SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #44

June 03, 2011

FLASH: Earlier this morning, the White House and Department of Homeland
Security announced what will, I think, be a huge improvement in federal
cybersecurity - one that will result in rapid risk reduction and
potentially allow the government to lead by example in showing how to
manage cyber security effectively. The newly released document, "FY 2011
Chief Information Officer FISMA Reporting Metrics," requires agencies
to report on their progress in automating the continuous (daily)
measurement of the most critical security risks. "What gets measured
gets done." These new metrics asses agency progress in implementing the
sensors and systems needed for continuous monitoring of the small number
of key controls defined by NSA, DHS and the other agencies and companies
that are fully aware how cyber attacks are executed and what controls
are needed to block those attacks or mitigate damage. For a copy of the
new document, click the button at the top of the screen at

http://www.sans.org/critical-security-controls/

Kudos to Matt Coose of DHS and to the White House team.

Of direct relevance to people interested in continuous monitoring: NSA
is just releasing complementary documents on continuous improvement of
the critical controls detailed in the metrics required by DHS, and SANS
will release an updated version of the Twenty Critical Controls later
this month. More on both of those next week.

Alan

---

TOP OF THE NEWS

Another Defense Contractor Targeted in RSA SecurID Attacks
Pentagon Cyber Warfare Strategy
Tennessee Law Prohibits Sharing Login Credentials

THE REST OF THE WEEK'S NEWS

Apple Playing Catch-Up With Malware Variants
All Sony PSN Services Now Restored
Google Thwarts Spear Phishing Attack Against Government Officials
Second Annual UK Cyber Security Challenge Launched
Facebook Video Scam Spreading
Honda Canada Facing Class Action Lawsuit Following Breach
Google Pulls Malware-Infected Apps From Android Market
HHS Proposes Changes to HIPAA Privacy Rule

---

***************************************************************************

TRAINING UPDATE

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 41 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- -- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 5 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 43 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus London, Austin, Canberra and Ottawa all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org

******************* SPONSORED BY Symantec *************************

Modern malware rarely strikes the same way twice. Today's malicious code rapidly mutates, bypassing traditional defenses. Traditional antivirus approaches no longer work. Download the Symantec Endpoint Protection 12 beta to see how Symantec can help mitigate threats today and tomorrow for both small businesses and the largest enterprises. http://www.sans.org/info/79184

****************************************************************************

---

TOP OF THE NEWS

Another Defense Contractor Targeted in RSA SecurID Attacks (May 31 & June 1 & 2, 2011)

More US defense contractors may have been targeted in attacks using information stolen from RSA in March. An internal message sent to employees of L-3 Communications said the company "has been actively targeted with penetration attacks leveraging the compromised information." What is not known is whether the attackers were successful. L-3 reportedly uses RSA's SecurID to allow access to an unclassified corporate network. Another defense contractor, Lockheed Martin, recently acknowledged that it suffered a cyber attack which has also been linked to the RSA data breach. A third defense contractor may have been targeted as well. Emerging reports are saying that last week, Northrup Grumman, cut remote access to its network and initiated a "domain name and password reset across the entire organization."
-http://www.wired.com/threatlevel/2011/05/l-3/
-http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-
Cloned-RSA-SecurID-Tokens-841662/
-http://www.scmagazineus.com/lockheed-admits-to-hack-that-may-portend-more-breach
es/article/204205/
-http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-sour
ce-says/
-http://news.cnet.com/8301-27080_3-20068051-245.html

Pentagon Cyber Warfare Strategy (May 31, 2011)

