SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #98
December 13, 2011
For the past 9 years, Ed Skoudis has written a holiday hacking challenge focused on helping info sec professionals improve their skills while having fun. This year's challenge, titled "Grandma Got All Hax0red by a Reindeer... Or Did She?" includes several major attack techniques that made headlines in 2011. It is located at http://is.gd/zKsQu6. To participate, download a packet capture, analyze the attacker's tracks, and send your answers by January 9, 2012.
Alan
TOP OF THE NEWS
2008 Malware Infection Prompted Cyber Security Revamping at U.S. DoD
Google Removes Malicious Apps from Android Market
Georgia Medical Center Turns Away Patients Because of Malware Infection
THE REST OF THE WEEK'S NEWS
SOPA Amendments Aim to Clarify Proposed Anti-Piracy Legislation
Most US Data Theft Originating in China is the Work of a Dozen Groups
Six Arrested in Connection with Student Loan Phishing Scheme
Telstra Customer Database Accidentally Exposed
Senator Wyden Seeks Answers About Domain Seizure Operation
Two Flaws in Adobe Flash Player
Microsoft Issues Offline Windows Defender Beta
Judge Rules That Some Banks Failed to State Proper Claims for Seeking Damages from Heartland
************************** Sponsored BY SANS ****************************
SANS 8th Annual Log and Event Management Survey is Under Way - Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts. Follow this link to the survey: http://www.sans.org/info/93799
**************************************************************************
TRAINING UPDATE
--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
--SANS Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/
--Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
**************************************************************************
TOP OF THE NEWS
2008 Malware Infection Prompted Cyber Security Revamping at U.S. DoD (December 8, 2011)
The Washington Post's Ellen Nakashima has written a detailed account of the worm that infected US military computers in 2008. Cyber security specialists first became aware that something was not as it should be in October 2008, when they noticed something on the classified military system acting as a beacon, trying to "phone home." The affected network contained highly sensitive information, including battle plans for commanders in Iraq and Afghanistan. Analysis determined that the malware made its way into the system through a thumb drive. The incident has been a driving force behind the government's revamped approach to cyber security. The effort to contain the malware and prevent any further damage was known as Operation Buckshot Yankee. Nakashima's article includes information that has not before been disclosed, gleaned from interviews with people who have knowledge of the operation. The malware, known as Agent.btz, was discovered on the military computer system of a NATO-member government in June 2008. In October 2008, it showed up on the US's Secret Internet Protocol Router Network, or SIPRNet, which is used by the Departments of State and Defense to transfer classified information. Once the system was infected, any thumb drives that were subsequently attached to it became infected as well. The fix was laborious and time consuming - infected computers needed to be identified, taken offline, scrubbed, and reformatted. The infection also led to the ban of thumb drives on Defense Department computers in November 2008. The ban has been partially lifted because other security measures are now in place. The incident was a major driver behind the creation of Cyber Command. It served as a reminder that humans are the weakest link and raised questions about parameters and rules for cyber warfare.
-http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_print.html
Google Removes Malicious Apps from Android Market (December 12, 2011)
Google has pulled more than 20 malicious applications from the Android Market, bringing the total number of apps removed this year to over 100. The malware that was bundled with the removed apps has been dubbed "RuFraud." It sends text messages to premium rate phone numbers, incurring charges for users and accruing profits for those who reap the revenue of the numbers. The malware was written not to affect users in the US, but users in several European countries and in Asia are affected.
-http://www.computerworld.com/s/article/9222595/Google_pulls_22_more_malicious_Android_apps_from_Market?taxonomyId=17
[Editor's Note (Pescatore): The "Droid Does" marketing campaign was trying to portray Google's wide open Market as an advantage over Apple's more restrictive App Store. However, the consumer marketplace is definitely demanding more security testing *before* apps are released and *less* need to remove malicious apps *after* they've done damage. "Droid Does Have Malware" is not a great sales pitch...
