SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #69

August 28, 2012

Nine reasons why the largest federal CIOs are sending their security
teams to the National Cybersecurity Innovation Conference (Oct 3-5
Baltimore Convention Center, sans.org/ncic-2012/) (1) the only place
where they can get the inside story (from the Australians) in the new
international minimum standard of due care in cybersecurity, (2) the
only place to learn about the near term and future programs shaping U.S.
federal cyber security strategy, and 7 more listed at the end of this
issue

Alan

---

TOP OF THE NEWS

Proposed Rule Would Impose Cybersecurity Requirements on Federal Contractors
Dropbox Implements Two-Factor Authentication
Phony Flash Player Downloads for Android Contain Malware

THE REST OF THE WEEK'S NEWS

Java Zero-Day Exploitable Through All Browsers on All Platforms
Saudi Aramco Confirms Attack Affected 30,000 Workstations
Former US Military Commander Says Cyberattacks Used In Afghanistan
Judge Denies Filesharer's Request For a New Trial
Security Company Retracts Assertion That Flame and Gauss are Related
Child Health and Privacy Advocates Ask FTC to Investigate Viral Marketing Aimed at Kids

THE 9 REASONS FEDERAL CIOS ARE SENDING SECURITY TEAMS TO THE NATIONAL

THE 9 REASONS FEDERAL CIOs ARE SENDING SECURITY TEAMS TO THE NATIONAL CYBERSECURITY INNOVATION CONFERENCE (NCIC)

---

*************************** Sponsored By Invincea *************************
Users are constantly spear-phished. They are the unwitting accomplices to breach. Free whitepaper from Invincea - no registration - discusses the threat and a new approach that protects the network from user error. Non-persistent browsing environments, behavior based detection, real-time kill, and pre-breach threat intelligence feeds. Don't fear the spear - protect every click!
http://www.sans.org/info/112504
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012 **Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/
- --SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS London 2012 London, UK November 26-zdecember 3, 2012 17 courses.
http://www.sans.org/london-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Proposed Rule Would Impose Cybersecurity Requirements on Federal Contractors (August 24, 2012)

A rule proposed by the US Defense Department, the General Services Administration, and NASA would require federal contractors to have in place basic cybersecurity precautions to protect systems that contain government data. Agencies would be required to add a clause to contracts to address the issue. The rule, aimed at placing responsibility for cybersecurity on the contactors themselves, does not require specific actions beyond "current and regularly updated" tools to block malware and "prompt" patch installation. The rule proposal comes amid reports that the White House is considering issuing an executive order requiring certain levels of cybersecurity at all organizations that are part of the country's critical infrastructure. Public comments on the proposed rule will be accepted until October 23, 2012.
-http://www.nextgov.com/cio-briefing/2012/08/white-house-plans-regulate-contracto
r-computer-security/57668/?oref=ng-HPtopstory
-http://www.bizjournals.com/washington/blog/fedbiz_daily/2012/08/feds-propose-rul
e-to-hold-contractors.html
-https://www.federalregister.gov/articles/2012/08/24/2012-20881/federal-acquisiti
on-regulation-basic-safeguarding-of-contractor-information-systems#h-4
[Editor's Note (Paller): With the growing consensus that there is a minimum standard of due care in cybersecurity controls, and the fact that this proposed rule completely fails to meet that standard, and that the greatest losses of national security information were from the contractors' computers, whoever is managing the authors of this half-rule should assign them to some less important responsibilities and get people who understand the threat and the controls to write the rule.
(Pescatore): This is an example of unneeded new legislation. In 2009 GSA put out a "Guide to Security Language for IT Acquisition Efforts" reminding everyone that "Contractors are also required to comply with Federal Information Processing Standards (FIPS), the "Special Publications 800 series" guidelines published by NIST, and the requirements of FISMA." Focusing on patches and anti-viral is also a good example of rearview mirror driving. ]

Dropbox Implements Two-Factor Authentication (August 27, 2012)

