SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #66

August 17, 2012

Save $300 on the workshop on stopping APT attacks (based on the
Australian technique briefed at the White House) that will be at the
National Cybersecurity Innovation Conference in Baltimore. Register
before Sept 5. Also featured is an extraordinary new NSA brief on
Non-Persistent Desktop Browsing that effectively addresses the rapidly
increasing security threat stemming from malicious software (malware)
used by nation states and in cyber crime; extremely low cost and
effective implementation of continuous monitoring and mitigation (NASA),
plus briefings on the most important and effective technologies for
implementing the 20 critical controls and more. Big exhibit of
substantially all the security tools that matter for continuous
monitoring and automation of the 20 critical controls, and the system
integrators who have a clue about implementing the controls and
continuous monitoring. Register at www.sans.org/ncic-2012

---

TOP OF THE NEWS

Malware Targets Energy Sector in Middle East and Wipes Data
Syrian Dissidents are Target of Malware Attack
Appeals Court Says No Probable Cause Warrant Needed in Cell Phone Tracking Case

THE REST OF THE WEEK'S NEWS

Saudi Aramco Isolates Network in Wake of Virus Infection
ACLU Sues DOJ for FBI Memos on GPS Tracking Guidelines
County Jail Nurses Unhappy With Electronic Health Record System
NASA IG Report Recommends Strengthening Stance Against Cyberespionage
NIST to Release Draft of New Government Encryption Standard Guidelines
AT&T Experiencing DDoS Attack on DNS Servers
Experts Seek Help Decrypting Gauss Payload
Costly Knight Computer "Glitch" Caused By Old Software
Microsoft and Adobe Release Security Updates

---

*************************** Sponsored By SANS *****************************
Special Webcast: Conducting a Legal Investigation in Social Media: How to Do; How Not to Do It - Featuring Benjamin Wright. Thursday, September 13, 2012 at 1:00 PM EDT. You will learn the risks that any kind of investigator faces in social media, as well as methods to manage that risk. Mr. Wright will share tips for evidence collection so it's more likely to be accepted and believed as evidence in court or in other official proceedings.
http://www.sans.org/info/112019
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012 **Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

- --SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

- --SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Malware Targets Energy Sector in Middle East and Wipes Data (August 16, 2012)

Researchers have discovered more malware that targets computers in a specific sector of the energy industry in the Middle East. Dubbed Shamoon and Disttrack by different companies, the malware permanently wipes data from infected computers' hard drives. Researchers from Kaspersky Lab say that despite the presence of the string "wiper" in a Windows file directory used to compile the malware, it does not appear to be related to malware called Wiper that reportedly infected computers at Iran's oil ministry earlier this year.
-http://arstechnica.com/security/2012/08/shamoon-malware-attack/
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
240005715/new-targeted-attack-destroys-data-at-middle-east-energy-organization.h
tml
[Editor's Note (Ullrich): The sad part is that this malware would be pretty easy to detect by web proxies. It uses artificial fixed user agents that should stand out like a sore thumb if people would bother to look at their logs. ]

Syrian Dissidents are Target of Malware Attack (August 15, 2012)

The Electronic Frontier Foundation (EFF) says that Syrian journalists, activists, and people involved with government opposition groups are being targeted with malware. The people are lured into downloading the malware because it is disguised as a security package. Once it is downloaded onto a computer, it can monitor people through webcams, disable anti-virus programs, steal passwords and delete data.
-http://news.cnet.com/8301-1009_3-57494231-83/syrian-dissidents-besieged-by-malwa
re-attacks/
[Editor's Note (Murray): Most computer users cannot manage their systems in such a way as to make them resistant to nation states. While modern networks have proved to be very effective in organizing insurrections, they will inevitably compromise some of the users. ]

Appeals Court Says No Probable Cause Warrant Needed in Cell Phone Tracking Case (August 14 & 15, 2012)

The US Circuit Court of Appeals for the Sixth Circuit has ruled that law enforcement officials do not need to obtain a probable-cause warrant to track suspects through their cell phones' GPS location information. The defendant's legal team was seeking to have their client's convictions overturned, arguing that the use of GPS location data to track his whereabouts violated his Fourth Amendment rights. One of the judges wrote in the opinion that the defendant "did not have a reasonable expectation of privacy in the data given off by his" disposable cellphone.
-http://www.wired.com/threatlevel/2012/08/warrantless-gps-phone-tracking/
-http://www.technolog.msnbc.msn.com/technology/technolog/warrantless-cellphone-tr
acking-legal-federal-court-rules-944452
-http://news.cnet.com/8301-1009_3-57493811-83/federal-court-oks-warrantless-cell-
phone-tracking-by-police/

