SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #39
May 15, 2012
TOP OF THE NEWS
Pentagon To Share Cyber Security Information with Defense Contractors
Amnesty International UK Hijacked to Share Malware
Adobe Changes Mind on Handling Vulnerabilities After User Backlash
THE REST OF THE WEEK'S NEWS
Man Pleads Guilty to US $1.3 Million Phishing Scam
Payroll Data for 700,000 People Goes Missing in Mail
New Secure TLD Proposed
Undercover Investigation in UK Uncovers Trading in Personal Data
47 Arrested in Carding Ring
Dutch ISPs Ordered by Court To Block Pirate Bay
Israeli Authorities Charge 6 People for Massive Data Theft
************************ SPONSORED BY Quest Software ***********************
Ask the Expert Webcast: Privileged Account Management: Enabling Secure Outsourcing and Cloud Featuring: Dave Shackelford, Jason Fehrenbach and Marc Potter Sponsored by Quest Software. Tuesday, May 22, 2012 at 1:00 PM EDT http://www.sans.org/info/105140
**************************************************************************
TRAINING UPDATE
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/
--Looking for training in your own community?
http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************
TOP OF THE NEWS
Pentagon To Share Cyber Security Information with Defense Contractors (14th May 2012)
The US government is to expand a cyber security information-sharing initiative to include up to 1,000 defense contractors. The program has been running successfully as a pilot scheme with 36 contractors and 3 large Internet Service Providers. According to Eric Rosenbach, deputy assistant secretary of defense for cyber policy, the Pentagon approved expanding the program to include all defense contractors and ISPs with security clearances. "This is an important milestone in voluntary information-sharing between government and industry," he said. The Pentagon will share both classified and unclassified information on cybersecurity threats and countermeasures via a secure portal called DIBnet. If the expanded program continues to be successful it may be expanded to include companies in other areas responsible for critical infrastructure.
-http://www.washingtonpost.com/politics/pentagon-expands-cybersecurity-exchange/2012/05/13/gIQAwPyQOU_story.html
-http://www.nextgov.com/defense/2012/05/pentagon-opens-classified-cyber-program-all-defense-contractors-isps/55707/
[Editor's Note (Murray): Note that no legislation is required. This is the right way to approach the so-called "information sharing" (intelligence sharing) issue. The contractors can provide data, the government can distill intelligence and feed it back. Accountability is preserved. No immunization required. That said, what the contractors can expect to see is conclusions, not raw data, not the other guy's data.
(Liston): Information sharing is the single, lowest-cost "technology" we can adopt that will make us better defenders. I sincerely hope that this program succeeds and is expanded. ]
Amnesty International UK Hijacked to Share Malware (11th May 2012)
For two days in May the UK website for Amnesty International was breached and used by the attackers to infect unsuspecting visitors to the site with the Ghost RAT Trojan. Malicious Java code exploiting the CVE-2012-0507 Java vulnerability was planted on the website. Between the 7th and 9th of May any visitor to the website using an unpatched browser was at risk of having the malware downloaded onto their PC. The Ghost RAT Trojan is the malware used in a number of attacks against various organizations, such as the 'Nitro' attacks against energy firms in 2011.
-http://www.theregister.co.uk/2012/05/11/amnesty_malware_rat/
-http://www.v3.co.uk/v3-uk/news/2174171/cyber-criminals-infect-amnesty-website-spread-trojan
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/amnesty-websites-compromised-in-gh0st-rat-attack-10026160/
-http://www.techcentral.ie/18917/amnesty-uk-website-hacked-to-serve-lethal-gh0st-rat-trojan
[Editor's Note (Liston): How do these people sleep at night? What do they tell their families that they do for a living? "Honey, I'm home... It was a long day at work, but I finally compromised Amnesty International and planted some exploits... My boss is pretty pleased -- I may get a promotion!" ]
Adobe Changes Mind on Handling Vulnerabilities After User Backlash (12th May 2012)
Adobe has come under fire for initially suggesting that customers pay to upgrade their software to obtain patches against security vulnerabilities. Users of Adobe's Creative Suite 5.5 and 5.0 were told by Adobe that they would have to pay US $375 to upgrade to version 6.0 of the software or to "follow security best practices and exercise caution when opening files from unknown or untrusted sources." But following angry feedback from customers, and commentary from security experts, Adobe changed its stance: "We are in the process of resolving the vulnerabilities addressed in these security bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available." There is no indication yet as to when those patches will be available.
