SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #49

June 19, 2012

The 25 Most Important Cybersecurity Innovations of 2012 and 10 More
on the Horizon. Extraordinary nominations flowing in - from Symantec
and other corporate users - from governments - and from researchers
in major laboratories - some showing how companies are getting huge
value from products that they already own - plus new technologies
and practices that may change the game. Take a peek at the ones
that have already won. And make sure innovations that are worth broad
adoption are included. http://www.sans.org/cyber-innovation-awards/.

Alan

---

TOP OF THE NEWS

Some Companies, Frustrated by Cyber Attacks, Strike Back
US Defense Department Publishes Mobile Device Strategy
Senator Wyden Blocks Reauthorization of FISA Amendments Act
NSA Data Provenance Initiative
FS-ISAC Survey Shows Cyber Attacks on Banks are Increasing

THE REST OF THE WEEK'S NEWS

IE and XML Flaws Exploited in Limited Attacks
Government Cybersecurity Spending Should Focus on Catching Bad Guys
Six Arrested in Japan in Connection with Android Malware
More Megaupload Legal Maneuvering
Law Enforcement Concerned About IPv6 Record-Keeping
Flash Plugin Causing Crashes in Firefox 13 on Windows
Honeynet Project Adds USB Malware Bait Research
Apple Will Add Privacy Measures in iOS 6

---

*********************** SPONSORED BY Cellebrite ***************************
The new industry standard in mobile forensics, the UFED Touch unites high performance with Cellebrite's unrivaled device support. A real-time viewer and new GUI on an adjustable touch screen, integrated battery, redesigned cable tips and technology upgrades make for UFED extractions that are now up to 10 times faster.
http://www.sans.org/info/107574
****************************************************************************
TRAINING UPDATE
- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012 Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- --SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

---

TOP OF THE NEWS

Some Companies, Frustrated by Cyber Attacks, Strike Back (June 18, 2012)

According to a Reuters report, some companies in the US have become frustrated with available security measures and have taken steps to strike back at cyber attackers. In a few cases, the companies have hired people to attack the attackers' systems; others have taken steps to slow down the cyber intruders' activity. Companies that launch retaliatory attacks run the risk of violating laws. Some have suggested that companies can seed their systems with phony data to trick intruders.
-http://www.canada.com/technology/Hacked+companies+fight+cyber+criminals/6799367/
story.html
-http://news.cnet.com/8301-1009_3-57455030-83/post-hack-companies-fire-back-with-
their-own-attacks/
[Editor's Note (Murray): This is not the wild west; it is not yet time to give up on law and order. Robin Hood was a thug. ]

US Defense Department Publishes Mobile Device Strategy (June 15, 2012)

The US Department of Defense (DOD) has issued a strategy for mobile devices, which "identifies the vision and goals for capitalizing on the full potential of mobile devices and supports the end-user services approach in the DOD Information Technology Enterprise Strategy and Roadmap."
-http://www.nextgov.com/mobile/2012/06/pentagons-blueprint-mobile-devices-lacks-s
ecurity-details/56301/?oref=ng-HPtopstory
-http://www.defense.gov/news/dodmobilitystrategy.pdf

Senator Wyden Blocks Reauthorization of FISA Amendments Act (June 14, 2012)

US Senator Ron Wyden (D-Oregon) has blocked the reauthorization of the FISA Amendment Act, legislation that allows the government to conduct warrantless wiretaps. Although the Obama administration expected the reauthorization to sail through the legislature, Wyden has taken a stand to block the bill because the government refuses to disclose how often the wiretap powers are being used. Wyden has placed a hold on the legislation, the same type of action he took last year when he opposed the Protect IP Act (PIPA).
-http://www.wired.com/threatlevel/2012/06/fisa-amendments-act-fate/
-http://www.wyden.senate.gov/news/press-releases/wyden-places-hold-on-fisa-amendm
ents-act-extension

NSA Data Provenance Initiative (June 14, 2012)

A new National Security Agency (NSA) initiative will track the life-cycle of data, a practice known as data provenance or data pedigree. The goal is to be able to determine the origin of every piece of data the NSA collects and to identify the permissions associated with those data. The practice also helps organizations establish whether or not the data have been altered.
-http://gcn.com/articles/2012/06/14/nsa-tracking-data-life-cycle.aspx

FS-ISAC Survey Shows Cyber Attacks on Banks are Increasing (June 14, 2012)

