SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #75

September 18, 2012

A great new book about the people and technology behind WikiLeaks: "This
Machine Kills Secrets" is the first book about WikiLeaks written by a
journalist who actually understands information security. Andy Greenberg
of Forbes is one of the 10 best journalists on the cybersecurity beat.
Worth reading.

The international consortium on the 20 Critical Security Controls, led
by the NSA's (recently retired) Tony Sager, will meet for the first time
at the National Cybersecurity Innovation Conference October 3-5 at the
Baltimore Convention Center. In addition you'll see the top rated
session from RSA - Ed Skoudis on the Five Most Dangerous New Attack
Techniques and the only U.S. briefing (plus a Q&A workshop) by the
Australians on their breakthrough that stops targeted attacks (APT) and
two very cool NSA innovations. Plus you'll learn how NASA and HHS were
able to automate security risk mitigation quickly and cost effectively.
Senior federal officials will provide policy discussion on where the
government is taking cyber security defense and automation and you will
also be able to attend (at no additional cost) the co-located
DHS/NSA/NIST program on continuous monitoring.
Register at sans.org/ncic-2012

Alan

---

TOP OF THE NEWS

Sequestration and Cyber Defense Programs
Internet Explorer Zero-Day Exploited in Drive-By Attacks
Flame Authors Were Developing Other Malware

THE REST OF THE WEEK'S NEWS

Two Admit to Subway Restaurant Hack
Last of the IPv4 Addresses to be Allocated in Europe
Google Plans to Add Do Not Track to Chrome
Five Fired for Alleged Misuse of Personal Data in University Medical Research
Chinese Cyber Gangs Target Intellectual Property
Twitter Surrenders OWS Account Data and Tweets
US Nuclear Agency Plans to Establish Social Network
Dutch Court Says Links to Photos Constitute Copyright Violation
French Government Levies First Piracy Fine

---

******************** Sponsored By SolarWinds.Net, Inc. ********************
SolarWinds(r) Log & Event Manager (LEM) versus Splunk(R). Review the Top 5 Reasons to Choose Log & Event Manager over Splunk. See how SolarWinds LEM delivers powerful Security Information and Event Management (SIEM) capabilities in a highly affordable, easy-to-deploy virtual appliance. SolarWinds LEM delivers the visibility, security, and control you need to overcome everyday IT challenges.
http://www.sans.org/info/113487
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012

**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job! https://itsac.g2planet.com/itsac2012/
- --SANS Capital Region Fall 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 43 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS London 2012 London, UK November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, San Diego, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Sequestration and Cyber Defense Programs (September 17, 2012)

Some analysts are saying that the cuts to the Department of Homeland Security (DHS) budget due to possible sequestration could eliminate support for cyberdefense programs in the private sector. Government network security would not likely face any cuts, but funding for research and development grants, forensic equipment used in cybercrime prosecutions, and help for corporate network security could face cuts. Funding for Department of Energy support for industrial control system cybersecurity could disappear as well. The White House has released estimated figures for cuts that could be imposed in January if sequestration were to go into effect.
-http://www.nextgov.com/cloud-computing/2012/09/sequestration-could-hurt-cyber-de
fense-programs/58164/?oref=ng-HPtopstory
[Editor's Note (Pescatore): The level of R&D spending by DHS is just noise as a percentage of the total amount private industry spends on information security R&D. The amount of "help for corporate network security" coming from federal funds is an even smaller percentage of overall spending on security. The focus should be what the spending cuts will do to the federal Government's progress in making the federal Government more secure. ]

Internet Explorer Zero-Day Exploited in Drive-By Attacks (September 17, 2012)

Attackers are actively exploiting a vulnerability in Internet Explorer (IE) for which there is currently no patch. The flaw affects IE6, IE7, IE8, and IE9 running on Windows XP, Windows Vista, and Windows 7. It does not affect IE10. The attacks install malware known as the Poison Ivy backdoor. Microsoft is investigating. Users are encouraged to use an alternative browser until more in known about the issue.
-http://arstechnica.com/security/2012/09/critical-zero-day-bug-in-microsoft-inter
net-explorer/
-http://www.computerworld.com/s/article/9231367/Hackers_exploit_new_IE_zero_day_v
ulnerability?taxonomyId=85
-http://krebsonsecurity.com/2012/09/exploit-released-for-zero-day-in-internet-exp
lorer/

