SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #78

September 28, 2012

IGs and AUDITORS: A NEW STANDARD OF DUE CARE IN CYBERSECURITY?
For federal IG audit staff and security assessors: a new standard of due
care in cybersecurity appears to be taking shape - with more specificity
than earlier versions. Getting an early understanding will help you
migrate your auditing and assessment techniques to the newer benchmark
when it arrives. A international consortium on the Critical Security
Controls, led by the NSA's (recently retired) Tony Sager, will meet for
the first time at the National Cybersecurity Innovation Conference
October 3-5 at the Baltimore Convention Center. If you audit
cybersecurity or do assessments, you probably want to be there. At the
meeting you'll see the "Five Most Dangerous New Attack Techniques," an
updated version of the top rated session from RSA - by Ed Skoudis. Also
the only U.S. briefing (plus a Q&A workshop) by the Australians on their
breakthrough that stops targeted attacks (APT) and two very cool NSA
innovations. Plus you'll learn how NASA and HHS were able to automate
security risk mitigation quickly and cost effectively. Senior federal
officials will provide policy discussion on where the government is
taking cyber security defense and automation and you will also be able
to attend (at no additional cost) the co-located DHS/NSA/NIST program
on continuous monitoring. Register at sans.org/ncic-2012

Alan

---

TOP OF THE NEWS

Adobe Revoking Compromised Code-Signing Certificate
Unencrypted IEEE Website Logs Exposed
New Java Vulnerability Detected

THE REST OF THE WEEK'S NEWS

RSA Report Describes VOHO Attack Waterhole Technique
Australian Authorities Shut Down Carding Operation
Australian Police Commissioners Speak at Hearing on Telecom Data Retention
SCADA System Maker Notifies Customers of Breach
German Federal Office for Information Security OKs IE After Critical Flaw is Patched
Rental Companies Agree to FTC Settlement Over Software That Invaded Renters' Privacy
Draft Executive Order Would Establish Interagency Cybersecurity Council at DHS
VA and HHS Test Meta-Data Tags For Secure Information Sharing
Document Leaks Prompt Pentagon to Put DISA in Charge of Strengthening Federal Network Security

---

************************* Sponsored By SANS *****************************
Take the SANS Survey on Application Security Policies in Enterprises! Help shape the industry and be entered to win a $300 American Express Card.
http://www.sans.org/info/114697
**************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012

**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job! https://itsac.g2planet.com/itsac2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 6 courses.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Adobe Revoking Compromised Code-Signing Certificate (September 27, 2012)

Adobe is revoking a cryptographic key that has been compromised by attackers to authenticate malware. The hackers managed to gain access to a build server used to develop Adobe software that in turn had access to the Adobe code-signing infrastructure. A forensic investigation determined that the attackers managed to use their access to sign two samples of malware. According to an Adobe blog post, the company is "proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate."
-http://arstechnica.com/security/2012/09/adobe-to-revoke-crypto-key-abused-to-sig
n-5000-malware-apps/
-http://news.cnet.com/8301-1009_3-57521794-83/adobe-to-revoke-code-signing-certif
icate/
-https://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-ce
rtificate.html
[Editor's Comment (Northcutt): SSL/TLS certificates are rapidly reaching the end of the road, anyone know of a better idea than sovereign keys? Is so, please drop stephen@sans.edu a note:
-https://freedom-to-tinker.com/blog/sjs/diginotar-hack-highlights-critical-failur
es-our-ssl-web-security-model/
-http://isc.sans.edu/diary.html?storyid=8686
-https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-ema
il-more-secure

-http://www.schneier.com/blog/archives/2011/12/the_effs_sovere.html]

Unencrypted IEEE Website Logs Exposed (September 25 & 26, 2012)

Personal information belonging to nearly 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) has been exposed in a data security breach. The compromised data include user names, plaintext passwords, and website activity. Some members are employees of well-known organizations like NASA, Apple, and Google. The information was exposed because 100 gigabytes of unencrypted website logs were publicly available for a month or more on IEEE servers. A Danish graduate student discovered the breach while looking for research material on an IEEE FTP server.
-http://arstechnica.com/security/2012/09/ieee-trade-group-exposes-100000-password
-for-google-apple-engineers/
-http://www.computerworld.com/s/article/9231731/Researcher_finds_100K_passwords_u
ser_IDs_on_IEEE_site?taxonomyId=203
-http://www.darkreading.com/database-security/167901020/security/attacks-breaches
/240008028/100-000-ieee-user-passwords-ids-exposed-on-internet.html
-http://www.esecurityplanet.com/network-security/ieee-suffers-massive-security-br
each.html
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/09/ieee-data-brea
ch-has-global-implications/58344/
-http://www.theregister.co.uk/2012/09/25/ieee_leaks_logins/
[Editor's Note (Honan): The statement from IEEE on the breach is available on their website
-http://www.ieee.org/about/news/2012/27september_2012.html
and states "IEEE follows security best practices based on ISO and NIST standards". I suggest the IEEE needs to do their homework and re-read the ISO and NIST material as nowhere in that material does it say storing user passwords in plain text is good practise.]

