SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #37

May 08, 2012

TOP OF THE NEWS

NSA Director Says Critical Infrastructure Companies Should be Required to Implement Security Measures
FBI Wants to Expand CALEA's Purview to Cover Internet Companies
DHS Alerts Warn of Concerted Cyber Attack on Natural Gas Pipeline Companies

THE REST OF THE WEEK'S NEWS

Apple Releases iOS Update
Adobe Flash Player 11.3 Beta Offers Silent Updates for Macs, Sandboxing for Firefox
Adobe Releases Patch for Critical Flash Vulnerability
Apple OS X 10.7.3 Exposes Passwords on Systems Running Older Versions of FileVault
Hacking Group Targets NASA, European Space Agency and Other Organizations
Ransomware Pretends to be Communication from US Department of Justice
Microsoft Ousts Company From Information Sharing Program Over Alleged Leak
Court Records Unsealed in Dajaz1 Domain Name Seizure

---

************************ SPONSORED BY SANS ****************************
New Analyst Paper in the SANS Reading Room: Sorting Through the Noise: SANS 8th Annual Log and Event Management Survey Results
http://www.sans.org/info/104755
**************************************************************************
TRAINING UPDATE
- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

---

TOP OF THE NEWS

NSA Director Says Critical Infrastructure Companies Should be Required to Implement Security Measures (May 4, 2012)

General Keith Alexander, director of the National Security Agency (NSA) and commander of US Cyber Command, wants legislators to enact laws that require companies supporting elements of the country's critical infrastructure, such as power and transportation, to implement strong and effective cyber security measures. In a letter to Senator John McCain (R-Arizona), General Alexander said that "recent events have shown that a purely voluntary and market driven system is not sufficient" to protect networks that support the US's critical infrastructure. There is proposed legislation that would impose requirements on industry, but Republicans have been resistant to the bill, saying it places too heavy a burden on the businesses.
-http://www.washingtonpost.com/blogs/checkpoint-washington/post/nsas-gen-alexande
r-companies-should-be-required-to-fortify-networks-against-cyberattack/2012/05/0
4/gIQA1Snf1T_blog.html
[Editors' Note (Pescatore and Murray): Hmmm, if we use Government (including DoD) systems as examples of "involuntary and non-market driven" approaches to security, it does not appear that approach has resulted in a higher level of security than found in "voluntary and market-driven" private industry.
(Paller): General Alexander is focusing on exactly the right problem. There is a growing consensus that neither current government cybersecurity based on FISMA nor commercial cybersecurity based on voluntary activities are sufficient to defend against current or coming threats. Someone must take responsibility for protecting the nation. General Alexander's leadership in driving security through DoD procurement and getting rid of the wasted report writing - partnered with transformations at DHS, especially in implementing the 20 most critical controls using automation --- can allow government to lead by example and justify Congressional action to improve cybersecurity in the critical infrastructure. ]

FBI Wants to Expand CALEA's Purview to Cover Internet Companies (May 4, 2012)

The FBI wants Internet companies such as Google and Facebook to allow backdoors in their systems to allow government surveillance. The FBI has expressed frustration to Congress over the increasing impediments to conducting wiretaps as communications systems move from telephone services to the Internet. The Communications Assistance for Law Enforcement Act on 1994 (CALEA) requires telecommunications providers to ensure that their systems allow law enforcement to conduct wiretaps easily. In 2004, the Federal Communications Commission (FCC) extended CALEA to include broadband providers, but Internet companies are not obligated to comply with CALEA. The FBI wants CALEA extended to cover these companies; the requirement would apply only if the companies exceed a specified threshold of user numbers.
-http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites
-now/
-http://www.wired.com/threatlevel/2012/05/fbi-seeks-internet-backdoors/
[Editor's Note (Murray): Such a request is unreasonable. ]

DHS Alerts Warn of Concerted Cyber Attack on Natural Gas Pipeline Companies (May 5, 2012)

