SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #76

September 21, 2012

THE U.S. NATIONAL HIGH SCHOOL CYBER COMPETITION
Know a talented high school student or a high school with talented kids?
Get them to sign up in the next two weeks for Cyber Foundations -
SANS-quality tutorials and then three quizzes where they will win
scholarships and recognition (from Governors and Senators) that will
help them stand out in the competition for college placement - like
sports stars. Information at
National: https://www.cyberfoundations.org/
Virginia Governor's Cup:
http://www.technology.virginia.gov/CyberChallenge/index.cfm

IGs and AUDITORS: A NEW STANDARD OF DUE CARE IN CYBERSECURITY?
For federal IG audit staff and security assessors: a new standard of due
care in cybersecurity appears to be taking shape - with more specificity
than earlier versions. Getting an early understanding will help you
migrate your auditing and assessment techniques to the newer benchmark
when it arrives. A international consortium on the Critical Security
Controls, led by the NSA's (recently retired) Tony Sager, will meet for
the first time at the National Cybersecurity Innovation Conference
October 3-5 at the Baltimore Convention Center. If you audit
cybersecurity or do assessments, you probably want to be there. At the
meeting you'll see the "Five Most Dangerous New Attack Techniques," an
updated version of the top rated session from RSA - by Ed Skoudis. Also
the only U.S. briefing (plus a Q&A workshop) by the Australians on their
breakthrough that stops targeted attacks (APT) and two very cool NSA
innovations. Plus you'll learn how NASA and HHS were able to automate
security risk mitigation quickly and cost effectively. Senior federal
officials will provide policy discussion on where the government is
taking cyber security defense and automation and you will also be able
to attend (at no additional cost) the co-located DHS/NSA/NIST program
on continuous monitoring. Register at sans.org/ncic-2012

Alan

---

TOP OF THE NEWS

White House Draft of Executive Order on Cybersecurity "Close to Completion"
Senator Sends Letters to Fortune 500 CEOs Asking About Cybersecurity Efforts
State Dept. Legal Adviser Says Cyberattacks Subject to Int'l Laws of War

THE REST OF THE WEEK'S NEWS

Password Vulnerability in Oracle Database Login System
Mirage Malware Found on Companies Around the World
Apple's iOS 6 Fixes a Host of Flaws, Introduces Other Problems
Virgin Mobile Password Policy Puts Users' Accounts at Risk of Compromise
Tech Companies Band Form Lobbying Group Aimed at Fighting SOPA-Like Legislation
Stuxnet Influences New Malware
Microsoft Releases Temporary Fix for IE Flaw, Promises Update on September 21
Banks Warned to be Alert for Cyberattacks
More Charges for Man Accused of Downloading Millions of Scholarly Articles

---

******************** Sponsored By SolarWinds.Net, Inc. *********************
What if you could see a dashboard that told you which computers/servers are up to date, which need updates and which computers had patching errors? What if you could have immediate visibility into the latest Microsoft & 3rd party updates, and understand which machines are most vulnerable? You can! Check out the patch management demo now!
http://www.sans.org/info/113637
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring.
http://www.sans.org/ncic-2012

**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 6 courses.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London, UK November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

White House Draft of Executive Order on Cybersecurity "Close to Completion" (September 20, 2012)

US Department of Homeland Security (DHS) Secretary Janet Napolitano says that the White House's executive order on cybersecurity is "close to completion," but added that to ensure the safety of US networks, lawmakers will have to pass cybersecurity legislation as well. There are issues that an executive order cannot address: it cannot provide liability protection as incentives for employing cybersecurity measures and it cannot change penalties for cybercrimes. The president has not yet reviewed the draft document.
-http://www.nextgov.com/cybersecurity/2012/09/cybersecurity-order-close-completio
n/58255/
[Editor's Note (Murray): Perhaps. Perhaps we are not yet ready to impose penalties on victims or grant immunity to perpetrators. ]

Senator Sends Letters to Fortune 500 CEOs Asking About Cybersecurity Efforts (September 19 & 20, 2012)

US Senator Jay Rockefeller (D-West Virginia) has sent letters to chief executives at Fortune 500 companies, asking them to describe how their companies manage cybersecurity. The companies are not obligated to respond to the letter, but the letter does request that responses be submitted by October 19. The letter read, in part, "The cyber threats we face are real and immediate, and Congress's failure to pass legislation this year leaves the country increasingly vulnerable to a catastrophic cyber attack." The bill's failure to pass has also prompted the White House to consider issuing an executive order that would describe voluntary cybersecurity standards for organizations that are responsible for elements of the country's critical infrastructure. The order would not, as the legislation would have done, offer liability protection. The letters pose eight questions seeking the executives' views on cybersecurity, concerns, and best practices. Senator Rockefeller also wants to hear about the companies' views on cybersecurity legislation.
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/09/senators-lette
rs-corporate-execs-stir-cyber-bill-hopes/58240/
[Editor's Note (Pescatore): The questions are fairly innocuous but CISOs should check if their company received the letter, and should be actively involved in the response. "I'm from the government and I'm here to help" is always at best a mixed blessing... ]

