SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #97

December 07, 2012

TOP OF THE NEWS

Eurograbber Exploits Mobile Phones To Defeat Two-Factor Online Banking Authentication - $ Millions Stolen
European Council Close on Cyber Activity Warning Pact

THE REST OF THE WEEK'S NEWS

Appeals Court Will Not Rehear Warrantless Wiretapping Case
Microsoft's Patch Tuesday for December to Include Fixes for IE10
Swiss Intelligence IT Admin Allegedly Stole Terabytes of Counter-Terrorism Data
Judge Says Kim Dotcom Can Sue Intelligence Agency Over Unlawful Surveillance
Standardized Cyberthreat Information Language Project
FBI Investigating Cyberattack on Retired Admiral's Computers
South Carolina IG Recommends Statewide Information Security Program
Online Advertiser Settles FTC Charges Over Browser Sniffing
Judge Approves Revised Sponsored Stories Settlement
Traffic Monitoring System Uses Weak Encryption
US Naval Academy Plans for Cybersecurity Major

---

************************ SPONSORED BY Symantec ***************************
The results are in. Symantec Endpoint Protection rated best in independent, real-world tests recently published by Dennis Technology Labs. These tests were designed to more accurately reflect what would happen if a user is actually using one of these products. Symantec Endpoint Protection received a AAA rating and beat all tested competitors in total accuracy. Learn More.
http://www.sans.org/info/119005

***************************************************************************
TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013 - --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013 - --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013 - --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013 - --Looking for training in your own community?
http://www.sans.org/community/ - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials Plus Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Eurograbber Exploits Mobile Phones To Defeat Two-Factor Online Banking Authentication - $ Millions Stolen (December 5 & 6, 2012)

A malware attack known as Eurograbber has managed to steal more than 36 million euros (US $47 million) from 30,000 European bank accounts. It targets customers of certain banks in Italy, Spain, Germany, and the Netherlands and is a version of Zitmo, which stands for ZeuS in the mobile. When a user with an infected machine visits a banking site, the malware intercepts the session and injects a JavaScript onto the page. The user is notified of a "security upgrade," which involves providing cell phone information. When the cyberthieves send a confirmation message to the phone, it asks users to click on a link that actually infects the phone. The malware's command-and-control infrastructure has been taken down.
-http://www.darkreading.com/authentication/167901072/security/news/240143960/euro
grabber-lets-attackers-steal-36-million-euros-from-banks-customers.html
-https://www.informationweek.com/security/attacks/zeus-botnet-eurograbber-steals-
47-millio/240143837
-http://arstechnica.com/security/2012/12/sophisticated-botnet-steals-more-than-47
m-by-infecting-pcs-and-phones/
[Editor's Note (Murray): To the extent that we use hand-helds in financial applications, they will be targets. Prefer iOS to Android or Windows Mobile. Be careful. ]

European Council Close on Cyber Activity Warning Pact (December 5, 2012)

Members of the Organization for Security and Cooperation in Europe Ministerial Council appear to be close to reaching an agreement on a pact to warn other signatories about government activity in cyberspace that could be misinterpreted as hostile. The pact is aimed to prevent misunderstandings, which could escalate. The Council is meeting in Dublin, Ireland. The pacts established by the body are politically binding but are not official treaties. The declaration requires consensus from all 57 member nations, which include Russia and the US, before it can be officially adopted.
-http://www.nextgov.com/cybersecurity/2012/12/us-russia-other-nations-near-agreem
ent-cyber-early-warning-pact/59977/?oref=ng-channelriver
[Editor's Note (Henry): The US Government's cyber strategy, the Comprehensive National Cybersecurity Initiative (CNCI), contained an initiative to identify "redlines" for foreign governments. These redlines would be specified acts in cyberspace that, if crossed, would result in a definitive response by the U.S. The efforts in the OCSE, fostering clear channels of communication to reduce misinterpretation and unintended consequences, is a necessary and required step in this process. ]

---

************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/119010

2) Why Deception Matters in Today's Web Attacks by John Bumgarner http://www.sans.org/info/119015

3) Learn results of the SANS Survey on Application Security in the Enterprise with SANS instructor Frank Kim, Thur. Dec. 13, 1PM EST: http://www.sans.org/info/119020
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Appeals Court Will Not Rehear Warrantless Wiretapping Case (December 6, 2012)

