NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 17 : Both London Stock Exchange and Morgan Stanley victimized by cyber attacks; Collegiate Cyber Quest competition opens today

  • From: The SANS Institute
  • Date: Wed Mar 02 10:13:28 2011


College students with cyber skills - register today for the first
national Cyber Quest competition sponsored by the US Cyber Challenge.
This on-line competition features a target website with numerous
vulnerabilities where your job is to find the vulnerabilities and
application configuration and implementation flaws. Top scorers earn
cash prizes. There is no cost for this first round, and it will give you
practice for the all-important late-April Cyber Quest that qualifies you
for invitations to the national US Cyber Camps. Registration opened at
8 AM on Tuesday March 1. The competition runs March 16-23, but don't try
to register at the last moment. Register at

The Leading Edge: The NCIC (National Cybersecurity Innovation
Conference) in Washington features users who have found surprisingly
effective solutions to three of the most difficult current cybersecurity
challenges: (1) rapidly isolating advanced persistent threat infections
inside major networks, (2) securing private clouds, and (3) measuring
and reducing cyber risk with continuous monitoring.  Information at:


SANS NewsBites                March 1, 2011              Vol. 13, Num. 017
  Morgan Stanley Was Victim of Aurora Attacks
  Malware on London Stock Exchange Site
  Legislator Calls for Secure Default Web Pages
  HHS Stepping Up HIPAA Privacy Rules Enforcement
  Burglary at Vodafone Facility Caused Service Outage
  US Immigration Computer System Vulnerable to Insider Threats
  Google Investigating Problem That Reset 150,000 Gmail Accounts
  Erasing Data on SSDs Proves Difficult
  Modified Android App Sends Surreptitious Text Messages to Premium Numbers
  Irish Police Arrest Man in ATM Skimming Case
  Trojan Modified to Target Macs
  US House Committee Hears Testimony on Cyber Threat Faced by US
  SANS Technology Institute Paper of the Month: Assessing Privacy
    Risks from Flash Cookies

 -- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011
7 courses.  Bonus evening presentations and special events include
The Road to Sustainable Security
 -- SANS 2011, Orlando, FL, March 26-April 4, 2011
40 courses.  Bonus evening presentations and special events include
Hiding in Plain Sight: Forensic Techniques to Counter the Advanced
Persistent Threat; and Law and the Public's Perception of Data
 --  The National Cybersecurity Innovation Conference, April 18-19, 2011
User-to-user conference featuring outstanding examples of continuous
monitoring and security cloud.
 --  "Combating Malware in the Enterprise" course at SANS (SEC569).
How do you fight off malware when you have thousands of hosts?
Learn the answers in Orlando in March:
 -- 2011 Asia Pacific SCADA and Process Control Summit, Sydney,
Australia, March 31-April 7, 2011
 -- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses.  Bonus evening presentations include Cyberwar or Business
as Usual?  The State of US Federal CyberSecurity Efforts
 -- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses.  Bonus evening presentations include The Emerging Security
Threat Panel Discussion; and Emerging Trends in Data Law and
 -- Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Singapore, Wellington, Barcelona, Amsterdam and Brisbane all in
the next 90 days.
For a list of all upcoming events, on-line and live:

*********************  Sponsored by Clearwell Systems  *************************

REGISTER NOW for the upcoming March 2, 2011 Webcast: Internal
Investigation Best Practices: How Automated Analysis Streamlines Digital
FEATURING: Matthew Nelson, Esq. Senior E-Discovery Counsel, Clearwell Systems
Go to:
Start Time: 1:00 PM EST (1800 UTC/GMT)

 --Morgan Stanley Was Victim of Aurora Attacks
(February 28, 2011)
The same group of attackers that broke into Google's computer systems
also attacked systems at Morgan Stanley.  The Aurora attacks, as they
came to be known, started in June 2009, continued for about six
months and targeted more than 200 companies.  The attacks were conducted
through servers based in China.  Information about the attack was
discovered in email messages stolen from HBGary and leaked to the
Internet.  Morgan Stanley had hired HBGary to help with suspected cyber
security breaches that aimed to steal sensitive internal information.
While looking into those attacks, HBGary discovered that Morgan Stanley
had been the victim of the Aurora attacks as well.

 --Malware on London Stock Exchange Site
(February 28, 2011)
The website of the London Stock Exchange (LSE) was infected with malware
that appears to have come from third-party advertisements.  The malware
urged site visitors to download useless security software products and
in some cases, merely visiting the site was enough to compromise
people's computers.  More than 360 pages on the site have reportedly
hosted malware over the last three months. LSE has disabled the
advertisements responsible for the malware.

 --Legislator Calls for Secure Default Web Pages
(February 28, 2011)
Senator Charles Schumer (D-NY) is calling on online companies to switch
their default pages from HTTP to HTTPS to help protect users who connect
to the Internet through public Wi-Fi hot spots.  The advent of programs
like Firesheep makes it easy for people with little or no technical
skill to steal sensitive information, including login credentials and
financial account information. 
[Editor's Note (Pescatore): This is why good politicians don't make good
security system engineers. Not that SSL as the default is necessarily a
bad thing, but the very first dollar of web security improvement funds
should go to all those online companies vastly improving the security
of their web sites. WiFi snooping requires physical proximity; hacking
into web sites for direct attacks or establishing botnet infector sites
is a much, much higher risk.]

 --HHS Stepping Up HIPAA Privacy Rules Enforcement
(February 23 & 25, 2011)
The US Department of Health and Human Services (HHS) appears to be
getting serious about enforcing Health Insurance Portability and
Accountability Act (HIPAA) privacy rules.  HHS has imposed enforcement
actions against two organizations for HIPAA privacy violations.  Cignet
Health was charged a civil monetary penalty of US $4.3 million for
failing to provide patients access to their own medical records and
failing to cooperate with an HHS investigation into the matter.  When
Cignet finally sent boxes of records to the US Justice Department, they
included records for the 41 individuals who had requested their records
as well as records of 4,500 other people.  Massachusetts General
Hospital will pay HHS US $1 million for the exposure of personal
information of 192 patients when documents were left on a subway in
March 2009.  Both incidents are the result of business process
failures rather than technology failures.
[Editor's Comment (Pescatore): August 2011 will be HIPAA's 15th
birthday, or 105th in Internet years. I'd like to believe HHS is finally
getting serious about enforcement but there has actually seemed to be
equal, if not greater, evidence of movement in the opposite direction
in order to reduce security to ease the path to electronic health
records. Interesting that the biggest fine here is because Cignet
*withheld* access to health records!
(Northcutt): Is it April 1? OK, I need help from an expert, my tally is
this would be the 4th and 5th HIPAA organizational enforcements since
1996. Who knows? If you can provide authoritative information please
drop a note to stephen@xxxxxxxx.]

***************************  Sponsored Links:  *****************************
1) Sponsored by SANS Technology Institute Courses at SANS Northern Virginia
The SANS promise is that on your first day back at work after a SANS
training, you'll be able to put into practice the skills you learned.
At SANS Northern Virginia 2011 select from among our hands-on courses
with confidence, knowing you'll gain skills and learn tips and tricks
for use in the workplace!

2) Advance planning is the key to success. Add SANS Ottawa 2011 to your
calendar now!

3) This is your last chance to take the SANS Log Management Survey and
be entered to Win a $250 American Express Gift Card. Go here to take the


 --Burglary at Vodafone Facility Caused Service Outage
(February 28, 2011)
A physical break-in at a Vodafone technical facility in Basingstoke, UK,
caused thousands of customers to temporarily lose service.  The thieves
stole computer equipment and network hardware.  Vodafone says that the
security of customers' personal information was not affected by the
theft.  Vodafone is working to restore service to those affected by the
outage.  Several hundred thousand customers are believed to have been

 --US Immigration Computer System Vulnerable to Insider Threats
(February 28, 2011)
According to a report from the Department of Homeland Security (DHS)
Office of the Inspector General (OIG), the US Citizenship and
Immigration Services' (USCIS) processing system is vulnerable to insider
threats.  The OIG brought in a third-party group from Carnegie Mellon
University's Software Engineering Institute to evaluate insider threats
on systems at USCIS.
[Editor's Note (Pescatore): As long as casinos and gambling continue to
be a huge industry, you can be sure that social engineering attacks will
always succeed - people will be people. As long as people act like
people and have to collaborate with other people to get the job done,
there will be vulnerability to insider threats. The report seems to
over-rely on awareness and education but does have good recommendations
on employee screening and database activity monitoring.
(Schultz): Sorry, but it should come as no surprise that anyone or
anything anywhere is subject to insider threats. I just hope that the
DHS's OIG didn't have to spend too much money to reconfirm that this
universally known threat exists.
(Honan): In reality every computer system is vulnerable to insider
threats and not just those of the US Citizen and Immigration Service.
CERT/CC has made some interesting material on countering the insider
threat available at
(Ranum): Does anyone here know of ANY computer system that is not
vulnerable to insider threats? This is absurd.
(Northcutt): Recommendation 8: Consistently enforce exit procedures and
Recommendation 11: enforce a requirement for individual accounts on
critical systems were the ones that raised my blood pressure.]

 --Google Investigating Problem That Reset 150,000 Gmail accounts
(February 28, 2011)
Google is looking into a problem with Gmail that emptied the inboxes of
a small percentage of users over the weekend.  Some users have had their
information restored; Google engineers are working on the problem.
About 150,000 accounts appear to have been reset, meaning that users
cannot access their stored emails, attachments and chat logs.

 --Erasing Data on SSDs Proves Difficult
(February 28, 2011)
A study published by researchers at the University of California at San
Diego says that it is more difficult to erase data from solid state
drives (SSDs) than from hard disk drives (HDDs).  On some SSDs,
overwriting the data several times can make it inaccessible, but some
techniques proved more successful than others.  Techniques for
sanitizing hard drives may not work well on SSDs because their internal
architecture is so different.  Cryptographic erasure, in which the
drive's contents are encrypted so that users must provide a password to
use it, and the cryptographic keys on the SSD are deleted when the
device is ready to be retired, appears to be quite effective.
[Editor's Note (Honan): It should be noted that the report highlights
the same issue with sanitizing data on USB keys.  Yet another reason to
ensure that any data copied onto USB devices are properly encrypted.]
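The contrast the item above draws, as an added illustration that is not part of the newsletter or of the UCSD study: a toy flash translation layer (FTL) that writes every update to a fresh physical page, so a multi-pass overwrite of a logical block leaves the original plaintext in a stale page, whereas encrypting at write time and destroying the key leaves only ciphertext on the chips. The SimSSD model, the HMAC-based keystream standing in for a real drive cipher, and the sample record and key are all constructed for this example.

```python
import hashlib
import hmac
PAGE = 16  # bytes per simulated flash page

def keystream(key: bytes, lpn: int, length: int) -> bytes:
    # Per-page keystream from HMAC-SHA256(key, page number): a stdlib stand-in
    # for the drive's real cipher (e.g. AES-XTS), adequate for this model.
    return hmac.new(key, lpn.to_bytes(8, "big"), hashlib.sha256).digest()[:length]

class SimSSD:
    """Toy SSD: a log-structured FTL writes every update to a fresh physical
    page, so superseded copies linger as stale pages until garbage collection."""
    def __init__(self, physical_pages: int = 64, key=None):
        self.flash = [b"\x00" * PAGE] * physical_pages  # raw NAND contents
        self.l2p = {}           # logical page number -> physical page number
        self.next_free = 0
        self.key = key          # None: drive does not encrypt at rest

    def _xform(self, lpn: int, data: bytes) -> bytes:
        if self.key is None:
            return data
        return bytes(a ^ b for a, b in zip(data, keystream(self.key, lpn, PAGE)))

    def write(self, lpn: int, data: bytes) -> None:
        assert len(data) == PAGE
        self.flash[self.next_free] = self._xform(lpn, data)  # never in place
        self.l2p[lpn] = self.next_free
        self.next_free += 1

    def read(self, lpn: int) -> bytes:
        return self._xform(lpn, self.flash[self.l2p[lpn]])

    def raw_dump(self) -> bytes:  # what a reader of the bare NAND chips sees
        return b"".join(self.flash)

    def crypto_erase(self) -> None:  # destroy the key; ciphertext stays on chip
        self.key = None

SECRET = b"PATIENT:JOHN DOE"   # constructed sample record, exactly one page
KEY = bytes(range(32))         # constructed demo key; a real drive uses a random one

def overwrite_leaves_remnants() -> bool:
    ssd = SimSSD()
    ssd.write(0, SECRET)
    for _ in range(3):                  # HDD-style multi-pass overwrite
        ssd.write(0, b"\x00" * PAGE)
    # Host reads zeros, yet the plaintext still sits in a stale physical page.
    return ssd.read(0) == b"\x00" * PAGE and SECRET in ssd.raw_dump()

def crypto_erase_removes_plaintext() -> bool:
    ssd = SimSSD(key=KEY)
    ssd.write(0, SECRET)
    at_rest_encrypted = SECRET not in ssd.raw_dump()
    ssd.crypto_erase()
    return at_rest_encrypted and SECRET not in ssd.raw_dump() and ssd.read(0) != SECRET
```

The same stale-page behaviour is why the editor's note about USB flash keys holds: any device with an FTL in front of the NAND can retain copies the host can no longer address.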

 --Modified Android App Sends Surreptitious Text Messages to Premium Numbers
(February 28, 2011)
Hackers have modified an app for the Android phone operating system to
include a Trojan horse backdoor function.  The tweaked app, called
Steamy Window, has been made available through third-party app stores.
It has the capability to install other applications, tinker with the
device browser's bookmarks, surf to websites and send text messages
without user interaction.  The text messages are sent to premium rate
numbers, for which those behind the malware receive commissions.  The
modified app also blocks alerts telling phone users that they've
exceeded their quota of texts.

 --Irish Police Arrest Man in ATM Skimming Case
(February 28, 2011)
A Moldovan man was arrested in Limerick, Ireland for his alleged role
in a scheme that stole money from private and business bank accounts.
During a raid at the suspect's home, law enforcement officials
discovered ATM skimming devices and equipment used to manufacture cloned
payment cards.  The raid and arrest follow a two-year investigation.

 --Trojan Modified to Target Macs
(February 25 & 28, 2011)
A Trojan horse program that targets Windows machines has been modified
to infect Macs.  The malware can force a shutdown of infected computers,
run arbitrary shell commands and add text to desktops.  It can also
generate pop-up dialog boxes that request the computer's Administrator
Password.  The malware, known as BlackHole RAT, generates a message upon
reboot that informs the user that the machine is infected, and notes
that while it is currently under development, there will be additional
features in the future.  It is based on the darkComet Trojan for

 --US House Committee Hears Testimony on Cyber Threat Faced by US
(February 11, 2011)
In testimony before the US House Permanent Select Committee on
Intelligence, CIA Director Leon Panetta and Director of National
Intelligence James Clapper spoke of the increased threats the US faces
from cyber attacks.  Clapper said the "threat is increasing in scope and
scale."  Among the threats faced recently are attempted intrusions
against Defense Department computers, attacks against systems of high
profile companies, and the exposure of sensitive information through
WikiLeaks.  Panetta said that other countries are developing the
capacity to bring down multiple elements of US critical infrastructure,
which "could paralyze this country."  He spoke of the need to develop
not only defense against such attacks, but a system that would warn that
such attacks were imminent.

 --SANS Technology Institute Paper of the Month: Assessing Privacy Risks
    from Flash Cookies
(February 21, 2011)
This paper was developed by students Stacy Jordan and Kevin Fuller as
part of the SANS Technology Institute Masters Program.  It includes an
analysis of flash cookies; a description of the risks of using flash
cookies; and technical approaches for detecting, removing, managing and
analyzing flash cookies.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and
the author/co-author of books on Unix security, Internet security,
Windows NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses and a Director at the incident response
company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Mark Weatherford, Chief Security Officer, North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit


