahoo-axis-we
b-browser/55176378/1
[Editor's Note (Pescatore): I think Yahoo needs to improve its QA process, both in release of software products and in the QA of resumes of prospective new executives... ]

Drug Charges Dropped Over Warrantless GPS Surveillance (May 23 & 24, 2012)

A man being prosecuted on drug charges in Kentucky saw his case thrown out after the judge ruled a 150-pound cache of marijuana was inadmissible evidence because Drug Enforcement Agency (DEA) investigators used a GPS device to track the suspect's movements without a warrant. Robert Dale Lee had prior drug-related convictions when DEA investigators placed the device on his car. Witnesses said that Lee was transporting drugs from Illinois to Kentucky. When The GPS device indicated that Lee had driven to Chicago and returned to Kentucky, the DEA told state troopers that he was likely transporting marijuana, and he was pulled over for an alleged seat belt violation; a drug-sniffing dog accompanying the state trooper discovered the stash.
-http://www.wired.com/threatlevel/2012/05/marijuana-tossed-in-gps-case/
-http://www.computerworld.com/s/article/9227467/Judge_orders_drug_evidence_suppre
ssed_in_warrantless_GPS_tracking_case?taxonomyId=17
[Editor's Note (Murray): One hates to see this. That said, "Guys, warrants just are not that hard." Judges will often issue them on the basis of nothing more than "testimony of an unidentified paid informant." ]

Google to Warn Search Engine Users Infected with DNSChanger (May 23, 2012)

Google is warning users whose computers are infected with the DNSChanger malware when they use its search engine. Users whose computers are found to be infected are provided a link to directions for removing the malware from their computers. DNSChanger initially redirected users to sites with advertisements the attackers wanted them to view. Authorities seized the malicious servers and replaced them with their own, which redirect users to the proper sites, but the court order allowing them to operate those servers expires on July 9, 2012; any infected computers will not be able to reach the Internet after the servers cease to be active.
-http://www.h-online.com/security/news/item/Google-warns-DNSChanger-victims-15830
37.html
-http://www.msnbc.msn.com/id/47537422/ns/technology_and_science-security/
[Editor's Note (Pescatore); This *can* be a good thing, but there is a huge potential for this to amplify the widespread havoc wreaked by the Fake AV style malware. The average user can't tell the difference when multiple sites start telling them "Danger, Danger, click here!!" ]

Electronic Communication Record Interception On the Rise in Ireland (May 23, 2012)

According to statistics released by Ireland's Department of Justice, Gardai (the Irish national police force), the Defence Forces, and Revenue Commissioners made nearly 15,000 requests for records from telecommunications companies in 2010, an average of more than 40 requests every day.
-http://www.irishexaminer.com/ireland/invasion-of-privacy-194939.html
[Editor's Note (Honan): Under the Data Retention Act such requests are controversially retained by the telecom and ISP providers for up to two years. Interestingly the report shows that most requests came within 3 months of any crimes being committed which may reinforce those who claim that two years retention of such data is excessive. ]

Students Expelled, Facing Felony Charges Over Threats on Twitter (May 23, 2012)

Two Connecticut high school students have been expelled and arrested for making threats on Twitter. Police say neither threat was credible. Both students, a junior and a sophomore, attend the same high school, but the threats were not related. They are facing felony charges for their actions, which they say were intended to be jokes. While the punishments may seem extreme, a member of the police department there said, "Someone needs to say to these kids that if you post something, you're going to be held responsible."
-http://digitallife.today.msnbc.msn.com/_news/2012/05/23/11833159-students-arrest
ed-expelled-for-making-violent-twitter-threats?lite

Proposed New York Legislation Flies in Face of First Amendment (May 22, 2012)

Legislation proposed in both chambers of the New York State legislature would require new York-based websites, including blogs and newspapers, to remove comments posted anonymously unless the person posting the comment agrees to provide his or her name. The lawmakers behind the proposed bills say they aim to curb cyber bullying and "baseless political attacks." Critics say the laws are a clear violation of the First Amendment. Wired journalist David Kravets observes that "the bill has no identification requirement for those who request the takedown of anonymous content."
-http://www.wired.com/threatlevel/2012/05/anonymous-online-speech-ban/
-http://news.cnet.com/8301-1009_3-57440152-83/proposed-ny-ban-on-anonymous-posts-
comes-under-fire/
[Editor's Note (Pescatore): I believe the T shirt industry has created a lobbying fund to sponsor legislation that would require anyone attending a public event to wear a T-shirt with their name across the front and back... ]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/