SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #96

December 06, 2011

For cybersecurity people in Washington DC, Government Executive is
hosting a free breakfast on Thursday morning, 7:30 - 9:30 at the Ronald
Reagan Center. It features both the Estonian Ambassador to the United
States who was Ambassador to Russia during the 2007 Russian attack, and
Dmitry Alperovitch who just left McAfee and has some great stories to
tell about ShadyRAT. It's a unique opportunity to get authoritative
inside stories on major cyber events.
Registration: http://www.govexec.com/cyber_insider/Dec8-2011.html

Alan

---

TOP OF THE NEWS

Senator Wyden Proposes Conversation About Alternative to PIPA
Swiss Federal Council Downplays Filesharing Concerns
Australian Defence Signals Directorate's (DSD) Finds Sweet Spot For Stopping Targeted Intrusions

THE REST OF THE WEEK'S NEWS

4,000+ Sites Affected by SQL Injection Attack
Carrier IQ Facing Lawsuits Over Tracking Software
Carrier IQ Put Under the Microscope in Europe
Carrier IQ Execs Speaks Out
MIT Researchers Consider US Power Grid Security
Proposed New European Data Directive To Impose Fines
BART Cell Service Blocking Policy Gains FCC's Attention
Yahoo Messenger Vulnerability Allows Spamming
US Military Cyber Security Education and Training is Evolving to Meet Current Needs

---

************************* Sponsored By Bit9 *****************************

FREE Webcast 12/7: Application Whitelisting 101

It sounds simple: Application Whitelisting ensures only authorized software runs. But success requires an adaptable approach. Learn how the largest of enterprises - including 30 of the Fortune 100 - use this flexible, powerful solution to protect against advanced threats. FREE webcast 12/7 @ 9am and 2pm Eastern.

http://www.sans.org/info/92979

**************************************************************************

TRAINING UPDATE

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

---

TOP OF THE NEWS

Senator Wyden Proposes Conversation About Alternative to PIPA (December 2, 2011)

US Senator Ron Wyden (D-Oregon), is gathering legislators from across the political spectrum to discuss alternatives to the draconian takedown measures proposed by the Protect IP Act (PIPA). He has already promised a filibuster if bill the should make it to the Senate Floor. PIPA bears similarities to the House's Stop Online Piracy Act (SOPA), which has met with a significant public outcry), Senator Wyden hopes to convince the International Trade Commission, which already oversees issues of material property, to expand its purview to include digital property as well.
-http://www.wired.com/threatlevel/2011/12/internet-blacklist-alternative/all/1
-http://www.wired.com/images_blogs/threatlevel/2011/12/itcdraftwyden.pdf

Swiss Federal Council Downplays Filesharing Concerns (December 5, 2011)

A report from Switzerland's Federal Council, compiled at the request of the country's legislature, says that illegal filesharing is not a significant problem. The report rejects three proposals aimed at combating the issue: a three-strikes plan, similar to that codified in France; Internet filtering; and a collective licensing plan that would allow unlimited filesharing for a fee. The report says that consumers still spend money on entertainment products, and that filesharing is a concern only for "large foreign production companies," which need to adapt their business models to include consumer behavior instead of trying to push for legislation that seeks to maintain an outdated system.
-http://arstechnica.com/tech-policy/news/2011/12/swiss-government-file-sharing-no
-big-deal-some-downloading-still-ok.ars
-http://www.eweekeurope.co.uk/news/swiss-government-rules-downloading-to-remain-l
egal-48351
[Editor's Note (Murray): Legislation is a blunt tool. It almost always has unintended consequences. Nothing is so difficult to remedy as bad legislation. Legislation should be used late, cautiously, and only after all other measures have been tried. ]

Australian Defence Signals Directorate's (DSD) Finds 4 Controls Stop Targeted Intrusions (November 2011)

