
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #45

June 07, 2011


The US federal transformation in cybersecurity measurement has now
officially begun. It matters. See the first story in this issue.
Alan

TOP OF THE NEWS

FISMA Compliance Metrics Focus on Continuous Monitoring
World IPv6 Day
Sony Pictures Database Hacked
Rootkit Now Has Self-Propagation Mechanism

THE REST OF THE WEEK'S NEWS

Canadian Judge Blocks Extradition of Alfred-Adekeye to US
Syria Temporarily Shuts Down Much of Internet
Adobe Releases Fix for Zero-Day Flash Flaw
Attackers Steal InfraGard Login Credentials
Man Arrested for Attempted Facebook Hack
Attackers Steal Information from Acer Customer Database
Spear Phishing Attacks Gathered Information Over Many Months
Chinese Paper Warns That Groundless Accusations Could be Dangerous
British Intelligence Agency Replaces Online al Qaeda Article with Cupcake Recipes


***************************************************************************

TRAINING UPDATE

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- SANS Boston 2011, Boston, MA, August 6-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 44 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Austin, Canberra, Ottawa and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

********************** SPONSORED BY ForeScout Technologies *****************

ForeScout delivers automated solutions for Network Access Control (NAC), mobile security, threat prevention and endpoint compliance. Because our agentless appliance is easy to deploy, use and scale, over 1000 of the world's most secure enterprises and military installations rely on ForeScout to enable accessibility while protecting networks and sensitive data.

http://www.sans.org/info/79348

****************************************************************************

TOP OF THE NEWS

FISMA Compliance Metrics Focus on Continuous Monitoring (June 6, 2011)

New Federal Information Security Management Act (FISMA) compliance metrics released by the US Department of Homeland Security (DHS) require agencies to report on their implementation of automated continuous measurement of critical security risks. The memo stems from 2010 guidance requiring government agencies to begin moving to continuous security monitoring.
-http://www.informationweek.com/news/government/security/230100013
-http://www.govinfosecurity.com/articles.php?art_id=3707
-http://www.nextgov.com/nextgov/ng_20110606_5245.php?oref=topstory
-http://gcn.com/articles/2011/06/06/fisma-reporting-metrics.aspx
-http://www.sans.org/critical-security-controls/fisma.pdf
[Editor's Note (Hoelzer): This is an extremely important step. Federal CIOs and others have known for a long time that the "Report Card" method just doesn't work since it completely fails to address the real risks that a particular agency faces. A Continuous Monitoring focus means that FISMA compliance is starting to align with what much of the FISMA constituency has been saying: Government agencies must have the correct monitoring systems deployed, they must be monitoring the correct things and they must be providing meaningful information to inform the defenders about events and trends. It is heartening to see FISMA compliance coming closer into line with the 20 Critical Security Controls.
(Pescatore): To most federal agencies, the reporting requirements are increasing much faster than security budgets are increasing.
(Paller): The agencies do not have to continue wasting money on the old reporting - they continue only because it makes the FISMA contractors money and because of the Stockholm syndrome (the CIOs and CISOs have been captives of the paper-compliance fanatics for so long that the victims cannot believe they are free to use the money to do the right thing (continuous, automated, daily monitoring)). ]

World IPv6 Day (June 3, 2011)

On Wednesday, June 8, web sites around the world will test the IPv6 standard, which will ultimately allow many more IP addresses than IPv4 with faster connectivity. Among the organizations participating in World IPv6 Day are Microsoft, Google, Yahoo and Facebook. The test runs from 8PM EST on June 7 until 7:59PM EST on June 8. The event is designed to allow network engineers to see how well the new protocol works on a large scale and to identify technical problems like misconfigured systems. The event is also aimed at raising awareness of IPv6 deployment, which is necessary because the Internet is running out of IPv4 address space. IPv6 is not compatible with IPv4, which means web sites will need to upgrade network equipment and software.
-http://www.networkworld.com/news/2011/060311-ipv6-day.htmls
[Editor's Note (Pescatore): There are a variety of ways enterprises and carriers will run both v4 and v6 during what will be a lengthy transition period. Need to make sure these kinds of tests are used to look for weaknesses within and between those mechanisms.
(Ullrich): This is a wakeup call for everybody who doesn't have an IPv6 integration plan in place yet. If you think you don't need one, because you have enough IP space for your network, ask your current and future customers if they have any IPv6 plans. Our monthly ISC threat update, which happens to fall on IPv6 day, will cover IPv6 security.
(Honan): Users that have not implemented IPv6 will probably experience slow responses from some sites during World IPv6 day as their connection is dropped from IPv6 to IPv4. It will be a good idea to have your support desk and incident response teams pre-warned and up to date about IPv6 day in order to deal with the increase in calls they may receive from users experiencing "strange" results when accessing the Internet and certain websites. Some useful resources to point users at include the RIPE IPv6 Eye Chart
-http://ipv6eyechart.ripe.net/
and also
-http://www.test-ipv6.com/
to test your IPv6 connectivity. ]
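Honan's note above describes the symptom support desks will hear about on IPv6 day: a client that prefers IPv6 waits out a connection timeout before falling back to IPv4. The probe below is an added example, not code from the original newsletter; it reproduces that fallback so the delay can be measured. The address pairs are constructed placeholders in documentation prefixes, and `simulated_probe` fakes the clock and the network so the script runs offline (for a live check, pass `resolve("hostname")` to `dual_stack_probe`).

```python
import socket
import time

# Constructed sample: a dual-stack host whose AAAA/A records sit in documentation-only
# prefixes (2001:db8::/32, 192.0.2.0/24); placeholders, not real services.
SAMPLE_ADDRS = [
    (socket.AF_INET6, "2001:db8::1", 443),
    (socket.AF_INET, "192.0.2.10", 443),
]

def resolve(host, port=443):
    """Look up AAAA and A records and order them IPv6 first, as a dual-stack client does."""
    found = [(fam, sa[0], sa[1]) for fam, _t, _p, _c, sa
             in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)]
    found.sort(key=lambda t: 0 if t[0] == socket.AF_INET6 else 1)
    return found

def tcp_connect(fam, ip, port, timeout):
    """Real connector: True only if the TCP handshake completes within `timeout` seconds."""
    s = socket.socket(fam, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return True
    except OSError:
        return False
    finally:
        s.close()

def dual_stack_probe(addrs, connector=tcp_connect, timeout=3.0, clock=time.monotonic):
    """Try addresses in order (IPv6 first), falling back on failure; report which family
    connected, each attempt's duration and the total delay the user would perceive."""
    start, attempts = clock(), []
    for fam, ip, port in addrs:
        t0 = clock()
        ok = connector(fam, ip, port, timeout)
        attempts.append({"family": "IPv6" if fam == socket.AF_INET6 else "IPv4",
                         "ip": ip, "ok": ok, "seconds": round(clock() - t0, 3)})
        if ok:
            break
    return {
        "connected_via": next((a["family"] for a in attempts if a["ok"]), None),
        "fell_back": len(attempts) > 1 and attempts[-1]["ok"],
        "total_seconds": round(clock() - start, 3),
        "attempts": attempts,
    }

def simulated_probe(broken_v6, timeout=3.0):
    """Offline run against SAMPLE_ADDRS with a fake clock. With broken_v6=True the IPv6 SYN
    is silently dropped, so the whole timeout elapses before IPv4 succeeds in 50 ms."""
    now = [0.0]
    def clock():
        return now[0]
    def connector(fam, ip, port, tmo):
        if fam == socket.AF_INET6 and broken_v6:
            now[0] += tmo      # no RST and no SYN-ACK: the client waits out the timeout
            return False
        now[0] += 0.05         # a healthy path answers quickly
        return True
    return dual_stack_probe(SAMPLE_ADDRS, connector, timeout, clock)
```

Comparing `simulated_probe(True)` with `simulated_probe(False)` shows why a broken IPv6 path feels like a slow site rather than an outage: the page eventually loads over IPv4, but only after the full IPv6 timeout.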

Sony Pictures Database Hacked (June 3, 2011)

Attackers have targeted Sony once again, this time using an SQL injection attack to steal user records and admin details, including passwords and music codes, from Sony Pictures. The attackers claiming responsibility are the same group that claimed to be behind a recent attack on the US Public Broadcasting Service (PBS) website in which a phony news story was posted. The group claims that none of the information they took was encrypted. The breach reportedly affects more than one million SonyPictures.com users. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=10996
-http://www.informationweek.com/news/security/attacks/229900111
-http://www.scmagazineus.com/hacker-group-raids-sony-pictures-in-latest-breach/article/204379/

Rootkit Now Has Self-Propagation Mechanism (June 3 & 6, 2011)

A researcher says that the TDSS rootkit, also known as Alureon and TDL4, now has a self-propagation mechanism that lets it spread to other computers using two different methods: the malware can now infect removable media drives and can also spread across local area networks (LANs).
-http://www.theregister.co.uk/2011/06/03/tdss_self_propagation_powers/
-http://www.infosecurity-magazine.com/view/18439/advanced-worm-uses-builtin-dhcp-server-to-propagate-/



*************************** SPONSORED LINKS ******************************

1) Logs Don't Lie. What do yours say? Find out when you download ArcSight Logger for FREE. http://www.sans.org/info/79353

2) Download the Symantec Endpoint Protection 12 Beta for unrivaled security and blazing performance. http://www.sans.org/info/79358

3) Sign up NOW for SANS Ask The Expert Webcast: The Rise of Web Malware: The Impact for Your Website, Social Media, and Ad Networks and How You Can Protect Your Business on June 16th at 1 PM ET. Sponsored by Dasient. Go to http://www.sans.org/info/79363

****************************************************************************

THE REST OF THE WEEK'S NEWS

Canadian Judge Blocks Extradition of Alfred-Adekeye to US (June 3 & 6, 2011)

A British Columbia Supreme Court judge has stayed extradition proceedings against former Cisco employee Peter Alfred-Adekeye. Justice Ronald McKinnon did not mince words in an oral decision that said the point of the extradition demand was to derail an antitrust lawsuit Alfred-Adekeye had brought against Cisco. That suit alleged that Cisco forced customers to purchase maintenance contracts to receive security updates for Cisco products. Cisco filed a countersuit, alleging that Alfred-Adekeye had gained access to Cisco networks using a former colleague's login credentials. He was arrested while testifying at a special hearing in that case that was held in Canada because he had been denied entry to the US.
-http://www.computerworld.com/s/article/9217300/Canada_blocks_extradition_of_Cisco_suspect?taxonomyId=82

-http://www.vancouversun.com/news/used+unmitigated+gall+court+jail+exec/4885987/story.html

-http://www.salon.com/news/david_sirota/2011/06/06/cisco_law_enforcement

Syria Temporarily Shuts Down Much of Internet (June 6, 2011)

Internet service in Syria has been restored after the government cut off access to citizens on Friday, June 3 during some of the largest anti-government protests the country has recently seen. Following the shutdown, only Syrian government sites remained available in that country. Internet access in Syria was once again available by 7AM local time the next day. Other Middle Eastern governments have severed Internet access in an attempt to quell protests.
-http://www.zdnet.com/blog/networking/syria-8217s-internet-is-back-up-8230-for-now/1139

-http://www.eweekeurope.co.uk/news/syrian-internet-cut-off-during-protests-31009
-http://technolog.msnbc.msn.com/_news/2011/06/03/6779700-syrian-government-unplugs-internet-for-much-of-country

[Editor's Note (Schultz): Tyrants know all too well that information is power and thus that withholding information from the masses is one of the best ways to keep them enslaved. ]

Adobe Releases Fix for Zero-Day Flash Flaw (June 5 & 6, 2011)

Adobe has released an out-of-band fix for a zero-day vulnerability in its Flash Player. The cross-site scripting (XSS) flaw affects Flash Player versions 10.3.181.16 and earlier on Windows, Mac, Linux and Solaris and versions 10.3.185.22 and earlier for Android. A fix has already been pushed out to address the Flash flaw in Google's Chrome browser. The flaw could be exploited "to take action on a user's behalf on any website or webmail provider" by tricking users into clicking on malicious links in email messages. Adobe is still investigating whether or not the vulnerability affects Reader and Acrobat. The flaw is reportedly being actively exploited against Gmail users. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11014

-http://krebsonsecurity.com/2011/06/flash-player-patch-fixes-zero-day-flaw/
-http://www.informationweek.com/news/security/app-security/229900192
-http://www.h-online.com/security/news/item/Flash-Player-update-closes-zero-day-1255599.html

-http://www.adobe.com/support/security/bulletins/apsb11-13.html
-http://www.scmagazineus.com/gmail-users-targeted-by-adobe-flash-exploit/article/204617/

-http://www.zdnet.com/blog/security/hackers-exploiting-flash-player-xss-vulnerability/8732

[Editor's Note (Honan): Issues such as this zero-day flash flaw highlight how important security awareness training is in helping users protect themselves from malicious attacks. A quick review of many of the major security breaches shows the attack gained a foothold within the organisation after a user clicked on a link or attachment in an email. Technical controls can detect and prevent many attacks but always be aware that the unwary/uneducated user can be exploited to circumvent these controls. ]

Attackers Steal InfraGard Login Credentials (June 6, 2011)

Login credentials belonging to members of InfraGard, an FBI partner organization, have been stolen and posted to the Internet. InfraGard is a "public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure." InfraGard Atlanta Members Alliance President Paul Farley acknowledged that the organization's website was compromised. The group claiming responsibility for the attack said it was launched in retaliation for the Pentagon's announcement that it is considering classifying certain cyber attacks as acts of war. The Atlanta InfraGard website has been shut down as a precaution.
-http://www.msnbc.msn.com/id/43293246/ns/technology_and_science-security/
-http://www.ajc.com/news/hackers-hit-atlanta-fbi-968059.html
Related Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11011

Man Arrested for Attempted Facebook Hack (June 6, 2011)

Law enforcement authorities have arrested a UK man for allegedly attempting to break into Facebook. The social networking company is working with London's Metropolitan Police Service and the FBI to look into the incident. Facebook says that no user information was compromised. Details about the incident are vague because the investigation is ongoing.
-http://www.computerworlduk.com/news/security/3284072/man-arrested-in-yorkshire-on-facebook-hacking-charges/

Attackers Steal Information from Acer Customer Database (June 3 & 6, 2011)

Attackers claim to have stolen information from an Acer customer database. The compromised information appears to include the names, email addresses and purchase histories of about 40,000 customers. The attackers also claim to have stolen source code from the computer manufacturer. The attackers appear to have taken the information by gaining access to an Acer FTP server.
-http://www.computerworld.com/s/article/9217295/Acer_server_in_Europe_reportedly_breached?taxonomyId=82

-http://www.theregister.co.uk/2011/06/03/acer_customer_data/
-http://www.h-online.com/security/news/item/Acer-inadvertently-releases-40-000-customer-details-1255998.html

-http://www.v3.co.uk/v3-uk/security-watchdog-blog/2076219/hacking-claims-breached-acer-s-european-systems

Spear Phishing Attacks Gathered Information Over Many Months (June 3, 2011)

The recently disclosed spear phishing attacks against key government officials, political activists and journalists in several countries around the world had been painstakingly planned; the attackers appear to have been gathering personal information about their targets for as long as nine months. Google claims to have disrupted the targeted attacks.
-http://www.theregister.co.uk/2011/06/03/gmail_users_stalked_for_months/

Chinese Paper Warns That Groundless Accusations Could be Dangerous (June 6, 2011)

China has warned that Google's insinuation that the Chinese government is behind the recent spear phishing attacks targeting government officials' and political activists' Gmail accounts (see story above) could prove detrimental to Google's business. Google has not directly accused the Chinese government of being responsible for the attacks, but did say that they appeared to originate in a Chinese city that houses a government intelligence agency. The article in China's paper, the People's Daily, did not specify exactly how the allegations could come back to haunt Google.
-http://www.reuters.com/article/2011/06/06/us-google-china-idUSTRE7550CV20110606
-http://news.cnet.com/8301-13506_3-20069245-17/china-paper-blusters-at-google-amid-hacking-affair/?tag=mncol;title

British Intelligence Agency Replaces Online al Qaeda Article with Cupcake Recipes (June 2, 2011)

The British intelligence agency MI6, along with GCHQ (the UK counterpart of the US National Security Agency), has broken into an online al Qaeda publication and replaced instructions for making a bomb with a series of cupcake recipes. The cyber infiltrators also removed several articles from the publication.
-http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account