SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #81

October 09, 2012

TOP OF THE NEWS

US Legislators Caution Companies Against Doing Business with Huawei and ZTE
DHS To Hire 600 Workers with "Red Zone" Cyber Skills
Researchers Say Hackers Planning Large-Scale Online Banking Theft

THE REST OF THE WEEK'S NEWS

SEC Fine Just the Tip of the Iceberg for GunnAllen Financial
US ISPs Monitoring Program Will Aim to Discourage Copyright Infringement
Former Verizon Network Engineer Sentenced to Prison for Equipment Theft and Resale
Adobe Releases Flash Update; Microsoft Issues Flash Fix for IE10
Skype Warns of Ransomware Threat Spreading Through Instant Messages
Facebook Proposed Amended Settlement in Sponsored Stories Case
Suspended Sentence for Man Who Hacked Pentagon and NASA Systems
Arguments Begin in Digital Music Resale Case

---

************************* Sponsored By Symantec ****************************
FREE TRIAL: Protect Your Endpoints - Get the fastest, most powerful endpoint antivirus software solution you can buy. Symantec Endpoint Protection, powered by Insight, is fast, powerful security for your endpoints and offers advanced defense against all types of attacks for both physical and virtual systems - try it now.
http://www.sans.org/info/115140
****************************************************************************
TRAINING UPDATE
--SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

--SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations. http://www.sans.org/event/cyber-defense-initiative-2012 --Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

US Legislators Caution Companies Against Doing Business with Huawei and ZTE (October 8, 2012)

A draft report from the US House of Representatives Intelligence Committee recommends that American companies refrain from conducting business with Chinese technology companies Huawei and ZTE. According to the document, both companies have "failed to assuage the committee's significant security concerns presented by their continued expansion in the US." Analysts say the recommendations may be motivated more by politics than by security concerns. Both companies maintain that their products do not pose security threats, and there appears to be no hard evidence to demonstrate that their products pose a threat to national security. The report recommends that the companies be barred from mergers and acquisitions in the US market. Some have questioned why these two firms are being singled out and why other foreign companies are not being subjected to the same scrutiny. The UK government is standing by Huawei, saying that its own testing procedures through the Cyber Security Evaluation Centre are adequate.
-http://www.wired.com/threatlevel/2012/10/chinese-telecoms-suspicious/
-http://www.latimes.com/news/politics/la-na-pn-chinese-firms-20121007,0,2837618.s
tory
-http://www.h-online.com/security/news/item/US-law-makers-against-Huawei-and-ZTE-
Update-1725144.html
-http://www.computerworld.com/s/article/9232157/Politics_not_security_behind_Huaw
ei_ZTE_allegations_say_analysts?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2215297/us-intelligence-committee-warns-of-threat
-from-zte-and-huawei/page/1
-http://www.zdnet.com/dont-trust-huawei-and-zte-us-congressional-committee-warns-
7000005378/
-http://www.bbc.co.uk/news/business-19867399
-http://www.v3.co.uk/v3-uk/news/2215492/uk-government-stands-by-huawei-security-v
etting-process-despite-us-concerns
[Editor's Note (McBride): McBride: Huawei's footprint is felt among industrial control system asset owners worldwide (though not always for ICS). See for example: www.energynusantara.com/wp-content/uploads/2012/02/Huawei-Smart-Energy-Solution.pdf
(Pescatore): Supply chain integrity is a valid concern. But for a global economy, in the long run it can *not* be dealt with by random reports about companies with ties to their host governments - every country can produce equal and opposite reports about foreign vendors. The testing approach the UK is taking needs to be a starting point for a long-term strategy, augmented with defined criteria for corporate transparency. ]

DHS To Hire 600 Workers with "Red Zone" Cyber Skills (October 5, 2012)

The DHS Task Force on CyberSkills released an 11-step roadmap to close the critical gaps in cyber skills in the United States in general and at DHS specifically, and DHS leaders have established "tiger teams" to implement each of the steps. This is the first authoritative report to define the "red zone" jobs where the cyberskills shortages exist, and along with the definitions the task force listed consequences of continuing to allow people to hold cybersecurity jobs when they do not have the hands-on skills needed to protect their systems. The Task Force also outlined key steps to increase the supply of people with red zone skills by building upon cybersecurity programs at colleges and by creating new, intensive fast-track programs at community colleges. The Task Force Report:
-https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report
%20-%20Final.pdf
-http://www.nextgov.com/cio-briefing/wired-workplace/2012/10/eleven-tips-building
-stronger-cybersecurity-workforce/58564/?oref=ng-HPriver
-http://www.federalnewsradio.com/473/3066466/DHS-urged-to-hire-600-cyber-ninjas