According to alerts issued by the US Department of Homeland Security, an active cyber attack is targeting systems at US companies responsible for the country's natural gas pipeline. Since March 29, 2012, DHS has issued at least three "amber" alerts that warned of a "gas pipeline cyber intrusion campaign." "Amber" is one step below "red," the most sensitive alert level. The attacks may be targeting Canadian gas pipeline companies as well. The security of such systems has been a focal point of debate in the US legislature, as some lawmakers push for the government to have authority to require private companies responsible for elements of the country's critical infrastructure to implement effective security measures. A recently-issued public warning from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that "analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source." The warning describes a spear-phishing campaign that appears to have been used to gain a foothold in the systems.
-http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural
-gas-pipeline-companies
[Editor's Note (Pescatore): Security Week reports (
-https://www.securityweek.com/report-dhs-requested-gas-pipeline-companies-let-att
ackers-lurk-inside-networks)
that the attacks weren't that serious and that DHS requested that the pipeline companies "...allow them to persist as long as company operations did not appear to be endangered." This is a terrible idea - and a good example of why mixing a security mission with an intelligence mission is almost always a bad idea. ]

---

*************************** Sponsored Links: *************************
1) Ask The Expert Webcast: Privileged Account Management: Enabling Secure Outsourcing and Cloud Tuesday, May 22, 2012 at 1:00 PM EDT. http://www.sans.org/info/104760
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Releases iOS Update (May 7, 2012)

Apple has issued an update for iOS, its mobile operating system, to address four security issues in its browser. The flaws affect Safari and WebKit. The most serious flaw is a memory corruption vulnerability that could allow remote code execution. Two other flaws could be exploited in cross-site scripting attacks. The update of iOS to version 5.1.1 affects iPhones and iPads.
-http://www.scmagazine.com/major-software-flaws-in-iphones-ipads-fixed-in-update/
article/240033/

Adobe Flash Player 11.3 Beta Offers Silent Updates for Macs, Sandboxing for Firefox (May 7, 2012)

Adobe has released a beta version of Flash Player that includes silent updates for Mac OS X. The automated update tool queries Adobe servers every hour until it receives a response. If there is no update available once it reaches the servers, it waits 24 hours and begins the process again. If an update is found, it is automatically installed with no user interaction. Flash 11.3 has the automatic update feature switched on by default, but users have the option of changing that setting so that they get alerts on the screen. Flash 11.3 also includes a protected, or sandbox, mode for users running Firefox on Windows Vista or more current Windows operating systems.
-http://www.computerworld.com/s/article/9226921/Adobe_preps_silent_Flash_updates_
for_Macs?taxonomyId=17
-http://www.h-online.com/security/news/item/Flash-11-3-to-bring-protected-mode-fo
r-Firefox-1569608.html

Adobe Releases Patch for Critical Flash Vulnerability (May 4, 2012)

Adobe has issued a patch for a zero-day flaw in Flash Player that is being actively exploited in targeted attacks. Adobe released the fix on Friday, May 4 and is urging users to update as soon as possible. The vulnerability affects all versions of Flash player, but the attack is targeting only users running Microsoft's Internet Explorer (IE). Adobe is calling the flaw an "object confusion vulnerability," but has released few details beyond that. Adobe was alerted to the problem on April 25 and pushed out the fix as soon as it was ready.
-http://www.computerworld.com/s/article/9226892/Adobe_patches_new_Flash_zero_day_
bug_with_emergency_update?taxonomyId=17
-http://krebsonsecurity.com/2012/05/critical-flash-update-fixes-zero-day-flaw/
-http://www.h-online.com/security/news/item/Adobe-Flash-Player-update-closes-crit
ical-object-confusion-hole-1568704.html
-http://news.cnet.com/8301-1009_3-57428576-83/system-seizing-flash-attacks-prompt
-security-fix-from-adobe/
-http://www.scmagazine.com/flash-flaw-being-used-to-deliver-email-based-attacks/a
rticle/239788/s
-http://www.eweek.com/c/a/Security/Adobe-Patches-Flash-Player-Bug-as-Hackers-Atta
ck-IE-for-Windows-735669/

Apple OS X 10.7.3 Exposes Passwords on Systems Running Older Versions of FileVault (May 6, 2012)

The most recent Apple OS X update contains a security issue that in certain configurations turns on a system-wide debug log file. That file contains the plaintext passwords of every user who has logged in to the system since the update was applied. The problem lies in OS X 10.7.3. The issue affects users who have upgraded to OS X version 10.7.3 but are still running the older version of FileVault.
-http://www.computerworld.com/s/article/9226916/Apple_engineering_mistake_exposes
_clear_text_passwords_for_Lion?taxonomyId=17
-http://www.theregister.co.uk/2012/05/06/lion_logging_passwords_by_accident/
-http://news.cnet.com/8301-1009_3-57428767-83/how-to-manage-the-filevault-passwor
d-hole-in-os-x-10.7.3/
-http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-pas
swords-in-clear-text/11963