-http://www.v3.co.uk/v3-uk/news/2174307/adobe-criticised-handling-security-flaws
-http://www.zdnet.co.uk/news/security-threats/2012/05/14/adobe-changes-course-and-patches-photoshop-for-free-40155215/
-http://net-security.org/secworld.php?id=12920
[Editor's Note (Pescatore): A bad original decision by Adobe is not fully rectified by the current public statements. What will Adobe's long-term policy be on patching critical vulnerabilities in older products? It would be nice to see that Adobe's software development process was improved to result in many, many fewer vulnerabilities in v6 releases, but we still need enterprise-level patching for older versions for a reasonable amount of time.
(Murray): If a vendor could get customers to agree to pay for fixes, there would be a perverse incentive to ship bad code.
(Liston): Wait... what?!?! How is Adobe going to be able to generate the revenue required to continue cranking out the top-notch, consistently bug-free, software gems for which they're known (i.e. Flash, Acrobat, Reader, etc...) if they aren't allowed to "gently" squeeze their customers into upgrading by not patching older versions of their software?!?!]
*************************** Sponsored Link: **************************
1) SANS Analyst Webcast, Streamline Risk Management: Automating the SANS 20 Critical Controls, June 14, 1 PM EDT http://www.sans.org/info/105145
************************************************************************
THE REST OF THE WEEK'S NEWS
Man Pleads Guilty to US $1.3 Million Phishing Scam (8th May 2012)
A 31-year-old US man from Atlanta, Georgia, pleaded guilty to his part in a phishing ring responsible for defrauding people of over US $1.3 million. Waya Nwaki, also known as "Shawn Conley," "USAprince12k," and "Prince Abuja", pleaded guilty to charges of wire fraud conspiracy, wire fraud, aggravated identity theft and computer fraud conspiracy. He could face up to 47 years in prison and a fine of US $250,000 for each count. Sentencing is to take place on August 15th, 2012. According to the indictment filed with the U.S. District Court in New Jersey, Nwaki was part of an international gang of fraudsters, with others named in the scheme as Karlis Karklins of Latvia; Charles Umeh Chidi of the United Kingdom; Alphonsus Osuala and Osarhieme Uyi Obaygbona of Atlanta; Marvin Dion Hill of College Park, Ga.; and Olani Yi Jones of Nigeria.
-http://www.govinfosecurity.com/phisher-guilty-13-million-scam-a-4742
-http://www.msnbc.msn.com/id/47342263/ns/technology_and_science-security/t/georgia-man-admits-role-million-global-cyberscam/
Payroll Data for 700,000 People Goes Missing in Mail (12th May 2012)
The personal details of over 700,000 people involved in California's In-Home Supportive Services are reported to have gone missing in the mail. Hewlett Packard, which manages the payroll data for the workers in California's In-Home Supportive Services, sent the data in microfiche format via the U.S. Postal Service, but the package containing the data arrived at its destination damaged and incomplete. The information contained in the package related to the workers and also to the elderly and disabled clients of the service. The information that may have been compromised includes names, Social Security numbers and salary details dating from October to December 2011. Oscar Ramirez, a spokesman for the California Department of Social Services, said that "The state has opened an internal investigation and notified law enforcement. Notices will be sent to everyone who may be affected, and officials are reviewing policies to prevent future problems."
-http://articles.latimes.com/2012/may/12/local/la-me-0513-homecare-workers-20120513
-http://arstechnica.com/security/2012/05/ca-social-services-office-looses-hundreds-of-thousands-of-recordson-microfiche
-http://www.scmagazine.com/data-on-700k-california-home-care-workers-recipients-lost/article/241124/
New Secure TLD Proposed (11th May 2012)
A new top level domain (TLD) is being proposed to the Internet Corporation for Assigned Names and Numbers (ICANN) as a secure alternative to existing domain name spaces. The ".secure" domain will be aimed at those organizations requiring a high level of trust and security for their websites, such as banks and financial institutions. The proposal is that organizations successfully registering a site within the ".secure" domain space would need to undergo a thorough background check and also adhere to a number of strict security requirements, such as end-to-end encryption and regular scanning of sites for vulnerabilities and malware. Any sites not adhering to the security policies would be disconnected. ICANN is currently reviewing submissions for new TLDs and is expected to publish its results over the coming weeks.
