SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #93
November 20, 2012
TOP OF THE NEWS
VA Fails Basic Security Test - Doesn't Install Encryption Software - Wastes Multi-Million Dollar InvestmentGeorgian Ministry Officials Arrested for Alleged Hacking Scheme
Major Tech Companies Support FCC's Net Neutrality Rules
THE REST OF THE WEEK'S NEWS
Trojan Communicates With Command-and-Control Server Through Google DocsFreeBSD Servers Compromised
US Rep. Tries Crowdsourcing Legislative Proposal on Piracy-Related Website Seizures
Verizon and Time Warner Reveal Plans to Dissuade Illegal Filesharers
Judge Approves Google's US $22.5 Million Offer to Settle Safari Cookie Complaint
MoneyGram Agrees to Pay Fine for Money Laundering and Wire Fraud Violations
Facebook Rolls Out HTTPS as Default Protocol
VMware Updates vSphere and ESX Platforms
Federal Data Center Consolidation Initiative on Target
Internet Companies Will Pay US $2 Million for Misleading Online Advertising
************************** SPONSORED BY Bit9 *****************************
Server Security - With 94% of data stolen in 2011 coming from servers, how has the evolution of advanced threats changed your approach to security? Take the 5 minute survey now and be entered to win an iPad Mini! Learn More http://www.sans.org/info/117662
****************************************************************************
TRAINING UPDATE
- --SANS London 2012 London November 26-December 3, 2012 16 courses. Bonus evening presentations include Why to Organizations Get Compromised; Dissecting Smart Meters; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/london-2012/
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013
- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************
TOP OF THE NEWS
VA Fails Basic Security Test - Doesn't Install Encryption Software - Wastes Multi-Million Dollar Investment (October 16, 2012)
[Thank you to former NewsBites Editor Gal Shpantzer for pointing us to this story in light of the recent laptop security issues at NASA. ]
A report from the Department of Veterans Affairs Office of the Inspector General found that of 300,000 encryption software licenses purchased in 2006, and another 100,000 purchased in 2011, the VA's Office of Information Technology (OIT) had installed just 65,000, or 16 percent. The licenses purchased in 2006 cost US $3.7 million. The reason given for the licenses not being activated are that "OIT did not allow time to test the software to ensure compatibility with VA computers, ensure sufficient human resources were available to install the encryption software on VA computers, and adequately monitor the project to ensure encryption of all VA laptop and desktop computers." The encryption project was undertaken following the May 2006 theft of a hard drive containing personally identifiable information of 26 million veterans.
-http://www.va.gov/oig/pubs/VAOIG-12-01903-04.pdf
-http://www.fiercegovernmentit.com/story/oig-finds-85-percent-va-encryption-licen
ses-lay-dormant/2012-10-16
[Editor's Note (Paller): VA has one of the best CIO-CISO teams in government, but one layer below them, the managers do not seem to follow through in implementing effective security. VA was one of the first agencies to deploy universal automated monitoring tools (costing more than $15 million) but the managers never used them to improve security like the State Department did. Even worse, the security training programs that VA implemented create and celebrate people who can talk about security but cannot perform the technical tasks required to protect systems. It would have been sensible and simple for the hundreds (more than 600 last time I looked) of information security officers (ISOs) at VA to install the encryption software, but neither they nor their managers appear to have the basic computer skills needed to implement important or even simple technical defenses. It is high time for VA to give the ISOs pathways to develop technical cybersecurity skills and give them the choice of taking advantage of those pathways or moving on to other jobs.