In October, the Australian Defence Signals Directorate received a US national Cybersecurity Innovation Award for identifying and implementing (across the Australian civilian and military agencies) four security controls that could defeat more than 85 percent of targeted cyber intrusions. The four controls top a list of 35 strategies, but unlike any other government initiative, the Australians say "do the top 4 controls first" and then decide which of the other controls to implement. This is the first strategy for mitigating targeted attacks that resonates with top executives inside and outside government. The DSD just published new documents explaining exactly how to implement the four controls in the "Sweet Spot."
-http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf
-http://www.dsd.gov.au/publications/Assessing_Security_Vulnerabilities_and_Patche
s.pdf
-https://www.sans.org/press/australian-defence-signals-directorate-national-cyber
security-award.php

---

THE REST OF THE WEEK'S NEWS

4,000+ Sites Affected by SQL Injection Attack (December 5, 2011)

A massive SQL injection attack appears to have infected more than 4,000 websites. Data gathered by the Internet Storm Center indicate that the sites have been injected with a string that is inserted into several tables. Users who visit the infected sites are being redirected to other sites that attempt to place rogue anti-virus programs and other malware on their machines.
-http://www.scmagazineuk.com/sql-injection-attack-infects-more-than-4000-websites
/article/218104/
-http://www.scmagazine.com.au/News/282150,new-mass-sql-injection-attack-could-be-
forming.aspx
-http://isc.sans.edu/diary.html?storyid=12127
[Editor's Note (Murray): This attack, like many others, exploits unchecked inputs in the application and the practice of relying upon such applications to protect the database. Parsing inputs is difficult; use the OWASP Enterprise Security API and libraries. Use the access controls in the database manager. One should prefer the controls closest to the data and most reliable.]

Carrier IQ Facing Lawsuits Over Tracking Software (December 5, 2011)

A class action lawsuit filed over the use of Carrier IQ tracking software names eight companies: four handset makers, three wireless service carriers, and Carrier IQ itself. The suit alleges violations of the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud and Abuse Act. The carriers and handset makers named in the suit have all admitted that they use Carrier IQ's software; the carriers say they use the software for network diagnostic purposes only, and the handset makers say they allowed the software on the phones at the request of the carriers. At least two other lawsuits have been filed over the use of Carrier IQ. Apple has already announced plans for an iPhone update that will remove Carrier IQ from its handsets.
-http://www.computerworld.com/s/article/9222424/8_companies_hit_with_lawsuit_over
_Carrier_IQ_software?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57335851-83/carrier-iq-faces-lawsuits-lawmaker-
seeks-ftc-probe/
[Editor's Note (Pescatore): This is sort of like suing your neighbor's dog when it does its business in your yard, when you should be suing your neighbor. The carriers install CarrierIQs software on the phones and collect the data and determine how much data is collected and what is done with it. The carriers are also the ones who have not made this explicit to the users of the phone. CarrierIQ shouldn't be demonized over this, any more than GPS chip vendors would be for having GPS chips in phones. ]

Carrier IQ Put Under the Microscope in Europe (December 5, 2011)

Regulators in several European countries have begun looking into Carrier IQ's behind-the-scenes tracking software. The Bavarian State Office for Data Protection wants to ensure that people are aware of how their data are used and has sent a letter to Apple asking about its use of the product. The UK's Information Commissioner's Office (ICO) is also concerned about carriers complying with the country's Data Protection Act. France's privacy regulator CNIL is also looking into Carrier IQ.
-http://www.computerworld.com/s/article/9222411/European_regulators_start_investi
gating_Carrier_IQ?taxonomyId=208
-http://www.businessweek.com/news/2011-12-05/apple-questioned-in-germany-as-carri
er-iq-use-probed-in-europe.html

Carrier IQ Execs Speaks Out (December 2, 2011)

Executives at Carrier IQ say their monitoring software gathers information about web usage, as well as when, where and to what numbers calls are made and text messages are sent, but does not log all keystrokes, which is one of the claims made by an Android developer who has been a vocal critic of the software. The executives also noted that downloaded data are encrypted while being transferred to the company's servers.
-http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/
This story provides an overview of the Carrier IQ situation:
-http://www.informationweek.com/news/security/mobile/232200654

MIT Researchers Consider US Power Grid Security (December 5, 2011)

Researchers from the Massachusetts Institute of Technology (MIT) say the cyber security of the US power grid should be managed by a single entity rather than perpetuate the current situation, in which it is overseen by a patchwork of federal, state and local authorities. In their report, The Future of the Electric Grid, the researchers say that the various organizations involved in maintaining the grid are not working together. Specifically, the report says that the "lack of a single operational entity with responsibility for grid cyber security preparedness as well as response and recovery creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission, and distribution." Existing cyber security standards apply to "the bulk power system and not the distribution system."
-http://www.msnbc.msn.com/id/45555394/ns/technology_and_science-security/
-http://news.cnet.com/8301-13506_3-57336531-17/should-homeland-security-control-t
he-electrical-grid-maybe/
-http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml

Proposed New European Data Directive To Impose Fines (December 5, 2011)

The new European Data Protection Directive could impose considerable fines on organizations that run afoul of European data protection laws. Even companies that are headquartered in the US would be subject to the requirements. The directive also imposes mandatory data breach disclosure on all organizations in the public and private sectors.
-http://www.zdnet.com/blog/london/massive-fines-planned-in-european-data-breach-c
rackdown/1278?tag=search-results-rivers;item0
-http://www.scmagazineuk.com/data-protection-directive-changes-will-be-ineffectiv
e/article/218102/
[Editor's Note (Honan): Given the recent spate of security breaches it should come as no surprise that the proposed new European Data Directive will include mandatory breach disclosures. However, it could be 2-4 years before this new Data Directive is ratified into local law for each member state. It should be worth noting that mandatory breach disclosure is already in place for telecoms operators and Internet service providers under the current ePrivacy Directive and in Ireland the Data Protection Commissioner has introduced a Personal Data Security Breach Code of Practice
-http://www.dataprotection.ie/docs/7/7/10_-_Data_Security_Breach_Code_of_Practice
/1082.htm]

BART Cell Service Blocking Policy Gains FCC's Attention (December 2, 2011)

The US Federal Communications Commission (FCC) plans to look into the "Cell Service Interruption Policy" recently established by the Bay Area Rapid Transit (BART) system. Earlier this year, BART made the decision to block cell phone service at several stations during protests prompted by the fatal shooting of some passengers by BART police. The move met with public outcry and criticism. BART's new policy says that transit district will do the same thing again if "extraordinary circumstances" occur. The language of the new policy allows BART to impose cell service blocking "when it determines that there is strong evidence of imminent unlawful activity that threatens the safety of ... passengers."
-http://arstechnica.com/tech-policy/news/2011/12/fcc-to-probe-san-francisco-subwa
y-cell-phone-interruption-policy.ars
-http://news.cnet.com/8301-1009_3-57336075-83/fcc-to-review-sf-subway-cell-servic
e-shutdown-rules/

Yahoo Messenger Vulnerability Allows Spamming (December 2, 2011)

A vulnerability in Yahoo Messenger that can be exploited to change users' status messages can also be used to send spam messages to other users. The flaw lies in the way Yahoo Messenger's file transfer application programming interface (API) processes malformed requests. The exploit does not require any action from users. Until a fix is available, Yahoo Messenger users can protect themselves by configuring the application to ignore users who are not in their Messenger lists, although attacks are still possible through known contacts that become infected.
-http://www.computerworld.com/s/article/9222360/Yahoo_Messenger_flaw_enables_spam
ming_through_other_people_s_status_messages?taxonomyId=85

US Military Cyber Security Education and Training is Evolving to Meet Current Needs (November 18, 2011)

Understanding the need for a dynamic cyber security education and training strategy, the US military is pursuing new models for training troops for cyber warfare. Collaboration is increasing, both between branches of the military and with industry partners. Each branch of the military has developed cyber security education and training that it tailored for its needs. The US Naval Academy requires all midshipmen to participate in cyber education, and all Marines must take courses every year to update their cyber security knowledge. The Air Force has collaborated with SANS to use NetWars in its training program, and the Army has teamed with a number of technology companies to help train and certify soldiers.
-http://fcw.com/Articles/2011/11/28/FEAT-Military-cyber-training.aspx

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/