SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #65

August 14, 2012

This week Microsoft is expected to make Windows Server 2012 and the
controversial Windows 8 client available for download to TechNet/MSDN
subscribers. Join us with Jason Fossen, SANS Institute Fellow, for a
webcast on what to realistically expect with Microsoft's iPad-killer and
VMware nemesis this Wednesday, August 15 at 1:00PM EDT.
https://www.sans.org/webcasts/windows-8-comingserver-2012-too-95495

Jason Fossen's "Securing Windows and Resisting Malware" course at SANS
(SEC505) is also fully updated for Server 2012 and includes a special
focus on preventing APT infections using the lessons learned from the
Australian government's top four security controls.
https://www.sans.org/cyber-defense-initiative-2012/description.php?tid=5350

---

TOP OF THE NEWS

Pentagon Seeking Authority for Cyber Command to Take Action on Non-Military Systems in Emergencies
Hackers Encrypt Medical Records and Demand Ransom
DOJ Will Not Ask Supreme Court to Review Computer Fraud and Abuse Act Case
FTC and Facebook Reach Settlement Over Privacy Practices

THE REST OF THE WEEK'S NEWS

Researchers Develop Algorithm to Determine Source of Infection
Palida Narrow Font is Gauss Infection Marker
Purloined Stratfor eMails Contain Information About TrapWire Surveillance Program
Google Changes Search Results Algorithm to Favor Legal Downloading Sites Over Pirates
Goldman Sachs Programmer Arrested Again for Source Code Theft
Hackers Steal Personal Information From Israeli Data Center

---

************************* SPONSORED BY Bit9 *******************************
Live Webcast: The future of cyber-attacks: What you should know about Flame, RSA, and other Advanced Persistent Threats. Bit9 is the only company to stop Flame and the RSA attacks. Learn the techniques and approaches that modern attackers are using and why traditional defenses do not work. REGISTER TODAY for this webcast
http://www.sans.org/info/111594
****************************************************************************
--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

--SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Pentagon Seeking Authority for Cyber Command to Take Action on Non-Military Systems in Emergencies (August 9, 2012)

A proposed change to the US military's standing rules of engagement (SROE) would give cyber experts employed by the military the authority to take action on certain non-military computer systems. The SROE provide guidance for military commanders when they find their troops or systems are under attack and there is not time to consult the president or secretary of defense if action is to be taken before serious harm occurs. Cyberspace is posing special issues for SROE for a number of reasons: the time frame of cyberattacks; the difficulty of identifying the attackers; and the possibility of collateral damage. Some in the military would like the Cyber Command to have the authority to disable servers in foreign countries to prevent malware attacks. The military currently has the authority to take those actions only within its own networks.
-http://www.washingtonpost.com/world/national-security/pentagon-proposes-more-rob
ust-role-for-its-cyber-specialists/2012/08/09/1e3478ca-db15-11e1-9745-d9ae6098d4
93_story.html
[Editor's Note (Pescatore): Back in the 1980s I worked for the US Secret Service and when using military (not National Guard) personnel domestically we had to make sure we observed the guidelines around the Posse Comitatus statute which dictates that such use must "be expressly authorized by the Constitution or by act of Congress." It is healthy that we start the dialog on how this applies to cyber-incidents vs. hurricanes and the like. The National Guard has traditionally been the rapid reaction force, with the armed forces staying bound by Posse Comitatus. ]

Hackers Encrypt Medical Records and Demand Ransom (August 10, 2012)

A medical facility in northern Illinois has acknowledged that hackers broke into its computer network and encrypted data, demanding a ransom to be paid for revealing the password to decrypt the data. The Surgeons of Lake County instead turned off the compromised server and contacted authorities. This is not the first time that health data have been held for ransom. Prescription drug benefits management company Express Scripts was the target of cyber criminals who took the data and demanded payment if the company did not want the stolen information made public.
-http://www.bloomberg.com/news/2012-08-10/hackers-encrypt-health-records-and-hold
-data-for-ransom.html
[Editor's Note (Murray): There are two vulnerabilities here. The first is that someone else has write access privilege to the data; necessary to erase the clear-text after creating the cipher text. The second is that either there is only one copy, no backup, or the outsider has access to that too. Note that the encryption step is cute but unnecessary; an attacker could simply create his own copy and then erase the original. ]

