SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #55

July 12, 2011

TOP OF THE NEWS

Hackers Target DHS and DoD Contractor Booz Allen Plus and a DoD Contractor
Private Companies Turn Down Offer of Free Security Audit from ICO
Case Will Test Applicability of Fifth Amendment to Cryptographic Keys
News of the World Editors Arrested in Connection With Phone Hacking Scandal

THE REST OF THE WEEK'S NEWS

How Digital Detectives Deciphered Stuxnet
Search Result Poisoning Attack Hits Microsoft Security Center
Proposed Data Protection Rule Irks Government Contractors
DHS Official Acknowledges That Some Imported Devices Pre-Loaded Malware
Artist's Computer Seized in Surreptitious Webcam Case
More Than 900 UK Police Disciplined for Data Protection Act Violations
Pentagon to Release Cyberspace Operations Strategy
UCLA Health System Fined US $865,000 for HIPAA Violations

---

***************** SPONSORED by ArcSight, an HP Company *****************

Love Thy Logs. Now you can get true, enterprise-class log management from ArcSight - absolutely FREE! ArcSight Logger is the first Universal Log Management solution that unifies searching, reporting, alerting and analysis across any type of enterprise log data. What's not to love? Download Logger for FREE today!

http://www.sans.org/info/81839

*************************************************************************

TRAINING UPDATE

- --SANSFIRE 2011, Washington, DC, July 15-24, 2011 42 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http:www.sans.org/sansfire-2011/

- --SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http:www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http:www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http:www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http:www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http:www.sans.org/chicago-2011/

- --Looking for training in your own community?
http:sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http:www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi, London and Baltimore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Hackers Target DHS and DoD Contractor Booz Allen Plus and a DoD Contractor (July 10, 2011)

Hackers claim to have stolen data from Booz Allen Hamilton and IRC Federal in separate attacks and leaked the purloined information to the web. The attack on Booz Allen Hamilton exposed 90,000 military email addresses and other internal data, including source code. The company is a consulting firm that does a considerable amount of government work. The data stolen from FBI contractor IRC Federal include a proposal for the FBI to develop a project to "reduce terrorist and criminal activity by protecting all records associated with trusted individuals and revealing the identities of those individuals who may pose serious risk to the US and its allies."
-http://news.cnet.com/8301-27080_3-20078498-245/hackers-claim-they-exposed-booz-a
llen-hamilton-data/
-http://www.readwriteweb.com/archives/90000_military_emails_leaked_after_anonymou
s_attac.php
-http://gizmodo.com/5820049/anonymous-leaks-90000-military-email-accounts-in-late
st-antisec-attack
-http://blogs.computerworld.com/18593/anonymous_hacks_fbi_contractor_antisec_leak
s_secret_irc_federal_security_data
-http://technolog.msnbc.msn.com/_news/2011/07/08/7043037-anonymous-claims-hack-on
-fbi-partner-site-shares-databases
[Editor's Note (Pescatore): It was almost 25 years ago that hackers broke into Mitre's modem banks and went after Lawrence Berkeley National Lab computer systems. The continuing stream of reports of break-ins at defense and government contractors today shows a lot of lax security approaches are still being funded by huge government contracts.
(Paller): Booz Allen is not at all alone - nearly every major FISMA contractor has lost critical and sensitive government information in cyber attacks. The large IT companies make hundreds of millions of dollars each year writing out of date and ineffective reports about federal cybersecurity. They conveniently and profitably claim the reports are required by FISMA. Between 70 and 80% of the people writing those reports do not have the technical skills to secure a system - most have no hands-on experience at all. When that type of "paper security" permeates an industry, it is no wonder that the large contractors are being penetrated. I keep waiting for one of the major FISMA contractors to say "I cannot keep lying to our government customers. We have to stop writing these useless reports and retrain our report writers to be able to secure the systems and find the attackers before they do more damage." That firm would become the Volvo (the first "safe car") of the IT community. ]

Private Companies Turn Down Offer of Free Security Audit from ICO (July 11, 2011)

