SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #101

December 23, 2011

TOP OF THE NEWS

Hackers Stole eMail From US Chamber of Commerce
Software Flaw Partially to Blame for 2008 Qantas Emergency

THE REST OF THE WEEK'S NEWS

LAPD Will Not Move to Google Cloud
DARPA Project Will Monitor Troops' eMail to Detect Insider Threats
Podcast: Carrier IQ is Not a Keylogger
EPIC Seeks Information About DHS Social Media Monitoring Program Under FOIA
Mozilla Releases (and Re-Releases) Firefox 9
Sykipot Variant Was Used in Attempt to Steal Drone Information
Microsoft Investigating Report of 64-bit Windows 7 Memory Corruption Flaw
Iran's Claim of GPS Hack on Drone Called Into Doubt
Legal Experts Add Their Voices to Arguments Against SOPA
Firefox Extension Evades Proposed SOPA Blocking Technique
Moxie Marlinspike Answers Readers' Questions

---

********************* Sponsored BY Silicium Security *******************

Worried about targeted attacks and APT? Find what AV misses with Silicium's ECAT Enterprise Compromise and Assessment Tool - signature-less malware detection. See ECAT in action, then download our whitepaper, APT in the Enterprise: http://www.sans.org/info/94924

**************************************************************************

TRAINING UPDATE

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

- --SANS Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/

- --SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Why Our Defenses Are failing Us: One Click is all It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/sans-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php **************************************************************************

---

TOP OF THE NEWS

Hackers Stole eMail From US Chamber of Commerce (December 21, 2011)

According to a report in The Wall Street Journal, unidentified sources say that hackers who are in some way connected with the Chinese government have stolen email from four employees at the UIS Chamber of Commerce. All four targeted employees work on Asian policy. The attackers had access to the network for more than a year when their presence was detected and blocked in May 2010. More than 300 email addresses were affected. Six weeks' worth of email messages were stolen, including trade policy documents and trip schedules. The breach was detected by the FBI, which noticed data flowing from their network to Chinese servers. The Chamber of Commerce reported it disconnected affected computers and destroyed some of them, then deployed technology aimed at quickly detecting and deterring future attacks.
-http://www.eweek.com/c/a/Security/Hackers-Stole-Emails-From-Employees-in-Chamber
-of-Commerce-Breach-744336/
-http://www.computerworld.com/s/article/9222924/Update_Chinese_hackers_breached_U
.S._Chamber_of_Commerce?taxonomyId=17
-http://www.h-online.com/security/news/item/Massive-hacker-attack-on-US-Chamber-o
f-Commerce-1399847.html
-http://www.scmagazineus.com/us-chamber-of-commerce-targeted-in-data-heist/articl
e/220439/
-http://news.cnet.com/8301-1009_3-57346035-83/chinese-hackers-target-u.s-chamber-
of-commerce-report-says/
[Editor's Note (Murray): I have about had it with "unidentified sources" talking about "hackers who are in some way connected with the Chinese government." This kind of fear mongering is not helpful.
(Paller): Bill Murray's concern, echoed often by Marcus Ranum, is valid, in general. But in this case, there is a joint U.S. law-enforcement/military center that has very, very good signatures for these attacks. The signatures are directly traceable all the way back to the servers in Guong Dong province in China where the first Titan Rain attacks were launched. Those Chinese servers (operated by military staff or equally disciplined personnel) were infiltrated and when they were receiving stolen data from sensitive US sites, they alerted personnel here who captured the stolen information. To me, however, the scandal in the Chamber of Commerce hack is that an organization that purports to represent the interests of American industry failed to make the attack public for more than a year. Hiding these attacks gives other executives a false sense of security and leads to long delays in doing what is needed to stop them. And we do know how to stop the vast majority of them. ]

Software Flaw Partially to Blame for 2008 Qantas Emergency (December 21, 2011)

