SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #79
October 02, 2012
TOP OF THE NEWS
Adobe Acknowledges Internal Server HackHackers Exploit Flaws in DSL Modems to Infect Computers
THE REST OF THE WEEK'S NEWS
Attempt to Infiltrate White House Internal Network ThwartedIran Restores Gmail Service
Surveillance Software Maker Under Investigation
Japan Adds Penalties to Anti-Piracy Law
Proxy Server Provider Anomaly Blamed For IEEE Data Exposure
Think-Tank Website Will Not Honor Do Not Track Requests
Energy Companies Respond to Senator Rockefeller's Cybersecurity Questions
Privacy Groups Ask FTC to Investigate Facebook's Involvement with Datalogix
Social Engineering Becoming a Threat to Government and Corporate Networks
*********************** Sponsored By Symantec *****************************
Monitoring is Nothing without the Ability to Respond: Using the Principles of Continuous Monitoring for Threat Modeling and Response
Thursday, October 11, 1 PM EST, featuring instructor and federal expert, G. Mark Hardy and Tiffany Jones, senior manager of products at Symantec.
http://www.sans.org/info/114917
**************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. http://www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/
- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/
- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/
- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/
- --SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/
- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/
- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 6 courses.
http://www.sans.org/event/sydney-2012
- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012
- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************
TOP OF THE NEWS
Adobe Acknowledges Internal Server Hack (October 1, 2012)
Adobe says that one of its internal servers has been hacked. The compromised server has access to the company's digital certificate code signing infrastructure. The incident occurred in late July. The attackers were able to use the unauthorized access to create and digitally sign at least two malicious files. Adobe is planning to revoke the certificate as of October 4 and will issue updates for Adobe software that it is signed with.-http://www.darkreading.com/advanced-threats/167901091/security/application-secur
ity/240008184/adobe-says-its-code-signing-infrastructure-has-been-hacked.html
-http://www.nextgov.com/cybersecurity/2012/10/attackers-used-adobe-certificate-va
lidate-malware/58488/?oref=ng-channeltopstory
[Editor's Note (Pescatore): Of course, revoking a certificate is only meaningful if revocation checking is meaningful - which, in the current SSL certificate model, it is not. The CA/Browser Forum has spent most of the year discussing reorganizing, which despite famous quotes is not even close to making progress.
(Murray: However one feels about it, Adobe, like Boeing, is a part of the world economic infrastructure. It needs to behave by the same standards. So far, they seem unwilling or unable to measure up. Believing that code comes from Adobe may give me confidence that it is not malicious but not that it is safe to use. Am I being too harsh? Do I expect too much? Is building software so much harder than building airliners that I should be cutting Adobe more slack?
(Ullrich): If this server was used to sign code, then there is also a chance that code was modified before it was signed.]
Hackers Exploit Flaws in DSL Modems to Infect Computers (October 1, 2012)
Hackers exploited flaws in DSL modems to infect Internet users in Brazil with malware. The cross-site request forgery attack redirected users visiting certain popular websites to maliciously crafted sites that loaded malware into their computers. The attackers gained access to the modems and reconfigured them so that they communicated with malicious domain name system servers. The malware stole online banking account access credentials. More than 4.5 million DSL modems are believed to have been affected. The attack targeted modems from six manufacturers.-http://arstechnica.com/security/2012/10/dsl-modem-hack-infects-millions-with-mal
ware/
[Editor's Note (Ullrich): Cross site request forgery, or in general web application vulnerability in embedded systems like routers, are not only common, but also hard to patch for the end user. There is no great fix here, but probably the best thing a user can do as a precaution is to set a password even for access from inside the network, and to use non default IP addresses.]