New Java Vulnerability Detected (September 26, 2012)

A just-detected vulnerability in Java affects most versions of Java currently in use. The flaw could be exploited to bypass the sandbox in Java. There are currently no reports of active exploits.
-http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabi
lities/240008029/deja-vu-all-over-again-new-java-vulnerability-found-bypasses-bu
ilt-in-security.html
-http://www.forbes.com/sites/andygreenberg/2012/09/25/another-critical-security-f
law-in-java-appears-before-oracle-has-even-resolved-the-last-one/
-http://www.h-online.com/security/news/item/Researcher-uncovers-yet-another-Java-
hole-1717740.html
-http://www.informationweek.com/security/application-security/java-vulnerability-
affects-1-billion-plu/240007985

---

THE REST OF THE WEEK'S NEWS

RSA Report Describes VOHO Attack Waterhole Technique (September 25 & 27, 2012)

A report from RSA details a cyberattack in which hackers placed malware on websites their targets are likely to visit to redirect them to other sites where their computers would become infected. Known as a waterhole attack, the technique allowed cybercriminals to infiltrate computer systems at nearly 1,000 organizations in less than a year. The attack campaign has been dubbed VOHO. Of the 35,000 computers that were affected by VOHO and redirected to malicious servers, roughly 4,000 were infected with the malware that gave attackers access to organizations' systems, a 12 percent rate of success. (Regular drive-by attacks have a success rate of between five and 10 percent.) The attack targeted users in 10 specific geographic areas. VOHO bears some resemblance to the attacks in the campaign known as Aurora that targeted Google, Adobe, and other companies - mainly, the use of the Gh0st remote access tool, but there is no evidence to suggest that the same groups are behind both attack campaigns.
-http://www.eweek.com/security/government-agencies-utilities-among-targets-of-voh
o-cyber-spy-attacks/
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
240007959/vast-cyberespionage-campaign-brazen-in-its-approach.html
-http://blogs.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-0924
2012_AC.pdf
[Editor's Note (Murray): The Lion has always waited at the waterhole for prey. Mitnick's book is part of the hacker culture. Most people are inherently trusting. I see little in that list that is likely to change much. You cannot protect the whole enterprise or all of your data. Focus on the sensitive data.]

Australian Authorities Shut Down Carding Operation (September 27, 2012)

Law enforcement officials in Australia have shut down a large carding operation and arrested several people in connection with the criminal scheme. The case, which has been in the works for more than a year, was a joint effort between the Australian Federal Police (AFP), New South Wales (NSW) Police, NSW Roads and Maritime Services, and the Department of Immigration and Citizenship. The agencies worked together to form an Identity Security Strike Team to investigate such crimes. Authorities allege that those involved in the carding scheme were manufacturing fraudulent payment cards, populating them with data stolen over the Internet and through skimming attacks.
-http://www.zdnet.com/au/joint-strike-force-shuts-down-largest-carding-operation-
in-australia-7000004876/

Australian Police Commissioners Speak at Hearing on Telecom Data Retention (September 26, 2012)

At a hearing before Australia's Joint Committee on Security and Intelligence focused on proposed changes to telecommunications communication interception, AFP Commissioner Tony Negus said that ideally, telecommunications companies would be required to retain customer data indefinitely. Law enforcement agencies are asking telecommunications companies to retain non-content user data for up to two years. Negus said that while indefinite retention of the data would be preferable, he "understand
[s ]
that is not practical in the context of costs." The current two-year retention period is a compromise worked out with the Attorney General. NSW Police Commissioner Andrew Scipione, who also spoke at the hearing, suggested that telecommunications "legislation needs to be rewritten from scratch."
-http://www.zdnet.com/australian-police-want-telco-customer-data-retained-forever
-7000004811/
[Editor's Note (Honan): It's interesting to note that in Europe, where data retention has been in place for a number of years, there are calls to revise the Data Protection directive. In particular after studies in Germany show that retaining such data for long periods of time has no benefit in criminal investigations
-http://www.computerworlduk.com/news/public-sector/3285242/german-crime-figures-c
ast-doubt-on-data-retention-directive/
(Murray): The exponentially falling price of storage will inevitably increase the amount of data retained. Just as inevitably it will leak. Certainly US telcos cannot be relied upon to resist such leakage; are Australian telcos better? The so-called "non-content" data is the "social graph," the history of our relationships, the very data that FaceBook so cherishes. I am glad that I am so old because this is not leading to a world that I want to live in.]

