SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #30

April 13, 2012

TOP OF THE NEWS

US Army Running Short on Qualified IT Security Staff; Lowering Standards
FBI Concerned About Smart Meter Hacking
Howard Schmidt: Energy Companies Need to Monitor Security Issues

THE REST OF THE WEEK'S NEWS

Apple Steps Up Account Security
Oracle's Quarterly Critical Patch Update Set for April 17
Court Publishes Opinion in Goldman Sachs Source Code Download Case
Apple Delivers Flashback Removal Tool
HP Warns of Malware on Flash Cards Accompanying Certain Network Switches
US Appeals Court Says CFAA is for Prosecuting Hackers
Microsoft Patch Tuesday Includes Patch for Zero-Day ActiveX Flaw
Adobe Updates Reader and Acrobat
Retailers Using Return and Exchange Tracking Service

---

********************** SPONSORED BY Tripwire, Inc. **********************
Analyst webcast! SANS 20 Critical Security Controls and Federal Systems featuring G. Mark Hardy Thursday, April 19, 1 PM EDT. http://www.sans.org/info/103319
**************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

--Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

--SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

---

TOP OF THE NEWS

US Army Running Short on Qualified IT Security Staff; Lowering Standards (April 10, 2012)

The US Army is finding itself without enough qualified IT staff to fill available positions. Defense Department (DOD) Directive 8570.01-M spells out the training and certifications that military personnel and contractors must have to be considered for positions in which they operate DOD information systems. The Army is changing guidelines so that fewer employees will be required to have the training and certifications. Those with the necessary credentials will have greater network access and likely higher pay.
-http://www.computerworld.com/s/article/9226053/US_Army_Military_finds_IT_securit
y_certification_difficulties?taxonomyId=17
[Editor's Comment (Northcutt): First this article appears to be based on a single source; always dangerous journalism. Second, the US Army is always running short on something, but when you look at the details, you always find the Army is very, very big. So while they may feel they are running short, they are still the largest consumer on planet earth. Finally, this article is very simplistic, the Army has an entire certification schoolhouse/factory operation. Suggest that we encourage Computerworld reporter Mesmer to do a bit of digging.]

FBI Concerned About Smart Meter Hacking (April 9, 2012)

According to an FBI cyber bulletin, an unnamed utility company in Puerto Rico was the target of attacks against smart meters, costing the company hundreds of millions of dollars. This appears to be the first report of such attacks and the FBI expects that the occurrence of similar attacks will rise as the smart grid technology is more widely adopted. The FBI believes that former employees of the meter manufacturer reprogrammed meters for between US $300 and US $3,000 so that the associated buildings appeared to be consuming less power than they actually used. Most meters are read remotely, making fraud detection difficult. The alterations require physical access.
-http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/

Howard Schmidt: Energy Companies Need to Monitor Security Issues (April 11 & 12, 2012)

White House Cybersecurity official Howard Schmidt says that the country's utilities need to actively and continuously identify security risks in their systems. The administration, along with the Departments of Energy and Homeland Security plan to run a pilot program for power companies to voluntarily share information about their security postures and pinpoint where best to focus attention on improving security. Schmidt also noted that smart meters are becoming targets for hackers.
-http://www.executivegov.com/2012/04/howard-schmidt-energy-companies-need-continu
ous-monitoring-practices/
-http://www.nextgov.com/nextgov/ng_20120411_4285.php?oref=topstory
[Editor's Note (Murray); The power grid is a special case. While it is a small part of SCADA, it is fundamentally fragile. We have not even identified the scope of the exposure and only speculate about the threat. However, the potential consequences are so high that it constitutes a risk, one that we need not and should not tolerate. ]

---

*************************** Sponsored Links: *************************
1) Is Your Encryption Solution A Nightmare? Do you have Tales of Encryption? Wake up to a new Reality with WinMagic. Join us for our live broadcast on Wed, Apr 18, 2012 1:00 PM - 2:00 PM EDT to learn how WinMagic SecureDoc can dispel encryption myths and secure your data. Register Today http://www.sans.org/info/103324
2) Read this new whitepaper, Privileged Password Sharing: "root" of All Evil, from Quest Software to learn how to effectively manage privileged accounts. http://www.sans.org/info/103329
3) Webinar: OpenID Connect-How it Can Work for You Link: http://www.sans.org/info/103334
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Steps Up Account Security (April 12, 2012)

