SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #64

August 10, 2012

Mark your calendar for October 3-5 for the Eighth Annual IT Security
Automation Conference in Baltimore where you will be the first to learn
about the Continuous Monitoring Working Group's new continuous
monitoring and mitigation initiative and you'll also get a much clearer
picture of the national cyber action strategy going forward. It's being
held in the same Baltimore Convention Center as the National
Cybersecurity Innovation Conference (NCIC) which is the *only*
opportunity in the US where you will be able to have access to an
in-depth workshop on how the Australians actually stop targeted
intrusions, consistently and absolutely. They briefed the White House
while in the US earlier this summer and were invited back for this one
national workshop in Baltimore in October. You'll also get the inside
story on what is happening with the 20 Critical Controls -- fascinating.
Registration for NCIC - that will also get you access to the DHS
presentations and strategy briefings at http://www.sans.org/ncic-2012/

Alan
PS If you are one of the people, as I was, who said "you really cannot
stop the targeted intrusions (advanced persistent threat)," then you,
as I was, are dead wrong and you are wasting money on security products
and people because of it. We're writing notes to the senior government
officials in each Department this week telling them that if their
security people are telling them they cannot stop these attacks, they
are being misinformed at best and being misled at worst. The Australians
proved it.

---

TOP OF THE NEWS

CyberCom Asks For More Powers To Act In Defense Outside Military Systems
White House Considering Executive Order on Cybersecurity
Federal Appeals Court Says Utilities Must Provide Customer Data to Authorities
Federal Appeals Court Says Case Challenging Warrantless Wiretapping May Not Continue

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Fixes for 14 Vulnerabilities on August 14
Gauss Malware Believed to be Related to Flame
Google to Pay Huge Fine Over Safari Cookie Privacy Issue
Apple and Amazon Amend Security Practices After Journalist Suffers Hack
Australia's Privacy Commissioner Tells Google to Destroy StreetView Payload Data
Mobile Device Trojan ZitMo Now Targets BlackBerry
Shylock Variant Now Inserts Phone Numbers Into Online Banking Sites
Users of IE10 on Windows 8 Will Have Option of Changing DNT Default on First Run
Police in Hong Kong Arrest Man Over Alleged DDoS Threats
Cybercriminal Spoofing Payroll Services Companies to Infect Machines
Baidu Fires Four Over Allegations They Took Bribes to Remove Forum Posts

---

******************** SPONSORED BY SANS *************************
Special Webcast: Harvesting the Rotten Fruit: Finding the Vulnerabilities in our Web Applications. Friday, August 17, 2012 at 1:00 PM EDT featuring Kevin Johnson. We will explore three types of attacks; information disclosure, SQL injection and Cross-Site Scripting. We will discuss what the flaws can do, how we find the issues within our applications as efficiently as possible and tools to make this process easier.
http://www.sans.org/info/111344
****************************************************************************
TRAINING UPDATE
- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --Looking for training in your own community? http://www.sans.org/community/

- - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Dubai, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

CyberCom Asks For More Powers To Act In Defense Outside Military Systems (August 10, 2012)

The Pentagon has proposed that military cyber-specialists be given permission to take action outside its computer networks to defend critical U.S. computer systems - a move that officials say would set a significant precedent.
-http://www.washingtonpost.com/world/national-security/pentagon-proposes-more-rob
ust-role-for-its-cyber-specialists/2012/08/09/1e3478ca-db15-11e1-9745-d9ae6098d4
93_print.html

White House Considering Executive Order on Cybersecurity (August 8 & 9, 2012)

