SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #68

August 24, 2012

TOP OF THE NEWS

Data Security Now a Main Concern for US Boardrooms
New Malware Infects VMware Virtual Machines

THE REST OF THE WEEK'S NEWS

Former White House Cybersecurity Director Calls Cybersecurity Bill Failure a "Missed Opportunity"
Location Privacy Act Passed in California
Security Flaw Affecting Power Plants Being Investigated
DARPA Announces 'PLAN X' To Improve Network Defence and Attack Capabilities
Sentencing of Lulzsec Leader Postponed Until February 2013
Security Weaknesses Found in U.S. Environmental Protection Agency's IT Systems and Networks
US Authorities shutter Three Android App Pirate Sites
Google To Set up Privacy Red Team
Woman Sentenced for Her Part in WorldPay Security Breach

---

*************************** Sponsored By SANS **********************
Special Webcast: Why Security Awareness Matters - First in Series- Featuring Lance Spitzner. Many people do not understand the value of security awareness, especially how it dramatically reduces risk. In this short webinar we will explain to you the value of security awareness, and give you to the tools to measure and communicate that value. Tuesday, October 02, 2012 at 1:00 PM EDT.
http://www.sans.org/info/112289
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012 **Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Data Security Now a Main Concern for US Boardrooms (August 20, 2012)

An annual survey of 11,000 public company directors and 2,000 general counsels shows that for the first time data security is now a prime concern for US boards. The survey, conducted by advisory firms Corporate Board Member and FTI Consulting, shows that over half (55%) of general counsels surveyed rate data security as a major concern while 48% of the directors surveyed felt the same. A similar survey in 2008 found that only 25% of directors and 23% of general counsel noted data security as a high area of concern, which reflects a doubling of this concern in four years. TK Kerstetter, President, Corporate Board Member said about the results "While a number of companies are taking steps to become more educated on IT risks, the fact is that not enough are taking the appropriate actions to fully prepare their organization." He went on to say "I think it is going to take several well-publicized security breaches before a majority of corporate boards finally embrace the fact that doing business today without a prudent crisis plan in place is a formula for disaster."
-http://www.computerworlduk.com/news/it-business/3376626/us-boardrooms-wake-up-da
ta-security/
-http://finance.yahoo.com/news/corporate-board-member-fti-consulting-153300873.ht
ml

New Malware infects VMware Virtual Machines (August 22, 2012)

The Windows version of a piece of Malware discovered in July, called Crisis, has been found to be capable of infecting VMware virtual machines as well as Windows Mobile devices, and removable USB drives. When originally discovered Crisis was thought to target just Windows and Mac OS users. It has the capability to record Skype conversations, capture traffic from instant messaging programs, and track websites visited in Firefox or Safari. According to Symantec, Crisis "searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool. This may be the first malware that attempts to spread on to a virtual machine."
-http://www.v3.co.uk/v3-uk/news/2200412/crisis-malware-infects-vmware-virtual-mac
hines
-http://www.zdnet.com/crisis-malware-targets-virtual-machines-7000002986/
[Editor's Note (Murray): I thought that a properly implemented virtual machine would be no more or less vulnerable to a virus than a physical one. What am I missing? ]

---

************************** Sponsored Links: ****************************
1) Special Webcast: Conducting a Legal Investigation in Social Media: How to Do; How Not to Do It, Featuring Benjamin Wright. Thursday, September 13 at 1:00 pm EDT. http://www.sans.org/info/112294
2) Analyst Webcast! A Review of McAfee's Solutions for Securing Physical and Virtualized Servers in the Data Center http://www.sans.org/info/112304 Thursday, September 6, 1 PM EDT
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Former White House Cybersecurity Director Calls Cybersecurity Bill Failure a "Missed Opportunity" (August 21, 2012)

Former Obama administration senior director for cybersecurity Sameer Bhalotra has joined a California cybersecurity start-up called Imperium as its chief operating officer. While at the White House, Bhalotra coordinated the National Strategy for Trusted Identities in Cyberspace, an effort to help banks and other companies verify user identities and store personal data securely. Bhalotra also helped to coordinate the White House's cybersecurity legislative agenda, which recently stalled in the Senate. He deemed the legislators' failure to pass a bill "a missed opportunity," because "in many parts of the world, hackers act with near impunity in attacking foreign governments, stealing intellectual property and credit cards ... and it's very difficult for governments and companies to keep up with the next vector of attack."
-http://bits.blogs.nytimes.com/2012/08/21/former-white-house-cybersecurity-offici
al-joins-start-up/