State Dept. Legal Adviser Says Cyberattacks Subject to Int'l Laws of War (September 18, 2012)

State Department legal adviser Harold Koh said that cyberattacks can constitute the equivalent of armed attacks, thus prompting the right of self-defense, which would be triggered if the attacks cause death, injury, or significant destruction. Koh was speaking at a US Cyber Command-hosted conference at Ft. Meade. He said that the US has adopted a list of 10 principles and has shared that list through the United Nations. One of the principles is that international law applies in cyberspace.
-http://www.washingtonpost.com/world/national-security/us-official-says-cyberatta
cks-can-trigger-self-defense-rule/2012/09/18/c2246c1a-0202-11e2-b260-32f4a8db9b7
e_story.html

---

THE REST OF THE WEEK'S NEWS

Password Vulnerability in Oracle Database Login System (September 19 & 20, 2012)

A researcher has found a cryptographic flaw in the authentication protocol used by Oracle databases. The flaw can be exploited to obtain access to the databases without authorization. Known as the "Oracle stealth password cracking vulnerability," the problem resides in a session key that certain versions of Oracle databases send to users when they login. That session key leaks information about the hash used to encrypt the password. The passwords can be cracked with a simple brute force attack. The issue was reported to Oracle in May 2010. Oracle addressed it in 2011 in the 11.2.0.3 patch, which was not part of Oracle's Critical Patch Update Cycle.
-http://www.darkreading.com/authentication/167901072/security/application-securit
y/240007643/attack-easily-cracks-oracle-database-passwords.html
-http://arstechnica.com/security/2012/09/oracle-database-stealth-password-crackin
g-vulnerability/
[Editor's note (Ullrich): This is a protocol design flaw, that can not be fixed without breaking compatibility with existing clients. Best advice for Oracle users so far is to turn of the Ver. 1 connect protocol. ]

Mirage Malware Found on Companies Around the World (September 20, 2012)

Malware called Mirage has been found on computer systems at a Canadian energy company, an oil company in the Philippines, and other organizations in Taiwan, Brazil, Israel Egypt, and Nigeria. Mirage places a backdoor on infected systems through spear phishing attacks that carry maliciously-crafted email attachments, usually PDF files. Mirage hides its communications with command-and-control servers by using Secure Socket Layers (SSL).
-http://news.cnet.com/8301-1009_3-57517388-83/cyberspying-effort-drops-mirage-on-
energy-firms/

Apple's iOS 6 Fixes a Host of Flaws, Introduces Other Problems (September 20, 2012)

Apple has released the newest version of its mobile operating system, iOS 6.0, which addresses nearly 200 vulnerabilities and adds a number of new features. Some of the flaws fixed could be exploited to circumvent the lock screen's passcode; to fake sender data in text messages; and inject code through doctored websites or files. One of the changes made in iOS 6 is that the iPhone's Siri can interact with Twitter and Facebook even when the device is locked, so anyone could tweet or post Facebook updates from an unattended iPhone. Users can disable Siri in the Passcode lock settings. Users have been complaining about maps on iOS 6, which reportedly mislocates or misnames landmarks; in some cases, e.g., has lost them altogether. Apple has migrated from Google Maps as its default map application to a new, in-house mobile map application. Internet Storm Center:
-https://isc.sans.edu/diary/iOS+6+Security+Roundup/14152
-http://www.h-online.com/security/news/item/Apple-closes-numerous-security-holes-
with-iOS-6-1713012.html
-http://news.cnet.com/8301-1009_3-57517364-83/ios-6-allows-tweets-facebook-posts-
from-locked-device/
-http://www.cnn.com/2012/09/20/tech/mobile/apple-maps-complaints/
[Editor's Note (Pescatore): I'd like to know why Apple has still not achieved FIPS 140-2 certification for the crypto in the iPhone or Ipad. It has been in the "Review Pending" stage in NIST status for well over a year now. ]

Virgin Mobile Password Policy Puts Users' Accounts at Risk of Compromise (September 17 & 18, 2012)

Virgin Mobile users are at risk of having their accounts compromised because of a company policy that requires passwords to be numeric and limits them to six digits. The restrictions mean that there are no more than one million possible passwords available to Virgin Mobile users. A Virgin Mobile subscriber, who also is a cloud communications company developer, wrote a script that runs a brute-force attack to crack the password and tested it on his own account. The script clears the browser cookie that Virgin Mobile sets after each login attempt. He was never locked out of trying to access the account. If Virgin allowed eight-character passwords and included both lower- and upper-case letters, there would be 218.3 trillion possible combinations.
-http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/
-http://www.wired.com/threatlevel/2012/09/virgin-mobile/

Tech Companies Band Form Lobbying Group Aimed at Protecting Internet Freedom (September 19, 2012)

