SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #85

October 23, 2012

TOP OF THE NEWS

OMB IT Chiefs Jointly Recommend Amending OMB Cybersecurity Policy to Require Continuous Monitoring
Executive Order Would Require Spy Agencies to Share Info with Critical Infrastructure Organizations
Six Years After Big Breach, Just 16 Percent of VA Computers are Encrypted

THE REST OF THE WEEK'S NEWS

Hackers Hijacking Shortened US Government Sites URLs
Supreme Court Will Not Review Warrantless Wiretapping Immunity Case
Google Play Android Apps Can Leak Data
Microsoft Settles Kelihos Allegations
Man Arrested Over Trojan That Spread Through Free Smartphone Apps
New Zealand's Recording Industry Group Drops Filesharing Case
HP Asks Researcher Not to Disclose Vulnerabilities at Conference
Citadel Trojan Variant Has New Features
DHS Cyberskills Task Force Recommends The Agency Hire 600 Cybersecurity Experts

---

************************ Sponsored By Symantec ***************************
FREE TRIAL: Protect Your Endpoints - Get the fastest, most powerful endpoint antivirus software solution you can buy. Symantec Endpoint Protection, powered by Insight, is fast, powerful security for your endpoints and offers advanced defense against all types of attacks for both physical and virtual systems - try it now.
http://www.sans.org/info/115712
****************************************************************************
TRAINING UPDATE
- - - --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- - - --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

- - - --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- - - --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- - - --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- - - --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

- - - --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

- - - --Looking for training in your own community?
http://www.sans.org/community/

- - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Johannesburg, Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

OMB IT Chiefs Jointly Recommend Amending OMB Cybersecurity Policy to Require Continuous Monitoring (October 22, 2012)

The Center for Strategic and International Studies (CSIS) Technology and Public Policy Program gathered the people who ran Office of Management and Budget's (OMB's) IT policy organizations for the past three decades (Franklin Reeder, Daniel Chenok and Karen Evans) to identify and help eliminate errors in OMBs cybersecurity policy that are retarding the federal government's ability to lead by example in protecting computers. The CSIS report, issued today, isolates the specific errors in OMB Circular A-130 that were the root cause of billions of dollars in waste, and recommends specific changes to move to continuous monitoring of government computer systems and networks.
-http://www.nextgov.com/cybersecurity/2012/10/retired-omb-it-chiefs-urge-federal-
cyber-policy-rewrite/58945/
-http://www.darkreading.com/risk-management/167901115/security/vulnerabilities/24
0009551/possible-patch-for-policy-on-protecting-government-agency-systems.html

Executive Order Would Require Spy Agencies to Share Info with Critical Infrastructure Organizations (October 20, 2012)

The draft executive order on cybersecurity being considered by the White House would require US intelligence agencies to share information about cyber threats with companies that operate elements of the country's critical infrastructure. The order is presently being finalized, but there has been no word about when the president is expected to sign the order.
-http://www.nbcnews.com/technology/technolog/white-house-orders-spy-agencies-shar
e-cyberthreat-intel-companies-1C6578275
[Editor's Note (McBride): Unfortunately, most critical infrastructure asset owners don't currently have the tools and capabilities required to make use cyber intelligence in the first place. On the bright side, however, if such an information sharing mandate is included in the order, hopefully it will help bring closure to what has become a nagging distraction. ]

Six Years After Big Breach, Just 16 Percent of VA Computers are Encrypted (October 19, 2012)

More than six years after a major data security breach, the US Department of Veterans Affairs (VA) has still not encrypted the majority its computers. In the spring of 2006, computer equipment containing the personally identifiable information of 26 million US veterans was stolen from the home of a VA employee. Shortly after the incident, then-VA Secretary James Nicholson ordered that all VA PCs and laptops be protected with encryption. The department spent US $6 million on encryption software. According to the results of an investigation conducted by the department's inspector general, just 16 percent of VA computers are currently protected with encryption.
-http://www.informationweek.com/government/security/va-computers-remain-unencrypt
ed-years-af/240009408
[Editor's Note (Murray): The issue should not be what percentage of computers are encrypted but what percentage of the sensitive data is protected. While sensitive data stored on personal computers and laptops should be encrypted, sensitive data should be stored on enterprise servers, not personal computers and laptops. ]

---

*************************** Sponsored Links: ******************************
(1) Take the SANS Application Security Survey and be entered to win a $300 American Express Card! http://www.sans.org/info/115717
(2) SANS Webcast: Blind as a Bat? Or Eagle Vision Into Encrypted Packets? With Dave Shackleford & Tony Zirnoon. Nov 5, 2012. http://www.sans.org/info/115722
(3) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/115727
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hackers Hijacking Shortened US Government Sites URLs (October 22, 2012)

Researchers at Symantec say there is an open-redirect, or man-in-the-middle, vulnerability in a feature that allows the US government to display shortened URLs on mobile devices. Some of those links, which are supposed to lead to government websites, are being stolen by hackers to redirect users to malicious sites. The attacks started nearly on October 12; as of October 18, 15 percent of clicks on 1.USA.gov links were sending users to spam websites. The malicious links have duped an estimated 20,000 people.
-http://www.nextgov.com/mobile/2012/10/think-twice-you-click-dot-gov-link-your-ce
llphone/58914/?oref=ng-HPtopstory
-http://www.scmagazine.com/redirect-flaw-on-gov-sites-leaves-open-door-for-phishe
rs/article/264520/