Researchers say Hackers Planning Large-Scale Online Banking Theft (October 5 & 8, 2012)

Researchers at RSA say "underground chatter" indicates that hackers are planning cyberattacks that will affect online bank accounts at about 30 US financial institutions. The plan appears to be for a "cybersyndicate" to infect users' computers with a Trojan horse program that would allow the attackers to hijack live online banking sessions and make unauthorized wire transfers. The masterminds of the plot are reportedly attempting to recruit 100 botmasters to help them.
-http://krebsonsecurity.com/2012/10/project-blitzkrieg-promises-more-aggressive-c
yberheists-against-u-s-banks/
-http://www.scmagazine.com/us-banks-could-be-bracing-for-wave-of-account-takeover
s/article/262493/
-http://www.computerworld.com/s/article/9232117/Cybercriminals_plot_massive_banki
ng_Trojan_attack?taxonomyId=17
[Editor's Comment (Northcutt): Very scary. And at the same time, we have a shot across the bow of a highly resourced stock trading algorithm that consumed 10% of all stock trading bandwidth. eCommerce is going to need to make some radical changes to prevent the money in the mattress mindset:
-http://www.cnbc.com/id/49333454/]

---

******************************* Sponsored Link: **************************
1) Watch Rob Lee discuss the virtual Maginot Line and defending against a Cyber Blitzkrieg. http://www.sans.org/info/115145
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

SEC Fine Just the Tip of the Iceberg for GunnAllen Financial (October 8, 2012)

In 2011, the US Securities and Exchange Commission (SEC) imposed a fine against broker-dealer GunnAllen Financial for misusing customer data and not taking adequate precautions to protect customer data. A network slowdown in 2005 prompted an investigation that revealed that a network engineer had rerouted the company's IP traffic through his home router, which meant GunnAllen's trades, email, and phone called were not being archived, a breach of SEC regulations. This article delves more deeply into questionable practices at the company. GunnAllen was shut down in 2010.
-http://www.informationweek.com/security/attacks/exclusive-anatomy-of-a-brokerage
-it-melt/240008569

US ISPs Monitoring Program Will Aim to Discourage Copyright Infringement (October 8, 2012)

By the end of 2012, major Internet service providers (ISPs) in the US will have in place monitoring systems that will help implement a six-strikes plan to discourage illegal filesharing. Called the "Copyright Alert System," the plan result in increasingly severe responses for each successive strike, although "each strike is dozens or scores or hundreds of infringements," according to Gigi Sohn, president of Public Knowledge, a digital rights group. The first several strikes will result in warnings; subsequent strikes could result in users being redirected to a certain page until they contact the ISP to discuss the matter or having their Internet speeds throttled. The plan involves monitoring peer-to-peer filesharing services. Much of the response is aimed at being educational rather than punitive.
-http://www.wired.com/threatlevel/2012/10/isp-file-sharing-monitoring/
[Editor's Note (Murray): One has to be uncomfortable with this kind of vigilante effort, however limited and cautious. It will be interesting to read their Terms of Service. I suggest that the FTC watch these ISPs carefully. In any case, the real problem here is that the cost of this effort will be borne by the innocent users rather than by those publishers whose broken business model is being defended.]

Former Verizon Network Engineer Sentenced to Prison for Equipment Theft and Resale (October 5, 2012)

Michael Baxter, who once worked as a network engineer for Verizon, has been sentenced to four years in prison for stealing millions of dollars worth of equipment from both Verizon and Cisco and reselling it. Baxter exploited his authority to order equipment from Cisco, maintaining it was necessary to repair Verizon's infrastructure, but actually resold the goods. Verizon had an extended warranty program with Cisco, which allowed the company to order parts for replacement and receive them before the defective part was returned. He also took advantage of his position to have Verizon order new equipment from Cisco, which he then resold. Baxter has also been ordered to pay nearly US $2.8 million in restitution to Verizon and Cisco.
-http://www.theregister.co.uk/2012/10/05/sysadmin_jail_kit_theft/