-http://www.timesofoman.com/innercat.asp?detail=4760
-http://www.wired.com/threatlevel/2012/05/dot-secure
-http://gcn.com/articles/2012/05/11/dot-secure-domain-would-enforce-rigorous-security.aspx
[Editor's Note (Pescatore): This is unlikely to have any meaningful impact, as there is no single definition of "secure."
(Murray): Of course, this is what we are entitled to get from SSL certificates. Is there any reason to believe that this domain administrator would do a better job than Verisign? They make money for issuing credentials, not denying them. ]
Undercover Investigation in UK Uncovers Trading in Personal Data (12th May 2012)
An investigation within the UK conducted by the Channel 4 TV station's Dispatches program alleges that private investigators are paying for access to personal details of individuals held in government databases. The program shows how a private investigation firm sold sensitive data on individuals, such as bank account details, social welfare benefit claims and medical details. The program highlights that up to five members of staff a day are disciplined for data offences at the Department of Work and Pensions. Under the UK's Data Protection Act, specifically section 55, it is a criminal offence to "obtain or disclose personal data" without permission or to "procure the disclosure to another person". The report has led to calls for more regulation of the private investigations industry.
-http://www.guardian.co.uk/technology/2012/may/12/trade-personal-data-secret-investigation
-http://www.channel4.com/info/press/news/five-staff-a-day-disciplined-for-data-offences-at-the-dwp
[Editor's Note (Murray): While US private investigators do not advertise their methods, they do promise that data. These are exactly the services that HP hired. One role of the PI relationship is to protect the principal from the methods of the investigator. ]
47 Arrested in Carding Ring (11th May 2012)
The Royal Canadian Mounted Police arrested 47 people in a number of raids in Montreal and Ontario in a crackdown on a well-organized international bank card ring responsible for stealing US $7 million and potentially hundreds of millions more. The gang installed skimming devices on ATMs and modified POS terminals so that card data could be gathered remotely. In one attack lasting just 5 minutes, police claim, the thieves made 203 transactions using 79 fraudulent cards at 23 different bank machines, netting them US $30,000. According to Royal Canadian Mounted Police Sergeant Yves Leblanc, "This went on once, twice, three times a day. It went on maybe four or five times a week." The gang had accomplices in Vancouver, Australia, New Zealand, Malaysia, Tunisia and England. The arrests are the result of an investigation that began in 2008.
-http://net-security.org/secworld.php?id=12913
-http://www.wired.com/threatlevel/2012/05/mounties-bust-carders/
Dutch ISPs Ordered by Court To Block Pirate Bay (11th May 2012)
In the Netherlands, a Dutch court has ordered 5 of the country's ISPs to block access to the Pirate Bay file-sharing service. In addition, the Court of The Hague has forbidden the Dutch Pirate Party from informing the public on how to circumvent the blocking mechanisms or from providing any proxy services to bypass the filters. In response, the Pirate Party claims the court is censoring the Internet. "This is a slap in the face for the free internet and a novel judicial decision. The judge decided to give the Netherlands another nudge on the sliding scale of censorship," said a Pirate Party spokesman. In January of this year a separate court order required 2 other ISPs to block access to Pirate Bay. The Pirate Party operated a proxy service which allowed clients of those ISPs to bypass the filters.
-http://www.v3.co.uk/v3-uk/news/2174066/dutch-court-isps-block-pirate-bay
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/court-bans-dutch-party-from-helping-pirate-bay-10026156/
Israeli Authorities Charge 6 People for Massive Data Theft (13th May 2012)
The district attorney for Tel Aviv, Israel, has charged 6 people for their involvement in a massive theft of data from the country's population database, exposing the details of up to 9 million people. The indictment lists 55-year-old Shalom Bilik, a former contractor of the Welfare and Social Services Ministry, and alleges that while working at the ministry he made copies of the population registry database and sold it. Others included in the indictment are also accused of selling the data to third parties. In a separate charge, Bilik is also accused of copying databases containing personal information regarding children up for adoption and their biological parents. The district attorney has requested that the trial be held in a closed court and a gag order imposed on the defendants' testimony so that details of the Interior Ministry's databases and database security can be kept secret to avoid any further data breaches.
-http://www.jpost.com/NationalNews/Article.aspx?id=269728
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/