
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #80

October 07, 2011


Today, SANS released the materials for a cool new training program
called SANS Cyber Corps, which officially launches next week. Focused
on helping high school students and their teachers prepare for this
Fall's USCC Cyber Foundations competition, this innovative program
covers the fundamentals of computer networking, critical knowledge
needed for a variety of today's top jobs in cyber space. Even if you
aren't a high school student, you may want to check out this program to
gain a better understanding of the underlying network technologies that
run the Internet. Created by Tom Hessman, Mark Baggett, and Ed Skoudis,
SANS Cyber Corps also includes three live webcast sessions over the next
two weeks to help students master the material.
For more information about SANS Cyber Corps, please check out
http://www.sans.org/cybercorps.
For information about the Fall USCC Cyber Foundations Competition for
high schoolers, go to http://www.uscyberchallenge.org.

Among the awards (and briefings) just added to the National
Cybersecurity Innovation program next Tuesday and Wednesday in
Washington are practical and free solutions to two problems: scanning
cloud computing environments for vulnerabilities without scanning other
tenants' spaces, and allowing users safe access to very sensitive
corporate data from mobile devices. Those innovations are in addition
to nine other breathtakingly valuable security innovations that
government and commercial companies are sharing at the conference. If
you have not yet registered, the web site is
http://www.sans.org/ncic-2011

TOP OF THE NEWS

White House Orders New Rules To Stop WikiLeaks-Like Events
Belgian Court Orders ISPs to Block The Pirate Bay URLs
DHS and Commerce Dept. Considering Voluntary Code of Conduct for ISPs to Fight Botnets
Former NSA and CIA Director Says NSA Should Monitor Public Networks

THE REST OF THE WEEK'S NEWS

Stanford Hospital Pins Breach Responsibility on Third-Party Billing Contractor
Microsoft to Patch 23 Flaws Next Week
Apache Issues Patch for Web Server Security Flaw
Bank of America Says Site Accessibility Problems Due to Upgrades and Traffic
FBI Investigating Cyber Attack Threat
GPS Inventor Signs Amicus Brief Urging Supreme Court to Disallow Warrantless Tracking
DARPA Launched Hacker Spaces Program in August


*********************** Sponsored By SANS ***************************

Announcing THREE New SANS Analyst Papers in the SANS Reading Room. All free.
http://www.sans.org/info/88384

- - Adding Enterprise Access Management to Identity Management by SANS Analyst, J. Michael Butler
- - Integrating Security into Development, No Pain Required by SANS Analyst and course author, Dave Shackleford
- - Oracle Database Firewall Review--Part I of a series of reviews on Oracle security products by SANS Oracle expert, Tanya Baccam

**************************************************************************

TRAINING UPDATE

-- NCIC: The National Cybersecurity Innovation Conference, DC, Oct. 11-12, 2011 Learn from the pioneers who found the most important innovations this year in cloud security, mitigating the advanced persistent threat, cool open source tools, and developing cyber warriors.
http://www.sans.org/ncic-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

TOP OF THE NEWS

White House Orders New Rules To Stop WikiLeaks-Like Events

The White House is issuing an executive order today to replace a flawed patchwork of computer security safeguards exposed by the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year. The directive enshrines many stopgap fixes that the Pentagon, the State Department and the Central Intelligence Agency made immediately after the initial WikiLeaks disclosures last November. Since then, for instance, the military has disabled 87 percent of its computers to prevent people from downloading classified data onto memory sticks, CDs or DVDs.
-http://www.nytimes.com/2011/10/07/us/politics/white-house-orders-new-computer-security-rules.html

Belgian Court Orders ISPs to Block The Pirate Bay URLs (October 5 & 6, 2011)

The Belgian Court of Appeals of Antwerp last week ruled that Internet service providers (ISPs) Belgacom and Telenet must establish DNS blocking for nearly a dozen URLs associated with The Pirate Bay. The order was the result of a lawsuit brought by the Belgian Anti-Piracy Foundation (BAF). BAF is now urging all ISPs, not just those affected by the court ruling, to block the site. The court did not, however, order the ISPs to monitor whether their users circumvented the blocks. The Pirate Bay has established a new domain name to help users do just that.
-http://www.pcworld.com/article/241270/pirate_bay_website_circumvents_belgian_blocking.html

-http://www.theregister.co.uk/2011/10/05/belgian_piratebay_ban/

DHS and Commerce Dept. Considering Voluntary Code of Conduct for ISPs to Fight Botnets (October 5, 2011)