Flame Authors Were Developing Other Malware (September 17, 2012)

Research indicates that those behind Flame were also working on three other pieces of malware. Flame is a cyber espionage tool that was detected on computers in the Middle East earlier this year. The other pieces of malware were discovered during analysis of the command-and-control servers that Flame used. Researchers found evidence of the other programs while analyzing the scripts that managed data transmissions to infected computers. There were four different communications protocols. Evidence found on the servers suggests that those responsible for Flame had been using the servers to communicate with malware as far back as 2006. Analysis also indicates that just one server was able to steal nearly six gigabytes of data in eight days.
-http://arstechnica.com/security/2012/09/new-malware-linked-to-state-sponsored-fl
ame/
-http://www.wired.com/threatlevel/2012/09/flame-coders-left-fingerprints/
-http://www.nextgov.com/cybersecurity/2012/09/flame-operators-likely-behind-three
-other-unidentified-viruses/58152/?oref=ng-channeltopstory
-http://www.v3.co.uk/v3-uk/news/2206055/three-flamerelated-malware-threats-uneart
hed

---

************************** Sponsored Links *****************************
1) SANS Analyst Webcast: Peek into Oracle Identity Governance Solutions reviewed by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, at a SPECIAL TIME of 9 am Pacific/12 Noon Eastern. http://www.sans.org/info/113492
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Two Admit to Subway Restaurant Hack (September 17, 2012)

Two Romanian men have admitted to roles in a scheme to hack into payment card terminals at Subway restaurant franchises in the US. The attacks, which took place between 2009 and 2011, compromised more than 146,000 payment card accounts and caused more than US $10 million in losses.
-http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spre
e/
[Editor's Note (Pescatore): Always good to punish criminals, but most of those compromises took advantage of default remote access passwords. Even better to avoid vulnerabilities so the criminals fail. ]

Last of the IPv4 Addresses to be Allocated in Europe (September 14 &17, 2012)

RIPE, the organization that gives out IP addresses in Europe, is down to its last batch of IPv4 addresses. Companies may only make one more request for these addresses, and if the request is granted, they will receive 1,024 IPv4 addresses. All applications must describe how the organization is implementing the new IPv6 address scheme. Until this final batch, RIPE was giving out about four million IPv4 addresses every 10 days.
-http://www.v3.co.uk/v3-uk/news/2206112/ripe-ncc-begins-moving-out-final-ipv4-add
resses
-https://www.ripe.net/internet-coordination/news/ripe-ncc-begins-to-allocate-ipv4
-address-space-from-the-last-8
-http://www.bbc.com/news/technology-19600718
-http://www.infoworld.com/t/ipv6/scramble-ipv6-begins-europe-depletes-ipv4-urls-2
02456
[Editor's Note (Ullrich): There is now a petition drive under way, to get the UK government to release a /8 it owns. This may buy Europe a couple of months at the current rate of IPv4 exhaustion. It may also put more pressure on other regional registrars. In particular multi national companies may start requesting address space from ARIN or others to use the addresses in Europe. ]

Google Plans to Add Do Not Track to Chrome (September 14, 15, & 17, 2012)

Google has added support for Do Not Track (DNT) to Chromium, the open source code that is incorporated in the company's Chrome browser. DNT has not yet been added to the Chrome development channel. There has been some controversy around the DNT standard. Although the specification for DNT states that "the choice mechanism
[for DNT ]
MUST NOT have the user preference selected by default," Microsoft has turned on DNT by default in IE10 for Windows 8. IE10 users will be given notice when they first start the operating system that this is the case and they will have the opportunity to change that setting.
-http://www.computerworld.com/s/article/9231336/Google_adds_Do_Not_Track_to_Chrom
e_precursor?taxonomyId=17
-http://www.informationweek.com/development/web/google-chrome-to-get-do-not-track
/240007408
-http://www.h-online.com/security/news/item/Google-enables-Do-Not-Track-in-Chrome
-1708643.html

Five Fired for Alleged Misuse of Personal Data in University Medical Research (September 14 & 17, 2012)

