SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #28

April 06, 2012

TOP OF THE NEWS

Apple Issues Fix For Java Flaw; Mozilla Blacklists Older Java Versions in Firefox
Sky News Admits to eMail Hacking
Megaupload Attorney Says Case Could Set Troubling Precedent
Survey Underscores Need for Bring Your Own Device Policies in Workplace

THE REST OF THE WEEK'S NEWS

Guilty Plea in Sony Hack
Microsoft's Patch Tuesday for April to Fix 11 Security Flaws
Hackers Steal Utah Medicaid Claim Data
Prison Sentence for Online Data Theft
Federal Utility's Cyber Security Weaknesses Not Uncommon
British MPs to Consider Proposal to Expand Government's Surveillance Powers
VA Getting Tough About Employee Security Training

---

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Sponsored By CyberQuests 2012 National Collegiate Cybersecurity Competition
Registration opened yesterday for the only national collegiate cyber competition where individual college students can play without having to form teams. No special preparation needed - it tests your mastery. Colleges with lots of participants win awards; students who participate win access to cool jobs with great employers, scholarships to summer "Cyber Camps" where they will interact with some of the nation's top cyber security gurus, and recognition from national leaders. Check it out at http://uscc.cyberquests.org/
*************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

Apple Issues Fix For Java Flaw; Mozilla Blacklists Older Java Versions in Firefox (April 4 & 5, 2012)

Apple has released a fix for a vulnerability in the Mac OS X Java implementation, but not before more than 500,000 computers were infected with malware that targets machines running Apple's operating system. A variant of the Flashback Trojan horse program has been infecting vulnerable Macs. The Java problem was patched for Windows more than a month ago. The Java fix for Mac addresses 12 issues in all, and they were all rated critical. The update is for Mac OS X 10.6 and 10.7, Snow Leopard and Lion. While Apple did respond quickly to the issue once it became clear the flaw was being actively exploited to spread malware, some are questioning the overall delay in getting out the Java fix. Mozilla has also taken steps to protect users from Java exploits; changes made in Firefox will block older versions of Java.
-http://www.h-online.com/security/news/item/Apple-and-Mozilla-take-on-Java-vulner
abilities-1500931.html
-http://www.theregister.co.uk/2012/04/04/apple_java_update/
-http://www.computerworld.com/s/article/9225837/Apple_patches_Mac_Java_zero_day_b
ug?taxonomyId=82&pageNumber=2
-http://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/s
-http://tech.fortune.cnn.com/2012/04/05/apple-closes-a-trojan-loophole-after-5500
00-macs-are-infected/
-http://www.v3.co.uk/v3-uk/news/2166330/half-million-macs-enslaved-botnet
-http://news.cnet.com/8301-1009_3-57409619-83/more-than-600000-macs-infected-with
-flashback-botnet/

Sky News Admits to eMail Hacking (April 5, 2012)

Sky News, a company owned in part by the Murdoch News Corporation, has admitted to authorizing a reporter to hack email accounts of private citizens on two separate occasions. Sky News maintains that the action was taken in the public interest, but the UK's Computer Misuse Act makes no such allowances. The person responsible for both incidents was Sky News North of England correspondent Gerard Tubb. In one case, he broke into the Yahoo email account of a man who faked his own death in 2002 so that his wife could collect on a large life insurance policy. In the other, Tubb accessed the email account of an alleged pedophile.
-http://arstechnica.com/tech-policy/news/2012/04/sky-news-admits-to-hacking-e-mai
l-accounts.ars
-http://www.telegraph.co.uk/news/uknews/crime/9188402/Sky-News-admits-hacking-ema
ils-of-canoe-man-John-Darwin.html
-http://www.usatoday.com/news/world/story/2012-04-05/rupert-murdoch-sky-news-hack
ing/54041982/1
[Editor's Note (Honan): Breaking into the email accounts "in the public interest" does not make it any less illegal.
(Murray): When one pleads civil disobedience, one must be prepared to pay the consequences. I hope that this case sets a good example. Bradley Manning may make the same plea. ]

Megaupload Attorney Says Case Could Set Troubling Precedent (March 3, 2012)

