SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #56

July 13, 2012

We rarely point to Microsoft updates as "top of the news" but John
Pescotore advises this week's updates are very high priority. He is a
reliable source of advice.
Alan

---

TOP OF THE NEWS

Experts Urge Lawmakers to Pass Cybersecurity Legislation
Microsoft Addresses XML Core Services Flaw in July's Patch Tuesday

THE REST OF THE WEEK'S NEWS

Indian Authorities Arrest Man on Software Piracy Charges
Google Updates Chrome 20.x
Oracle's Quarterly Update to Address 88 Vulnerabilities
450,000 Yahoo Voice Logins Compromised
Dutch Chemical Company Thwarts Attempted USB Attack
Apple Releases Gold Master Version of Mountain Lion to Developers
Microsoft Urges Admins to Disable Gadgets and Sidebar Due to Security Issues
Formspring Logins Compromised
Kim Dotcom Tweets an Extradition Waiver Proposal
Cross-Platform Trojan Downloader

---

********************* SPONSORED BY Palo Alto Networks ********************
Download Free Modern Malware for Dummies eBook and learn how to stop the most dangerous threats facing your network. This book provides an in-depth analysis of how modern malware works and outlines the specific actions and technologies needed in order to regain control over today's malware.
http://www.sans.org/info/109919
****************************************************************************
TRAINING UPDATE
- --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation - - The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 46 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Prague all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Experts Urge Lawmakers to Pass Cybersecurity Legislation (July 11, 2012)

Security experts told the Senate Homeland Security and Governmental Affairs Committee that any cybersecurity legislation is better than none, and that it can be fine-tuned as needed after it is enacted. Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute told the committee that "if we don't act now, I can assure you that whatever comes after something bad happens will be much more draconian and not as constructive as it could be."
-http://www.nextgov.com/cybersecurity/2012/07/any-cybersecurity-bill-better-no-bi
ll-senate-panel-told/56730/?oref=ng-HPriver
[Editor's Note (Pescatore): Anyone who says "*any* cybersecurity legislation is better than none" has managed to ignore a long history of damaging effects of bad legislation.
(Paller): Reinforcing John Pesactore's comment - the most critical need for cyber legislation - improving cybersecurity of the critical infrastructure now appears to be off the table, despite protestations to the contrary. Given DHS's cyber leadership's extraordinary actions, and the rewrite of A130, there is little need for legislation to fix FISMA.
(Murray): One sympathizes with congress. Law, however bad, is the only tool they have.]

Microsoft Addresses XML Core Services Flaw in July's Patch Tuesday (July 10 & 11, 2012)

Among the security issues addressed in Microsoft's patch Tuesday for July is the XML Core Services zero-day flaw that is being actively exploited in attacks. The batch of fixes also includes a cumulative update for Internet Explorer (IE) and a patch for a remote execution vulnerability in Microsoft Data Access Components.
-http://www.computerworld.com/s/article/9228979/Microsoft_patches_critical_drive_
by_IE9_bug_Windows_zero_day?taxonomyId=17
-http://www.theregister.co.uk/2012/07/11/ms_july_patch_tuesday/
-http://krebsonsecurity.com/2012/07/microsoft-patches-zero-day-bug-15-other-flaws
/
-http://technet.microsoft.com/en-us/security/bulletin/ms12-jul
Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=13642
[Editor's Note (Pescatore): This month's Microsoft Vulnerability Tuesday should get priority treatment. ]

---

************************* Sponsored Links: *************************
1) Special Webcast: SEC575 Webcast Series: Session 3: A Taste of SANS Security 575 - 2012: A Mobile Penetration Test. Thursday, July 19, 2012 at 1:00 PM EDT. http://www.sans.org/info/109920
2) New Analyst Paper in the SANS Reading room! Streamline Risk Management by Automating the SANS 20 Critical Security Controls by senor SANS Analyst James Tarala http://www.sans.org/info/109925
3) SANS Analyst Webcast: Server Security and Compliance: A Review of McAfee's Product Portfolio for Server Security by senior SANS Analyst Jim D. Hietala http://www.sans.org/info/109930
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Indian Authorities Arrest Man on Software Piracy Charges (July 12, 2012)

Acting on a request from a US court, authorities in India have arrested a man on charges of hacking and copyright infringement. It is not known whether US authorities will seek to extradite Nikhil Kablekar or if they will travel to Mumbai to question him there. Police in India seized computers, CDs, USB drives and other evidence from his home. Kablekar allegedly broke copyright protection on software CDs, then copied then and resold the pirated software.
-http://timesofindia.indiatimes.com/city/mumbai/Man-wanted-for-hacking-in-US-held
/articleshow/14832213.cms
-http://www.theregister.co.uk/2012/07/12/indian_software_counterfeit_suspect_us_e
xtradition_threat/

Google Updates Chrome 20.x (July 12, 2012)

Google has released an update for Chrome 20.x to address three high severity security issues. Chrome 20.0.1132.57 fixes two use-after-free errors in counter handling and layout height tracking. The third flaw is in object access with JavaScript in PDFs. The update also includes some stability improvements for the browser, as well as updates for the Flash player plug-in and the V8 JavaScript engine.
-http://www.h-online.com/security/news/item/Chrome-20-update-fixes-high-risk-secu
rity-vulnerabilities-1637304.html

Oracle's Quarterly Update to Address 88 Vulnerabilities (July 12, 2012)

Oracle's quarterly security update will contain fixed for 88 vulnerabilities. Some of the vulnerabilities affect multiple products. There will be four fixes for Oracle database, 22 for Fusion Middleware, and 25 for the Sun product family. Oracle will release the update on Tuesday, July 17.
-http://www.computerworld.com/s/article/9229081/Oracle_to_release_88_security_fix
es?taxonomyId=17

