SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #10

February 03, 2012

Is mobile security on your 2012 "to do list?" If yes, register for the
free program, The Spy in my Pocket, Goldfinger - Stealing Data from
Mobile Devices for Funds and Profits on February 9, 2012: covering
external and internal threats facing mobile devices and leading to the
theft of sensitive data.
https://www.sans.org/webcasts/spy-pocket-goldfinger-stealing-data-mobile-devices
-funds-profits-94906

Alan

---

TOP OF THE NEWS

Verisign Admits Breaches in SEC Filing
Romanian Police Arrest Alleged NASA and Pentagon Hacker
Google to Block Blogs on a Country-by-Country Basis

THE REST OF THE WEEK'S NEWS

Kernell's Appeal to Overturn Obstruction of Justice Conviction Denied
Apple Issues Security Updates
Kelihos Botnet Regaining Momentum
Spear Phishing Attack Plants Trojan on Targeted Computers
Google Won't Remove Apps with Counterclank Adware From Android Market
Mozilla Releases Firefox 10.0
Symantec Issues Hotfixes for pcAnywhere
FDIC Issues Warning About Risky Payment Processors
Pirate Bay Founders' Prison Sentences Stand

---

*********************** SPONSORED BY NitroSecurity **********************
Available ONDEMAND SANS Webcast:
Advanced Persistent Threats - Cutting Through the Hype Sponsored by NitroSecurity. Go to: http://www.sans.org/info/98481
**************************************************************************
TRAINING UPDATE

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 6 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

-- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************

---

TOP OF THE NEWS

Verisign Admits Breaches in SEC Filing (February 2, 2012)

In its 10-Q filing with the Securities and Exchange Commission (SEC), Verisign acknowledged having suffered several data security breaches in 2010, but notes that management did not learn about the incidents until September 2011, nearly a year after they occurred. Verisign says that data were stolen as a result of the breaches, but it did not specify what those data were.
-http://www.theregister.co.uk/2012/02/02/verisign_hacking_attack/
-http://www.computerworld.com/s/article/9223936/VeriSign_admits_multiple_hacks_in
_2010_keeps_details_under_wraps?taxonomyId=17
-http://www.wired.com/threatlevel/2012/02/verisign-hacked-in-2010/
[Guest Editor's Note (Jacob Olcott): The SEC is going to be an increasingly powerful motivator for companies to better secure their information networks. The fact that the world learned about the VeriSign breach through its SEC disclosure shows the importance of the October SEC guidance. ]

Romanian Police Arrest Alleged NASA and Pentagon Hacker (January 31 & February 1, 2012)

Police in Romania have arrested a man who allegedly broke into US government websites, including those of NASA and the Pentagon. Razvan Manole Cernaianu allegedly posted to the Internet information about SQL injection vulnerabilities he discovered on the websites. Romanian law enforcement authorities also allege that Cernaianu sold hacking tools online. Someone using the online moniker TinKode (believed to be Cernaianu) boasted about his online exploits, including hacking into the Royal Navy's site in late 2010, and into the European Space Agency's website. Officers from the FBI and NASA assisted in the investigation that led to Cernaianu's arrest.
-http://www.theregister.co.uk/2012/02/01/tinkode_nasa_hack_suspect_cuffed/
-http://news.cnet.com/8301-27080_3-57369342-245/romanian-arrested-on-pentagon-nas
a-hacking-charges/

Google to Block Blogs on a Country-by-Country Basis (January 31 & February 3, 2012)

Google has deployed technology that will allow it to block blogs on its free Blogger platform in specific countries to comply with local rules. Twitter has also announced that it will be blocking tweets in a similar way on a country-by-country basis. Google's system will direct users to country-specific domains. The localized censoring means the companies will not have to censor posts entirely.
-http://www.wired.com/threatlevel/2012/01/google-censoring-blogger/
-http://www.news.com.au/technology/google-can-now-censor-blogger-content-by-count
ry/story-e6frfro0-1226261606515

---

************************** SPONSORED LINKS ***************************
1) Ever wonder how insecure our nation's critical control systems really are? In this webcast, learn about real risks to these systems and what to do about them http://www.sans.org/info/98486
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Kernell's Appeal to Overturn Obstruction of Justice Conviction Denied (January 30 & February 2, 2012)

David Kernell, the Tennessee college student who was found guilty on hacking into then-vice presidential candidate Sarah Palin's Yahoo email account has lost an appeal to have his conviction for obstruction of justice thrown out. In 2008, Kernell gained access to the email account using publicly available information and posted some of the messages online. He tried to hide his activity by deleting information from his computer, which gave rise to the obstruction of justice charge.
-http://www.scmagazine.com/palin-hacker-appeal-rejected/article/225872/
-http://www.politico.com/blogs/under-the-radar/2012/01/court-upholds-conviction-i
n-sarah-palin-email-hack-112878.html

Apple Issues Security Updates (February 2, 2012)

Apple released its first security update of 2012 for Mac OS X, patching more than 50 vulnerabilities. Updates are available for Mac IS X 10.7, known as Lion, and for 10.6, or Snow Leopard. There are emerging reports that OS X 10.7.3 has been causing some problems for users, including crashing applications. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=12502
-http://www.eweek.com/c/a/Security/Apple-Fixes-52-Bugs-in-OS-X-Snow-Leopard-Lion-
in-Security-Update-103809/
-http://reviews.cnet.com/8301-13727_7-57370469-263/os-x-10.7.3-update-causing-cui
-interface-artifacts/
-http://www.computerworld.com/s/article/9223930/Apple_updates_Lion_patches_51_bug
s_in_Mac_OS_X
-http://www.v3.co.uk/v3-uk/news/2143131/apple-issues-security-update