Dropbox has implemented two-factor authentication for Windows, Mac, and Linux users. Earlier this summer, the company said it would take steps to better protect customers' data after hackers managed to hijack an employee's account, access some customer email addresses, and send them spam advertising gambling sites. Dropbox attributed the attack to an employee who used the same password for his work account as for another account elsewhere, which had been compromised earlier. Dropbox will now provide users with one-time security codes, either sent to their phones in a text message, or generated with a mobile authenticator app. Users say the plan still has some problems that need to be worked out.
-http://krebsonsecurity.com/2012/08/dropbox-now-offers-two-step-authentication/
-http://www.informationweek.com/security/application-security/dropbox-two-factor-
authentication-has-ki/240006269
-http://www.theregister.co.uk/2012/08/27/dropbox_security_two_factor/
[Editor's Note (Murray): Kudos to Dropbox (and Google) for leading the way to what every cloud service provider, and most online application providers, should be doing. This is not rocket science. Google will gladly license this technology to you. It is "strong," not merely "two-factor," authentication, i.e., it resists credential replay. It sends the user a one-time password (OTP), out-of-band, to SMS, a hand-held app, or telephone of the user's choice. It is a user option for Dropbox and Google but is so unobtrusive that it should be mandatory for sensitive applications like enterprise VPN initialization.]

Phony Flash Player Downloads for Android Contain Malware (August 23 & 24, 2012)

Hackers have released malicious apps that claim to be Flash Player installers exploiting Adobe's decision to stop distributing Android Flash Player through Google Play. Adobe stopped making Flash Player available from Google Play on August 15; the decision was made to encourage the use of Adobe AIR, which is a cross-platform runtime environment. Several SMS Trojan apps masquerading as Android Flash Player downloads have been detected. The malware changes users' home pages, displays ads through the Android notification bar and sends contact information to advertisers. The unauthorized software has been found on Russian- and English-language unauthorized Android software marketplaces. It also makes infected devices dial premium SMS numbers.
-http://www.computerworld.com/s/article/9230591/Cybercriminals_take_advantage_of_
Android_Flash_Player_gap_on_Google_Play?taxonomyId=246
-http://www.v3.co.uk/v3-uk/news/2200466/malware-writers-spread-fake-flash-player-
download-on-android
[Editor's Note (Murray): One's favorite bait message has to be "Click here to download the latest security fix for Adobe foobar." ]

---

************************** Sponsored Links: ****************************
1) Try SolarWinds(R) Event Log Consolidator FREE tool to organize event logs from multiple Windows(R) systems. http://www.sans.org/info/112509
2) Time is Running Out to take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/112514 Survey expires August 31
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Java Zero-Day Exploitable Through All Browsers on All Platforms (August 27, 2012)

Hackers are actively exploiting a zero-day vulnerability in Java 7. The flaw can be exploited through any browser running on Windows, Linux, or Mac OS X that has Java installed. Currently, hackers are targeting Windows machines in drive-by attacks. The flaw affects Java versions 7.x, but earlier versions are not affected. Users are urged to disable Java until Oracle released patches to address the issue.
-http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
-http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompt
s-calls-to-disable-java/
-http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219
.html
-http://www.computerworld.com/s/article/9230656/Macs_at_risk_from_super_dangerous
_Java_zero_day?taxonomyId=17

Saudi Aramco Confirms Attack Affected 30,000 Workstations (August 26 & 27, 2012)

