
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #9

January 31, 2012


I just finished reading a book on cybersecurity written by one of the
few people who was in a position where he could see the whole picture. I
sent copies to friends who have been asking me how they could "get
up to speed" on this topic. The author is Joel Brenner who was the
National Counterintelligence Executive in the Office of the Director
of National Intelligence. People from all across the community told
him the truth and he summarized it fully and clearly. Called "America
the Vulnerable," this book may help shape the national debate, but
far more importantly, it can give cybersecurity professionals the
breadth of knowledge that few of us ever have a chance to gain and
thereby make each of us more effective in what we try to do.
Alan

TOP OF THE NEWS

White House Calls for Comprehensive Cyber Security Legislation

THE REST OF THE WEEK'S NEWS

Group Pushes Anti-Phishing Specifications
Whistleblowing FDA Employees File Suit Over Alleged Monitoring
Carrier IQ Controversy Prompts Phone Privacy Bill
Man Accused of Running Botnet Maintains His Innocence
FINRA Exhorts Brokerages to Deploy Stronger Authentication for Online Transactions
Windows Media Player Flaw is Being Actively Exploited
Twitter Aims for Transparency in Making DMCA Takedown Notices Public
Counterclank is Adware, Not Malware
High School Students Arrested for Alleged Computer Intrusion and Grade Altering
University of Hawaii Reaches Settlement Over Data Breaches


*************************** SPONSORED BY SANS ***************************

Needle in a Haystack: Getting to Attribution in Control Systems with SANS SCADA expert, Matthew L. Luallen Wednesday, February 22

http://www.sans.org/info/98316

Register for this webcast and get an advance copy of Luallen's accompanying paper on the same topic!

**************************************************************************

TRAINING UPDATE

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 6 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Nashville, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************

TOP OF THE NEWS

White House Calls for Comprehensive Cyber Security Legislation (January 27, 2012)

White House Cybersecurity Coordinator Howard Schmidt is encouraging legislators to "quickly enact legislation to address the full range of cyber threats facing our nation." In a White House blog post, Schmidt said that the legislation, which would resemble the proposal sent by the president to Congress last May, would grant officials the necessary authority to fight "growing and consistently sophisticated cyberthreats."
-http://thehill.com/blogs/hillicon-valley/technology/207025-white-house-cyber-czar-stumps-for-comprehensive-bill

-http://www.informationweek.com/news/government/security/232500639
[Editor's Note (Paller) I spent the early part of this morning listening to Mac Thornberry who is shepherding the collection of House cyber legislation, and Tommy Ross of Majority Leader Reid's staff both saying, confidently, that this is a unique moment for bipartisan legislation despite the partisanship of an election year. Their one caveat is that if either side takes a "my way or the highway" approach the opportunity will be lost. ]


************************** SPONSORED LINKS ***************************

1) When it comes to cyber-security, play it safe - choose Emerson's Ovation(tm) control and SCADA technology. http://www.sans.org/info/98321
************************************************************************

THE REST OF THE WEEK'S NEWS

Group Pushes Anti-Phishing Specifications (January 30 & 31, 2012)

Several large technology companies have come together with financial services companies and email providers to encourage the use of a technical specification aimed at reducing phishing attacks. The authentication framework, known as DMARC (Domain-based Authentication, Reporting, and Conformance), is aimed at consolidating the current array of specifications that are already in use.
-http://www.computerworld.com/s/article/9223807/Update_Industry_group_makes_fresh_push_to_fight_phishing?taxonomyId=17

-http://www.informationweek.com/news/security/vulnerabilities/232500658
-http://www.theglobeandmail.com/news/technology/tech-news/microsoft-google-push-new-plan-to-combat-e-mail-scams/article2319337/

-http://www.v3.co.uk/v3-uk/news/2142425/dmarc-takes-phishing-attacks
[Editor's Note (Pescatore): A good thing to harmonize SPF and DKIM, and very good to have Facebook and LinkedIn joining the major email firms in agreeing to use. Still need advances in differentiating human-sent email from any automated email, good or bad. ]

Whistleblowing FDA Employees File Suit Over Alleged Monitoring (January 30, 2012)