The Pentagon's forthcoming cyber warfare strategy will reframe cyber attacks as possible acts of war, which would allow the US to respond to certain attacks on critical systems with force. US government and military systems have been facing cyber attacks from foreign powers more at least eight years. Attackers have stolen sensitive information, including data about the F35 fighter.
-http://www.guardian.co.uk/world/2011/may/31/washington-moves-to-classify-cyber-a
ttacks
-http://www.computerworld.com/s/article/9217161/Cyberattacks_can_justify_armed_re
sponse_Pentagon_says?taxonomyId=17
-http://www.theregister.co.uk/2011/05/31/hacking_as_act_of_war/
-http://www.bbc.co.uk/news/world-us-canada-13614125
-http://www.informationweek.com/news/government/security/229700205
-http://www.nextgov.com/nextgov/ng_20110531_5712.php?oref=topnews
[Editor's Note (Paller) What you might have missed in the buzz caused by the Wall Street Journal report on the upcoming DoD cyber strategy was the report published this week by Ellen Nakashima of the Washington Post detailing the Pentagon's list of cyber weapons and tools, including viruses that can sabotage an adversary's critical networks, to streamline how the United States engages in computer warfare.
-http://www.washingtonpost.com/national/list-of-cyber-weapons-developed-by-pentag
on-to-streamline-computer-warfare/2011/05/31/AGSublFH_story.html
(Schultz): Given that malicious code can be used as a weapon and that attackers are capable of breaking into and controlling systems that are part of the national infrastructure, the Pentagon's strategy makes perfect sense. ]

Tennessee Law Prohibits Sharing Login Credentials (June 2, 2011)

Tennessee's governor has signed into law a bill that makes it illegal to share login information - usernames and passwords - with anyone, including family members. The law takes effect July 1 and applies only within the borders of that state. The bill is an expansion of laws that allow prosecution of people for stealing cable service or not paying for restaurant meals. People convicted under the law of stealing up to US $500 worth of entertainment could face a year in jail and a fine of up to US $2,500. For those convicted of stealing more than US $500 of content, penalties are greater.
-http://news.cnet.com/8301-13506_3-20068233-17.html?tag=mncol;title

---

*************************** SPONSORED LINKS ******************************

1) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/79189

2) Hear industry experts discuss techniques to fight crimes at the Forensics and Incident Response Summit in Austin, Texas - June 7-8th. Make sure to also attend any of the 4 post-Summit courses June 9-14th. http://www.sans.org/info/79194

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Playing Catch-Up With Malware Variants (May 31 & June 1 & 2, 2011)

Not even a day after Apple released an update for OS X to protect users from attacks used to spread rogue anti-virus products, a variant of the malware that evades the new protections was been detected. Apple has released yet another update to detect the new malware variant. Researchers are calling the events a "cat-and-mouse game." Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=10951
-http://www.theregister.co.uk/2011/06/02/apple_mac_scareware_updte/
-http://www.v3.co.uk/v3-uk/news/2075478/macdefender-bypasses-apples-security-patc
h
-http://www.computerworld.com/s/article/9217269/Apple_strikes_back_at_newest_Mac_
scareware?taxonomyId=17
-http://www.theregister.co.uk/2011/06/01/mac_osx_scareware_evasion/
-http://www.computerworld.com/s/article/9217210/Mac_scareware_gang_evades_Apple_s
_new_anti_malware_defenses?taxonomyId=17
-http://krebsonsecurity.com/2011/05/apple-update-targets-mac-malware/

All Sony PSN Services Now Restored (June 2, 2011)

More than a month after a massive data breach forced Sony to shut down its PlayStation Network (PSN) and Qriocity music service, both services have been completely restored. Sony took down the sites on April 20, and partially restored PSN in May. Users had been unable to access the PSN Store until this week.
-http://content.usatoday.com/communities/gamehunters/post/2011/06/sony-restores-a
ll-playstation-network-services/1
-http://www.washingtonpost.com/blogs/faster-forward/post/sony-playstation-store-b
ack-online/2011/06/02/AGhwcEHH_blog.html
-http://www.theglobeandmail.com/news/technology/video-games/controller-freak/sony
-completes-full-restoration-of-playstation-network/article2044628/

Google Thwarts Spear Phishing Attack Against Government Officials (June 1 & 2, 2011)

The US government is investigating a spear phishing attack that tricked senior US government officials and military personnel into revealing their Gmail login credentials. Google says it shut down the attack, which appeared to emanate from Jinan in China, and also targeted journalists, Chinese political activists and officials in other Asian countries. A statement from a Chinese official called allegations of China's involvement with the attack "groundless." The incident underscores the security issues posed by cloud-based services.
-http://www.washingtonpost.com/business/technology/google-says-hackers-based-in-c
hina-accessed-us-officials-gmail-accounts/2011/06/01/AGwgRmGH_story.html?hpid=z1
-http://www.wired.com/threatlevel/2011/06/gmail-hack/
-http://news.cnet.com/8301-1009_3-20068229-83/feds-investigate-alleged-attacks-on
-gmail-accounts/?tag=mncol;title
[Editor's Note (Pescatore): There appears to be a lot more research being done using Facebook, LinkedIn and other social network posts to make targeted phishing emails much more personalized. ]

