SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #87

November 01, 2011

TOP OF THE NEWS

RIM Will Give Indian Government Access to Certain Customer Messages
Researchers Say ICS-CERT Needs to Improve Cyber Threat Information Sharing
Canadian Intelligence Agency Warned Government About Targeted Cyber Attacks

THE REST OF THE WEEK'S NEWS

US Central Command, Military CIOs and DoD Joint Consensus Working Group Win Security "Baked In" Award
Symantec Says Nitro Attacks Targeted Defense and Chemical Companies
Malware Targets Bitcoin on Macs
UK Hit With "Disturbing" Number of Cyber Attacks
Probation for Spamming and Credit Card Theft
Indian Authorities Seize Equipment Believed to Be Tied to Duqu
Blue Coat Says Its Devices Were Used to Censor Web Content in Syria
Old Linux Trojan Ported to OS X

---

************************ Sponsored By Zscaler ***********

ONLINE WEBCAST with FORRESTER: DEFENDING THE ENTERPRISE AFTER THE MOBILE DEVICE INVASION
How Cloud-Delivered Security Unchains Your Workers and Stops Advanced Threats.
Join Rick Holland of Forrester to learn how new cloud-delivered security can protect users and data in the age of mobility and decentralization. November 3 at 10am PST / 1pm EST http://www.sans.org/info/90179

*************************************************************************

TRAINING UPDATE

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: https://www.sans.org/index.php ***************************************************************************

---

TOP OF THE NEWS

RIM Will Give Indian Government Access to Certain Customer Messages (October 28, 2011)

BlackBerry parent company Research in Motion (RIM) has opened a monitoring center in Mumbai, India to allow the Indian government access to BlackBerry user data. RIM will provide government officials with the messages and emails of individuals suspected of wrong doing when the demands for the information are legally justified. Authorities in India are particularly interested in encrypted messages because they fear that the technology could be used to plan terrorist attacks. RIM is unable to provide the government with corporate messages because the companies, not RIM, have the keys to decrypt those messages.
-http://www.theregister.co.uk/2011/10/28/blackberry_help_indian_government_sip_da
ta/
-http://www.pcmag.com/article2/0,2817,2395570,00.asp
[Editor's Note (Murray): "Legally justified" is for a court to decide, not RIM, and not the government. ]

Researchers Say ICS-CERT Needs to Improve Cyber Threat Information Sharing (October 28, 2011)

At the US Department of Homeland Security's (DHS) Industrial Control Systems Joint Working Group (ICSJWG) conference in late October, security professionals told the government that it needs to do a better job of communicating information about cyber threats with people who manage the security of the systems that run the country's critical infrastructure. The DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is responsible for sharing information about cyber threats that affect elements of critical infrastructure. The group has been criticized for not providing clear information in a timely manner.
-http://www.wired.com/threatlevel/2011/10/infrastructure-at-risk/

Canadian Intelligence Agency Warned Government About Targeted Cyber Attacks (October 31, 2011)

A year ago, the Canadian Security Intelligence Service (CSIS) issued a top secret intelligence report that included warnings of ongoing cyber attacks against the Canadian government. The report was issued in November, 2010; two months later, cyber attacks crippled Canadian government networks. It is not clear who received copies of the report when it was initially published.
-http://www.theglobeandmail.com/news/national/ottawa-warned-about-hackers-weeks-b
efore-crippling-cyber-attack-csis-report/article2219129/?from=sec434
-http://spectrum.ieee.org/riskfactor/telecom/security/canadian-security-services-
warnings-about-last-years-cyberattacks-apparently-ignored
[Editor's note (Paller): This type of journalistic Monday morning quarterbacking is worse than useless because it places blame on the wrong players. The CSIS report did a great job of identifying the problem, but it did not identify the 3 or 4 key mitigations that needed to be implemented immediately. So the recipients of the report got fair warning from people who understood the threat but without the threat-informed guidance that the users need. The Australian DSD faced exactly the same type of attacks and delivered to their agencies the four key mitigations that had to be implemented immediately. They are listed at
-http://www.cso.com.au/article/405364/dsd_wins_us_cybersecurity_innovation_award/
#closeme
(Pescatore): This is one of the reasons why Intelligence and Defense should always be kept separate. Intelligence is very good at warning about many, many things but is never very good at stopping particular individual threats. ]