Supreme Court Will Not Review Warrantless Wiretapping Immunity Case (October 22, 2012)

The US Supreme Court has declined to review a lower court decision that upholds immunity for telecommunications companies participating in the National Security Agency's (NSA's) warrantless wiretapping program. The Ninth Circuit Court of Appeals let stand the original ruling in December 2011.
-http://www.computerworld.com/s/article/9232580/High_court_nixes_appeal_of_AT_T_N
SA_wiretap_Case?taxonomyId=17

Google Play Android Apps Can Leak Data (October 19 & 22, 2012)

Researchers have found that certain Android apps can leak users' personal data. The issue lies in the was the applications in the Google Play Marketplace respond to attacks on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security protocols. Some of the apps use the protocols incorrectly, which could allow them to be exploited through man-in-the-middle attacks to steal sensitive personal information.
-http://news.cnet.com/8301-1009_3-57537298-83/some-android-apps-could-leak-person
al-data-researchers-find/
-http://www.informationweek.com/security/vulnerabilities/popular-android-apps-vul
nerable/240009507
-https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-s
sl-implementations-101912

Microsoft Settles Kelihos Allegations (October 19 & 22, 2012)

Microsoft has reached a settlement with a Russian man over his involvement with the Kelihos botnet. Microsoft initially alleged that Andrey Sabelnikov was one of the operators of Kelihos, but according to the settlement, Microsoft now acknowledges that he was only responsible for some code that was used in Kelihos. The terms of the settlement are confidential. Microsoft shut down Kelihos in September 2011. At its height, the botnet had infected 41,000 computers and was sending out 3.8 billion spam messages a day.
-http://www.h-online.com/security/news/item/Kelihos-botnet-lawsuit-Microsoft-back
pedals-1734131.html
-http://www.scmagazine.com/microsoft-closes-kelihos-botnet-case-after-latest-sett
lement/article/264530/
-http://news.cnet.com/8301-10805_3-57536319-75/microsoft-settles-with-second-keli
hos-botnet-suspect/

Man Arrested Over Trojan That Spread Through Free Smartphone Apps (October 18, 19, & 22, 2012)

Authorities in France have arrested an individual who allegedly created a Trojan horse program that succeeded in helping him steal 500,000 euros (US $653,300) from victims. The malware was spread through free smartphone apps. The malicious apps would call premium-rate phone numbers without the knowledge of the phone's user, and some also stole login credentials for gaming and gambling websites.
-http://www.h-online.com/security/news/item/French-hacker-captures-EUR500-000-wit
h-smartphone-trojan-1734182.html
-http://www.bbc.co.uk/news/world-europe-19994944
-http://www.theregister.co.uk/2012/10/19/french_android_trojan_suspect_arrested/

New Zealand's Recording Industry Group Drops Filesharing Case (October 18 & 19, 2012)

New Zealand's recording industry organization RIANZ has dropped a lawsuit against a student who maintained that while she was the Internet service account holder in her apartment, she had no idea how to use filesharing software and had not engaged in illegal filesharing. After receiving the copyright violation notices, she turned off the apartment's Internet access. This was the only one of eight cases brought by RIANZ in which the accused requested a formal hearing before the Copyright Tribunal.
-http://arstechnica.com/tech-policy/2012/10/accused-student-in-prevails-in-first-
three-strikes-copyright-case/
-http://www.stuff.co.nz/technology/digital-living/7839300/Rianz-drops-music-pirac
y-case

HP Asks Researcher Not to Disclose Vulnerabilities at Conference (October 18 & 19, 2012)

Just two days before a scheduled presentation at a conference in San Diego, Hewlett-Packard asked a researcher to refrain from disclosing several networking vulnerabilities he discovered. Kurt Grutzmacher had planned to present vulnerabilities in Huawei and H3C networking equipment. HP is the parent company of H3C. Grutzmacher had told the US Computer Emergency Response Tea, (US-CERT) about the vulnerabilities in August.
-http://www.h-online.com/security/news/item/HP-asks-researcher-not-to-publish-sec
urity-vulnerabilities-1733216.html
-http://arstechnica.com/security/2012/10/demonstration-of-serious-networking-vuln
s-cancelled-at-hps-request/

Citadel Trojan Variant Has New Features (October 18 & 19, 2012)

A new variant of the Citadel Trojan horse program targets organizations in the financial industry. Citadel first appeared in January 2011; this version, known as the Rain Edition, marks the sixth release of the malware. It includes new features that make it more dangerous, including a dynamic configuration mechanism, which makes the malware more difficult to detect and helps it spread more rapidly.

DHS Cyberskills Task Force Recommends The Agency Hire 600 Cybersecurity Experts (October 18, 2012)

The DHS Cyberskills task force recently recommended that DHS hire 600 of its own cybersecurity experts. The task force also recommended that DHS create a cyber reserve program to ensure that there are plenty of capable experts when they are needed, and to develop a community-college-based program to identify and training students for mission critical jobs. Currently, the cool cybersecurity jobs at the US Department of Homeland Security (DHS) are going to contactors rather than regular DHS employees. These are the jobs that involve testing the defenses of systems and networks to determine their ability to withstand cyberattacks, and examine systems that have been attacked to determine how the bad guys got in and help power companies and federal agencies recover from attacks.
-http://www.federaltimes.com/article/20121018/IT01/310180001/Task-force-DHS-Keep-
mission-critical-jobs-house?odyssey=nav%7Chead

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://www.sans.org/account/