SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #46

June 08, 2012

TOP OF THE NEWS

DOD Framework "First Step" Toward Standardizing Military CyberOps
Stuxnet News Raises Security Concerns; Lawmakers call for Hearing on Leaks
Massive Password Leaks at LinkedIn and Others
Facebook to Warn Users Infected with DNSChanger

THE REST OF THE WEEK'S NEWS

Flame Malware Extinguishes Itself
More UK ISPs Now Blocking The Pirate Bay
New Do Not Track Specs Would Not Allow Default Settings in Browsers
MPAA Responds to Request to Return Megaupload Files to Users
NHS Trust Fighting Huge Fine
Romney Hotmail and Dropbox Accounts Reportedly Hacked
Mozilla Updates Firefox 13
Google to Warn Users of Suspected State-Sponsored Spying
Adobe Releases Updates for Photoshop and Illustrator
US Dept. of Energy Publishes Cybersecurity Capability Model for Utilities

---

****************** SPONSORED BY SolarWinds.Net, Inc. **********************
Detect & Respond to Network Security Attacks! Successful network, application and system defense rests on the ability to identify and respond to threats immediately - before they become a problem. SolarWinds(R) Log and Event Manager (LEM) gives you the firepower you need to defend your infrastructure! Experience it for yourself today, with our 30-day free trial!
http://www.sans.org/info/106569
****************************************************************************
TRAINING UPDATE
- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.

http://www.sans.org/san-francisco-2012/
- --SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Malaysia, Bangkok, San Diego, San Antonio, and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************* Sponsored Link: **********************
1) Streamline Risk Management With the SANS 20 Critical Security Controls, featuring senior SANS Analyst and 20 controls co-author, James Tarawa and moderated by G. Mark Hardy, Thursday, June 14, 1 PM Eastern Daylight Time http://www.sans.org/info/106574
********************************************************************

---

TOP OF THE NEWS

DOD Framework "First Step" Toward Standardizing Military CyberOps (June 6 & 7, 2012)

US Secretary of Defense Leon Panetta describes a new organizational framework he has approved for the US Defense Department (DOD) as a "first step" toward standardizing cyber operations across the military. The new command structure will grant offensive and defensive cyber operational authority to geographic combatant commanders. It also will create Joint Cyber Centers (JCC) that will serve as links between US Cyber Command (CYBERCOM) Combat Support Elements and combatant commanders in the military. Panetta has exhorted commanders to swiftly implement a transitional plan, called the Joint Staff Transitional Cyberspace operations Command and Control Concept of Operations; Panetta said that "it is imperative that we move quickly and put the transitional framework in place as soon as possible."
-http://www.defensenews.com/article/20120606/DEFREG02/306060010/Panetta-Green-Lig
hts-First-Cyber-Operations-Plan?odyssey=tab|topnews|text|FRONTPAGE
-http://www.dailytech.com/Defense+Secretary+Leon+Panetta+Sets+First+Cyber+Operati
on+Plan+in+Motion/article24876.htm

Stuxnet News Raises Security Concerns; Lawmakers call for Hearing on Leaks (June 5 & 6, 2012)

Saying that she is "deeply disturbed by the continuing leaks of classified information to the media, most recently regarding alleged cyber efforts targeting Iran's nuclear program," US Senator Dianne Feinstein (D-California) is calling for legislative hearings about the leaks regarding the US's involvement with the Stuxnet worm. Senator Feinstein is not asking for the hearings to address the actual attacks. Senator Carl Levin (D-Michigan), who chairs the Senate Armed Services Committee, has agreed to hold a hearing on the matter. The FBI has reportedly launched an investigation into the leaks. There is concern that the revelation will encourage copycat attacks against the US.
-http://www.wired.com/threatlevel/2012/06/stuxnet-leak-investigation/
-http://www.theatlantic.com/national/archive/2012/06/did-americas-cyber-attack-on
-iran-make-us-more-vulnerable/258120/
-http://www.nextgov.com/cybersecurity/2012/06/senators-blast-publicity-cyberattac
k-iran/56121/?oref=ng-channeltopstory
-http://arstechnica.com/tech-policy/2012/06/stuxnet-expert-calls-us-the-good-guys
-in-cyber-warfare/

