SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #8

January 27, 2012

TOP OF THE NEWS

Proposed Changes to EU Data Protection Law Draw Criticism
Massachusetts Data Protection Law to Include Third Parties as of March 1
Symantec Says Stolen Code Puts pcAnywhere Users at Risk of Attack
Judge Orders Woman to Decrypt Laptop

THE REST OF THE WEEK'S NEWS

European Parliament Site Hit With DDoS Attack Over ACTA Anti-Piracy Treaty
O2 Fixes Mobile Phone Number Leak
Video Conferencing Software Configuration Vulnerabilities
NIST Issues Cloud Security Guidelines
Microsoft Names Alleged Kelihos Botnet Mastermind in Lawsuit
DHS Says Computer Problems at Rail Company Were Not a Targeted Attack
Google Updates Chrome to Version 16.0.912.77

---

***************** SPONSORED BY Emerson Process Management **************
Designed for the power generation and water/wastewater treatment industries, Emerson's Ovation(tm) control and SCADA system offers many layers of embedded security to help protect these critical infrastructure sectors from malicious, or even unintentional, cyber-attack. And, our Ovation(tm) Security Center streamlines and centralizes the execution of additional cyber security management functions. Learn more at http://www.sans.org/info/98026
**************************************************************************
TRAINING UPDATE

- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 6 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

- -- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Nashville, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************

---

TOP OF THE NEWS

Proposed Changes to EU Data Protection Law Draw Criticism (January 26, 2012)

The proposed changes to the European Union's data protection law have companies buzzing about the costs associated with compliance, the stringent penalties for violations, and the difficulty of enforcement. While the "right to be forgotten" provision, which allows citizens to request that much of their personal information be deleted from companies' databases, may be a boon to privacy proponents, organizations will have to implement new procedures for deleting the data and ensuring that it is done properly. In addition, companies found to be in violation of the rules could be fined up to two percent of their annual global revenue. And a provision that calls for a 24-hour deadline for security breach notifications has been called "absolutely unworkable."
-http://www.theregister.co.uk/2012/01/25/europe_data_protection_proposal/
-http://www.bbc.co.uk/news/technology-16722229
-http://www.eweek.com/c/a/Security/EU-24hour-Data-Breach-Notification-Rule-Unwork
able-ATandT-Executive-863336/
[Editor's Note (Pescatore): If organizations currently don't protect customer data well, they *should* be required to implement new procedures and ensure it is done properly. Industry self regulation has not been working - it had a chance to do so and did not.
(Murray): 24 hours is simply an invitation for law suits. Most breaches are requiring weeks to months to detect.]

Massachusetts Data Protection Law to Include Third Parties as of March 1 (January 25, 2012)

As of March 1, 2012, all companies that retain and store data about Massachusetts residents must be able to demonstrate that they and all their contractors and other third party partners comply with the state's data breach law. The law took effect on March 1, 2010, but the portions of compliance requirements were phased in. The last part, third-party compliance, is what is taking effect just over a month from now. There will need to be language in the contracts with third parties requiring them to take reasonable steps to protect the information. Companies will not be required to audit third-party partners for compliance, but it is recommended that their contracts specify they reserve the right to conduct an audit if they choose. The contract language also needs to specify that the third-party will notify the companies immediately in the event of a breach and destroy or return data when the contract is terminated. The law applies to all companies that store data of Massachusetts residents, whether or not that company is based in the state. The law was scheduled to take effect in January 2009, but the deadline has been extended twice.
-http://www.computerworld.com/s/article/9223709/Final_phase_of_Mass._data_protect
ion_law_kicks_in_March_1?taxonomyId=84

Symantec Says Stolen Code Puts pcAnywhere Users at Risk of Attack (January 25, 2012)

Symantec now says source code that was accessed by cyber intruders puts users of the company's pcAnywhere software at increased risk of attacks. Symantec is urging users for whom the software is not absolutely necessary to disable it until a fix is available. The attackers accessed source code related to 2006 versions of several Norton products and pcAnywhere. While the Norton products have been updated and therefore do not put users at risk, pcAnywhere does, contradicting earlier statements Symantec had made that its products were not vulnerable because of the theft.
-http://www.scmagazine.com/symantec-admits-stolen-source-code-impacts-pcanywhere/
article/224724/
-http://www.v3.co.uk/v3-uk/news/2141452/symantec-advises-users-pcanywhere-hack-af
termath
-http://news.cnet.com/8301-1009_3-57366090-83/symantec-tells-customers-to-disable
-pcanywhere/
Symantec has also released a white paper on security recommendations for pcAnywhere:
-http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Reco
mmendations%20WP_01_23_Final.pdf

