
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #6

January 20, 2012

TOP OF THE NEWS

Anonymous Says it Has Taken Down Government and Recording Industry Websites
Koobface Masterminds Named; Botnet Goes Silent
Legislators Dropping Support for PIPA and SOPA

THE REST OF THE WEEK'S NEWS

McAfee to Patch Spamming Vulnerability in SaaS Total Protection Service
Russian Man Extradited from Switzerland to US to Face Charges in Fraud Case
ACS:Law's Crossley Suspended for Two Years
US Supreme Court Declines to Consider Student Social Media Free Speech Cases
Man Arrested and Charged in Federal Reserve Bank of New York Source Code Theft
Prison Time for Man Who Stole Patient Database From Former Employer
Israeli-Arab Hacking Continues
Oracle Criticized for Dragging its Feet on Database Flaw Fixes
Carberp Trojan Variant Hits Up Facebook Users for 20 euro (US $26)
Virginia Middle School Students Wreaked Havoc on Blackboard Application


************************** SPONSORED BY SANS **********************

Needle in a Haystack? Getting to Attribution in Control Systems, featuring SANS instructor and infrastructure security expert, Matt Luallen http://www.sans.org/info/97061 Wednesday, February 22, 2012 at 1:00 PM EDT

**************************************************************************

TRAINING UPDATE

--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012 Summit: March 12-13, 2012 Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Nashville, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************************************************************

TOP OF THE NEWS

Anonymous Says it Has Taken Down Government and Recording Industry Websites (January 19, 2012)

The loosely organized hacker collective known as Anonymous claims to have taken down the websites of the US Department of Justice, the FBI, the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA) and several other sites in apparent retaliation for the government's shutdown of Megaupload.com. On Thursday, US federal authorities indicted two companies and shut down Megaupload.com.
-http://www.mercurynews.com/nation-world/ci_19777444?
-http://technolog.msnbc.msn.com/_news/2012/01/19/10193724-anonymous-says-it-takes-down-fbi-doj-entertainment-sites?chromedomain=usnews

-http://www.washingtonpost.com/business/economy/federal-indictment-claims-popular-web-site-shared-pirated-material/2012/01/19/gIQA4rDwBQ_story.html

[Editor's Note (Pescatore): What most of these successful attacks are pointing out is a lack of due diligence level of security on the websites that were impacted. Any website that is of any value to the business probably has a significant investment in backup servers, uninterruptible power, etc - but many *don't* have denial of service protection or secure code development or web application firewalls in place. Yet, these days web attacks are more likely than environmental outages for most web servers. ]

Koobface Masterminds Named; Botnet Goes Silent (January 17, 18, & 19, 2012)

Five people have been named as the masterminds behind the Koobface botnet. All five are Russians. Shortly after the suspects were named, the Koobface network went silent. The suspects have been identified as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Svyatoslav Polinchuk, and Stanislav Avdeiko.
-http://www.theregister.co.uk/2012/01/18/koobface_prime_suspect_outed/
-http://www.h-online.com/security/news/item/Koobface-C-C-goes-silent-after-alleged-controllers-exposed-1416869.html

-http://www.v3.co.uk/v3-uk/news/2139429/alleged-koobface-gang-exposed
-http://www.eweek.com/c/a/Security/Facebook-Security-Investigators-Unmask-Five-Men-Behind-Koobface-Crime-Ring-476256/

-http://www.zdnet.com/blog/facebook/koobface-gang-pulls-server-after-facebook-exposes-hackers/7705

[Editor's Comment (Northcutt): An interesting story. A couple of days ago, the Facebook security team said they would release the identities of the Koobface (anagram for Facebook) gang and now they have clearly done it:
-http://betanews.com/2012/01/17/koobface-hackers-are-easily-found-on-facebook-elsewhere/ ]

Legislators Dropping Support for PIPA and SOPA (January 18, 2012)

More US legislators have announced that they are withdrawing their support for the House's Stop Online Piracy Act (SOPA) and the Senate's Protect IP Act (PIPA). Citing concerns that the bills have moved forward too fast and that their provisions are overly broad and heavy-handed, legislators in both houses and on both sides of the aisle are moving away from support of the controversial legislation. Some of those who have withdrawn support were originally co-sponsors of the measures. Wikipedia and other websites went dark on Wednesday, January 18 in protest of the bills.
-http://www.scmagazine.com/senators-change-sides-on-sopapipa-issue/article/223719/

-http://arstechnica.com/tech-policy/news/2012/01/pipa-support-collapses-with-13-new-opponents-in-senate.ars

[Editor's Note (Murray): Well, it sounded better than it reads. Evening news last night suggested that many legislators were blaming staff for the mess they find themselves in. I am afraid that new Congressional opponents of this obnoxious proposal do not understand it any better now than they did when they supported it. The opposition is populist. The support is from a kitty of tens of millions of dollars. Jingoistic ads supporting the proposal were all over TV today. The race is not always to the swift or the legislation to the MPAA, RIAA, and K Street but that is how the smart money bets.]