---

*********************** SPONSORED LINKS: *********************************

1) Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/90184

2) Sign Up for SANS WhatWorks Webcast: Worldwide Retailer Boosts Privacy with Security Intelligence. Sponsored by Q1 Labs. Do not miss this webcast featuring Alan Paller. Go to http://www.sans.org/info/90189

3) Do not Miss: SANS Analyst Webcast: Critical Control System Vulnerabilities Demonstrated - And What to Do About Them. Featuring Matt Luallen and Eric Knapp. Go to http://www.sans.org/info/90194

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Central Command, Military CIOs and DoD Joint Consensus Working Group Win Security "Baked In" Award (October 31, 2011)

The US Central Command, the CIOs of the Defense Department, the US Air Force, the US Army, and the Department of Defense Joint Consensus Working Group have won the 2011 US National Cybersecurity Innovation Award. The aforementioned received the honor "for baking security into the configurations of computers deployed to the war zones and ultimately to all DoD computers." The effort centralizes security management, standardizes security settings and decreases the lag time between patches being issued and their deployment from 57 days to 72 hours. It also allows for faster threat response and has saved millions of dollars in system administrator and help-desk costs that are not needed..
-http://www.prnewswire.com/news-releases/us-central-command-j-6-us-air-force-us-a
rmy-and-department-of-defense-chief-information-officers-and-their-teams-and-the
-department-of-defense-joint-consensus-working-group-win-national-cybersecurity-
innovation-award-132943903.html

Symantec Says Nitro Attacks Targeted Defense and Chemical Companies (October 31, 2011)

Symantec researchers say that a wide-reaching industrial espionage they are calling "Nitro" has targeted both defense and chemical companies. The attacks appear to be designed to steal confidential information. Nearly 50 companies have been targeted in the campaign since July 2011. Those behind the attack are interested in "proprietary designs, formulas, and manufacturing processes." The attacks proceeded unhindered from the mid-July until mid-September. Most of the infected computers were in the US, the UK and Bangladesh. Computers in 17 other countries were infected as well. The attacks spread through email messages sent to IT departments at targeted organizations, pretending to be requests for meetings or warnings about unpatched Adobe programs. The Trojan used in the attacks is known as PoisonIvy and is readily available on the Internet.
-http://www.theregister.co.uk/2011/10/31/chemical_firms_hacked/
-http://www.computerworld.com/s/article/9221335/_Nitro_hackers_use_stock_malware_
to_steal_chemical_defense_secrets
-http://www.bbc.co.uk/news/technology-15529930
-http://www.v3.co.uk/v3-uk/news/2121298/symantec-uncovers-nitro-attacks-targeting
-chemical-industry

Malware Targets Bitcoin on Macs (October 31, 2011)

Malware known as DevilRobber has been detected on Mac OS X computers. It makes its way onto computers by being bundled with Mac applications available on file sharing networks. DevilRobber has several components. It attempts to steal usernames and passwords; it tries to steal users' Bitcoin wallets; and it hijacks computers' processing power to conduct Bitcoin mining. The virtual currency is earned by using processing power to help solve complex cryptographic problems.
-http://www.scmagazineus.com/devilrobber-trojan-targets-mac-os-x-for-bitcoins/art
icle/215714/
-http://www.computerworld.com/s/article/9221332/Mac_OS_X_Trojan_steals_processing
_power_to_produce_Bitcoins?taxonomyId=17
-http://www.theregister.co.uk/2011/10/31/mac_os_x_bitcoin_mining_trojan/
[Editors Note (Liston): Interestingly, when Bitcoin first appeared, a co-worker and I discussed the likelihood that someone would use malware as a "mining" tool and we came to the conclusion that OS X would be an ideal target because of the homogeneity of the hardware and the presence of GPUs on most machines. ]

UK Hit With "Disturbing" Number of Cyber Attacks (October 31, 2011)

