SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #83

October 16, 2012

What do Harvard and Cornell and Cambridge and Stanford and Princeton
and the University of Tokyo and the University of Maryland all have in
common? It isn't good. At the end of this issue you'll find a partial
listing of victims and a follow up to Friday's story on the Florida
State breach where personal data on 275,000 students and employees'
was taken and many, many are experiencing identity theft now. Colleges
have a tough challenge in security; though they have some of the best
security people and do more with less money than their counterparts
in any other industry, sysadmins in colleges are often just part time
researchers and fail in their role as "human sensors." A promising
solution is proposed in the "A Closing Word" at the end of this issue.
Alan

---

TOP OF THE NEWS

US Defense Secretary Says US is Prepared to Take Action
More Banks Targeted by DDoS Attacks

THE REST OF THE WEEK'S NEWS

EU Regulators Say Google's New Privacy Policy Does Not Pass Muster
Flame Relative is a "High-Precision, Surgical Attack Tool"
Thieves Steal US $400,000 From Washington Town
IC3 Warns of Android Malware
Chinese Authorities Arrest Thousands in Connection with Cybercrime
New Zealand Ministry of Social Development Data Breach
Sony Hacker Takes Plea Deal
Popular RATs Found Riddled With Bugs, Weak Crypto, (Remote Administration Tools) Could be Turned on Attackers)
GAO Report: Agencies Need to be Clearer About Mobile Device Location Data Use

A CLOSING WORD

A Closing Word: Security Breached At 53 Major Colleges

---

************************* Sponsored By Symantec ***************************
FREE TRIAL: Protect Your Endpoints ^ Get the fastest, most powerful endpoint antivirus software solution you can buy. Symantec Endpoint Protection, powered by Insight, is fast, powerful security for your endpoints and offers advanced defense against all types of attacks for both physical and virtual systems try it now. http://www.sans.org/info/115532
****************************************************************************
TRAINING UPDATE
- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

- --NA SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Johannesburg, Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

US Defense Secretary Says US is Prepared to Take Action (October 11 & 14, 2012)

US Defense Secretary Leon Panetta last week said that a recent campaign of cyberattacks on Middle East oil and gas companies "was probably the most destructive attack that the private sector has seen to date." While Panetta did not say that Iran was involved in those attacks, he did note that Iran is trying to "gain an advantage in cyberspace" and warned those who would consider launching cyberattacks against the US that the US is prepared to take action.
-http://www.eweek.com/security/iranian-cyber-attack-is-most-destructive-to-date-s
ays-defense-secretary/
-http://www.washingtonpost.com/world/national-security/cyberattack-on-mideast-ene
rgy-firms-was-biggest-yet-panetta-says/2012/10/11/fe41a114-13db-11e2-bf18-a8a596
df4bee_story.html
[Editor's Note (Assante): One must not lose sight of the big picture when considering the consequences of all cyber attacks on our productivity, competitiveness, and national security. The challenge with the emerging attacks referred to by the Secretary of Defense is in the development of doctrines that are flexible enough to apply the right response to manage the death by a thousand cuts while deterring specific attacks that can directly impact economic and nation security. Cyber defense is a job too big for any one organization we all play an important part in safeguarding our information and critical systems.
(McBride): McBride: The tone of Panetta's comments appears to support a stance of deterrence. He well might have said "the U.S. is prepared to take offensive or retaliatory action if and when it can positively attribute highly-destructive attacks to another nation-state." On the other hand, the tone of the comments does not build confidence that the U.S. is prepared to defend and restore. That makes his plea to executives of firms that own and operate critical infrastructure all the more imperative. ]

More Banks Targeted by DDoS Attacks (October 13 & 15, 2012)

More US banks were hit with distributed denial-of-service (DDoS) attacks last week. Among those targeted were Capitol One and SunTrust. The attack campaign began about a month ago and has also targeted Bank of America, JPMorgan, Wells Fargo, and Citigroup. The attacks were launched in such a way as to help the packets evade defenses against DDoS attacks. The packets appear to be valid encrypted requests. News reports are speculating that Iran may be responsible for the attacks on US bank websites. Iran is denying those claims.
-http://www.eweek.com/security/more-banks-come-under-denial-of-service-attack/
-http://www.informationweek.com/security/attacks/bank-hacks-iran-blame-game-inten
sifies/240009068
-http://www.h-online.com/security/news/item/Iran-rejects-US-accusations-after-hac
ker-attack-1729374.html
[Editor's Note (Pescatore): These DoS attacks against banks often used compromised corporate web servers to launch the attacks. Several companies received surprise visits from the FBI, which tends to get management's attention... This is a good event to use to convince your management to make sure your web site doesn't lead to similar visits.
(Murray): Before we go to war, we should have better intelligence than this about who the enemy is.]