In the wake of the failure of cybersecurity legislation in the US Senate, the White House is reportedly considering issuing an executive order to impose cybersecurity requirements to protect the country's critical infrastructure. The bill was defeated in large part because its opponents felt it exerted too much government control over private entities. Civil liberties groups also opposed the legislation because they felt it did not adequately protect citizens' privacy. Representative Edward Markey (D-Massachusetts) has called on the president to issue an order.
-http://thehill.com/blogs/defcon-hill/policy-and-strategy/242799-white-house-cons
iders-executive-action-to-address-cybersecurity-threats-
-http://www.msnbc.msn.com/id/48577162/ns/technology_and_science-security/#.UCRJ50
KViqR
-http://www.computerworld.com/s/article/9230099/White_House_exploring_executive_o
rder_to_secure_critical_networks?taxonomyId=17
-http://thehill.com/blogs/hillicon-valley/technology/242833-dem-rep-markey-presse
s-obama-to-address-cybersecurity-via-executive-action
[Editor's Note (Pescatore): These bill and its numerous predecessors have been floating around for over 5 years now and there is very little in the bill that will lead to meaningful changes that aren't already happening *without* this bill. ]

Federal Appeals Court Says Utilities Must Provide Customer Data to Authorities (August 8, 2012)

The 9th US Circuit Court of Appeals has unanimously ruled that utility companies must provide authorities with customer records upon request if drug agents believe the information is relevant to an investigation. The Comprehensive Drug Abuse Prevention and Control Act of 1970 allows law enforcement authorities to demand data with an administrative subpoena, which does not require judicial oversight. The case in question involves demands from the Drug Enforcement Agency for account information about three customers of Fairbanks, Alaska's Golden Valley Electric Association.
-http://www.wired.com/threatlevel/2012/08/customer-utility-records/

Federal Appeals Court Says Case Challenging Warrantless Wiretapping May Not Continue (August 7 & 8, 2012)

The 9th US Circuit Court of Appeals has ruled that the plaintiff in a case brought against the government challenging the warrantless wiretapping program may not proceed. The court ruled unanimously that the organization, a Muslim charity, could not bring a lawsuit against the government, but could, if it wished, bring a lawsuit against individual government officials. A lower court had ruled that two attorneys working with the al-Haramain Islamic Foundation were spied on without warrants and awarded them more than US $20,000 each and US $2.5 million in legal fees.
-http://www.wired.com/threatlevel/2012/08/appeals-court-oks-wiretapping/
-http://arstechnica.com/tech-policy/2012/08/appeals-court-dismisses-warantless-wi
retapping-suit/

---

************************** Sponsored Links: ****************************
1) Take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/111354
2) Special Webcast: A Look at Exploiting Windows 7 and Windows 8 - featuring Stephen Sims. Tuesday, 8/14 at 1:00 pm EDT. http://www.sans.org/info/111359
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft to Issue Fixes for 14 Vulnerabilities on August 14 (August 9, 2012)

On Tuesday, August 14, Microsoft will release nine security bulletins to address a total of 14 vulnerabilities. Four of the flaws affect Internet Explorer (IE), making this the third month in a row that Microsoft has issued a fix for an issue in the browser. Five of the bulletins have maximum severity ratings of critical. Also being patched are vulnerabilities in Microsoft Exchange, SQL Server, Windows, Office, and Visual Basic.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-aug
-http://www.computerworld.com/s/article/9230147/Microsoft_plans_patches_for_hacke
r_s_playground_?taxonomyId=17

Gauss Malware Believed to be Related to Flame (August 9, 2012)

Malware called Gauss has been detected on systems in Middle Eastern countries. Gauss appears to be related to Flame, which is believed to have been developed to target computers in Iran. Gauss harvests system data and carries a payload that could be harmful to critical infrastructure. The payload is at present unknown; it is encrypted and is activated when it finds certain system configurations. Most of the affected machines are in Lebanon. The malware was first detected in June. It also targets online banking accounts. Gauss is being called a "complex cyber-espionage toolkit" for its combination of espionage capabilities and a banking Trojan.
-http://www.informationweek.com/security/attacks/flame-20-gauss-malware-targets-b
anking-c/240005220
-http://www.wired.com/threatlevel/2012/08/gauss-espionage-tool/
-http://blogs.computerworld.com/security/20816/gauss-malware-nation-state-cyber-e
spionage-banking-trojan-related-flame-stuxnet
[Editor's Note (Honan): An in-depth analysis of this malware can be found on Kapersky's website
-http://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution
and it looks as if this malware was targeting online accounts for banks in Lebanon. Interesting to note that infected machines will have the Palida Narrow font installed. There is an online tool developed by the Budapest University to check your PC for this font which could indicate your system is infected with Gauss
-http://gauss.crysys.hu/]