More than 100 people were injured on a Qantas flight in October 2008 when the plane took two deep dives following the failure of an on-board flight monitoring computer component. The failure caused the autopilot to disconnect. The incident was attributed to the failure of a particular monitoring device that keeps track of the craft's position, altitude, and angle of attack. However, the final report on the incident indicates that it was aggravated by a programming error in the flight computers, which did not compensate for the failing module's bad data output. The flight computers were attempting to correct the plane's angle of attack when they initiated the dives. The pilots switched to manual controls and made an emergency landing at a nearby Air Force base. The plane's manufacturer has revised the angle of attack algorithm to compensate for similar failures.
-http://www.informationweek.com/news/security/app-security/232300919
[Editor's Note (Murray): We need to do a better job of teaching engineering to software developers. They clearly need to learn to specify impermissible failure modes and there alternatives (e.g., halt before leaking, disengage before pushing the flight envelope.)
(Paller): Sadly, the National Science Foundation, CISE division, that funds more than 80% of all computer science research does not agree that software developers have to learn security engineering. The CISE leaders have consistently ignored and deflected requests from Congressional staffers and military organizations to ensure those who graduate from NSF-supported programs, with software focus, know how to write safe code and design defensible systems. The NSF managers seem to be excited only about funding research that leads to publishing arcane papers that grant their cronies back at their universities tenure or supply ultra-low-paid graduate student labor. ]

---

************************ SPONSORED LINK **********************************

1) Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/94929

2) Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012! Follow this link to the survey: http://www.sans.org/info/94934

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

LAPD Will Not Move to Google Cloud (December 22, 2011)

The city of Los Angeles has called off plans to migrate its police department (LAPD) to Google cloud services. The applications do not offer the level of security the FBI requires to protect the law enforcement data. The rest of the city will migrate to the Google Apps for Government platform.
-http://www.computerworld.com/s/article/9222932/Plans_to_migrate_LAPD_to_Google_s
_cloud_apps_dropped?taxonomyId=17
[Editor's Note (Pescatore): There is a lot of fingerpointing going on here, but since the issues around needing to separate law enforcement systems/data from public systems/data have been well understood for a long, long time, it is hard to see how there could have been any realistic expectation that the same email system (at the same price) would have worked for both. One size doesn't fit all - police cars tend to have different requirements than the cars driven by local government restaurant inspectors, too... ]

DARPA Project Will Monitor Troops' eMail to Detect Insider Threats (December 21, 2011)

The US Defense Department (DoD) plans to start monitoring troops' email messages to help detect potential insider threats. A Defense Advanced Research Projects Agency (DARPA) project will develop "a suite of algorithms that can detect multiple types of insider threats by analyzing massive amounts of data." DoD is seeking to thwart incidents similar to the Bradley Manning document leak scandal and the November 2009 shooting at Fort Hood. The program is called Anomaly Detection at Multiple Scales.
-http://www.navytimes.com/news/2011/12/military-darpa-email-surveillance-122111w/

Podcast: Carrier IQ is Not a Keylogger (December 5 & 21, 2011)

Carrier IQ does not record all keystrokes, despite many media reports to the contrary. Researcher Dan Rosenberg conducted analysis of the software and found that it has no mechanism to record SMS messages, email, or web pages content.
-http://spectrum.ieee.org/podcast/telecom/security/carrier-iq-myth-versus-reality
-http://news.cnet.com/8301-31921_3-57336801-281/carrier-iq-analysis-finds-no-evid
ence-of-keylogger/

EPIC Seeks Information About DHS Social Media Monitoring Program Under FOIA (December 21, 2011)

The Electronic Privacy Information Center (EPIC) has filed a lawsuit seeking information about the Department of Homeland Security's (DHS) program to monitor social networking media. The lawsuit, filed under the Freedom of Information Act (FOIA), is specifically seeking details about DHS's "Publicly Available Social Media Monitoring and Situational Awareness Initiatives" and also about "contracts, proposals, and communications between the federal government and third parties" regarding the use of the data. EPIC made the initial FOIA request in April 2011, but did not receive any documents. The lawsuit alleges several violations of FOIA.
-http://www.nextgov.com/nextgov/ng_20111221_9225.php?oref=topnews
-http://epic.org/privacy/socialnet/EPIC-v-DHS-Soc-Media-Monitoring-Complaint-FINA
L.pdf

Mozilla Releases (and Re-Releases) Firefox 9 (December 21 & 22, 2011)

