SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #47

June 14, 2011

Have you noticed that cybersecurity is getting far more press coverage
than ever before? From FOX News to public television, cybersecurity is
THE hot topic. A Bloomberg TV reporter told me that cybersecurity
outranked the presidential race yesterday. This surge in visibility is
catalyzing two huge opportunities for people interested in cool jobs in
cybersecurity.

The first is the shift from compliance-based security to continuous
monitoring and daily prioritization of mitigation tasks. That change has
gotten strong White House support. Just last week the federal agency
cybersecurity (FISMA) reporting requirements were substantively changed
to emphasize continuous monitoring and alleviate the need for a lot of
compliance reports. Today people who know how to implement continuous
monitoring of Twenty Critical Controls are in increasingly high demand
among government agencies and contractors and among commercial
organization that are also shifting to continuous monitoring.

The second major opportunity is bigger, but is just emerging. It is a
direct response to the question now coming from senior executives and
CIOs: "Do we know whether every system and application we deploy has
security baked in?" The people who can answer that question with
authority will be the new heroes in cybersecurity. They have many names
- - security architect, security engineer, security consultant, and
several more but their skills are those that can on a large scale, make
sure that every application has security built in. Three of the
companies that have done the best job in transforming their security
programs to be able to ensure security is architected in are helping
with a workshop in August to share best practices. If you want to be the
leader in this area for your company or agency, you should consider
attending the program. My favorite part is the way Cisco in particular
is creating pretty good security architects out of IT architects - very
impressive.

https://www.sans.org/baking-security-applications-networks-2011
Alan

---

TOP OF THE NEWS

Proposed US Legislation Would Require Breach Notification Within 48 Hours
Council of Europe Adopts Rules Setting Harsher Punishments for Cyber Crimes
Spanish Police Site Attacked in Retaliation for Anonymous Arrests

THE REST OF THE WEEK'S NEWS

International Monetary Fund Suffers Cyber Attack
Senate Websites Under Review After Hosting Server Breach
Nissan Leaf Sends Location Data in RSS GET Requests
Siemens Fixes SCADA Flaws
FBI Investigating Fraudulent ACH Transactions from NY Town's Bank Account
Adobe to Fix Remote Code Execution Flaws in Reader and Acrobat
Fines for Former T-Mobile Employees Who Stole and Sold Data
Microsoft to Fix 34 Flaws on June 14

---

***************************************************************************

TRAINING UPDATE

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

-- Security Impact of IPv6 Summit, Washington DC, July 15-16, 2011
http://www.sans.org/ipv6-summit-2011/

-- SANS Boston 2011, Boston, MA, August 6-15, 2011 13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

-- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

-- SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 44 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of information Security and Investigations
http://www.sans.org/network-security-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Ottawa and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

******************* SPONSORED BY ForeScout Technologies *******************

New ForeScout CounterACT Virtual Appliance ForeScout CounterACT is now available as a virtual appliance. ForeScout CounterACT provides real-time visibility and control over everything on the network - users, devices, applications, smartphones, etc. With ForeScout CounterACT Virtual Appliance, organizations can readily deploy and scale-out CounterACT leveraging their VMware investment. http://www.sans.org/info/79693

****************************************************************************

---

TOP OF THE NEWS

Proposed US Legislation Would Require Breach Notification Within 48 Hours (June 13, 2011)

Proposed data breach legislation introduced by US Representative Mary Bono Mack (R-Calif.) would require companies to notify law enforcement authorities of data breaches within 48 hours. If the data compromised in a breach could be used to commit identity fraud, the company must notify the Federal Trade Commission within 48 hours and start contacting affected customers. The bill would also require companies to take reasonable steps to protect personal data, including collecting and storing only data they need.
-http://www.reuters.com/article/2011/06/13/us-cybersecurity-congress-idUSTRE75C5U
B20110613
-http://www.seattlepi.com/national/politico/article/Bono-Mack-proposes-data-breac
h-bill-1422622.php

Council of Europe Adopts Rules Setting Harsher Punishments for Cyber Crimes (June 13, 2011)

The Council of Europe has adopted a set of new rules proposed by the European Commission that establish more stringent punishments for cyber criminals. The rules also establish specific penalties for those who develop malware for creating botnets and who sell such tools. The rules would have to be ratified by the European Parliament before they become official.
-http://www.zdnet.co.uk/news/security-management/2011/06/13/eu-nations-give-nod-t
o-tougher-cybercrime-jail-terms-40093082/?tag=mncol;txt
-http://www.siliconrepublic.com/strategy/item/22172-eu-agrees-to-tougher/
[Editor's Note (Honan): Given the numbers of countries that still have to ratify the Council of Europe's Convention on Cybercrime it is good to see the EU take this tact to ensure that all member states implement new laws to tackle modern threats. ]