Saudi Arabian oil company Saudi Aramco has released an official statement regarding a cyberattack that affected 30,000 workstations. The statement confirms the attack, but offers scant details beyond the number of workstations affected. Saudi Aramco said that it had cleaned the affected workstations and that internal network operations were resumed. Remote access to the computers is still being restricted "as a precaution." The attack did not affect oil production. Malware named Shamoon was detected on systems of some companies in the oil industry earlier this month as well, but Saudi Aramco made no mention of it in its statement.
-http://www.bbc.com/news/technology-19389401
-http://news.cnet.com/8301-1009_3-57501066-83/saudi-oil-firm-says-30000-computers
-hit-by-virus/
-http://arstechnica.com/security/2012/08/worlds-largest-oil-producer-falls-victim
-to-30k-workstation-attack/
-http://www.saudiaramco.com/en/home.html#news%257C%252Fen%252Fhome%252Fnews%252Fl
atest-news%252F2012%252Fsaudi-aramco-restores-network.baseajax.html
[Editor's Comment (Murray): Saudi Aramco did the right thing by shutting down their connections while they did damage assessment and remediation. - From Sony they learned that reconnection should proceed cautiously.
(Northcutt): Was it Shamoon? Article from PC World indicates it might be:
-http://www.pcworld.com/businesscenter/article/261320/kill_timer_found_in_shamoon
_malware_suggests_possible_connection_to_saudi_aramco_attack.html
The various press reports call it a virus, a worm and a trojan and there is apparently some relation to Disttrack:
-https://community.mcafee.com/message/252660
-http://www.securityweek.com/disttrack-sabotage-malware-wipes-data-unnamed-middle
-east-energy-organization
At the bottom of the Symantec blog below, they point out that destructive malware of this nature is unusual:
-http://www.symantec.com/connect/blogs/shamoon-attacks]

Former US Military Commander Says Cyberattacks Used In Afghanistan (August 24, 2012)

The US military has engaged in cyberattacks against targets in Afghanistan, according to a US general. While speaking at a Baltimore conference earlier this month, Marine Lt. General Richard P. Mills said that "as a commander in Afghanistan in the year 2010,
[he ]
was able to use ... cyber operations against
[his ]
adversary with great impact." Mills said he was able to "get inside his nets, infect his command-and-control, and in fact defend
[himself ]
against his almost constant incursions to ... affect
[his ]
operations."
-http://m.washingtonpost.com/national/us-general-says-his-forces-carried-out-cybe
rattacks-on-opponents-in-afghanistan/2012/08/24/dd9e6a28-ee06-11e1-b624-99dee49d
8d67_story.html
[Editor's Note (Honan): General Mills' presentation can be seen at
-http://www.slideshare.net/afcea/afcea-technet-land-forces-east-aberdeen-chapter-
lunch-ltgen-richard-p-mills-usmc]

Judge Denies Filesharer's Request For a New Trial (August 23 & 24, 2012)

A US District Court Judge in Massachusetts has rejected Joel Tenenbaum's request for a new jury trial in the filesharing lawsuit brought against him by the (Recording Industry Association of America) RIAA. Judge Rya W. Zobel upheld the lower court's verdict, which imposed a US $675,000 penalty against Tenenbaum for the illegal filesharing of 31 songs. Tenenbaum's attorney says he plans to appeal.
-http://www.bbc.com/news/technology-19370862
-http://news.cnet.com/8301-13578_3-57499519-38/court-affirms-$675000-penalty-in-m
usic-downloading-case/

Security Company Retracts Assertion That Flame and Gauss are Related (August 23 & 24, 2012)

A security company that initially said the pieces of industrial control system malware known as Gauss and Flame were related has withdrawn that assertion. Researchers at FireEye first believed that the two shared a command-and-control server, but it turned out to be a sinkhole operated by Kaspersky Lab, another security company. In a blog post, FireEye researchers said this: "We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions."
-http://www.theregister.co.uk/2012/08/24/fireeye_gauss_reverse_ferret/
-http://news.cnet.com/8301-1009_3-57499508-83/new-gauss-and-flame-link-was-a-mist
ake-researchers-say/

Child Health and Privacy Advocates Ask FTC to Investigate Viral Marketing Aimed at Kids (August 22, 2012)

Groups focused on children's health and privacy have asked the US Federal Trade Commission (FTC) to investigate online viral advertising programs that exploit commercial appeal to children. The groups say that the "tell-a-friend" features used by McDonald's, General Mills, Turner Broadcasting and other companies violates the Children's Online Privacy Protection Act (COPPA), which became law in 2000, because the actions are taken without adequate parental notification and without parental consent. Georgetown law professor and legal counsel for the Center for Digital Democracy said that the FTC should put an end to the "commercial exploitation of children."
-http://www.wired.com/threatlevel/2012/08/kids-net-exploitation/
-http://news.cnet.com/8301-1009_3-57498655-83/mcdonalds-general-mills-accused-of-
collecting-kids-data/
-http://www.msnbc.msn.com/id/48756909/ns/technology_and_science-security/#.UDvFhk
KVgUs