The lawyer representing Megaupload in the US said that if the storage service company is found guilty of charges against it, other cloud storage service companies could be held liable for the content of their customers' files. If US prosecutors are successful in their extradition attempt and Megaupload and its executives are tried, it will be the first criminal copyright infringement case brought against a cloud services provider in the US. In a criminal case, the prosecution would need to prove primary copyright infringement, in other words, that the defendants were aware of the copyright violations and willfully violated the laws. The indictment against Megaupload does not cite particular content nor does it name any individuals who shared the content. The indictment holds Megaupload and those operating the company responsible for users' conduct. US privacy laws prohibit cloud storage service providers from looking at the content their customers store.
-http://www.computerworld.com/s/article/9225822/Megaupload_lawyer_says_case_could
_affect_other_storage_services?taxonomyId=82

Survey Underscores Need for Bring Your Own Device Policies in Workplace (April 4 & 5, 2012)

According to SANS' First Annual Survey on Mobility Security, while some companies allow employees to use their own mobile devices at work, many of those companies do not know what devices their employees are using. More than half of the organizations do not have or only "sort of" have bring-your-own-device (BYOD) security and usage policies. The study found that just nine percent of responding organizations were "fully aware" of what devices they were allowing to access their networks.
-http://gcn.com/articles/2012/04/05/byod-sans-report-organizations-in-the-dark.as
px
-http://www.darkreading.com/mobile-security/167901113/security/news/232800317/san
s-survey-byod-widespread-but-lacking-sufficient-oversight.html
[Editor's Note (Honan): BYOD is nothing new. Any companies that allow remote web access to their email or allow users connect USB devices to their systems has been running a BYOD program by default. Companies need to recognize this and develop policies and controls accordingly. ]

---

************************ Sponsored Links: ****************************
1) SolarWinds(R) Log and Event Manager for operations, compliance and security is powerful, easy and affordable! http://www.sans.org/info/103114
2) Learn the results of the SANS First Annual Mobility Security Survey and gain practical advice for securely supporting mobility/BYOD Thursday, April 12, 1 PM EST. http://www.sans.org/info/103119
3) New SANS Analyst Paper: Privileged Password Sharing: Root of all Evil, with Dave Shackleford http://www.sans.org/info/103124 For a full index of SANS Analyst papers, go here: https://www.sans.org/reading_room/analysts_program/
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Guilty Plea in Sony Hack (April 5, 2012)

Cody Kretsinger has pleaded guilty to felony charges for his role in last year's security breach of Sony Pictures Entertainment. Kretsinger admitted to helping to launch an SQL injection attack on a Sony website, to stealing personal information of registered users of that site, and to providing that information to other members of his hacking group so they could post it to the Internet. Kretsinger was charged with conspiracy and unauthorized impairment of a protected computer.
-http://www.bbc.co.uk/news/uk-17628600
-http://arstechnica.com/tech-policy/news/2012/04/accused-lulzsec-member-pleads-gu
ilty-to-hacking-sony.ars
-http://www.msnbc.msn.com/id/46971398/ns/technology_and_science/

Microsoft's Patch Tuesday for April to Fix 11 Security Flaws (April 5, 2012)

Microsoft plans to release six security bulletins on Tuesday, April 10, to address a total of 11 vulnerabilities. Four of the bulletins have maximum severity ratings of critical; the other two are rated important. The bulletins address issues in Windows, Internet Explorer (IE), Office, SQL Server, and Forefront United Access Gateway 2010, Microsoft's virtual private networking platform.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-apr
-http://www.computerworld.com/s/article/9225883/Microsoft_slates_critical_Windows
_Office_IE_patches_next_week_including_head_scratcher_?taxonomyId=17
-http://www.zdnet.com/blog/security/microsoft-readies-patch-for-gaping-ie-browser
-security-holes/11366
-http://www.scmagazine.com/microsoft-to-sew-up-11-security-vulnerabilities-next-w
eek/article/235396/
[Editor's Comment (Northcutt): I realize most readers know this, but just to reinforce. They may be fixing 11 flaws, but this means thousands of changes. For organizations that track changes, this is going to be a hard week.]

