
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #31

April 17, 2012


Stories related to security of iOS devices have reached critical mass.
We put the three Apple stories in a separate section this week to
memorialize Apple's arrival as a prime target of cyber crime following
its recent ascent into a trusted platform for enterprise computing.

Alan

MAC SECURITY

Apple iOS Approved for Use in Australian Government
Apple Issues Flashback Removal Tool
New Mac Malware

THE REST OF THE WEEK'S NEWS

FCC Says Google Did Not Violate Wiretapping Law
Man Charged in Utah Police Website Attacks
Arrests Made in Scotland Yard Anti-Terrorism Hotline Attacks
Mozilla Testing Plug-In Opt-In Feature for Firefox
Judge Wants Interested Parties to Work Out Arrangement for Megaupload Data
Los Alamos National Lab Conducts Cyber Security Exercise
Researchers Criticize Microsoft's ZeuS Takedown Strategy


********************** SPONSORED BY WinMagic Inc. **********************
Is Your Encryption Solution A Nightmare? Do you have Tales of Encryption? Wake up to a new Reality with WinMagic. Join us for our live broadcast on Wed, Apr 18, 2012 1:00 PM - 2:00 PM EDT to learn how WinMagic SecureDoc can dispel encryption myths and secure your data.
Register Today http://www.sans.org/info/103554
*************************************************************************
TRAINING UPDATE
- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

- --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

MAC SECURITY

Apple iOS Approved for Use in Australian Government (April 13, 2012)

Australia's Defence Signals Directorate has approved the use of Apple's iOS in certain "classified Australian government communications." Agency workers will have to abide by a Hardening Guide, which, among other requirements, insists on iOS version 5.1 or newer. The guide also includes requirements for password strength and frequency of change and devices will be automatically wiped after five failed login attempts. iOS has been approved for information classified no higher than "protected." iOS has been deemed an unsuitable means of access for information classified as "confidential," "secret," or "top secret."
-http://www.theregister.co.uk/2012/04/13/ios_secure_for_australian_classified_comms/

-http://www.zdnet.com.au/dsd-certifies-ios-5-for-government-use-339334988.htm

Apple Issues Flashback Removal Tool (April 13 & 16, 2012)

Apple has released a tool to wipe the Flashback Trojan horse program from infected computers. The tool was first released last week bundled with a Java update; that update scrubs the malware from machines and disables Java applets by default in all browsers on OS X Lion. Apple has now also released a standalone version of the Flashback removal tool.
-http://www.bbc.co.uk/news/technology-17700824
-http://www.theregister.co.uk/2012/04/13/apple_releases_flashback_removal_tool/
-http://www.h-online.com/security/news/item/Apple-publishes-standalone-Flashback-malware-removal-tool-1526041.html

-http://www.scmagazine.com/third-apple-java-update-rids-infections-and-turns-off-java/article/236489/

New Mac Malware (April 14, 15, & 16, 2012)

A new piece of malware that infects Mac OS X computers through a Java vulnerability has been detected. Last week, Apple released an update that fixed a vulnerability in the Java implementation for OS X that was being actively exploited by the Flashback Trojan horse program. The new malware, called SabPub, exploits a different Java vulnerability, justifying Apple's decision to have the update disable Java on computers that had not used the plug-in within the last 35 days. SabPub receives instructions from a remote website and is capable of taking screenshots of infected computers.
-http://www.usatoday.com/tech/news/story/2012-04-16/apple-mac-java/54317794/1
-http://news.cnet.com/8301-1009_3-57414516-83/new-mac-os-x-trojan-unearthed-call-it-sabpub/

-http://www.computerworld.com/s/article/9226234/Two_More_Mac_Trojans_Discovered?taxonomyId=17

-http://www.zdnet.com/blog/security/new-targeted-mac-os-x-trojan-requires-no-user-interaction/11545

-http://www.theregister.co.uk/2012/04/15/new_osx_backdoor/


*************************** Sponsored Links: *************************
1) Special Webcast: PCI - Top 5 Issues and Best Practices Surrounding Privileged Passwords and PCI Compliance: Sponsored by Quest Software http://www.sans.org/info/103559
2) Analyst Webcast! Reducing Systems Risk with the SANS 20 Critical Controls, Thursday, April 19, 1 PM EDT, featuring G. Mark Hardy. http://www.sans.org/info/103564
3) Special Webcast: Threat Review of Resurgent Botnets: Waledac, Kelihos, Zeus Wed. 4/18/12 at 1:00 pm EDT http://www.sans.org/info/1035
************************************************************************

THE REST OF THE WEEK'S NEWS

FCC Says Google Did Not Violate Wiretapping Law (April 16, 2012)

In an order released on Monday, April 16, the US Federal Communications Commission (FCC) said that Google did not violate wiretapping laws when it inadvertently collected more information than intended while gathering data for its Google Maps Street View feature. Between 2008 and 2010, Google collected the data from unprotected Wi-Fi networks. In 2011, a US federal judge ruled that Google could be held liable for violating federal wiretapping law. The FCC will not take any enforcement measures against Google, although it has fined the company US $25,000 for hindering the investigation. Google has also promised to stop collecting extra information. The FCC agreed with Google's assertion that wiretapping laws did not apply in this case because the information it collected was "readily accessible to the general public," as the networks were unsecured.
-http://www.wired.com/threatlevel/2012/04/fcc-clears-google/
-http://www.washingtonpost.com/business/economy/fcc-metes-out-light-penalty-for-google-in-street-view-case/2012/04/16/gIQAEryRMT_story.html

