Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #33

April 26, 2013

TOP OF THE NEWS

Chinese General Says Cyber Attacks Are Like Nuclear Bombs
AP's Twitter Account Hacked; Phony Message Affected Financial Markets

THE REST OF THE WEEK'S NEWS

CISPA Not Likely to Go Far in Senate
Senate Judiciary Committee Approves ECPA Amendments Act
Google Transparency Report Shows Increase in Content Removal Requests from Governments
DOJ Granted Immunity to ISPs Participating in Threat Monitoring Program
Judge Denies FBI Permission to Install Surveillance Software on Suspect's Computer
Nosal Convicted Under Computer Fraud and Abuse Act
Australian Federal Police Arrest Alleged LulzSec Leader
Judge Will Not Force Man to Decrypt Hard Drives
Microsoft Releases New Version of Problematic Patch


TRAINING UPDATE

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


-- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses.
http://www.sans.org/event/london-summer-2013


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Bangalore, Johannesburg, Malaysia, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Chinese General Says Cyber Attacks Are Like Nuclear Bombs (April 22, 2013)

While rejecting claims that the Chinese military is behind cyberspying aimed at Western companies, the chief of staff of the People's Liberation Army likened cyber attacks to nuclear bombs, saying "If the security of the Internet cannot be guaranteed, then ... results may be as serious as a nuclear bomb."
-http://online.wsj.com/article/SB10001424127887323551004578438842382520654.html
-http://www.informationweek.com/security/attacks/cyber-strikes-like-nuclear-bombs-says-ch/240153442

[Editor's Note (Paller): Not so far-fetched. When Gary Roughead was U.S. Chief of Naval Operations he told Tony Sager and Jim Lewis and me, "for the Navy, Cyber is more important now than nuclear." Sadly, the Navy's new leadership hasn't followed through on making the Navy a leader in cyberspace.]

AP's Twitter Account Hacked; Phony Message Affected Financial Markets (April 23 & 24, 2013)

The Associated Press's Twitter account was hacked earlier this week. The attackers issued a phony tweet that there had been explosions at the White House. In response to the bogus news, the Dow Jones Industrial Average dropped 140 points. It rebounded after the White House announced that the tweet was phony. There have been calls for Twitter to improve security in the past, but this incident may serve as a tipping point. Twitter has announced that it is currently testing two-factor authentication internally and hopes to introduce it to users "shortly." Some are questioning whether two-factor authentication would have stood in the hackers' way. The problem was not so much Twitter's security as it was AP employees falling for a phishing attack.
-http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/
-http://www.computerworld.com/s/article/9238637/AP_Twitter_hack_looks_like_a_security_tipping_point?taxonomyId=17
-http://www.theregister.co.uk/2013/04/23/hacked_ap_tweet_dow_decline/
-http://www.informationweek.com/security/attacks/twitter-preps-two-factor-authentication/240153539
-http://www.nextgov.com/mobile/2013/04/good-timing-twitter-will-soon-release-two-step-security-solution/62747/?oref=ng-channelriver
-http://www.scmagazine.com/two-factor-authentication-may-have-done-little-to-stop-the-ap-twitter-hijack/article/290396/

[Editor's Note (Pescatore): I'm not sure which is scarier: (1) AP having weak security around their official Twitter accounts, or (2) Institutional stock traders making buy/sell decisions based on tweets. Well, actually (2) is much scarier.
(Ranum): Now that cell phones have become nearly ubiquitous for the tweeting class, it's ridiculous not to offer cell-phone-based 2-factor authentication. However, when I polled a room of security practitioners last year, only 4 people out of the room of about 300 said that they used it.]


THE REST OF THE WEEK'S NEWS

CISPA Not Likely to Go Far in Senate (April 25, 2013)

The Cyber Information Sharing and Privacy Act, better known as CISPA, is likely to die in the US Senate, according to Senator Jay Rockefeller (D-WV). CISPA passed in the House last week, but Senator Rockefeller says that the privacy protections CISPA offers are "insufficient" and he thinks that the Senate will not take up the bill. The White House has also indicated that it does not support CISPA as currently drafted.
-http://www.zdnet.com/cispa-dead-in-senate-privacy-concerns-cited-7000014536/

Senate Judiciary Committee Approves ECPA Amendments Act (April 25, 2013)

The US Senate Judiciary Committee has approved the Electronic Communications Privacy Act (ECPA) Amendments Act, which would require law enforcement agents to obtain warrants to access electronic communications that are more than 180 days old. ECPA was signed into law in 1986, when communications stored for more than 180 days were considered to have been abandoned. With today's prevalence of web-based email and cloud storage services, people are storing their communications for longer and longer periods of time. The amended bill would require warrants for obtaining all private electronic communications.
-http://www.computerworld.com/s/article/9238685/Senate_committee_limits_government_electronic_surveillance?taxonomyId=17
-http://www.wired.com/threatlevel/2013/04/email-warrants-bill/
-http://arstechnica.com/tech-policy/2013/04/proposals-to-end-warrantless-e-mail-searches-gain-momentum-in-congress/
-http://www.zdnet.com/plans-to-end-warrantless-email-searches-pass-senate-committee-7000014527/

Google Transparency Report Shows Increase in Content Removal Requests from Governments (April 25, 2013)