A US federal appeals court has said it will not reconsider its earlier ruling that said the government has the authority to spy on citizens' communications without a warrant and without the threat of legal action. The decision was originally handed down from a three-judge panel of the 9th US Circuit Court of Appeals; the court has said that it would not rehear the case with an 11-judge panel. A lower court ruled in favor of two attorneys who worked for the al-Haramain Islamic Foundation, but the decision was overturned on appeal earlier this year.
-http://www.wired.com/threatlevel/2012/12/al-haramain-en-banc/
-http://www.wired.com/images_blogs/threatlevel/2012/12/al-haramain.pdf

Microsoft's Patch Tuesday for December to Include Fixes for IE10 (December 6, 2012)

Microsoft will release seven security bulletins on Tuesday, December 11 to address a total of 11 vulnerabilities. Five of the bulletins have maximum severity ratings of critical; the other two are rated important. This release marks the first update to Microsoft's newest browser, Internet Explorer 10 (IE10).
-http://www.computerworld.com/s/article/9234433/Microsoft_plans_patches_for_IE10_
Windows_8_next_week?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2230328/microsoft-preps-five-critical-fixes-with-
december-update
-http://technet.microsoft.com/en-us/security/bulletin/ms12-dec

Swiss Intelligence IT Admin Allegedly Stole Terabytes of Counter-Terrorism Data (December 4 & 6, 2012)

A Swiss Federal Intelligence Service (NDB) IT administrator copied several terabytes of data from the organization's servers. He was arrested after Swiss bank USB became suspicious of his attempt to open a numbered account and contacted authorities. He had reportedly become dissatisfied with his work after the organization did not take his advice about the way they were operating their data systems. NDB is warning US and UK intelligence agencies that some of their shared counter-terrorism is part of the of stolen data.
-http://www.h-online.com/security/news/item/Frustrated-employee-embarrasses-Swiss
-intelligence-service-1763673.html
-http://www.theregister.co.uk/2012/12/04/swiss_intelligence_data_loss/
-http://www.zdnet.com/swiss-spy-agency-warns-cia-mi6-over-massive-secret-data-the
ft-7000008282/
-http://news.cnet.com/8301-1009_3-57557004-83/u.s-u.k-caught-in-middle-of-huge-sw
iss-spy-data-leak-report/
[Editor's note (Henry): While we often focus our efforts on remote-access attacks due to their frequency and volume, this example of the insider threat serves to remind us of the significant damage which can be inflicted. While often difficult to detect, the high risk this vulnerability presents requires constant employee vetting, lawful monitoring, and colleagues familiar with the telltale signs of insider. Focus on the threat. ]

Judge Says Kim Dotcom Can Sue Intelligence Agency Over Unlawful Surveillance (December 5 & 6, 2012)

A judge in New Zealand has granted Kim Dotcom's request to sue police and GCSB, the country's intelligence service, for violating his rights in their actions leading up to the January 2012 raid on his mansion. Dotcom is a permanent resident of New Zealand and as such, authorities may not intercept his communications. The judge has also ordered the government to surrender information it holds about the GCSB's surveillance of Dotcom.
-http://arstechnica.com/tech-policy/2012/12/court-gives-dotcom-green-light-to-sue
-nz-spy-agency-for-january-raid/
-http://www.computerworld.com/s/article/9234399/Megaupload_s_Kim_Dotcom_allowed_t
o_seek_damages_against_spy_agency?taxonomyId=17

Standardized Cyberthreat Information Language Project (December 5, 2012)

A group of organizations is developing a language, Structured Threat Information eXpression (STIX), that companies and agencies can use to share information about cyberthreats that can be quickly incorporated into other organizations' security infrastructures. Organizations have been sharing information, but there is no consistency with which the information is conveyed. If the information is in machine-readable language, it will be easier for organizations to deploy fixes quickly.
-http://www.darkreading.com/threat-intelligence/167901121/security/vulnerabilitie
s/240143864/attack-intelligence-sharing-goes-wire-speed.html

FBI Investigating Cyberattack on Retired Admiral's Computers (December 5, 2012)

The FBI is investigating a reported hacking attempt made on computers that belong to former chairman of the Joint Chiefs of Staff Admiral Mike Mullen. The attacks targeted computers that Mullen was using at the US Naval Academy in Annapolis after he retired in 2011. Mullen surrendered several computers to the FBI as part of the investigation; the devices have been returned.
-http://nation.time.com/2012/12/05/adm-mullen-possible-target-of-foreign-cyber-in
trusion/
-http://www.nbcnews.com/technology/technolog/foreign-hackers-targeted-former-mili
tary-chief-mullen-report-1C7455842

