SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #35

May 01, 2012

With all the bad news in cyber security, it is worth a moment of
reflection when there is some good news. The first story in this issue,
about the collegiate cyber competition is good news. In addition, more
than 1,000 college students participated last weekend in CyberQuests,
an online competition to determine eligibility for invitations and
scholarships at the three US National Cyber Camps (at San Jose State,
Cal Poly Pomona, and Virginia Tech in Northern Virginia this summer).
And finally, more than 500 high school students jointly launched (in
April) the all new Cyber Foundations competition, demonstrating their
aptitude in the three foundational skills of cyber security. Lacking
these three skills, no one can excel in cyber security. Add those
programs together, and you have the beginnings of a powerful national
pipeline of world-class cyber talent.

Alan

---

TOP OF THE NEWS

National Collegiate Cyber Defense Competition Winners Named
Russia and US to Use Nuclear Secure Communications System for Cyber Security

THE REST OF THE WEEK'S NEWS

UK High Court Says ISPs Must Block The Pirate Bay
FCC Releases Statistics on Wireless Carriers' Progress in Cap Notification
RuggedCom Will Issue Firmware Updates for Backdoor
VMWare Issues Security Advisory for ESX
Flashback Infections Most Prevalent in Older Versions of OS X
Full Version of FCC's Google Street View Report Reveals Engineer Knew Code Gathered Extra Data
Researcher Releases Details of Unpatched Oracle Flaw Due to Misunderstanding
Microsoft Fixes Hotmail Hijacking Flaw
Experts Tell Lawmakers That Iran Poses Cyber Threat

---

************************ SPONSORED BY SANS *****************************
New Analyst Paper in the SANS Reading Room: Protecting Federal Systems with the SANS 20 Critical Security Controls
http://www.sans.org/info/104469
*************************************************************************
TRAINING UPDATE
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- - --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include Getting to the Root of Highly targeted Rootkits; and All Your Hash are Belong to Us: Targeting Window Password Hashes for penetration.
http://www.sans.org/san-francisco-2012/

- - --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

- - --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

- - - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Brisbane, Atlanta, Boston, New York, Malaysia, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

---

TOP OF THE NEWS

National Collegiate Cyber Defense Competition Winners Named (April 27, 2012)

Mark Weatherford, Deputy Undersecretary for Cybersecurity at DHS reports on the NCCDC (national collegiate cyber defense) competition and on the top three scoring colleges. More than 1,200 students from 100 colleges are reported to have participated in regional competitions leading to the national finals in San Antonio. The top three schools were the University of Washington (1), the United States Air Force Academy (2), and Texas A&M (3).
-http://blog.dhs.gov/2012/04/national-collegiate-cyber-defense.html

[Editor's Note (Paller): The Air Force Academy's number two position at the NCCDC, on top of its win in the 2012 National Security Agency's Cyber Defense Exercise (the most challenging collegiate cyber competition,
-http://www.nsa.gov/public_info/press_room/2012/cdx2012.shtml)
is evidence of extraordinary accomplishment in cybersecurity skills preparation. The nation has an extreme shortage of people who can operate in cyberspace at world-class levels; it's great to see a school doing what it takes to prepare the next generation of cyber operators. The US Military Academy at West Point has long been the leader in this category, but it has a new peer in the Air Force Academy. ]

Russia and US to Use Nuclear Secure Communications System for Cyber Security (April 26, 2012)

A secure communications system established to prevent misinterpreted activity that could escalate into nuclear war between the US and Russia is likely going to be expanded to perform the same function for cyber attacks. The Nuclear Risk Reduction center was created in 1988 to allow Washington and Moscow to communicate about missile tests and launches that could be misinterpreted as acts of aggression. Under the plan, the secure communications channel would also be used to provide the same type of reassurances regarding suspicious cyber activity. The channel would be used in the event that one of the countries detects what appears to be an attack emanating from computers in the other country and would be used only when the attack is perceived to be of "such substantial concern that it could be perceived as threatening national security." Russia has also requested a dedicated cyber incident phone hotline between the Kremlin and the White House.
-http://www.washingtonpost.com/world/national-security/in-us-russia-deal-nuclear-
communication-system-may-be-used-for-cybersecurity/2012/04/26/gIQAT521iT_story.h
tml
[Editor's comment (Northcutt): Failure to have good communications is the root cause of household and office drama, I would expect that the stakes increase with the size of nation state. I think this is a very good idea.]