A group of former US Food and Drug Administration (FDA) employees have filed a lawsuit alleging that the FDA monitored their personal email through which they warned Congress that some devices approved by the agency posed risks to patients. The six scientists and doctors maintain that they suffered harassment and that some were wrongfully terminated as a result. Their correspondence was monitored and the FDA twice asked the Department of Health and Human Services (HHS) inspector general to investigate because the six had allegedly disclosed confidential information about the devices in question. The HHS IG declined both times to launch an investigation, because it found no evidence of criminal conduct.
-http://www.nextgov.com/nextgov/ng_20120130_8294.php?oref=topnews
-http://www.informationweek.com/news/government/policy/232500716
[Editor's Note (Liston): This case pits the protections afforded whistleblowers against an organization's ability to monitor activity that takes place on equipment that it owns. These employees were warned numerous times that they had no expectation of privacy while using the FDA network -- personally I think their case would be much stronger if they focused on the actions (harassment / firings) that resulted from the monitoring, rather than monitoring itself. ]

Carrier IQ Controversy Prompts Phone Privacy Bill (January 30, 2012)

Congressman Edward Markey (D-Massachusetts) has introduced legislation that would require mobile phone carriers to tell customers when tracking software like Carrier IQ is on their devices. The companies would have to be very specific about what information is collected and who will have access to it. The Mobile Device Privacy Act would require that providers obtain customers' consent before data are collected and when the data are to be sent to third parties.
-http://www.wired.com/threatlevel/2012/01/new-mobile-phone-privacy-law-proposed/
-http://www.washingtonpost.com/blogs/post-tech/post/carrier-iq-concerns-prompt-disclosure-bill-from-markey/2012/01/30/gIQAEH3XcQ_blog.html

[Editor's Note (Pescatore): The mobile carriers could easily forestall legislation (with all the unintended consequences it always brings) by doing the common sense thing and agreeing to always be open about what may be collected and use opt-in as the default.
(Murray): Both transparency and competition are required here. The devil is in the detail but the more "specific" the disclosure is, the less likely the consumer is to read or comprehend it. This whole controversy began when a "consumer" made unwarranted inferences about what the software could do and what it was being used for. ]

Man Accused of Running Botnet Maintains His Innocence (January 27 & 30, 2012)

The Russian man accused by Microsoft of being behind the Kelihos botnet is maintaining his innocence. Andrey Sabelnikov was named in a suit filed by Microsoft as the person who allegedly wrote the botnet agent and maintained the network of compromised computers used to send spam. Sabelnikov learned of the allegations against him when he arrived in the US on a business trip on January 21, 2012. He was employed at a Russian anti-virus company that offers firewalls, antivirus and security software. Russian law forbids extradition of citizens to face trial abroad.
-http://www.bbc.co.uk/news/technology-16757150
-http://www.theregister.co.uk/2012/01/30/kelihos_suspect_denial/
-http://www.v3.co.uk/v3-uk/news/2142254/russian-programmer-refutes-microsofts-kelihos-botmaster-accusations

-http://www.computerworld.com/s/article/9223820/Accused_Kelihos_botmaster_proclaims_innocence

FINRA Exhorts Brokerages to Deploy Stronger Authentication for Online Transactions (January 27, 2012)

US investment firms are being urged to improve security around fund transfers and withdrawals. The Financial Industry Regulatory Authority (FINRA) has released a regulatory notice, describing a flood of reports about users' computers becoming infected with malware that allows attackers to take control of their brokerage accounts; the attackers then email brokerages from users' accounts to make transaction requests. FINRA is recommending that investment companies establish failsafe methods for ensuring customers' identities when transaction requests are made.
-http://www.scmagazine.com/finra-advises-brokers-to-bulk-up-security/article/225163/

FINRA Notice:
-http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p125462.pdf

[Editor's Note (Pescatore): Starting to see Google and others offer "two step verification" but it would really help if those consumer services "nudged" or incented their users to do so. It took about 20 years for automobiles to start having ignition locks built in - reusable passwords are hard to dislodge but I think we will have a chance soon to start nibbling away at their dominance.
(Liston): This goes back to a question I've been asking for a long time: Why can I get two-factor authentication on a World of Warcraft account, but not on my online banking or brokerage account? ]

