Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

NETSEC Archives

Date Prev | Date Next | Date Index | Author Index | Historical [Netsec] SANS NewsBites Vol. 14 Num. 006 : Dept. of Justice and other Government and Recording Industry Websites Attacked; Koobface Masterminds Named; Botnet Goes Silent; Legislators Dropping Support for PIPA and SOPA

  • From: The SANS Institute
  • Date: Fri Jan 20 15:03:57 2012

Hash: SHA1

SANS NewsBites               January 20, 2012            Vol. 14, Num. 006
  Anonymous Says it Has Taken Down Government and Recording Industry Websites
  Koobface Masterminds Named; Botnet Goes Silent
  Legislators Dropping Support for PIPA and SOPA
    McAfee to Patch Spamming Vulnerability in SaaS Total Protection Service
    Russian Man Extradited from Switzerland to US to Face Charges in Fraud Case
    ACS:Law's Crossley Suspended for Two Years
    US Supreme Court Declines to Consider Student Social Media Free Speech Cases
    Man Arrested and Charged in Federal Reserve Bank of New York Source Code Theft
    Prison Time for Man Who Stole Patient Database From Former Employer
    Israeli-Arab Hacking Continues
    Oracle Criticized for Dragging its Feet on Database Flaw Fixes
    Carberp Trojan Variant Hits Up Facebook Users for 20 euro (US $26)
    Virginia Middle School Students Wreaked Havoc on Blackboard Application

**************************  SPONSORED BY SANS **********************

Needle in a Haystack? Getting to Attribution in Control Systems,
featuring SANS instructor and infrastructure security expert, Matt Luallen
Wednesday, February 22, 2012 at 1:00 PM EDT

 --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them. Hear
what works and what doesn't from peer organizations. Network with top
individuals in the field of SCADA security. Return from the summit
with solutions that you can immediately put to use in your
Pre-Summit courses: January 21-25, 2012
Summit: January 26-27, 2012
Post-Summit Courses: January 28-29, 2012
 --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses.  Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
 --SANS Phoenix 2012, Phoenix, AZ  February 13-18, 2012
7 courses.  Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
 --SANS Secure Singapore 2012, Singapore, Singapore  March 5-17, 2012
5 courses. Bonus evening presentations include Introduction to Windows
Memory Analysis; and Why Our Defenses are Failing Us: One Click is All
It Takes ...
SANS Mobile Device Security Summit: The Growing and Constantly
Changing Challenge,
Nashville, TN March 12-15, 2012
Summit: March 12-13, 2012
Post-Summit Courses: March 14-15, 2012
Mobile device security experts and practitioners will discuss the best
approaches to this new and evolving challenge. Organizations who have
developed successful mobile device security programs will share how
they developed and gained management support for their plans.
 --SANS 2012, Orlando, FL  March 23-29, 2012
42 courses.  Bonus evening presentations include Exploiting
Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving
Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
 --SANS Northern Virginia 2012, Reston, VA  April  15-20, 2012
7 courses.  Bonus evening presentations include Linux Forensics for
Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
 --SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
11 courses.  Bonus evening presentations include Ninja Assessments:
Stealth Security testing for Organizations; and Adjusting Our Defenses
for 2012.
 --Looking for training in your own community?
http: Save on On-Demand training (30 full
courses) - See samples at
Plus Bangalore, San Francisco, Stuttgart, Nashville, and Abu Dhabi all
in the next 90 days.
For a list of all upcoming events, on-line and live:

 --Anonymous Says it Has Taken Down Government and Recording Industry Websites
(January 19, 2012)
The loosely organized hacker collective known as Anonymous claims to
have taken down the websites of the US Department of Justice, the FBI,
the Motion Picture Association of America (MPAA), the Recording Industry
Association of America (RIAA) and several other sites in apparent
retaliation of the government's shutdown of On Thursday,
US federal authorities indicted two companies and shut down
[Editor's Note (Pescatore): What most of these successful attacks are
pointing out is a lack of due diligence level of security on the
websites that were impacted. Any website that is of any value to the
business probably has a significant investment in backup servers,
uninterruptible power, etc - but many *don't* have denial of service
protection or secure code development or web application firewalls in
place. Yet, these days web attacks are more likely than environmental
outages for most web servers.]

