SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #19

March 06, 2012

TOP OF THE NEWS

Ex-CIA Director Sees New Phase Of Warfare Where Cyberweapons Create Physical Destruction
Global Arrests And Charges Against Members of Lulzsec Hacking Group
FCC Seeking Public Comment on Cell Phone Blocking

THE REST OF THE WEEK'S NEWS

Hackers Stole Michael Jackson's Entire Catalog From Sony
Senator Asks FTC to Investigate Google and Apple Over Possible App Privacy Violations
Google Updates Chrome
Adobe Issues Another Flash Player Fix
US Authorities Start Extradition Process in Megaupload Case
Anonymous Hacking Tool Infected With Trojan
NASA Suffered Intrusion at Jet Propulsion Lab
Cable Modem Hacker Convicted
Federal Agencies and Fortune 500 Companies Eradicating DNSChanger

---

********************** SPONSORED BY F5 Networks, Inc. ******************
WHITE PAPER: THE NEW DATA CENTER FIREWALL PARADIGM
The increasing sophistication, frequency, and diversity of today's network attacks are overwhelming conventional stateful security devices at the edge of the data center. Learn how to combat modern attacks while reducing capital expenditures. Download The New Data Center Firewall Paradigm
http://www.sans.org/info/100974
**************************************************************************
TRAINING UPDATE
- -- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 12 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

Ex-CIA Director Sees New Phase Of Warfare Where Cyberweapons Create Physical Destruction (March 4, 2012)

US television news magazine 60 Minutes recently ran a segment on Stuxnet, which was detected in June 2010. Former head of the National Security Agency and former CIA director Ret. Gen. Michael Hayden tells 60 Minutes, "We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction." He goes on to say that "A cyberweapon doesn't
[destroy itself when it is used ]
, so there are those out there who can take a look at this, study it, and maybe even attempt to turn it to their own purposes."
-http://news.cnet.com/8301-1009_3-57390326-83/60-minutes-profiles-threat-posed-by
-stuxnet/

Global Arrests And Charges Against Members of Lulzsec Hacking Group (March 6, 2012)

Law enforcement agents on two continents arrested three and charged two more members the hacking group LulzSec early this morning, charged with conspiracy. Law enforcement acted largely on evidence gathered by the organization's leader -- who sources say has been secretly working for the government for months.
-http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-
enforcement/
#ixzz1oM0suc7h">http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-
enforcement/#ixzz1oM0suc7h
-http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-
enforcement/

FCC Seeking Public Comment on Cell Phone Blocking (March 3, 2012)

The US Federal Communications Commission (FCC) is seeking public comment on intentional disruptions of wireless communications. The question was prompted by the shutdown of such services by San Francisco's Bay Area Rapid Transit (BART) subway police in August 2011 in the hopes of quelling planned protests. According to the FCC, 70 percent of 911 calls now come from mobile phones. The FCC is accepting comments through April 30, 2012 and will respond by May 30.
-http://arstechnica.com/tech-policy/news/2012/03/who-can-shut-down-cell-phone-ser
vice-fcc-seeks-public-comment.ars
-http://news.cnet.com/8301-1009_3-57389838-83/fcc-seeks-comment-on-police-shutdow
ns-of-cell-service/
-http://transition.fcc.gov/Daily_Releases/Daily_Business/2012/db0301/DA-12-311A1.
pdf

---

*********************** SPONSORED LINKS: *****************************
1) Webinar: Experts from Google, Identropy, Ping Identity and UnboundID discuss 2012 Top Security Threats. http://www.sans.org/info/100979
2) Demystifying External Authorization: Oracle Entitlements Server Review Featuring: Tanya Baccam and Roger Wigenstam http://www.sans.org/info/100984
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hackers Stole Michael Jackson's Entire Catalog From Sony (March 5, 2012)