DOJ Will Not Ask Supreme Court to Review Computer Fraud and Abuse Act Case (August 10, 2012)

The US Justice Department (DOJ) will not ask the Supreme Court to review a case in which a lower court ruled that employees cannot be prosecuted under the Computer Fraud and Abuse Act (CFAA) for merely violating employers' computer use policies. The CFAA was passed in 1984 to help the government prosecute individuals who gained access to computers to steal data or disrupt the machines' operations. The US government has interpreted the law to include violating websites' terms of service and violating company's computer use policies. Earlier this year, the Ninth US Circuit Court of Appeals said that such interpretations would make it possible to prosecute people who lie about their appearance online.
-http://www.wired.com/threatlevel/2012/08/computer-fraud-supreme-court/
-http://www.wired.com/images_blogs/threatlevel/2012/08/nosaldeclination.pdf

FTC and Facebook Reach Settlement Over Privacy Practices (August 10, 2012)

The US Federal Trade Commission (FTC) and Facebook have agreed to the terms of a settlement regarding the social networking site's privacy practices. The settlement requires Facebook to obtain users' "express consent" prior to sharing their information beyond the limitations in users' privacy settings. Facebook must also provide users with "clear and prominent notice" whenever their data are shared. Failure to comply will cost Facebook US $16,000 in civil penalties for each violation. The FTC alleged that Facebook told users they could make their data private, but then allowed the information to be shared and made public. In the settlement, Facebook denies the allegations and admits no guilt.
-http://news.cnet.com/8301-1009_3-57490948-83/ftc-settles-facebook-privacy-compla
int-sans-google-like-fine/
-http://www.computerworld.com/s/article/9230171/FTC_gives_final_approval_to_Faceb
ook_privacy_settlement?taxonomyId=84
[Editor's Note (Pescatore): More "prior express consent" or opt-in is a good thing. ]

---

************************** Sponsored Links: ****************************
1) Take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/111599
2) Analyst Webcast: When Breaches Happen: 5 Questions to Prepare for, featuring Senior SANS Analyst Dave Shackleford, Wednesday, August 29 at a special time of Noon EDT. http://www.sans.org/info/111604
3) Secure Configuration Management Demystified, sponsored by Tripwire Tuesday, August 28 at 1 PM EDT. http://www.sans.org/info/111609
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Researchers Develop Algorithm to Determine Source of Infection (August 13, 2012)

In a paper titled "Locating the Source of Diffusion in Large-Scale Networks" researchers at the Audiovisual Communications Laboratory of the Swiss Federal Institute of Technology (EPFL) describe an algorithm they have developed that should be helpful in locating spammers and sources of malware. The Sparse Interference algorithm identifies the source by checking a fraction of the connections in a network, as tracking the status of all nodes on the Internet is impossible. The algorithm uses data from between 10 and 20 percent of a network's nodes; in some cases, that figure is as low as five percent. The algorithm is also useful for determining the source of biological epidemics and sources of rumors on social networking sites.
-http://www.h-online.com/security/news/item/New-algorithm-tracks-down-the-origins
-of-internet-attacks-1665935.html
-http://www.computerworld.com/s/article/9230199/Swiss_scientists_develop_algorith
m_to_sniff_out_source_of_malware_spam_attacks?taxonomyId=244
-http://www.pedropinto.org.s3.amazonaws.com/publications/locating_source_diffusio
n_networks.pdf

Palida Narrow Font is Gauss Infection Marker (August 10 & 13, 2012)

