SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #60

July 27, 2012

Do you have positive answers to any of three key questions that
characterize effective leaders in cybersecurity in 2012?

1. Can you accurately say you are consistently and completely stopping
advanced persistent threat attacks against a large enterprise network?

2. Can you show that you have brought about huge risk reduction (more
than 50%, measured reliably through automation) from continuous
diagnostics and mitigation (previously known as continuous monitoring)?

3. Can you explain the five key errors that people make in implementing
the 20 Critical Controls, and how to avoid them?

If you can say yes to any of these questions, we would like to consider
you as a potential panelist to discuss added solutions (email
ncic2012@sans.org). Otherwise, the National Cybersecurity Innovation
Conference (Baltimore Convention Center, October 3-5) is the one
cybersecurity conference that you will want to attend as a delegate
(even if you consider yourself too important to attend conferences).
The people who can say "yes!" and prove it, to all three questions will
be briefing you and providing in-depth workshops. Any agency or
enterprise not implementing these solutions or better ones, this year,
will likely be considered negligent. Registration information:
http://www.sans.org/ncic-2012/

Alan

---

TOP OF THE NEWS

US Senate Votes to Move Forward with Cyber Security Bill
Sequestration Budget Cuts Would be "Devastating" to Cybersecurity Efforts
Chinese Hackers "Vacuuming Up" Huge Quantities of Proprietary Data

THE REST OF THE WEEK'S NEWS

New Air Traffic Control System Has Security Problems
Mahdi Malware Updated
AC/DC Malware Reportedly Hits Computers at Iranian Nuclear Facilities
Apple Releases Safari 6
Japan's Finance Ministry Finds Evidence of Malware Infection on 123 Computers
Siemens Fixes Software Vulnerabilities
Group Wants UK to Stop Supplying Suppressive Regimes with Surveillance Technology
Gamigo Gaming Platform Acknowledges Data Security Breach
Firefox 14 Has 46 Percent Share of Mozilla Browsers After One Week

---

************************** SPONSORED BY SANS **************************
New Analyst Webcast! Secure Configuration Management Demystified, featuring senior SANS Analyst Dave Shackleford and Tripwire's Michael Thelander, Tuesday, August 28, 1 PM EDT
http://www.sans.org/info/110574
****************************************************************************
TRAINING UPDATE
- - --SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

- - --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

- - --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- - --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- - --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- - --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- - --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- - --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Seattle all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

US Senate Votes to Move Forward with Cyber Security Bill (July 26, 2012)

The US Senate voted 84-11 to advance Senator Joe Lieberman's (I-Connecticut) Cyber Security Act. The lawmakers voted on the issue after Senate Majority Leader Harry Reid (D- Nevada) agreed to allow open amendments. Lieberman introduced a revised version of his original bill last week to appease Republican opposition to imposing mandatory cybersecurity requirements on private companies that operate elements of the country's critical infrastructure. The revised version would establish an incentive program for the organizations to implement cybersecurity measures.
-http://thehill.com/blogs/hillicon-valley/technology/240605-senate-advances-bill-
to-bolster-cybersecurity-defenses-in-84-11-vote

Sequestration Budget Cuts Would be "Devastating" to Cybersecurity Efforts (July 26, 2012)

Sequestration budget cuts would be "devastating" to the Pentagon's efforts to combat cyberthreats, according to top officials from each branch of the US military who testified at a House Armed Services subcommittee hearing earlier this week. Legislators were informed that not only would the cuts derail plans to bolster cybersecurity efforts, but that they could potentially undo cybersecurity efforts that have already been implemented.
-http://www.nextgov.com/cybersecurity/2012/07/defense-officials-sequestration-cut
s-would-be-devastating-cybersecurity/57020/?oref=ng-HPtopstory

Chinese Hackers "Vacuuming Up" Huge Quantities of Proprietary Data (July 26, 2012)

US intelligence has been monitoring Chinese hacking groups for years. The operation is called Byzantine Candor, also sometimes known as the Comment group for their preferred method of gaining access to computers through hidden webpage computer code called comments. The attacks date back as far as 2002, and the depth and breadth of the scope of the attacks is astounding, from data pertinent to financial crises in the European Union to Halliburton to lawyers who were initiating trade claims against Chinese exporters. The attackers breached computers at law firms, investment banks, oil companies, pharmaceutical companies, and technology companies. The sheer volume of information that has been stolen could prove damaging to the US and European economies. The details of the hackers' methods and their targets have been known in the US only to a few select investigators who have classified clearances.
-http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-
with-byzantine-candor.html

---

************************** Sponsored Links: ****************************
1) Complimentary ebook: "NETFLOW SECURITY MONITORING FOR DUMMIES" Download now http://www.sans.org/info/110575
2) Simplifying Identity Management: SANS Product Review of Oracle Identity Governance Solutions by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, 9 am Pacific/12 Noon Eastern http://www.sans.org/info/110580
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

New Air Traffic Control System Has Security Problems (July 26, 2012)

Speaking at the Black Hat Security Conference in Las Vegas, Nevada, researcher Andrei Costin described serious security issues in a new air traffic control system known as Automated Dependent Surveillance-Broadcast (ADS-B). The system is already being used in Australia and is being deployed in the US and other countries around the world. ADS-B uses radio frequencies to allow communications between planes and between planes and ground control. However, the system has serious vulnerabilities that could allow spoofing attacks that would cause air traffic controllers to see planes where there are none. The communications between planes and ground control is sent in cleartext and does not require authorization of transmission sources.
-http://www.wired.com/threatlevel/2012/07/adsb-spoofing/