Location Privacy Act Passed in California (August 23, 2012)

California state legislators have passed a new bill requiring law enforcement agencies to obtain a warrant before collecting any GPS or location data from cell phones or smart phones. The Location Privacy Bill 2012, which was sponsored by the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), has now been passed on to California Governor Jerry Brown for signing into law. In a statement the EFF said it "urge
[s ]
Governor Brown to have California take the lead on this issue and sign SB 1434," and that it "strikes a sensible balance between keeping the public safe and preserving our privacy."
-http://www.zdnet.com/california-approves-location-privacy-act-get-a-warrant-7000
003050/
-http://arstechnica.com/tech-policy/2012/08/california-state-legislature-approves
-location-privacy-act/
[Editor's Comment (Northcutt): Another example of California leading the nation in sensible cyber-security legislation. ]

Security Flaw Affecting Power Plants Being Investigated (August 23, 2012)

The US Department of Homeland Security has warned businesses to improve security around their industrial control devices after a high-risk security vulnerability was discovered in the Ruggedcom ROS industrial networking platform. An alert issued by the Industrial Control System Cyber Emergency Response Team (ICS-CERT), warned that the flaw could be used by an attacker to eavesdrop on encrypted SSL traffic. In their advisory the ICS-CERT said "According to this report, the vulnerability can be used to decrypt SSL traffic between an end-user and a RuggedCom network device". It also said that it had "notified the affected vendor of the report" and had asked it "to confirm the vulnerability and identify mitigations".
-http://news.cnet.com/8301-1009_3-57498572-83/dhs-warns-siemens-flaw-could-allow-
power-plant-hack/
-http://www.bbc.com/news/technology-19343131
-http://www.v3.co.uk/v3-uk/news/2200478/department-of-homeland-security-issues-al
ert-over-ruggedcom-flaw
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf

DARPA Announces 'PLAN X' To Improve Network Defence and Attack Capabilities (August 21, 2012)

The US government is looking to develop new technologies to enhance its cyber security defence and attack capabilities. The Defense Advanced Research Projects Agency has scheduled a workshop for September 27 at which it will present its requirements and invite technology vendors to propose how they may meet those requirements. According to DARPA the initiative, dubbed Plan X, aims to enable the Pentagon to understand, plan, and manage cyber warfare "in real-time, large-scale, and dynamic network environments". After the workshop, DARPA plans to issue a formal request for proposals.
-http://www.nextgov.com/defense/2012/08/pentagon-bolster-networks-and-cyberattack
-capabilities-plan-x/57546/
-http://www.wired.com/dangerroom/2012/08/plan-x/
-http://gcn.com/articles/2012/08/22/darpa-plan-x-automated-tools-cyber-battle.asp
x
-https://www.fbo.gov/index?s=opportunity&mode=form&id=5d40cf50b0f77e425db
9a3b884ac684a&tab=core&tabmode=list&=

Sentencing of Lulzsec Leader Postponed Until February 2013 (August 23, 2012)

Formed Lulzsec leader Hector Xavier Monsegur has had his sentencing postponed for six months due to his continued cooperation with the FBI. In August of last year Monsegur pleaded guilty to 12 counts of computer hacking conspiracies and other crimes. A request to the court by Preet Bharara, US attorney for the Southern District of New York, asked for a six-month adjournment of the sentencing control date due to Monsegur's "cooperation with the government". Monsegur could face a maximum prison sentence of up to 124-years.
-http://www.scmagazineuk.com/former-lulzsec-leader-sabu-given-six-month-reprieve-
from-sentencing-due-to-his-cooperaton-with-the-government/article/255739/
-http://www.zdnet.com/us-govt-rewards-sabu-with-six-month-sentencing-delay-700000
3044/
-http://www.darkreading.com/database-security/167901020/security/attacks-breaches
/240006026/lulzsec-leader-sabu-still-working-with-feds-gets-temporary-sentencing
-reprieve.html
-http://www.wired.com/threatlevel/2012/08/sabu-delay/

Security Weaknesses Found in U.S. Environmental Protection Agency's IT Systems and Networks (August 22, 2012)