According to UK's information Commissioner Christopher Graham, nearly one-third of data breaches reported over the past 12 months occurred in the private sector. But when private sector firms were contacted by the Information Commissioner's office (ICO) offering a free data protection audit, just 19 percent accepted. In the public sector, 71 percent of organizations accepted the offer.
-http://www.scmagazineuk.com/ico-reports-that-private-sector-was-responsible-for-
a-third-of-data-breaches-yet-most-businesses-refuse-an-audit/article/207158/
[Editor's Note (Hoelzer): My suspicion is that it has nothing to do with wanting to hide what executives suspect is wrong and a great deal to do with the IT security and audit communities failing to adequately connect the important role that auditing for effective controls, IT and otherwise, has in the overall risk management strategy for a business today.
(Ranum): The way this is written makes me wonder - it seems to be a bit "spun"; perhaps those firms chose not to be audited because they were busy. Or, perhaps the results of an audit would be discoverable and outside their control. If I knew some government agency would audit me, and I wasn't given adequate guarantees they would protect the results, I'd also say "no" if I had the option. And, as we see in this article, they're willing to quote statistics about their audit process to the press, I think it goes without saying that any security practitioner in their right mind would decline such an audit unless it were absolutely mandatory. ]

Case Will Test Applicability of Fifth Amendment to Cryptographic Keys (July 11, 2011)

A case involving a Colorado woman who refused to provide authorities with the key necessary to decrypt a laptop found in her home during a raid marks the first time a US appeals court will decide whether the demand violated the Fifth Amendment, which gives people the right to refrain from self-incrimination. Ramona Fricosu is accused of perpetrating a mortgage scam. Prosecutors maintain that they are not asking for her key, but a plaintext version of the data on the computer. An amicus brief filed by the Electronic Frontier Foundation (EFF) says that "ordering the defendant to enter an encryption password puts her in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating herself, lying under oath, or risking contempt of court."
-http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-t
hat-laptop/
[Editor's Note (Murray): It is naive to think that courts will allow the 5th Amendment to trump their historic right to the "best evidence." If one records it, the court is entitled to the record. One cannot deny the court access to the record by putting it in a vault or encrypting it. The courts will not equate police coercion with their own orders. They will not equate torture with the punishment of contempt, the failure to comply with a court's legitimate demand for access to a record. ]

News of the World Editors Arrested in Connection With Phone Hacking Scandal (July 8, 2011)

Arrests have been made in the News of the World (NotW) phone hacking scandal. Former editor Andy Coulson and former royal correspondent Clive Goodman have been arrested. Until January, Coulson had been Prime Minister David Cameron's senior media adviser. He was editor of the 168-year old tabloid at the time of the alleged phone hacking. Goodman has already served four months in prison for intercepting phone calls made to and from members of the royal family. Prime Minister Cameron is launching inquiries into the matter.
-http://www.csmonitor.com/World/Europe/2011/0708/Tabloid-phone-hacking-scandal-sp
reads-former-Cameron-aide-arrested
An important update to this story is the former UK's Prime Minister Gordon Brown has revealed that he has been victim of various intrusions to his privacy by newspapers and that the British Royal Family were also targeted.
-http://www.bbc.co.uk/news/uk-politics-14119225
[Editor's Note (Honan): There are a lot of lessons organisations should learn from these stories to identify common security weaknesses in their own systems. Many of the intrusions were the result of default passwords not being changed, users clicking on links in emails or the result of social engineering. ]

---

*************************** SPONSORED LINKS ******************************

1) New ForeScout CounterACT Virtual Appliance ForeScout CounterACT is now available as a virtual appliance. ForeScout CounterACT provides real-time visibility and control over everything on the network - users, devices, applications, smartphones, etc. With ForeScout CounterACT Virtual Appliance, organizations can readily deploy and scale-out CounterACT leveraging their VMware investment. http://www.sans.org/info/81844