Massive Password Leaks at LinkedIn and Others (June 6, 2012)

Reports originally surfaced in Norway overnight that about 6.5 million unsalted SHA-1 password hashes had been posted to a Russian site with a request for assistance in cracking them. Several highly trusted security researchers have confirmed that the hashes posted include those of passwords they use exclusively on LinkedIn.
-https://isc.sans.edu/diary.html?storyid=13390
How to tell if you are affected:
-http://www.zdnet.com/blog/btl/linkedin-password-breach-how-to-tell-if-youre-affe
cted/79412

Facebook to Warn Users Infected with DNSChanger (June 5, 2012)

Facebook has begun warning users whose computers appear to still be infected with the DNSChanger malware. Infected machines that are not cleaned by July 9 will cease to be able to access the internet. The Facebook warning will include a link to the DNSChanger Working group website, where users can find information about removing the malware from their computers. DNSChanger works by changing settings on infected machines to redirect them to rogue DNS servers controlled by those launching the attack. In November 2011, the FBI seized the malicious machines and realizing that millions of users would be cut off from the Internet if the servers were simply removed, replaced them with others, operated by the Internet Systems Consortium, that allowed infected users to continue to access the Internet. The court order allowing the FBI to operate the servers expires on July 9. The number of infected devices is estimated to be 350,000 down from an initial figure of four million.
-http://news.cnet.com/8301-1009_3-57447967-83/facebook-warns-users-of-the-end-of-
the-internet-via-dnschanger/
-http://www.computerworld.com/s/article/9227779/Facebook_joins_Google_ISPs_in_not
ifying_DNSChanger_victims?taxonomyId=17

---

THE REST OF THE WEEK'S NEWS

Flame Malware Extinguishes Itself (June 7, 2012)

The people behind the Flame malware network appear to have responded to recent publicity by sending out a command that has caused it to self-destruct. Some of the command-and-control servers in Flame's infrastructure sent out a file that is essentially a Flame uninstaller, which also overwrites the disk with random characters to help disguise its footprint.
-http://www.theregister.co.uk/2012/06/07/flame_suicide_command/
-http://news.cnet.com/8301-1009_3-57448813-83/flame-authors-force-self-destruct/
[Editor's Note (Honan): This malware contains lots of interesting techniques including its ability to use a MD5 chosen-prefix collision attack. "Crypto breakthrough shows Flame was designed by world-class scientists"
-http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/]

More UK ISPs Now Blocking The Pirate Bay (June 7, 2012)

Citing a court order that obliged compliance, UK Internet service provider O2 is now blocking file sharing site The Pirate Bay. O2 subsidiary Be posted a message on its company blog, telling customers "Our parent company was one of the name ISPs so we are obliged to comply. We wouldn't do this voluntarily, but we need to comply with UK laws." The order was handed down in April from the High Court after a judge ruled that The Pirate Bay was facilitating copyright infringement.
-http://www.bbc.co.uk/news/technology-18358483

New Do Not Track Specs Would Not Allow Default Settings in Browsers (June 6 & 7, 2012)

Just days after Microsoft announced that Internet Explorer 10, the next version of its flagship browser which is scheduled to be bundled with the forthcoming Windows 8 operating system, would have its do-not-track feature enabled by default, the W3C (World Wide Web Consortium) proposed an update to its Do Not Track Specification that says: "an ordinary user agent must not send a Tracking Preference signal without a user's explicit consent." If the change is formally adopted, Microsoft could not claim that IE 10 is compliant with the W3C's Do Not Track Standard unless it backs off from the enabled-by-default plan.
-http://www.computerworld.com/s/article/9227881/Standards_group_to_bar_IE10_from_
claiming_Do_Not_Track_compliance?taxonomyId=17
-http://www.wired.com/threatlevel/2012/06/default-do-not-track/
-http://news.cnet.com/8301-1009_3-57448795-83/microsofts-do-not-track-default-in-
ie10-violates-new-specs/
[Editor's Note (Pescatore): The companies that depend on monitoring user activities for revenue want to make it hard for users to turn on Do Not Track, where common sense (and decency) says it should be the default setting and users should opt-in to being tracked. The ad industry's objections are like the band-aid industry objecting to razor blades coming by default with protective cardboard covers.
(Ullrich): Advertisers didn't mind claiming "Do Not Track" compliance as long as nobody uses it. In a test we ran at the ISC web site, only 3% of users had it enabled. Apple announced a change to "default on" for the next version of Safari as well.
-https://isc.sans.edu/diary.html?storyid=13273]