Judge Orders Woman to Decrypt Laptop (January 23 & 24, 2012)

A US district judge in Colorado has ordered a Colorado Springs woman to decrypt her laptop computer so that prosecutors may access information it contains to use as evidence against her. Ramona Fricosu, who is accused of bank fraud, had argued that being made to decrypt the machine would violate her right against self-incrimination as set forth in the Fifth Amendment, but Colorado US District Judge Robert Blackburn disagreed. The computer was seized in 2010. Fricosu has been given until February 21 to surrender the unencrypted drive.
-http://www.wired.com/threatlevel/2012/01/judge-orders-laptop-decryption/
-http://www.zdnet.com/blog/identity/judge-says-defendant-must-decrypt-files-fifth
-amendment-not-at-issue/175
-http://www.informationweek.com/news/security/encryption/232500386
[Editor's Comment (Northcutt): This came up before in the Boucher case, both decisions seem to be factors where they could show the encrypted drives probably had relevant evidence, but I hope these events do not start to establish case law:
-http://en.wikipedia.org/wiki/In_re_Boucher

(Murray): We assume that the 30 day delay is to allow time for an appeal. However, I expect the decision to be affirmed. This is not a civil liberties issue. This is not the police on a fishing expedition. There is a judge making the call. Most important, civil liberties have never included the right to conceal evidence from the courts. ]

---

************************** SPONSORED LINKS ***************************
1) Take the SANS 8th Annual Log and Event Management Survey Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/98036

2) Take the SANS first annual mobility survey and be entered to win a $250 American Express Card. Follow this link to the survey: http://www.sans.org/info/98046
************************************************************************

---

THE REST OF THE WEEK'S NEWS

European Parliament Site Hit With DDoS Attack Over ACTA Anti-Piracy Treaty (January 26, 2012)

The website of the European Parliament fell victim to a distributed denial-of-service (DDoS) attack on Thursday, January 26. The incident appears to be protesting the signing of the Anti-Counterfeiting Trade Agreement (ACTA) by twenty-two European Union member states.
-http://www.networkworld.com/news/2012/012612-european-parliament-says-its-websit
e-255359.html
-http://news.cnet.com/8301-1023_3-57367012-93/u.k-signs-anti-counterfeiting-treat
y-as-digital-activists-protest/
[Editor's Note (Pescatore): The news aspect of these DDoS attacks is not that they occur, it is that websites are still being impacted by them. DDoS protection should be a standard part of business continuity planning for any business critical Internet connection.
(Honan): Take active steps to monitor the geo-political climate you and your organisation operate in and update your information security risk management strategy as appropriate. Also, the US-CERT issued some good guidance on how to tackle the common types of DDoS attacks used by groups such as Anonymous
-http://www.us-cert.gov/cas/techalerts/TA12-024A.html
(Murray): These treaties bypass the legislatures but have the force of law. Legislatures often consent to things that they would not dare pass. ]

O2 Fixes Mobile Phone Number Leak (January 25 & 26, 2012)

UK wireless carrier O2 has apologized for a problem that caused users' mobile phone numbers to be shared with websites they were visiting. O2 said the issue arose from technical changes made during routine maintenance. The numbers were leaked for two weeks before the problem was addressed. The Information Commissioner's Office plans to ask O2 for additional information.
-http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/90408
23/O2-forced-to-apologise-after-revealing-phone-numbers.html
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/o2-fixes-mobile-br
oadband-number-leaks-10025290/
-http://www.h-online.com/security/news/item/O2-sends-users-phone-numbers-to-web-s
ites-Update-2-1421553.html
-http://www.bbc.co.uk/news/technology-16725531

Video Conferencing Software Configuration Vulnerabilities (January 25 & 26, 2012)