---

*************************** Sponsored Link: **************************
1) New Analyst paper in the SANS Reading Room: A Review of Oracle Entitlement Server, by SANS Oracle Security expert, Tanya Baccam. Paper: http://www.sans.org/info/104474
************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK High Court Says ISPs Must Block The Pirate Bay (April 30, 2012)

The UK High Court has ruled that internet service providers (ISPs) there must block users' access to The Pirate Bay. Late last year, the British Phonographic Industry (BPI) asked ISPs to block access to the site voluntarily. The BPS's request followed a court ruling that ordered ISPs to block access to Newzbin 2. The ISPs responded to the BPI's request by saying they would not block sites without a court order. Critics observe that for the determined, there are always ways to circumvent blocked sites. Supporters note that the court order serves to underscore the illegality of piracy. Critics have also called the order a slippery slope that could easily lead to further censorship of the Internet.
-http://www.bbc.co.uk/news/technology-17894176
-http://www.wired.com/threatlevel/2012/04/uk-pirate-bay-blocked/
[Editor's Note (Murray): ISPs should not be in the position of judge, jury, and executioner just because someone in power complains. A finding by a court may not be perfect, or even correct, but it is the difference between the Rule of Law and that of men.]

FCC Releases Statistics on Wireless Carriers' Progress in Cap Notification (April 30, 2012)

The US Federal Communications Commission (FCC) has released statistics on wireless carriers' efforts to alert their customers when they are approaching caps on data, text messages, and other services. Last October, US wireless carriers agreed to establish the text message alert systems so that users would be able to rein in their activity or switch to a higher service tier rather than incur charges for exceeding their limits. According to a 2011 FCC survey, more than 15 percent of mobile phone customers had been hit with overage charges of US $50 or more. The providers agreed to establish the text message services within a year. Six months out, T-Mobile has established overage alerts for voice, data, and international roaming. Verizon has implemented alerts for data and international roaming. AT&T has established an alert for data overages and Sprint has established an alert to let customers know when they are approaching their limit on international roaming.
-http://www.cnn.com/2012/04/30/tech/mobile/wireless-data-alerts-gahran/index.html
-http://www.fcc.gov/encyclopedia/bill-shock-wireless-usage-alerts-consumers

RuggedCom Will Issue Firmware Updates for Backdoor (April 30, 2012)

Canadian company RuggedCom says it will remove an embedded backdoor login account from its industrial control systems. The vulnerability has been known for more than a year; last week, the problem was disclosed publicly. The flaw was discovered by Justin W. Clarke after he purchased two used RuggedCom devices on eBay. Clarke notified RuggedCom about the problem in April 2011. When RuggedCom did not address the issue, Clarke contacted the US Department of Homeland Security's Industrial Control System Cyber Emergency Response Team and CERT Coordination Center at Carnegie Mellon University. RuggedCom now plans to release new versions of its firmware to remove the account in its products, which are used on power grids and systems that control railways and traffic. The update, which will be released in the next several weeks, will disable telnet and remove shell services by default. The issue illustrates a problem in the development cycle at RuggedCom. Apparently the developer backdoor was included in the final release of the products. Security researcher Reid Weightman wrote that "nobody and no process at RuggedCom stopped it, and RuggedCom has no process to address security concerns in already-released products."
-http://www.wired.com/threatlevel/2012/04/ruggedcom-to-fix-vuln/

VMWare Issues Security Advisory for ESX (April 30, 2012)

VMWare has issued a security advisory warning users about several security issues in versions 4.0 and 4.1 of ESX enterprise level computer visualization product. The vulnerabilities could be exploited by a local user in a guest virtual machine to obtain elevated privileges, or by a remote user to cause denial-of-service (DOS) conditions.
-http://www.h-online.com/security/news/item/VMware-patches-vulnerabilities-in-ESX
-4-1-1564129.html
-http://www.vmware.com/security/advisories/VMSA-2012-0008.html
[Editor's Note (Murray): Vulnerabilities in the infrastructure are one of the reasons we've learned over the years not to trust the infrastructure to secure the infrastructure. As data centers are increasingly virtualized there is still a need for have layers of security separate from the virtualization infrastructure. ]

Flashback Infections Most Prevalent in Older Versions of OS X (April 30, 2012)

According to Russian security company Dr. Web, Snow Leopard is the version of Mac OS X most likely to be infected by the Flashback malware. Dr. Web has been analyzing data from infected machines gathered through sinkhole techniques. Other findings are that most machines were infected through drive-by downloads; when users refused to enter a password, the attack was still successful. Snow Leopard accounts for 63 percent of infected machines, while Leopard accounts for 25 percent. Just 10 percent of the infected machines are running Lion. While some could point to Apple lagging behind in security, the fact that older versions of OS X are much more likely to be infected than newer versions speaks to Apple's decision to stop bundling Java in its most recent operating system, a positive security decision.
-http://news.cnet.com/8301-1009_3-57424299-83/snow-leopard-hit-hardest-by-flashba
ck-malware/

