
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #16

February 24, 2012


One of the rarest of men died yesterday, far too soon. Paul Bartock was
a Renaissance man. He was a carpenter and a paramedic and he was one of
the top cybersecurity engineers in the United States. When you hear
people say, "NSA has the best cybersecurity talent," they were talking
in many, many cases about the groups that Paul led at the National
Security Agency. He was at home with generals and equally so with
maintenance folks and also with the product development gurus shaping
the future of information and networking technology. I could go on, but
there will be a chance to share Paul stories in Washington in three
weeks at a memorial service where we can raise a glass to him and share
our recollections. Some of his co-workers are collecting "Paul stories"
so if you have one you are willing to share, please send it to
apaller@sans.org (subject Paul). And if you would like to do even more,
a Paul Bartock Scholarship Fund has been established to help young men
and women who attend any of the University of Maryland schools to
complete their education so they can follow Paul in using technology to
serve the nation. Send checks to Paul Bartock Scholarship Fund at the
Community Foundation, 5404 Falmouth Road, Bethesda, MD 20816.

Alan

TOP OF THE NEWS

FCC Chairman Calls for ISPs to Help Fight Botnets

THE REST OF THE WEEK'S NEWS

US Air Force Cancels iPad Purchase Plan
White House Releases Consumer Privacy Bill of Rights
Feds Seek Extension for Surrogate Servers in DNSChanger Case
Azerbaijan Airline and Television Websites Hacked
DOJ Wants Supreme Court to Stop Challenge to FISA
IPv6 DDoS Attacks Detected
Many Users Have Still Not Patched pcAnywhere
News of the World Hacker's Name Revealed
Canadian Legislature to Consider Online Child Protection Bill


************************** SPONSORED BY SANS *****************************
Take the SANS 8th Annual Log and Event Management Survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/100296
**************************************************************************
TRAINING UPDATE
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

-- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Francisco, Stuttgart, Boston, Abu Dhabi, and Toronto all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org/index.php
************************************************************************

TOP OF THE NEWS

FCC Chairman Calls for ISPs to Help Fight Botnets (February 22, 2012)

US Federal Communications Commission (FCC) Chairman Jules Genachowski said that Internet service providers (ISPs) should notify customers when activity suggesting their computers have been infected with malware is detected. Genachowski has called for an industry standard among ISPs to help prevent attacks that infect users' computers. Specifically, Genachowski wants ISPs to develop a code to fight botnets. The plan would be voluntary.
-http://www.bloomberg.com/news/2012-02-22/fcc-chief-presses-internet-providers-on-cybersecurity.html

-http://www.computerworld.com/s/article/9224485/FCC_chairman_calls_on_ISPs_to_adopt_new_security_measures?taxonomyId=17

[Editor's Note (Murray): I argue that ISPs have an obligation to protect the Internet from their customers. As long as they put it in their terms of use and as long as there are competitive ISPs, I see no problem here. My ISP charges me extra if I want to operate an SMTP server. It's in the service agreement.
(Pescatore): The Australian ISPs agreed to a voluntary "code of conduct" in late 2010 called iCode where they do this. I think I've only seen it used once to isolate an infected home PC when the owner did not respond to numerous notifications, but many have been notified. As long as ISPs are given some cover from the various anti-trust, net neutrality and privacy concerns, this is a good thing. ]


**************************** Sponsored Link:***********************
1) Privileged Password Sharing: Root of All Evil Featuring Senior SANS Analyst, J. Michael Butler, and Jason Fehrenbach from Quest Software. http://www.sans.org/info/100301
************************************************************************

THE REST OF THE WEEK'S NEWS

US Air Force Cancels iPad Purchase Plan (February 23, 2012)

The US Air Force has abruptly cancelled its plans to use iPads as flight books in place of paper-filled flight bags. While no explanation has been given for the decision, NextGov Editor at Large Bob Brewin recently questioned the Air Force's plan to use the GoodReader document viewing application with the devices because the developer is Russian.
-http://www.washingtonpost.com/business/technology/air-force-does-an-about-face-with-ipad-order/2012/02/23/gIQAOCxMWR_story.html

-http://www.nextgov.com/nextgov/ng_20120221_7036.php
-http://www.pcworld.com/article/250498/air_force_abruptly_scraps_ipad_plan_for_special_ops.html

White House Releases Consumer Privacy Bill of Rights (February 23, 2012)

The White House has issued a set of voluntary guidelines for online companies that aims to give people more control over how their personal data are collected and used. The Consumer Privacy Bill of Rights comprises seven principles: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.
-http://www.nextgov.com/nextgov/ng_20120223_5522.php?oref=topnews
-http://arstechnica.com/tech-policy/news/2012/02/white-house-announces-new-privacy-bill-of-rights-do-not-track-agreement.ars

-http://www.washingtonpost.com/business/technology/obama-administration-backs-voluntary-guidelines-for-web-privacy/2012/02/22/gIQAFHLWUR_story.html

-http://news.cnet.com/8301-1009_3-57383300-83/obama-unveils-consumer-privacy-bill-of-rights/

Feds Seek Extension for Surrogate Servers in DNSChanger Case (February 23, 2012)