Researchers say that some video conferencing set-ups have vulnerabilities that could allow attackers to eavesdrop on what goes on at meetings. The situation is largely the result of loose security settings, such as being configured to answer all incoming calls and not being protected by a firewall. Other problems include used conferencing software still containing pre-connections to other locations. While many systems are set by default to automatically answer all incoming calls, this feature can be adjusted. The researcher scanned three percent of accessible IP addresses, finding 250,000 systems supporting the commonly-used H.323 protocol. Nearly 5,000 of those systems were not securely configured.
-http://www.computerworld.com/s/article/9223743/Video_conferencing_mistakes_make_
espionage_easy_say_researchers?taxonomyId=17
-http://www.h-online.com/security/news/item/Video-conferencing-systems-as-spying-
tools-1421346.html
-http://www.wired.com/threatlevel/2012/01/videoconferencing-hijacked/
-http://www.darkreading.com/insider-threat/167801100/security/perimeter-security/
232500417/video-conferencing-can-be-the-bug-in-the-boardroom.html?itc=edit_stub

NIST Issues Cloud Security Guidelines (January 25, 2012)

The National Institute of Standards and Technology (NIST) has issued Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, which offers advice applicable to both government and private sector organizations. Companies and agencies are urged not to leave security up to service providers and service arrangements. Instead, organizations need to take responsibility for specifying security and privacy requirements such as access control and vulnerability scanning. In addition, contractual language should spell out the roles and responsibilities of the providers and the users.
-http://www.informationweek.com/news/government/security/232500472
-http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494

Microsoft Names Alleged Kelihos Botnet Mastermind in Lawsuit (January 24 & 25, 2012)

Microsoft has filed a lawsuit in US District Court in Alexandria, Virginia, naming the individual it believes was responsible for operating the Kelihos botnet. The alleged culprit is Russian engineer Andrey N. Sabelnikov. In a "complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware." Sabelnikov lives in St. Petersburg, Russia.
-http://www.darkreading.com/insider-threat/167801100/security/client-security/232
500407/microsoft-names-alleged-botnet-operator-behind-kelihos.html?itc=edit_stub
-http://www.scmagazine.com/microsoft-names-russian-man-in-kelihos-botnet-suit/art
icle/224543/
-http://www.computerworld.com/s/article/9223712/Accused_Kelihos_botmaster_s_forme
r_employer_angered_at_revelation?taxonomyId=82
-http://krebsonsecurity.com/2012/01/microsoft-worm-author-worked-at-antivirus-fir
m/
-http://www.bbc.co.uk/news/technology-16700192

DHS Says Computer Problems at Rail Company Were Not a Targeted Attack (January 24 & 25, 2012)

In early December 20111, a memo was sent to rail companies and transportation agencies, informing them that a system in the Pacific Northwest had been the target of what at the time appeared to be a targeted attack emanating from three separate IP addresses. An unnamed official from the US Department of Homeland Security (DHS) said that further analysis indicated that it was not a targeted attack, but appeared to be more likely a random incident of malware infection. A spokesperson for the American Association of Railroads (AAR) reiterated that "there was no targeted computer-based attack on a railroad."
-http://www.wired.com/threatlevel/2012/01/railyway-hack/
-http://news.cnet.com/8301-1009_3-57366341-83/dhs-disputes-memo-on-purported-rail
way-computer-breach/
-http://www.nextgov.com/nextgov/ng_20120123_3491.php
[Editor's Note (Pescatore): This has become a very predictable cycle: breathless overhype about attacks against critical infrastructure, followed by facts pointing out, nope - just a badly protected system falling prey to very common attacks.
(Honan): This story and a similar one last year claiming a water utility in Illinois was broken into by Russian hackers create unnecessary fear and confusion which only serves those with particular agendas or wishing to sell security products. It also reflects badly on us as a profession if we are seen to be too eager to propagate scare stories. The Illinois Hacker was later found to be one of its employees accessing the system from Russia while on vacation.
-http://www.pcmag.com/article2/0,2817,2397140,00.asp]

Google Updates Chrome to Version 16.0.912.77 (January 24, 2012)

Earlier this week, Google fixed four vulnerabilities in Chrome and acknowledged having fixed a fifth several weeks ago. The current stable version of Google's browser is Chrome 16; the update brings that version to 16.0.912.77.
-http://www.h-online.com/security/news/item/Chrome-16-update-closes-security-hole
s-1420506.html
-http://www.computerworld.com/s/article/9223672/Google_patches_several_serious_Ch
rome_bugs?taxonomyId=85
[Editor's Note (Pescatore): The changes in Google's privacy policy are making it questionable whether I want to continue using the Google search engine and the Chrome browser. At some point, the only way to stop the continual ramping up of access to personal data is to vote by your choice of product. ]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/