SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #103

December 30, 2011

TOP OF THE NEWS

Appeals Court Upholds Constitutionality of FISA
Duqu and Stuxnet Developed by the Same Team, Say Kaspersky Analysts

THE REST OF THE WEEK'S NEWS

Stratfor Website Still Offline
GoDaddy Boycott
US-CERT Warns of Vulnerability in WPS Standard
Microsoft Issues Patch for ASP.NET Hash Collision Vulnerability; Flaw Affects Many Web App Platforms
DHA and Idaho Nat'l Lab Receive Innovation Award for Control System Security Training Program
NIST Issues BIOS Lockdown Guidance
Phishing Attacks Target US Military Personnel

---

********************** SPONSORED BY SANS *******************************

What devices are accessing what resources and by whom?
Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012!
Follow this link to the survey: http://www.sans.org/info/95739

**************************************************************************

TRAINING UPDATE

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/

- --SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click is all It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/sans-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************************************************************

---

TOP OF THE NEWS

Appeals Court Upholds Constitutionality of FISA (December 29, 2011)

9th US Circuit Court of Appeals said that 2008's Foreign Intelligence Surveillance Act (FISA), which granted telecommunications companies immunity to aiding the National Security Agency (NSA) with wiretapping efforts, is constitutional. The three judge panel upheld a lower court ruling. The appeal was a consolidation of 33 separate lawsuits filed against telecommunications companies on behalf of their customers. In a separate ruling, the same panel of judges revived a lawsuit challenging the warrantless surveillance program.
-http://www.businessweek.com/news/2011-12-29/surveillance-law-upheld-while-lawsui
t-allowed-to-proceed.html
-http://www.washingtonpost.com/national/appeals-court-revives-telecom-customers-l
awsuit-accusing-feds-over-warrantless-wiretapping/2011/12/29/gIQATds5OP_story.ht
ml
-http://www.wired.com/threatlevel/2011/12/dragnet-surveillance-case/

Duqu and Stuxnet Developed by the Same Team, Say Kaspersky Analysts (December 29, 2011)

New research from Kaspersky Labs suggests that Stuxnet and Duqu malware were likely developed by the same team and may date back to 2007. Researchers are calling the common malware platform on which the two, and possibly others, were created as "Tilded" because many of the file names start with "~d." Stuxnet made its way into the public eye in June 2010, when it was detected on equipment that was part of Iran's nuclear program. Duqu was detected in September 2011 and appears to be tailored to steal industrial control design documents.
-http://www.informationweek.com/news/security/vulnerabilities/232301131
-http://www.zdnet.co.uk/blogs/mapping-babel-10017967/kaspersky-stuxnet-and-duqu-b
uilt-by-same-team-10025107/
[Editor's Comment (Northcutt): The coincidences just keep coming:
-http://www.pbs.org/wgbh/pages/frontline/tehranbureau/2011/07/iranian-scientist-a
ssassinated-in-tehran-nature-of-his-work-unclear.html
-http://www.bbc.co.uk/news/world-middle-east-15960456
-http://articles.cnn.com/2011-02-26/world/iran.nuclear_1_bushehr-reactor-bushehr-
plant-russian-built-plant?_s=PM:WORLD]

---

************************** SPONSORED LINK ****************************

1) Take the SANS 8th Annual Log and Event Management Survey

Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/95744

************************************************************************

---

THE REST OF THE WEEK'S NEWS

Stratfor Website Still Offline (December 28 & 29, 2011)

The Stratfor website is likely to remain offline until sometime in early January, according to email messages sent to subscribers. Stratfor has been offline since December 24. The site's relaunch has been put off "until a thorough review and adjustment by outside experts can be completed." Attackers, believed to be associated with the Anonymous hacking collective, stole client information from a Stratfor database earlier this month. Some of the data have been posted to the Internet. There were reports of the stolen credit card information being used to make charitable donations. It is unlikely that the charities will be permitted to keep the funds. Law enforcement agents are investigating the attack. It appears that the attackers may be targeting people who have spoken out in defense of Stratfor as well.
-http://www.bbc.co.uk/news/technology-16352891
-http://www.zdnet.co.uk/blogs/mapping-babel-10017967/stratfor-keeps-website-offli
ne-after-hack-10025103/
-http://news.cnet.com/8301-1009_3-57348995-83/report-details-extent-of-anonymous-
hack-on-stratfor/
-http://www.nextgov.com/nextgov/ng_20111228_9877.php?oref=topnews
-http://techland.time.com/2011/12/27/speak-out-and-you-may-be-targeted-warns-brea
ched-security-firm-stratfor/

GoDaddy Boycott (December 27 & 29, 2011)

Despite GoDaddy's decision to remove itself from the list of SOPA supporters, a boycott of the domain registrar appears to be going ahead as planned. GoDaddy's name appeared on a Congressional list of supporters of the controversial anti-piracy legislation. Tech companies opposing SOPA include Facebook, Google, and Twitter. Supporters include Sony, Comcast, and Dell. GoDaddy's withdrawal of support for SOPA may have been too little too late, as users are reportedly still planning to switch to other registrars. December 29 was designated as the day for people to move their domains and websites away from GoDaddy.
-http://www.bbc.co.uk/news/technology-16320149
-http://news.cnet.com/8301-1009_3-57348831-83/go-daddy-gets-name-off-sopa-support
ers-list/?tag=txt;title

US-CERT Warns of Vulnerability in WPS Standard (December 28 & 29, 2011)