Adobe Releases Flash Update; Microsoft Issues Flash Fix for IE10 (October 8, 2012)

On Monday, October 8, Adobe released an out-of-cycle security update for its Flash Player for all platforms. An hour later, Microsoft announced that an update for Flash Player for Internet Explorer 10 (IE10) on Windows 8 was available as well. Microsoft has faced criticism recently over its timing in addressing Flash vulnerabilities in E10. The updates released by Adobe address a total of 25 vulnerabilities. IE10 contains Flash as a built-in component, hence Microsoft, not Adobe, is in charge of making sure that fixes are released. While Windows 8 will not be officially released until October 26, it has already been made available to some professionals, developers, and enterprises.
-http://www.zdnet.com/adobe-and-microsoft-release-flash-security-updates-in-sync-
7000005406/
-http://www.computerworld.com/s/article/9232173/Microsoft_speeds_up_IE10_Flash_pa
tching_matches_Google

Skype Warns of Ransomware Threat Spreading Through Instant Messages (October 8, 2012)

Skype is recommending that users upgrade to the most recent version of the software following the discovery that ransomware is spreading through instant messages. Users who click on links accompanying a message asking, "Is this your new profile pic?" are putting themselves at risk of being locked out of their computers. The attackers demand a ransom of US $200 within 48 hours or they threaten to delete the users' files. Infected machines also display a screen telling users that their computers have been used to visit questionable sites and that the activity will be reported to the government.
-http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs
-ransomware/
-http://www.v3.co.uk/v3-uk/news/2215432/dorkbot-ransomware-worm-targets-skype-use
rs
[Editor's Note (Pesactore): I think the SDbot worm hit AOL IM users back in 2005 in a nearly identical way. That was the same year eBay acquired Skype, and it has now been 1 year since Microsoft closed on the acquisition of Skype. Seven years of ownership by two fairly large companies does not seem to have advanced the safety level of Skype very much.]

Facebook Proposed Amended Settlement in Sponsored Stories Case (October 8, 2012)

Facebook has proposed a new settlement over its Sponsored Stories program after a judge nixed the social networking site's initial offer. US District Court Judge Richard Seeborg had "serious concerns" about the initial proposal, which guaranteed plaintiffs' attorneys US $10 million in fees while offering the same amount to half a dozen consumer privacy organizations. The new settlement calls for each affected user to receive US $10. It would also provide users with the ability to easily review their involvement with Sponsored Stories. Facebook is also seeking to have a separate US $15 billion class action lawsuit over tracking user behavior dismissed.
-http://www.wired.com/threatlevel/2012/10/facebook-sponsored-stories/
-http://www.informationweek.com/security/client/facebook-tries-again-on-sponsored
-storie/240008664

Suspended Sentence for Man Who Hacked Pentagon and NASA Systems (October 5 & 8, 2012)

A Romanian court has handed Manole Razvan Cernaianu a two-year suspended sentence for breaking into numerous high-profile computer systems, including those owned by NASA, the US Department of Defense (DOD), and Oracle. Cernaianu was also ordered to pay more than US $120,000 in damages. He will serve four years of probation.
-http://www.computerworld.com/s/article/9232113/NASA_Pentagon_hacker_TinKode_gets
_two_year_suspended_sentence?taxonomyId=17
-http://www.scmagazineuk.com/hacker-tinkode-handed-two-year-suspended-sentence/ar
ticle/262663/

Arguments Begin in Digital Music Resale Case (October 5, 2012)

Opening arguments began last week in a case involving the resale of digital music files. A start-up called ReDigi has developed a system that allows people to resell their unwanted music files through the company, and says it is set up to comply with US copyright law. The plaintiff, EMI, maintains that the first sale doctrine, a legal principle that allows the resale of purchased material goods, does not apply in this case and has sued ReDigi for copyright infringement. EMI's argument rests on the idea that the only way to move digital files from place to place is to make copies and thus is not the same thing as selling a used book or CD. ReDigi's attorney says that the company's technology works in such a way that copies of the file are not made.
-http://www.bbc.co.uk/news/technology-19842851
-http://www.bloomberg.com/news/2012-10-05/vivendi-label-asks-judge-to-close-music
-service-redigi.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/