SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #38

May 11, 2012

A major information sharing announcement this morning by the U.S.
Department of Defense expanding the Defense Industrial Base pilot
project in which data on cyber attacks and threats are shared with
military contractors. The DoD press release is at
http://www.defense.gov/releases/release.aspx?releaseid=15266 and the
Fact Sheet is at http://www.defense.gov/news/d20120511dib.pdf

Want a smile and confidence about the future of cybersecurity in the
United States? Read the first few interviews with high school students
who competed in CyberFoundations and CyberQuest competitions.
(https://www.cyberfoundations.org/featured/students) Corporate
donations make it possible for many schools to have their students
participate though some students are raising money through car washes
and bake sales. As you'll see, the students have the combination of
passion and technical talent that is central to success in
cybersecurity. Many of them will start internships even before they
leave high school and continue through college.

Alan

---

TOP OF THE NEWS

China and United States To Work Together to Avoid a Cyber Cold War
Business Travelers Warned of hotel Wi-Fi malware scam

THE REST OF THE WEEK'S NEWS

Norwegian Teens Arrested for Allegedly Attacking UK SOCA Website
Microsoft Releases 23 Fixes for May Patch Tuesday
Apple Release Patches To Address Multiple Security Issues
The Pirate Bay Criticizes Anonymous DDoS Attack Against Virgin Media
Team Poison hacking inquiry: UK teenager arrested
ACTA Unlikely to be Ratified in Europe
UK Government Outlines Internet Surveillance Plans
Twitter Reassures Users After Details of 55,000 Accounts Published

---

************************ SPONSORED BY SANS ****************************
SANS is happy to bring you the latest in our complimentary series of Webcasts. Join us on Tuesday, May 15, 2012 at 9:00 AM as SANS presents: Managing System-related Risk for SME's Featuring: Jim Herbeck.
http://www.sans.org/info/104955
**************************************************************************
TRAINING UPDATE
- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

---

TOP OF THE NEWS

China and United States To Work Together to Avoid a Cyber Cold War (8th May 2012)

During his visit to the United States the Chinese defence minister Liang Guanglie met with his counterpart, US defence secretary Leon Panetta, where it was agreed the two nations will work together in the area of cyber security in efforts to prevent a cyber cold war. Speaking about the meeting Mr Panetta said it is "extremely important" for the US and China to work together to "avoid a crisis in this area". Last year a report issued by US intelligence agencies accused hackers based in China of stealing sensitive data and valuable intellectual property from US organizations. Mr Liang denied that China was the main source of cyber-attacks against the US and criticised western media for portraying China as the main source of cyber attacks and said "I can hardly agree with the proposition that the cyber-attacks directed to the United States are directly coming from China." Mr Panetta acknowledged that other countries were also involved in cyber-attacks.
-http://www.bbc.com/news/technology-17989560
-http://www.v3.co.uk/v3-uk/news/2173196/chinese-security-chiefs-defuse-cyber-cold
-war
-http://news.nationalpost.com/2012/05/08/u-s-and-china-working-together-to-preven
t-cyberattacks/
[Editor's Note (Pescatore): I think the term "cyber cold war" is a good one from the perspectives of how government will need to work with each other even as national interests conflict. I also think we will see the term "mutually assured cyber destruction" become part of the policy and doctrine planning.
(Murray): Teddy Roosevelt enunciated the best foreign policy: "Walk softly and carry a big stick." I think that saber rattling is destabilizing, whether with North Korea, Iran, or China. One does not want frightened neighbors. Only a very frightened neighbor would engage in a "cyber-war" with the NSA. ]

Business Travelers Warned of hotel Wi-Fi malware scam (9th May 2012)