Full Version of FCC's Google Street View Report Reveals Engineer Knew Code Gathered Extra Data (April 28, 29, & 30 2012)

Google has released the full text of the Street View probe report from the Federal Communications Commission (FCC). The disclosure follows a Freedom of Information Act (FOIA) request for the report made by the Electronic Privacy Information Center (EPIC). The FCC issued a version of the report with significant chunks of text blocked out. Google made the entire document available to the LA Times, redacting only the names of individuals. The report includes mention of a Google engineer who knowingly wrote the Street View data collection code to include the extra personal information. The FCC dropped its investigation of Google earlier this month and fined the company US $25,000 for obstructing the investigation.
-http://www.latimes.com/business/la-fi-google-probe-20120429,0,7046776.story
-http://arstechnica.com/business/news/2012/04/google-releases-full-details-of-fcc
-investigation-into-street-view-wifi-snooping.ars
-http://news.cnet.com/8301-1009_3-57423691-83/google-releases-full-fcc-report-on-
street-view-probe/
-http://www.eweek.com/c/a/Security/Google-Staff-Knew-Street-View-Cars-Were-Collec
ting-Private-Data-FCC-276221/
-http://www.bbc.co.uk/news/technology-17892288
Text of the report:
-http://www.scribd.com/fullscreen/91652398
[Guest Editor's Note (Rob VandenBrink): Just my 2 cents, but I thought that the FCC report on Google's wardriving last year was an interesting read. For me it illustrated just how wrong things can go in a corporate project, and how much worse the lawyers can make it by denying and obstructing. And how enforcement on privacy is either very ineffective or very selective.
-http://isc.sans.edu/diary/13087
(more links in the diary and in the reader comments)]

Researcher Releases Details of Unpatched Oracle Flaw Due to Misunderstanding (April 27, 2012)

A researcher who mistakenly believed that Oracle had patched a flaw in Oracle Database Server released details of the vulnerability to the Full Disclosure mailing list. An advisory accompanying Oracle's quarterly Critical Patch Update on April 17 credited Joxean Koret for a vulnerability he had reported, so he believed that the update include a patch for it. On April 18, Koret emailed Full Disclosure. He later discovered that the vulnerability had been addressed in forthcoming versions of Oracle products, but was not patched for currently available versions. The vulnerability could be exploited to grab information exchanged between clients and databases.
-http://www.computerworld.com/s/article/9226674/Researcher_misinterprets_Oracle_a
dvisory_discloses_unpatched_database_vulnerability?taxonomyId=17
-http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-inject
ed-listeners-1563150.html
[Editor's Note (Murray): When are we going to stop encouraging this irresponsible behavior by calling the perpetrators "researchers?" ]

Microsoft Fixes Hotmail Hijacking Flaw (April 27 & 30, 2012)

Microsoft has fixed a security problem in Hotmail that allowed attackers to reset account passwords. The flaw was being actively exploited, and there were reports that compromised Hotmail accounts were being sold for US $20. The flaw was detected earlier this month; it involves the handling of data that passes between Hotmail and the user while changing passwords. The attack was made through Firefox add-ons. Microsoft released a fix for the flaw just a day after learning of the problem.
-http://www.theregister.co.uk/2012/04/27/hotmail_bug_squashed/
-http://www.bbc.co.uk/news/technology-17866897
-http://www.h-online.com/security/news/item/Hotmail-hacked-for-20-1561894.html
-http://www.technolog.msnbc.msn.com/technology/technolog/microsoft-fixes-critical
-hotmail-password-bug-739992
-http://www.v3.co.uk/v3-uk/news/2171257/microsoft-rushes-fix-hotmail-password-fla
w

Experts Tell Lawmakers That Iran Poses Cyber Threat (April 26, 2012)

Policy and technology experts told US legislators that Iran poses a more dangerous cyber threat than do Russia or China. At an April 26 joint hearing of the House Homeland Security Committee's Cybersecurity, Infrastructure Protection, and Security Technologies, and Counterterrorism and Intelligence subcommittees, legislators heard testimony from experts who said that while China and Russia are usually considered the US's greatest cyber adversaries, "what
[Iran ]
lacks in capability, it makes up for in intent." At another congressional subcommittee hearing on April 24, James Lewis, senior fellow at the Center for Strategic and International Studies, said that China and Russia "aren't going to start a war just for fun," but that the same could not be said of Iran and North Korea. Witnesses at the hearings said that the US needs to take concrete steps in its cyber security stance and create policy that leaves no room for misinterpretation.
-http://gcn.com/articles/2012/04/26/iran-dangerous-cyber-threat-house-hearing.asp
x

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/