Windows Media Player Flaw is Being Actively Exploited (January 27, 2012)

Researchers have detected an in-the-wild attack that exploits a known flaw in Windows Media Player (WMP). Microsoft released a fix for the vulnerability on January 10, 2012 in the MS12-004 security bulletin. The attack tricks users into opening a maliciously crafted MIDI file. It is being called a drive-by download attack. The malware attempts to download a Trojan horse program onto the computer. The Trojan appears to have rootkit capabilities.
-http://www.computerworld.com/s/article/9223768/Drive_by_download_attack_exploits_critical_vulnerability_in_Windows_Media_Player?taxonomyId=17

-http://www.zdnet.com/blog/security/hackers-pounce-on-just-patched-windows-media-vulnerability/10213

Twitter Aims for Transparency in Making DMCA Takedown Notices Public (January 27, 2012)

Twitter is making its Digital Millennium Copyright Act (DMCA) takedown notices public. The information is available through the Chilling Effects website, which is a joint project of the Electronic Frontier Foundation (EFF) and a number of universities. DMCA grants "safe harbor" against related lawsuits when sites comply with takedown orders in a timely manner. The Tweets targeted in the orders generally link to sites that distribute pirated content. Twitter acknowledges that it is not a platform where anything goes, particularly as it moves into markets around the world where there are "different ideas about the contours of freedom of expression." Twitter will be censoring Tweets on a country-by-country basis when the need arises. EFF Legal Director Cindy Cohn says the ability to do so means less censorship.
-http://arstechnica.com/tech-policy/news/2012/01/twitter-uncloaks-a-years-worth-of-dmca-takedown-notices-4410-in-all.ars

Counterclank is Adware, Not Malware (January 27 & 30, 2012)

Symantec has backed away from its initial claims that Counterclank, which has been detected in more than a dozen apps sold through Google's Android Market, is malware. Instead, Symantec now says that "the situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows." The apps in question request a broad range of privileges, but most users do not read the fine print of the permissions they grant to apps they download.
-http://www.computerworld.com/s/article/9223777/Massive_Android_malware_op_may_have_infected_5_million_users?taxonomyId=17

-http://www.eweek.com/c/a/Security/AndroidCounterclank-an-Aggressive-Mobile-Ad-Network-Not-Malware-Lookout-125303/

[Editor's Note (Murray): The issue is not so much about malware as about the openness of Android and the standard of care related to its choice. Most of those choosing Android think that they are getting a "consumer," rather than a "geek," environment. Most of those buying it are choosing hardware, not software. Warnings raised here will never reach these buyers. ]

High School Students Arrested for Alleged Computer Intrusion and Grade Altering (January 27, 2012)

Three California high school students have been arrested for allegedly hacking into their school's computer system to alter grades. The students allegedly broke into a janitor's closet at Palos Verdes High School and made a copy of the school's master key. They then allegedly placed keystroke-logging software on four teachers' computers, which gave them the passwords they needed to access the school network's central files and used the access to nudge up their grades. Two of the students have been expelled. They were caught only because they were also selling answers to tests, which they had stolen from classrooms.
-http://www.theregister.co.uk/2012/01/27/students_hack_teachers_computers/

University of Hawaii Reaches Settlement Over Data Breaches (January 27, 2012)

The University of Hawaii has reached a settlement with 98,000 individuals over a series of data security breaches that compromised personal information, including names, Social Security numbers (SSNs), and in some cases, credit card numbers. The settlement is the result of a class action lawsuit filed on behalf of those affected by the breaches. One of the breaches resulted when a faculty member inadvertently uploaded files to an unencrypted web server. In another breach, hackers were able to access a computer at a University parking office. The terms of the settlement call for the University of Hawaii to provide two years of credit monitoring and fraud restoration services to victims. The settlement still requires court approval.
-http://www.scmagazine.com/univ-of-hawaii-settles-with-98000-over-five-breaches/article/225158/



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/