(Murray): The fundamentally open strategy of Android is dangerous. Early prevention trumps late remediation. ]
Georgia Medical Center Turns Away Patients Because of Malware Infection (December 9 & 10, 2011)
Last week, a hospital in Georgia had to ask ambulances to take patients to other area hospitals after its computer system became infected with malware that slowed down patient registration and other functions. The cyber infection was discovered on Wednesday, December 7; the hospital reverted to old-fashioned paperwork. The malware affected patient registration times, pharmacy operations, and accessibility to radiology and laboratory results. Gwinnett Medical Center, which is a trauma center, accepted severe cases such as respiratory distress, cardiac issues, and other traumas, but sent other cases to area hospitals. The center was back to accepting all patients as of Saturday evening, December 10.
-http://www.ajc.com/news/gwinnett/ambulances-turned-away-as-1255750.html
-http://www.examiner.com/headlines-in-atlanta/gwinnett-medical-no-longer-on-diversion-status
-http://www.cbsatlanta.com/story/16231305/virus-infects-gwinnett-medical-center-forces-ambulances-away
[Editor's Comment (Northcutt): Hmmm, the malware is believed to be Silly FDC, which spreads largely by USB removable media, and several sites say it is fairly harmless:
-http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99
-http://www.2-spyware.com/remove-sillyfdc.html]
************************ SPONSORED LINK **********************************
Take the first annual SANS Mobility Survey and Win $250
Take this groundbreaking survey to help determine policy, controls and standards needed to enable users to use their own small mobile devices for work-related functions. Also be entered to win a $250 American Express Card Giveaway when results are announced in late March at www.sans.org/webcasts.
Follow this link to the survey: http://www.sans.org/info/93804
****************************************************************************
THE REST OF THE WEEK'S NEWS
SOPA Amendments Aim to Clarify Proposed Anti-Piracy Legislation (December 12, 2011)
US Representative Lamar Smith (R-Texas) has introduced changes to the controversial Stop Online Piracy Act (SOPA) that appear to temper the proposed legislation's reach. Originally, SOPA allowed rights holders to have payment processors cease doing business with suspect websites without a judge's approval. Now, before a site can be taken down, the rights holders must obtain an order from a judge to get payment processors to sever business dealings with the suspect sites. The legislation will not apply to sites that end with .com, .net, and .org; only foreign websites will be subject to SOPA's provisions. Remaining untouched are provisions that allow the DoJ to demand that Internet service providers (ISPs) block customers from visiting these sites. The bill no longer requires ISPs to alter DNS, but they may still choose to do so to comply with blocking orders.
-http://www.wired.com/threatlevel/2011/12/sopa-watered-down-amendment/
-http://news.cnet.com/8301-31921_3-57341679-281/sopa-foes-marshal-opposition-before-house-panel-vote/
-http://www.techdirt.com/articles/20111212/14010917054/lamar-smith-proposes-new-version-sopa-with-just-few-changes.shtml
Most US Data Theft Originating in China is the Work of a Dozen Groups (December 12, 2011)
The bulk of data theft committed against US companies and government agencies appears to be conducted by about 12 Chinese groups, according to analysts. Most of the groups are backed by the Chinese government. The analysts, who have worked with businesses and the government regarding cyber intrusions, say that the attacks bear signatures that identify them as being part of certain hacking groups.
-http://www.boston.com/news/nation/articles/2011/12/12/a_few_chinese_hacker_teams_do_most_us_data_theft/
-http://www.washingtonpost.com/business/summary-box-as-few-as-12-hacker-teams-responsible-for-bulk-of-china-based-data-theft/2011/12/12/gIQAjipmpO_story.html
[Editor's Note (Murray): These anonymous sources carry about as much weight as water cooler gossip. ]
Six Arrested in Connection with Student Loan Phishing Scheme (December 9, 10 & 12, 2011)
Six people have been arrested for their alleged roles in a phishing scheme that targeted university students in the UK. The phishing emails included a link that, when clicked, took the recipients to a site where they were asked to update their personal information for their student loan accounts. Those allegedly involved with the scheme used the stolen information to access students' bank accounts and steal funds. In all, police say the cyber thieves stole more than GBP 1 million (US $1.56 million).
