SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #52

June 29, 2012

TOP OF THE NEWS

FTC Files Lawsuit Against Wyndham Hotels Over Data Security
New Dept. of Energy CIO Provides Fresh Perspective on Cyber Threat Response
SWAT Team Raids Wrong Home Due to Unprotected Wi-Fi Network
Mac OS X Mountain Lion Moves to Daily Automatic Security Updates

THE REST OF THE WEEK'S NEWS

Advanced Persistent Threats Can Be Beaten; Solutions Are Often Counter-Intuitive and Challenging for Most Defenders
Australian Telco Hacker Sentenced to Two-and-a-Half Years in Prison
New Zealand Judge Rules Megaupload Warrants Invalid
Surfthechannel.com Operator Found Guilty of Conspiracy to Defraud
Cable Modem Hacker Draws Three-Year Prison Term
Alaska's Dept. of Health and Social Services Fined Over HIPAA Violations
Prosecutors Want Prison Time for Man Who Hacked Celebrities' eMail Accounts
Calif. Escrow Company Reaches Settlement With Bank in Fraudulent Transaction Case
Operation Card Shop Nets 24 Arrests for Payment Card Fraud

---

*************************** SPONSORED BY SANS *****************************
New Analyst Paper in the SANS Reading Room: "Streamlining Risk Management with the SANS 20 Critical Security Controls," by senior SANS analyst and co-editor of the 20 controls document, James Tarala.
http://www.sans.org/info/109299
****************************************************************************
TRAINING UPDATE
- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 45 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- --SANS Boston 2012, Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***************************************************************************

---

TOP OF THE NEWS

FTC Files Lawsuit Against Wyndham Hotels Over Data Security (June 26, 27, & 28, 2012)

The US Federal Trade Commission is suing the Wyndham Hotel chain and several of its subsidiaries for failing to protect customers' financial data. The lawsuit arises from a series of breaches that led to the compromise of 600,000 customer payment cards. The data were stored in plaintext. The breach resulted in more than US $10 million of fraudulent transactions. The lawsuit alleges that the defendants misrepresented their security stance to customers and failed to take widely known security precautions, such as installing software patches and fixing known vulnerabilities. Wyndham plans to appeal the charges.
-http://news.cnet.com/8301-1009_3-57460551-83/ftc-sues-wyndham-hotels-over-data-b
reaches/
-http://www.latimes.com/business/la-fi-wyndham-breach-20120626,0,3822917.story
-http://tech.fortune.cnn.com/2012/06/28/ftc-hackers/
-http://www.h-online.com/security/news/item/FTC-sues-Wyndham-Worldwide-over-data-
breaches-1627721.html
-http://www.informationweek.com/news/security/privacy/240002829
-http://www.darkreading.com/database-security/167901020/security/news/240002876/f
tc-takes-on-wyndham-for-security-lapses.html
-http://ftc.gov/os/caselist/1023142/120626wyndamhotelscmpt.pdf
[Editor's Note (Pescatore): Once again the FTC, without requiring new laws or regulations or expertise from the DoD or intelligence community, takes the lead in effective enforcement of shoddy security practices by businesses that impact consumers.
(Ullrich): The news report reads like so many large retail breaches: Hacker finds weak device at a retail location, breaks in, and has access to the entire network. Large distributed networks need to implement controls inside, not just at the perimeter, and the perimeter devices need to be monitored and configured correctly.
(Northcutt): The tragedy is, both sides will end up spending a lot of money on lawyers, magnifying a 10 million dollar loss to a 14 or so million dollar loss.
(Murray): The FTC clearly has the interest of the consumer at heart and is having some impact. Perhaps it is time to increase their budget. ]

New Dept. of Energy CIO Provides Fresh Perspective on Cyber Threat Response (June 26, 2012)

At a Government Technology Research Alliance Forum earlier this month, the US Department of Energy's (DOE) newly-named Chief Information Officer (CIO) Robert Brese spoke of the need to develop a cybersecurity workforce with the skills to respond to cyber threats. Brese noted the importance of moving from a "prevent-and-recover mind-set," toward a prevent-recover-respond framework, while remaining within the boundaries of the law and diplomacy. Brese also talked about creating a system of cyber security interns, much like the medical profession trains its doctors. Brese assumes his new post officially on July 1.
-http://gov.aol.com/2012/06/26/new-energy-cio-stresses-need-for-stronger-cyber-re
sponse/

SWAT Team Raids Wrong Home Due to Unprotected Wi-Fi Network (June 28, 2012)

