SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #7

January 25, 2013

TOP OF THE NEWS

UK's ICO Fines Sony Over 2011 Data Breach
Australian PM Launches National Security Strategy, Speaks to Intelligence Agency
Google's Response to Requests for Data is Dropping
Judge Says Unprotected Wireless Network Still Affords Some Expectation of Privacy

THE REST OF THE WEEK'S NEWS

Hardcoded Backdoors in Barracuda Gear
Two Sentenced for DDoS Attacks on PayPal and Other Sites
Cisco Issues Patches for Vulnerabilities in Wireless LAN Appliances
Indictment Charged Three Allegedly Involved in Gozi Scheme
HP's JetDirect Software Makes Networked Printers Vulnerable
Stanford Medical Facility Suffers Another Data Security Breach
US Legislator Promises Net Neutrality Bill if Court Overturns FCC Rules
Putin Orders Federal Security Service to Take Steps to Protect Systems

---

************************ SPONSORED BY Bit9 *******************************
LIVE WEBCAST- Application Control: An Essential Endpoint Security Component. Learn why traditional antivirus techniques are fighting a losing battle against today's increasingly sophisticated malware threat landscape, and how application control is now an essential tool to combat malicious software.
Register Today http://www.sans.org/info/122227
****************************************************************************
TRAINING UPDATE
- - --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- - --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- - --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- - -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- - --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

- - --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

- - --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus New Delhi, Scottsdale, Brussels, Johannesburg, Abu Dhabi, and Seoul all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

UK's ICO Fines Sony Over 2011 Data Breach (January 23 & 24, 2013)

The UK's Information Commissioner's Office (ICO) has imposed a GBP 250,000 (US $395,000) fine against Sony Computer Entertainment Europe for violating the country's Data Protection Act. In April 2011, the personal information of millions of UK citizens was exposed after hackers gained access to the Sony PlayStation Network's systems. The ICO launched an investigation that determined that the compromise could have been prevented if Sony had kept its software patched and adhered to best practices, including hashing and salting sensitive data. Deputy commissioner and director of data protection for the ICO David Smith said that Sony "is a company that trades on technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe." Sony plans to appeal the ruling.
-http://www.bbc.co.uk/news/technology-21160818
-http://www.theregister.co.uk/2013/01/24/sony_psn_breach_fine/
-http://www.computerworld.com/s/article/9236148/Sony_fined_396_000_in_U.K_for_201
1_PlayStation_hack?taxonomyId=17
-http://www.zdnet.com/uk/uk-fines-sony-395k-for-2011-playstation-hack-7000010256/
-http://www.h-online.com/security/news/item/Sony-fined-Lb250-000-for-2011-PlaySta
tion-Network-breach-Update-1790549.html
ICO's News Release:
-http://www.ico.gov.uk/news/latest_news/2013/ico-news-release-2013.aspx
[Editors Note (Honan): This fine could have far reaching consequences for Sony. Under the UK Data Protection Act 1988 there is a provision that individuals can claim compensation from an organisation found to be in breach of the Data Protection Act should the individual suffer damage as a result of the behavior identified in the finding.
-http://www.ico.gov.uk/for_the_public/personal_information/compensation.aspx
(Pescatore): The cost of a breach that exposes your customers' information is always orders of magnitude larger than any compliance-related fine your company will ever get hit with. That fine equals about .2% of Sony's stated $171M cost of the incident, and Sony's real costs were likely higher than what they publicly estimated.