Georgian Ministry Officials Arrested for Alleged Hacking Scheme (November 19, 2012)
Nearly a dozen Georgian interior ministry officials and the country's former deputy interior minister have been arrested for allegedly hacking into the computers of political opponents, purportedly to gather intelligence to help them influence recent parliamentary election results. Those arrested also allegedly conducted phone tapping.-http://www.theregister.co.uk/2012/11/19/georgia_cyber_spy_plot_government/
Major Tech Companies Support FCC's Net Neutrality Rules (November 16, 2012)
The US Federal Communications Commission (FCC) has found support for its net neutrality rules in some well-known tech companies, including Amazon, Facebook, and Netflix. In a brief, the companies argue that the rules help promote the openness of the Internet. A number of other groups have also filed amicus briefs with the court. Verizon and MetroPCS are seeking to have the FCC's rules overturned.-http://thehill.com/blogs/hillicon-valley/technology/268451-google-facebook-netfl
ix-defend-net-neutrality-rules-in-court
-http://publicknowledge.org/files/Joint_intervenors_open_internet_brief.pdf
-http://arstechnica.com/tech-policy/2012/11/verizon-called-hypocritical-for-equat
ing-net-neutrality-to-censorship/
[Editor's Note (Murray): The problem with the FCC Rules is not what they provide but what they give away. Rules that apply only to the wired network, at the expense of the wireless network where the real abuses are, are not helpful. ]
************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/117667
2) Supporting Packet Decryption for Security Scanning by Dave Shackleford http://www.sans.org/info/117672
************************************************************************
THE REST OF THE WEEK'S NEWS
Trojan Communicates With Command-and-Control Server Through Google Docs (November 19, 2012)
Researchers at Symantec have detected a Trojan horse program that uses Google Docs to communicate with its command-and-control infrastructure. The malware, known as Backdoor.Makadocs, appears to be targeting users in Brazil. It harvests certain data, including infected computers' host names and operating system types. The malware uses Google Drive "Viewer" as a proxy to receive instructions from the command-and-control server. The trick disguises the communications as encrypted connections within a trusted service. A Google representative said the company is investigating, as "Using any Google product to conduct this kind of activity is a violation of our product policies."-http://www.h-online.com/security/news/item/Trojan-uses-Google-Docs-to-communicat
e-with-its-control-server-1752343.html
-http://www.computerworld.com/s/article/9233831/Malware_uses_Google_Docs_as_proxy
_to_command_and_control_server?taxonomyId=17
FreeBSD Servers Compromised (November 17 & 19, 2012)
Users who have installed software packages through the FreeBSD Project since September 19 should completely reinstall their machines, as hackers have compromised two of the Project's servers. The intrusions were detected on November 11, and those machines have been taken offline so they could be analyzed. FreeBSD also took a number of other machines offline as a precaution. The compromise affected the collection of third-party software packages distributed by the FreeBSD Project. An audit of the FreeBSD basic system found that the operating system's kernel, system libraries, complier, and core command-line tools were not affected. The organization's security team believes the intruders gained access to the servers using a SSH authentication key that was stolen from a developer. Because of the intrusion, the integrity of packages that were available for installation between September 19, 2012, and November 11, 2012 is called into question.-http://www.computerworld.com/s/article/9233822/Hackers_break_into_two_FreeBSD_Pr
oject_servers_using_stolen_SSH_keys?taxonomyId=17
-http://www.h-online.com/security/news/item/Hackers-obtained-access-to-FreeBSD-se
rvers-1752060.html
US Rep. Tries Crowdsourcing Legislative Proposal on Piracy-Related Website Seizures (November 19, 2012)
US Representative Zoe Lofgren (D-California) is hoping to garner support for legislation that would give website operators the chance to defend themselves against allegations of piracy before their domains are seized by US authorities. The US Department of Immigration and Customs Enforcement (ICE) seizes .com, org., and.net sites accused of facilitating piracy under the civil seizure law that allows officials to seize physical domains and property associated with certain criminal activity. US officials have the authority to seize the domains with those top-level domains because the organizations that administer those domains are in the US. In the past two years, ICE has seized more than 700 websites as part of its "Operation in Our Sites." Lofgren is asking Reddit users for input regarding legislation that would allow the domain owners due process. In some cases, the seized sites contain content that is protected speech. All that is required for the takedown is a judge's signature. She is "crowdsourcing a legislative proposal on Reddit" because of the site's users' commitment to free expression as evidenced by their position and action on SOPA.-http://www.wired.com/threatlevel/2012/11/lofgren-crowdsourcing-bill/
-http://www.itworld.com/it-management/318060/us-lawmaker-asks-reddit-ideas-websit
e-seizures
Lofgren's statement:
-http://www.lofgren.house.gov/index.php?option=com_content&view=article&i
d=771:rep-zoe-lofgren-asks-reddit-users-to-crowdsource-legislative-proposals-on-
domain-name-seizures&catid=22:112th-news&Itemid=161
-http://www.lofgren.house.gov/images/stories/pdf/background%20on%20domain%20name%
20seizures.pdf
[Editor's Note (Murray): "All that is required .....is a judge's signature." While there are tame judges, and while warrants may not be difficult to get, the requirement for a warrant is the only protection we have from abuse of police authority or legislative overreach. It should not be seen, or characterized, as trivial. ]
Verizon and Time Warner Reveal Plans to Dissuade Illegal Filesharers (November 16, 2012)