---

THE 9 REASONS FEDERAL CIOS ARE SENDING SECURITY TEAMS TO THE NATIONAL

THE 9 REASONS FEDERAL CIOs ARE SENDING SECURITY TEAMS TO THE NATIONAL CYBERSECURITY INNOVATION CONFERENCE (NCIC)
www.sans.org/ncic-2012

The 9 reasons nearly all the federal CISOs and CIOs are sending teams to the National Cybersecurity Innovation Conference (NCIC) and why security integrators and vendors view NCIC as the one program where they can find out what will happen next in federal cybersecurity and how broad international government consensus on the 20 Critical Controls is changing the way cybersecurity is acquired and deployed. Here are just a few of the key policy changes and innovations they will learn about:

1. The Senior Federal Executive Panel: The Near Term Future of Federal Cybersecurity Strategy
Federal CIOs and White House cyber officials provide insight into the near term future for FISMA, continuous monitoring and mitigation, minimum standards fo due care, NSTIC, NIST guidance and the 20 Critical Controls

2. Blocking Advanced Persistent Threat Techniques
The Breakthrough TTP (Tactics, Techniques, and Procedures) for only one national government has found and implemented techniques that actually block both intrusion vectors exploited in nearly all targeted intrusions nicknamed APT. Cybersecurity executives from the lead agency that proved it worked at scale are coming to the US exclusively to speak at the NCIC and accept the 2012 US National Cybersecurity Innovation Award. They have also agreed to conduct an in-depth Q&A workshop so you can get the answers you need to replicate and build on their success.

3. Tony Sager on the New International Governance Consortium for the 20 Critical Controls
Recently retired NSA guru, Tony Sager will introduce you to the public private, internationa consortum wthat has taken over responsibility for ensuring the 20 Critical Controls are constantly up-todate with the changing cybersecurity threat picture.

4. Using the 20 Critical Controls in Security Architecture (at a Large Institution)
As the governments of the U.S., U.K., Australia and other allies achieve consensus on the most critical controls, security architects around the world are working diligently to ensure that these controls are built into systems when they are designed and delivered rather than trying to bolt them on. In this session the award-winning team that first showed how to build advanced security architectures using the 20 Critical Controls will show what they did and the lessons they learned along the way,

5. Who Discovered Low Cost Implementation Techniques for Continuous Monitoring and Mitigation
Two agencies have demonstrated that the extraordinary success of automated continuous monitoring and mitigation first proven at the U.S. Department of State, can also be gained quickly and inexpensively in smaller organizations. They will show you the tools and techniques - some quite innovative - that they used.

6. How NSA's Non-Persistent Desktop Browsing Effectively Addresses The Rapidly Increasing Security Threat Stemming From Malicious Software
This previously hypothetical approach now has been shown to actually work to stop nation states, cyber crime, and rogue actors, from socially engineering people browsing the Internet to attack and penetrate systems. This is a first line of defense to stop the exfiltration of valuable information for profit or espionage.

7. How the Leading System Integrators are Making the 20 Critical Controls a Centerpiece of Their Cybersecurity Services
Two of the largest federal system integrators have found that the 20 Critical Controls are a good package to illuminate their cybersecurity capabilities. In this session they'll show you how they did that and discuss the impact it is having.

8. Which Security Tools Are Being Effectively Used in Automating the 20 Critical Controls
A series of panels will enable you to find the vendors with the right tools through user case studies where their tools are being used effectively in automating the 20 Critical Controls.

9. The Fall 2012 Updated Cybersecurity Threat Briefing
How have the attacks changed? What are the newest techniques? A fascinating peek inside the attackers? changing toolbox.

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/