Authorities in the UK have charged two men in connection with the theft of Michael Jackson's entire back catalog from Sony servers. The catalog comprises more than 50,000 tracks and includes a number of unreleased songs. Sony bought the catalog for US $250 million in 2010. The theft of the tracks is believed to have been discovered shortly after the Sony PlayStation network attack last April. The two men have denied the theft.
-http://news.cnet.com/8301-1009_3-57390339-83/michael-jackson-back-catalog-stolen
-in-sony-hack/
-http://www.bbc.co.uk/newsbeat/17256870
-http://www.theregister.co.uk/2012/03/05/jackson_catalogue_hack_charges/
-http://www.guardian.co.uk/music/2012/mar/05/michael-jackson-back-catalogue-stole
n?newsfeed=true
-http://www.wired.com/threatlevel/2012/03/sony-music-hack/

Senator Asks FTC to Investigate Google and Apple Over Possible App Privacy Violations (March 5, 2012)

US Senator Chuck Schumer (D-New York) has asked the Federal Trade Commission (FTC) to investigate Google and Apple over concerns that some of their Android and iOS applications are collecting users' personal data and sharing them with third parties. In a letter, Schumer wondered if the applications are violating citizens' privacy rights, noting that there have been accusations that the applications' data collection practices go "beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of ... functionality." The FTC has not yet responded to Schumer's request.
-http://www.v3.co.uk/v3-uk/news/2157055/ftc-investigate-apple-google-personal-col
lection
-http://news.cnet.com/8301-1009_3-57390567-83/new-york-senator-asks-ftc-to-invest
igate-google-apple/
[Editor's Note (Pescatore): In the past the FTC has gone a very good job (using existing regulations and regulatory authority) to police privacy violations. It would be good to see attention paid to privacy when we are still relatively early in the evolution of mobile apps.
(Ullrich): This is a usability vs. granular access control issue. Right now, mobile operating systems define "super permissions" like Internet access and access to the address book that implicitly include access to images. However, offering the user a large list of security access control will likely cause more confusion and lead to the same "click accept to make it work" issue that has broken so many other security controls.
(Murray): Are Apple and Google to be guilty for attempting, but failing, to do the right thing while Microsoft, Adobe et. al., are innocent by virtue of not trying? ]

Google Updates Chrome (March 5, 2012)

Google has released a new stable version of its Chrome browser. The newest version of Chrome addresses 17 vulnerabilities and includes an update for the bundled Flash Player. The browser will be automatically updated. Google said it paid researchers between US $500 and US $3,000 for the flaws they reported.
-http://www.h-online.com/security/news/item/Chrome-security-update-and-researcher
s-bonuses-1463415.html
-http://www.computerworld.com/s/article/9224881/Google_patches_14_Chrome_bugs_pay
s_record_47K_in_bounties_and_bonuses?taxonomyId=17

Adobe Issues Another Flash Player Fix (March 5, 2012)

Adobe has issued a fix for Flash Player to address two security flaws; the update comes less than three weeks after Adobe last patched Flash. One of the flaws is a memory corruption vulnerability, which could be exploited to execute code. The second flaw is an information disclosure issue. Neither flaw is being actively exploited. The February 15 patch addressed seven flaws, one of which was being actively exploited at the time. Administrators are urged to apply the most recent update within 30 days.
-http://www.computerworld.com/s/article/9224885/Adobe_patches_Flash_Player_for_se
cond_time_in_20_days?taxonomyId=17
-http://krebsonsecurity.com/2012/03/adobe-patches-critical-flash-flaws/
[Editor's Note (Ullrich): Adobe released the bulletin and update yesterday, but the version of Flash player offered on the Adobe site today is still the old vulnerable version. Adobe also released a tool to investigate flash issues (see
-http://www.adobe.com/devnet/security/articles/inroducing-adobe-swf-investigator.
html)
(Murray): Flash is "historically broken." Get over it. ]

US Authorities Start Extradition Process in Megaupload Case (March 5, 2012)