Google to Pay Huge Fine Over Safari Cookie Privacy Issue (August 9, 2012)

Google has agreed to pay a US $22.5 million fine for misrepresenting its activity when it monitored the activity of web surfers who were using the Safari browser and had selected "do not track" privacy setting. The fine was imposed as part of a settlement with the US Federal Trade Commission (FTC). The settlement requires that Google disable all cookies it has placed on the computers of Safari users who had selected the do not track preference.
-http://www.bbc.com/news/technology-19200279
-http://www.wired.com/threatlevel/2012/08/ftc-google-cookie/
-http://www.computerworld.com/s/article/9230126/Update_Google_to_pay_22.5M_fine_o
ver_privacy_practices?taxonomyId=17
[Editor's Note (Pescatore): Once again, the FTC is enforcing privacy and security regulations without requiring new legislation or a presidential directive. Two quibbles: (1) $22.5M may be "huge" to you and me (well, at least to me) but to Google it represents about 5 hours of revenue. This is apparently the largest fine the FTC has levied, mainly because Google's privacy bypass here violated a 2011 settlement when Google was caught violating its privacy policy in Google Buzz; (2) It looks like by paying this fine Google escaped having to have ongoing security audits of its practices, which many other FTC actions have required. ]

Apple and Amazon Amend Security Practices After Journalist Suffers Hack (August 7 & 8, 2012)

Apple and Amazon have changed their security policies after a hacker was able to exploit weaknesses in the systems to gain access to a journalist's accounts and wipe several of his devices. Apple said earlier this week that users will temporarily be unable to reset AppleID passwords over the phone, and will instead have to use the iForgot online system. Amazon said that the exploited weakness was closed on Monday, but declined to offer details about what that weakness was and what was done to correct it. An article in Wired noted that Amazon customer service representatives no longer change account settings over the phone.
-http://money.cnn.com/2012/08/08/technology/apple-amazon-hack/index.html
-http://arstechnica.com/security/2012/08/amazon-fixes-security-flaw-hackers-used-
against-wireds-mat-honan/
[Editor's Note (Pescatore): Corporations need to beware that this area is one of the major risks of using consumer driven cloud services: the password reset and account activation/termination processes in use do not equate to, or automatically integrate with, the enterprise version of those processes.
(Honan): Core to this hack was the ability by the attackers to gather enough personal data belonging to the victim allowing them to answer his "secret" questions to reset the passwords to his accounts. In these days of social media and people sharing all their personal details online it is time for organisations to think of more effective ways of identifying their users rather than the current secret questions. I highlighted this as an issue back in 2009.
-http://www.infosecurity-magazine.com/view/4696/rsa-europe-identity-theft-is-too-
easy-and-can-even-be-automated-says-it-security-expert/]

Australia's Privacy Commissioner Tells Google to Destroy StreetView Payload Data (August 8, 2012)

Australia's Privacy Commissioner has instructed Google to destroy all payload data harvested while gathering data for StreetView. The letter from Privacy Commissioner Timothy Pilgrim to Google's Australian Head of Public Policy and Government Affairs Iarla Flynn also demands that an independent third party verify the data's destruction. Pilgrim has also asked that Google undergo an audit to ensure that the data do not exist on other disks.
-http://www.theregister.co.uk/2012/08/08/google_must_destroy_data/

Mobile Device Trojan ZitMo Now Targets BlackBerry (August 8, 2012)

