
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #91

November 15, 2011

TOP OF THE NEWS

Title Company Suing Bank Over Fraudulent Transactions
South Korea Wants ISPs to Help Stop Spam
Facebook Reaching Settlement with FTC Over Privacy

THE REST OF THE WEEK'S NEWS

World Wide Web Consortium Seeks "Do Not Track" Standard
Inquiry Finds That Many Reporters Used Phone Hacker Services
Malware Signed with Stolen Digital Certificate
Flaw in Mac OS X Sandboxing
Cyclist and Manager Draw Suspended Sentences for Drug Test Lab Hack
Researchers are Finding Evidence that Duqu is Designer Malware
Adobe Patches Critical Flash Flaws


******************** Sponsored By ForeScout Technologies ***********

Sign up and view SANS Analyst Webcast-Your Pad or Mine? Enabling Personal and Mobile Device Use On the Network. How to Apply Guest Networking, BYOD (Bring Your Own Device) and Endpoint Security. Go to http://www.sans.org/info/91146

**************************************************************************

TRAINING UPDATE

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011. Pre-Summit Courses November 26-30, 2011; Post-Summit Courses December 3-4, 2011. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011. 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011. 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

- --Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011. Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011. 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA, January 17-26, 2012. 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Tokyo, Perth and Atlanta all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

TOP OF THE NEWS

Title Company Suing Bank Over Fraudulent Transactions (November 14, 2011)

A Virginia title insurance company is suing its bank over cyber thefts that resulted in losses of US $200,000. After computers at Global Title Services became infected with ZeuS malware, cyber thieves based in Eastern Europe stole online banking account access credentials, which they used to make unauthorized wire transfers out of the company's account at what was then Chevy Chase Bank (now Capital One). The thieves conducted fraudulent transactions totaling US $2 million; the bank was able to recover all but US $200,000 of the stolen funds. The suit filed by Global Title against Capital One alleges failure to act in good faith and failure to implement reasonable online banking security procedures.
-http://krebsonsecurity.com/2011/11/title-firm-sues-bank-over-207k-cyberheist/
[Editor's Note (Murray and Paller): It is hard to believe that it is easier for the banks to defend these suits than to fix the problem. Token-based or out-of-band authentication just is not that expensive. They could even charge a fee for it. Of course, the regulators, the FFIEC, are not helping; they could easily require it, rather than giving the banks the "risk assessment" escape clause. Banks are not equipped to assess this risk or to choose methods without guidance. They actually believe that whatever the FFIEC Guidance permits is secure. ]

South Korea Wants ISPs to Help Stop Spam (November 14, 2011)

South Korea is urging Internet service providers (ISPs) in that country to agree to a national anti-spam plan. Dubbed "Block 25," the plan would require the ISPs to restrict email to official gateways, or block all email except that sent from official servers. The plan is facing criticism from those who say it does not go far enough.
-http://www.bbc.co.uk/news/technology-15720599
-http://www.zdnet.com/blog/networking/south-korea-proposes-restricting-all-e-mail-sending-to-official-e-mail-servers/1647
-http://securitywatch.pcmag.com/spam/290525-radical-korean-spam-block-can-it-work

Facebook Reaching Settlement with FTC Over Privacy (November 11, 2011)

Facebook is close to a settlement with the US Federal Trade Commission (FTC) that would require the network to make any changes to its privacy practices opt-in. Facebook has been the target of many complaints for making users' personal information public by default. In the past, every time Facebook has changed the way it facilitates sharing information, users have had to dig deep into the site's privacy settings to find the new default settings and decide which settings they want to change. The settlement would also require Facebook to submit to privacy audits for the next 20 years.
-http://arstechnica.com/tech-policy/news/2011/11/facebook-settlement-will-make-all-future-privacy-changes-opt-in.ars
-http://www.latimes.com/business/la-fi-1112-facebook-privacy-20111112,0,4467952.story

[Editor's Note (Murray): Facebook's stock in trade is the "social graph," the information about our associations. Opt-in is a huge price to pay but if it preserves their right to monetize the graph, they will pay it. ]


*************************** SPONSORED LINKS: *****************************

1) See Active Cyber Attack and Defense Demo Showing the Power of Corero Network Security's IPS. http://www.sans.org/info/91151

****************************************************************************

THE REST OF THE WEEK'S NEWS

World Wide Web Consortium Seeks "Do Not Track" Standard (November 14, 2011)

The World Wide Web Consortium (W3C) is developing tools that will warn users when they visit websites that are not complying with privacy requests. W3C is seeking help from users, businesses and browser makers to finalize the specifications, which are intended to help users because browsers do not currently share a common Do Not Track mechanism. The tools will be privacy friendly, helping users to divulge as little information as possible. They will also be able to alert users when sites are not respecting their requests.
-http://www.bbc.co.uk/news/technology-15723407
-http://www.informationweek.com/news/security/privacy/231902974