2) Learn how to build your company's Human Firewall at SANSFIRE during Rohyt Belani's lunch session: http://www.sans.org/info/81849

3) SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 -30, http://www.sans.org/info/81859

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

How Digital Detectives Deciphered Stuxnet (July 11, 2011)

Wired Journalist Kim Zetter has written a highly readable and detailed account of how experts cracked "the most complex malware ever written."
-http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxn
et/
-http://www.wired.com/threatlevel/2011/07/stuxnet-timeline/
[Editor's Comment (Northcutt): This is the best Stuxnet story I have found; definitely worth the time to reinforce or expland what you already know. The article is well researched and the graphics are excellent. It may be slightly conservative, if they mentioned the Bushehr reactor rod removal conspiracy theory, I missed it:
-http://www.win32virusremoval.com/computer-security/iran-removal-of-fuel-rods-fro
m-bushehr-reactor-unrelated-to-stuxnet-virus-memri-blog/
-http://www.telegraph.co.uk/news/worldnews/europe/russia/8262853/Stuxnet-virus-at
tack-Russia-warns-of-Iranian-Chernobyl.html]

Search Result Poisoning Attack Hits Microsoft Security Center (July 11, 2011)

Microsoft Security Center last week suffered a search engine results poisoning attack that served unsavory pages for users. The attack was designed to work when specific terms were searched, so if a user searched for a term the attackers hadn't poisoned, the results would be normal, while if a user searched for one of the targeted terms, the results would lead users to pornographic sites. Some of the sites attempted to download Trojan horse programs onto users' computers. Microsoft has temporarily disabled the feature.
-http://www.scmagazineuk.com/search-results-from-microsoft-lead-to-pornographic-w
ebsites/article/207154/
-http://www.theregister.co.uk/2011/07/11/ms_security_search_malware_links_poision
ing/

Proposed Data Protection Rule Irks Government Contractors (July 10, 2011)

Some US government contractors are unhappy with a proposed rule from the Pentagon requiring that all unclassified data that are shared with the Department of Defense (DoD) be protected in certain ways. The central complaint is the significant expense they face in installing systems to safeguard the data and be in compliance. More than 64,000 small businesses were awarded DoD contracts last year; under the proposed rule, more than three-quarters of them would have to step up their security. The proposed rule, which appeared in the Federal Register on June 29, sets two levels of control. The basic level would prohibit contractors from accessing shared DoD data on public computers or posting the data on public websites. The critical level would require the contractors to implement controls similar to those used at DoD. The contractors would also be required to notify DoD of cyber attacks with 72 hours of learning of the incident. Civil liberties groups have expressed concerns about the rule as well because they view it as "an effort to restrict access to public information."
-http://www.federaltimes.com/article/20110710/ACQUISITION03/107100303/
[Editor's Note (Ranum): The central complaint is the significant expense they face in installing systems to safeguard the data and be in compliance. Complaining "Oh gosh, we'd have to actually DO SOMETHING to protect data" seems like very poor strategy indeed.
(Paller): Marcus is correct. And of extraordinary significance: DoD's new rule (posted at
-http://www.gpo.gov/fdsys/pkg/FR-2011-06-29/html/2011-16399.htm)
excludes the many, many low-priority controls in NIST SP 800-53, allowing contractors to focus on the most critical controls. Kudos to the DoD leaders who made this change possible.
(Pescatore): Sorry, if you don't want to protect data then don't bid on the contracts. ]

DHS Official Acknowledges That Some Imported Devices Pre-Loaded Malware (July 8, 9 & 11, 2011)