******************************* Sponsored Link: **************************
1) Take the SANS Survey on Application Security Policies in Enterprises! Help shape the industry and be entered to win a $300 American Express Card. http://www.sans.org/info/114922
***************************************************************************
THE REST OF THE WEEK'S NEWS
Attempt to Infiltrate White House Internal Network Thwarted (October 1, 2012)
The White House has acknowledged that hackers tried to gain access to an internal computer network there, but say that the attack was detected and thwarted, and no classified networks were in danger. The attack was launched through spear phishing. The targeted network is that of the White House Military Office. The incident occurred in September and is being described as an isolated incident.-http://arstechnica.com/security/2012/10/white-house-says-it-thwarted-attack-on-g
overnment-computer-system/
-http://www.washingtonpost.com/politics/white-house-says-1-of-its-unclassified-ne
tworks-was-cyber-attacked-says-effort-was-repelled/2012/10/01/a4c4e5d0-0bc8-11e2
-97a7-45c05ef136b2_story.html
-http://news.cnet.com/8301-1009_3-57523621-83/white-house-confirms-spearphishing-
intrusion/
-http://www.zdnet.com/white-house-confirms-network-breach-thwarted-attack-7000005
042/
Iran Restores Gmail Service (October 1, 2012)
Gmail is once again accessible in Iran after being unavailable for a week. The government has been blocking YouTube since 2009 and blocked Gmail after Google refused to take down an anti-Islam video from YouTube. The decision to allow access to Gmail was made after members of Iran's parliament complained.-http://www.eweek.com/security/google-gmail-returns-to-iran-but-youtube-still-blo
cked
-http://arstechnica.com/tech-policy/2012/10/iran-restores-access-to-gmail-after-w
eeklong-block/
-http://www.bbc.com/news/technology-19784409
-http://www.telegraph.co.uk/technology/google/9579314/Iran-unblocks-Gmail.html
[Editor's Note (Murray): My grandmother used to call that "Cutting off one's nose to spite one's face."]
Surveillance Software Maker Under Investigation (October 1, 2012)
The software company that created the surveillance tool that has been used by some rent-to-own companies on PCs is being investigated by the Florida Attorney General's Office. DesignerWare and seven rent-to-own companies recently agreed to a US Federal Trade Commission (FTC) settlement regarding a complaint that the companies used the software to spy on customers and harvest their personal information. DesignerWare and the seven companies have agreed to refrain from spying on customers and to maintain records documenting their compliance with the settlement for 20 years.-http://www.informationweek.com/security/attacks/florida-ag-confirms-pc-surveilla
nce-tool/240008218
Japan Adds Penalties to Anti-Piracy Law (September 30 & October 1, 2012)
Changes to Japanese anti-piracy law establish new penalties for illegal downloaders. Individuals convicted of illegally downloading digital content could face up to two years in prison and a fine of up to two million yen (US $25,600). Downloading content in violation of copyright law has been illegal since 2010, but the penalties have not been in place. Critics say the enforcement should focus instead on those who make the content available. Penalties for uploading include a maximum 10-year prison sentence and a fine of up to 10 million yen (US $128,000).-http://www.bbc.com/news/technology-19767970
-http://contentmanagement.cbronline.com/news/japan-lays-down-new-anti-piracy-law-
against-illegal-online-file-sharing-011012
[Editor's Note (Murray): When something is not working, doing it harder usually does not help much.]
Proxy Server Provider Anomaly Blamed For IEEE Data Exposure (September 28, 2012)
The Institute of Electrical and Electronics Engineers (IEEE) has issued a statement regarding a security issue that exposed personal information of 100,000 members of the professional organization. The IEEE says that "an anomaly ...[in ]
a process executed in coordination with a proxy provider of IEEE" was responsible for the data exposure. The anomaly allowed for some copies of logs to be placed on the IEEE's public FTP server.
-http://www.scmagazine.com/ieee-says-proxy-anomaly-caused-100k-password-breach/ar
ticle/261341/
[Editor's Note (Honan): The anomaly was not the reason for the data exposure, the root cause was not securing the members' passwords properly in the first instance.]
Think-Tank Website Will Not Honor Do Not Track Requests (September 28, 2012)
The website of Washington, DC-based think tank Information Technology Innovation Foundation (ITIF) will not honor users do-not-track (DNT) requests. A new feature on the website detects visitors' DNT settings and informs those who have the preference selected that the request is denied. In a blog post, ITIF senior analyst Daniel Castro wrote, "Do Not Track is a detrimental policy that undermines the economic foundation of the Internet. Advertising revenue supports most of the free content, services, and apps available on the Internet."-http://www.computerworld.com/s/article/9231857/Tech_think_tank_s_website_rejects
_browser_do_not_track_requests?taxonomyId=84
-http://www.itif.org/publications/why-itif-rejects-your-do-not-track-request
[Editor's Note (Murray): Nonsense. Do not track is "opt-in" and, therefore is likely to have minimal impact, much less "undermine the economic foundation of the internet."