MPAA Responds to Request to Return Megaupload Files to Users (June 6, 2012)

The Motion Picture Association of America (MPAA) responded to a legal request seeking the return of Megaupload users' files, saying that if the request is granted, the returned files should exclude digital content that violates copyright. The stipulations would complicate the return of content. In a separate but related story, attorneys in New Zealand representing Megaupload CEO Kim Dotcom and his business associates allege that the FBI acted illegally when it copied data from computers seized from Megaupload and sent them back to the US. The data were sent several days after a judge in New Zealand decided that a court hearing would be necessary to determine whether or not the FBI would be permitted to take the data to the US. New Zealand's government maintains that the FBI acted within its rights because the law in question applies to physical evidence, not information, although it did concede that in the Megaupload case, information is likely to be the most valuable of the assets seized. Nonetheless, because nothing physical was removed and sent to the US, the New Zealand government maintains that no laws were broken.
-http://arstechnica.com/tech-policy/2012/06/the-mpaa-would-be-ok-seeing-legit-mea
gupload-files-restored/
-http://www.wired.com/threatlevel/2012/06/fbi-pirated-kim-dotcom/

NHS Trust Fighting Huge Fine (June 6, 2012)

The Brighton and Sussex University Hospitals NHS Trust is disputing a GBP 325,000 (US $505,450) fine imposed by the UK's Information Commissioner's Office (ICO) for leaving patient data on hard drives that were later sold on eBay. According to the ICO, the compromised data include names, dates of birth, and medical diagnoses, as well as the names of 1,527 people who had tested HIV positive. The drives in question were decommissioned in March 2008 and had remained in storage until 2010, when the Trust's IT service provider asked its regular subcontractor to handle the drives' destruction. The company was not able to do that, so the service provider asked another company to do it. After the drives started turning up on eBay, the ICO launched an investigation and determined that more than 230 of the trust's drives had been sold. According to a statement from the Trust, they are disputing the fine because they "arranged for an experienced NHS IT service provider to safely dispose of
[the devices ]
and acted swiftly to recover ... those that their sub-contractor placed on eBay."
-http://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/
[Editor's Note (Honan): Under EU Data Protection legislation the Data Controller, in this case the Brighton and Sussex University Hospitals NHS Trust, is responsible for ensuring the data it entrusts to its Data Processor, the "experienced NHS IT service provider" and any of its subcontractors, secures that data in accordance with data protect requirements. So this case is not necessarily about who should pay the fine but rather should the fine be so high. ]

Romney Hotmail and Dropbox Accounts Reportedly Hacked (June 6, 2012)

According to Mitt Romney's campaign communications director, "the proper authorities are investigating" reported breaches of the US presidential candidate's Hotmail and Dropbox accounts. The campaign stopped short of confirming the hacks. The person claiming responsibility for the alleged attacks maintains that there is no connection to the Anonymous hacking group.
-http://www.csoonline.com/article/707822/mitt-romney-email-and-dropbox-accounts-r
eportedly-hacked?source=CSONLE_nlt_update_2012-06-07_testA
-http://www.theregister.co.uk/2012/06/06/romney_hacked_hotmail_gmail/
[(Ullrich): One would think that presidential candidates would have learned from the last campaign, and the attack against Sarah Palin's e-mail, that free services typically do not consider threat scenarios commonly directed at a presidential campaign. ]

Mozilla Updates Firefox 13 (June 5 & 6, 2012)

Mozilla has updated both Firefox and Thunderbird to version 13. The newest versions address several critical vulnerabilities, including a buffer overflow flaw, a use-after-free issue, and other problems with memory safety. Two of the flaws fixed in Firefox 13 were in the browser's updater and update service for Windows.
-http://www.h-online.com/security/news/item/Multiple-security-vulnerabilities-fix
ed-in-Firefox-and-Thunderbird-1611791.html
-http://www.computerworld.com/s/article/9227766/Mozilla_patches_updater_bugs_with
_Firefox_13_plays_catch_up_on_new_tabs?taxonomyId=17
[(Ullrich): This version of Firefox also enables SPDY by default, which is a significant amendment to HTTP and commonly seen as a path to HTTP 2.0. SPDY uses SSL by default, and in particular if it is your job to manage proxies and intrusion detection systems, you should take a look at the challenges it presents. At this point, Twitter and Google are two major sites supporting SPDY. SPDY was included, but not enabled by default in FF 12
-https://isc.sans.edu/diary.html?storyid=13318]