An audit of the IT systems and networks at the U.S. Environmental Protection Agency, published by the Government Accountability Office, found that security weaknesses pervade IT systems and networks at the agency. In its audit report the GAO highlighted that the EPA failed to implement access controls, did not enforce strong password policies, failed to keep logs and monitor them for security incidents, control physical access to sensitive systems, and not encrypt sensitive information. GAO Information Security Issues Director Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati commented in the audit report that "an underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program," they went on to say "Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption or loss."
-http://www.govinfosecurity.com/gao-questions-epas-ability-to-secure-data-a-5051
-http://gcn.com/articles/2012/08/22/epa-it-security-weaknesses-gao-report.aspx
-http://www.scmagazine.com/gao-scolds-epa-for-poor-security/article/255692/
[Editor's Note (Murray):" Private enterprise does not have to deal with having the results of all of its audits published in scandal-seeking newspapers. What we have learned from such publication is that few government agencies are measurably better or worse than their peers. It is likely that they are not much better or worse than their private sector peers. Neither the press or the public appreciate that security is a "hard problem" with no broadly satisfying, much less perfect, solutions. I will really worry about the security of the EPA when I am satisfied that State, Defense, and Energy have got it right. ]

US Authorities Shutter Three Android App Pirate Sites (August 23, 2012)

The US Department of Justice has moved to shutter three websites that were being used to illegally distribute copyrighted apps aimed at the Android market. The three websites, applanet.net, appbucket.net and snappzmarket.com, had their domains seized and their main pages replaced with a seizure banner from the US Department of Justice. The US authorities were assisted in the operation by French and Dutch law enforcement agencies. In a statement, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia said "Criminal copyright laws apply to apps for cell phones and tablets, just as they do to other software, music and writings.... We will continue to seize and shut down websites that market pirated apps, and to pursue those responsible for criminal charges if appropriate."
-http://www.net-security.org/secworld.php?id=13472
-http://www.ibtimes.com/articles/376360/20120822/piracy-infringement-android-apps
-download-applications.htm
-http://www.theregister.co.uk/2012/08/22/fbi_android_apps/
-http://blogs.wsj.com/law/2012/08/22/in-a-first-doj-seizes-illegal-phone-app-down
load-websites/
[Editor's Note (Murray): One more publisher added to the list of those who expect law enforcement to shore up their flawed business model. ]

Google To Set up Privacy Red Team (August 23, 2012)

In what appears to be a response to recent high profile privacy issues involving Google and some of its services, the company is in the process of setting up a Privacy Red Team. In a job posting for the role of a Data Privacy Engineer Google says the purpose of the team will be to "independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today". Google has come under fire in a number of jurisdictions for how it has infringed on the privacy of its users. Recently Google was ordered by the US Federal Trade Commission to pay a $22.5 million fine for having misrepresented to users of Apple's Safari Internet browser that it would not place tracking "cookies" or serve targeted ads. While in Europe Google has come under fire from various Data Protection agencies for not deleting Wi-Fi data it gathered as part of its StreetView program from unsecured wireless networks.
-http://www.theregister.co.uk/2012/08/23/google_red_team/
-http://www.net-security.org/secworld.php?id=13471
-http://www.pcmag.com/article2/0,2817,2408825,00.asp
-http://www.informationweek.com/security/privacy/google-red-team-to-test-product-
privacy/240006115

Woman Sentenced for Her Part in WorldPay Security Breach (August 21, 2012)

Sonya Martin, a 45 year old woman from Chicago, was sentenced on Tuesday to 2 and a half years in prison for her part in the 2008 security breach at the Atlanta-based WorldPay U.S. Inc. payment processor. A group of hackers successfully breached the security of the WorldPay systems and fraudulently adjusted the balances of compromised debit cards. In a coordinated move gangs of "cashers" used cloned debit cards to withdraw more than $9 million from roughly 2,100 ATMs in 280 cities around the world. Prosecutors said that Martin worked with one of those cashers. In addition to the 30 month prison sentence Martin must spend five years on supervised release and pay $89,120.25 in restitution.
-http://www.bizjournals.com/atlanta/news/2012/08/21/cell-leader-in-rbs-worldpay-f
raud.html?page=all
-http://www.scmagazine.com/worldpay-casher-jailed-for-helping-to-steal-80k/articl
e/255862/
-http://www.ajc.com/news/atlanta/woman-sentenced-in-9-1503503.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/