450,000 Yahoo Voice Logins Compromised (July 11 & 12, 2012)

Yahoo is investigating a breach that may have exposed the login information of 450,000 users. The compromised information includes email addresses and plain-text passwords. The data thieves stole the information by exploiting an SQL injection vulnerability and posted it online. Those responsible for the attack included a message, saying that the action was taken as a warning that the security used on the subdomain from which the data were stolen needs to be improved. The compromised accounts are for Yahoo Voice, a voice-over-Internet-protocol (VoIP) service. Some early reports incorrectly indicated that the breach was of Yahoo Voices accounts; Yahoo Voices is a publishing tool.
-http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked/index.html
-http://www.h-online.com/security/news/item/450-000-email-addresses-and-plain-tex
t-passwords-in-circulation-1637505.html
-http://news.cnet.com/8301-1009_3-57470786-83/hackers-post-450k-credentials-pilfe
red-from-yahoo/

Dutch Chemical Company Thwarts Attempted USB Attack (July 11 & 12, 2012)

Employees at Dutch chemical company DSM who found USB drives in the company parking lot handed them over to the IT department instead of plugging them into their computers. The drives were infected with keystroke-logging malware; the IT department was able to examine the malware and block access to the site where the malware was supposed to send the harvested information, just in case someone else decided to see what was on the mysterious drive instead of handing it to the IT department. It is not known who is responsible for the infected drives. It could be run-of-the mill cyber criminals, people involved in industrial espionage, or they could even be the work of a company hired to surreptitiously test company security.
-http://www.theregister.co.uk/2012/07/11/infected_usb_spyware/
-http://www.h-online.com/security/news/item/USB-drives-left-in-car-park-as-corpor
ate-espionage-attack-vector-1637776.html

Apple Releases Gold Master Version of Mountain Lion to Developers (July 11, 2012)

Apple has released the gold master version of its Mountain Lion operating system to developers. The first developer preview of Mountain Lion was released earlier this year. Mountain Lion is Apple's next OS, scheduled for general release later this month. It also appears that limitations affecting 64-bit Macs in the earlier release will still affect those machines in the final release of Mountain Lion. This means that certain MacBook Pros, iMacs, and Mac Pros will be restricted from upgrading to Mountain Lion, also known as Mac OS X 10.8.
-http://arstechnica.com/apple/2012/07/confirmed-mountain-lion-sends-some-64-bit-m
acs-gently-into-that-good-night/
-http://www.informationweek.com/news/hardware/mac/240003489

Microsoft Urges Admins to Disable Gadgets and Sidebar Due to Security Issues (July 11, 2012)

Microsoft has issued a security advisory recommending that system administrators disable Windows sidebar and gadgets in all supported versions of the desktop operating system because of security issues. Gadgets and Sidebar are widgets written in JavaScript, CSS, and HTML, and run in Windows Vista and some editions of Windows 7. The vulnerabilities could potentially be exploited to allow arbitrary code execution.
-http://technet.microsoft.com/en-us/security/advisory/2719662
-http://www.h-online.com/security/news/item/Microsoft-advises-disabling-Windows-G
adgets-amid-vulnerability-fears-1636895.html
-http://www.technolog.msnbc.msn.com/technology/technolog/microsoft-tells-customer
s-disable-windows-sidebar-gadgets-879132
Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=13651

Formspring Logins Compromised (July 10 & 11, 2012)

Question-and-answer site Formspring has disabled the passwords of 28 million users after learning of an attack that compromised at least 420,000 user password hashes. Those data were posted to the Internet. Users will be able to change their passwords when they log in to Formspring. The company says that someone was able to access one of its development servers and took the information from a production database. The flaw has been repaired.
-http://news.cnet.com/8301-1009_3-57469944-83/formspring-disables-user-passwords-
in-security-breach/
-http://www.theregister.co.uk/2012/07/11/formspring_security_breach/
-http://www.h-online.com/security/news/item/Formspring-question-and-answer-platfo
rm-compromised-1636642.html

Kim Dotcom Tweets an Extradition Waiver Proposal (July 10, 2012)

Megaupload founder Kim Dotcom has tweeted that he and his co-defendants will come to the US from New Zealand without an extradition hearing if the US government agrees to set bail and unfreeze seized funds to pay for legal and living expenses. The extradition hearing for Dotcom and his colleagues had been set for August 2012, but a New Zealand court recently pushed the date back to March 2013. The Megaupload defendants have not been able to pay their legal team, and Dotcom said that the delay is a tactic to further exhaust their ability to defend themselves. Dotcom does not expect his offer to be accepted, as he believes that the US would lose its case against Megaupload; he "remain
[s ]
committed to fighting extradition in New Zealand."
-http://www.wired.com/threatlevel/2012/07/dotcom-surrender/
-http://www.computerworld.com/s/article/9228996/Megaupload_founder_offers_deal_to
_the_US?taxonomyId=144
-http://www.informationweek.com/news/security/vulnerabilities/240003523

Cross-Platform Trojan Downloader (July 10 & 11, 2012)

Researchers have detected a downloader Trojan horse program that checks to see which operating system is running on users' machines and downloads malware tailored to that platform. A malicious Java applet installs backdoors on Windows, Mac, and Linux systems.
-http://www.zdnet.com/cross-platform-trojan-checks-your-os-attacks-windows-mac-li
nux-7000000656/
-http://news.cnet.com/8301-1009_3-57469668-83/new-web-exploit-targets-multiple-pl
atforms/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/