Hackers Steal Utah Medicaid Claim Data (April 4 & 5, 2012)

Hackers in Europe are believed to be responsible for stealing files of Medicaid patients. The breach occurred on a server at the Utah Health Department. The hackers compromised 24,000 Medicaid claim files according to initial estimates; now officials believe that many more patients have been affected by the breach. Compromised information includes names, Social Security numbers (SSNs), and other sensitive data. The breached server has been shut down and new security measures have been put in place. The breach was possible because employee error: the security on the newly-set-up server was not complete. The hackers gained access to the server on a Friday and began downloading data two days later. The breach was detected on Monday morning.
-http://www.v3.co.uk/v3-uk/news/2166363/eastern-european-hackers-suspected-medica
id-cyber-raid
-http://www.sltrib.com/sltrib/news/53854948-78/state-utah-medicaid-health.html.cs
p
-http://www.govinfosecurity.com/articles.php?art_id=4654
-http://articles.chicagotribune.com/2012-04-04/news/sns-rt-us-usa-hackers-utahbre
83404g-20120404_1_data-security-breach-cyber-attack-hackers

Prison Sentence for Online Data Theft (April 4 & 5, 2012)

A UK man has been sentenced to more than two years in prison for stealing identity, payment card, and PayPal data. Edward Pearson was caught after making just GBP 2,400 (US $3,800) in fraudulent transactions. Pearson gained access to the accounts online over a 20-month period with the help of Trojan horse programs such as ZeuS and SpyEye. The losses could have been considerably higher. Police were able to track Pearson after his girlfriend used some of the stolen payment card information to book rooms at upscale hotels.
-http://www.csoonline.com/article/703537/uk-hacker-accessed-accounts-for-20-month
s-before-bust?source=CSONLE_nlt_update_2012-04-05
-http://www.theregister.co.uk/2012/04/04/cybercrook_jailed/

Federal Utility's Cyber Security Weaknesses Not Uncommon (March 4, 2012)

According to an internal US Department of Energy (DOE) audit, the Bonneville Power Administration in Portland, Oregon, has cyber security weaknesses that make its systems vulnerable to breaches. Experts say that the issues found at Bonneville are found at many other government and industry systems as well. The audit found that 11 Bonneville servers used weak passwords and 400 known vulnerabilities had not been fixed. Bonneville is a federal utility that provides power to 30 percent of the Pacific Northwest region.
-http://www.nextgov.com/nextgov/ng_20120404_8857.php
[Editor's Note (Murray): Better to have had these vulnerabilities discovered by one's auditors than by one's adversaries. Let only those whose systems do not have any of the vulnerabilities on the SANS list snigger. ]

British MPs to Consider Proposal to Expand Government's Surveillance Powers (April 2, 2012)

Later this year, British legislators will examine a proposal that would allow the government access to residents' text messages, phone calls, email, and Internet browsing history. The government maintains that the increased snooping powers are necessary to protect the country from terrorism and other threats. But some citizens and some members of Parliament (MPs) say the proposal goes too far and would move Britain more deeply into a surveillance society. The proposal is not yet complete, but some say it would grant powers beyond those the US government has to access private information of its residents. Access to the content of messages would still require warrants, but the time, frequency, and destination of the communications would be accessible without a warrant.
-http://www.washingtonpost.com/world/europe/britain-weighs-proposal-to-allow-grea
tly-increased-internet-snooping/2012/04/02/gIQAOerQrS_story.html

VA Getting Tough About Employee Security Training (March 29 & April 2, 2012)

The US Department of Veterans Affairs is getting tough on its employees regarding privacy and security training. Workers who do not complete their mandatory annual training in those areas will find themselves unable to access agency networks. Between VA employees and contractors, there are 450,000 people who have access to information contained in VA networks. Currently, the VA has a 95 percent compliance rate with the training, which means 18,000 people would be locked out of the networks if the program had gone into effect a year ago. The training program is called the Continuous Readiness in Information Security Program (CRISP) and involves a one-hour, online course that can be accessed within or outside of the VA network.
-http://gov.aol.com/2012/04/02/va-to-unplugs-employees-who-skip-cybersecurity-tra
ining/
-http://www.govinfosecurity.com/articles.php?art_id=4629

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/