Apple has tightened account security to protect users from having their App Store accounts hijacked. The changes were made on April 11 and include choosing three security questions that users will have to answer correctly before being permitted to download apps from the App Store. Users are also being asked to supply a backup email address. Users have expressed frustration that Apple did not let them know ahead of time that the new measures were going to be put in place.
-http://news.cnet.com/8301-1009_3-57413072-83/apple-ratchets-up-app-store-securit
y/

Oracle's Quarterly Critical Patch Update Set for April 17 (April 12, 2012)

Oracle's quarterly critical patch update is due to be released on Tuesday, April 17. The update is expected to include 88 fixes for numerous Oracle products. Six of the patches are for Oracle's database, and three of those could be exploited remotely. There will be 11 patches for Oracle Fusion Middleware, nine of which are remotely exploitable.
-http://www.computerworld.com/s/article/9226169/Oracle_to_issue_88_security_patch
es_on_Tuesday?taxonomyId=17

Court Publishes Opinion in Goldman Sachs Source Code Download Case (April 11, 2012)

The 2nd US Circuit Court of Appeals has published its opinion in the case regarding Sergey Aleynikov, who was released from prison in February after the court reversed his December 2010 conviction for source code theft from his former employer. The ruling states that the high-frequency trading system source code Aleynikov downloaded from Goldman Sachs before leaving the company in 2009 does not satisfy the definition of being a physical object, and because Aleynikov did not "assume physical control" over any object when he took the code, he did not violate the National Stolen Property Act. The court also said that Aleynikov is not guilty of violating the Economic Espionage Act because the source code was not made for interstate or foreign commerce, which is a requirement of being charged under that law. With regard to the NSPA, the court wrote, "We decline to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age."
-http://arstechnica.com/tech-policy/news/2012/04/a-federal-appeals-court-has-2.ar
s
-http://news.cnet.com/8301-1009_3-57412779-83/code-cant-be-stolen-under-federal-l
aw-court-rules/
-http://www.wired.com/threatlevel/2012/04/code-not-physical-property/

Apple Delivers Flashback Removal Tool (April 11, 2012)

Apple is developing a tool to remove Flashback malware from Macs. Last week, Apple released an update to fix the hole in the Java implementation for Mac OS X that the malware exploits to infect machines. Apple has not said when the tool will be available. Apple is encouraging users to install the most recent update to fix the Java vulnerability. Mac users who are running versions prior to 10.6 (Snow Leopard) are urged to disable Java in their browsers as Java is no longer supported for those versions of the operating system. An estimated 600,000 Macs are already infected with Flashback. Apple also said that it is working with Internet service providers (ISPs) to disrupt the malware's command-and-control network. Internet Storm Center announces tool is delivered:
-http://isc.sans.edu/diary.html?storyid=12973
-http://www.h-online.com/security/news/item/Apple-announces-Flashback-removal-too
l-1518781.html
-http://www.computerworld.com/s/article/9226088/Apple_Developing_Flashback_Malwar
e_Removal_Tool?taxonomyId=17
-http://www.bbc.co.uk/news/technology-17675314

HP Warns of Malware on Flash Cards Accompanying Certain Network Switches (April 11 & 12, 2012)

HP is warning its customers that compact flash cards sent with its one of its networking kits are infected with malware. The cards in question were bundled with HP ProCurve 5400zl switches that were purchased after April 30, 2011. The infected flash card would not have an adverse effect on the switch, but if the card were to be used in a PC, that machine could become infected. HP has not said how the cards became infected, but the company has made available a script that performs a software purge to delete the flash card's contents.
-http://www.theregister.co.uk/2012/04/11/hp_ships_malware_cards_with_switches_oop
s/
-http://www.zdnet.com.au/hp-spots-virus-on-own-network-switches-339335811.htm

US Appeals Court Says CFAA is for Prosecuting Hackers (April 10 & 12, 2012)