-http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/six-arrested-in-student-loan-phishing-swoop-10024991/
-http://www.bbc.co.uk/news/uk-england-16122836
-http://www.theregister.co.uk/2011/12/09/met_arrest_phishing_scam/
Telstra Customer Database Accidentally Exposed (December 9, 10 & 12, 2011)
Telstra has reset passwords for 60,000 accounts after a data breach exposed the information. The telecommunications and media company took its customer self-service site offline after learning that the information had been inadvertently exposed when Google indexed it. The compromised data include passwords, usernames, and addresses. An internal investigation has been launched to determine how the data came to be exposed and to prevent the situation from recurring, and Australia's Privacy Commissioner is also investigating the breach.
-http://www.scmagazine.com.au/News/282986,telstra-resets-60k-passwords-after-privacy-gaffe.aspx
-http://www.smh.com.au/it-pro/security-it/site-disabled-after-telstra-customer-personal-details-show-up-online-20111209-1onpd.html
-http://www.zdnet.com.au/telstra-exposes-customer-information-339327696.htm
-http://www.theregister.co.uk/2011/12/09/telstra_opens_customer_database_in_egregious_blunder/
-http://www.zdnet.com.au/telstras-breach-worse-than-sony-voda-339327801.htm
Senator Wyden Seeks Answers About Domain Seizure Operation (December 9 & 11, 2011)
US Senator Ron Wyden (D-Oregon) wants answers from the Department of Homeland Security (DHS) about a program known as In Our Sites, an operation in which domains were seized, after learning that a music review site's domain was held for a year without its owner being given an opportunity to challenge the seizure. The site in question, Dajaz1.com, was seized in November 2010 for allegedly letting users download music that had not yet been released. In this case, some of the music had been sent to the site by the artists or their labels. All documents relating to the seizure were sealed except for the initial court order filing. The site was returned late last week by Immigration and Customs Enforcement (ICE), which is a part of DHS, with the acknowledgment that the seizure was unwarranted.
-http://www.wired.com/threatlevel/2011/12/wyden-domain-seizure/
-http://www.pcworld.com/article/246010/us_immigration_services_blasted_for_domain_seizures.html
Two Flaws in Adobe Flash Player (December 9, 2011)
The US Computer Emergency Readiness Team (US-CERT) has issued an advisory warning of a pair of vulnerabilities in Adobe Flash Player. The remote code execution flaws are exploitable through malicious Flash content placed on websites or in PDF documents. The company that disclosed the flaws does not plan to contact Adobe about them, having announced several years ago that it would no longer notify vendors of flaws it finds in their products. No attacks have been detected in the wild.
Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=12166
-http://isc.sans.edu/diary.html?storyid=12160
-http://www.computerworld.com/s/article/9222546/Two_zero_day_vulnerabilities_found_in_Flash_Player?taxonomyId=85
Microsoft Issues Offline Windows Defender Beta (December 9 & 12, 2011)
Microsoft has issued a beta offline version of its Windows Defender anti-malware tool. The tool will be especially useful for users whose machines are infected with malware that prevents them from accessing security sites, because it can be used to boot infected PCs.
-http://www.h-online.com/security/news/item/Microsoft-releases-Windows-Defender-Offline-tool-beta-1392853.html
-http://www.theregister.co.uk/2011/12/09/microsoft_offline_av_tool/
-http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
-http://www.infoworld.com/t/security-tools/microsoft-releases-old-recovery-software-in-new-wrapper-181461
Judge Rules That Some Banks Failed to State Proper Claims for Seeking Damages from Heartland (December 7 & 9, 2011)
US District Judge Lee Rosenthal has dismissed all but one of the claims brought by banks against Heartland Payment Systems regarding the data breach that exposed payment card account information. Heartland disclosed the breach in 2009; it actually took place in 2007. The civil complaints filed against Heartland were consolidated in the Southern District of Texas and were separated into consumer complaints and financial institution complaints. Judge Rosenthal said that the majority of the banks had not provided proper claims to seek damages; his ruling allows them to amend their claims.
-http://www.computerworld.com/s/article/9222549/Court_dismisses_most_breach_claims_against_Heartland_by_banks?taxonomyId=144
-http://www.courthousenews.com/2011/12/07/42036.htm
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/