Google to Warn Users of Suspected State-Sponsored Spying (June 5 & 6, 2012)

Google plans to warn users when the company thinks they may be targeted by state-sponsored attacks. Users who appear to be the targets of the attacks will see a message that says, "Warning: we believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now." Google would not provide details about how it would determine if an attack were state-sponsored. The warning does not mean that a user's account has been compromised, only that it is a suspected target of what is believed to be a state sponsored attack. Users are urged to change their passwords and make sure that all operating systems, applications, and plug-ins are updated.
-http://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspected
-state.html
-http://www.washingtonpost.com/business/economy/google-to-alert-users-about-state
-sponsored-attacks/2012/06/05/gJQAzSR8GV_story.html
-http://www.bbc.com/news/technology-18335957
-http://www.wired.com/threatlevel/2012/06/google-to-warn-possible-victims-of-stat
e-sponsored-spying/
-http://www.computerworld.com/s/article/9227782/Google_warns_Gmail_users_of_state
_sponsored_hacks?taxonomyId=17
-http://www.h-online.com/security/news/item/Google-will-warn-users-of-potential-s
tate-sponsored-attacks-1611730.html
-http://news.cnet.com/8301-1009_3-57447906-83/google-warns-gmail-users-about-stat
e-sponsored-email-hacking/
[Editor's Note (Pescatore): But Google will not warn me of the vastly more frequent and just as dangerous times I'm targeted by cybercriminals? The focus on "state sponsored" is silly.
(Ullrich): At the ISC, we had a couple of reports of users who saw these messages. All users who reported these messages are malware researchers using gmail accounts to communicate and occasionally exchange malware samples. The Google warning considers certain specific malware samples "state sponsored", and the warning is apparently triggered if one of these samples was sent to the account holder in the past.
(Honan): Google has other security features that users can implement at no charge including adding two factor authentication using a mobile phone and using the Google authenticator app or voice dialing. More information at:
-https://support.google.com/accounts/bin/topic.py?hl=en&topic=1099588&par
ent=28786&ctx=topic]

Adobe Releases Updates for Photoshop and Illustrator (June 5, 2012)

Adobe has released updates to address vulnerabilities in Photoshop CS5 and CS 5.1 and Illustrator CS 5 and CS 5.5. Adobe initially told users that to fully protect themselves from attacks that exploited the flaws, they would have to upgrade to the most recently released version of each product, which run about US $200 each. Adobe did not think the flaws merited an "out-of-band" update, but later bowed to users' protests. The updates address nine vulnerabilities in all and are available for both products on Windows and Mac OS X.
-http://www.h-online.com/security/news/item/Adobe-updates-arrive-after-user-prote
sts-1605177.html
-http://www.computerworld.com/s/article/9227750/Adobe_patches_critical_flaws_in_P
hotoshop_Illustrator_CS5.x?taxonomyId=17

US Dept. of Energy Publishes Cybersecurity Capability Model for Utilities (June 4, 2012)

On May 31, the US Department of Energy (DOE) published the "Electricity Subsector Cybersecurity Capability Maturity Model." The model is designed to help utilities evaluate their cybersecurity posture and prioritize their cybersecurity actions and investments. The model breaks the information down into 10 capabilities or domains, each with its own objectives. The capabilities include identity and access management; threat and vulnerability management; event and incident response and operational continuity; and cybersecurity program management. The model also establishes four maturity indicator levels for each capability. A draft of the model was piloted at 17 utilities.
-http://www.fiercegovernmentit.com/story/doe-publishes-electric-grid-cybersecurit
y-model/2012-06-04
-http://energy.gov/sites/prod/files/Electricity%20Subsector%20Cybersecurity%20Cap
abilities%20Maturity%20Model%20%28ES-C2M2%29%20-%20May%202012.pdf

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/