SCADA System Maker Notifies Customers of Breach (September 26 & 27, 2012)

Industrial control system maker Telvent Canada Ltd. has sent letters to customers, notifying them that it became aware of a data security breach of its internal firewall and security systems. The attackers installed malware and stole files related to the company's OASyS SCADA product, which is used to help let legacy IT assets work with smart grid technology. The breach affects customers in Canada, the US, and Spain. Some are saying that the attack is the work of a Chinese cyberespionage operation known as the Comment of Shanghai Group.
-http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energ
y-industry-giant-telvent/
-http://www.csmonitor.com/USA/2012/0927/China-cyberspies-suspected-in-new-caper-w
hat-has-experts-worried
-http://www.wired.com/threatlevel/2012/09/scada-vendor-telvent-hacked/
-http://arstechnica.com/security/2012/09/hack-attack-on-energy-giant-highlights-t
hreat-to-critical-infrastructure/
-http://news.cnet.com/8301-1009_3-57521049-83/maker-of-smart-grid-software-disclo
ses-hack/
-http://www.computerworld.com/s/article/9231748/Energy_giant_confirms_breach_of_c
ustomer_project_files?taxonomyId=82

German Federal Office for Information Security OKs IE After Critical Flaw is Patched (September 26, 2012)

Now that Microsoft has issued a patch to address a critical flaw in nearly all versions of Internet Explorer (IE), Germany's Federal Office for Information Security (BSI) has deemed the browser acceptable to use once again. When news of the unpatched flaw that was being actively exploited first broke, BSI recommended that users turn to an alternative browser until the issue was adequately addressed. BSI still recommends that organizations "implement a two-browser strategy."
-http://www.zdnet.com/internet-explorer-safe-to-use-again-after-zero-day-patch-ge
rmany-decides-7000004794/

Rental Companies Agree to FTC Settlement Over Software That Invaded Renters' Privacy (September 25 & 26, 2012)

Eight rental companies have agreed to the terms of a settlement with the US Federal Trade Commission (FTC) regarding allegations that computers they rented spied on renters. The computers were outfitted with software called PC Rental Agent that has a feature called Detective Mode, which can provide the rental companies with the location of the machines via GPS if the renters were late with their payments. The program is also capable of logging keystrokes, screenshots, and taking pictures with the webcam. It also displays a phony registration screen that appears to be from Microsoft requesting users' contract information. The FTC complaint alleged that "data gathered by Detective Mode has revealed private, confidential, and personal details about the computer user."
-http://arstechnica.com/security/2012/09/rent-to-own-pcs-surreptitiously-captured
-users-most-intimate-moments/
-http://news.cnet.com/8301-1009_3-57520249-83/rent-to-own-firms-settle-computer-s
pying-charges/
-http://www.theregister.co.uk/2012/09/26/ftc_computer_rental_spying/
-http://www.bbc.com/news/technology-19726954
-http://www.informationweek.com/security/client/ftc-wrist-slaps-pc-rental-firms-f
or-spyi/240007967
FTC Complaint:
-http://www.ftc.gov/os/caselist/1123151/designerware/120925designerwarecmpt.pdf
[Editor's Note (Honan): This software apparently also gathered renters' email and social network passwords, financial information and other data and is a good example of never trust a computer that you do not own yourself. Whether that be a rental PC, an Internet caf PC or a friend's PC, always be wary of what information you type into such machines.]

Draft Executive Order Would Establish Interagency Cybersecurity Council at DHS (September 25, 2012)

The White House draft executive order on cybersecurity would reportedly gather representatives from federal agencies to draw up voluntary cybersecurity measures for companies that support the country's critical infrastructure. There is a 90-day deadline to write up the guidelines and establish a new cybersecurity council at the Department of Homeland Security (DHS). The executive order reportedly includes elements of cybersecurity legislation that failed to pass earlier this year.
-http://www.theregister.co.uk/2012/09/25/executive_order_cybersecurity/
[Editor's Note (Murray): NIST or DHS, that is the question. NIST has the better record but DHS has the political clout.]

VA and HHS Test Meta-Data Tags For Secure Information Sharing (September 25, 2012)

The US Departments of Veterans Affairs (VA) and Health and Human Services (HHS) are using a meta-data technique to share sensitive health information. The data to be shared are meta-tagged in electronic health records (EHRs) to designate them as requiring special handling. This is part of the Data Segmentation for Privacy (DS4P) initiative, which allows users to designate certain data within EHRs as sensitive. In this test run sharing data between VA and HHS, the data were tagged indicating that they could be used only for authorized purposes and that patients had to provide consent if the data were to be further disclosed.
-http://www.informationweek.com/healthcare/interoperability/feds-automate-sharing
-of-sensitive-healt/240007877
[Editor's Note (Murray): HIPAA Security and Privacy Rules have had the perverse effect of discouraging the use of EHR. The paper records are killing and impoverishing us. They are error prone and they conceal the horizontal information needed to advance the science of medicine. We really need to get this right.]

Document Leaks Prompt Pentagon to Put DISA in Charge of Strengthening Federal Network Security (September 25, 2012)

The Defense Information Systems Agency (DISA) has been given the task of bolstering network security at all government agencies with the exception of the State Department and the FBI. The move was made in response to the unauthorized release of classified State Department and Pentagon documents over the last two years through WikiLeaks. Contract documents disclosed earlier this week indicate that DISA will serve as "the common service provider for the new public key infrastructure hardware tokens, certificates, and services for federal classified and secret networks" expect those named above. The decision applies to "all federal agencies that operate on the federal classified
[or ]
Secret networks."
-http://www.nextgov.com/defense/2012/09/disa-charged-securing-all-two-federal-net
works/58354/

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/