Police in Evansville, Indiana sent a SWAT team into a home that was the suspected origin of some threats made against police on an Internet forum. After breaking a door and a window and tossing in flash grenades, police learned that they had targeted the wrong house. Because the threats were traced to an IP address associated with the house's Wi-Fi network, the officers believed they had identified the culprits. However, the Wi-Fi connection was unsecured and the threats had actually come from someone at a different residence who took advantage of the open network connection.
-http://arstechnica.com/tech-policy/2012/06/swat-team-throws-flashbangs-raids-wro
ng-home-due-to-open-wifi-network/
[Editor's Note (Pescatore): Hmmm, I think the Evansville PD needs some education on when and how to rely on IP addresses for accurate geo-location.
(Murray): This is not just about the flimsy evidence that the police had as to the source of the threat but also about proportionate response. Most Internet "threats" are rhetoric and do not justify this kind of response.
(Ullrich): Having a protected wireless access point is a good idea. Having a local police department that understands the issues in attributing cyber crimes is even better. ]

Mac OS X Mountain Lion Moves to Daily Automatic Security Updates (June 26 & 27, 2012)

A preview build of Mac OS X Mountain Lion available to developers and testers will check for software updates over an encrypted connection on a daily basis and install those updates automatically. It appears that the function applies only to Apple's own updates, but the feature could potentially be used to deliver third-party updates through the App Store as well. Some view the shift to automated updating as a sign that Apple is starting to take security more seriously. Earlier versions of OS X check for updates weekly. Mountain Lion is expected to be released in late July.
-http://news.cnet.com/8301-1009_3-57460527-83/mountain-lion-gets-daily-automatic-
updates/
-http://www.itworld.com/security/282576/do-automatic-os-x-security-updates-signal
-sea-change-apple
-http://www.computerworld.com/s/article/9228516/Apple_steals_from_Windows_Update_
playbook_for_OS_X_Mountain_Lion?taxonomyId=85
[Editor's Note (Ullrich): And Apple appears to improve the validation of the updates, even though details are not that clear at this point. Apple also modified and softened its language with respect to OS X's security advantages over other operating systems. Maybe Apple is getting the message that they are a target now. ]

---

************************** Sponsored Link: *************************
1) Security Policy and Management of Mobile Devices: A SANS Survey Help SANS find out how organizations managing risk and compliance around their mobile/employee owned devices by taking the SANS 2nd survey in it's mobility survey series. Take the survey and be entered in our drawing to win one of TWO $200 American Express gift cards! Link: http://www.sans.org/info/109304
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Advanced Persistent Threats Can Be Beaten; Solutions Are Often Counter-Intuitive and Challenging for Most Defenders (June 25, 2012)

An immersion skills development program initially developed for the U.S. defense industrial base brought together the most advanced techniques for blocking targeted intrusions. Many are counterintuitive; most are beyond the skills of most computer security defenders. Without those techniques and the necessary skills organizations are completely open to attack because most commercial tools are impotent against these threats.
-http://www.csoonline.com/article/709239/advanced-persistent-threats-can-be-beate
n-says-expert
Skills Development Program:
-http://computer-forensics.sans.org/training#508

Australian Telco Hacker Sentenced to Two-and-a-Half Years in Prison (June 27 & 28, 2012)

David Cecil has been sentenced to two-and-a-half years in prison for hacking into Australian telecommunications company Platform Networks. He was arrested last year and charged with one count of unauthorized modification of data and 49 counts of accessing restricted data.
-http://www.theregister.co.uk/2012/06/28/plaform_hacker_gets_jail_time/
-http://www.gizmodo.com.au/2012/06/platform-networks-hacker-evil-gets-jail-time/

New Zealand Judge Rules Megaupload Warrants Invalid (June 28, 2012)

A New Zealand High Court judge has ruled that the warrants used to seize physical assets from Megaupload founder Kim Dotcom earlier this year are illegal. Justice Helen Winkelmann wrote that the warrants were overly broad and allowed for the seizure of property beyond that which was relevant to the charges of conspiracy and copyright infringement brought by the US. Authorities in New Zealand are appealing the judge's ruling. Justice Winkelmann also wrote that the US, which is seeking Dotcom's extradition, acted unlawfully when it sent copies of data from seized hard drives to the US.
-http://arstechnica.com/tech-policy/2012/06/mega-victory-kim-dotcom-search-warran
ts-invalid-mansion-raid-illegal/
-http://www.bbc.co.uk/news/technology-18623043
-http://www.computerworld.com/s/article/9228596/New_Zealand_judge_rules_Megauploa
d_search_warrants_were_illegal?taxonomyId=17
-http://www.wired.com/threatlevel/2012/06/megaupload-raids/