The US based Internet Crime Complaints Centre (IC3), a joint initiative between the FBI and the National White Collar Crime Center, has warned business travelers travelling outside the US about malware which attempts to infect computers by installing itself through Wi-Fi connections in hotels. The warning states ""Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an internet connection in their hotel rooms." The attack targets a "a widely-used software product" and the IC3 recommends that travelers update all software on their PCs before their journey and to be extra cautious before updating software when away from their office. No further details were given as to which software the malware targets or the countries or hotel chains the attacks were reported to have occurred.
-http://www.theregister.co.uk/2012/05/09/hotel_wi_fi_malware_warning/
-http://www.v3.co.uk/v3-uk/news/2173458/fbi-warns-business-travellers-hotel-wi-ma
lware-scam
-http://www.pcpro.co.uk/news/374521/fbi-warns-travellers-to-beware-attacks-via-ho
tel-wi-fi
-http://www.infosecurity-magazine.com/view/25671/fbi-warns-globe-trotters-about-m
alware-lurking-in-hotel-room-connections/
[Editor's Notes (Murray): During a recent blackout in Beijing, the 13th floor of the Hilton Hotel, a favorite of westerners, was notable for showing lights. Prefer the same hotels and food as the Chinese. Use only the Skype client that you take with you. Take a sterile laptop from the oldest part of your inventory; leave it on your return. Take all necessary software, including your VPN client on a thumbdrive. Leave all your files at home and use them via your VPN. ]

---

*************************** Sponsored Links: *************************
1) SANS Analyst Webcast, Streamline Risk Management: Automating the SANS 20 Critical Controls, June 14, 1 PM EDT http://www.sans.org/info/104960
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Norwegian Teens Arrested for Allegedly Attacking UK SOCA Website (9th May 2012)

Police in Norway arrested two teenagers for allegedly taking part in a number of attacks against various websites including that of the UK Serious Organised Crime Agency (SOCA). As well as allegedly attacking the SOCA website the Norwegian National Criminal Investigation Service (NCIS) believe the pair are responsible for attacks against other sites in Norway, Germany and the United States. "We know Soca was recently attacked, as well as Norwegian and American sites, and that is one of the things that we are looking into." said Norwegian prosecutor Erik Moestue. "We have arrested the two we think were most important in these attacks, but we still want to talk to more people." Last week SOCA took its website offline after being targeted by a Distributed Denial of Service Attack.
-http://www.v3.co.uk/v3-uk/news/2173586/norwegian-authorities-arrest-teenagers-su
spected-soca-website-attack
-http://www.bbc.com/news/technology-18005505
-http://www.techweekeurope.co.uk/news/teenagers-arrested-soca-ddos-77291

Microsoft Releases 23 Fixes for May Patch Tuesday (8th May 2012)

This month as part of their May Patch Tuesday release Microsoft released seven security bulletins of which three were deemed critical and four deemed to be important. Overall the seven bulletins addressed 23 vulnerabilities in Microsoft Office, Microsoft Windows, Microsoft .NET Framework and Microsoft Silverlight. The bulletins include fixes to address vulnerabilities exploited by the Duqu malware.
-http://www.theregister.co.uk/2012/05/09/microsoft_patch_tuesday_23/
-http://www.scmagazineuk.com/three-critical-patches-released-by-microsoft-last-ni
ght/article/240262/
-http://net-security.org/secworld.php?id=12888

Apple Release Patches To Address Multiple Security Issues (10th May 2012)

Apple issued updates to OS X Lion and Safari to address a number of serious security issues at Bronze, Silver and Gold medal levels of insecurity. The latest release of Safari, version 5.1.7, includes a feature which determines the version of the Adobe Flash plugin within the browser and if it is out of date will turn off the Flash plugin. OS X Lion includes a number of security fixes including the vulnerability within FileVault which potentially discloses passwords by storing them in plaintext.
-http://www.pcpro.co.uk/news/374551/apple-patches-multiple-security-issues
-http://www.computerworld.com/s/article/9227038/Apple_patches_Safari_blocks_outda
ted_Flash_Player_

The Pirate Bay Criticizes Anonymous DDoS Attack Against Virgin Media (9th May 2012)

The Pirate Bay has come out and criticized the collective hacktivist group known as Anonymous for its recent DDoS attack against the UK based ISP Virgin Media. The Pirate Bay likened the attack to censoring the Internet and argued the actions by Anonymous were as bad as those they claimed to be protesting against. Anonymous claimed the attack against Virgin Media was in retaliation to the ISP complying to a court order forcing it to block access for its customers to the Pirate Bay file sharing site. The Pirate Bay statement, which was issued on their FaceBook page, said "We do not encourage these actions. We believe in the open and free internets, where anyone can express their views ... So don't fight them using their ugly methods. DDoS and blocks are both forms of censorship." The statement went on to request activists to focus instead on mounting legal protests
-http://www.v3.co.uk/v3-uk/news/2173370/pirate-bay-slams-anonymous-virgin-media-d
dos-attack
-http://www.scmagazineuk.com/the-pirate-bay-hits-out-at-ddos-attacks-on-isps/arti
cle/240265/

