SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #14

February 17, 2012

TOP OF THE NEWS

FBI Says Social Network Monitoring Plan Will Abide By Privacy Rules
EU Court of Justice Says Social Networks Cannot be Forced to Filter for Piracy
Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data

THE REST OF THE WEEK'S NEWS

Cyber Security Legislation Meets With Criticism From Many Angles
Adobe Issues Out of Cycle Fix for Flash
Microsoft Patches 21 Flaws
Stolen Stratfor Data Used in Targeted Attacks
UK Police Shutter Alleged Filesharing Site
New Version of Waledac Steals Information
Nortel Execs Knew About Data Breach Years Ago
Cryptome Infected With Drive-By Download Exploit

---

*********************** SPONSORED BY SANS *******************************
1. Take the SANS 8th Annual Log and Event Management Survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/99594

2. SANS Analyst Webcast: Needle in a Haystack? Getting to Attribution in Control Systems, featuring control systems expert Matt Luallen on Wednesday, February 22 http://www.sans.org/info/99599
**************************************************************************
TRAINING UPDATE

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

-- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************

---

TOP OF THE NEWS

FBI Says Social Network Monitoring Plan Will Abide By Privacy Rules (February 14, 2012)

The FBI is attempting to allay concerns about user privacy over its plan to monitor social networking sites by making assurances that all its activity will comply with privacy and civil rights requirements. The FBI says that quick analysis of information posted on sites like Facebook and Twitter will help detect imminent threats. The US Department of Homeland Security (DHS) has conducted similar monitoring; that activity has prompted the Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC) to call for greater transparency of such undertakings.
-http://www.computerworld.com/s/article/9224247/FBI_says_social_media_monitoring_
won_t_infringe_privacy_rights?taxonomyId=17
[Editor's Note (Murray): I have been expecting this since Facebook emerged. Most Facebook users have no idea what they are doing when they "friend" someone. Few of us have "six degrees' of separation from a rogue, terrorist, or pornography fan. We saw in the fifties that FBI monitoring of association inevitably gives rise to a presumption of guilt. ]

EU Court of Justice Says Social Networks Cannot be Forced to Filter for Piracy (February 16, 2012)

The European Court of Justice has ruled that copyright holders may not force social networking sites to use filters to thwart illegal filesharing. The court said that compelling the sites to use filters would violate users' rights to protection of personal information, and places a "complicated
[and ]
costly" burden on the sites while offering them no benefit.
-http://www.computerworld.com/s/article/9224305/Copyright_holders_dealt_blow_in_E
U_social_networking_case?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57379062-83/eu-court-social-networks-cant-be-fo
rced-to-monitor-users/
-http://www.msnbc.msn.com/id/46411861/ns/technology_and_science-security/
[Editor's Note (Murray): The publishing industry is not going to willingly give up the idea that copy rights trump all others.]

Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data (February 15, 2012)

US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users' contacts. The inquiry follows close behind news that the Path app downloaded users' address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.
-http://news.cnet.com/8301-1009_3-57378450-83/lawmakers-ask-apple-to-explain-ipho
ne-app-privacy-policies/
-http://www.computerworld.com/s/article/9224292/Apple_to_ban_stealthy_iPhone_cont
act_data_harvesting?taxonomyId=17
-http://www.h-online.com/security/news/item/Apple-Future-iOS-release-will-require
-user-permission-for-apps-to-access-address-book-1435404.html
-http://technolog.msnbc.msn.com/_news/2012/02/15/10416360-iphone-flaw-allows-apps
-access-to-your-contacts
[Editor's Comment (Northcutt): I wonder if they will be in time to avoid a major disaster. I was surprised to read on slashdot that your data was safer on unapproved apps for jailbroken iPhones than on approved apps from Apple's store:
-http://apple.slashdot.org/story/12/02/15/0036242/unauthorized-ios-apps-leak-priv
ate-data-less-than-approved-ones]

---

THE REST OF THE WEEK'S NEWS

Cyber Security Legislation Meets With Criticism From Many Angles (February 16, 2012)

Republican Senators have expressed concern that the recently introduced Cyber Security Act is moving too quickly, saying that the legislation needs to go through hearings and markup. Some critics of the bill say it would impose expensive regulations on US companies. Others say it contains too many loopholes to allow companies exemptions, leaving the country inadequately protected from cyber attacks.
-http://www.politico.com/news/stories/0212/72943.html
-http://www.washingtonpost.com/politics/experts-cyber-security-bill-critical-step
-should-be-stronger-cover-more-companies/2012/02/16/gIQADGAtHR_story.html
-http://www.computerworld.com/s/article/9224341/Cybersecurity_bill_would_create_c
ostly_regulations_say_critics?taxonomyId=17
-http://www.wired.com/threatlevel/2012/02/cybersecurity-act-of-2012/
-http://www.csmonitor.com/USA/2012/0216/Loopholes-leave-America-with-weak-cyberse
curity-plan-experts-say

Adobe Issues Out of Cycle Fix for Flash (February 16, 2012)