Australian PM Launches National Security Strategy, Speaks to Intelligence Agency (January 23 & 24, 2013)

Australian Prime Minister Julia Gillard has launched the country's National Security Strategy, which identifies cybersecurity as an area for increased effort. She noted that "government alone cannot develop a secure and safe digital environment" and that it is important to "work closely with industry and international partners." Gillard also announced the development of the Australian Cyber Security Centre, which is expected to be operational by the end of the year. Gillard also visited Australia's Defence Signals Directorate; she is the second Australian PM to ever visit that intelligence agency. Text of Prime Minister Gillard's Speech Launching Australia's National Security Strategy:
-http://www.pm.gov.au/press-office/australias-national-security-beyond-911-decade
Announcement of Cyber Security Centre:
-http://www.pm.gov.au/press-office/australian-cyber-security-centre
Remarks to Staff at Defence Signals Directorate:
-http://www.pm.gov.au/press-office/transcript-remarks-staff-defence-signals-direc
torate
-http://www.theage.com.au/opinion/political-news/gillard-visits-top-secret-spy-hu
b-20130124-2d8vu.html
[Editor's Note (Henry): The Australian PM's recognition of cyber as the number two priority in their National Security Strategy is encouraging. The Australians are intimately familiar with the cyber threat, particularly as it relates to foreign intelligence services, and my experiences with them have been very positive and valuable. ]

Google's Response to Requests for Data is Dropping (January 23, 2013)

According to Google's semi-annual Transparency Report, governments' requests for information are on the rise. Since 2009, such requests have increased 70 percent worldwide. In the most recent six-month period, July-December 2012, Google received 21,389 requests for data from 33,634 user accounts. The report also shows that Google is responding to fewer requests. In the most recent period, Google responded to 88 percent of requests from the US government. In the previous period, that figure was 90 percent, down from 93 percent in the period prior to that. Worldwide, Google's response to requests globally has fallen over the past two years from 76 percent to 66 percent. In some countries, Google's response rates to governmental requests is approaching zero. The report also describes the different legal processes the governments use when making the requests.
-http://www.wired.com/threatlevel/2013/01/google-says-get-a-warrant/
-http://news.cnet.com/8301-1009_3-57565385-83/u.s-leads-the-world-in-requests-for
-users-google-data/
-http://www.informationweek.com/government/policy/google-sees-growing-government-
demand-fo/240146808
Google Transparency Report:
-https://www.google.com/transparencyreport/userdatarequests/US/
[Editor's Note (Murray): 33000 requests does not even include "national security letters," in part because these routine tools forbid the recipient to disclose them. That the government has not hauled Google into court when it pushes back suggests that, not only does it fear an adverse ruling, it fears the light of day. Use and abuse of the Internet by government will clearly get much worse before it gets better. There are now so many exceptions to the Fourth Amendment that it operates only by accident. ]

Judge Says Unprotected Wireless Network Still Affords Some Expectation of Privacy (January 23, 2013)

A federal judge in Oregon has granted a defendant's motion to suppress evidence gathered by police as well as his subsequent testimony because the evidence was obtained illegally. A neighbor who was inadvertently connected to the John Henry Ahrndt's unprotected wireless home network discovered that Ahrndt had inadvertently made available for sharing a user library that appeared to contain incriminating evidence. The neighbor contacted law enforcement authorities. When a deputy saw the list of files, he asked the neighbor to open one of them, which revealed the offending content. Ahrndt was initially sentenced to 10 years in prison for possession of child pornography, but the US Court of Appeals for the Ninth Circuit reversed that ruling. The judge said that Ahrndt still had a reasonable expectation of privacy, albeit somewhat diminished by his failure to protect his wireless network. The judge said that simply viewing the list of filenames did not violate Ahrndt's rights, but added that it was unlikely that the list of filenames would have been sufficient to issue a probable cause warrant.
-http://www.computerworld.com/s/article/9236036/Exposure_of_files_on_unsecured_wi
reless_no_excuse_to_search_judge_rules?taxonomyId=17
[Editor's Note (Pescatore): A long legal history behind this one. Just because someone doesn't pull the shades all the way down on a window does *not* mean Peeping Toms have open license.
(Northcutt): I am setting a Google alert because this might set be an important precedent in case law. Why do the big ones seem to involve kiddie porn so often; sad? In any case here is the guilty plea and an article that raises some of the issues of the case:
-http://www.docstoc.com/docs/101576658/pleaded-guilty---Wiredcom
-http://www.privatewifi.com/using-unsecured-wifi-networks-could-jeopardize-your-c
onstitutional-right-to-privacy/]

