SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #13

February 14, 2012

NSA's discovery is the top story this week because it illuminates the
most effective technique for blocking targeted (APT) intrusions.

This week's second story (on the Senate Cyber Bill) will get more
general news coverage, but the rest of the story hasn't yet been
reported. It will tell how six people, getting paid, on average,
hundreds of thousands of dollars each year as government affairs
representatives for American technology industry groups and companies,
decimated a draft bill that would have been the first legislative step
toward turning the tide against the attackers. The six demanded so many
loopholes in the draft bill that it ought to be renamed the "Chinese
cyber espionage protection act," because it enables attackers while
hamstringing defenders; and they continue to demand more loopholes.
These six people, had they worked for the auto industry in Washington
in the 50s, would have said, "requiring seat belts in cars is government
over-regulation, but we are patriots here to protect the American
people, so we will support the bill, as long as it applies only to cars
with three wheels."

Alan

---

TOP OF THE NEWS

NSA's Application Whitelisting Breakthrough
Senate Cyber Security Bill to be Introduced This Week

THE REST OF THE WEEK'S NEWS

Valve Says Encrypted Customer Payment Data Were Likely Stolen
TicketWeb System Hacked
CIA Website Attacked with DDoS
Google Blocking Use of Pre-Paid Cards With Google Wallet Until Flaw Addressed
Hackers Steal Data From Microsoft's Online Store for India
Mozilla Fixes Critical Bug in Firefox 10
AT&T Throttling Heaviest Data Users
US Air Force Plans to Use Tablets in Move to Paperless Cockpits
Iranian Government Blocking Encrypted Internet Traffic
Trojan Exploits Known Hole in Microsoft Office

---

*********************** SPONSORED BY Quest Software **********************
Using sudo? Centralize the management of sudo, the sudoers policy file and reporting on sudoers access rights and activities. Quest One Privilege Manager for Sudo makes administering sudo easy, intuitive and consistent - eliminating the inefficient and inconsistent box-by-box management.
Visit http://www.sans.org/info/98994for a free trial.
**************************************************************************
TRAINING UPDATE

- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

- -- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses.
http://www.sans.org/appsec-2012/

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: https://www.sans.org/index.php
************************************************************************

---

TOP OF THE NEWS

NSA's Application Whitelisting Breakthrough (February 10, 2012)

The National Security Agency (NSA) has developed an approach to application whitelisting that consumes considerably fewer resources to deploy than standard whitelisting techniques. Instead of purchasing expensive software and employing people to update whitelists, the NSA's approach focuses on specific areas of computers where downloaded applications are permitted to execute.
-http://www.nextgov.com/nextgov/ng_20120210_8712.php?oref=topnews
-http://gcn.com/articles/2012/02/13/nsa-whitelisting-apps-secure-systems.aspx
[Editors' Note (Ullrich, Paller): Application whitelisting still hasn't reached the mainstream adoption it deserves. If you thought it was too hard to implement because of false positives, consider this as a wake up call that (you have no idea what's running on your systems, and) you can stop rogue software and cost-effectively. Yes it has weaknesses (like in-memory scanning), but they are dwarfed by the benefits. Now someone please come up with a good whitelisting solution for OS X. ]

Senate Cyber Security Bill to be Introduced This Week (February 9 & 13, 2012)

A bill scheduled to be introduced in the US Senate on Tuesday, February 14, would grant the US Department of Homeland Security (DHS) the authority to strengthen security standards for privately owned network that support the country's critical infrastructure. The bill would also allow companies from various economic sectors to appeal the need to comply with certain regulations. A hearing on the bill is scheduled for Thursday, February 16.
-http://thehill.com/blogs/hillicon-valley/technology/210349-senate-cybersecurity-
bill-would-let-firms-appeal-regulations
-http://www.federaltimes.com/article/20120209/IT01/202090309/1015/CONGRESS02

---

THE REST OF THE WEEK'S NEWS

Valve Says Encrypted Customer Payment Data Were Likely Stolen (February 13, 2012)

Valve says that hackers have likely stolen encrypted payment information, including credit card numbers, belonging to users of the Steam online game distribution platform. The data theft occurred during an intrusion last year; the information was taken from a backup database. Valve acknowledged the intrusion in November 2011, and said at the time that there was no evidence of the payment card data having been taken. Valve notified Steam users of the situation by email before sending official breach notification letters. An investigation is ongoing, but UK authorities have a man in custody who claimed he had downloaded Steam usernames, passwords, and credit card information.
-http://www.csoonline.com/article/700059/hackers-probably-stole-steam-transaction
-data-valve-says

TicketWeb System Hacked (February 13, 2012)

Ticketmaster has acknowledged that hackers accessed a computer system at its TicketWeb subsidiary. The attackers used the compromised system to send TicketWeb customers email messages that contained links to malicious sites. The messages told the recipients that they needed to download the newest version of Adobe Acrobat. The company says that no financial data were compromised in the attack.
-http://www.v3.co.uk/v3-uk/news/2152067/hackers-target-ticketweb-customers-email-
database-hack
-http://www.zdnet.co.uk/news/security-threats/2012/02/13/hackers-compromise-ticke
tweb-email-system-40095026/
-http://www.theregister.co.uk/2012/02/13/ticketweb_email_lists_hacked/
[Editor's Note (Murray): "Click here to download the latest version of Adobe Reader" is my favorite bait message. Putting it on Ticketmaster strikes a little too close to home.
(Ullrich): This one could have been worse, and the attackers didn't play this well. The phishing email they sent could have referred to a prior order with Ticketweb to trick users into giving up credit card details. Instead, the attacker went for a rather lame flash update ruse. ]

