SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #36

May 04, 2012

TOP OF THE NEWS

Congressman Langevin Calls CISPA "A Good-Faith Effort"
Mozilla Speaks Out Against CISPA

THE REST OF THE WEEK'S NEWS

SOCA Temporarily Takes Its Site Offline in Wake of DDoS Attack
Hackers Accessed UK Ministry of Defense Systems
Sixth Defendant Named in LulzSec/Anonymous Case
Microsoft's Patch Tuesday to Address 23 Vulnerabilities
EU Court Limits How Programming Languages and Program Functionality Can be Copyrighted
Federal Judge in NY Comes Down Hard on Copyright Trolls
Pentagon Cyber Command Seeking Elevated Status
Global Payments Breach May Date Back to June 2011

---

************************ SPONSORED BY NetIQ *************************
Special Webcast: A History of Threat Intelligence (Part Three) - Sustaining and Optimizing Intelligence Operations. Tuesday, May 08, 2012 at 2:00 PM EDT (1800 UTC/GMT)
http://www.sans.org/info/104620
**************************************************************************
TRAINING UPDATE
- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.
http://www.sans.org/secure-amsterdam-2012/

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- - - --SANSFIRE 2012, Washington, DC July 6-15, 2012 45 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - - --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include Getting to the Root of Highly targeted Rootkits; and All Your Hash are Belong to Us: Targeting Window Password Hashes for penetration.
http://www.sans.org/san-francisco-2012/

- - - --Vulnerability Management Summit & Training, San Antonio, TX August 14-17, 2012 Listen to strategies and best practices that allow network administrators and asset owners to understand the best approaches to creating vulnerability management strategies.
http://www.sans.org/vulnerability-summit-2012/

- - - --SCADA Security Advanced Training, Houston, TX August 20-24, 2012 5 day course combining advanced topics from SCADA and IT Security into the first hands-on Ethical Hacking course for Industrial Control Systems.
http://www.sans.org/scada-sec-training-2012/

- - - - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Brisbane, Atlanta, Boston, New York, Malaysia, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

---

TOP OF THE NEWS

Congressman Langevin Calls CISPA "A Good-Faith Effort" (May 2, 2012)

Speaking at a cybersecurity symposium at the University of Rhode Island, US Congressman Jim Langevin (D-RI) called the Cyber Intelligence Sharing and Protection Act (CISPA) "a good-faith effort to come together in a first step towards better cybersecurity for our nation." CISPA has been decried by privacy groups and the White House has threatened to veto the bill. Langevin is a strong proponent of cybersecurity training and has supported legislation that called on the Department of Homeland Security (DHS) to develop a cybersecurity workforce training program and to support "educational paths to cybersecurity professions."
-http://www.fiercegovernmentit.com/story/langevin-cispa-good-faith-effort-address
-cybersecurity/2012-05-02
Langevin's prepared remarks:
-http://langevin.house.gov/resources/Langevin_Prepared_Remarks_URI_Cyber_2012.pdf

Mozilla Speaks Out Against CISPA (April 30 & May 1 & 2, 2012)

Mozilla is the first major US company to voice opposition to CISPA, the bill that recently passed in the US House of Representatives. In a statement sent to Forbes journalist Andy Greenberg, Mozilla wrote that "CISPA has a broad and alarming reach that goes far beyond Internet security." Other technology companies, including Facebook, Symantec, Verizon, and Microsoft, have voiced their support for CISPA. Microsoft did say that any new legislation needs to allow the company "to honor the privacy and security promised we make to our customers." Despite reports that the statement indicated a waning of support for CISPA, Microsoft spokesperson Christina Pearson said that the company's "position remains unchanged."
-http://www.forbes.com/sites/andygreenberg/2012/05/01/mozilla-slams-cispa-breakin
g-silicon-valleys-silence-on-cybersecurity-bill/
-http://news.cnet.com/8301-1009_3-57425719-83/mozilla-is-first-major-tech-company
-to-denounce-cispa/
-http://www.h-online.com/security/news/item/CISPA-Mozilla-distances-itself-from-t
he-cyber-security-act-1565532.html
-http://thehill.com/blogs/hillicon-valley/technology/224587-microsoft-denies-soft
ening-of-cispa-support
[Editor's Note (Murray): The problem with CISPA is not that it does not permit Big Data to respect the rights of its customers but that it immunizes them from accountability for compromising it. It is little wonder that Big Data favors the bill. ]