Five employees of the British Columbia Ministry of health have been fired following an investigation into the alleged misuse of personal data in medical research. Two other people have been suspended. Research conducted at the University of British Columbia and the University of Victoria allegedly used personal health data for unapproved purposes. The Royal Canadian Mounted Police is investigating the breach, which involved the British Columbia Ministry of Health's Pharmaceutical Services Division.
-http://www.nextgov.com/health/health-it/2012/09/canadian-researchers-allegedly-m
isuse-personal-health-data/58158/
-http://www.vancouversun.com/health/Health+ministry+suspends+workers+over+privacy
+breach/7197204/story.html
-http://www.vancouversun.com/news/Timeline+scandal+that+cost+four+bureaucrats+the
ir+jobs/7205243/story.html

Chinese Cyber Gangs Target Intellectual Property (September 14, 2012)

Researchers have identified cyber espionage groups in China. While there are about 20 such identifiable gangs, the two known by some as The Elderwood Gang and Comment Crew are the largest and appear to be extremely well funded and organized. Their goal is to steal intellectual property from US companies, universities, and government agencies. Elderwood is believed to be responsible for attack on Google in 2009-10 in which source code was stolen. Google is no longer in the Chinese market. Elderwood is believed to have infiltrated systems at defense industry, shipping, aeronautics, energy, manufacturing, engineering, financial, and software companies. The group tends to use spear phishing attacks to gain purchase within target organizations' systems. They also use zero-day vulnerabilities, which can be expensive - evidence that the group is well-funded. Elderwood has now started infecting websites that users at the target organization tend to frequent. Experts say that Elderwood and Comment Crew are likely to be connected to the attacks on RSA.
-http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-t
wo-huge-cyber-gangs-in-China

Twitter Surrenders OWS Account Data and Tweets (September 14, 2012)

Twitter has turned over the tweets and account information of Occupy Wall Street protester Malcolm Harris to a New York criminal court judge. Twitter initially refused to comply with a judge's order to provide the information, filing an appeal last month. The judge who initially issued the subpoena for the information denied Twitter's request to stay the order until the appeals court ruled on the matter. Twitter was given a choice between surrendering the data and providing the judge with earnings statements form the last two quarters so an appropriate fine could be determined.
-http://arstechnica.com/tech-policy/2012/09/twitter-hands-over-occupy-wall-street
-protesters-tweets/
-http://news.cnet.com/8301-1009_3-57513125-83/twitter-hands-over-occupy-protester
s-tweets/
-http://www.wired.com/threatlevel/2012/09/twitter-occupy-data/

US Nuclear Agency Plans to Establish Social Network (September 14, 2012)

The US's National Nuclear Security Administration (NNSA) is planning to introduce a social network to take the place of most email and phone calls within the agency. Initially, the platform, which is known as One Voice, will be available to the 45,000 employees and contractors at NNSA. Access to the site will require strong authentication, and more authentication will be required to access specific communities within the network. In addition, network information will be archived.
-http://www.nextgov.com/emerging-tech/2012/09/workplace-social-network-planned-na
tional-nuclear-security-administration/58129/

Dutch Court Says Links to Photos Constitute Copyright Violation (September 14, 2012)

A court in the Netherlands has ruled that a website that offered links to unauthorized photographs was infringing copyright, and has ordered the site to pay 28,400 euros (US$37,300) and remove all links to the pictures. Failure to comply could result in additional fines. The website, GeenStijl, offered links to the photos that had been put up on another site by an unknown individual. The photos were scheduled to appear in a magazine. According to the court's reasoning, the broader public was not aware of the photos until GeenStijl posted the links; therefore, GeenStijl's actions made the pictures publicly accessible.
-http://arstechnica.com/tech-policy/2012/09/dutch-court-rules-linking-to-photos-i
s-copyright-infringement/
-http://www.pcworld.com/article/262320/linking_to_infringing_material_can_violate
_copyright_says_dutch_court.html

French Government Levies First Piracy Fine (September 14, 2012)

The French government has imposed its first fine under the country's new anti-piracy law. Alain Prevost was fined 150 euros (US $197) for downloading two songs, even though his wife has admitted that she was the person who had downloaded the files. The fine was levied against Prevost because he paid for the Internet connection over which the songs were downloaded. After receiving two warnings about the downloaded songs from Hadopi, the agency that seeks out Internet copyright violators, Prevost terminated his ISP account. He and his wife are divorcing, and he had written to Hadopi, telling them to contact her about the downloaded songs. Their replies were sent to an email address that he no longer had access to.
-http://www.bbc.com/news/technology-19597429

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/