---

************************** Sponsored Links: ****************************
1) Analyst Webcast: When Breaches Happen: 5 Questions to Prepare for, featuring Senior SANS Analyst Dave Shackleford, Wednesday, August 29 at a special time of Noon EDT. http://www.sans.org/info/112024
2) Secure Configuration Management Demystified, sponsored by Tripwire Tuesday, August 28 at 1 PM EDT. http://www.sans.org/info/112029
3) August 30, 2012: The Fundamentals of OAuth Webinar. http://www.sans.org/info/112034
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Saudi Aramco Isolates Network in Wake of Virus Infection (August 16, 2012)

The Saudi Arabian Oil Company, known as Saudi Aramco, has isolated its computer network from outside access following the discovery of a virus infection on "some of the sectors of its network." The state-owned oil company said the issue is having no effect on oil production. The virus is believed to have made its way onto the network through personal computers.
-http://www.businessweek.com/news/2012-08-15/aramco-says-virus-attacks-network-oi
l-output-unaffected
-http://www.theregister.co.uk/2012/08/16/saudi_aramco_malware/
-http://www.securityweek.com/saudi-arabias-national-oil-company-kills-network-aft
er-cyber-attack
[Editor's Note (Ullrich): The "air gap" may keep some of the noise down, but in the end, could end up making the network more vulnerable as patching will be more difficult and the risk of infection still exists via unauthorized connections and vectors like usb drives. An "isolated" network is usually just a bad excuse for not bothering to secure it. ]

ACLU Sues DOJ for FBI Memos on GPS Tracking Guidelines (August 15 & 16, 2012)

The American Civil Liberties Union (ACLU) is suing the US Justice Department (DOJ); the documents filed in US District Court in New York seek the release memos regarding the FBI's use of GPS technology. The information is being sought in the wake of a Supreme Court decision that said placing a GPS tracking device on a suspect's vehicle is equivalent to a search under the Fourth Amendment. The memos being sought are the FBI's guidelines to agents regarding the use of the GPS devices to track suspects.
-http://www.nextgov.com/mobile/2012/08/aclu-sues-fbi-gps-tracking-guidelines/5745
2/?oref=ng-HPriver
[Editor's Comment (Northcutt): The article has almost no information thought this is a fascinating and relevant problem. If anyone sees reporting on this topic supported by references, I would love to receive the URLs (Stephen@sans.edu).]

County Jail Nurses Unhappy With Electronic Health Record System (August 15, 2012)

Nurses at the Contra Costa County (California) jail are not happy with their new electronic health records (EHR) system. One nurse alleges that the system recommended a dose of medication for a heart patient that could have been fatal if the error had not been caught. The EHR system integrates the jail's medical records with county health records. During its first month, the system received 142 complaints from nurses. The nurse who caught the inaccurate drug recommendation said that those responsible for training staff on the HER system had told county officials that there were problems with the system.
-http://www.nextgov.com/health/2012/08/jailed-man-narrowly-escapes-fatal-error-el
ectronic-health-record/57439/?oref=ng-HPtopstory
[Editor's Note (Murray): Still, it is the paper medical record systems that are killing and impoverishing us. ]

NASA IG Report Recommends Strengthening Stance Against Cyberespionage (August 15 & 16, 2012)

A report from the NASA Inspector General (IG) indicates that while the agency has made some progress in improving its cybersecurity stance, there are still issues that need to be addressed. Several years ago, NASA consolidated its cybersecurity efforts at various locations into one Security Operations Center (SOC), which was created to provide continuous monitoring for all inbound and outbound NASA network traffic and to provide a single point for reporting and tracking security incidents. According to the IG's report, the SOC is not monitoring all NASA networks. In the report, the IG recommends that NASA improve its position against sophisticated cyberespionage attempts.
-http://gcn.com/articles/2012/08/16/nasa-ig-cybersecurity-report.aspx
-http://www.aviationweek.com/Article.aspx?id=/article-xml/asd_08_15_2012_p05-02-4
85524.xml
Report Summary from NASA:
-http://oig.nasa.gov/audits/reports/FY12/IG-12-017.pdf

NIST to Release Draft of New Government Encryption Standard Guidelines (August 15, 2012)