---

************************ Sponsored Links: *******************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/122232
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/122237
3) Are You Ready for the Cyber Readiness Challenge? Join the competition to win prizes! Register: http://www.sans.org/info/122425
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hardcoded Backdoors in Barracuda Gear (January 24, 2013)

Multiple products from Barracuda have been found to have hardcoded backdoors that could be exploited to gain access to vulnerable systems. The backdoor accounts, which can be accessed via the secure shell (SSH) protocol, allow attackers to log in remotely and access sensitive information or take control of networks. The backdoor accounts are protected with weak passwords and cannot be disabled. The problem was reported to Barracuda in November 2012. There is a specific set of IP addresses that can access the appliances, but Barracuda does not own all of those addresses. Barracuda is urging all users to update their security definitions to version 2.0.5.
-http://isc.sans.edu/diary/Barracuda+Back+Door+/15004
-http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-g
ear-from-barracuda-networks/
-http://www.zdnet.com/backdoor-root-logins-found-in-barracuda-security-networking
-gear-7000010287/
-http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/
-http://www.h-online.com/security/news/item/Backdoors-in-many-Barracuda-appliance
s-1790947.html
-http://www.scmagazine.com/barracuda-appliances-susceptible-to-backdoor-access/ar
ticle/277391/
-http://www.theregister.co.uk/2013/01/24/barracuda_backdoor/
-http://www.informationweek.com/security/vulnerabilities/barracuda-security-equip
ment-contains-ha/240146890
[Editor's Note (Pescatore): Lots of products have the hooks for remote access but any product (let alone a security product) that keeps such features hidden from its customers is automatically a huge risk. Products that have such risky undocumented capabilities almost invariable compound the risk by having weak security around the features since they were depending on the always unreliable "security through obscurity." ]

Two Sentenced for DDoS Attacks on PayPal and Other Sites (January 24, 2013)

A UK court has sentenced two men to jail for their involvement with the hacking collective that calls itself Anonymous. Christopher Weatherhead and Ashley Rhodes received sentences of 18 months and seven months, respectively, for launching distributed denial-of-service (DDoS) attacks against a number of sites, including PayPal, MasterCard, and Visa. Two other men were involved in the attacks: Peter Gibson received a six-month sentence, suspended for two years. Jake Birchall will be sentenced on February 1. The convictions in this case are believed to be the first in the UK for DDoS attacks.
-http://www.bbc.co.uk/news/uk-21187632
-http://www.theregister.co.uk/2013/01/24/uk_anonymous_hackers_sentencing_payback/
-http://www.guardian.co.uk/technology/2013/jan/24/anonymous-hackers-jailed-cyber-
attacks

Cisco Issues Patches for Vulnerabilities in Wireless LAN Appliances (January 24, 2013)

Vulnerabilities in Cisco wireless LAN appliances could be exploited to allow remote code execution and trigger denial-of-service conditions. Cisco has released a fix for the problems and is urging administrators to patch affected products. In some instances, limiting SNMP access on wireless controllers can lessen the threat of attacks.
-http://www.v3.co.uk/v3-uk/news/2238990/cisco-issues-security-warning-for-wireles
s-lan-controllersnetwork-appliances-vulnerable-to-dos-attacks
[Editor's Note (Pescatore): Good reminder to check if your patch management processes extend out to WLAN access points. ]

Indictment Charged Three Allegedly Involved in Gozi Scheme (January 23 & 24, 2013)