According to a survey released by the Financial Services Information Sharing and Analysis Center (FS-ISAC), large banks in the US suffered 314 attacks trying to break into and transfer funds out of customer accounts; nearly one-third of the attempts were successful. The survey was conducted by the American Bankers Association using responses from 95 financial institutions and five service providers. Banks participating in the survey said they are taking steps to improve security through customer education, multi-factor authentication, and cutting off customers' access to commercial systems if they detect anomalous behavior.
-http://www.computerworld.com/s/article/9228139/Banks_Hackers_more_aggressive_in_
attacking_customer_accounts?taxonomyId=17
Related: Newer Attacks are Stealthier The more recent attacks, such as those employed by ZeuS and SpyEye, use a method of attack that does not require them to be online at the same time as the target. The method is called automatic transfer system and is used to establish a "man in the browser" scenario; the attack does not require the target to enter any additional information.
-http://www.scmagazine.com/cyber-crooks-evading-advanced-bank-security-to-transfe
r-funds/article/246227/
[Editor's Note (Murray); The attacks are not against the banks but against their customers. The banks continue to use the legislatures and the FFIEC to escape their fundamental responsibility to ensure that transactions are properly authorized. ]

---

************************* Sponsored Links: *************************
1) Top 5 Reasons to Choose SolarWinds(R) Log & Event Manager Over Splunk(R) SolarWinds LEM with node-based licensing is an affordable alternative to volume-based pricing from Splunk. Powerful SIEM software for log collection, analysis and event management, SolarWinds LEM protects your IT environment before, during, and after an attack. Learn More. http://www.sans.org/info/107584
2) Streamline Risk Management with the SANS 20 Critical Security Controls, featuring SANS 20 controls expert, James Tarala, Sensage president Joe Gottlieb, and experts from Bit9 and FireEye. http://www.sans.org/info/107589
************************************************************************

---

THE REST OF THE WEEK'S NEWS

IE and XML Flaws Exploited in Limited Attacks (June 18, 2012)

A remote code execution vulnerability in Internet Explorer is being exploited in limited attacks, according to Microsoft. The company issued a patch for the flaw last week, but the bulletin (MS12-037) has not yet been updated to reflect the availability of exploit code and the presence of active attacks, which date back to at least June 1. In a related story, attack code that exploits a vulnerability in Microsoft XML Core Services has been published as well. There is no patch currently available for this particular flaw, but Microsoft has released a "Fix it" tool that blocks attacks.
-http://www.zdnet.com/blog/security/attack-code-published-for-critical-ie-flaw-pa
tch-your-browser-now/12493?tag=mantle_skin;content
-http://www.computerworld.com/s/article/9228203/Attack_code_published_for_two_act
ively_exploited_flaws_in_Microsoft_software?taxonomyId=17
-http://www.h-online.com/security/news/item/Exploit-for-unpatched-IE-hole-release
d-1619732.html
XML Fix It Tool:
-http://support.microsoft.com/kb/2719615

Government Cybersecurity Spending Should Focus on Catching Bad Guys (June 18, 2012)

Researchers say that government is better off spending its security budget to police the Internet and catch cyber criminals than on anti-virus software or surveillance. Ross Anderson, a University of Cambridge professor of security engineering and other researchers from the UK, Germany, the Netherlands, and the US, conducted an analysis of cybercrime costs at the request of the UK's Ministry of Defence. The resulting paper will be presented at a conference in Germany later this month.
-http://www.computerworld.com/s/article/9228196/Governments_should_spend_more_to_
cybercriminals_researchers_say?taxonomyId=17
-http://www.bbc.co.uk/news/technology-18456607
-http://www.theregister.co.uk/2012/06/18/catch_more_cybercriminals_uk_gov/
-http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
[Editor's Note (Ranum): When law enforcement switches their tactics from "solving the problem" to "sending a message" they are hoisting the white flag without admitting it.
(Paller): Ross Anderson is a better researcher than these stories imply. My guess is the PR people who wrote up the research were working so hard to get articles written that they just got the story wrong. ]

Six Arrested in Japan in Connection with Android Malware (June 18, 2012)

Authorities in Japan have arrested six people in connection with an Android malware operation. More than 9,000 people downloaded the malware, which was disguised as a video player application. Those behind the scheme allegedly earned more than 20 million yen (US $253,000). Those arrested are also suspected of developing the malware. Infected phones displayed messages demanding payment of 99,800 yen (US $1,262) and the malware was used to steal personal data from the devices.
-http://www.theregister.co.uk/2012/06/18/android_malware_japan_adult_site/