Mozilla issued Firefox 9.0.1 just one day after releasing Firefox 9. A bug in the first released version was reportedly causing crashes on some computers. The newest version of the browser is touted to process JavaScript as much as 36 percent faster than Firefox 8. Firefox 9 also comprises fixes for a half-dozen security issues, four of which were rated critical. At the same time, Mozilla released version 9.0 of its Thunderbird email and news client.
-http://www.computerworld.com/s/article/9222972/Mozilla_re_releases_Firefox_9_bac
ks_out_fix_causing_crashes?taxonomyId=17
-http://www.computerworld.com/s/article/9222925/Mozilla_launches_Firefox_9_speeds
_up_JavaScript?taxonomyId=17
-http://www.h-online.com/security/news/item/Mozilla-updates-Thunderbird-to-versio
n-9-0-1400073.html
-http://www.h-online.com/open/news/item/Firefox-9-improves-JavaScript-performance
-1398633.html
Thunderbird Release Notes:
-http://www.mozilla.org/en-US/thunderbird/9.0/releasenotes/
Firefox Release Notes
-https://www.mozilla.org/en-US/firefox/9.0/releasenotes/
[Editor's Note (Murray): Not to worry. I can get a free plug-in from NoScript to keep Firefox from processing JavaScript at all. ]

Sykipot Variant Was Used in Attempt to Steal Drone Information (December 21, 2011)

Analysis of the Sykipot variant that was used in recent spear phishing attacks against US military contractors indicates that it was designed to steal data pertaining to US military unmanned aircraft, among other things. The spear phishing messages contained malicious PDF files that took advantage of an unpatched vulnerability in Adobe Reader. Adobe has since released a fix for the flaw.
-http://www.informationweek.com/news/security/attacks/232300940

Microsoft Investigating Report of 64-bit Windows 7 Memory Corruption Flaw (December 20,21, & 22 2011)

A critical memory corruption flaw in 64-bit versions of Windows 7 could be exploited to crash systems. Proof-of-concept exploit code has been released; it entails opening a specially-crafted iFrame with an unusually large height value in Apple's Safari web browser. Attackers could also use the vulnerability to inject kernel-level code into computers. The flaw does not affect 32-bit versions of Windows 7. Microsoft is investigating the issue, which appears to lie in an error in the win32k.sys.
-http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabi
lities/232301014/possible-new-zero-day-windows-7-flaw-under-investigation.html
-http://www.theregister.co.uk/2011/12/21/win_7_bug_crash_risk/
-http://news.cnet.com/8301-1009_3-57345683-83/microsoft-reviewing-reported-window
s-7-safari-hole/
-http://www.scmagazineus.com/researcher-finds-microsoft-windows-7-security-bug/ar
ticle/220253/

Iran's Claim of GPS Hack on Drone Called Into Doubt (December 21, 2011)

Analysts say that an Iranian engineer's claims that the country's military captured a US drone aircraft by hacking its GPS are far-fetched. Initial reports claimed that the RQ-170 Sentinel had been shot down, but a recent report maintained that the drone had been tricked into landing in Iran through a spoofing attack on the aircraft's GPS receivers. The unnamed Iranian engineer said that the attack had been developed by reverse-engineering navigation systems on previously captured US drones. The analysts say that such an attack on the GPS navigation system would require precision targeting of the craft and an extraordinarily powerful GPS signal.
-http://www.theregister.co.uk/2011/12/21/spy_drone_hijack_gps_spoofing_implausibl
e/

Legal Experts Add Their Voices to Arguments Against SOPA (December 20, 2011)

Legal experts have joined those who are speaking out about the dangers of passing the US House's Stop Online Piracy Act (SOPA) and the Senate's Protect Intellectual Property Act (PIPA). An essay in the Stanford Law Review says that the legislation will harm the DNS system, thwart attempts at improving cyber security, and violate the constitutional right of free speech. Legislators are also starting to voice concerns about the lack of technical expertise offered about the bills and the speed with which they are being pushed through to votes.
-http://www.theregister.co.uk/2011/12/20/us_ip_fail_internet_constitution/
Stanford Law Review essay:
-http://www.stanfordlawreview.org/online/dont-break-internet

Firefox Extension Evades Proposed SOPA Blocking Technique (December 22, 2011)

There is now an extension for Firefox that circumvents the blocks that could be put in place by proposed anti-piracy legislation. The developer says that "this program is a proof of concept that SOPA will not help prevent piracy, ...
[because ]
if SOPA is implemented, thousands of similar and more innovative programs and services will sprout up to provide access to the websites."
-http://www.scmagazine.com.au/News/285176,firefox-add-on-circumvents-sopa-blockin
g.aspx

Moxie Marlinspike Answers Readers' Questions (December 19, 2011)

-http://interviews.slashdot.org/story/11/12/19/179256/moxie-marlinspike-answers-y
our-questions?utm_source=headlines&utm_medium=email

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/