SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #88
November 04, 2011
A present from SANS for everyone who signs up for an OnDemand class in
the next 3 weeks (before Nov. 23): A MacBook Air. I pushed a little for
this. The OnDemand training (the best security instructors in the world,
with a Tivo-like capability for instant replay) is extraordinarily
cost-effective for employers and satisfying for students. Since the
MacBook Air was the nicest thing I have ever done for my own computing
effectiveness (mostly because it did everything SOOO much faster than
any of my PCs) I suggested that the OnDemand folks give each of you a
MacBook Air when you sign up. That way you can take the course wherever
you find a Wifi signal. Surprise, they said yes.
Here's the URL: https://www.sans.org/online-security-training/specials.php
Alan
TOP OF THE NEWS
Microsoft's November Patch Tuesday to Address Four Windows Flaws
Privacy Tools Confusing to Users
Duqu Command and Control Server Reportedly Detected in Belgium
Duqu Appears to Exploit Zero-Day Windows Kernel Flaw
US Intelligence Report Says China and Russia are Conducting Cyber Espionage
Newzbin 2 Says Most UK Users Have Downloaded Workaround to Bypass BT Blocking
FBI and US Attorney General's Office Win National Cybersecurity Innovation Award for Coreflood Takedown
Prison Sentences for Cyber Theft Ring Masterminds
DHS Developing Social Media Monitoring Guidelines
Researchers Propose Mitigation Technique for eVoting "Trash Attack"
London's Met Police Using Cell Phone Interception Technology
The London Conference on Cyberspace
THE REST OF THE WEEK'S NEWS
**************************************************************************
TRAINING UPDATE
--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/
--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/
--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/
--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/
--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/
--Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Sydney, Tokyo, Perth and Atlanta all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Microsoft's November Patch Tuesday to Address Four Windows Flaws (November 3, 2011)
Microsoft will issue four security bulletins on Tuesday, November 8 to address four vulnerabilities in Windows. Just one of the flaws is rated critical; it affects Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft does not appear to be issuing a fix for the kernel vulnerability that is being used to spread Duqu (see related story in this issue).
Internet Storm Center:
-https://isc.sans.edu/diary/November+2011+Patch+Tuesday+Pre-release/11944
-http://www.computerworld.com/s/article/9221470/Microsoft_to_patch_critical_Windows_7_bug_in_upside_down_update_next_week?taxonomyId=85
-http://www.zdnet.com/blog/security/patch-tuesday-fix-for-duqu-zero-day-not-likely-this-month/9760
-http://technet.microsoft.com/en-us/security/bulletin/ms11-nov
Privacy Tools Confusing to Users (November 3, 2011)
A report from Carnegie Mellon University found that most users are confused by Internet privacy tools. In a test of nine tools used to restrict online targeted advertising, the 45 users participating in the study were unsure of how to configure their options, often making choices that did not protect their privacy to the extent they wanted to, or in some cases, not protecting it at all. The study examined how users interacted with privacy setting options for Mozilla Firefox version 5, Internet Explorer 9, and a number of tools specifically designed to restrict behavioral advertising. On the whole, the tools did not provide clear descriptions for configuration, offering instead "jargon-filled technical explanations."
-http://www.scmagazineus.com/internet-privacy-tools-too-confusing-for-most-users/article/215869/
-http://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11017.html
[Editor's Note (Pescatore): Most of the products they tested aren't really "privacy tools", they are "tools to limit online behavioral advertising" - the term the authors started out using. Of the nine tools tested, 2 were from the advertising industry, 3 were from the browser vendors and only 5 were actually from sources focused on user privacy. Expecting privacy features from the advertising industry and the browser vendors is like looking to the salty snack industry for nutritional guidance. The tools that are actually focused on user privacy are complex because they are battling an advertising-funded Internet ecology, and that really won't change any time soon.
(Liston): One of the biggest failings of our increasingly technological society is the creation of what I call the "Blinking 12:00" underclass. The divide between the man-on-the-street and technology has only increased since the days when people couldn't set the clock on their VCRs. While some progress has been made, the lack of a "common man" understanding of technology becomes more dangerous as our world becomes increasingly interconnected. ]
Duqu Command and Control Server Reportedly Detected in Belgium (November 3, 2011)
Those responsible for maintaining the infrastructure that Duqu relies upon are now using a server located in Belgium to store data collected by infected computers. Authorities in India recently seized equipment from a data center in Mumbai because of reports that a server there was communicating with Duqu-infected computers. The move to the Belgian server was discovered when Symantec found a Duqu sample that was configured to communicate with a certain server at Belgian web hosting company Combell Group. Symantec said it has notified the host and that the server was subsequently shut down. However, two employees at Combell say the server is still actively communicating with other computers. One of the employees, speaking anonymously, said it appeared that someone who was controlling the server seemed to be deleting data to prevent useful communication logs from being generated.
