SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #3

January 11, 2013

Four more days (deadline January 15) for talented veterans and college
students and high school students and people looking for new careers to
enter the national competition for places in the first U.S. CyberCenter
program - the most intensive training in the country paid for by the
government and SANS and guaranteeing great jobs at cool places for those
who get through the program and qualify for the positions. If you know
someone in the U.S (new Jersey residents will have priority because
Governor Christie is sponsoring the pilot program) who should be working
at advanced jobs in cybersecurity and who has the talent to become world
class, tell them to register at cybercenters.org

Alan

---

TOP OF THE NEWS

Zero-Day Java Exploit
Critical Flaw in Ruby on Rails
Microsoft and Adobe January Security Updates
Microsoft Likely to Issue Fix For IE In Next Two Weeks
Flaw in Foxit
Canadian Employment Company Acknowledges Cyber Extortion Attempt
Army Unit Focuses on Criminal Cyber Investigations
Some Government Agency Workers Knowingly Bought Pirated Software
Suspect Allegedly Stole Millions From Online Bank Accounts
21-Month Sentence for Point-of-Sale Payment Card Data Thief
Classified Documents Stolen from Japanese Agriculture Dept.

THE REST OF THE WEEK'S NEWS

---

******************************* Symantec *********************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More. http://www.sans.org/info/121082
***************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Zero-Day Java Exploit (January 10, 2013)

An exploit is now circulating for an unpatched vulnerability in Java. The best defense against attacks is to disable Java browser plug-ins. The flaw affects fully patched and current installations of the Java platform. The exploit now in use targets all versions of Java 7 up through Update 10 and earlier through drive-by download attacks. The US Computer Emergency Management Team (US-CERT) has issued a vulnerability note on the issue. Internet Storm Center:
-https://isc.sans.edu/diary/Java+is+still+exploitable+and+is+likely+going+to+rema
in+so+/14899
-http://www.theregister.co.uk/2013/01/10/java_0day/
-http://www.computerworld.com/s/article/9235550/Attackers_are_now_exploiting_a_Ja
va_zero_day_vulnerability?taxonomyId=17
-http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
-http://news.cnet.com/8301-1009_3-57563337-83/java-flaw-draws-web-attacks-reports
-say/
-http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-mass
ively-exploited-in-the-wild/
-http://www.scmagazine.com/new-java-zero-day-exploit-could-spread-mayhem/article/
275567/
-http://www.kb.cert.org/vuls/id/625617
[Editor's Note (Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls
-http://www.sans.org/critical-security-controls/]

Critical Flaw in Ruby on Rails (January 9 & 10, 2013)

An "extremely critical" flaw in programming framework Ruby on Rails has left more than 240,000 websites at risk from attacks that could allow remote code execution. The vulnerability affects versions of Rails dating back six years; default configurations of the framework allow attackers to peruse the contents of databases, run system commands, and cause website crashes. Exploits for the flaw are reportedly circulating; users are urged to upgrade their systems as soon as they can to version 3.2.11, 3.1.10, 3.0.19, or 2.3.15. The updates come just one week after developers issued a fix for a SQL injection vulnerability in the Ruby on Rails Active Record database query interface. Internet Storm Center:
-https://isc.sans.edu/diary/SQL+Injection+Flaw+in+Ruby+on+Rails/14866
-http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-thre
atens-more-than-200000-sites/
-http://www.zdnet.com/ruby-on-rails-vulnerable-to-six-year-old-flaw-7000009559/
-http://www.theregister.co.uk/2013/01/10/ruby_on_rails_security_vuln/
-http://www.h-online.com/security/news/item/Exploits-for-Ruby-on-Rails-holes-now-
in-circulation-1781158.html
-http://www.scmagazine.com/ruby-on-rails-releases-extremely-critical-fixes/articl
e/275399/
[Editor's Note (Ullrich): There was some confusion due to the fact that two very similar vulnerabilities where announced at the same time. The first affects XML parameters, and can lead to authentication bypass as well as SQL injection. The second one affects the parsing of JSON encoded parameters and it appears to be less severe. This is a "must apply now" patch. A metasploit exploit is already available. Ironically, metasploit is in part written using ruby on rails and is itself vulnerable. A patch for metasploit was released as well. Other commonly used pen testing tools like recent versions of BEef are based on ruby on rails as well. ]

Microsoft and Adobe January Security Updates (January 8 & 9, 2013)

On Tuesday, January 8, Microsoft released seven security bulletins to address a total of a dozen vulnerabilities, including two critical flaws that affect Windows. Adobe's release addressed 27 vulnerabilities in Flash, Reader, and Acrobat. Internet Storm Center:
-https://isc.sans.edu/diary/Microsoft+January+2013+Black+Tuesday+Update+-+Overvie
w/14854
-https://isc.sans.edu/podcastdetail.html?id=3043
-http://krebsonsecurity.com/2013/01/adobe-microsoft-ship-critical-security-update
s/
-http://www.computerworld.com/s/article/9235461/Microsoft_kicks_off_2013_with_clu
tch_of_critical_Windows_updates?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2234869/microsoft-opens-new-year-with-two-critica
l-patches
-http://www.h-online.com/security/news/item/Microsoft-and-Adobe-close-almost-40-h
oles-1779941.html
-http://technet.microsoft.com/en-us/security/bulletin/ms13-jan

Microsoft Likely to Issue Fix For IE In Next Two Weeks (January 9, 2013)

