SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #34

April 27, 2012

TOP OF THE NEWS

Number of Conficker Infections Increased in 2011
As Deadline Approaches, Efforts to Clean Machines of DNS Changer Increase
House Passes CISPA Despite Threat of Veto

THE REST OF THE WEEK'S NEWS

UK's Anti-Piracy Legislation Delayed at Least Two Years
Hacker Steals and Posts VMWare Source Code
International Law Enforcement Effort Targets Sites Selling Payment Card Data
DOD Set to Expand Cyber Threat Information Sharing Program
Backdoor Found in Industrial Control Systems
Majority of Fines for Data Breaches in UK Fall to Public Sector
eMail Gaffe Sent Termination Notice to All Employees

---

************************ SPONSORED BY SANS ****************************
New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert, Tanya Baccam. Paper: http://www.sans.org/info/104324
**************************************************************************
TRAINING UPDATE
- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- - - - --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

- --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

- - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************************

---

TOP OF THE NEWS

Number of Conficker Infections Increased in 2011 (April 26, 2012)

According to a report from Microsoft, the number of computers infected by the Conficker worm increased 225 percent between 2009 and 2011; by the end of the 2011, the malware had compromised 1.7 million computers worldwide. Conficker first appeared in 2008 and at its height, infected seven million computers. The worm is seen as a greater threat to enterprises than to individual users because it exploits weak passwords to spread to administrative shares of computers on a network. Conficker's persistence can be attributed in part to its defense: it blocks infected users from accessing security websites, disables security software, and uses encryption to disguise its malicious intent.
-http://gcn.com/articles/2012/04/26/conficker-returns-exploting-weak-passwords.as
px?admgarea=TC_SECCYBERSSEC
-http://www.eweek.com/c/a/Security/Microsoft-Conficker-Worm-Continues-to-Plague-E
nterprises-258258/

As Deadline Approaches, Efforts to Clean Machines of DNS Changer Increase (April 24 & 25, 2012)

The FBI and the ad hoc DNSChanger Working group are stepping up efforts to inform users that their machines may still be infected with the DNSChanger malware. At its height, the malware had infected four million machines. The malware redirected users' computers to web sites crafted specifically for the purpose of fraud. It also disabled antivirus software on infected machines. As suggested by its name, DNSChanger change DNS server settings on infected machines, redirecting them to sites under the hackers' control. The operation was busted last fall, and at that time, the FBI obtained a court order allowing the Internet Systems Consortium to run alternate DNS servers in the place of those the criminal group had set up. Infected machines were then communicating with the new servers and appeared to be accessing the Internet as usual. When the order expires, the servers will be taken offline and people whose computers remain infected will not be able to access the Internet. Initially, that court order expired in March, but the FBI was granted an extension through July 9. The efforts to clean up the remaining infected machines are include expanded news coverage of news story and availability of resources to help detect the malware and remove it from infected machines.
-http://news.cnet.com/8301-1009_3-57421311-83/renewed-efforts-to-revert-dnschange
r-in-effect/
-http://gcn.com/articles/2012/04/24/dnschanger-fbi-working-group-new-campaign.asp
x
[Editor's Note (Murray): We can count them but not identify them? We can clean up DNSchanger but not Conficker? Is the difference a judge? A corrupt machine is a corrupt machine ]

House Passes CISPA Despite Threat of Veto (April 25 & 26, 2012)