************************** SPONSORED LINKS ***************************
1) Take the SANS 8th Annual Log and Event Management Survey and be entered to win a $250 American Express gift card. Follow this link to the survey: http://www.sans.org/info/96596

2) Take the SANS First Annual Mobility Survey and be entered to win a $250 American Express gift card. Follow this link to the survey: http://www.sans.org/info/96601
************************************************************************

THE REST OF THE WEEK'S NEWS

McAfee to Patch Spamming Vulnerability in SaaS Total Protection Service (January 18 & 19, 2012)

McAfee plans to patch a flaw in its SaaS Total Protection Service that puts users at risk of having their servers hijacked by spammers. The issue gained publicity when a couple who own a business discovered that their server was sending out spam. The flaw lies in McAfee's RumorServer relay service. The patch is due out by the end of the day on Thursday, January 19.
-http://www.bbc.co.uk/news/technology-16627713
-http://news.cnet.com/8301-1009_3-57361542-83/mcafee-to-plug-spammer-hole-this-week/

Russian Man Extradited from Switzerland to US to Face Charges in Fraud Case (January 18, 2012)

A Russian man has been extradited from Switzerland to the US to face charges of conspiracy, mail fraud, wire fraud, computer fraud, aggravated identity theft, and securities fraud. Vladimir Zdorovenin is the alleged mastermind of a credit card theft and stock manipulation scheme. His son, Kirill Zdorovenin, is believed to have been involved as well, but he remains at large. The Russian constitution does not allow for extradition of its citizens, which is why the elder Zdorovenin was apprehended while in Switzerland.
-http://www.theregister.co.uk/2012/01/18/russian_cybercrime_suspect_deported/
-http://www.fbi.gov/newyork/press-releases/2012/manhattan-u.s.-attorney-and-fbi-assistant-director-in-charge-announce-extradition-of-russian-citizen-to-face-charges-for-international-cyber-crimes

ACS:Law's Crossley Suspended for Two Years (January 18, 2012)

The UK Solicitors' Regulation Authority (SRA) has suspended Andrew Crossley for two years. Crossley, through his firm ACS:Law, engaged in speculative invoicing, sending out thousands of letters to people who had allegedly participated in illegal file sharing, seeking settlement payments in lieu of going to court. When a number of cases finally did go to court, the plan's flaws became evident. Crossley was also ordered to pay GBP 76,000 (US $118,000).
-http://www.bbc.co.uk/news/technology-16616803
-http://www.guardian.co.uk/technology/2012/jan/18/acslaw-solicitor-internet-piracy-suspended?newsfeed=true

US Supreme Court Declines to Consider Student Social Media Free Speech Cases (January 17, 2012)

The US Supreme Court has declined to review cases involving social media and free speech issues surrounding schools and punishment. In two of the cases, lower courts had ruled that students who had set up phony social media profiles for their principals could not be punished. In another, the lower court had allowed punishment of a student for making fun of a classmate online. Those bringing the cases before the court hoped that they would receive some guidance, because a 1969 ruling says that schools may not punish non-disruptive political speech and a 1986 ruling says that school administrators may punish students for lewd or vulgar speech.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2012/01/17/bloomberg_articlesLXY7590YHQ0X01-LXY75.DTL

-http://www.wired.com/threatlevel/2012/01/scotus-student-social-media/

[Editor's Note (Murray): Young people often interpret the idea of "free speech" to mean that no authority can censure or sanction them for what they say. However, while the First Amendment restricts what the state can do, they can still be punished by non-state actors such as parents, churches, and some schools. "Public" schools may be problematic when they attempt to implement government policy. ]

Man Arrested and Charged in Federal Reserve Bank of New York Source Code Theft (January 18 & 19, 2012)

A man who had worked as a contract programmer on proprietary source code for the Federal Reserve Bank of New York has been charged with stealing that code, which is valued at US $9.5 million. Bo Zhang has been arrested. He allegedly took the code last summer while working under contract at an access-controlled repository. Zhang allegedly copied the code onto an external hard drive. If he is convicted, he could face up to 10 years in prison. The software, the Government-wide Accounting and Reporting Program, or GWA, is used to track US government finances. He has stated that he used the code in a private business in which he trains people as programmers.
-http://www.theregister.co.uk/2012/01/19/feds_arrest_programmer_for_software_theft/