 --Koobface Masterminds Named; Botnet Goes Silent
(January 17, 18, & 19, 2012)
Five people have been named as the masterminds behind the Koobface
botnet. All five people are Russians.  Shortly after the suspects were
named, the Koobface network went silent.  The suspects have been
identified as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach,
Syvatoslav Polinchuk, and Stanislav Avdeiko.
[Editor's Comment (Northcutt): An interesting story. A couple of days
ago, the Facebook security team said they would release the identities
of the Koobface (anagram for Facebook) gang and now they have clearly
done it: ]

 --Legislators Dropping Support for PIPA and SOPA
(January 18, 2012)
More US legislators have announced that they are withdrawing their
support for the house's Stop Online Piracy Act (SOPA) and the Senate's
Protect IP Act (PIPA). Citing concerns that the bills have moved forward
too fast and that their provisions were overly-broad and heavy handed,
legislators in both houses and on both sides of the aisle are moving
away from support of the controversial legislation. Some on those who
have withdrawn support were originally co-sponsors of the measures.
Wikipedia and other websites went dark on Wednesday, January 18 in
protest of the bills.
[Editor's Note (Murray): Well, it sounded better than it reads.  Evening
news last night suggested that many legislators were blaming staff for
the mess they find themselves in.  I am afraid that new Congressional
opponents of this obnoxious proposal do not understand it any better now
than they did when they supported it.  The opposition is populist.  The
support is from a kitty of tens of millions of dollars.  Jingoistic ads
supporting the proposal were all over TV today.  The race is not always
to the swift or the legislation to the MPAA, RIAA, and K Street but that
is how the smart money bets. ]

**************************  SPONSORED LINKS  ***************************
1) Take the SANS 8th Annual Log and Event Management Survey and be
entered to win a $250 American Express gift card. Follow this link to
the survey:

2) Take the SANS First Annual Mobility Survey and be entered to win a
$250 American Express gift card.  Follow this link to the survey:

 --McAfee to Patch Spamming Vulnerability in SaaS Total Protection Service
(January 18 & 19, 2012)
McAfee plans to patch a flaw in its SaaS Total Protection Service that
puts users at risk of being hijacked by spammers. The issue gained
publicity when a couple who own a business discovered that their server
was sending out spam. The flaw lies in McAfee's RumorServer relay
service. The patch is due out by the end of the day on Thursday, January 19.

 --Russian Man Extradited from Switzerland to US to Face Charges in Fraud Case
(January 18, 2012)
A Russian man has been extradited from Switzerland to the US to face
charges of conspiracy, mail fraud, wire fraud, computer fraud,
aggravated identity theft, and securities fraud. Vladimir Zdorovenin is
the alleged mastermind of a credit card theft and stock manipulation
scheme. His son, Kirill Zdorovenin, is believed to have been involved
as well, but he remains at large. The Russian constitution does not
allow for extradition of its citizens, which is why the elder Zdorovenin
was apprehended while in Switzerland.

 --ACS:Law's Crossley Suspended for Two Years
(January 18, 2012)
The UK Solicitors' Regulation Authority (SRA) has suspended Andrew
Crossley for two years. Crossley, through his firm ACS:Law, engaged in
speculative invoicing, sending out thousands of letters to people who
had allegedly participated in illegal filesharing, seeking settlement
payments in lieu of going to court. When a number of cases finally did
go to court, the plan's flaws became evident. Crossley was also ordered
to pay GBP 76,000 (US $118,000).

 --US Supreme Court Declines to Consider Student Social Media Free Speech Cases
(January 17, 2012)
The US Supreme Court has declined to review cases involving social media
and free speech issues surrounding schools and punishment. In two of the
cases, lower courts had ruled that students who had set up phony social
media profiles for their principals could not be punished. In another,
the lower court had allowed punishment of a student for making fun of a
classmate online. Those bringing the cases before the court hoped that
they would receive some guidance, because a 1969 ruling says that
schools may not punish non-disruptive political speech and a 1986 ruling
says that school administrators may punish students for lewd or vulgar
[Editor's Note (Murray): Young people often interpret the idea of "free
speech" to mean that no authority can censure of sanction them for what
they say.  However, while the First Amendment restricts what the state
can do, they can still be punished by non-state actors such as parents,
churches, and some schools.  "Public" schools may be problematic when
they attempt to implement government policy.]

