
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #90

November 11, 2011

TOP OF THE NEWS

DARPA Doubles Cyber Security Research Funding; Also Provides Cyber Researchers With Rapid Funding
Senate Votes Down Opposition to Net Neutrality
Six Arrested in Connection with Clickjacking Scheme

THE REST OF THE WEEK'S NEWS

Juniper Error Causes Widespread Internet Outage
Legislator Expresses Concern About Electronic Health Care Record Security
IEEE Revising Smart Grid Standard
Judge Rules DoJ May Obtain WikiLeaks Employees' Twitter Records
Warner Brothers Admits Issuing Over-Broad Takedown Orders
Mozilla Releases Firefox 8
Researcher Ousted From Apple's iOS Developer Program
Microsoft Fixes Four Windows Flaws in November's Patch Tuesday
DoD Aims to Trap Data Thieves With Phony Documents


******************** Sponsored By Silicium Security ********************

Worried about targeted attacks and APT? Find what AV misses with Silicium's ECAT Enterprise Compromise and Assessment Tool - signature-less malware detection. See ECAT in action, then download our whitepaper, APT in the Enterprise: http://www.sans.org/info/91001

**************************************************************************

TRAINING UPDATE

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Tokyo, Perth and Atlanta all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

TOP OF THE NEWS

DARPA Doubles Cyber Security Research Funding; Also Provides Cyber Researchers With Rapid Funding (November 7 & 9, 2011)

The Defense Advanced Research Projects Agency (DARPA) plans to increase spending on cyber security research by 50 percent over the next five years and to step up its focus on offensive cyber capabilities. In addition, DARPA program manager Mudge (Peiter Zatko) has launched a new program, "Cyber Fast Track," which provides funds to small researchers in less than two weeks with little or no bureaucracy. Eight grants were made in the program's first two months.
-http://www.informationweek.com/news/government/security/231902495
-http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/
-http://www.computerworld.com/s/article/9221643/DARPA_gets_serious_with_Internet_security?taxonomyId=83
-http://www.networkworld.com/community/node/79135

Senate Votes Down Opposition to Net Neutrality (November 10, 2011)

In a 52-46 party-line vote, the US Senate has rejected a resolution that would have overturned the Federal Communications Commission's net neutrality rules. President Obama had said he would veto the resolution if it passed. The FCC's net neutrality rules are still facing challenges through lawsuits filed by telecommunications companies.
-http://arstechnica.com/tech-policy/news/2011/11/senate-votes-down-anti-net-neutrality-resolution.ars
-http://latimesblogs.latimes.com/technology/2011/11/senate-net-neutrality-vote-.html
-http://www.wired.com/threatlevel/2011/11/senate-net-neutrality/
[Editor's Note (Murray): The FCC rule surrendered to AT&T and Verizon on the air side, where it matters, in return for rules on the wired side where it doesn't. What am I missing?
(Paller): The answer to Bill's question may be that AT&T and Verizon lobbyists, along with those of a few other lobbyists representing IT companies, are now approaching Enron's lobbyists in power to shape federal actions and in disregard for the public good. ]

Six Arrested in Connection with Clickjacking Scheme (November 9 & 10, 2011)

The FBI said that six people have been arrested in connection with a click-fraud scheme that infected more than four million computers in countries around the world. The arrests were the result of a two-year investigation known as Operation Ghost Click. All six were arrested in Estonia; a seventh defendant, who is Russian, is still at large. The US attorney's office will seek extradition of those in custody. The malware used in the scheme, known as DNSChanger, altered the DNS settings on infected computers so that they pointed to DNS servers under the criminals' control. The criminals could then redirect victims' traffic from legitimate sites, e.g. iTunes, to other sites, earning more than $14 million in commissions on referrals to online advertising. The defendants are facing wire and computer intrusion charges; one was also charged with money laundering. The FBI worked with law enforcement authorities in Estonia and the Netherlands on the case. The attack targeted both Windows and Mac OS X machines. The FBI put up a website where people can check whether their computer is infected:
-https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11986
-http://www.scmagazineus.com/fbi-arrests-six-in-click-fraud-cyber-scam-that-netted-14m/article/216399/
-http://www.informationweek.com/news/security/attacks/231902762
-http://www.v3.co.uk/v3-uk/news/2124002/trend-micro-fbi-claim-landmark-cybercrime-bust
-http://www.theregister.co.uk/2011/11/09/dns_malware_scam/
-http://www.h-online.com/security/news/item/Operation-Ghost-Click-FBI-busts-DNSChanger-botnet-1376746.html
-http://www.wired.com/threatlevel/2011/11/14-million-clickjack-scheme/
-http://www.computerworld.com/s/article/9221699/Feds_lead_biggest_botnet_takedown_ever_end_massive_clickjack_fraud

[Editor's Note (Honan): A very large well done to all involved in this case. In order to protect those computers that were infected and minimise disruption of their Internet connectivity, the authorities had to replace the DNS servers under the criminals' control with genuine DNS servers. This case serves as a prime example of how international cooperation between law enforcement agencies and between public and private bodies can be used to tackle the scourge of online criminals. It is encouraging to see such positive action and hopefully it is the first of many to come. Hopefully we will also see the statistics relating to the percentage of computers that were Apple Macs. This would help raise awareness amongst Apple users that they are no longer immune from online criminals and the tools of their trade. ]
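The DNSChanger item above describes malware that rewrote a host's resolver settings to point at rogue DNS servers, which is what the FBI's self-check page looks for. The following is an added example (not FBI, SANS or NewsBites code) of that check in defender form: it parses resolv.conf-style text and classifies each configured resolver as expected, unknown, or inside a known-rogue range. The resolver addresses and the rogue network ranges are constructed placeholders, not the real Operation Ghost Click indicators.

```python
"""Audit configured DNS resolvers against an allow-list and a rogue-range list.

Added example; not code from the FBI checker or from SANS.  All addresses and
ranges below are constructed placeholders for illustration.
"""
import ipaddress
import re

# Constructed placeholder ranges: an analyst would fill these from a published
# rogue-resolver list.  The real DNSChanger ranges are deliberately not used.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Resolvers the organisation expects its hosts to use (constructed values).
EXPECTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

# Matches "nameserver <addr>" lines; comment lines start with '#' or ';' and do not match.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text, in order."""
    addrs = []
    for match in NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            addrs.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # skip malformed entries rather than failing the whole audit
    return addrs


def classify_resolver(addr):
    """'rogue' if inside a known-bad range, 'expected' if allow-listed, else 'unknown'."""
    if any(addr in net for net in ROGUE_NETWORKS):
        return "rogue"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unknown"


def audit_resolv_conf(text):
    """Classify every configured resolver and reduce the result to one verdict.

    Returns (findings, verdict) where findings maps address -> class and the
    verdict is 'rogue' (hijacked), 'review' (unexpected resolver) or 'clean'.
    """
    findings = {str(a): classify_resolver(a) for a in parse_resolvers(text)}
    classes = set(findings.values())
    if "rogue" in classes:
        verdict = "rogue"
    elif "unknown" in classes:
        verdict = "review"
    else:
        verdict = "clean"
    return findings, verdict


# Constructed sample: a host whose first resolver was rewritten by malware.
SAMPLE_INFECTED = "# constructed sample\nnameserver 203.0.113.77\nnameserver 10.0.0.53\n"
# Constructed sample: a host using only the expected corporate resolvers.
SAMPLE_CLEAN = "nameserver 10.0.0.53\nnameserver 10.0.1.53\n"

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_resolv_conf(text))
```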


*********************** SPONSORED LINKS: *********************************

1) Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/91006

2) Sign up for SANS Analyst Webcast-Your Pad or Mine? Enabling Personal and Mobile Device Use On the Network. How to Apply Guest Networking, BYOD (Bring Your Own Device) and Endpoint Security. Go to http://www.sans.org/info/91011

****************************************************************************

THE REST OF THE WEEK'S NEWS

Juniper Error Causes Widespread Internet Outage

A flaw in a software update for the large routers that Juniper supplies to ISPs caused a widespread Internet outage, disabling large segments of the Internet.
-https://isc.sans.edu/diary.html?storyid=11965
-http://money.cnn.com/2011/11/07/technology/juniper_internet_outage/?hpt=hp_t3

Legislator Expresses Concern About Electronic Health Care Record Security (November 10, 2011)

The federal government plans to spend close to US $20 billion to move health records to digital formats. While embracing the new technology has the potential to increase the effectiveness of medical treatment, there are also dangers. US Senator Tom Coburn (R-Oklahoma) has warned that migrating medical records from paper to electronic format creates a serious security issue. The US attorney for the Eastern District of New York noted that incorrect information in patients' records could result in insurers denying them necessary treatment and services. All but one of the proposed data breach notification bills pending in the Senate exempt health care data from the requirements.
-http://www.nextgov.com/nextgov/ng_20111110_2226.php?oref=topnews
[Editor's Note (Murray): HIPAA Privacy rules killed EHR. Unintended consequence but after a decade it is clear that that is what happened. Now "safety" is going to put the last nail in the coffin. It is paper medical records that are the problem. They are error prone at best, dangerously inaccurate at worst. Not only are they not efficient, they are ineffective. They obscure clinical information and render epidemiological information infeasible to extract. Yes, there would be problems with electronic health records but they are dwarfed by the problems with paper records that we not only tolerate but foster. Out of an excess of caution, we are killing ourselves.]

IEEE Revising Smart Grid Standard (November 8, 2011)

IEEE has begun revising Secure Authentication (SA) protocols in its 1815 Distributed Network protocol (DNP3) smart grid security standard. The changes are aimed at improving the security of data gathering, data exchange, and data use in applications such as supervisory control and data acquisition (SCADA) systems.
-http://www.fiercesmartgrid.com/story/ieee-revises-critical-smart-grid-security-standard/2011-11-08
-http://www.marketwatch.com/story/ieee-addresses-evolving-smart-grid-security-challenges-with-revisions-to-critical-ieee-1815tm-standard-2011-11-07
-http://standards.ieee.org/findstds/standard/1815-2010.html

Judge Rules DoJ May Obtain WikiLeaks Employees' Twitter Records (November 10, 2011)

A US District Court Judge in Virginia has ruled that the Justice Department may legally obtain Twitter account records of three people who work or worked for WikiLeaks. The ruling allows prosecutors access to information about the times messages were sent to each other and from which IP addresses the messages were sent; the content of the messages is not included in the order.
-http://www.wired.com/threatlevel/2011/11/wikileaks-twitter-ruling/

Warner Brothers Admits Issuing Over-Broad Takedown Orders (November 9, 2011)

Warner Brothers has admitted that it used an automated takedown tool to request the removal of files from the Internet that were obviously not infringing on the company's copyrights. The case involved Hotfile, a locker site that maintains it is in compliance with the Digital Millennium Copyright Act (DMCA) because it follows the rules about notice and takedown procedures. In fact, Hotfile provided Warner Brothers with a takedown tool to facilitate the process. Hotfile is now arguing that Warner Brothers violated DMCA when it ordered the takedown of files that were clearly not infringing copyright. The data used in those takedowns appeared to come from an automated data scraper rather than a human being's examination. Warner Brothers says it cannot possibly examine all suspect files due to their sheer volume, but the DMCA requires that copyright holders issue takedown notices only when there is a "good faith belief that the use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law."
-http://arstechnica.com/tech-policy/news/2011/11/warner-admits-it-issues-takedowns-for-files-it-hasnt-looked-at.ars

[Editor's Note (Liston): Warner Bros' assertion that it "cannot possibly examine all files" is more than a bit disingenuous: what they're really saying is that they don't want to incur the costs associated with examining the files. Media companies are all about enjoying the monetary benefit of their copyrights, but are constantly looking for ways to foist the cost of protecting those copyrights off onto someone else. ]

Mozilla Releases Firefox 8 (November 8 & 9, 2011)

Mozilla has released Firefox 8, addressing seven security flaws, four of which are rated critical. All four are exploitable through drive-by downloads. Firefox 8 allows users to search Twitter and includes a feature that prevents third party plug-ins from being automatically installed. The Twitter search option is available in the English, Portuguese, Japanese and Slovenian versions of Firefox 8. The newest version of the browser is available for Windows, Mac, Linux and Android operating systems.
-http://www.scmagazineus.com/firefox-updates-for-security-user-add-on-control/article/216380/
-http://www.informationweek.com/news/software/enterprise_apps/231902597

Researcher Ousted From Apple's iOS Developer Program (November 8 & 10, 2011)

Apple has revoked researcher Charlie Miller's developer status after he created a proof-of-concept application that allowed "unapproved code to run on iPhones and iPads" and managed to fool Apple into approving it for sale in the App Store. The application that Miller wrote and put in the App Store appeared to simply track stock share prices; the exploit operated behind the scenes and allowed Miller to spy on people who had installed his app. Apple has fixed the flaw exploited by Miller's application. The iOS Developer Program allows Apple to ban Miller because his actions "violated [terms of] the developer agreement."
-http://www.theregister.co.uk/2011/11/10/apple_iphone_security_bug/
-http://www.scmagazineus.com/apple-kicks-bug-hunter-out-of-its-developer-program/article/216275/
-http://www.informationweek.com/news/security/mobile/231902576
-http://www.networkworld.com/news/2011/110811-miller-ios-bug-252886.html
This issue was corrected in iOS 5.0.1, which was released early Thursday. See
-http://support.apple.com/kb/HT5052

Microsoft Fixes Four Windows Flaws in November's Patch Tuesday (November 8 & 9, 2011)

Microsoft issued four security bulletins on Tuesday, November 8 to address four vulnerabilities in Windows. Notably absent from the release was a fix for the Windows kernel flaw exploited by Duqu, although Microsoft did issue a temporary workaround to help users protect their computers from infection. Of the four patches released this month, just one was rated critical. It addresses a remote code execution flaw in the Windows TCP/IP stack. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=11971
-http://www.h-online.com/security/news/item/Microsoft-patch-day-fixes-critical-bug-in-TCP-IP-stack-1375511.html
-http://www.scmagazineus.com/microsoft-releases-four-security-patches-one-critical/article/216311/
-http://technet.microsoft.com/en-us/security/bulletin/ms11-nov

DoD Aims to Trap Data Thieves With Phony Documents (November 4 & 7, 2011)

According to a military abstract, the US Department of Defense (DOD) is seeding its computer systems with honeypots to help prevent situations like the stolen data exposed via WikiLeaks. The computer science professor leading the project said the plan is to put a lot of false information out there to mislead data thieves. The specially crafted documents will record the snoop's IP address and let administrators know that a breach has occurred. The project is called the Decoy Document System.
-http://www.foxnews.com/scitech/2011/11/07/darpa-sets-traps-for-future-wikileakers/
-http://www.wired.com/dangerroom/2011/11/darpa-trap-wikileaks/
[Editor's Note (Murray): This is a dangerous method that should be used sparingly only by those with special training and authorization. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/