-http://news.cnet.com/8301-27080_3-57361559-245/man-charged-with-stealing-ny-fed-reserve-bank-source-code/

-http://www.msnbc.msn.com/id/46048400/ns/us_news/

Prison Time for Man Who Stole Patient Database From Former Employer (January 17, 2012)

An Atlanta, Georgia, man has been sentenced to 13 months in prison for breaking into a former employer's patient database and stealing the information. Eric McNeal is an information technology specialist who had worked for the APA medical practice in Atlanta. When he left in November 2009 to work for a similar practice in the same building, he broke into APA's computer system from his home, downloaded the patient database and deleted all the information from APA's system. McNeal then began recruiting the patients by mail to move to the new practice where he was employed.
-http://www.informationweek.com/news/healthcare/security-privacy/232400459

Israeli-Arab Hacking Continues (January 19, 2012)

The Central Bank of the United Arab Emirates was targeted in a cyber attack late this week, an apparent retaliatory action conducted by Israeli hackers. The back-and-forth cyber attacks have been going on for more than a week. A group calling itself the IDF Team knocked the UAE bank offline. In a separate attack, details of 4,800 credit card accounts belonging to account holders in Saudi Arabia were posted to the Internet. The Saudi Stock Exchange and Abu Dhabi Securities Exchange were also hit by cyber attacks. Earlier this week, hackers took down the websites of Israeli airline El Al and the Tel Aviv Stock Exchange.
-http://www.tgdaily.com/security-features/60896-hackers-hit-uae-central-bank-website

-http://www.thenational.ae/news/world/middle-east/israeli-hackers-release-arab-credit-card-details-in-cyber-attacks

Oracle Criticized for Dragging its Feet on Database Flaw Fixes (January 19, 2012)

Oracle is drawing criticism for its apparent lack of attention to fixing database vulnerabilities. The company's most recent Critical Patch Update, released on Tuesday, January 17, included 78 fixes, but, excluding fixes for MySQL, just two of the fixes were for database issues. This is despite a backlog of reported and unaddressed flaws that dates back to 2009, some of which are privilege elevation vulnerabilities. The slowness could possibly be attributed to the lack of haste with which administrators apply database patches; Oracle may feel no hurry because the fixes are not immediately applied.
-http://www.darkreading.com/database-security/167901020/security/news/232500045/oracle-cpu-contains-lowest-number-of-database-fixes-ever.html?itc=edit_stub

Carberp Trojan Variant Hits Up Facebook Users for 20 euro (US $26) (January 18 & 19, 2012)

A new variant of the Carberp Trojan horse program is targeting Facebook users. Once a machine is infected, users who try to go to any Facebook page are instead redirected to a page telling them that their Facebook account is "temporarily locked." They are asked for personal information, including email addresses and passwords, and also for an e-cash voucher in the amount of 20 euro (US $26), which supposedly will confirm their identity and allow them to access the account. The users are told that the e-cash voucher amount will be added to their Facebook account balance, but of course, it is not.
-http://www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook/
-http://www.h-online.com/security/news/item/Bot-blackmails-Facebook-users-1417073.html

-http://www.v3.co.uk/v3-uk/news/2139895/carberp-malware-targets-facebook-users
-http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/232500102/new-version-of-carberp-trojan-targets-facebook-users.html?itc=edit_stub

Virginia Middle School Students Wreaked Havoc on Blackboard Application (January 13, 2012)

Authorities in Virginia say that two Fairfax County middle school students managed to get their hands on passwords that allowed them access to an application used throughout the county school district. The two boys allegedly erased content from Blackboard, which teachers use to post assignments, hold discussions, and communicate with parents. It also appears that the students used Blackboard to send offensive messages to students; the messages were spoofed so that they appeared to come from teachers. Blackboard has been the site of trouble in the district before. In 2010, a nine-year-old student erased content and changed administrators' passwords.
-http://www.washingtonpost.com/local/education/fairfax-officials-2-lake-braddock-students-stole-passwords-erased-school-data/2012/01/13/gIQArRuExP_story.html?tid=pm_local_pop

[Editor's Note (Pescatore): Google has taken some small steps in encouraging Google apps users to use "two step verification" as a fairly painless way of moving away from reusable passwords as the sole means of authentication. Any software sold into schools, power plants, fast food retail, etc. ought to be offering the same capabilities - ideally as the default, with admin explicit action required to drop back to reusable passwords. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/