New variants of a mobile device Trojan horse program now target BlackBerry devices, which have generally been ignored by hackers. The Trojan is known as ZitMo, which stands for "ZeuS in the mobile." Its goal is to steal mobile transaction authentication numbers, which are one-use passwords, used largely by European banks and are sent to users' mobile devices. There are four new variants of ZitMo that target Blackberry devices; a fifth new variant targets Android devices.
-http://www.scmagazine.com/blackberry-android-users-targeted-by-new-zeus-trojan/a
rticle/253940/
-http://www.theregister.co.uk/2012/08/08/zeus_comes_to_blackberry/
[Editor's Note (Murray): Neither Blackberry nor Android make any attempt, much less a claim, to resist malicious code. ]

Shylock Variant Now Inserts Phone Numbers Into Online Banking Sites (August 8, 2012)

The newest variants of Shylock malware insert phone numbers into online banking websites' contact pages; the phone numbers are controlled by the attackers, so if customers are suspicious about online transactions, they will be calling the cyber criminals themselves instead of their banks. At present, the new versions of Shylock target UK banks. Shylock was designed to steal online banking credentials.
-http://www.computerworld.com/s/article/9230087/Shylock_malware_injects_rogue_pho
ne_numbers_in_online_banking_websites?taxonomyId=17

Users of IE10 on Windows 8 Will Have Option of Changing DNT Default on First Run (August 7, 2012)

Microsoft Windows 8 users will be able to change the default setting for the do not track (DNT) feature in Internet Explorer 10 (IE10) when the operating system is first run. Early this year, Microsoft said that the DNT feature would be turned on by default in IE10. When Windows 8 is first run, users will have the option of allowing the Express Settings, which accepts all default Microsoft settings, or they can choose Customize, which will give then the opportunity to turn off the DNT setting if they wish. Windows 8 users who select the Express Settings will also see a notice telling them that DNT will be on by default in IE10.
-http://www.computerworld.com/s/article/9230056/Microsoft_will_give_Windows_8_use
rs_Do_Not_Track_options_for_IE10?taxonomyId=84
[Editor's Note (Pescatore): This is how all products should work: have the default be the safest settings and let the user consciously take more risks. The advertising supported Internet interests would much rather see the reverse, but the auto repair industry would also like to see cars easily shift into drive without the driver having their foot on the brake, too... ]

Police in Hong Kong Arrest Man Over Alleged DDoS Threats (August 7, 2012)

Police in Hong Kong have arrested a man for allegedly threatening to launch distributed denial-of-service attacks against government web sites. The man was arrested last week and released on bail after he allegedly wrote on Facebook that he planned to conduct the cyberattacks.
-http://www.theregister.co.uk/2012/08/07/facebook_anonymous_suspect_ddos_hong_kon
g/

Cybercriminal Spoofing Payroll Services Companies to Infect Machines (August 6, 2012)

Cybercriminals are sending malicious emails that pretend to come from payroll services companies in an attempt to infect payroll administrators' computers with malware. One payment processor, ADP, has examples of phishing emails on its website to help its customers identify the attempted attacks. A recent phishing attack against ADP customers claimed that the digital certificates they used to access ADP Internet services were set to expire. The phishing messages asked recipients to click on a link that appeared to be to the ADP website to renew the certificates.
-http://www.computerworld.com/s/article/9230017/Criminals_target_firms_with_rogue
_emails_from_payroll_services_providers?taxonomyId=82

Baidu Fires Four Over Allegations They Took Bribes to Remove Forum Posts (August 6, 2012)

Chinese search engine Baidu has fired four employees for allegedly deleting posts from a company forum in exchange for payments. Police have arrested three of the four people who were fired. Law enforcement became involved because the size of the bribes involved - reportedly tens of thousands of yuan. (10,000 yuan = US $1,572)
-http://www.bbc.com/news/technology-19149185
-http://www.theregister.co.uk/2012/08/06/baidu_staff_sacked_arrested_deleting_pos
ts/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/