The 9th US Circuit Court of Appeals has ruled that employees may not be tried under the Computer Fraud and Abuse Act (CFAA) merely for violating the employers' computer use policy. The CFAA became law in 1984 and is aimed at prosecuting individuals who gain access to computers to steal data or damage the machines. The defendant in the case in question may have been spared the hacking charges, he still faces theft of trade secrets, mail fraud, and conspiracy charges.
-http://www.wired.com/threatlevel/2012/04/computer-fraud-and-abuse-act/
-http://news.cnet.com/8301-1009_3-57412137-83/court-narrows-prosecutors-use-of-an
ti-hacking-law/
-http://arstechnica.com/tech-policy/news/2012/04/terms-of-service-violations-not-
a-crime-appeals-court-rules.ars
-http://www.scmagazine.com/court-ruling-limits-reach-of-us-anti-hacking-law/artic
le/236335/
-http://www.technolog.msnbc.msn.com/technology/technolog/court-facebooking-work-n
ot-federal-crime-even-when-forbidden-710056

Microsoft Patch Tuesday Includes Patch for Zero-Day ActiveX Flaw (April 10 & 11, 2012)

On Tuesday, April 10, Microsoft released six security bulletins to patch a total of 11 vulnerabilities. The bulletins address security issues in Windows, Internet Explorer (IE), Office and several other Microsoft products. One of the flaws is already being actively exploited. Bulletin MS12-027 addresses a critical flaw in an ActiveX control that comes with 32-bit versions of Office 2003, 2007, and 2010. The patch also applies to SQL Server, Commerce Server, BizTalk Server, Visual FoxPro, and Visual Basic. Internet Storm Center descriptions:
-http://isc.sans.edu/diary.html?storyid=12949
-http://www.theregister.co.uk/2012/04/11/ms_april_patch_tuesday/
-http://www.computerworld.com/s/article/9226060/Microsoft_patches_critical_Window
s_zero_day_bug_that_hackers_are_now_exploiting?taxonomyId=17
-http://www.h-online.com/security/news/item/Patch-Tuesday-closes-critical-Windows
-Office-and-IE-holes-1518553.html
-http://www.scmagazine.com/microsoft-patches-11-security-issues-attacks-underway/
article/235953/
-http://technet.microsoft.com/en-us/security/bulletin/ms12-apr

Adobe Updates Reader and Acrobat (April 11, 2012)

Adobe has released security updates for Reader and Acrobat. The newest versions of the products, 10.1.3 and 9.5.1, fix a handful of arbitrary code execution vulnerabilities. The update also removes the bundled Flash Player from 9.x versions of the software. The fixes are available for all supported platforms. Windows and Mac versions now have built-in update mechanisms. Internet Storm Center:
-http://isc.sans.edu/diary.html?storyid=12952
-http://krebsonsecurity.com/2012/04/adobe-microsoft-issue-critical-updates/
-http://www.h-online.com/security/news/item/Adobe-fixes-critical-vulnerabilities-
in-Reader-and-Acrobat-1518711.html
-http://www.computerworld.com/s/article/9226087/Adobe_Reader_update_patches_bugs_
removes_bundled_Flash_Player?taxonomyId=17
-http://www.adobe.com/support/security/bulletins/apsb12-08.html

Retailers Using Return and Exchange Tracking Service (April 9, 2012)

Retail stores in the US are starting to use a service that tracks consumers' product return histories. A man who brought a defective Blu-Ray disk back to a BestBuy store in Connecticut was asked for his driver's license before the disk was accepted. He was told that the store would not be able to authorize any returns or exchanges for 90 days following the activity, regardless of whether or not he had a valid receipt. The service is provided by a California-based company called The Retail Equation that tracks consumers' return and exchange activity. The Retail Equation says that its software identifies the roughly 1 percent of consumers who routinely commit return fraud or abuse. The Connecticut man had returned or exchanged several items earlier in the year, each with a valid receipt, apparently enough activity for the software to flag him.
-http://www.courant.com/business/custom/consumer/hc-bottom-line-best-buy-returns-
20120409,0,5063368.column

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/