Researchers say that Microsoft is likely to release a patch for a flaw in Internet Explorer (IE) sometime in the next two weeks, outside Microsoft's regular, monthly security updates. The vulnerability, which affects IE6, IE7, and IE8, has been used in active exploits for over a month. Microsoft acknowledged the problem in late December. Researchers have noticed an increase in the number of websites that are serving up drive-by attacks aided by the vulnerability. Two workarounds have been released for the flaw, but both can be circumvented.
-http://www.computerworld.com/s/article/9235519/Researchers_Microsoft_will_pull_t
rigger_on_emergency_IE_patch?taxonomyId=17
[Editor's Note (Ullrich): If you have to use a browser like IE8 or older, you should consider applying EMET to harden the browser. See
-https://isc.sans.edu/diary/EMET/14797]

Flaw in Foxit (January 10, 2013)

A vulnerability in the PDF viewer application Foxit Reader could be exploited to allow arbitrary code execution. The problem lies in a boundary error in the application's browser plug-in component. There is no patch currently available.
-http://www.computerworld.com/s/article/9235544/Flaw_opens_Foxit_Reader_to_hacker
s?taxonomyId=17
-http://www.h-online.com/security/news/item/Current-Foxit-Reader-can-execute-mali
cious-code-1780636.html

Canadian Employment Company Acknowledges Cyber Extortion Attempt (January 9 & 11, 2013)

Canadian job placement company Drake International has acknowledged that it was targeted by cyber extortionists. Drake has offices in nine countries. The hackers claim they have information belonging to clients from Canada, the UK, Australia, and New Zealand and have demanded payment of US $50,000 in exchange for not releasing the personal information. The compromised data include names, email addresses and passwords. Drake did not acquiesce to the hackers' demands, instead choosing to go authorities with the situation.
-http://business.financialpost.com/2013/01/09/drake-international-confirms-databa
se-with-user-information-hacked/
-http://www.canoe.ca/Canoe/Money/News/2013/01/10/20486781.html
-http://www.cso.com.au/article/446230/australian_job_seekers_caught_drake_us50k_h
acker_ransom_standoff_/

Army Unit Focuses on Criminal Cyber Investigations (January 8, 2013)

The US Army's CID's Computer Crimes Investigative Unit (CCIU) is the "sole entity for conducting criminal investigations involving Army computer networks." Its work has led to arrests of soldiers, civilians, and foreign nationals. CCIU became an official investigative unit within CID in January 2000. The digital evidence collected by CCIU is handled by its Digital Forensic Research Branch.
-http://www.army.mil/article/93984/Computer_detectives_hunt_hackers__deliver_digi
tal_justice/

Some Government Agency Workers Knowingly Bought Pirated Software (January 8, 2013)

More details are emerging about the pirated software scheme that resulted in the arrest of Xiang Li, who recently pleaded guilty to copyright infringement and wire fraud charges. "Some of Li's biggest customers were Americans who held significant engineering positions with government agencies and government contractors," according to an Immigration and Customs Enforcement (ICE) spokesperson. One of those was a NASA electronics engineer who bought US $1.2 million worth of software used in telecommunications design and aerospace technology from Li.
-http://www.nextgov.com/cybersecurity/2013/01/nasa-engineer-defense-contractor-kn
owingly-bought-illicit-software-chinese-conspirator/60525/?oref=ng-HPtopstory

Suspect Allegedly Stole Millions From Online Bank Accounts (January 7, 8, & 10, 2013)

Police in Thailand have arrested an Algerian man in connection with thefts from online US bank accounts. Hamza Bendelladj allegedly stole millions of dollars from accounts at more than 200 financial institutions using botnets powered by ZeuS. US federal agents have been tracking his activity for three years. Bendelladj has said that he spent the stolen funds on first class travel and other luxuries. He will be extradited to the US.
-http://krebsonsecurity.com/2013/01/police-arrest-alleged-zeus-botmaster-bx1/
-http://www.bbc.co.uk/news/world-asia-20937024
-http://www.theregister.co.uk/2013/01/08/cybercrook_suspect_thai_arrest/

21-Month Sentence for Point-of-Sale Payment Card Data Thief (January 8, 2013)

A Romanian man has been sentenced to 21 months in prison for his role in a payment card hacking scheme. Cezar Iulian Butu pleaded guilty to one count of conspiracy to commit access device fraud in September 2012. A co-conspirator in the scheme, Iulian Dolan, has pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit access device fraud; he will be sentenced in April. A third defendant, Adrian-Tiberiu Oprea, will face trial next month, and a fourth defendant, Florin Radu, is still at large. The scheme involved breaking into point of sale payment card processing systems at more than 50 US retailers. The hackers placed backdoors on systems they infiltrated.
-http://www.wired.com/threatlevel/2013/01/subway-hacking-scam/
-http://www.net-security.org/secworld.php?id=14197
-http://www.wired.com/images_blogs/threatlevel/2011/12/Indictment_Romanian-POS-Ha
ckers.pdf

Classified Documents Stolen from Japanese Agriculture Dept. (January 3 & 4, 2013)

Hackers have stolen more than 3,000 classified documents from Japan's Ministry of Agriculture, Forestry, and Fisheries. Some of the documents are relevant to the Trans-Pacific Partnership free trade agreement. The attack employed a Trojan horse program "along with a connection bouncer called 'HTran'," a tool used to disguise the location of the command and control server.
-http://www.esecurityplanet.com/hackers/hackers-steal-3000-classified-japanese-go
vernment-documents.html
-http://www.zdnet.com/japan-ministry-information-reportedly-stolen-in-cyberattack
-7000009323/
-http://www.yomiuri.co.jp/dy/national/T130102002295.htm
[Editor's Comment (Northcutt): It just gets harder and harder to detect these things. An example of a service that employs a bouncer is Filetopia, you can probably guess what they do. And here is a Dell SecureWorks writeup on HTran:
-http://www.filetopia.org/bouncer.htm
-http://www.secureworks.com/cyber-threat-intelligence/threats/htran/]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/