An indictment unsealed earlier this week charges Nikita Kuzmin, Deniss Calovskis, and Mihai Ionut Paunescu in connection with creating and distributing the Gozi Trojan horse program, which was used to steal millions of dollars from online bank accounts around the world. The scheme infected more than 40,000 computers in the US alone, including systems at NASA. In all, at least one million computers were infected worldwide. Kuzmin, who is from Russia, was arrested in the US in November 2010. He pleaded guilty to several charges in May 2011. Calovskis has been arrested in Latvia, and Paunescu has been arrested in Romania; US authorities are seeking their extradition.
-http://www.theregister.co.uk/2013/01/24/gozi_trojan_indictment/
-http://www.computerworld.com/s/article/9236055/Three_indicted_for_making_spreadi
ng_Gozi_Trojan?taxonomyId=17
-http://krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-tro
jan/
-http://www.wired.com/threatlevel/2013/01/mastermind-behind-gozi-charged/
-http://news.cnet.com/8301-1009_3-57565535-83/3-charged-in-malware-scheme-targeti
ng-bank-accounts/
-http://www.justice.gov/usao/nys/pressreleases/January13/GoziVirusPR.php
[Editor's Note (Henry): This was a complex investigation, requiring collaboration between US agencies and international partners. These global intrusions, where victims and subjects alike cross national boundaries, require this type of cooperation; a great example of the success that can be achieved from partnerships. ]

HP's JetDirect Software Makes Networked Printers Vulnerable (January 23, 2103)

Vulnerabilities in Hewlett-Packard's (HP's) JetDirect software could allow attackers to circumvent biometric and other security protections to access partially printed documents and crash all machines running the vulnerable software that are connected to the network. The software is used in internal, external, and embedded print servers from many manufacturers, not just HP. It is designed to manage print requests made through networks.
-http://www.informationweek.com/security/vulnerabilities/security-flaws-leave-net
worked-printers/240146805

Stanford Medical Facility Suffers Another Data Security Breach (January 23, 2013)

The Lucile Packard Children's Hospital at Stanford University has notified 57,000 patients that their personal information was compromised after an unencrypted laptop containing the data was stolen from a doctor's car. The theft occurred on January 9, 2013, and was reported to the hospital the following day. The incident is the fourth data security breach involving a Stanford medical facility since January 2010.
-http://www.healthcareitnews.com/news/fourth-hipaa-breach-involving-stanford-u

US Legislator Promises Net Neutrality Bill if Court Overturns FCC Rules (January 22 & 23, 2013)

US Representative Anna Eshoo (D-California) said earlier this week that if a federal court overturns the Federal Communications Commission's (FCC's) net neutrality rules, she will introduce a bill to 'ensure a free and open Internet.' Eshoo is the ranking member of the House Energy and Commerce Committee's Communications and Technology Subcommittee. Verizon Communications is challenging the FCC's rules. The US Court of Appeals for the District of Columbia Circuit is considering that lawsuit and will likely issue a decision later this year.
-http://www.bna.com/eshoo-offer-net-n17179871971/
-http://thehill.com/blogs/hillicon-valley/technology/278493-democrat-vows-to-push
-net-neutrality-bill-if-fcc-rules-overturned
[Editor's Note (Murray): Even the FCC caved to AT&T and Verizon on the wireless side, where "net neutrality" is really important. It is ludicrous to think that this broken Congress can legislate against them. Even on the wired side, any legislation is likely to look like the tax code or Obama Care. Good public policy is now bad politics. ]

Putin Orders Federal Security Service to Take Steps to Protect Systems (January 21, 2013)

After learning that the Red October cyberespionage campaign had infiltrated Russian government and embassy computer systems, Russia's president, Vladimir Putin, ordered the country's Federal Security Service (FSB) to "create a state system for the detection, prevention, and liquidation of the effects of computer attacks on the information resources of the Russian Federation."
-http://www.reuters.com/article/2013/01/21/russia-cyber-security-putin-idINDEE90K
0AZ20130121

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/