---

*************************** Sponsored Links: *************************
1) New Analyst Paper in the SANS Reading Room: Sorting Through the Noise: SANS 8th Annual Log and Event Management Survey Results http://www.sans.org/info/104625
************************************************************************

---

THE REST OF THE WEEK'S NEWS

SOCA Temporarily Takes Its Site Offline in Wake of DDoS Attack (May 3, 2012)

Hackers have launched a distributed denial-of-service (DDoS) attack against the website of the UK's Serious Online Crime Agency (SOCA). The site went offline late Wednesday evening; the organization said that the attack was an inconvenience, but posed no security threat. SOCA may have been targeted because it recently helped shutter three dozen websites that were allegedly trafficking in stolen payment card data. SOCA took down the site deliberately once it became aware of the attack "to limit the impact on other clients hosted by the
[same ]
service provider."
-http://www.bbc.co.uk/news/technology-17936962
-http://www.v3.co.uk/v3-uk/news/2172341/uk-crime-agency-site-offline-ddos-threat
-http://www.theregister.co.uk/2012/05/03/soca_site_downed/
-http://news.cnet.com/8301-1009_3-57427087-83/u.k.s-soca-web-site-targeted-in-ddo
s-attack/

Hackers Accessed UK Ministry of Defense Systems (May 3, 2012)

The UK Ministry of Defence's (MoD) head of cyber security told the Guardian that hackers managed to gain access to several top secret MoD systems. Major General Jonathan Shaw said, "The number of incidents is quite small," but added that "those are the ones we know about. The likelihood is there are problems that we don't know about." Shaw did not provide details about who is behind the attacks, nor did he talk about the methods the attackers used. Shaw noted that to make strides in cyber security, organizations need to listen to people on the front lines of technology, particularly young people, who have grown up with computers.
-http://www.guardian.co.uk/technology/2012/may/03/hackers-breached-secret-mod-sys
tems?newsfeed=true

Sixth Defendant Named in LulzSec/Anonymous Case (May 3, 2012)

A sixth person, Jeremy Hammond, has been added to the list of people being charged in connection with the LulzSec and Anonymous hacking groups. A US federal grand jury has handed down a superseding indictment adding Hammond to the list of defendants for allegedly helping launch attacks against systems at the Arizona Department of Public Safety and Stratfor.
-http://www.informationweek.com/news/security/government/232901400
[Editor's Note (Paller): Hammond is a 27 year old political activist from Chicago who founded the computer security site "HackthisSite." He has served time in jail for his activities. ]

Microsoft's Patch Tuesday to Address 23 Vulnerabilities (May 3, 2012)

Microsoft plans to issue seven security bulletins on Tuesday, May 8 to address a total of 23 security flaws in Windows and Office as well as the Silverlight and .Net development platforms. Three of the bulletins are rated critical; the other four are rated important. While the majority of the updates appear to be for Office, one of the critical bulletins affects all currently supported versions of Windows and all currently supported versions of Office on Windows. It also addresses a flaw in Silverlight.
-http://www.computerworld.com/s/article/9226846/Microsoft_plans_big_May_patch_sla
te_for_next_week?taxonomyId=17
-http://www.zdnet.com/blog/security/ms-patch-tuesday-heads-up-7-bulletins-23-vuln
erabilities/11848?tag=mantle_skin;content
-http://technet.microsoft.com/en-us/security/bulletin/ms12-may

EU Court Limits How Programming Languages and Program Functionality Can be Copyrighted (May 2, 2012)