South Carolina IG Recommends Statewide Information Security Program (December 5, 2012)

South Carolina's inspector general blames the recent breach of data at the state's Department of Revenue on decentralized information security management and has proposed changes to help reduce the risk of future breaches. Patrick Maley's recommendations include establishing a statewide information security program and hiring a CISO.
-http://www.scmagazine.com/sc-inspector-general-calls-for-statewide-security-prog
ram/article/271321/
-http://media.scmagazine.com/documents/42/oig_infosec_interim_report_120_10340.pd
f
[Editor's Note (Pescatore): I was once challenged by a CEO: "Users and business units should be responsible for security, I don't need a CISO." Response: "OK, I assume since users and business units should be responsible for financial integrity, you don't need that expensive CFO either?"
(Henry): The breach in South Carolina should cause all states to immediately review their data protection policies. The IG's plan to install an accountable executive - the CISO - and to centralize policies and procedures across a large enterprise, is a foundational step in securing this process. (Honan): Hiring a CISO is only part of the solution. You need to ensure the CISO has the budget, resources, authority and autonomy to carry out their role properly.]

Online Advertiser Settles FTC Charges Over Browser Sniffing (December 5, 2012)

Online advertising network Epic Marketplace has settled Federal Trade Commission (FTC) charges that it exploited a known vulnerability to harvest Internet users' surfing histories. Epic used the information to serve targeted ads to users. Epic has agreed to destroy the data it collected and to stop browser sniffing. The flaw it exploited existed in every major browser until about 2010. Mozilla fixed the vulnerability in Firefox and the others followed suit.
-http://arstechnica.com/security/2012/12/online-marketer-tapped-browser-flaw-to-s
ee-if-visitors-were-pregnant/
-http://www.scmagazine.com/ftc-penalizes-ad-network-covertly-spying-on-users/arti
cle/271336/
-http://www.computerworld.com/s/article/9234363/FTC_bars_advertising_firm_from_sn
iffing_browser_histories?taxonomyId=17

Judge Approves Revised Sponsored Stories Settlement (December 4, 2012)

A federal judge in California has approved a restructured settlement regarding Facebook's Sponsored Stories, which used members' pictures to promote stories without the members' permission. US District Court Judge Richard Seeborg rejected the initial settlement, which would have paid US $10 million to plaintiff's attorneys and put aside US $10 million for non-profit organizations that promote privacy issues. The new settlement offers the same amount of money, but is designated to pay plaintiffs. The attorneys will be paid from that US $20 million, but will have to file a motion for their fees.
-http://arstechnica.com/tech-policy/2012/12/judge-oks-20-million-privacy-deal-for
-facebooks-sponsored-stories/
-http://ia700609.us.archive.org/1/items/gov.uscourts.cand.239253/gov.uscourts.can
d.239253.252.0.pdf

Traffic Monitoring System Uses Weak Encryption (December 3 & 4, 2012)

Vulnerabilities in a traffic monitoring system used by several municipalities in the US could be exploited to gather information about people's travel patterns. Post Oak Traffic AWAM (anonymous wireless address matching) Bluetooth Reader Systems use encryption with insufficient entropy in sensors that read data sent by Bluetooth equipment in vehicles. The company has released a patch for the issue and new devices shipped from Post Oak will include firmware updates to fix the problem. The sensors, which are embedded in the roads, read the Bluetooth data to determine traffic speeds and conditions on roads. The US Computer Emergency Response Team (US-CERT) has issued a warning about the vulnerability.
-http://www.nextgov.com/cybersecurity/2012/12/dhs-hackers-could-manipulate-highwa
y-sensors/59938/?oref=ng-HPtopstory
-http://www.gsnmagazine.com/node/27933?c=cyber_security
-http://www.us-cert.gov/control_systems/pdf/ICSA-12-335-01.pdf
[Editor's Note (Murray): The most likely use of this vulnerability is to introduce doubt into a trial. ]

US Naval Academy Plans for Cybersecurity Major (December 3, 2012)

The US Naval Academy is looking to establish an ABET-accredited cybersecurity major. (ABET stands for the Accreditation Board for Engineering and Technology.) The goal is to gain the accreditation within four years. Last year, the Naval Academy added two cybersecurity courses to its core curriculum.
-http://www.marinecorpstimes.com/news/2012/12/ap-navy-aims-for-cybersecurity-majo
r-120312/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/