CIA Website Attacked with DDoS (February 13, 2012)

The website of the US Central Intelligence Agency (CIA) came under attack late last week, and appears to be continuing to experience intermittent connectivity issues as of Monday, February 13. Anonymous initially claimed responsibility for the distributed denial-of-service (DDoS) attack, but later communications claimed, "If we report a hack or DDoS attack, it doesn't necessarily mean we did it."
-http://www.informationweek.com/news/security/attacks/232600729

Google Blocking Use of Pre-Paid Cards With Google Wallet Until Flaw Addressed (February 13, 2012)

Google has temporarily blocked the use of pre-paid cards through Google Wallet while it addresses a pair of flaws that could be exploited to steal funds from users' accounts. Until the problems are addressed, users will not be able to add money to their Google wallet accounts with pre-paid cards. The attacks, which have been released in the wild, can crack users' PINs.
-http://news.cnet.com/8301-1009_3-57376429-83/google-wallet-disables-prepaid-card
-use-following-latest-hacks/
-http://www.theregister.co.uk/2012/02/13/google_wallet_lock/
-http://www.v3.co.uk/v3-uk/news/2152199/google-moves-calm-fears-wallet-attacks

Hackers Steal Data From Microsoft's Online Store for India (February 13, 2012)

Microsoft's online store that serves customers in India has fallen prey to hackers. Microsoft's Store India has been taken offline while the problem is addressed. The attackers accessed the store's customer database. Someone connected with the group claiming responsibility for the attack said that they found unencrypted data on the site. The compromised information includes usernames and passwords. The information could be used to launch spear phishing attacks.
-http://content.usatoday.com/communities/technologylive/post/2012/02/hackers-brea
ch-database-of-microsofts-india-store/1
-http://news.cnet.com/8301-1009_3-57376462-83/microsoft-online-customer-accounts-
hacked-in-india/

Mozilla Fixes Critical Bug in Firefox 10 (February 13, 2012)

Mozilla has pushed out a fix for a critical flaw in Firefox 10, just a week after the newest version of the browser was released. Firefox 10.0.1 fixes a vulnerability that could be exploited to crash the browser. Firefox 10 shipped on January 31; the update was pushed out on February 7. At the same time, Mozilla updated other products to address the same issue, releasing Firefox ESR 10.0.1, Thunderbird 10.0.1, Thunderbird ESR 10.0.1, and SeaMonkey 2.7.1
-http://www.h-online.com/security/news/item/Mozilla-closes-critical-security-hole
-in-Firefox-Thunderbird-and-Seamonkey-1433248.html
-http://www.computerworld.com/s/article/9224192/Mozilla_patches_critical_Firefox_
bug?taxonomyId=85

AT&T Throttling Heaviest Data Users (February 13, 2012)

AT&T has begun cracking down on customers who are among the heaviest cellular data users by throttling their data speeds. The move is part of the company's new plan to manage network data usage. AT&T stopped selling unlimited data plans in 2010, but there are still 17 million customers who have plans that predate the change. The company warned users last year that the plan would be put in place.
-http://www.seattlepi.com/news/article/AT-T-customers-surprised-by-unlimited-data
-limit-3308535.php

US Air Force Plans to Use Tablets in Move to Paperless Cockpits (February 10, 2012)

The US Air Force is considering buying iPads or other similar devices for flight crew members. The tablets would be used to replace the bulky cases loaded with paper charts and manuals used by pilots and navigators. The bags can weigh as much as 40 pounds. The US Department of Defense's Air Mobility Command updates flight charts every 28 days. Some commercial airlines have already obtained Federal Aviation Administration approval to use iPads in their cockpits.
-http://www.latimes.com/business/technology/la-fi-tn-us-air-force-18000-ipads-201
20210,0,8910.story
-http://www.pcmag.com/article2/0,2817,2400158,00.asp
-http://www.popsci.com/technology/article/2012-02/air-force-buying-ipads-replace-
flight-bags

Iranian Government Blocking Encrypted Internet Traffic (February 9 & 10, 2012)

There are reports that the Iranian government has begun blocking encrypted Internet traffic. According to a post by an Iranian resident, the "government has shut down the https protocol." Another post said that "SSH has been disabled for a few months," and computer users in Iran are reporting seeing error messages that read, "According to computer crime regulations, access to this web site is denied."
-http://arstechnica.com/tech-policy/news/2012/02/iran-reportedly-blocking-encrypt
ed-internet-traffic.ars
-http://www.washingtonpost.com/blogs/blogpost/post/iran-begins-blocking-access-to
-gmail-other-sites/2012/02/09/gIQAlZ0i1Q_blog.html
[Editor's Note (Murray): I think that is called cutting off one's nose to spite one's face. By the time that they have blocked the "low hanging fruit" they will have broken the WWW but the traffic that really offends them will continue. ]

Trojan Exploits Known Hole in Microsoft Office (February 9, 2012)

A Trojan horse program detected by Symantec researchers exploits a known vulnerability in Microsoft Office to infect computers. The malware has been detected in the wild and is being used in targeted attacks. The attack uses email messages with attachments that contain a Microsoft Word file with an embedded ActiveX control and an accompanying DLL file. Microsoft issued a fix for the flaw in September 2011, in bulletin MS11-073.
-http://www.scmagazine.com/trojan-appears-that-leverages-patched-microsoft-office
-flaw/article/227196/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/