Inquiry Finds That Many Reporters Used Phone Hacker Services (November 14, 2011)

The inquiry into the News of the World phone hacking scandal has revealed that dozens of News International employees used the services of private investigator Glenn Mulcaire, who has been convicted of breaking into other people's mobile phones. The Leveson Inquiry was established earlier this year after news of the scandal broke. The discovery in Mulcaire's notebooks of the names of more than two dozen people who had used his services suggests that the one News of the World journalist who has been convicted of phone hacking "was not a rogue reporter."
-http://www.guardian.co.uk/media/2011/nov/14/phone-hacking-news-international-staff-named?newsfeed=true
-http://edition.cnn.com/2011/11/14/world/europe/uk-phone-hacking-scandal/

Malware Signed with Stolen Digital Certificate (November 14, 2011)

F-Secure is reporting that a Malaysian governmental digital certificate was used to sign malware, which is spreading through infected PDF files that exploit a vulnerability in Adobe Reader 8. The certificate, which belongs to the Malaysian Agricultural Research and Development Institute, expired on September 29, 2011.
-http://news.cnet.com/8301-1009_3-57324501-83/f-secure-finds-rare-digitally-signed-malware/
-http://www.h-online.com/security/news/item/Stolen-government-certificate-signed-malware-1378914.html
-http://www.theregister.co.uk/2011/11/14/stolen_certificate_discovered/

Flaw in Mac OS X Sandboxing (November 12, 2011)

A vulnerability in Mac OS X could be exploited to circumvent sandboxing restrictions. This flaw is especially notable given Apple's recent announcement that all applications sold through the Mac App Store will be required to implement sandboxing as of March 1, 2012. The company that discovered the flaw says it notified Apple in September.
-http://threatpost.com/en_us/blogs/mac-os-x-sandbox-security-hole-uncovered-111211
-http://news.cnet.com/8301-1009_3-57324583-83/sandboxing-flaw-is-no-real-problem-for-os-x/

[Editor's Note (Murray): Sandboxing in iOS has proven to be very effective. It is much more difficult to retrofit the concept to an existing system without breaking applications. However, I will continue to hope and to give Apple credit for trying. ]

Cyclist and Coach Draw Suspended Sentences for Drug Test Lab Hack (November 12, 2011)

A French court has given US cyclist Floyd Landis and his former coach, Arnie Baker, 12-month suspended sentences for their roles in a scheme involving hacking into a computer at a drug-testing laboratory. A computer at Laboratoire National de Depistage du Dopage was infected with a Trojan horse program in 2006; a subsequent investigation revealed that intruders had downloaded more than 1,700 files, some of which turned up on a website questioning the credibility of the lab's findings. The lab had run tests that found Landis had been using unauthorized substances when he won the 2006 Tour de France; he was stripped of that title. There was apparently no evidence suggesting that the men were directly involved with the cyber attack, but "both ... benefitted from the illegal intrusion."
-http://www.theregister.co.uk/2011/11/12/floyd_landis_sentenced/
-http://www.npr.org/blogs/thetwo-way/2011/11/10/142211319/french-court-convicts-cyclist-floyd-landis-in-hacking-of-doping-lab
-http://www.securitynewsdaily.com/floyd-landis-hacking-doping-1330/
-http://www.usatoday.com/sports/cycling/story/2011-11-10/floyd-landis-convicted/51152204/1

Researchers are Finding Evidence that Duqu is Designer Malware (November 11, 2011)

Analysis of Duqu suggests that the malware has been in development for at least four years. Kaspersky Labs has found that at least one component dates back to August 2007. Researchers also say that in each instance in which Duqu was used, the malware was tailored specifically for the targeted systems.
-http://www.computerworld.com/s/article/9221760/Hackers_may_have_spent_years_crafting_Duqu?taxonomyId=85
-http://www.theregister.co.uk/2011/11/11/duqu_analysis/

Adobe Patches Critical Flash Flaws (November 9 & 10, 2011)

Adobe has issued a critical update for Flash Player to address a dozen flaws, some of which allow remote code execution. Flash version 11.1.102.55 is available for Windows, Mac, Linux and Solaris. Adobe has also released Flash version 11.1.102.59 for Android, which is expected to be the last time it updates Flash for mobile. In addition, Adobe has released AIR version 3.1.0.4880 for Windows, Mac, and Android.
Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=12007
-http://www.scmagazineus.com/adobe-fixes-12-flash-flaws-many-allow-for-code-execution/article/216511/
-http://www.h-online.com/security/news/item/Adobe-closes-12-critical-holes-in-Flash-1377759.html
-http://krebsonsecurity.com/2011/11/critical-flash-update-plugs-12-security-holes/
-http://www.wired.com/gadgetlab/2011/11/adobe-kills-mobile-flash


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/