Adobe has released an updated version of Flash that addresses seven vulnerabilities, one of which is currently being actively exploited in the wild. The cross site scripting (XSS) flaw is being exploited in targeted attacks through email; the messages contain links to malicious sites, where the attackers could then take action on the users' behalf. The zero-day attacks for the XSS flaw are targeting only Windows versions of Flash. The other six flaws could be exploited to crash vulnerable systems and possibly take control of them; there have been no reported attacks that exploit these flaws. Users are urged to upgrade as soon as possible. The current version of Flash is now 11.1.102.62 for Windows, Mac, Linux, and Solaris.
-http://www.informationweek.com/news/security/vulnerabilities/232600976
-http://www.scmagazine.com/adobe-patches-flash-because-of-ongoing-attacks/article
/227935/

Microsoft Patches 21 Flaws (February 15 & 16, 2012)

Of the 21 vulnerabilities addressed in Microsoft's Patch Tuesday for February 2012, the general consensus is that the bulletin addressing flaws in Internet Explorer (IE) is the most critical. The security bulletin, MS12-010, provides fixes for four vulnerabilities in all supported versions of IE. Six of the 21 vulnerabilities patched on February 14 were deemed critical by Microsoft.
-http://www.theregister.co.uk/2012/02/15/patch_tuesday/
-http://www.computerworld.com/s/article/9224255/Microsoft_quashes_21_bugs_blocks_
drive_by_attacks?taxonomyId=17

Stolen Stratfor Data Used in Targeted Attacks (February 15, 2012)

Information stolen from Stratfor is reportedly being used to send email containing malicious links to government clients of the geopolitical analysis company. To help protect customers from falling prey to the attacks, Stratfor has instituted a "no-link" policy for official email. The data breach occurred in late 2011; it exposed information of as many as 860,000 subscribers from both the public and private sectors. The compromised data include email addresses and some credit card information. The hackers are sending emails that appear to be instructing recipients to protect themselves from attacks, but the link provided, which the message claims is antivirus software, infects their computers with malware.
-http://www.nextgov.com/nextgov/ng_20120215_5840.php

UK Police Shutter Alleged Filesharing Site (February 15, 2012)

The UK's Serious Organized Crime Agency (SOCA) has shut down the RnBXclusive.com website for enabling copyright infringement. The notice that greets people attempting to visit the site says, "The majority of music files that were available via this site were stolen from the artists," and warns that if users have downloaded music through the website, they could face criminal penalties carrying a sentence of up to 10 years in prison and an unlimited fine. The notice goes on to inform users that "SOCA has the capacity to monitor and investigate you, and can inform your internet service provider of these infringements."
-http://www.bbc.co.uk/news/technology-17039722
-http://arstechnica.com/tech-policy/news/2012/02/police-download-a-file-go-to-jai
l-for-10-years-and-pay-an-unlimited-fine.ars

New Version of Waledac Steals Information (February 15, 2012)

The Waledac botnet is back, and it's meaner than ever. Waledac, which started as the Storm botnet, was taken down by Microsoft two years ago. It was responsible for sending more than 1.5 billion spam messages a day at the height of its strength. This incarnation of the botnet has a more malicious bent; it has added the capacity to steal passwords and other credentials.
-http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/23
2600968/new-waledac-variant-goes-rogue.html
-http://www.computerworld.com/s/article/9224324/Waledac_malware_returns_after_two
_years_with_password_stealing_capabilities?taxonomyId=17

Nortel Execs Knew About Data Breach Years Ago (February 14, 2012)

Emerging news stories indicate that executives at Nortel knew of a breach of their data systems that occurred more than a decade ago, but took no action. A former Nortel employee conducted an investigation that uncovered evidence of the breach in 2004, but company executives blocked him from doing anything about it. Evidence suggests that hackers had been accessing the company's computer systems and stealing technical papers, business plans, research and development reports, and email. The attackers gained access to the system with seven passwords that belonged to Nortel executives.
-http://www.zdnet.com/blog/security/nortel-hacking-attack-went-unnoticed-for-almo
st-10-years/10304
-http://www.csoonline.com/article/700193/nortel-executives-knew-of-data-breach-ch
ose-to-do-nothing
[Editor's Note (Hoelzer): While some may wonder how important this story is given the economic problems of Nortel, it actually should give you pause if you have service contracts for your infrastructure equipment. Unless the device is being actively managed day to day through that service contract, I always prefer a policy of keeping out of band channels disconnected. Such a policy protects you not only from errors made by the company offering the service, but from security practices like this. I can only wonder how many people who previously ran Nortel infrastructures are wondering, as am I, whether their networks were penetrated through inside information stolen from Nortel years ago.
(Murray): I once asked a Nortel executive what the Nortel ethical culture was. He said "Behave as though your mother is watching." Making ethical choices is really difficult. ]

Cryptome Infected With Drive-By Download Exploit (February 14, 2012)

The Cryptome.org website was found to have been seeded with malware that infected users running Internet Explorer (IE) in a drive-by attack. Cryptome became aware of the situation last weekend when a reader informed the site's owners about a message his antivirus program generated while he was accessing the site. An investigation revealed that the malware had been planted on February 8; it infected site visitors with the Blackhole exploit kit. It is unclear how the malware was injected into the site.
-http://www.computerworld.com/s/article/9224241/Whistleblowing_site_Cryptome.org_
infected?taxonomyId=17
-http://www.theregister.co.uk/2012/02/14/cryptome_hacked/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/