Spanish Police Site Attacked in Retaliation for Anonymous Arrests (June 10 & 13, 2011)

On Friday, June 10, authorities in Spain arrested three people believed to be members of the loosely organized hacking collective known as Anonymous and who were involved with the cyber attack on Sony networks. Following the arrests, the website of the Spanish national police force was hit with a distributed denial-of-service (DDoS) attack that took it offline for a short period of time. The attack is believed to be retaliation for the arrests. Also following the attack, Turkish authorities detained 32 people alleged to be associated with Anonymous.
-http://news.cnet.com/8301-30685_3-20070818-264/turkey-arrests-32-after-anonymous
-web-attacks/?tag=mncol;title
-http://www.nzherald.co.nz/internet/news/article.cfm?c_id=137&objectid=107315
76
-http://www.wired.com/threatlevel/2011/06/three-anonymous-members-arrested/
-http://www.bbc.co.uk/news/technology-13727639
-http://www.bbc.co.uk/news/technology-13749181

---

*************************** SPONSORED LINKS ******************************

1) Download the Symantec Endpoint Protection 12 Beta for unrivaled security and blazing performance. http://www.sans.org/info/79698

2) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/info/79703

3) Sign up TODAY for SANS Ask The Expert Webcast: The Rise of Web Malware: The Impact for Your Website, Social Media, and Ad Networks and How You Can Protect Your Business on June 16th at 1 PM ET sponsored by Dasient. Go to http://www.sans.org/info/79708

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

International Monetary Fund Suffers Cyber Attack (June 13, 2011)

Some experts are saying that the cyber attack on the International Monetary Fund (IMF) bears the hallmarks of a state-sponsored effort. That the World Bank severed its network connection with the IMF suggests that it was a broad attack. The IMF informed staff and board members of the attack last week, but has not yet made a public announcement. The attack appears to have taken place over several months. (While The New York Times places a monthly limit on the number of stories non-subscribers can view, the publication broke this story, so we are including their link along with the others.)
-http://www.nytimes.com/2011/06/12/world/12imf.html?_r=1&hp
-http://www.h-online.com/security/news/item/IMF-attack-a-very-major-breach-125946
9.html
-http://www.bbc.co.uk/news/technology-13748488
-http://www.wired.com/threatlevel/2011/06/imf/
-http://www.youtube.com/watch?v=WmVArUiFM2E
-http://www.nextgov.com/nextgov/ng_20110613_8064.php?oref=topstory
-http://www.bbc.co.uk/news/world-us-canada-13754496

Senate Websites Under Review After Hosting Server Breach (June 13, 2011)

All US Senate (one of two legislative bodies in the US) websites are under review following a breach that compromised the security of the server that hosts Senate.gov. The review was ordered by the Senate sergeant at arms, Terrance Gainer. The compromised server held only content intended for public consumption. The breach is under investigation by the US Department of Homeland Security's (DHS) Computer Emergency Readiness Team (US-CERT) and other law enforcement authorities. The group of cyber intruders claiming responsibility for the breach is the same one that has claimed responsibility for recent cyber attacks on Sony, Nintendo and PBS.
-http://www.cnn.com/2011/POLITICS/06/13/senate.website.hacked/
-http://www.washingtonpost.com/politics/hacking-group-claims-it-breached-senate-w
ebsite-publishes-evidence-of-break-in/2011/06/13/AG7xAaTH_story.html

Nissan Leaf Sends Location Data in RSS GET Requests (June 13, 2011)

A blogger has determined that the Nissan Leaf electric automobile leaks information about the vehicle's location, speed and destination through the car's RSS reader. The Leaf is equipped with technology that allows drivers to select RSS feeds which are then read to them. The blogger, Casey Halverson, discovered that the GET request sent from the car for the feed contains the vehicle's latitude, longitude, speed, direction and the latitude and longitude of the car's destination.
-http://www.h-online.com/security/news/item/Nissan-LEAF-cars-leak-speed-position-
destination-to-RSS-feeds-1259465.html
-http://www.theregister.co.uk/2011/06/13/nissan_leaf_privacy_invasion/
-http://seattlewireless.net/~casey/?p=97
[Editor's Note (Schultz): Whether we like it or not, we'll be hearing increasingly about allegations of this nature. A rapidly increasingly proportion of applications require information about current user location to deliver information needed by users. ]