-http://www.reuters.com/article/2011/11/03/us-cyberattack-belgium-idUSTRE7A25KC20111103
Symantec's blog on Duqu has some good background material
-http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
Duqu Appears to Exploit Zero-Day Windows Kernel Flaw (November 2 & 3, 2011)
A new report indicates that Duqu may be spreading through an unpatched Windows kernel vulnerability. The malware is installed through a dropper file that is a Microsoft Word document. Microsoft says it is working on a fix for the vulnerability. The Windows flaw is not necessarily the only vector of attack that Duqu uses to spread. Researchers are still unsure about exactly what Duqu does, and although several companies are in agreement that there are similarities between Duqu's code and that of Stuxnet, there is skepticism about the notion that the two have the same author.
-http://www.csmonitor.com/Innovation/Horizons/2011/1103/Duqu-worm-looms-as-next-big-cyber-threat
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231902150/what-is-duqu-up-to.html?itc=edit_stub
-http://www.informationweek.com/news/security/vulnerabilities/231902121
-http://www.h-online.com/security/news/item/Duqu-exploits-previously-unknown-vulnerability-in-Windows-kernel-1370369.html
-http://www.msnbc.msn.com/id/45136542/ns/technology_and_science-security/
-http://www.theregister.co.uk/2011/11/01/duqu_exploits_windows_zero_day/
US Intelligence Report Says China and Russia are Conducting Cyber Espionage (November 3, 2011)
According to a report to Congress from the US Office of the National Counterintelligence Executive, online industrial espionage emanating from China and Russia poses a threat to the US economy and national security. The report says that trade secrets and other intellectual property worth billions of dollars are being stolen from government agencies, companies, and research institutions. The report marks a change from the usual hesitancy to identify perpetrators, saying that "Chinese actors are the world's most active and persistent perpetrators of economic espionage, ... [and] Russia's intelligence services are conducting a range of activities to collect economic information and technology from US targets."
-http://www.washingtonpost.com/world/national-security/us-cyber-espionage-report-names-china-and-russia-as-main-culprits/2011/11/02/gIQAF5fRiM_story.html
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/11/03/bloomberg_articlesLU347X6K50Z7.DTL
[Editor's Note (Pescatore): The 1937 version of this headline said "US Intelligence Report Says China and Russia are Conducting Telephonic Espionage."
(Honan and Paller): Most nation states, not just Russia and China, have been conducting espionage for many years; moving to computer based espionage is simply a natural progression. The focus should not be solely on who is committing espionage but rather on ensuring the defenses in place are adequate enough to protect sensitive data and systems and the response capabilities are good enough to detect and mitigate the impact of an attack.
(Northcutt): Some rapid and serious work on developing air gap technologies to segment internal networks with sensitive information from anything Internet reachable needs to be put in place tomorrow. SANS has been doing this for some of our data since before I joined the company in January 2000, and NO, I will not give you details of our architecture, sorry.
(Murray): Any nation state that is not using the Internet to gather intelligence is either derelict or incompetent. Espionage is what nation states do. What do you think the purpose of the NSA is? Given that we know, or ought to know this, our security is inadequate. ]
Newzbin 2 Says Most UK Users Have Downloaded Workaround to Bypass BT Blocking (November 3, 2011)
BT has begun its court-ordered blocking of Newzbin 2, a members-only website that facilitates access to pirated digital content. Newzbin 2 has called the block ineffective, saying that members are still able to access content through a workaround it made available earlier this fall. Newzbin 2 said that the majority of its users in the UK have downloaded the workaround. BT is using blocking technology called Cleanfeed that it already has in place to block child abuse sites.
-http://www.bbc.co.uk/news/technology-15572495
FBI and US Attorney General's Office Win National Cybersecurity Innovation Award for Coreflood Takedown (November 3, 2011)
The FBI and the US Attorney General's Office have been named winners of the 2011 US National Cybersecurity Innovation Award for their work in disabling the Coreflood botnet. The FBI obtained a temporary restraining order that allowed it to seize five Coreflood command-and-control servers and replace them with servers run by law enforcement officials, which allowed the government to communicate with infected computers and halt malicious activity. The order also allowed the government to send commands to disable Coreflood malware on users' computers after obtaining their permission.
-http://www.prnewswire.com/news-releases/federal-bureau-of-investigation-and-the-us-attorney-generals-office-win-national-cybersecurity-innovation-award-133168328.html
[Editor's Note (Murray): The Coreflood Takedown demonstrated that judicial supervision does not, as so many claim, impede law enforcement.]