US federal prosecutors have filed paper work in New Zealand to begin the extradition process of Megaupload founder Kim Dotcom. The request also seeks the extradition of three additional Megaupload senior staff members: Mathias Ortmann, Bran van der Kolk, and Finn Batato. The people named in the papers are accused of racketeering, copyright infringement, money laundering, wire fraud, and other charges. Dotcom was arrested in New Zealand in January and has been released on bail.
-http://www.bbc.co.uk/news/technology-17257308
-http://www.wired.com/threatlevel/2012/03/dotcom-extradition/

Anonymous Hacking Tool Infected With Trojan (March 5, 2012)

Some supporters of the Anonymous hacking collective who believed they were downloading only a distributed denial-of-service (DDoS) attack tool were actually tricked into downloading Zeus malware onto their computers as well. This variant harvests email passwords and online banking account access credentials. The users thought they were downloading Slowloris, but the software was infected with the ZeuS variant.
-http://www.computerworld.com/s/article/9224856/Hacker_on_hacker_Zeus_bot_master_
dupes_Anonymous_backers_into_installing_password_stealer?taxonomyId=17
-http://www.informationweek.com/news/security/attacks/232602010
-http://www.zdnet.com/blog/security/anonymous-reacts-to-symantec-trojan-report/10
485

NASA Suffered Intrusion at Jet Propulsion Lab (March 1, 2 & 5, 2012)

More details are emerging about the depth of intrusion hackers have made into NASA networks over the last several years. In testimony provided to a Congressional panel last week, NASA inspector general Paul Martin said that intruders gained "full functional control" of computers systems at Jet Propulsion Laboratory in late 2011. The attack appeared to originate from IP addresses in China. In 2010 and 2011, NASA experienced more than 5,400 cyber security incidents. Martin said two factors play heavily into NASA's networks as cyber targets: the value of the data they hold and the large number of entry points.
-http://www.telegraph.co.uk/technology/news/9123276/Hackers-had-full-control-of-h
ijacked-Nasa-network.html
-http://www.bbc.co.uk/news/technology-17231695
-http://www.wired.com/threatlevel/2012/03/jet-propulsion-lab-hacked/
-http://www.usatoday.com/tech/science/space/story/2012-03-05/nasa-cybersecurity-l
awmakers/53372826/1
-http://latimesblogs.latimes.com/lanow/2012/03/jpl-computers-hacked-repeatedly-in
-2010-and-2011-nasa-report-says.html

Cable Modem Hacker Convicted (March 2, 2012)

A jury in federal court in Boston has convicted Ryan Harris of seven counts of wire fraud for helping people steal Internet service. Harris was involved in selling hacked cable modems and software that helped people circumvent device restrictions such as bandwidth limits. Harris faces up to 20 years in prison and a fine of up to US $250,000 for each count.
-http://www.computerworld.com/s/article/9224838/Ore._man_convicted_for_helping_th
ousands_steal_Internet_service?taxonomyId=17
-http://www.wired.com/threatlevel/2012/03/ryan-harris-convicted/

Federal Agencies and Fortune 500 Companies Eradicating DNSChanger (March 1, 2012)

US federal agencies appear to be making headway into identifying computers infected with DNSChanger and scrubbing the malware from machines. A month ago, data suggested that half of Fortune 500 companies and US government agencies were still infected with DNSChanger. As of February 23, the number of companies still infected was down to 94, and just three government agencies still had infected machines, according to a member of the DNSChanger Working Group. The infected computers are communicating with servers run by the Internet Systems Consortium, which has a court order to operate them until Thursday, March 8.
-http://gcn.com/articles/2012/03/01/rsa-13-federal-dnschanger-cleanup.aspx
[Editor's Note (Murray): Such precise counts suggest that identifying them is easy. How much more difficult can it be to isolate or cleanse them?
(Northcutt): The working group also has instructions for home users to see if they are infected:
-http://www.dcwg.org/checkup.html

(Honan): The court order has was extended today to the 9th of July 2012
-http://www.marketwatch.com/story/iid-reports-downturn-in-fortune-500-and-major-u
s-government-agencies-infected-with-dnschanger-malware-2012-03-05#]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/