Surfthechannel.com Operator Found Guilty of Conspiracy to Defraud (June 27 & 28, 2012)

The man who owns and operates Surfthechannel.com, a site that provided links to streaming films and television programs, has been found guilty of facilitating copyright infringement. UK Prosecutors did not charge Anton Vickerman with copyright offences, but he was found guilty of conspiracy to defraud and could face up to 10 years in prison. A group of film and television distributors say that the site at one point attracted more than 400,000 visitors a day and earned advertising revenue of more than GBP 35,000 (US $54,360) a month.
-http://www.guardian.co.uk/technology/2012/jun/28/man-convicted-website-links-tv-
video?newsfeed=true
-http://www.bbc.co.uk/news/uk-england-18614670

Cable Modem Hacker Draws Three-Year Prison Term (June 28, 2012)

A federal judge in Boston has sentenced Ryan Harris to three years in prison for selling hacked cable modems that allowed people to receive Internet service without paying for it. Harris was convicted of wire fraud earlier this year. The rooted modems allowed purchasers to get free internet service, or to bypass limits imposed by their subscriptions.
-http://www.wired.com/threatlevel/2012/06/ryan-harris-sentencing/

Alaska's Dept. of Health and Social Services Fined Over HIPAA Violations (June 27, 2012)

Alaska's Department of Health and Social Services (DHSS) has been fined US $1.7 million for violations of the Health Insurance Portability and Accountability Act's (HIPAA) Security Rule. In October 29, thieves stole a USB stick that held personally identifiable information of 500 Medicaid beneficiaries in Alaska. Health care organizations are required to report to the US Department of Health and Human Services' Office for Civil Rights (OCR) any security breaches that affect 500 or more people. The fine imposed on the Alaska agency was determined not by the number of records involved, but by the lax information security measures it had in place at the time, as discovered during an investigation. This is the OCR's first enforcement against a state agency.
-http://www.scmagazine.com/alaska-agency-must-pay-17m-after-500-person-breach/art
icle/247697/

Prosecutors Want Prison Time for Man Who Hacked Celebrities' eMail Accounts (June 27, 2012)

US federal prosecutors are seeking prison time and a fine for the man who accessed email accounts of several celebrities. Christopher Chaney changed the settings on the compromised accounts so all email would be forwarded to him; he also stole photographs and other personal information through the accounts. The US Attorney is asking for a 71-month prison sentence and a fine of US $150,000, as well as $66,200 in compensation to one of the victims.
-http://www.scmagazine.com/feds-recommend-jail-fines-for-scarlett-johansson-hacke
r/article/247726/

Calif. Escrow Company Reaches Settlement With Bank in Fraudulent Transaction Case (June 26, 2012)

A California escrow company that was the victim of online banking fraud has reached a settlement with its bank. Professional Business Bank will cover the amount of money lost to the thieves plus interest as well as attorney's fees for Village View Escrow, Inc. Village View sued the bank last June, alleging that it was negligent because it protected customer accounts with nothing more than usernames and passwords. Initially, more than US $465,000 was stolen through fraudulent wire transfers made to individuals who had no prior business with Village View. The escrow company was able to recover some of the funds but was left with a loss of nearly US $400,000; the company's owner took out a personal loan at 12 percent interest to cover the loss.
-http://krebsonsecurity.com/2012/06/bank-settles-with-calif-cyberheist-victim/

Operation Card Shop Nets 24 Arrests for Payment Card Fraud (June 26, 27, & 28, 2012)

Authorities in several countries arrested a total of 24 people in connection with a forum that specialized in credit card fraud. Federal investigators set up the Carder Profit forum two years ago as part of an operation that gathered evidence to arrest the alleged perpetrators. One suspect was arrested when he tried to use compromised cards to withdraw funds from an ATM. Eleven suspects were arrested in the US, six in the UK; other arrests were made in Bosnia, Bulgaria, Norway, and Germany.
-http://www.theregister.co.uk/2012/06/27/carder_forum_fbi_sting/
-http://krebsonsecurity.com/2012/06/carderprofit-forum-sting-nets-26-arrests/
-http://www.computerworld.com/s/article/9228547/24_arrested_in_international_onli
ne_carding_crackdown?taxonomyId=17
-http://www.wired.com/threatlevel/2012/06/operation-card-shop/
-http://news.cnet.com/8301-1009_3-57460877-83/fbi-cybercrime-sting-leads-to-24-ar
rests/
-http://www.justice.gov/usao/nys/pressreleases/june12/cardshoparrests.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/