On Thursday, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). The White House has promised to veto the bill, and privacy rights organizations are speaking out against it. One of the legislators opposed to CISPA say that it "would waive every single privacy law ever enacted in the name of cybersecurity." The bill's proponents maintain that recently introduced amendments would establish "significant safeguards to protect personal and private information." The Electronic Frontier Foundation (EFF), which opposes CISPA, says the amendments do not go far enough. The White House says that CISPA "fails to provide authorities to ensure that the nation's core infrastructure is protected while repealing important" privacy protections.
-http://www.computerworld.com/s/article/9226639/House_passes_CISPA_cyberthreat_sh
aring_bill_despite_privacy_concerns?taxonomyId=17
-http://www.wired.com/threatlevel/2012/04/house-passes-cispa/
-http://www.bbc.co.uk/news/world-us-canada-17864539
-http://arstechnica.com/tech-policy/news/2012/04/cispa-advances-in-house-as-eff-d
ecries-bills-revisions.ars
-http://www.washingtonpost.com/politics/obama-threatens-to-veto-cispa-cybersecuri
ty-bill-citing-privacy-concerns/2012/04/25/gIQAkS3khT_story.html
-http://thehill.com/blogs/hillicon-valley/technology/223483-house-to-amend-cybers
ecurity-bill-privacy-group-calls-changes-good-progress
-http://www.nextgov.com/nextgov/ng_20120425_5558.php?oref=topnews

---

*************************** Sponsored Links: *************************
1) Sorting Through the Noise: SANS 8th Log and Event Management Survey, part I http://www.sans.org/info/104329 Tuesday May 1, 1 PM EDT
2) Learning from Logs: SANS 8th Log and Event Management Survey, part II http://www.sans.org/info/104334 Thursday, May 3, 1 PM EDT
************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK's Anti-Piracy Legislation Delayed at Least Two Years (April 26, 2012)

Anti-piracy provisions of the UK's Digital Economy Act will not be enforced until at least 2014 because of legal challenges to the legislation. The provisions have been criticized by the ISPs, which say they would be placed in the role of policing user behavior. The measures in question include sending warning letters to repeat offenders and increasingly harsh penalties that could limit users' bandwidth or even cut them off from the Internet altogether.
-http://www.bbc.co.uk/news/technology-17853518
-http://www.zdnet.com/blog/london/uks-anti-piracy-law-delayed-8216three-strike-wa
rnings-on-hold/4412

Hacker Steals and Posts VMWare Source Code (April 25 & 26, 2012)

Source code for VMWare's ESX virtual machine software has been leaked to the Internet. The person claiming responsibility said it was taken from a Chinese company's network. VMWare has acknowledged the leak of the code that is part of the ESX hypervisor and downplayed the idea that the leak posed an increased risk to customers. However, a 2010 IBM study found that 35 percent of vulnerabilities in a virtualized environment can be traced to the hypervisor. The code dates back to 2003-2004. The hacker said he has roughly 300 megabytes of the source code.
-http://www.informationweek.com/news/security/attacks/232901025
-http://www.h-online.com/security/news/item/Hacker-leaks-source-code-of-old-VMwar
e-software-1559794.html
-http://www.computerworld.com/s/article/9226581/VMware_downplays_leaks_of_source_
code?taxonomyId=208
-http://www.wired.com/threatlevel/2012/04/vmware-source-code-leaked/

International Law Enforcement Effort Targets Sites Selling Payment Card Data (April 26, 2012)

The UK's Serious Organised Crime Agency (SOCA) and the US's FBI and the Department of Justice in the US have seized 36 domains linked to stolen payment card information trafficking. Law enforcement agencies in five other countries assisted in the investigation and subsequent seizure of the domains. The sites used ecommerce software called Automated Vending Carts, which allowed them to sell large amounts of stolen data quickly. Three people have been arrested in connection with the scheme.
-http://arstechnica.com/business/news/2012/04/uk-us-seize-36-domains-tied-to-fina
ncial-fraud.ars
-http://www.wired.com/threatlevel/2012/04/36-carding-sites-seized/?
-http://www.theregister.co.uk/2012/04/26/cops_pwn_credit_data_selling_sites/
-http://www.bbc.co.uk/news/uk-17851257

DOD Set to Expand Cyber Threat Information Sharing Program (April 25, 2012)