---

************************** Sponsored Links: *****************************
1) Take the SANS Application Security Survey and be entered to win a $300 American Express Card! http://www.sans.org/info/115537
2) Watch Rob Lee discuss the virtual Maginot Line and defending against a Cyber Blitzkrieg. http://www.sans.org/info/115542
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

EU Regulators Say Google's New Privacy Policy Does Not Pass Muster (October 15, 2012)

Privacy regulators in the European Union (EU) say that Google's revised privacy policy fails to comply with EU data protection laws. A group of privacy regulators from EU member states plan to send a letter to Google asking the company to revise the policy so that it will be in harmony with EU information privacy laws. The letter also asks Google to explain why and how it will share user data across services and says that Google must obtain "explicit consent" before aggregating users' data from its various services.
-http://www.bbc.co.uk/news/technology-19953241
-http://www.zdnet.com/eu-regulators-find-legal-problems-in-google-privacy-policy-
7000005778/
-http://news.cnet.com/8301-1009_3-57532286-83/eu-will-tell-google-to-change-priva
cy-policy-tomorrow-report-says/
[Editor's Note (Pescatore): Similar to the points raised in the GAO report (in this issue), handling of location data is an issue here.
(Honan): The letter from the EU Data Protection Authorities to Google and makes for interesting reading
-http://www.cnil.fr/fileadmin/documents/en/20121016-letter_google-article_29-FINA
L.pdf]

Flame Relative is a "High-Precision, Surgical Attack Tool" (October 15, 2012)

Researchers have detected another piece of malware that targets systems used in the Middle East. It is being called miniFlame because it appears to be built on the same platform as the Flame malware, which was detected earlier this year. While Flame focuses on stealing information, miniFlame acts as a backdoor on infected machines to allow attackers access. It also appears to be able to act as a module for both Flame and Gauss, lending more credence to the theory that the two pieces of malware are related. miniFlame can download files from a command-and-control server. It is being called a "high-precision, surgical attack tool."
-http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/all/
-http://www.computerworld.com/s/article/9232367/Kaspersky_discovers_miniFlame_cyb
erespionage_malware_directly_linked_to_Flame_and_Gauss?taxonomyId=82
-http://www.v3.co.uk/v3-uk/news/2217221/miniflame-surgical-cyberstrike-malware-to
ol-discovered
-http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_
friends
[Editor's Note (McBride): From an analytical perspective the fact that a sinkhole designed for Flame found miniFlame is a nice windfall (but not necessarily great opsec). Is the fact that Kaspersky continues to find state sponsored malware (allegedly belonging to the United States) surprising - or is the awe wearing off? Is it concerning that the U.S. appears to be a leader in offensive cyber operations? Is the real difference between APT and APF (advanced persistent friendliness) summed up in the amount of trust you have for the motives of the sponsoring nation-state?

Thieves Steal US $400,000 From Washington Town (October 15, 2012)

Cyberthieves have stolen more than US $400,000 from a Bank of America account belonging to the city of Burlington, Washington. The city is notifying hundreds of employees and city residents that their own bank account information may have been compromised because some employees use the city's electronic payroll deposit program and some city residents participate in an automatic payment system for sewer and storm drain bills. The city administrator says that customers should assume that their names, account numbers, and bank routing numbers have been compromised. The city learned of the theft when an East Coast bank contacted people in Burlington about some suspicious transfers.
-http://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_ci
ty_bank_account?taxonomyId=82

IC3 Warns of Android Malware (October 15, 2012)

The IC3 has issued an intelligence note, warning people of malware that targets Android mobile devices. The IC3 is a partnership between the FBI and the National White Collar Crime Center; its mission is "to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cybercrime."
-http://news.cnet.com/8301-1009_3-57532937-83/fbi-warns-users-of-malicious-mobile
-malware/
-http://www.ic3.gov/media/2012/121012.aspx
[Editor's Note (Murray): This was predictable and predicted. Open systems are fundamentally vulnerable to malicious code attacks. We should not be encouraging their use by amateurs, nor relying upon amateurs for security. ]

Chinese Authorities Arrest Thousands in Connection with Cybercrime (October 15, 2012)

China's Ministry of Public Security says that since August of this year, 8,900 people have been arrested in connection with cybercrimes. In all, 700 cybercrime gangs were busted and 3,500 spam websites were shut down.
-http://www.zdnet.com/china-busts-700-cybercriminal-gangs-7000005742/
[Editor's Comment (Northcutt): If we can believe the news media, it is not just China, here is a link to a crackdown in the Philippines:
-http://nakedsecurity.sophos.com/2012/08/24/cybercrime-sting-philippines/]

New Zealand Ministry of Social Development Data Breach (October 14 & 16, 2012)

Public computer kiosks available to people in New Zealand to help them find employment were found to have had access to the country's Ministry of Social Development's (MSD) corporate network. The kiosks in the Work and Income New Zealand (WINZ) offices have been shut down following the disclosure, but the fact of the data breach has some people concerned that the same information may have been accessible through the Internet.
-http://www.theregister.co.uk/2012/10/14/nz_mnd_leaks_data/
-http://www.bbc.co.uk/news/technology-19948939
-http://www.scmagazine.com.au/Feature/319327,nz-government-needs-to-start-over-on
-security.aspx
-http://publicaddress.net/onpoint/msds-leaky-servers/