At least two companies are offering methods for detecting the presence of Gauss malware on computers. One company has released a virus removal tool; another has created a webpage that checks to see if users' systems have the Palida Narrow font, which has been identified as a marker for Gauss infection. It is still unclear why the font is part of the malware. Gauss can be spread through USB sticks and it deletes itself after it has infected 30 systems. Gauss's payload has not yet been unraveled; it is possible that the significance of the font will become evident when the payload is finally understood.
-http://www.h-online.com/security/news/item/Font-installed-with-Gauss-trojan-rais
es-questions-1666328.html
-http://news.cnet.com/8301-1009_3-57491167-83/researchers-release-ways-to-detect-
gauss-malware/

Purloined Stratfor eMails Contain Information About TrapWire Surveillance Program (August 11, 2012)

Among the email messages stolen from Stratfor late last year are several that have information about the implementation of TrapWire, a domestic surveillance program that gathers data from spots in major cities around the US, encrypts it, and sends it to a secretive central database center. A press release describes TrapWire as being "designed to provide a simple yet powerful means of collecting and recording suspicious activity reports." In an interview, the founder of the company responsible for TrapWire said that it "can collect information about people and vehicles that is more accurate than facial recognition, draw patterns, and do threat assessment of areas that may be under observation from terrorists." WikiLeaks, which has the TrapWire messages posted, has been under a sustained distributed denial-of-service (DDoS) attack that started before the TrapWire documents were posted to the Internet.
-https://rt.com/usa/news/stratfor-trapwire-abraxas-wikileaks-313/
-http://www.technolog.msnbc.msn.com/technology/technolog/trapwire-surveillance-re
ally-spying-americans-939948
[Editor's Note (Murray): Security professionals must be saddened when the government leaks information about sources and methods, which it intends to be secret. ]

Google Changes Search Results Algorithm to Favor Legal Downloading Sites Over Pirates (August 10, 11, & 13, 2012)

Google is altering the way it displays search results to ensure that sites offering legitimate downloads of digital content appear before sites offering pirated content. Google revised algorithm will consider the volume of "valid copyright removal notices" a site has received. Google says it has received copyright removal notices for more than 4.3 million URLs in the last 30 days.
-http://www.bbc.co.uk/newsbeat/19229349
-http://money.cnn.com/2012/08/13/technology/google-youtube-piracy/?source=cnn_bin
-http://www.washingtonpost.com/business/technology/google-fights-piracy-with-sear
ch/2012/08/10/f8d1be0e-e31f-11e1-a25e-15067bb31849_story.html
[Editor's Note (Peasctore): In general, this and other Google algorithm tweaks (like telling you if a site is trying to download what Google believes to be malware) feel like goodness but I'm starting to wonder about the cumulative effect. Search is to the Internet as the old Yellow Pages was to the phone system - advertising and all. But a lot of subjective factors that vary independently are changing what will show up first, likely opening up new opportunities for misdirection.
(Northcutt): This is a reasonable and handy solution. It will make pirates risk carpal tunnel syndrome as they search for their wares on page 34 of Google. ]

Goldman Sachs Programmer Arrested Again for Source Code Theft (August 10, 2012)

Sergey Aleynikov, the former Goldman Sachs computer programmer who earlier this year was cleared of charges that he stole the company's high-frequency trading system source code, has been arrested again, this time on charges of "unlawfully using secret scientific material and unlawfully duplicating computer-related material."
-http://www.theregister.co.uk/2012/08/10/goldman_sachs_programmer_re_arrested/

Hackers Steal Personal Information From Israeli Data Center (August 8 & 9, 2012)

A hacker claiming to be part of a "group" says he has gained control of an Israeli server and stolen personal data, which it then posted to the Internet. The compromised data include Facebook account passwords, credit card numbers, and email addresses. The hacker/"group" claims to have more information to post. The information was taken from an Israeli data center.
-http://www.israelhayom.com/site/newsletter_article.php?id=5349
-http://www.jpost.com/NationalNews/Article.aspx?id=280585

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/