The success of a US Department of Defense's (DOD) cyber threat information sharing pilot program has prompted the DOD to make plans to expand the program and make it permanent. The defense industrial base (DIB) pilot program would then expand from the original 37 participating entities to approximately 200 firms. The proposal to expand the program and make it permanent is awaiting approval from the Office of Management and Budget (OMB). The program was started two years ago when it became apparent that foreign attackers were targeting firms in the US's defense industrial base to steal information. The information sharing runs both ways; the companies share threat information with the government agencies, and the agencies share it with the participating members of private industry.
-http://www.federalnewsradio.com/?nid=411&sid=2840342
[Editor's Note (Honan): The article form FederalNewsRadio.com is worth the time taken to read it as it offers some interesting insights behind the headlines we see. For example "most incidents that are characterized as "attacks" are more aptly described as probes, intelligence gathering or espionage" are among some of the more sensible commentary on the issues surrounding cyber security. ]

Backdoor Found in Industrial Control Systems (April 25, 2012)

Industrial control equipment made by Rugged Operating Systems has been found to have an undocumented backdoor. The backdoor exists in all versions of the Rugged Operating System made by RuggedCom; it cannot be disabled. The company's equipment is designed to be used in "harsh environments" such as oil refineries and power plants. The backdoor is a factory user account with a password based on the MAC address of the network interface. A workaround has been made available to be used until a fix is released. The person who discovered the backdoor contacted RuggedCom about the issue more than a year ago but the company did not address the issue then.
-http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/
-http://www.h-online.com/security/news/item/Backdoor-in-industrial-networking-har
dware-1559593.html
-http://www.kb.cert.org/vuls/id/MAPG-8RCPEN
[Editor's Comment (Northcutt): What could possibly go wrong? This reminds me of the Verizon MiFi problem first published by Josh Wright in 2010, if you could see the default SSID, you could deduce the shared secret password:
-http://www.willhackforsushi.com/?p=417

(Murray): We are already having a hard enough time identifying and eliminating the vulnerabilities in this space; we did not need this. I remember when a plenary session of the National Computer Security Conference was told that they would never be professionals unless and until they stopped paying rogues for after dinner confessions. Programmers will never be software "engineers" until they are willing to "stand under the bridge while the army marches across." There must be someone between the brand and the code to accept accountability for the product. ]

Majority of Fines for Data Breaches in UK Fall to Public Sector (April 25, 2012)

Although more than a third of the data security breaches reported in the UK in a recent 11 month period occurred in the private sector, the fines imposed on those firms are significantly lower than those imposed on public sector organizations. Between March 2011 and February 2012, there were five fines imposed on public sector entities, totaling GBP 790,000 (US $1.28 million), while there was just one fine imposed on a private sector for GBP 1,000 (US $1,619). According to the Information Commissioner's Office, fines may be imposed only if certain conditions are met.
-http://www.bbc.co.uk/news/technology-17843371
-http://www.scmagazineuk.com/ico-has-issued-only-one-1000-fine-to-the-private-sec
tor/article/238148/

[Editor's Note (Murray): Without counting, I would suggest that here the major fines are paid by hospitals. Not all malware is the same but a corrupt machine is a corrupt machine.
(Honan): A striking aspect of the breaches reported is the number that are caused by to human error. Of the 730 incidents reported, 281 were due to emails or documents sent to the wrong people, while another 108 incidents were the result of lost equipment and 17 due to incorrect disposal. That means 55% of incidents were self-inflicted breaches, while only 170, or 23%, of the incidents reported were due to theft of data or hardware. A good reminder that we need to focus on better security awareness training for users and controls to compensate for when users make mistakes or break policy. ]

eMail Gaffe Sent Termination Notice to All Employees (April 23, 2012)

An email slip-up sent job termination notices to more than 1,300 employees of a London-based investment firm. Aviva Investors has offices throughout Europe and in Canada and the US. The message was supposed to have been sent to just one person. A message correcting the error was sent out soon after. Aviva announced in January that it planned to cut approximately 160 jobs worldwide and a part of its restructuring efforts.
-http://www.ibtimes.com/articles/332138/20120423/aviva-investors-accidentally-fir
es-company-email-text.htm

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/