SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #47

June 12, 2012


NEW: DEFINITIVE LIST OF NOTABLE, NEW, ACTIVE ATTACKS
Yesterday, the 125,000 subscribers to @RISK received a sample of the new
weekly threat update that may evolve into the definitive weekly list of
new attack vectors. A segment is included at the end of this newsletter
along with a way for you to get it weekly (on Thursdays). The list's
purpose is to ensure that the 20 Critical Security Controls
(http://www.sans.org/critical-security-controls/) do not miss any of the
newest attacks. The 20 Critical Controls were adopted last fall as the
national cybersecurity benchmark in the United Kingdom and have gained
widespread and increasing adoption in government and critical
infrastructure in the United States.

Alan

TOP OF THE NEWS

US Senators Draft a Proposed Cybersecurity Bill Compromise
IPv6 Adoption Estimated to be One Percent

THE REST OF THE WEEK'S NEWS

Shared Code Suggests Link Between Flame and Stuxnet
US Government Says It Doesn't Have to Retrieve Megaupload User's Files
European Data Protection Supervisor Warns of Smart Meter Privacy Issues
MySQL and MariaDB Flaw Lets Hackers Bypass Authentication
FTC Reaches Settlements With Two Companies Over Data Leaks
Microsoft's June Updates
Judge Will Not Dismiss Charges Against Bradley Manning
Adobe Issues Flash Update
Oracle to Patch Java SE

@RISK

The New @Risk: Weekly Threat Update


************************** SPONSORED BY Bit9 *******************************
Live Webcast: The Future of Cyber Espionage - Don't Get Burned by Flame and other Advanced Persistent Threats. Have you heard of Flame - the latest high-profile cyber-attack - and are you concerned that you are vulnerable to attacks like it?
Register today for this live webcast and learn how you can stop advanced attacks.
http://www.sans.org/info/106719
****************************************************************************
TRAINING UPDATE
- - --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- - --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- - --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- - --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; Why Don't We Consider Our Cars Critical Infrastructure?; Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; and many more.
http://www.sans.org/sansfire-2012/

- - --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- - --SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Malaysia, Bangkok, San Diego, San Antonio, and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

TOP OF THE NEWS

US Senators Draft a Proposed Cybersecurity Bill Compromise (June 7, 2012)

US Senators Sheldon Whitehouse (D-Rhode Island) and Jon Kyl (R-Arizona) are circulating a draft proposal for a cybersecurity bill that aims to satisfy legislators on both sides of the aisle. Democrats support legislation that would impose mandatory cybersecurity standards on systems that are part of the country's critical infrastructure, while Republicans support legislation that encourages threat information sharing but does not compel utility companies to comply with requirements. The draft legislation treads a middle ground, offering incentives for companies that meet established "baseline performance goals" of cybersecurity. The incentives would include liability protections, an edge in acquiring government funding, and technical cybersecurity assistance.
-http://thehill.com/blogs/hillicon-valley/technology/231601-senators-float-compromise-on-cybersecurity-mandates

IPv6 Adoption Estimated to be One Percent (June 7, 2012)

Although Wednesday, June 6 marked the first official day of IPv6 operation on the Internet, just one percent of the Internet is estimated to be running on the new protocol. That one percent, however, represents a 150 percent increase over the number of IPv6 users just one year ago. Google predicts that by 2015, half of all Internet users will be on IPv6. Gartner predicts that by 2015, 17 percent of users worldwide will use IPv6. Security issues that users should be aware of include reconfiguring or upgrading firewalls and perimeter defenses to support IPv6 and the importance of properly configuring tunneling between IPv4 and IPv6.
-http://www.darkreading.com/security-monitoring/167901086/security/news/240001730/ipv6-arrives-but-not-everywhere.html?itc=edit_stub

[Editor's Note (Ullrich): Asking an IPv4 network admin how much IPv6 traffic he sees is like asking a color blind person how many blue and red shirts he owns. IPv6 adoption is slow, but most networks do not have sufficient controls in place to know how much IPv6 they need. At the ISC, we are seeing many of the IPv6 connections accessing our public website using auto-configured tunnels that probably escape network controls and are considered IPv4 by the origin if they are seen at all.
-http://www.forbes.com/sites/firewall/2012/06/05/why-we-need-ipv6-now-and-what-it-means-for-network-security/

(Northcutt): I enjoyed reading the article, but one percent is probably wrong; many people running IPv6 don't know they are. One thing that should be on every CISO's to-do list is to have a device in their perimeter reporting the number of IPv6 packets to their dashboard. Here is an article with a different point of view:
-http://www.techrepublic.com/blog/security/ipv6-oops-its-on-by-default/1955

(Murray): This is one of those cases where the absolute number is more meaningful than the relative number. One percent of the Internet is huge. ]


************************* Sponsored Links: *************************
1) Got Sudo? Get a centralized sudoers file and easy access rights reporting for $59. Learn more at: http://www.sans.org/info/106724
2) Streamline Risk Management With the SANS 20 Critical Security Controls, featuring senior SANS Analyst and 20 controls co-author, James Tarala and moderated by G. Mark Hardy, Thursday, June 14, 1 PM Eastern Daylight Time http://www.sans.org/info/106729
************************************************************************

THE REST OF THE WEEK'S NEWS

Shared Code Suggests Link Between Flame and Stuxnet (June 11, 2012)

Researchers at two different firms have found evidence linking the recently detected Flame malware to Stuxnet. Analysis found that some code found in Flame is almost exactly the same as code in an older version of Stuxnet. Both pieces of malware targeted systems in Iran. Recent reports lend credence to rumors that Stuxnet was the work of Israel and the US in an effort to slow down Iran's nuclear program. The White House has neither confirmed nor denied its involvement with Stuxnet, but it has launched investigations into the leaks.
-http://www.washingtonpost.com/business/technology/cybersecurity-researchers-say-theyve-spotted-new-link-between-flame-stuxnet-viruses/2012/06/11/gJQAE9i0UV_story.html

-http://www.msnbc.msn.com/id/47767016/ns/technology_and_science-security/
-http://www.bbc.co.uk/news/technology-18393985
-http://news.cnet.com/8301-1009_3-57450292-83/shared-code-indicates-flame-stuxnet-creators-worked-together/

US Government Says It Doesn't Have to Retrieve Megaupload User's Files (June 11, 2012)

Ohio videographer Kyle Goodwin filed a lawsuit seeking the return of his files from the US government; his files were stored on Megaupload's servers, which were shut down in January as part of the government's case against the filesharing site. Goodwin has the help of the Electronic Frontier Foundation, and the Motion Picture Association of America (MPAA) said it would not object to Goodwin and other users regaining access to their legitimately owned files. However, the government claims that because it did not seize the Megaupload servers - it merely imaged a number of them - it cannot return legitimately uploaded data. The government says that Goodwin should sue Megaupload for the files, despite the government having seized Megaupload's assets in January. The government does not oppose Goodwin having access to the information, but says that retrieving his files would be unduly burdensome.
-http://arstechnica.com/tech-policy/2012/06/us-argues-it-shouldnt-have-to-give-megaupload-user-his-legit-files/

-http://www.wired.com/threatlevel/2012/06/feds-megaupload-data/

European Data Protection Supervisor Warns of Smart Meter Privacy Issues (June 11, 2012)

The European Union's data protection supervisor (EDPS), Giovanni Buttarelli, says that the expanding use of smart meters poses serious privacy issues unless safeguards are put in place. EU plans call for smart meters to be installed in most homes and businesses there within the next eight years. Although the technology is expected to reduce energy bills, it will also generate a considerable amount of personal data, which could be used to determine when people are out of their homes and how they spend their leisure time. The EDPS said that customers should be fully informed about what data about them are being stored, and that the energy companies should be prepared to explain the analyses they conduct with those data.
-http://www.v3.co.uk/v3-uk/news/2183404/european-chiefs-warns-brother-implications-smart-meter-roll

MySQL and MariaDB Flaw Lets Hackers Bypass Authentication (June 11, 2012)

A vulnerability in the password-checking code of MySQL and MariaDB allows attackers to bypass authentication through brute force attacks and gain root access to the database. The issue lies in a casting error when passwords are checked with the memcmp function. The flaw affects MySQL and MariaDB versions 5.1.61, 5.2.11, 5.3.5, and 5.5.22. MySQL versions 5.1.63 and 5.5.25, both released in May, address the problem. Internet Storm Center link:
-http://isc.sans.edu/diary.html?storyid=13432


-http://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification?taxonomyId=17

-http://www.theregister.co.uk/2012/06/11/mysql_mariadb_password_flaw/
-http://www.h-online.com/security/news/item/Simple-authentication-bypass-for-MySQL-root-revealed-1614990.html

[Editor's Note (Ullrich): This is a very interesting vulnerability. While the exact details are a bit obscure and specific to MySQL, it should serve as a great lesson to not overlook standard pen testing procedures like password brute forcing as part of the software testing regimen. Developers should read the original post, not the news summary links supplied above:
-http://seclists.org/oss-sec/2012/q2/493]
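The casting error the item refers to, as an added illustration that is not from the newsletter or from the MySQL/MariaDB source: memcmp returns an int whose only guarantee is its sign, and when that int is narrowed to a one-byte type a mismatch can read as a match. The compare results below are constructed; my_bool stands in for the one-byte boolean type used in MySQL's password check (an assumption about the original code's shape, not a copy of it).

```c
/* Added example: models the casting error behind the MySQL/MariaDB
 * authentication bypass. Not MySQL code; the memcmp results are constructed
 * so the truncation is visible without a database server. */
#include <stdio.h>
#include <string.h>

typedef char my_bool;   /* stand-in for MySQL's historical one-byte boolean */

/* Vulnerable shape: memcmp's int result is squeezed into a one-byte type.
 * memcmp only promises a sign, not a magnitude; optimised libc versions
 * can return values such as 256 or -256, whose low byte is 0, so a
 * mismatched password is reported as a match ("0 means equal"). */
my_bool check_vulnerable(int memcmp_result)
{
    return (my_bool)memcmp_result;   /* 0 means "password accepted" */
}

/* Hardened shape (what the fix amounts to): reduce to a true boolean
 * before any narrowing, so every non-zero result stays non-zero. */
my_bool check_fixed(int memcmp_result)
{
    return memcmp_result != 0;
}

/* 1 if the check accepts the login (result compares as 0), else 0. */
int accepts(my_bool r) { return r == 0; }

/* Constructed memcmp results: real mismatches of varying magnitude. */
static const int kSamples[] = { 0, 1, -1, 127, -128, 256, -256, 512 };
static const size_t kSampleCount = sizeof kSamples / sizeof kSamples[0];

/* Defender-side check: how many non-zero (mismatch) results a given
 * check wrongly accepts. This models the defect; whether a real build was
 * affected depended on the libc memcmp it was linked against. */
int count_false_accepts(my_bool (*check)(int), const int *results, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (results[i] != 0 && accepts(check(results[i])))
            bad++;
    return bad;
}

int main(void)
{
    printf("vulnerable check, false accepts: %d\n",
           count_false_accepts(check_vulnerable, kSamples, kSampleCount));
    printf("fixed check, false accepts:      %d\n",
           count_false_accepts(check_fixed, kSamples, kSampleCount));
    return 0;
}
```

The same narrowing can hide in any "int status squeezed into a byte" pattern, which is why a review should look at the declared return type of every comparison wrapper, not only at the comparison call.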

FTC Reaches Settlements With Two Companies Over Data Leaks (June 9, 2012)

A Georgia automobile dealership and a Utah-based debt collection agency have agreed to settlements with the US Federal Trade Commission (FTC) regarding customer data that were leaked over file-sharing networks. Franklin Toyota and Checknet (formerly known as EPN) have both agreed to undergo audits every two years for the next 20 years; they are also prohibited from misrepresenting their data security and privacy postures.
-http://www.scmagazine.com/auto-dealer-debt-collector-settle-with-ftc-over-data-breaches/article/244994/

-http://www.ftc.gov/opa/2012/06/epn-franklin.shtm

Microsoft's June Updates (June 8 & 11, 2012)

On Tuesday, June 12, Microsoft plans to issue seven security bulletins to address a total of 28 vulnerabilities. Three of the bulletins have been labeled critical, while the remaining four have been labeled important. The updates will address flaws in Windows, Internet Explorer, Microsoft Office, and a number of other products.
-http://www.technolog.msnbc.msn.com/technology/technolog/microsoft-fix-28-security-bugs-tuesday-patch-823331

-http://www.v3.co.uk/v3-uk/news/2182921/trio-critical-fixes-microsoft
-http://technet.microsoft.com/en-us/security/bulletin/ms12-jun
[Editor's Note (Ullrich): And please apply last week's certificate update first in order to protect the integrity of your update process. Internet Storm Center Link:
-http://isc.sans.edu/diary.html?storyid=13429]

Judge Will Not Dismiss Charges Against Bradley Manning (June 8 & 9, 2012)

A military judge will not dismiss any of the charges brought against Pfc Bradley Manning, who is facing court martial for allegedly leaking US State Department documents to WikiLeaks. Manning's legal team sought to have 10 of the 22 charges brought against their client dismissed. Manning faces a possible life sentence in prison. Manning's court martial has also been pushed back from September until at least November to ensure that the prosecution provides full disclosure of evidence that could help Manning's defense.
-http://www.guardian.co.uk/world/2012/jun/08/bradley-manning-fails-military-judge?newsfeed=true

-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/06/08/MNAT1OV51N.DTL

Adobe Issues Flash Update (June 8 & 9, 2012)

On Friday, June 8, Adobe released the newest version of Flash Player. The updated version of Flash fixes at least seven vulnerabilities found in older versions of the software. Adobe also released a protected mode sandbox for Firefox running on Windows. The Flash update is available for Windows, Mac OS X, and Linux. The Flash background updater feature is also now available to users running Firefox on Mac OS X. Internet Storm Center Link:
-http://isc.sans.edu/diary.html?storyid=13417
-http://www.zdnet.com/blog/security/adobe-patches-critical-flash-player-holes-adds-support-for-mac-os-x-gatekeeper/12436?tag=mantle_skin;content

-http://www.esecurityplanet.com/patches/adobe-patches-critical-flash-player-security-flaws.html

-http://www.computerworld.com/s/article/9227927/Adobe_patches_critical_Flash_bugs_ships_sandboxed_plug_in_for_Firefox?taxonomyId=17

-http://krebsonsecurity.com/2012/06/critical-security-fixes-for-adobe-flash-player/

-http://www.h-online.com/security/news/item/Adobe-Flash-update-closes-several-critical-holes-1614700.html

Oracle to Patch Java SE (June 8 & 9, 2012)

On Tuesday, June 12, Oracle plans to patch 14 vulnerabilities in Java SE. The update will affect all versions of Java. Twelve of the flaws are remotely exploitable without authentication. Oracle's pre-release announcement underscores the seriousness of the vulnerabilities addressed in these patches: "Due to the threat posed by a successful attack, Oracle strongly recommends that its customers apply Critical Patch Update fixes as soon as possible."
-http://www.h-online.com/security/news/item/Oracle-to-patch-14-critical-Java-SE-holes-on-Tuesday-1614778.html

-http://www.computerworld.com/s/article/9227909/Oracle_to_issue_14_patches_for_Java_SE?taxonomyId=17


@RISK

THE NEW @RISK: THREAT UPDATE

We are transforming @RISK, both the participants and the content, to meet the new needs inherent in the transformation to the 20 Critical Controls (http://blogs.csoonline.com/data-protection/2214/poster-20-critical-security-controls-effective-cyber-defense), led by private critical infrastructure organizations and the US and British governments. A rapidly expanding consensus holds that these 20 controls are the essential core of an effective cyber defense, because they are the only ones demonstrated to be effective in stopping and mitigating damage from known attacks, based on the cumulative experience of the participants (NSA Red and Blue Teams, US CERT, DC3, US Nuclear Labs), and the nation's top private forensics and penetration experts.

But agreeing on these controls raises the need for an authoritative method of ensuring the 20 controls and their measurement systems continue to be what is needed to respond to new attacks. @RISK is changing to become the authoritative record of the new attacks. That means it is a community-wide initiative.

The key authors are the technical folks at Sourcefire under the leadership of Marty Roesch (author of Snort) with full participation by the folks at Qualys and the Internet Storm Center. Additional partners are being recruited.

Here's a draft of an important component of the new @RISK. We would love your feedback: email atrisk@sans.org with suggestions.

To subscribe to @RISK, sign up at
-http://www.sans.org/newsletters/#risk

Thanks in advance for helping to make this critical global defensive initiative successful.
Alan Paller, Director of Research, SANS Institute apaller@sans.org

=====

Notable security issues, handpicked by the Sourcefire Vulnerability Research Team

Title: Base64-encoded c99 shell download Description: The recently reported PHP-CGI vulnerability (CVE-2012-1823) is being actively exploited in the wild. This rule detects one of the shells being dropped by automated attacks against this vulnerability. This payload has been observed in the wild by the Sourcefire VRT (see blog link below), and reported as active by several other organizations around the globe. Reference:
-http://vrt-blog.snort.org/2012/05/php-cgi-leads-to-c99-shell.html
-https://www.virustotal.com/file/79e6e865e1bc97a74a14989a1bb428bddc31d821a062f6da7a145ebbb0bc2928/analysis/

Snort sids: 16613 - 16628, 18686 - 18690, 22917 - 22936, 23016, 23018, 22063, 22064 and 22097

ClamAV: PHP.C99-12

Title: CVE-2012-0184 Microsoft Office Excel SXLI record integer overrun Description: Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2008 and 2011 for Mac; Excel Viewer; and Office Compatibility Pack SP2 and SP3 do not properly handle memory during the opening of files, which allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Excel SXLI Record Memory Corruption Vulnerability." Reference:
-http://technet.microsoft.com/security/bulletin/MS12-030
Snort Sid: 23009 ClamAV: BC.CVE_2012_0184-2

Title: CVE-2011-2397 Iron Mountain connected backup opcode 13 processing command injection Description: The Agent service in Iron Mountain Connected Backup 8.4 allows remote attackers to execute arbitrary code via a crafted opcode 13 request that triggers use of the LaunchCompoundFileAnalyzer class to send request data to the System.getRunTime.exec method. Reference:
-http://osvdb.org/77495
Snort Sid: 22952 ClamAV: -

Title: Blackhole Ramnit redirection Description: Ramnit is a Zeus-like trojan/worm/file infector with rootkit capabilities. Reference:
-http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html

Snort Sid: 22949 ClamAV: Trojan.CripUnp

Title: CVE-2010-0262 Microsoft Office Excel FNGROUPNAME record memory corruption Description: Microsoft Office Excel 2007 SP1 and SP2 and Office 2004 for Mac do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that triggers access of an uninitialized stack variable, aka "Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability." Reference:
-http://technet.microsoft.com/en-us/security/bulletin/ms10-017
Snort Sid: 23010 ClamAV: Exploit.CVE_2012_0262
===================================================================

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/