According to Google's most recent transparency report, the company received more requests from governments to remove content in the last six months of 2012 than during any previous six-month period for which records have been kept. Between July and December 2012, Google received 2,285 requests from governments around the world to remove a total of 24,179 pieces of content. The figures for the first half of 2012 were 1,811 requests to remove 18,070 pieces of content. Many of the requests came from governments seeking the removal of content critical of government officials. Google does not automatically comply with content removal requests, but instead scrutinizes the legality of requests and considers each request's scope.
-http://news.cnet.com/8301-1009_3-57581399-83/google-more-government-takedown-requests-than-ever-before/
-http://www.zdnet.com/google-reports-more-government-removal-requests-than-ever-before-7000014525/

Google's Transparency Report:
-http://www.google.com/transparencyreport/

DOJ Granted Immunity to ISPs Participating in Threat Monitoring Program (April 24, 2013)

According to documents obtained by the Electronic Privacy Information Center (EPIC) through a Freedom of Information Act (FOIA) request, the US Justice Department granted some Internet service providers (ISPs) immunity from prosecution for their participation in a communications monitoring and interception program. The program, originally known as the Defense Industrial Base Cyber Pilot project, was designed to monitor traffic for indicators of cyberthreats and use the information to help protect systems from cyberattacks. Participation was initially limited to certain defense contractors and their ISPs, but has since been expanded to include all sectors of critical infrastructure. The DOJ provided the ISPs with "2511 letters," granting them immunity for the monitoring activity.
-http://news.cnet.com/8301-13578_3-57581161-38/u.s-gives-big-secret-push-to-internet-surveillance/
-http://www.wired.com/threatlevel/2013/04/immunity-to-internet-providers/

Judge Denies FBI Permission to Install Surveillance Software on Suspect's Computer (April 24 & 25, 2013)

The FBI may not install specialized surveillance software on a suspect's computer, according to a ruling from a federal magistrate judge. Judge Stephen Smith said that the order requested by the FBI was too broad and too invasive. The FBI had sought permission to install specialized software on a computer used by the suspect; the software "has the capacity to search the computer's hard drive, random access memory, and other storage media; to activate the computer's ... camera; to generate [location] data for the device; and to transmit the extracted data to FBI agents." The judge also took the FBI to task for failing to specify how the operation would be certain to target the suspect and no one else.
-http://arstechnica.com/tech-policy/2013/04/fbi-denied-permission-to-spy-on-hacker-through-his-webcam/
-http://www.computerworld.com/s/article/9238699/Judge_rejects_FBI_s_bid_to_hack_computer_of_suspect_in_attempted_cyberheist?taxonomyId=17

Nosal Convicted Under Computer Fraud and Abuse Act (April 24, 2013)

A federal jury in San Francisco has convicted David Nosal on half a dozen charges, including theft of trade secrets and hacking, even though he never broke into a computer. Nosal was tried under the Computer Fraud and Abuse Act (CFAA), a law that has come under increased scrutiny following the suicide of Aaron Swartz. Critics say that CFAA allows for overly broad interpretations. In Nosal's case, the jury concluded that he had paid former colleagues to access a company database and provide him with information that allowed him to start a competing business.
-http://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/

Australian Federal Police Arrest Alleged LulzSec Leader (April 23 & 24, 2013)

The Australian Federal Police have arrested a man who is the self-described leader of LulzSec. The suspect, Matthew Flannery, was arrested in Sydney and has been released on bail. Flannery has been charged with unauthorized modification of data to cause impairment and unauthorized access to or modification of restricted data. He allegedly defaced an Australian government website.
-http://news.cnet.com/8301-1009_3-57581074-83/australian-police-arrest-alleged-leader-of-lulzsec-hacking-group/
-http://www.scmagazine.com/alleged-lulzsec-leader-charged-with-hacking-australian-government-site/article/290374/
-http://www.nbcnews.com/technology/technolog/lulzsec-leader-arrested-australian-cops-say-6C9576130

Judge Will Not Force Man to Decrypt Hard Drives (April 23 & 24, 2013)

A federal judge in Wisconsin said that forcing a suspect to decrypt his hard drives would violate his Fifth Amendment right against self-incrimination. Judge William E. Callahan called the decision a "close call."
-http://arstechnica.com/tech-policy/2013/04/fifth-amendment-shields-child-porn-suspect-from-decrypting-hard-drives/
-http://www.wired.com/threatlevel/2013/04/encrypt-your-data/
Text of Ruling:
-http://ia601700.us.archive.org/6/items/gov.uscourts.wied.63043/gov.uscourts.wied.63043.3.0.pdf

[Editor's Note (Murray): In the general case, if you make a record and a judge finds that it is relevant to a matter before the court, you will have to disclose it. Locking it in a vault or hiding it with encryption will not protect it. On the other hand, we should be able to rely upon the courts to resist "unreasonable searches and seizures."]

Microsoft Releases New Version of Problematic Patch (April 23 & 24, 2013)

Microsoft has released an updated version of MS13-036, a security bulletin that included a patch that was reportedly causing problems for some users. The original update, issued on April 9, was reportedly causing some PCs to crash. Microsoft pulled the patch on the 12th. Users who have automatic updates enabled will have the patch updated automatically.
-http://www.zdnet.com/microsoft-issues-new-version-of-patch-pulled-on-patch-tuesday-7000014473/
-http://www.scmagazine.com/microsoft-issues-replacement-for-botched-patch/article/290377/
-http://www.h-online.com/security/news/item/Microsoft-patches-the-patch-1848659.html
-http://www.computerworld.com/s/article/9238628/Microsoft_re_releases_Blue_Screen_of_Death_patch?taxonomyId=17



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/