Mahdi Malware Updated (July 25 & 26, 2012)

The newest version of the Mahdi malware has some new features, according to researchers. It is now capable of monitoring VKontakte and Jabber conversations and seeks users who visit web pages that have "USA" and "gov" in their titles and takes screenshots of those sites. The updated Mahdi also uploads all stolen data immediately rather than waiting for instructions from a command-and-control server. Mahdi also appears to be more widespread than first thought.
-http://news.cnet.com/8301-1009_3-57480284-83/mahdi-malware-creators-add-new-feat
ures/
-http://www.informationweek.com/news/security/attacks/240004380
-http://www.v3.co.uk/v3-uk/news/2194475/madi-trojan-may-be-targeting-uk-firms

AC/DC Malware Reportedly Hits Computers at Iranian Nuclear Facilities (July 25, 2012)

Computer systems at Iranian nuclear facilities have reportedly been hit with malware that shuts down computers and plays music by the band AC/DC. Mikko Hypponen, chief research officer at F-Secure, says he received several email messages from someone with access to an account within Iran's Atomic Energy Organization that provided information about the malware. Hypponen acknowledged that he "can't confirm that the person was who he said he was
[or that ]
any of the things he said actually happened." The name used by the individual corresponding with Hypponen is that of someone who has published many papers and articles on nuclear science.
-http://www.bloomberg.com/news/2012-07-25/iranian-nuclear-plants-hit-by-virus-pla
ying-ac-dc-website-says.html
-http://www.nextgov.com/cybersecurity/2012/07/acdc-virus-attacks-iranian-nuke-pla
nt-dhs-issues-alert-us-industry/56986/?oref=ng-channelrivers

Apple Releases Safari 6 (July 25, 2012)

Apple has released an updated version of its Safari browser. Safari 6 for OS X 10.7 (Lion) addresses more than 120 security issues present in 5.x versions of the browser that could have been exploited to allow cross-site scripting attacks, arbitrary code execution, and file theft. Safari 6 also incorporates several new features, including a "Smart Search Field" that can be used to search and to input site addresses, and an Offline Reading List that allows users to save pages to a list to be read even when an Internet connection is not available. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=13783
-http://www.h-online.com/security/news/item/Safari-6-addresses-numerous-security-
vulnerabilities-1652411.html

Japan's Finance Ministry Finds Evidence of Malware Infection on 123 Computers (July 24 & 25, 2012)

The Japanese Finance Ministry has told local new outlets that its computer systems were infected with a Trojan horse program that went undetected for nearly two years. Of 2,000 computers checked, 123 have been found to be infected with the unspecified malware. Those machines have had their hard drives traded out for clean ones. The malware is believed to have been in place since January 2010 and was able to steal data from then until November 2011, when the attacks stopped for reasons not yet known. The infection was discovered last week during a security audit. No details have been released about how the computers became infected.
-http://www.theregister.co.uk/2012/07/25/japan_finance_ministry_trojan_attack/
-http://www.computerworld.com/s/article/9229534/Japanese_Finance_Ministry_uncover
s_major_Trojan_attack?taxonomyId=17

Siemens Fixes Software Vulnerabilities (July 24 & 25, 2012)

Siemens has fixed vulnerabilities in its Simatic STEP7 and Simatic WinCC software that are similar to those exploited by Stuxnet. The two advisories say that the issues were first detected in 2010 and that subsequent updates have addressed the problems, which allowed attackers to load malicious dynamic-link library (DLL) files.
-http://www.h-online.com/security/news/item/Siemens-issues-Stuxnet-hole-warnings-
1650537.html
-http://www.theregister.co.uk/2012/07/25/siemens_scada_security/

Group Wants UK to Stop Supplying Suppressive Regimes with Surveillance Technology (July 24, 2012)

Privacy International (PI), an organization devoted "to defend
[ing ]
the right to privacy across the world, and to fight
[ing ]
unlawful surveillance and other intrusions into private life by governments and corporations," has given the UK government three weeks to respond to a request to take action to prevent the export of surveillance technology to countries where it is being used by repressive regimes. PI has made such requests of the UK government in the past, all of which have been ignored. This time, if the government has not responded at the end of the three weeks, PI will file for judicial review and possibly seek an injunction that would prohibit British companies from maintaining and updating surveillance products already in use in the designated countries.
-http://www.theregister.co.uk/2012/07/24/privacy_international_legal_action/
-https://www.privacyinternational.org/about-us

Gamigo Gaming Platform Acknowledges Data Security Breach (July 24, 2012)

Users of the Gamigo online gaming platform are being urged to change their login details after a file containing 11 million password hashes belonging to Gamigo users was found on the Internet. The file also includes 8.2 distinct email addresses. The file was posted to a forum which in previous months has seen the posting of similar information from LinkedIn, eHarmony, and other websites. Gamigo has confirmed that the data in the file are authentic, and has acknowledged a breach in March 2012, in which an older version of a database was copied.
-http://www.h-online.com/security/news/item/11-million-passwords-leaked-from-onli
ne-gaming-platform-1651198.html

Firefox 14 Has 46 Percent Share of Mozilla Browsers After One Week (July 24, 2012)

Just one week after Mozilla released Firefox 14, nearly half of users running the browser are running the latest version, indicating that Mozilla's automated, silent updates are effective. Firefox 14 was released on July 17, and by July 23, it had a 46 percent share of all Mozilla browsers.
-http://www.computerworld.com/s/article/9229525/Silent_update_speeds_Firefox_14_u
ptake?taxonomyId=17

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/