US federal prosecutors are seeking a three-month extension to continue to operate surrogate DNS servers set up to allow users infected with the DNSChanger Trojan to clean their machines. The current court order expires on 8th March. The malware is estimated to have infected four million computers around the world. The malware redirected surfers to malicious websites and disabled anti-virus and software updates. Officials in the US obtained a court order allowing them to replace the rogue DNS servers with others under their own control. The infected users were to have been notified by ISPs, but not all have removed the malware from their computers, and if the temporary servers were shut off, users would be unable to access the Internet. The FBI is also attempting to extradite six people from Estonia in connection with DNSChanger.
-http://www.scmagazine.com/prosecutors-request-more-time-for-trojan-removal/article/229114/

-http://arstechnica.com/business/news/2012/02/500000-zombies-risk-death-as-dnschanger-court-order-nears-expiration.ars

-http://krebsonsecurity.com/2012/02/feds-request-dnschanger-deadline-extension/
-https://www.computerworld.com/s/article/9224491/Feds_request_DNS_Changer_extension_to_keep_400K_users_online

[Editor's Note (Honan): Working in the CERT community I am aware that many ISPs, never mind end users, are unaware of DNSChanger or the implications of this court order expiring. As such this extension is important to ensure more time is given so clear, unambiguous and effective guidelines can be communicated to the ISPs and end users so infected machines can be removed with minimal disruption to the users and indeed the ISPs. ]

Azerbaijan Airline and Television Websites Hacked (February 23, 2012)

Officials in Azerbaijan say that the websites of the national airline, AZAL, and the state television station have been attacked. In January, cyber attackers defaced the websites of more than a dozen state bodies. Officials in Azerbaijan are saying the attacks originated in Iran. There has been growing tension between the two nations.
-http://www.vancouversun.com/business/technology/Iran+Cyber+Army+hits+Azerbaijan+state+site/6197748/story.html

DOJ Wants Supreme Court to Stop Challenge to FISA (February 22, 2012)

The US Department of Justice (DOJ) is asking the Supreme Court to stop a challenge to the FISA Amendments Act, which legalizes warrantless wiretapping as long as one of the parties involved in the communication is outside the US. Specifically, DOJ wants the court to review an appellate court decision allowing the lawsuit challenging provisions of the act to proceed.
-http://www.wired.com/threatlevel/2012/02/scotus-fisa-amendments/

IPv6 DDoS Attacks Detected (February 20 & 22, 2012)

The first distributed denial-of-service (DDoS) attacks targeting IPv6 networks have been reported. The milestone is both bad news and good news: while attacks are never desirable, the fact of their presence indicates a growing adoption of the next generation Internet traffic protocol. It also underscores the fact that IPv6 is not more secure than IPv4.
-http://www.h-online.com/security/news/item/Report-IPv6-sees-first-DDoS-attacks-1440502.html

-http://www.zdnet.com/blog/networking/first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039

[Editor's Note (Murray): In Internet Protocol openness trumps accountability. Is that the wrong priority? ]

Many Users Have Still Not Patched pcAnywhere (February 21 & 22, 2012)

Researchers estimate that between 150,000 and 200,000 machines are running unpatched versions of pcAnywhere. In addition, there could be as many as 5,000 machines running point-of-sale programs that are also running pcAnywhere. A month ago, Symantec acknowledged that attackers had stolen source code related to the product. It urged users to disable or uninstall pcAnywhere until the company released a patch, which happened a week later. Furthermore, even patched versions of pcAnywhere are still vulnerable to attacks; exploit code that can be used to crash the program has been posted to the Internet.
-http://www.computerworld.com/s/article/9224481/Researcher_200_000_Windows_PCs_vulnerable_to_pcAnywhere_hijacking?taxonomyId=17

-http://www.informationweek.com/news/security/vulnerabilities/232601182?queryText=pcanywhere

"News of the World" Hacker's Name Revealed (February 20 & 21, 2012)

Former British Army intelligence officer Philip Campbell Smith has been identified as the person who allegedly used a Trojan horse program to gain access to another army intelligence officer's computer on behalf of a "News of the World" editor. Smith was convicted of conspiring to access private information for profit. His identity had been cloaked until earlier this week, when legal restraints were lifted. Smith has admitted to stealing information from private databases.
-http://www.theregister.co.uk/2012/02/21/notw_computer_hacker_named/
-http://www.guardian.co.uk/technology/2012/feb/20/news-world-hacking-suspect-conspiracy?newsfeed=true

-http://www.telegraph.co.uk/journalists/mark-hughes/9095733/Convicted-blagger-allegedly-hacked-emails-for-News-of-the-World.html

Canadian Legislature to Consider Online Child Protection Bill (February 14, 2012)

A bill aimed at protecting children from online predators has been introduced in Canada's House of Commons. Bill 30-C, the Protecting Children from Internet Predators Act, would require telecom providers to "implement and maintain systems capable of lawfully intercepting communications ... to support the police and CSIS when needed, and provide basic subscriber information ... to designated ... officials upon request."
-http://www.reuters.com/article/2012/02/14/idUS203620+14-Feb-2012+MW20120214


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/