Several big technology companies have joined forces to form a lobbying group to protect Internet freedom. The Internet Association was founded in large part to counteract efforts by the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) to influence legislation; both the RIAA and the MPAA lobbied hard for the Stop Online Piracy Act (SOPA), and effort that was ultimately unsuccessful. The Internet Association counts Amazon, Google, and Facebook among its members.
-http://www.wired.com/threatlevel/2012/09/internet-freedom-lobby/?utm_source=twit
ter&utm_medium=socialmedia&utm_campaign=twitterclickthru

Stuxnet Influences New Malware (September 19, 2012)

When Stuxnet emerged into the public eye two years ago, cybercriminals with fewer resources than those who developed the sophisticated malware that targeted industrial control systems were able not only to glean the zero-day flaws the malware exploited, but also to learn from the "higher-level design features" to make their products more insidious. For example, Stuxnet installed phony device drivers using stolen digital certificates. Other malware has since emerged that uses phony certificates to make malware harder for security products to detect. Researchers believe that developments to come include modular design, like that used in Flame. Roel Schouwenberg, a security researcher with Kaspersky, has noted that such "cyberweapons and targeted attacks now give us some insight into what will be coming into the mainstream."
-http://www.technologyreview.com/news/429173/stuxnet-tricks-copied-by-computer-cr
iminals/

Microsoft Releases Temporary Fix for IE Flaw, Promises Update on September 21 (September 18, 19, & 20, 2012)

Microsoft has issued a temporary fix for a zero-day flaw in Internet Explorer (IE) that is being actively exploited in targeted attacks. The company said it plans to release a more permanent, cumulative update to address the problem on Friday, September 21; that update will also address a number of other issues in IE. The German government has recommended that people refrain from using IE until the full update is released. The flaw affects all versions of IE except IE10. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=14134
-http://technet.microsoft.com/en-us/security/bulletin/ms12-sep
-http://blogs.technet.com/b/msrc/
-http://www.darkreading.com/vulnerability-management/167901026/security/attacks-b
reaches/240007691/multiple-targeted-ie-attacks-underway-microsoft-to-release-pat
ch-tomorrow.html
-http://arstechnica.com/security/2012/09/microsoft-pledges-fix-for-critical-inter
net-explorer-bug/
-http://krebsonsecurity.com/2012/09/microsoft-issues-stopgap-fix-for-ie-0-day-fla
w/
-http://news.cnet.com/8301-1009_3-57516392-83/microsoft-issues-fix-for-ie-hole-fu
ll-update-coming-friday/
-http://securityledger.com/microsoft-issues-fix-for-ie-zero-day-promises-update-f
or-friday/
-http://www.theregister.co.uk/2012/09/20/ie_zero_day_latest/
-http://www.zdnet.com/microsoft-to-ship-emergency-ie-patch-to-thwart-active-attac
ks-7000004577/

Banks Warned to be Alert for Cyberattacks (September 19 & 20, 2012)

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has issued a warning to US financial institutions to be alert for cyberattacks following outages on the public websites of Bank of America and JP Morgan Chase. There are reports that several banks are being targeted by distributed denial-of-service (DDoS) attacks, but the others have not been named. The warning from the FS-ISAC comes just two days after the FBI issued a fraud alert warning that cyber criminals may be launching attacks as a distraction from attempts to conduct fraudulent wire transfers. National security officials in the US now believe that Iran is behind the attacks on the bank sites, and they may have been launched in retaliation for US sanctions on Iranian banks. Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=14146
-http://openchannel.nbcnews.com/_news/2012/09/20/13990206-officials-see-iran-not-
outrage-over-film-behind-cyber-attacks-on-us-banks
-http://in.reuters.com/article/2012/09/20/us-jpmorganchase-website-idINBRE88I16M2
0120920
-http://www.computerworld.com/s/article/9231515/U.S._banks_on_high_alert_against_
cyberattacks?taxonomyId=17
[Editor's Note (Pescatore): Financial institutions have been dealing with continuing and complex DoS attacks for several years now, as well as many online retailers. For a company that relies on Internet connectivity for revenue and customer service, an Internet connection without DDoS mitigation is like a data center without a UPS. ]

More Charges for Man Accused of Downloading Millions of Scholarly Articles (September 18, 2012)

Aaron Swartz, who was charged last year in connection with downloading a huge number of academic articles from a the JSTOR subscription database through an Internet connection at the Massachusetts Institute of Technology (MIT), is now facing additional charges. Federal prosecutors have added nine more felony counts to the indictment against Swartz, who is free on bond. Swartz allegedly violated JSTOR's terms of service, which require that users "must agree and acknowledge that they cannot download or export content from JSTOR's computer servers with automated programs." He also allegedly used a dedicated laptop hidden in a closet at MIT so he could have a persistent network connection while downloading the documents. The scope of Swartz's downloading allegedly brought down JSTOR servers several times.
-http://www.wired.com/threatlevel/2012/09/aaron-swartz-felony/
Original Indictment (7/14/2011):
-http://www.wired.com/images_blogs/threatlevel/2011/07/swartz_indictment.pdf
Superseding Indictment (9/12/2012):
-http://www.wired.com/images_blogs/threatlevel/2012/09/swartzsuperseding.pdf

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/