According to a notice in the Federal Register, the Department of Homeland Security (DHS) and the Department of Commerce are looking into establishing a voluntary code of conduct for Internet service providers (ISPs) to help eradicate botnets. The majority of distributed denial-of-service (DDoS) attacks and spam come through botnets. Most companies have strict policies about allowing computers to connect to their networks - preventing infected machines from connecting because they will infect other machines. Commercial ISPs are reluctant to impose the same sort of restrictions because it interferes with their revenue flow.
-http://www.federalnewsradio.com/?nid=86&sid=2578791
[Editor's Note (Pescatore): This would be a step in the right direction. The Network Neutrality twitterpation is holding back a lot of needed progress in filtering out obviously bad stuff on the wire, rather than expecting the user to filter it out. Imagine if water companies couldn't filter out sewage from the drinking water...
(Murray): The "code" that should govern the behavior of the ISPs should be their agreement with their customers. While agencies of the state may suggest models for such agreements, only the legislature should be able to preempt those agreements. I prefer agreements that strike a balance between completeness and transparency. Of course, if the number of independent ISPs continues to shrink, we can expect to have to resort to regulation.
(Paller): Here's a simple test. If the voluntary action reduces the number of bots by 15% the first year and 50% the second year, then it should be continued. If not, we need to treat bots like other dangerous public hazards and regulate the blocking of access to the Internet for computers that are spreading infection. Only the FCC is in position to enable the automated monitoring needed to know the number of bots. If they act, this problem can at least be watched; fixing it cannot be done if we cannot measure it. ]

Former NSA and CIA Director Says NSA Should Monitor Public Networks (October 4, 2011)

Former NSA and CIA director Michael Hayden told the House Intelligence Committee that the NSA should be permitted to monitor public networks to help protect them from attacks. Hayden acknowledged that legislators may have "a natural political cultural allergy to" allowing the agency to monitor public networks, but that there exist methods that would allow the NSA to monitor the networks without violating citizens' civil liberties. Hayden also said that some people are unaware of the serious nature and depth of the cyber threats the country's networks are facing from foreign nation states.
-http://www.wired.com/threatlevel/2011/10/hayden-wants-nsa-on-networks/
[Editor's Comment (Pescatore): We've learned in the past that allowing intelligence agencies and defense agencies to get involved in domestic issues invariably leads to more problems than gains. This is an idea that not only would *not* lead to an increase in security on the Internet but would lead to diluting the business value of the Internet in the US - having the business environment in the US be looked at globally as being *more* similar to the business environment in China is *not* a good thing.
(Honan): The US Patriot Act already raises many concerns with companies outside the US about the confidentiality of their data; should this recommendation be implemented, I can see it driving many non-US companies away from using US companies for Internet based services.
(Northcutt): What a week. NC Gov. Bev Perdue suggests suspending elections; NY State Senators argue that free speech is a privilege, not a right; and NSA wants to monitor public networks while not violating citizens' civil liberties. At what point should we be concerned that democracy is under stress?
-http://news.yahoo.com/blogs/ticket/north-carolina-gov-bev-perdue-talks-suspending-elections-160323133.html

-http://www.dailytech.com/New+York+Democrats+Argue+Free+Speech+is+a+Privilege+That+Can+be+Revoked/article22929.htm
]

THE REST OF THE WEEK'S NEWS

Stanford Hospital Pins Breach Responsibility on Third-Party Billing Contractor (October 6, 2011)

Stanford Hospital & Clinics says that a data security breach that compromised the personal information of 20,000 patients is the fault of a third-party contractor. One of the patients filed a US $20 million lawsuit against Stanford following the breach disclosure last month. The data were exposed because a spreadsheet handled by a billing contractor somehow was posted to a student homework help website. The compromised information includes names, diagnosis codes and admission and discharge dates.
-http://www.computerworld.com/s/article/9220626/Stanford_Hospital_blames_contractor_for_data_breach?taxonomyId=17

[Editor's Note (Pescatore): OK to pin the responsibility on the third party contractor but the liability stays with the Hospital. Using a contractor or a cloud service provider doesn't change the equation of liability and impact to your reputation.
(Murray): Increasingly we outsource and use contractors for things that traditionally have been done within the enterprise and by employees. As we do so, such choices should increase our responsibility. We should not be permitted to use such third parties as scapegoats.
(Ranum): One of the problems with our legal philosophy is that it assigns blame at a single place. Once this has all been sorted out, only one party will be "responsible" - but Stanford chose to push data they were supposed to be holding in confidence into the hands of another organization. To me, there's blame to spare, all around. Distributed data is distributed vulnerability. ]

Microsoft to Patch 23 Flaws Next Week (October 6, 2011)