A top US Department of Homeland Security (DHS) official has acknowledged that some computer equipment and software that are being imported to the US are pre-loaded with spyware and other components that compromise security. In response to questioning while providing testimony at a House Oversight and Government Reform Committee hearing, DHS acting deputy undersecretary for National Protection and Programs Greg Schaffer said he was "aware that there are instances where that has happened." He did not offer specific information.
-http://www.informationweek.com/news/government/security/231001333
-http://technolog.msnbc.msn.com/_news/2011/07/08/7043349-us-official-says-pre-inf
ected-computer-tech-entering-country
-http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-a
ttack-tools
-http://www.pcworld.com/article/235355/malware_comes_with_many_gadgets_homeland_s
ecurity_admits.html
-http://www.nextgov.com/nextgov/ng_20110707_5612.php?oref=topstory
[Editor's Note (Ullrich): This has been discussed several times over the last few years. For example:
-http://isc.sans.edu/diary.html?storyid=4247
-http://isc.sans.edu/diary/Vodafone+Android+Phone+Complete+with+Mariposa+Malware/
8389
-http://isc.sans.org/diary.html?storyid=3892
[Editor's Note (Pescatore): Let's not forget there have been many, many, many more instances of US-built computer equipment and software coming with pre-loaded spyware and malware. It is easy to demonize foreign suppliers, but the real issue is the lack of testing of software and systems for vulnerabilities as part of the acceptance criteria.
(Northcutt): These supply chain attacks are nothing new, I saw my first software example in 1995, but when they give you special purpose hardware, that is when you really feel the loving:
-http://forum.darwincentral.org/viewtopic.php?f=24&t=37412]

Artist's Computer Seized in Surreptitious Webcam Case (July 8, 2011)

The US Secret Service has seized a New York City artist's computer after the man allegedly installed software on computers in Apple stores around the city, took pictures of people looking at computers without their knowledge, and posted them to a blog. Kyle McDonald maintains he asked security guards at the stores for permission to take pictures, but it is not clear if he specified that he would be installing software on the display machines. The warrant used in the raid on McDonald's home allege that he violated US Code Title 18, section 1030, which includes "fraud and related activity in connection with computers."
-http://www.bbc.co.uk/news/technology-14080438
-http://www.pcmag.com/article2/0,2817,2388270,00.asp

More Than 900 UK Police Disciplined for Data Protection Act Violations (July 8, 2011)

Between 2007 and 2010, more than 900 police officers and staff in the UK were disciplined for violating the Data Protection Act (DPA). The violations included running unauthorized background checks and providing information to criminals. Of those disciplined, 243 received criminal convictions, and 98 were fired. Allegations have surfaced that former NotW editor Andy Coulson had paid police for information.
-http://www.scmagazineuk.com/police-officers-and-staff-breach-data-protection-act
/article/207002/
-http://www.information-age.com/channels/security-and-continuity/news/1636103/ove
r-900-police-workers-abused-data-access-privileges.thtml
-http://www.computerweekly.com/Articles/2011/07/08/247222/Police-officers-routine
ly-breach-Data-Protection-Act-says-civil-liberties.htm

Pentagon to Release Cyberspace Operations Strategy (July 8, 2011)

An unclassified draft of the Pentagon's forthcoming cyberspace defense strategy indicates that DOD will incorporate "active defenses" into military networks to help detect malicious code and prevent it from affecting their systems. The plan does not call for militarizing cyber space, but instead aims to "dissuade military actors from using cyberspace for hostile purposes." Because DOD cannot monitor civilian networks, the department will give certain industry partners classified threat intelligence to help them protect their own networks. The practice has been tested in a pilot program and has already proven successful at stopping intrusions. The strategy is scheduled to be released on July 14.
-http://www.nextgov.com/nextgov/ng_20110708_6484.php?oref=topstory

UCLA Health System Fined US $865,000 for HIPAA Violations (July 7, 2011)

The US Department of Health and Human Services (HHS) has fined the University of California at Los Angeles Health System (UCLAGS) US $865,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA). Between 2005 and 2008, UCLAHS employees accessed patients' private health records without authorization. UCLAHS will also implement a plan to help prevent further violations.
-http://www.healthcareitnews.com/news/uclahs-pay-hipaa-fines-employee-snooping
-http://www.computerworld.com/s/article/9218257/UCLA_Medical_Center_agrees_to_set
tle_HIPAA_violation_charges_for_865K?taxonomyId=203

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/login