 --Man Arrested and Charged in Federal Reserve Bank of New York Source Code Theft
(January 18 & 19, 2012)
A man who had worked as a contract programmer on proprietary source code
for the Federal Reserve Bank of New York has been charged with stealing
that code, which is valued at US $9.5 million. Bo Zhang has been
arrested. He allegedly took the code last summer while working under
contract at an access controlled repository. Zhang allegedly copied the
code onto an external hard drive. If he is convicted, he could face up
to 10 years in prison. The software, Government-wide accounting and
Reporting Program, or GWA, is used to track US government finances. He
has stated that he used the code in a private business in which he
trains people as programmers.

 --Prison Time for Man Who Stole Patient Database From Former Employer
(January 17, 2012)
An Atlanta, Georgia, man has been sentenced to 13 months in prison for
breaking into a former employer's patient database and stealing the
information. Eric McNeal is an information technology specialist who had
worked for the APA medical practice in Atlanta. When he left in November
2009 to work for a similar practice in the same building, he broke into
APA's computer system from his home, downloaded the patient database and
deleted all the information from APA's system. McNeal began recruiting
the patients, by mail, to move to the new practice where he was

 --Israeli-Arab Hacking Continues
(January 19, 2012)
The Central Bank of the United Arab Emirates was targeted in a cyber
attack late this week, an apparent retaliatory action conducted by
Israeli hackers. The back-and-forth cyber attacks have been going on for
more than a week. A group calling itself the IDF Team knocked the UAE
bank offline. In a separate attack, details of 4,800 credit card
accounts belonging to account holders in Saudi Arabia were posted to the
Internet. The Saudi Stock Exchange and Abu Dhabi Securities Exchange
were also hit by cyber attacks. Earlier this week, hackers took down the
websites of Israeli airline El Al and the Tel Aviv Stock Exchange.

 --Oracle Criticized for Dragging its Feet on Database Flaw Fixes
(January 19, 2012)
Oracle is drawing criticism for its apparent lack of attention to fixing
database vulnerabilities. The company's most recent Critical Patch
Update, released on Tuesday, January 17, included 78 fixes, but,
excluding fixes for MySQL, just two of the fixes were for database
issues. This is despite a backlog of reported and unaddressed flaws that
dates back to 2009, some of which are privilege elevation
vulnerabilities. The slowness could possibly be attributed the lack of
haste with which administrators apply database patches; Oracle may feel
no hurry because the fixes are not immediately applied.

 --Carberp Trojan Variant Hits Up Facebook Users for 20 euro (US $26)
(January 18 & 19, 2012)
A new variant of the Carberp Trojan horse program is targeting Facebook
users. Once a machine is infected, users who try to go to any Facebook
page are instead redirected to a page telling them that their Facebook
account is "temporarily locked." They are asked for personal
information, including email and passwords, and also for an e-cash
voucher in the amount of 20 euro (US $26), which will allow confirmation
of their identity and allow them to access the account. The users are
told that the e-cash voucher amount will be added to their Facebook
account balance, but of course, it is not.

 --Virginia Middle School Students Wreaked Havoc on Blackboard Application
(January 13, 2012)
Authorities in Virginia say that two Fairfax county middle school
students managed to get their hands on passwords that allowed them
access to an application used throughout the county school district. The
two boys allegedly erased content from Blackboard, which teachers use
to post assignments, have discussions, and communicate with parents. It
also appears that the students used Blackboard to send offensive
messages to students; the messages were spoofed so that they appeared
to come from teachers. Blackboard has been the site of trouble in the
district before. In 2010, a nine-year-old student erased content and
changed administrators' passwords.
[Editor's Note (Pescatore): Google has taken some small steps in
encouraging Google apps users to use "two step verification" as a fairly
painless way of moving away from reusable passwords as the sole means
of authentication. Any software sold into schools, power plants, fast
food retail, etc. ought to be offering the same capabilities - ideally
as the default, with admin explicit action required to drop back to
reusable passwords.]

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses ( and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit

Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools -


Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.