Siemens Fixes SCADA Flaws (June 10 & 11, 2011)

Siemens has released firmware updates to address two vulnerabilities in its Simatic S7 computer systems. One of the flaws, known as a replay attack, could allow attackers to take control of vulnerable systems; the other could be exploited to create denial-of-service conditions. The flaws were discovered by a researcher who planned to give a presentation about them at a conference in May, but pulled the talk from that conference after discussions with Siemens and the US Department of Homeland Security (DHS) made it clear that to disclose the vulnerabilities before a fix was available could prove dangerous. The researchers, Dillon Beresford from NSS Labs, will present the talk at the Black Hat security conference in Las Vegas, Nevada this August.
-http://www.computerworld.com/s/article/9217547/Siemens_fixes_industrial_flaws_fo
und_by_hacker
-http://www.v3.co.uk/v3-uk/news/2078294/siemens-finally-patches-industrial-contro
l-flaws
[Editor's Note (Schultz): The big question here is why Siemens, a world-class company, has not invested more resources and effort in discovering and fixing security-related vulnerabilities in its SCADA systems before the bad guys do.
(Paller): Siemens has invested heavily in improving the security skills of its programmers and ensuring its applications are built securely. The challenge they face is the 90% of their customers use versions of their tools that were built and deployed before the current wave of improvements were built into the development process. SCADA systems often stay in place for 20 to 30 years; the manufacturers do not have an effective plan to mitigate the risks to those legacy systems.
(Honan): The Industrial Control Systems Cyber Emergency Response Team, which is part of the US-CERT, have issued a good advisory on this issue at
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf
while Siemens has released the patch at
-http://support.automation.siemens.com/WW/view/en/41886031/133100]

FBI Investigating Fraudulent ACH Transactions from NY Town's Bank Account (June 10, 2011)

The FBI is investigating fraudulent automated clearinghouse (ACH) transactions that resulted in the theft of at least $139,000 from the bank account of Pittsford, New York. The fraudulent transactions started about two weeks ago, when the attackers made a series of transactions from city coffers to money mules, who took the money and wired it to accounts outside the US. The transactions took place shortly after Pittsford opened an account with a new bank, where they had not yet established transaction controls. At their previous bank, all transactions had to be approved by at least two town officials.
-http://krebsonsecurity.com/2011/06/fbi-investigating-cyber-theft-of-139000-from-
pittsford-ny/

Adobe to Fix Remote Code Execution Flaws in Reader and Acrobat (June 10, 2011)

On Tuesday, June 14, 2011, Adobe plans to release updates for Reader and Acrobat to fix critical flaws in both products. The vulnerabilities could be exploited through maliciously crafted PDF files to allow remote code execution on users' computers.
-http://www.zdnet.com/blog/security/adobe-readies-critical-pdf-reader-patch-tuesd
ay/8751?tag=mantle_skin;content

Fines for Former T-Mobile Employees Who Stole and Sold Data (June 10 & 13, 2011)

Two men who used to work for T-Mobile have been fined a total of GBP 73,700 (US $121,000) for stealing customer information and selling it to third parties. The action resulting in the decision was brought by the UK information Commissioner's Office (ICO), which launched the investigation in 2008.
-http://www.v3.co.uk/v3-uk/news/2078194/thieves-fined-gbp75-stealing-information-
mobile
-http://www.eweekeurope.co.uk/news/miscreants-fined-for-selling-t-mobile-customer
-data-31582

Microsoft to Fix 34 Flaws on June 14 (June 9, 2011)

On Tuesday, June 14, Microsoft will release fixes for 34 security flaws. Of the 16 security bulletins Microsoft plans to issue, nine are rated critical; the remaining seven are rated important. The bulletins address vulnerabilities in Windows, Microsoft .NET Framework, Silverlight, Office, Internet Explorer, SQL Server and other products. Among the vulnerabilities to be fixed is a cookie-jacking flaw and could let attackers steal access credentials.
-http://www.scmagazineus.com/microsofts-16-patches-include-one-for-cookiejacking/
article/204890/
-http://www.computerworld.com/s/article/9217501/Microsoft_slates_hefty_Patch_Tues
day_to_fix_34_flaws_next_week?taxonomyId=85
-http://www.microsoft.com/technet/security/Bulletin/MS11-jun.mspx

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login.