Verizon plans to start throttling the Internet speeds of customers who persist in illegal downloading. Violators will first receive email and voicemail warnings. Other Internet service providers (ISPs) are developing plans of their own to help fight piracy. Time Warner Cable plans to use pop-ups to warn users; those who ignore those messages will later find their browsing restricted - they will find themselves redirected to a landing page. The music and movie industry acknowledges that those who are determined to pirate digital content will always find a way to do so, but says that this plan is aimed at educating users who may not be aware that what they are doing is illegal.-http://www.bbc.co.uk/news/technology-20361952
Judge Approves Google's US $22.5 Million Offer to Settle Safari Cookie Complaint (November 19, 2012)
A US District Court judge has approved Google's offer of US $22.5 million to settle a Federal Trade Commission (FTC) complaint surrounding the use of cookies in Apple's Safari browser. The judge deemed the settlement "substantively fair, adequate, and reasonable," despite the Consumer Watchdog's contention that it was not enough and that the settlement did not include Google admitting liability. The FTC became involved it learned that Google was using cookies to track the surfing habits of Safari users even though their privacy settings indicated that they did not want to be tracked. Google maintained that it was unaware that it was tracking Safari users and agreed to pay the fine and to disable all cookies it had placed on the affected users' computers by February 2014. The Consumer Watchdog maintains that Google's violation of that agreement merits a stiffer penalty because its actions bear similarity to issues addressed in an earlier agreement with the FTC over Google Buzz.-http://www.theregister.co.uk/2012/11/19/google_safari_settlement_accepted/
MoneyGram Agrees to Pay Fine for Money Laundering and Wire Fraud Violations (November 19, 2012)
MoneyGram International has agreed to pay a US $100 million fine for its role in aiding and abetting wire fraud, as well as for not having a reasonable anti-money laundering program in place. MoneyGram is often used by cybercriminals running scams in which they pretend to be a friend or relative in urgent needs of funds or in which they offer expensive products and deep discounts, or other fraudulent offers. The targets are directed to send the funds through MoneyGram. In a press release, the US Department of Justice wrote that "MoneyGram knowingly turned a blind eye to scam artists and money launderers who used the company to perpetrate fraudulent schemes targeting the elderly and other vulnerable victims."-http://krebsonsecurity.com/2012/11/moneygram-fined-100-million-for-wire-fraud/
-http://www.justice.gov/opa/pr/2012/November/12-crm-1336.html
Facebook Rolls Out HTTPS as Default Protocol (November 19, 2012)
Facebook has begun using HTTPS as its default protocol for all pages for all users. Facebook announced its intention to make the switch last year. The shift is being introduced first in North America and will eventually be rolled out to users around the world. Facebook started offering HTTPS as an option in January 2011; prior to that, it used the protocol only for pages that required passwords. The change may slow down connections slightly. Facebook will allow users to opt out of using HTTPS if they wish.-http://www.informationweek.com/security/application-security/facebook-adopts-sec
ure-web-pages-by-defa/240142310
-http://www.cnn.com/2012/11/19/tech/social-media/facebook-https/index.html
[Editor's Note (Murray): While the use of end-to-end encryption may not be absolutely necessary, it takes a very long list of possible attacks off the table. While it does not, as an FBI director was fond of asserting, provide "perfect security," it raises the security in the middle to that of the end points and it does so at a tolerable cost.
(Pescatore): I think moving to SSL is being oversold by consumer web sites. Yes, ubiquitous use will make WiFi sniffing much more difficult but the vast, vast majority of information compromises occur *on* these websites, not during communications to and from them. Turning on SSL is sort of like putting on a raincoat when going out in a hurricane. The overall gain in security and privacy would be much higher if the same sites went to user "Opt In" for personal information disclosure. ]
VMware Updates vSphere and ESX Platforms (November 17 & 19, 2012)
VMware has released an update for its vSphere and ESX platforms. The update fixes a denial-of-service (DoS) flaw in ESX and ESXi versions of vSphere; it also addresses a number of issues in open source components of the ESX Service Console.-http://www.eweek.com/security/vmware-patches-dos-vulnerability-in-virtualization
-software/
-http://www.v3.co.uk/v3-uk/news/2225525/vmware-posts-updates-for-security-flaws
-http://www.vmware.com/security/advisories/VMSA-2012-0016.html
Federal Data Center Consolidation Initiative on Target (November 16, 2012)
According to data released by the Office of Management and Budget (OMB), the government has closed 382 data centers since 2010; 64 of those were shut down in the last three months. Another 315 are scheduled to be shut down by next fall. OMB's data center consolidation plan calls for shutting down 40 percent of government data centers, which originally numbered roughly 3,100. The scale-back is slated to be complete by the end of 2015. While the overall savings is difficult to project, estimate range from US $2.4 billion to US $5 billion over time. Agencies have not provided adequate information necessary to calculate the savings.-http://www.nextgov.com/cloud-computing/2012/11/government-has-shuttered-64-data-
centers-august/59598/?oref=ng-HPtopstory
-http://fcw.com/articles/2012/11/19/data-center-savings.aspx
Internet Companies Will Pay US $2 Million for Misleading Online Advertising (November 16, 2012)
Two Internet companies have agreed to pay US $2 million to settle a Federal Trade Commission (FTC) complaint alleging that they hired other companies to market products with phony testimonials and other misleading information. Clickbooth.com and IntegraClick were accused of hiring affiliates to put up fake news sites on the Internet hawking the products. The complaint also alleged that the companies failed to inform customers that they would be billed for their free trial samples of products if they did not cancel their accounts within the designated period of time.-http://www.scmagazine.com/online-marketers-behind-spam-ads-to-pay-2m-to-ftc/arti
cle/268741/
[Editor's Note (Murray): FTC enforcement continues to demonstrate that the power of government can be used in favor of the consumer. ]
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/