The US National Institute of Standards and Technology (NIST) plans to release a draft regarding a new government encryption standard. Currently, NIST's standard requires that government agencies support Transport Layer Security (TLS) 1.0 encryption; the update will require TLS 1.1 and 1.2. This means that "some agencies ... will need to ... acquire new web server products to support" the new versions of TLS. The lag time between a release for public review and finalization of a standard is usually about six months. NIST's draft document for public comment is expected to be released next month.
-http://www.computerworld.com/s/article/9230330/New_NIST_encryption_guidelines_ma
y_force_agencies_to_replace_old_websites?taxonomyId=244
[Editor's Note (Ullrich): The move to TLS 1.1 and 1.2 is overdue, and hopefully this will get vendors on board to support it. It is still non-trivial to use TLS 1.1 or 1.2 with Apache on many mainstream Linux distributions. ]

AT&T Experiencing DDoS Attack on DNS Servers (August 15, 2012)

Some AT&T customers are experiencing data traffic disruption as the result of a distributed denial-of-service (DDoS) attack launched against the company's DNS servers. The attack began on the morning of Wednesday, August 15. As of Wednesday afternoon, AT&T did not have an estimate for when full service would be restored.
-https://www.pcworld.com/businesscenter/article/260940/atandt_hit_by_ddos_attack_
suffers_dns_outage.html

Experts Seek Help Decrypting Gauss Payload (August 14, 2012)

Experts are calling for help from cryptographers to determine the payload of the recently detected Gauss malware. What researchers know so far is that Gauss steals several different kinds of data - website passwords, online banking login credentials, and system configuration data of infected machines. There is a general consensus that Gauss, like Stuxnet, Duqu, and Flame, is a state sponsored piece of malware. Most of the computers infected with Gauss are in the Middle East. The payload, which is encrypted, is delivered through USB flash drives, and the module is encrypted with an RC4 key. The payload is large enough to contain attack code on the scale of Stuxnet. The payload appears to be designed to target systems with a certain configurations, although that configuration has not been determined.
-http://www.theregister.co.uk/2012/08/14/gauss_mystery_payload/
-http://www.computerworld.com/s/article/9230272/Kaspersky_pleads_for_crypto_help_
to_probe_Gauss_malware?taxonomyId=17
-http://www.wired.com/threatlevel/2012/08/gauss-mystery-payload/

Costly Knight Computer "Glitch" Caused By Old Software (August 14, 2012)

The computer "glitch" that cost Knight Capital Group US$440 million appears to have been caused by old software. The issue was triggered when a new program was installed on the system, reactivating the outdated software, which caused stock trades to be multiplied by one thousand. A trade group for the hedge fund industry, the managed Funds Association, says that there should be at all times at least one trading official with the power to pull a "kill switch" to turn off trading programs. The US Securities and Exchange Commission (SEC) is looking into whether Knight's computer systems were in compliance with its regulations.
-http://www.bloomberg.com/news/2012-08-14/knight-software.html
-http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/9475292/Knight-C
apitals-440m-trading-loss-caused-by-disused-software.html

Microsoft and Adobe Release Security Updates (August 14, 2012)

Microsoft has issued nine security bulletins to address a total of 26 security flaws. The vulnerabilities affect Windows, Internet Explorer, Microsoft Exchange, SQL Server, Office, and Microsoft Developer Tools. Five of the bulletins have been given maximum severity ratings of critical. The other four are rated important. Adobe has also released a batch of security updates, including a fix for a flaw in Flash Player that is being actively exploited. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=13900
-http://www.computerworld.com/s/article/9230281/Microsoft_patches_critical_securi
ty_holes_in_Windows_Office_IE?taxonomyId=17
-http://krebsonsecurity.com/2012/08/critical-security-fixes-from-adobe-microsoft/
-http://www.theregister.co.uk/2012/08/15/patch_tuesday/
-http://news.cnet.com/8301-1009_3-57493648-83/adobe-patches-critical-security-bug
s-in-flash-reader-acrobat/
-http://www.h-online.com/security/news/item/Microsoft-closes-26-holes-for-August-
Patchday-1667716.html
-http://www.h-online.com/security/news/item/Adobe-closes-numerous-critical-holes-
in-Reader-and-Acrobat-Update-1667695.html
-http://technet.microsoft.com/en-us/security/bulletin/ms12-aug
-http://blogs.adobe.com/psirt/2012/08/adobe-security-bulletins-posted-2.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/