SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #62

August 05, 2011

A recent grad from the SANS Technology Institute uncovered an unexpected
public health threat through cyber vulnerabilities - led to one of the
big news stories from Black Hat:
http://blogs.computerworld.com/18744/black_hat_lethal_hack_and_wireless_attack_o
n_insulin_pumps_to_kill_people
Other recent grads now hold top jobs in SCADA security and financial
security. Seems like a growing community of excellence. If you are
considering a master of science degree in security (and you have the
technical skills to lead technologists) check out the program at
http://www.sans.edu/
Alan

---

TOP OF THE NEWS

Operation Shady RAT Infiltrated Networks at 72 Organizations Around the World
ACLU Seeking Information on Police Use of Mobile Device Data for Tracking
UK Government Will Not Order ISPs to Block Sites Hosting Pirated Content

THE REST OF THE WEEK'S NEWS

Microsoft's August Patch Tuesday to Address 22 Vulnerabilities
Bitcoin-Mining Botnet Controlled Through Twitter
USB Device Found in Pub Contained Unencrypted Housing Company Data
Microsoft Offering US $200,000 Prize for a New Approach to Blocking Attacks
Android Trojan Records Conversations
Flaw in WordPress Utility Being Actively Exploited
Google Searches Return SCADA Systems

---

************************** Sponsored By SANS ***************************

Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. Complete this survey and be entered in a drawing to win a $100 American Express gift card. http://www.sans.org/info/83479

***********************************************************************

TRAINING UPDATE

- --SANS Boston 2011, Boston, MA, August 6-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 10 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

---

TOP OF THE NEWS

Operation Shady RAT Infiltrated Networks at 72 Organizations Around the World (August 3, 2011)

A report from McAfee details a wide-reaching cyber attack that has affected 72 networks in countries around the world over the past five years. The attacks, which have been dubbed Operation Shady RAT, initially gained footholds in the networks through a phishing attack. McAfee researchers gained access to a command and control server on which the perpetrators kept records of their exploits. While targets included government agencies, defense contractors and a news organization, Olympic organizations were targeted as well, lending credence to the idea that the attacks are the work of a nation state. The majority of affected organizations were in the US.
-http://www.csmonitor.com/USA/2011/0803/Massive-global-cyberattack-hits-US-hard-W
ho-could-have-done-it
-http://www.latimes.com/la-fi-cyber-attacks-20110804,0,7350113.story
-http://blogs.csoonline.com/1626/mcafee_smells_a_shady_rat_a_lot_of_em_actually
-http://www.h-online.com/security/news/item/Operation-Shady-RAT-reveals-worldwide
-espionage-attacks-1317710.html
-http://www.bbc.co.uk/news/technology-14387559
-http://www.v3.co.uk/v3-uk/news/2099030/mcafee-uncovers-operation-shady-rat-globa
l-cyber-espionage-attack
[Editor's Comment (Northcutt): Maybe McAfee sensationalized this a bit, but they did some great research and this is truly a smoking gun. My prediction is the primary impact of this disclosure: the next generation of command and control servers will not keep history, so when you finally find them, you can cut off the head of the snake, but there will be no evidence of what the snake has eaten.]

ACLU Seeking Information on Police Use of Mobile Device Data for Tracking (August 3 & 4, 2011)

American Civil Liberties Union (ACLU) groups around the country are seeking details of how law enforcement agencies are using mobile device location information to track US residents. The nearly 400 requests for information reflect a growing interest in the ethical and legal aspects of law enforcement agencies and private companies tracking mobile device users. The ACLU requests want to know if the law enforcement agencies are obtaining warrants prior to tracking users and how often the practice is used.
-http://www.computerworld.com/s/article/9218852/ACLU_wants_details_on_mobile_trac
king_by_police?taxonomyId=17
-http://latimesblogs.latimes.com/technology/2011/08/aclu-digs-into-mobile-locatio
n-privacy-with-huge-police-records-request.html
-http://www.aclu.org/protecting-civil-liberties-digital-age/cell-phone-location-t
racking-public-records-request
[Editor's Note (Schultz): The entire mobile computing arena raises a huge number of security, legal and ethical issues that are unlikely to be resolved any time soon.
(Murray): It is naive to think that law enforcement will not use all technology to improve the investigation of crime in every way that the law permits. Here the law is silent. Even where it speaks, law enforcement will push the limits. ]

UK Government Will Not Order ISPs to Block Sites Hosting Pirated Content (August 3, 2011)

The UK government has scrapped plans under the Digital Economy Act that would allow authorities to request that the court block websites hosting pirated digital content. Internet service providers were unhappy with the provision, and the UK Office of Communications (Ofcom) reviewed the policy and found that the provisions "would not be effective." The Motion Picture Association recently won an injunction requiring BT to block a certain site that hosted links to pirated content; the case did not invoke the Digital Economy Act.
-http://www.bbc.co.uk/news/technology-14372698
-http://www.pcmag.com/article2/0,2817,2390366,00.asps
-http://www.guardian.co.uk/technology/2011/aug/03/government-scraps-filesharing-s
ites-block

---

*************************** SPONSORED LINKS ******************************

1) IN CASE YOU MISSED IT...Analyst Webcast: Protecting Access and Data: A Review of DigitalPersona Pro Version 5.1 Featuring: Jim Hietala & Tom Grissinger http://www.sans.org/info/83484

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft's August Patch Tuesday to Address 22 Vulnerabilities (August 4, 2011)