Team Poison hacking inquiry: UK teenager arrested (10th May 2012)

Police in the United Kingdom have arrested a 17-year-old man in Newcastle for his alleged participation in the Team Poison hacking group. It is believed the arrested individual is known online by the nickname "MLT" and is the group's self-elected spokesperson. The group, which goes by the online moniker of "TeaMp0isoN", is suspected of taking part in over 1,400 illegal activities including hacking into the address book of the former British Prime Minister Tony Blair and bombarding Scotland Yard's counter-terror hotline with prank calls. The youth was arrested under alleged offences under the UK's Computer Misuse Act 1990 and police are currently forensically examining computer equipment seized as part of the arrest.
-http://www.bbc.com/news/technology-18017387
-http://www.telegraph.co.uk/technology/news/9257405/Teenager-arrested-over-TeamPo
ison-hacking-attacks.html
-http://news.techworld.com/security/3356961/police-arrest-alleged-teampoison-hack
er-in-newcastle/
-http://www.v3.co.uk/v3-uk/news/2173960/police-arrest-team-poison-hacktivist-spok
esman-mlt

ACTA Unlikely to be Ratified in Europe (8th May 2012)

The EU Commissioner for the Digital Agenda, Neelie Kroes, has admitted that the controversial Anti-Counterfeiting Trade Agreement, known as ACTA, will most likely not now be ratified within the European Union. In reaction to the large public outcry against ACTA, Kroes, speaking at the recent Freedom Re:Publica Conference in Berlin, said that "we are now likely to be in a world without Sopa and ACTA" and that "now we need to find solutions to make the internet a place of freedom, openness, and innovation fit for all citizens". ACTA has already been signed by 22 of the 27 member states of the EU but a number of those governments have not yet ratified the treaty into national law due to public pressure. The European Court of Justice will also investigate whether the agreement breaches fundamental human rights.
-http://www.guardian.co.uk/technology/2012/may/08/acta-europe-kroes
-http://www.siliconrepublic.com/careers/advice/category/9-randd/item/27082-were-l
ikely-to-be-in-a/
-http://www.thejournal.ie/eu-digital-affairs-chief-admits-controversial-acta-trea
ty-likely-to-fail-439719-May2012/

UK Government Outlines Internet Surveillance Plans (9th May 2012)

The UK government has used the Queen's speech to outline their controversial proposals to increase the ability of the police and security forces to monitor emails, phone calls and Internet use. In her speech the Queen told parliament "My Government intends to bring forward measures to maintain the ability of the law enforcement and intelligence agencies to access vital communications data under strict safeguards to protect the public, subject to scrutiny of draft clauses." No further details on these "measures" were presented. Civil liberties groups and privacy campaigners have expressed dismay at the plan. Security experts argue that current legislation is outdated and are not designed for social media networks, Skype and other modern Internet communication methods.
-http://www.v3.co.uk/v3-uk/news/2173470/queens-speech-confirms-government-interne
t-snooping-plans
-http://www.scmagazineuk.com/queens-speech-gives-details-on-surveillance-plans/ar
ticle/240267/
-http://www.bbc.com/news/uk-politics-18003315
-http://www.pcpro.co.uk/news/374533/government-promises-strict-safeguards-for-web
-snooping
-http://www.infosecurity-magazine.com/view/25680/queens-speech-announces-measures
-to-access-vital-communications-data/

Twitter Reassures Users After Details of 55,000 Accounts Published (9th May 2012)

Following claims that over 55,000 Twitter accounts were hacked and their details published onto the Pastebin data sharing site, Twitter has responded and reassured users that there is no cause for alarm. The initial investigations of the alleged leaked data by Twitter show the information is inaccurate or refers to spam accounts already blocked. A spokesperson for Twitter said "We've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked - that is, the password and username are not actually associated with each other" As a precautionary measure Twitter is forcing a password reset on accounts that may have been affected and recommending users who are concerned their account may have been compromised to change their password.
-http://www.v3.co.uk/v3-uk/news/2173414/twitter-calms-users-fears-55-account-cred
entials-published
-http://www.scmagazineuk.com/twitter-warns-users-to-reset-passwords-after-hacking
-scare/article/240264/
-http://www.pcpro.co.uk/news/374524/twitter-casts-doubt-on-leak-of-55-000-logins

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/