More Megaupload Legal Maneuvering (June 14, 15, & 18, 2012)

The US Attorney's office said that a request from Megaupload's legal team to dismiss criminal copyright charges against the company should be denied. Megaupload maintained that the US has no jurisdiction over the company because it does not have offices in the US. In a related story, a high court judge in New Zealand has ordered the US government to prepare to copy the 150 terabytes of data held on servers seized in the Megaupload case and provide them to the Megaupload defense team.
-http://news.techworld.com/personal-tech/3364544/court-orders-us-govt-prepare-han
d-over-megaupload-data/
-http://www.wired.com/threatlevel/2012/06/megaupoad-data/
-http://rt.com/usa/news/data-dotcom-megaupload-us-948/
-http://news.cnet.com/8301-1023_3-57453507-93/u.s-slams-megauploads-request-to-di
smiss-criminal-charges/

Law Enforcement Concerned About IPv6 Record-Keeping (June 15 & 16, 2012)

Law enforcement agencies in the US and Canada are concerned that the shift to IPv6 will complicate investigations because the new protocol, which expands the number of available Internet addresses, will make it harder to identify the individual associated with a particular IP address. The reason for this is the likelihood of lax record-keeping. Previously, blocks of IP addresses were distributed every few months, meaning the authority distributing those could require the entities receiving the addresses to maintain accurate Whois database records if they wanted more addresses. Because IPv6 is so large, the block of addresses will be distributed far less frequently, making it less likely that the organization handing out the addresses will have leverage to get the companies to maintain records properly. The issue is part of what the FBI calls "going dark," or the concern that its surveillance abilities will decrease as technology advances. The FBI has suggested the possibility that a new law may be needed if the companies do not keep records up-to-date.
-http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-crim
inals-from-police/
-http://tech2.in.com/news/web-services/ipv6-could-shield-criminals-from-police-wa
rns-fbi/316902

Flash Plugin Causing Crashes in Firefox 13 on Windows (June 15 & 18, 2012)

The most recent release of the Flash Player plugin, version 11.3, is reportedly causing crashes in Firefox 13 running on Windows. The issue appears to be related to the Protection Mode, which causes the plugin to run in a sandboxed environment. Some of the crashes seem to be due to bad interactions between Flash Player and other plugins. Mozilla has suggested disabling a particular plugin - RealPlayer Browser Record - to address this issue. Adobe has suggested downgrading Flash Player to a previous, safe version. Mozilla has released an updated version of Firefox, 13.0.1, which addresses this issue as well as several others.
-http://www.bbc.co.uk/news/technology-18495965
-http://www.h-online.com/security/news/item/Firefox-13-tripped-up-by-Flash-patch-
Update-1619399.html

Honeynet Project Adds USB Malware Bait Research (June 14, 15, & 17, 2012)

The Honeynet Project has taken up research designed to capture malware that spreads through USB sticks. The research project, dubbed the Ghost-USB-Honeypot, was initiated by German university student Sebastian Peoplau. It emulates USB drives to see what kinds of malware use USBs to propagate. Stuxnet and Flame are known to spread this way. The USB technique is used to infect systems that are not connected to the Internet.
-http://www.csoonline.com/article/708533/honeynet-project-tackles-usb-carried-mal
ware-like-flame?source=CSONLE_nlt_newswatch_2012-06-15
-http://www.theregister.co.uk/2012/06/17/honeynet_for_usb/
-http://www.h-online.com/security/news/item/Catching-worms-with-ghost-flash-drive
s-1618455.html
[Editor's Comment (Northcutt): I really enjoyed the cartoon of the B52 dropping a USB stick posted on Facebook by Niels Groeneveld:
-http://yfrog.com/mn820akj]

Apple Will Add Privacy Measures in iOS 6 (June 14 & 18, 2012)

Apple plans to add a privacy control panel to iOS 6, the next version of its operating system for mobile devices, which is scheduled for release this fall. iOS 6 will ask users if they want to allow particular applications access to their information; the controls will allow users to specify which data are approved for access and which are not. Presently, applications only need to get permission to access geographical location data.
-http://www.h-online.com/security/news/item/iOS-6-to-ask-if-apps-can-access-perso
nal-data-1619965.html
-http://news.cnet.com/8301-1009_3-57453473-83/apples-ios-6-to-add-privacy-control
s-for-user-contacts/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/