Sony Hacker Takes Plea Deal (October 12 & 15, 2012)

Raynaldo Rivera has pleaded guilty to conspiracy to intentionally cause damage without authorization to a protected computer for his role in attacks on, and data theft from a Sony Pictures website. Rivera admitted to using a proxy service to disguise his IP address to launch the SQL-injection attack on the Sony website. The attack netted Rivera personal data belonging to more than one million Sony account holders. He gave the stolen data to other members of his hacking group and they posted some of the data online. Rivera faces a maximum prison sentence of five years and a minimum fine of US $250,000; he has also agreed to pay restitution to Sony.
-http://arstechnica.com/security/2012/10/lulzsec-hacker-neuron-pleads-guilty/
-http://www.informationweek.com/security/attacks/lulzsec-attacker-pleads-guilty-t
o-sony-p/240009026
-http://www.scmagazine.com/second-lulzsec-member-pleads-out-in-sony-pictures-atta
ck/article/263524/

Popular RATs Found Riddled With Bugs, Weak Crypto, (Remote Administration Tools) Could be Turned on Attackers) (October 11, 2012)

Researchers have found that many remote administration tools (RATs), which are often used to conduct cyberespionage and launch other targeted attacks, have common vulnerabilities of their own. These "flaws could be exploited to turn the tables on" hackers. RATs often use keystroke logging, screenshots, and webcams, code execution, and password-sniffing.
-http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilitie
s/240008942/popular-rats-found-riddled-with-bugs-weak-crypto.html?cid=nl_DR_dail
y_2012-10-12_html&elq=c779b992a78a49d7bb4ff0237572e1ed
[Editor's Note (Honan): Is anyone really surprised that criminals write insecure code too? The bigger question is not if there are vulnerabilities in that software but if those vulnerabilities can legally be used against the criminal gangs. ]

GAO Report: Agencies Need to be Clearer About Mobile Device Location Data Use (October 11, 2012)

According to a report from the US Government Accountability Office (GAO), federal agencies need to take steps to protect mobile phone users' location data. The report says that mobile carriers' descriptions of their collection and use of customer location data is often vague. While having the location information can be helpful for navigation and timely emergency response, it can also be used to profile users, commit identity fraud, and to conduct surveillance. The GAO recommends the development of "specific goals, time frames, and performance measures for the multi-stakeholder process to create industry codes of conduct."
-http://thehill.com/blogs/hillicon-valley/technology/261575-report-calls-for-toug
her-rules-to-protect-cellphone-location-data
-http://www.computerworld.com/s/article/9232306/US_senator_Use_of_location_data_n
ot_well_disclosed?taxonomyId=17
-http://www.gao.gov/assets/650/648044.pdf
[Editor's Note (Pescatore): Back in 2011 the FTC proposed making location data part of personal information, which would be a good thing. The GAO report once again points out that Opt-In is a key part of Fair Information Practices but is often not the default approach. ]

---

A CLOSING WORD

A Closing Word: Security Breached At 53 Major Colleges - A Sensible Path To Avoiding More Embarrassment

Two weeks ago, the New York Times reported that 53 universities (see partial list below) had been breached.
-http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-tho
usands-of-personal-records-online/?elq=3c0a7e78ad19446eac41cc0334bf6d74&elqC
ampaignId=269
Add in Friday's story that personal information on 275,000 students and staff were taken at Florida State (and identity theft reported on 50 of the victims already), and you have a massive failure of security in the academic sphere. Even more interesting was the comment from the Team Gotshell hacker after breaching the servers, "When we got there, we found that a lot of them (university severs) already have malware injected." That means that the system administrators are not seeing the signs of infection (or not doing anything about the infections they uncover). The government nuclear energy laboratories have discovered a fascinating way to get all their system administrators and security staff to be much better at detecting system breaches and stopping the breach. SANS is experimenting with a few leading colleges to bring those same skills to the system administrators at colleges. We are looking for other colleges that want to participate in the consortium, beginning with a very cool webinar in a few weeks. Send expression of interest to Scott Weil (sweil@sans.org). Partial list of victims:
Harvard University
Cambridge University
Stanford University
Princeton
John Hopkins
Imperial College London
University of Tokyo
University of Wisconsin
University of Pennsylvania
Cornell University
Kyoto University
University of Houston
New York University
University of Edinburgh
University of Pittsburgh
University of Maryland
University of British Columbia
University of Texas
University of Colorado
Duke University
Rutgers University
Manchester University
University of Florida
Moscow State University
Texas A&M
Boston University
McMaster University
Purdue University
Upsala
Case Western University
Arizona State University
Nagoya University
University of Bristol
Ohio State
University of Melbourne
University of Oslo
University of Utah

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/