Second Annual UK Cyber Security Challenge Launched (June 1 & 2, 2011)

Registration has begun for the UK's second annual Cyber Security Challenge, a competition designed to encourage people with interest and skills in cyber security to pursue and develop careers to fill the need for specialists to defend UK networks. Those who are interested can register through the competition website to participate in a series of challenges over the coming year. This year's competition has three strands: secure network design, informed defence, and investigate and understand.
-http://www.bbc.co.uk/news/technology-13615091
-http://www.eweekeurope.co.uk/news/cyber-security-challenge-open-for-registration
s-30797

Facebook Video Scam Spreading (June 1, 2011)

Some links spreading through Facebook that claim to lead to salacious videos actually lead users to sites that install rogue security software on their computers. Facebook has thus far been powerless to stop the scareware attacks. The scheme targets both PCs and Macs. The ruse varies with operating systems. PC users are told they need to install the most recent version of Adobe Flash Player to view the video; Mac users are greeted with a security warning pop-up that offers a "fix" button. The malware redirects users to pornographic websites every five minutes until they pay for a software license.
-http://www.computerworld.com/s/article/9217229/Facebook_video_scam_puts_malware_
on_Mac_and_Windows?taxonomyId=17

Honda Canada Facing Class Action Lawsuit Following Breach (June 1, 2011)

Lawyers representing Honda Canada customers have filed a class action lawsuit against the automobile company over a data security breach that compromised information belonging to 283,000 customers. The breach occurred in March 2011, but Honda Canada did not start notifying customers until May. The compromised information included names, addresses, vehicle identification numbers (VINs) and Honda Financial Services account numbers stored on personalized web pages. Some customers who never entered the information are affected by the breach because the company pre-populated pages with customer data before asking them to customize their own pages.
-http://www.informationweek.com/news/security/attacks/229700261

Google Pulls Malware-Infected Apps From Android Market (May 31 & June 1, 2011)

Google has pulled nearly three dozen apps from its Android market after learning that the mobile applications were infected with malware. The questionable apps are maliciously altered versions of legitimate ones. Several months ago, Google removed more than 50 apps from Android Market over similar concerns. The malware in question this time is being called DroidDream Light.
-http://www.scmagazineus.com/new-android-malware-variant-lands-with-a-punch/artic
le/204296/
-http://www.theregister.co.uk/2011/05/31/android_market_malware/
-http://www.theregister.co.uk/2011/06/01/android_trojan_rash/
-http://www.computerworld.com/s/article/9217178/Google_faces_new_round_of_Android
_malware?taxonomyId=17
[Editor's Note (Schultz): The real problem here is that apps for smartphones (not just Androids) generally receive little if any security scrutiny before they are made available to the public.
(Pescatore/Paller): We think the iPhone/iPad App Store approach has proven the world is tired of constant malware problems when the platform vendor provides no security value add via some testing of apps before the malicious ones impact users. The Amazon AppStore for Android is a step in the right direction, but Google really needs to raise the bar, not lower it, in this area. ]

HHS Proposes Changes to HIPAA Privacy Rule (May 31, 2011)

The US Department of Health and Human Services (HHS) has proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) that would allow patients to see the names of every person who accesses their electronic health records. Paper records would be exempt from the new rule. HIPAA currently gives consumers the right to know when their health information has been shared with third parties, but patients must request that information.
-http://redtape.msnbc.msn.com/_news/2011/05/31/6757204-is-someone-snooping-your-h
ealth-records-new-rule-will-tell-you-who
-http://www.informationweek.com/news/healthcare/policy/229700217
-http://www.informationweek.com/news/security/government/229700300
-http://www.healthcareitnews.com/blog/hitech-revises-hipaa-regulations
Text of proposed rule:
-http://www.federalregister.gov/articles/2011/05/31/2011-13297/hipaa-privacy-rule
-accounting-of-disclosures-under-the-health-information-technology-for-economic#
p-35

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account