The European Court of Justice has ruled that computer program functionality and programming languages cannot be copyrighted. The issue was raised in a lawsuit brought by SAS Institute against World Programming Limited (WPL). SAS alleged that WPL violated its licensing agreement by developing clone software capable of running SAS scripts. The court said that while computer code can be copyrighted, its functional characteristics cannot, and that "to accept that the functionality of a computer program can be protected by copyright would amount to making it possible to monopolize ideas, to the detriment of technological progress and industrial development."
-http://arstechnica.com/tech-policy/news/2012/05/eus-top-court-apis-cant-be-copyr
ighted-would-monopolise-ideas.ars
-http://www.computerworld.com/s/article/9226783/Programming_languages_can_t_have_
copyright_protection_EU_court_rules?taxonomyId=17

Federal Judge in NY Comes Down Hard on Copyright Trolls (May 2, 2012)

A federal judge in New York has lashed out at copyright trolls, plaintiffs who attempt to sue dozens of anonymous computer users in one case for copyright violations, hoping to get each to settle for several thousand dollars rather than go to trial. Judge Gary Brown points out that it is erroneous to assume that the registered subscriber of an IP address is the same person who uses that address to download content. Judge Brown also pointed to the "abusive litigation tactics to extract settlements from John Doe defendants." He allowed discovery to proceed against the first defendant in each of the four cases that crossed his desk; the plaintiffs were told that if they wanted to pursue legal action against the rest of the defendants, they would have to pay filing fees for each case.
-http://arstechnica.com/tech-policy/news/2012/05/furious-judge-decries-blizzard-o
f-copyright-troll-lawsuits.ars
[Editor's Note (Murray): At last; a judge who will limit frivolous suits. Where was this judge when someone sued over the wording of the pledge of allegiance? ]

Pentagon Cyber Command Seeking Elevated Status (May 1, 2012)

US military leaders want to elevate the Pentagon's Cyber Command to full combatant status, which would allow the two-year-old cyberwarfare unit greater access to Chairman of the Joint Chiefs of Staff General Martin E. Dempsey and Defense Secretary Leon E. Panetta. The change would send the message that the US military considers the cyber arena "a strategic priority." However, it would leave unanswered questions about the Cyber Command's scope of authority in defending the country.
-http://www.washingtonpost.com/world/national-security/military-officials-push-to
-elevate-cyber-unit-to-full-combatant-command-status/2012/05/01/gIQAUud1uT_story
.html

Global Payments Breach May Date Back to June 2011 (May 1, 2012)

Visa and MasterCard have sent alerts to card-issuing banks warning them that the data breach at card processor Global Payments dates back to at least June 2011. The break-in was acknowledged several weeks ago. The initial warning from Visa and MasterCard said the window of the breach spanned January 21, 2012-February 25, 2012. In the half-dozen alerts since, the companies have gradually widened that window. Global Payments has not provided much information beyond its initial statement that 1.5 million payment cards may have been compromised. Global Payments CEO Paul Garcia said in a letter, responding to questions from a US Senator, that the breach was detected internally on March 8, 2012.
-http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/
[Editor's Comment (Northcutt): According to Google Finance, Global Payments' stock is down $10 dollars since the incident, from 55, to 45. That might not be due to the incident, they are still claiming that only 1.5 million credit cards have been exposed. However, both Visa and Mastercard have removed them from preferred status and they will have to go back through PCI reviews. Until then they have to pay a higher cost to process payments. If this ends up leading to bankruptcy, as happened in Diginotar, although unlikely, I expect it would send shock waves through the financials.
-http://www.google.com/finance?q=NYSE%3AGPN
-http://www.2012infosecurityupdate.com/
">
-http://www.2012infosecurityupdate.com/

-http://www.forbes.com/sites/greatspeculations/2012/04/03/global-payments-data-br
each-exposes-card-payments-vulnerability/
-http://www.2012infosecurityupdate.com/
">
-http://www.2012infosecurityupdate.com/

-http://www.wired.com/threatlevel/2011/09/diginotar-bankruptcy/]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/