Kelihos Botnet Regaining Momentum (February 1 & 3, 2012)

The Kelihos botnet, which Microsoft was instrumental in helping take down last year, appears to be regaining its foothold. Although Kelihos comprised a relative small number of machines - 45,000 - it had been responsible for sending out close to four billion spam messages a day at the height of its strength. Kelihos was crippled in September 2011 when researchers managed to get the infected machines to communicate with a server they controlled and stop the botnet's activity. The malicious code remained on the computers, however. Although the researchers controlling the "sinkhole" server, as it is called, could have sent a command to remove the malware, the action would have been illegal in some countries.
-http://www.computerworld.com/s/article/9223885/Kelihos_botnet_once_crippled_now_
gaining_strength?taxonomyId=17
-http://www.zdnet.com.au/kelihos-variants-slipped-microsofts-noose-339330987.htm

Spear Phishing Attack Plants Trojan on Targeted Computers (February 1, 2012)

A recently detected, sophisticated spear phishing attack disguises itself as conference invitations. The attack exploits unpatched flaws in Adobe Reader to place Trojans on vulnerable computers. The malware, once on the computer, manages to disguise itself as a Windows Update utility. The attack has been named MSUpdate Trojan. Researchers have evidence of similar attacks from what appears to be the same group of attackers, dating back to 2009. The Trojan steals information and sends it back to the command and control server, but the traffic is disguised as Windows Update traffic.
-http://www.theregister.co.uk/2012/02/01/spear_phishing_rats/
-http://www.eweek.com/c/a/Security/Trojan-Targets-Industry-Government-with-Fake-C
onference-Invitations-542238/

Google Won't Remove Apps with Counterclank Adware From Android Market (January 31 & February 1, 2012)

Thirteen apps that have been identified as containing adware known as Counterclank will remain available in Google's Android Market. The software was initially believed to be malware, but was then revealed to be associated with an aggressive marketing platform. Google says it is not removing the apps because they comply with the Android market's terms of service. The software has the capacity to change the browser homepage of mobile devices and to add bookmarks.
-http://www.informationweek.com/news/security/app-security/232600049
-http://www.scmagazine.com/google-wont-pull-android-apps-deemed-malicious/article
/225569/

Mozilla Releases Firefox 10.0 (February 1, 2012)

Mozilla has released a new version of its flagship browser, Firefox 10.0, for Windows, Mac, and Linux. Among the issues addressed is one that sometimes caused Firefox to crash when users tried to move their bookmarks. Mozilla has also added new developer tools in Firefox 10.0. Mozilla has also released new versions of its Thunderbird email client and Sea Monkey application suite. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=12490
-http://www.h-online.com/security/news/item/Mozilla-closes-critical-holes-in-Fire
fox-Thunderbird-and-SeaMonkey-1426048.html
-http://www.eweek.com/c/a/Application-Development/Mozillas-Firefox-10-Muscles-Up-
on-Developer-Tools-477285/
-http://www.zdnet.com/news/firefox-10-eases-add-on-updates-but-no-android-yet/634
2357

Symantec Issues Hotfixes for pcAnywhere (February 1 & 2, 2012)

Symantec has released hotfixes for its pcAnywhere software. The updates address all known vulnerabilities in versions 12.0, 12.1 and 12.5 (including SP2, SP2, and SP3). Concern about the vulnerability of the software arose when Symantec acknowledged that hackers stole source code associated with pcAnywhere in 2006 and shared it with others. Despite the update, some are concerned that because the source code has been leaked, hackers may have found previously undetected vulnerabilities in the software. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=12463
-http://www.informationweek.com/news/security/app-security/232600043
-http://www.theregister.co.uk/2012/02/02/pcanywhere_source_code_leak_sheanigans/

FDIC Issues Warning About Risky Payment Processors (February 1, 2012)

The Federal Deposit Insurance Corporation (FDIC) has issued guidance for banks and other financial services institutions, warning that certain third-party payment processors could prove to be security liabilities. The guidance describes the potential for "risks associated with relationships with third-party entities that process payments for telemarketers, online businesses, and other merchants."
-http://www.darkreading.com/vulnerability-management/167901026/security/news/2326
00097/fdic-warns-of-high-risk-payment-processors.html
-http://www.fdic.gov/news/news/financial/2012/fil12003.html
-http://www.fdic.gov/news/news/financial/2012/fil12003.pdf
[Editor's Comment (Northcutt): I have read the .pdf three times and I still cannot understand it. Is it possible we have a reader in the financial industry willing to provide a two paragraph summation of the problem and the guidance? If yes, send that to stephen@sans.edu. We can cite you as the source, or provide non-attribution as you prefer. Thank you!]

Pirate Bay Founders' Prison Sentences Stand (February 1, 2012)

Sweden's Supreme Court has refused to hear an appeal of the prison sentences for The Pirate Bay founders that were meted out by the Swedish Court of Appeals more than a year ago. Peter Sunde, Fredrik Neij, Carl Lundstrom, and Gottfrid Svartholm received sentences ranging from four months to one year. They also face a combined fine of 46 million kronor (US $6.8 million). They were convicted in 2009.
-http://www.wired.com/threatlevel/2012/02/supreme-court-of-sweden-upholds-pirate-
bay-prison-sentences/
-http://www.computerworld.com/s/article/9223874/Prison_terms_in_Pirate_Bay_trial_
stand_as_Supreme_Court_refuses_hearing?taxonomyId=17

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/