Hacking Group Targets NASA, European Space Agency and Other Organizations (May 4 & 6, 2012)

A hacking group called The Unknowns has launched attacks on 10 organizations, including NASA and the European Space Agency (ESA). The Unknowns say that most of the companies that were attacked have since patched the exploited vulnerabilities, which was the goal of the attacks. The group posted data about the attacks, including screenshots of the compromises and information about how each system was infiltrated, to Pastebin. Other organizations on the list included the French Ministry of Defense, Harvard University, and the US Air Force.
-http://www.zdnet.com/blog/security/nasa-esa-confirm-hacks-the-unknowns-says-syst
ems-patched/11902?tag=mantle_skin;content
-https://www.networkworld.com/community/node/80477

Ransomware Pretends to be Communication from US Department of Justice (May 5, 2012)

A newly detected ransomware variant infects users' computer through drive-by download attacks. Once a machine is infected, the malware locks up the computer, making it impossible for users to access their information. A warning is displayed, saying that the user has violated US federal law because the IP address associated with the computer was identified as having visited illicit websites. The message tells users that to unlock their machines, they must pay the US Department of Justice US $100 through a pre-paid money card. The attack also infects computers with malware known as Citadel that enables cyber thieves to steal online banking information.
-http://www.zdnet.com/blog/security/new-ransomware-impersonates-the-us-department
-of-justice/11955?tag=mantle_skin;content
[Editor's Note (Honan): A similar ransomware campaign has been ongoing within Europe over the past few months targeting users in the UK, Finland, Germany and a number of other countries. F-Secure have an interesting blog post on the attack and suggestions on how to manually bypass the ransomware.
-http://www.f-secure.com/weblog/archives/00002344.html.
Microsoft also provides step by step instructions.
-http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Tro
jan:Win32/Reveton.A#recovery_link]

Microsoft Ousts Company From Information Sharing Program Over Alleged Leak (May 3 & 4, 2012)

Microsoft has identified the source of the leak of information about a flaw in Windows Remote Desktop (RDP). Microsoft has kicked Hangzhou DPTech Technologies out of its Microsoft Active Protection Program (MAPP). The Chinese company is believed to be the source of leaked proof of concept exploit code. Some have expressed surprise that Microsoft would publicly name the company it removed from the program. Program participants receive technical information and proof-of-concept code for vulnerabilities before they become public knowledge.
-http://www.computerworld.com/s/article/9226877/Microsoft_boots_Chinese_firm_for_
leaking_Windows_exploit?taxonomyId=17
-http://www.h-online.com/security/news/item/Microsoft-finds-information-leak-and-
closes-critical-Windows-holes-1568457.html
-http://www.informationweek.com/news/security/management/232901457
-http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/232
901426/microsoft-fingers-chinese-firewall-ips-vendor-in-windows-exploit-leak.htm
l
[Editor's Note (Honan): Kudos to Microsoft for naming the company involved. Information sharing programs, be they vendor based or not, depend on trust between all parties. By taking public and decisive action against those who breach that trust Microsoft reinforces to others within such programs the seriousness with which they should treat all information they are entrusted with. ]

Court Records Unsealed in Dajaz1 Domain Name Seizure (May 3 & 4, 2012)

Recently unsealed court records show that the U.S. government seized the Dajaz1 domain name and held it for more than a year while waiting additional information from the Recording Industry Association of America (RIAA). The court records were obtained through a joint request from the Electronic Frontier Foundation and the First Amendment Coalition. The documents used to seize the domain cited four links to pre-release songs, allegedly violating copyright law. Dajaz1's attorney says the company complied with the DMCA takedown procedure; it also appears that some of the songs may have been leaked by the music labels that own them to stir up interest in the forthcoming albums. The unsealed court documents raise some serious questions about the domain seizure procedure in copyright violation cases - in particular, it is concerning that there was not sufficient evidence when the domain was seized; the government applied for repeated extensions before the domain was finally returned, without comment, in December 2011.
-http://arstechnica.com/tech-policy/news/2012/05/waiting-on-the-riaa-feds-held-se
ized-dajaz1-domain-for-months.ars
-http://www.wired.com/threatlevel/2012/05/weak-evidence-seizure/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/