The UK has been the target of a "disturbing" number of cyber attacks in the past several months, according to British Intelligence Agency GCHQ director Iain Lobban. He also noted that the Foreign and Commonwealth Office blocked a "significant" attack over the summer. Attackers have targeted personal data, financial data and proprietary information from the IT, defense, engineering and energy industries. Foreign Secretary William Hague said that government systems face more than 600 malicious attacks a day. The government will spend GBP 650 million (US $1.04 billion) on cyber security over the next four years. The government-sponsored London Conference on Cyberspace begins on Tuesday, November 1, 2011.
-http://www.bbc.co.uk/news/uk-15516959
-http://www.theregister.co.uk/2011/10/31/britain_attacked/
-http://www.guardian.co.uk/technology/2011/oct/31/cyber-attacks-uk-disturbing-gch
q?newsfeed=true
-http://www.computerworlduk.com/news/security/3314473/foreign-office-blocked-sign
ificant-cyber-attack-says-gchq-chief
-http://www.fco.gov.uk/en/global-issues/london-conference-cyberspace/

Probation for Spamming and Credit Card Theft (October 31, 2011)

Josh Holly has been sentenced to three years probation for his involvement in a number of cyber crimes. Although he gained notoriety for bragging that he had stolen pictures from Miley Cyrus's email account and posting them on the Internet, Holley was sentenced for being in possession of 200 stolen credit card numbers and a spamming scheme involving hacked celebrity MySpace accounts through which he earned US $100,000 or more. Holly was apprehended after bragging online about his antics surrounding Cyrus's photos and other illegal cyber activity. Authorities raided his home in Murfreesboro, Tennessee, and discovered evidence of his involvement with the credit card number theft and spamming.
-http://www.wired.com/threatlevel/2011/10/josh-holly-sentenced/
[Editor's Note (Liston): I don't care how much he "cooperated" with authorities, a sentence of three years probation is *exactly* why cybercrime is out of control. Sentences like this act as recruiting posters for cybercrime. ]

Indian Authorities Seize Equipment Believed to Be Tied to Duqu (October 29 & 31, 2011)

Authorities in Mumbai, India have seized computer components from a data center because the equipment appeared to be communicating with computers infected with Duqu. Officials from India's Department of Information Technology reportedly took hard drives and several other pieces of equipment. While Duqu was initially believed to be related to Stuxnet, the malware's purpose remains unclear; there have a relatively small number of reported instances of infection. The equipment seized from the data center may provide more information into Duqu's purpose.
-http://www.huffingtonpost.com/2011/10/29/duqu-computer-virus-prompts_n_1065217.h
tml
-http://www.eweek.com/c/a/Security/Indian-Authorities-Seize-Suspected-Duqu-CC-Ser
ver-741604/

Blue Coat Says Its Devices Were Used to Censor Web Content in Syria (October 28 & 30, 2011)

According to the Wall Street Journal, a US technology company says its devices were being used in Syria to censor web content earlier this year, despite a trade embargo that prohibits their export to that country. Blue Coat Systems was alerted to the situation when the appliances began "transmitting automatic status messages back to the company." The company said that of 14 devices shipped to Dubai, UAE, last year that were supposed to be for Iraqi government use, 13 have been found to be in use in Syria. Log analysis indicates that the devices are being used to block or monitoring users' visits to web sites that contain information about the Syrian uprising.
-http://news.cnet.com/8301-27080_3-20127340-245/blue-coat-confirms-syria-used-its
-web-filtering-devices/
-http://www.theregister.co.uk/2011/10/30/blue_coat_in_syria/

Old Linux Trojan Ported to OS X (October 27 & 28, 2011)

The Tsunami Trojan horse program, which has infected Linux-based systems for nearly 10 years, has now been found on OS X systems. The malware is relatively low risk because it requires users to install the program manually. The malware is an IRC bot that connects to IRC network servers and channels, which allows it to be used as a zombie in distributed denial-of-service (DDoS) attacks. Once it has infected a system, it has the ability to download files and run shell commands. The OS X versions that have been detected so far are non-functional; they appear to be in the testing phase.
-http://news.cnet.com/8301-1009_3-20127094-83/tsunami-trojan-malware-bot-ported-t
o-os-x/
-http://www.eweek.com/c/a/Security/Tsunami-Trojan-Hijacks-Mac-OS-X-to-Launch-DDoS
-Attacks-Remote-Access-676241/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/