Microsoft will release fixes for 22 vulnerabilities on Tuesday, August 9. The patches will address security issues in Internet Explorer, Windows, Visio and Visual Studio. The patches are described in 13 security bulletins, two of which have been given maximum severity ratings of critical. The first critical bulletin will address vulnerabilities in all supported versions of IE; it is likely to be the one that most experts will recommend be applied first. The second critical update addresses flaws in Windows Server 2008 and 2008 R2. Server 2003 is vulnerable as well, but the bulletin is rated important for that version.
-http://www.computerworld.com/s/article/9218877/Microsoft_slates_22_patches_for_W
indows_IE_next_week?taxonomyId=17
-http://www.microsoft.com/technet/security/Bulletin/MS11-aug.mspx
[Editor's Note (Murray): If the MS strategy was working, one would hope that the number would be going down by now. ]

Bitcoin-Mining Botnet Controlled Through Twitter (August 3 & 4, 2011)

A recently detected botnet uses the processing power of infected PCs to mine for Bitcoins. The botnet receives commands via Twitter. Bitcoin virtual currency is obtained by having computers solve complex mathematical problems.
-http://www.h-online.com/security/news/item/Twitter-controlled-botnet-mines-Bitco
ins-1318497.html
-http://www.theregister.co.uk/2011/08/03/twitter_controlled_bitcoin_botnet/

USB Device Found in Pub Contained Unencrypted Housing Company Data (August 4, 2011)

The UK Information Commissioner's Office (ICO) has found two organizations in violation of the Data Protection Act after a USB containing unencrypted data was left at a pub. The data storage device contained information about residents of two housing companies and included 800 records with bank account information. The USB was lost by a contractor working for one of the companies, but data from both were on the device. More than 26,000 people were affected. The USB was turned in to police. Both housing companies have agreed to encrypt portable data devices and monitor contractors' and staff members' data handling. There were no fines. The ICO imposes financial penalties only when there has been demonstrable damage to those whose data are compromised.
-http://www.itpro.co.uk/635422/hundreds-of-bank-account-details-left-at-london-pu
b
-http://www.v3.co.uk/v3-uk/news/2099539/ico-fumes-unencrypted-usb-containing-deta
ils-27-people-left-pub

Microsoft Offering US $200,000 Prize for a New Approach to Blocking Attacks (August 3 & 4, 2011)

Microsoft is offering a US $200,000 prize that will be awarded to a researcher who discovers a way to block entire classes of cyber attacks on Window memory flaws. Second prize is US $50,000. Dubbed the Blue Hat Prize, the competition was announced at the Black Hat security conference in Las Vegas and will be awarded at that conference in 2012. Microsoft was clear that this challenge is aimed at "rewarding work on innovative solutions to mitigate entire types of attacks," and that the company will not be instituting a vulnerability bounty system.
-http://www.v3.co.uk/v3-uk/news/2099253/microsoft-offers-usd200-blue-hat-prize-se
curity-vulnerability-researchers
-http://www.theregister.co.uk/2011/08/04/microsoft_blue_hat_prizes/
-http://www.net-security.org/secworld.php?id=11386
[Editor's Note (Schultz, Honan): Good for Microsoft! Challenging the "white hat" community in this manner can only result in good.]

Android Trojan Records Conversations (August 2 & 3, 2011)

A recently detected Trojan horse variant that affects Android devices is capable of recording conversations users hold on their phones. Earlier versions of Android Trojans could harvest the numbers of calls made and received and the length of those calls, but the new variant grabs conversations contents and stores them on the SD-slot memory card from where the attackers can upload to servers. The malware requires permission to be installed on Android devices. The dialog box seeking permission spells out what the Trojan will have permission to do, including intercepting calls, recording audio and preventing the phone from sleeping.
-http://www.h-online.com/security/news/item/Android-trojan-records-phone-calls-13
17967.html
-http://www.theregister.co.uk/2011/08/02/android_malware_records_calls/
-http://arstechnica.com/gadgets/news/2011/08/new-android-trojan-records-all-phone
-calls.ars
-http://community.ca.com/blogs/securityadvisor/archive/2011/08/01/a-trojan-spying
-on-your-conversations.aspx

Flaw in WordPress Utility Being Actively Exploited (August 2, 2011)

A zero-day vulnerability in the Wordpress blogging platform is being actively exploited. The issue lies in an image-resizing utility called TimThumb, which is used in many Wordpress themes. The utility writes files into a directory when it gets images, and that directory is accessible to site visitors, who could potentially upload malicious files. The flaw has been exploited to upload advertising content to people's blogs without their permission.
-http://www.computerworld.com/s/article/9218798/Zero_day_bug_found_in_Wordpress_i
mage_utility
-http://www.scmagazineus.com/zero-day-flaw-affects-popular-wordpress-image-utilit
y/article/208933/
[Editor's Note (Murray): We should add Wordpress to the list with Windows and Adobe, historically broken, probably beyond repair. ]

Google Searches Return SCADA Systems (August 2, 2011)

In a workshop at the Black Hat security conference in Las Vegas, Nevada, researchers demonstrated how some SCADA systems can be detected through Google searches. By entering search terms associated with certain components of SCADA systems, results can provide identifying information for systems in specific locations and in some cases, associated passwords. To actually click on the links could be a violation of law. Apparently, the use of encryption and authentication in SCADA products is the exception rather than the rule. Because of this, people who find the IP addresses of the devices can access them and send them commands.
-http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipme
nt-discoverable-via-google/#ixzz1U4vGXz8G

---

************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/