(Ullrich): They do have a valid point. "Do Not Track" is a bit like skipping commercials on TV. The implied "contract" is that you as a consumer get free or discounted content in exchange for exposing yourself to ads. Legacy concepts like "Privacy" interfere with this economic model.]
Energy Companies Respond to Senator Rockefeller's Cybersecurity Questions (September 28, 2012)
Last week, Senator Jay Rockefeller (D-West Virginia) sent letters to the CEOs of Fortune 500 companies asking their opinions about cybersecurity. Rockefeller sought the executives' input after cybersecurity legislation failed to pass in the Senate earlier this year. In response, industry associations representing electric companies wrote a letter, saying they are amenable to voluntary collaboration with the government. The letter goes on to say, "While standards enforce good business practices and encourage a baseline level of security, compliance checklists that focus only on performance requirements are not sufficient to address cyberthreats."-http://www.nextgov.com/cybersecurity/2012/09/utilities-open-cybersecurity-dialog
ue/58459/?oref=ng-channeltopstory
[Editor's Note (Murray): There seems to be a fundamental assumption on Capitol hill that the only way to get cooperation, or even right behavior, from industry is by legislation, the more draconian the better. Asking might be a good idea. In the case of the electrical utilities, the last think that we want to do is to put them in a bind between an intractable Federal Government and the states that regulate them. "Can't we all just get along?"]
Privacy Groups Ask FTC to Investigate Facebook's Involvement with Datalogix (September 28, 2012)
The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy want the US Federal Trade Commission (FTC) to investigate whether Facebook is violating the terms of a privacy settlement reached with the agency. Facebook has entered into an agreement with data-mining company Datalogix to measure the effectiveness of ads on the social networking site. Facebook has issued a statement saying that it is "confident that we are[in ]
compliance with our legal obligations." The two groups seeking the FTC investigation say that "Facebook did not attempt to notify users of its decision to disclose user information to Datalogix" and that Facebook's arrangement for users to opt out of the arrangement is "confusing and ineffective."
-http://www.nextgov.com/mobile/2012/09/ftc-urged-probe-whether-facebook-violating
-privacy-settlement/58421/
[Editor's Note (Murray): The FTC is doing a good job. However, one has little hope that they will have much effect upon FaceBook. Perhaps DoD, or if we are really serious, the IRS.]
Social Engineering Becoming a Threat to Government and Corporate Networks (September 26, 2012)
A recent batch of spear phishing attacks targeted a national security consulting company, and other organizations involved in energy and intelligence. The email messages included details that made them appear as though they were coming from friends or colleagues. Social engineering has become a serious threat to government and corporate computer networks. Hackers generally gather information about their targets. There are online data-mining services that pull together information about individuals' friends, family, work, and interests. The recent attacks were focused on a tight group of individuals. The attack failed at a security company called Digital Bond because employees noticed something was a bit off with the email message that appeared to come from their boss. Further examination of the attachments revealed tat they were not what they claimed to be, but instead, were executable files that placed Trojan horse programs on computers.-http://www.washingtonpost.com/investigations/in-cyberattacks-hacking-humans-is-h
ighly-effective-way-to-access-systems/2012/09/26/2da66866-ddab-11e1-8e43-4a3c437
5504a_story.html
[Editor's Note (Murray): The rogues defined "social engineering" as "the acquisition of special knowledge by means of wit and skill." It has been the favorite tool in their kit since biblical times. It exploits human nature, the inclination to trust. Crafted bait messages, so-called 'spear-fishing," exploit the trust we put in what we think are known sources. Human beings have always been, and will always be, the weak nodes in the Internet. The bait messages may be novel but there is nothing novel in "social engineering."]
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/