Microsoft will issue eight security bulletins to address a total of 23 vulnerabilities on Tuesday, October 11. Two of the bulletins will be rated critical; the other six will be rated important. The two critical bulletins will address vulnerabilities in Windows, Internet Explorer, Silverlight and Microsoft .NET framework.
-http://www.scmagazineus.com/microsofts-october-update-to-fix-23-flaws/article/213781/

-http://www.computerworld.com/s/article/9220614/Microsoft_slates_IE_bug_fix_for_next_week?taxonomyId=17

-http://www.msnbc.msn.com/id/44806234/ns/technology_and_science-security/#.To41TXJdAwY

-http://technet.microsoft.com/en-us/security/bulletin/ms11-oct

Apache Issues Patch for Web Server Security Flaw (October 6, 2011)

The Apache Software Foundation has issued a security advisory warning of a reverse proxy vulnerability that could allow attackers to access internal servers. Organizations running the Apache web server are urged to apply the most recent patches to protect their systems from attacks. The flaw affects Apache 1.3 and all series 2 versions through 2.2.20.
-http://www.v3.co.uk/v3-uk/news/2115114/apache-patches-reverse-proxy-flaw-access-internal-systems

-http://www.darkreading.com/advanced-threats/167901091/security/application-security/231900214/apache-issues-patch-to-stop-reverse-proxy-bypass-attack.html

-http://www.h-online.com/security/news/item/Apache-hole-allows-attackers-to-access-internal-servers-1355890.html

-http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/

Bank of America Says Site Accessibility Problems Due to Upgrades and Traffic (October 5 & 6, 2011)

Bank of America (BofA) maintains the "unprecedented" site outages and slow-downs it experienced this week are due to system upgrades and above average traffic levels rather than to distributed denial-of-service (DDoS) or other cyber attacks. The disruptions to service on the BofA site began on Friday, September 30, shortly after the bank announced it was imposing a US $5 a month fee for debit card use. A BofA spokesperson said the site is operating normally as of Thursday, October 6.
-http://www.computerworld.com/s/article/9220562/Update_BofA_site_outages_called_unprecedented_?taxonomyId=17

-http://redtape.msnbc.msn.com/_news/2011/10/04/8148887-update-bofa-blames-site-slowness-on-upgrade-says-no-risk-for-customers

FBI Investigating Cyber Attack Threat (October 5, 2011)

The FBI is investigating a threat of an attack against the New York Stock Exchange (NYSE). A video message that claims to be the work of the Anonymous hacking collective was posted to YouTube last week; the message suggests that the NYSE will be the target of a cyber attack on October 10. The video bears similarities to other messages released by Anonymous, but the group appears to be distancing itself from the threat. A post from a source known to have reliable information about Anonymous says that the group "won't hack Wall Street," and that the FBI should be looking elsewhere.
-http://www.informationweek.com/news/security/vulnerabilities/231900039

GPS Inventor Signs Amicus Brief Urging Supreme Court to Disallow Warrantless Tracking (October 4, 2011)

Roger L. Easton, "the principal inventor and developer of" what we now know as the Global Positioning System (GPS), wants the US Supreme Court to reject warrantless tracking with the technology. Easton is one of the signatories, along with the Center for Democracy and Technology and the Electronic Frontier Foundation and others, on an amicus brief submitted to the court in the case that is scheduled to be argued on November 8. The brief says that the precedent on which current wireless tracking is based is outdated.
-http://www.wired.com/threatlevel/2011/10/gps-inventor-surveillance/

DARPA Launched Hacker Spaces Program in August (August 2011)

The Defense Advanced Research Projects Agency (DARPA) in August announced a new program to support cyber security research. Cyber Fast Track is aimed at "hacker spaces, labs, and boutique security companies to make it easier to compete with large government contractors," according to Mudge (aka Peiter Zatko), who is the program manager for DARPA's Information Innovation Office. The project will fund between 20 and 100 projects a year. Those receiving funding will retain the rights to their intellectual property.
-http://www.darkreading.com/security/news/231300269/mudge-announces-new-darpa-hacker-spaces-program.html

-http://defensesystems.com/articles/2011/08/04/black-hat-darpa-mudge-fast-track-hackers.aspx

-http://www.cft.usma.edu/
[Editor's Note (Murray): Has Zatko decided whether he wants to be "part of the problem or part of the solution?"
(Paller): Kudos to DARPA. Had we learned about this project earlier it most likely would have been one of the nominees for the 2011 US National Cybersecurity Innovation Awards. This sounds like a perfect way to tap into the energy and skills of a group that is a powerful part of the cyber defense and attack resources in China and Russia, but has never had a way to help effectively in the U.S. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/