US-CERT has issued an advisory warning of a vulnerability in the WiFi Protected Setup (WPS) setup standard that could be exploited in a brute force attack to gain access to wireless routers. The WPS specification for PIN authentication returns information after attackers have entered a random PIN that tells them whether the first half of the PIN is correct. If there is no lock-out policy after a given number of failed attempts, the likelihood of a successful attack is increased. US-CERT recommends disabling WPS until fixes are available for the problem.
-http://www.scmagazine.com/vulnerability-allows-brute-force-hacking-of-wireleless
-routers/article/221016/
-http://www.theregister.co.uk/2011/12/29/wi_fi_not_protected/
-http://www.kb.cert.org/vuls/id/723755
[Guest Editor (Raul Siles of Internet Storm Center): The WPS vulnerability could be considered as a kind of "backdoor" to get full access to protected Wi-Fi networks where WPS is enabled. Based on the experience we had on similar Wi-Fi vulnerabilities over the last decade, I anticipate the fix (once available) is going to take a very long time to get implemented and effectively protect users worldwide. Solution: Disable WPS!! ISC diary:
-https://isc.sans.edu/diary/Wi-Fi+Protected+Setup+WPS+PIN+Brute+Force+Vulnerabili
ty/12292
(Murray): This is a vulnerability without a problem. Brute force attacks are unlikely as long as there are large numbers of soft targets. ]

Microsoft Issues Patch for ASP.NET Hash Collision Vulnerability; Flaw Affects Many Web App Platforms (December 28 & 29, 2011)

Microsoft has issued an out-of-cycle patch for a zero-day vulnerability in ASP.NET, the web application framework. The flaw lies in "the way ASP.NET processes values in an ASP.NET form post causing a hash collision." The vulnerability could be exploited to cause denial-of-service conditions. The flaw in question affects many web programming languages. Microsoft is not presently aware of attacks in the wild, but does expect that exploit code is imminent because the vulnerability was recently disclosed at the Chaos Computer Conference in Berlin. Germany.
-http://www.h-online.com/security/news/item/28C3-Denial-of-Service-attacks-on-web
-applications-made-easy-1401863.html
-http://www.scmagazine.com/microsoft-delivers-rare-out-of-band-patch-for-aspnet-i
ssue/article/221187/
-http://www.theregister.co.uk/2011/12/28/ms_zero_day/
-http://www.pcworld.com/businesscenter/article/247092/flaw_in_web_app_frameworks_
pushes_microsoft_to_patch_aspnet_promptly.html
-http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-
hashing-denial-of-service-attack.ars
-http://www.scmagazine.com/microsoft-scrambles-to-address-widespread-aspnet-bug/a
rticle/220921/
-http://www.computerworld.com/s/article/9223069/Websites_apps_vulnerable_to_low_b
andwidth_bot_free_takedown_say_researchers?taxonomyId=17
Microsoft Advisory:
-http://technet.microsoft.com/en-us/security/advisory/2659883
Microsoft Security Bulletin:
-http://technet.microsoft.com/en-us/security/bulletin/ms11-100
[Guest Editor's Note (Raul Siles of the Internet Storm Center): It is valuable to clarify that the OOB bulletin from Microsoft fixes 4 different vulnerabilities. One of them is the DoS that affects many web platforms (CVE-2011-3414). The other three (CVE-2011-3415 to 3417) are ASP.NET vulnerabilities, and it is the authentication bypass (3416) the most relevant one, rated as critical by Microsoft. Follow multi-platform fix status for the DoS vulnerability at:
-http://www.ocert.org/advisories/ocert-2011-003.html.]

DHA and Idaho Nat'l Lab Receive Innovation Award for Control System Security Training Program (December 27, 2011)

The US Department of Homeland Security National Cyber Security Division and Idaho National Laboratory have been awarded a 2011 US National Cybersecurity Innovation Award. The entities are being honored for their work building cyber security skills necessary for power grid and other control system defense. Their joint Control Systems Security Program (CSSP) has developed training programs for both managers and technical people in industries that use control systems. One of the programs includes a Red Team/Blue team attack simulation exercise within a real control systems environment.
-http://www.sacbee.com/2011/12/27/4147512/us-department-of-homeland-security.html

NIST Issues BIOS Lockdown Guidance (December 27, 2011)

The National Institute of Standards and Technology (NIST) has released a draft version of security guidelines for locking down Basic Input/Output Systems (BIOS). The BIOS Integrity Measurement Guidelines aim to help detect changes to system configuration and changes to BIOS code that could be used to let malware execute during the boot-up process. NIST welcomes comments on the draft document through January 20, 2012.
-http://www.informationweek.com/news/government/security/232301025
-http://csrc.nist.gov/publications/drafts/800-155/draft-SP800-155_Dec2011.pdf
[Editor's Note (Murray): This guidance is directed at developers. Like most NIST guidance, it is permissive, not mandatory. As a buyer one will want to know to what extent a product is compliant. It will be nice if the government uses its buying power to ensure labeling. ]

Phishing Attacks Target US Military Personnel (December 23 & 28, 2011)

Recent phishing attacks are targeting military personnel through their .mil email accounts. The phony email messages are spoofed so that they appear to be coming from senior officers or companies that do business with the military, including financial services company USAA. The emails attempt to get recipients to click on a link that would infect their computers with ZeuS malware.
-http://www.informationweek.com/news/government/security/232301104
-http://www.army.mil/article/71306/Aggressive_phishing_attack_targets_military/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/