Man Charged in Utah Police Website Attacks (April 16, 2012)

An Ohio man has been charged with felony computer intrusion for allegedly launching attacks on the websites of law enforcement agencies in Utah. John Anthony Borell III is accused of causing thousands of dollars of damage by knocking two police sites offline. The Salt Lake City Police Department website was offline for three months and has only recently been relaunched. Borell has pleaded not guilty to the charges.
-http://news.cnet.com/8301-1009_3-57414740-83/ohio-man-charged-in-utah-police-hacks/

-http://www.washingtonpost.com/national/ohio-anonymous-member-21-charged-with-hacking-utah-police-websites/2012/04/16/gIQACKZkLT_story.html

Arrests Made in Scotland Yard Anti-Terrorism Hotline Attacks (April 12, 13, & 15, 2012)

A UK teenager has been arrested and charged in connection with a series of denial-of-service attacks launched against a Scotland Yard anti-terrorism hotline. The unnamed 17-year-old was charged with conspiracy to cause a public nuisance and a violation of the Computer Misuse Act. A 16-year-old has also been arrested in connection with the attacks; he has been released on bail. The suspects allegedly eavesdropped on a conversation between Scotland Yard officials and posted a recording of the call on the Internet.
-http://www.computerworld.com/s/article/9226220/UK_teen_charged_with_jamming_of_anti_terrorist_hotline

-http://www.bbc.co.uk/news/uk-17698528

Mozilla Testing Plug-In Opt-In Feature for Firefox (April 11, 12, & 13, 2012)

Mozilla is considering strengthening the security of Firefox by requiring users to grant explicit permission for browser plug-ins. When the feature is enabled, plug-ins will require one extra click from users to play. Plug-ins often consume resources, slowing down systems; they also pose a security threat. The feature is not yet ready for stable versions of the browser, but is available in the Firefox nightly channel, builds of the browser released for testing purposes only.
-http://www.informationweek.com/news/security/vulnerabilities/232900294
-http://arstechnica.com/open-source/news/2012/04/mozilla-may-make-flash-click-to-play-by-default-in-future-firefox.ars

Judge Wants Interested Parties to Work Out Arrangement for Megaupload Data (April 13, 2012)

US District Court Judge Liam O'Grady wants the attorneys for parties with interest in Megaupload's data to find a compromise regarding the issue of the cost of retaining the information. The US DOJ says that it has copied all the data it needs and that Carpathia, the hosting company which is currently shouldering the cost of maintaining the servers, should wipe those machines. Megaupload wants the data retained because it says the information could prove beneficial to its defense; Megaupload wants to pay Carpathia for its services, but the company's accounts have been frozen. O'Grady has asked for a report on the matter at the end of the month.
-http://www.computerworld.com/s/article/9226191/Judge_wants_Megaupload_other_groups_to_work_out_server_maintenance?taxonomyId=17

-http://www.wired.com/threatlevel/2012/04/megaupload-data-flap/
-http://arstechnica.com/tech-policy/news/2012/04/judge-orders-more-negotiations-over-fate-of-megaupload-servers.ars

Los Alamos National Lab Conducts Cyber Security Exercise (April 12 & 13, 2012)

Los Alamos National Laboratory recently conducted a cyber security exercise that drew participants from the FBI, the Energy Department (DOE)'s Cyber Forensics Laboratory, the National Nuclear Security Administration, and other government agencies. The exercise, dubbed Eventide, required participants to assess the malicious activity as it was happening and determine the best course of action to address the problems that arose. The participants are also developing recommendations for the Joint Cyber Coordination Center.
-http://www.infosecurity-magazine.com/view/25142/los-alamos-subjected-to-maelstrom-of-simulated-cyberattacks

-http://gcn.com/articles/2012/04/12/cyber-exercise-provides-strategies-for-new-center.aspx

Researchers Criticize Microsoft's ZeuS Takedown Strategy (April 12, 2012)

Researchers in the Netherlands say that Microsoft's tactics in the takedown of the ZeuS botnet have hindered years of investigations by both law enforcement and private industry. Microsoft seized two of the botnet's command-and-control servers earlier this year. The crux of the issue is the allegation that through their actions, Microsoft exposed information that had been shared in confidence. Journalist Brian Krebs spoke with a former US DOJ lawyer who helped design the legal initiative that Microsoft used in its ZeuS takedown.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232900239/controversy-erupts-over-microsoft-s-recent-takedown-of-a-zeus-botnet.html

-http://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/

[Editor's Comment (Northcutt): This is a classic problem in incident response. Microsoft went for the contain and clean approach. Apparently, other groups were using the watch and learn approach. There is always a risk that watch and learn will either be destroyed, modified, or used to attack some other group. These researchers do not have the high ground. While they were doing their "research" other computers were being compromised and added to the botnet.
-https://securosis.com/blog/incident-response-fundamentals-contain-investigate-and-mitigate

(Honan): This item highlights the major challenge we as a community have in tackling cybercrime. On the one hand we are encouraged to share more information so we can work together to tackle the criminals; on the other hand we need to be careful about how that information is shared so that confidence, trust and good working relationships are not undermined. Spending time and money on developing and implementing a robust information sharing framework for all to work together is something I believe will provide us with large dividends in the fight against cybercrime.]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/