Prison Sentences for Cyber Theft Ring Masterminds (November 1 & 2, 2011)
Two men have each been given 56-month prison terms, by UK courts, for their roles as leaders in a scheme that stole more than GBP 2.8 million (US $4.5 million) from online bank accounts. Yuriy Konovalenko and Yevhen Kulibaba organized the online crime ring that used Trojan horse programs to steal users' online financial account login data. The men both pleaded guilty to conspiracy to defraud. Eleven other people associated with the scheme have also received prison sentences.
-http://www.informationweek.com/news/security/cybercrime/231902126
-http://www.v3.co.uk/v3-uk/news/2122037/ukrainian-bank-account-hackers-jailed
-http://www.theregister.co.uk/2011/11/01/banking_trojan_ring_leaders_jailed/
-http://www.h-online.com/security/news/item/Trojan-using-criminal-ringleaders-jailed-in-UK-1369980.html
DHS Developing Social Media Monitoring Guidelines (November 1, 2011)
The US Department of Homeland Security (DHS) is drawing up guidelines for gathering information from social networking sites without violating citizens' privacy. DHS made the decision to create the guidelines earlier this year when protesters in the Middle East and North Africa began to use sites like Facebook and Twitter to communicate and organize. DHS does not actively monitor the sites, but would turn to public sites to gather information when it learns of a potential threat. Although users may be unhappy with the practice, they should realize that what they post on the social networking sites is often within the public domain.
-http://www.computerworld.com/s/article/9221374/DHS_to_set_up_policies_for_monitoring_Twitter_Facebook_?taxonomyId=84
Researchers Propose Mitigation Technique for eVoting "Trash Attack" (November 1, 2011)
Researchers from Microsoft have published a paper in which they describe a method of improving the security of end-to-end verifiable electronic voting systems. The idea is to add a procedure to the machines' routines that provides each voter with a receipt that includes a cryptographic hash of his or her ballot's content. Each ballot's hash is linked to the previous ballot's hash. The proposed fix is to reduce or eliminate "trash attacks," in which voter receipts that are thrown away as they exit polling places are retrieved by those who want to alter election results. The receipts allow voters to check their votes against a publicly available list. The tossed receipts are indications that the voters will not check the accuracy of their votes against the list and are good candidates for vote tampering.
-http://www.theregister.co.uk/2011/11/01/electronic_voting_fraud_mitigation/
-https://research.microsoft.com/pubs/155590/The%20Trash%20Attack.pdf
[Editor's Note (Murray): A newly eligible voter was asked this week by the media what would get him to vote. He responded "SSL." Actually voting is the single most difficult security problem in all of IT. The e-voting problem is soluble as long as one does not impose upon it requirements that no other system can meet. E-voting and cryptography are the only problem sets from which we exclude all non-perfect solutions. ]
London's Met Police Using Cell Phone Interception Technology (October 30 & 31, 2011)
London's Metropolitan Police have been using surveillance technology that allows them to intercept cell phone communications and track users' locations through their mobile devices without requesting the data from mobile carriers. The technology, which covers up to 10 sq. km, tricks phones into thinking it is a legitimate cell phone tower. It can also be used to send a signal that shuts off mobile phones. It is unclear whether the system behaves as a man-in-the-middle while intercepting communications, or if the messages dead-end into the system. The Met Police did not offer details about when and where they have used the technology.
-http://www.wired.com/threatlevel/2011/10/datong-surveillance/
-http://www.guardian.co.uk/uk/2011/oct/30/metropolitan-police-mobile-phone-surveillance
[Editor's Note (Murray): Not having to worry about a written constitution is a big advantage to the Met. They can do anything that parliament does not explicitly forbid. ]
The London Conference on Cyberspace was held on November 1-2:
-http://www.fco.gov.uk/en/global-issues/london-conference-cyberspace/
In his opening remarks, UK Foreign Secretary William Hague enumerated seven principles for international cyber space cooperation:
-http://www.fco.gov.uk/en/news/latest-news/?view=Speech&id=684997682
-http://www.v3.co.uk/v3-uk/news/2121638/-londoncyber-hague-sets-seven-principles-global-internet-operation
Experts said that companies need to acknowledge falling prey to cyber attacks
-http://www.theregister.co.uk/2011/11/02/business_need_to_confess_cyber_attacks/
and the Dutch government acknowledged the need for public/private cooperation
-http://www.v3.co.uk/v3-uk/news/2121991/-londoncyber-microsoft-calls-international-cooperation-cyber-security
Microsoft's Scott Charney spoke about the need to harmonize cyber crime laws across borders:
-http://www.v3.co.uk/v3-uk/news/2121991/-londoncyber-microsoft-calls-international-cooperation-cyber-security
and system administrators' valuable role in cyber investigations:
-http://www.theregister.co.uk/2011/11/02/sys_admins_should_help_cybercrime_probes/
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/