Data Center Risk - Tell us how you manage it and enter to win iPad

SANS NewsBites - Volume: XIII, Issue: 100

*************************************************************************
SANS NewsBites                     December 20, 2011                    Volume: XIII, Issue: 100
*************************************************************************
TOP OF THE NEWS

  Iranian Engineer Says GPS Hack Tricked Drone into Landing
  Exploit Code Boost Cross Site Scripting Attacks Into "Persistent State"

THE REST OF THE WEEK'S NEWS

  Top U.S. High School Cybersecurity Talent Announced
  Republicans Take Steps to Shore Up Cyber Security Around Iowa Caucuses
  Irish Data Protection Commissioner Tells Eircom to Stop Three-Strikes Policy
  Fifty-Five People Charged in Connection with Cyber Theft
  Megaupload Promo Video Back On YouTube After Misguided DMCA Takedown Request
  Reader and Acrobat Updates Address Memory Corruption Flaws
  House Judiciary Committee Does Not Vote on SOPA
  Phone Manufacturers and Carriers Say Carrier IQ Consent is in EULA
  |||List of phones that have Carrier IQ installed: http://gizmodo.com/5868732/the-complete-list-of-all-the-phones-with-carrier-iq-spyware-installed [Editor's Note (Liston): EULA's are consciously written to cover a multitude of sins. If I need to consult a lawyer to figure out what I may be allowing a phone company to do when I use one of their devices, then perhaps the EULA is a tool of obfuscation, rather than explanation. (Murray): The function provided by the software is clearly being abused. However, I have to agree with the software vendor that the responsibility for its use rests with the carriers. However, while there are tens of carriers, there is only one company producing the software.]


********************* Sponsored By Palo Alto Networks ********************

Palo Alto Networks Recognized as a Leader in the Gartner Magic Quadrant for Enterprise Network Firewalls. According to Gartner, vendors in the leaders quadrant "lead the market in offering new safeguarding features, providing expert capability, rather than treating the firewall as a commodity, and having a good track record of avoiding vulnerabilities in their security products."

http://www.sans.org/info/94264

**************************************************************************

TRAINING UPDATE

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/

--SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Why Our Defenses Are failing Us: One Click is all It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/sans-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************


TOP OF THE NEWS

Iranian Engineer Says GPS Hack Tricked Drone into Landing (December 15, 2011)
According to a report in The Christian Science Monitor, the US military drone aircraft that was captured by Iran last week may have been forced to make its unplanned landing in that country through a GPS spoofing attack. An unidentified Iranian engineer is quoted as saying that the navigational weakness was exploited to trick the unmanned aircraft into landing in Iran while "thinking" it was landing at a US military base in Kandahar, Afghanistan. The craft is an RQ-170 Sentinel. Iranian officials released a photo of the drone on December 8, 2011.
-http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-
drone-says-Iranian-engineer-Video

-http://www.theregister.co.uk/2011/12/15/us_spy_drone_gps_spoofing/
-http://www.computerworld.com/s/article/9222728/Iran_tricked_U.S._spy_drone_into_
landing_in_country_report_says?taxonomyId=82



Exploit Code Boost Cross Site Scripting Attacks Into "Persistent State" (December 16, 2011)
Code posted to the Internet can be used to conduct cross-site scripting (XSS) attacks that phish for valuable troves of sensitive information. The person who posted the exploit code is the same one who found a XSS flaw in the American Express site's debugging tool. He claims that his code shows that XSS attacks can be used for harvesting more than cookies and that it "transform
[s ]
a 'non persistent' XSS into a persistent state." It is "self-aware" and infects all links of websites that users with infected machines visit so it can gather information as the user moves through the various pages. Some have questioned the hacker's claim of ingenuity, saying that the technique has been known for a while, but did acknowledge that the XSS attack it offers presents a more potent risk than most. The hacker says he posted the code to demonstrate the need for improved security on online banking websites.
-http://www.theregister.co.uk/2011/12/16/potent_xss_script/
[Editor's Note (Murray): I wonder why the Register chose to characterize this "security researcher" as a "hacker?" Is it possible that they are finally learning that language matters? That is why I prefer "narcissistic vulnerability pimp." ]



************************ SPONSORED LINKS **********************************

1) SAINT is the FIRST product to receive USGCB validation by NIST. SAINT provides both FDCC and USGCB SCAP scanning policies. http://www.sans.org/info/94269

2) Take this groundbreaking survey to help determine policy, controls and standards needed to enable users to use their own small mobile devices for work-related functions. Also be entered to win a $250 American Express Card Giveaway when results are announced in late March at www.sans.org/webcasts. Follow this link to the survey: http://www.sans.org/info/94274

3) SANS 8th Annual Log and Event Management Survey is Under Way - Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts. Follow this link to the survey: http://www.sans.org/info/94279

****************************************************************************


THE REST OF THE WEEK'S NEWS

Top U.S. High School Cybersecurity Talent Announced (December 19, 2011)
The Fall 2011 round of the US Cyber Challenge Cyber Foundation's competition for high school students drew more than 2,000 participants from 32 states and three territories. The students represented 169 high schools. The top five finishers nationally received scholarships. The competition provides students with the opportunity to engage with real-world cyber security issues. The student who placed first is Gavy Aggarwal of Wilmington, Delaware.
-http://gcn.com/articles/2011/12/19/cyber-challenge-high-school-winners.aspx


Republicans Take Steps to Shore Up Cyber Security Around Iowa Caucuses (December 19, 2011)
The Republican Party is taking steps to bolster the security of electronic voting systems that will be used to count votes in next month's Iowa caucuses. The move was made following a threat, attributed to Anonymous, to corrupt the vote-gathering database and crash the website used to keep the public informed about the results. Those responsible for organizing the precinct voting are being encouraged to use paper ballots instead of a show of hands so results can be reconstructed if necessary. Iowa caucuses are run by political parties, not state government.
-http://www.washingtonpost.com/national/apnewsbreak-concerned-about-computer-hack
ers-iowa-gop-take-steps-to-protect-caucus-results/2011/12/19/gIQAby4r3O_story.ht
ml



Irish Data Protection Commissioner Tells Eircom to Stop Three-Strikes Policy (December 19, 2011)
Irish telecommunications company Eircom has 21 days to respond to the Irish Data Protection Commissioner's order to halt its three strikes anti-piracy policy. Eircom instituted the policy as part of a court case settlement with a music industry group, known as IRMA. Eircom's agreement with IRMA involves IRMA providing the ISP with IP addresses of suspected illegal filesharers. Eircom is then supposed to issue a series of warnings which, if unheeded, could result in a yearlong suspension of broadband service. IRMA, then went on to pursue the same kind of deal with other Irish telecommunications companies, but UPC won its case against IRMA after refusing to implement a similar policy. The order to Eircom to abandon the policy is the result of a ruling from the DPC prompted by users' privacy concerns about their IP addresses being used to identify them.
-http://www.siliconrepublic.com/comms/item/25072-eircom-has-21-days-to/
-http://www.thejournal.ie/massive-blow-to-music-industry-as-eircom-anti-piracy-me
asures-rejected-307584-Dec2011/

[Editor's Note (Honan): On the day that this story was announced another newspaper broke the news that the Irish government, in response to legal pressure from EMI, is going to introduce a law in January 2012 to compel Irish ISPs to block access to pirate websites upon request by the copyright holders
-http://www.irishtimes.com/newspaper/frontpage/2011/1219/1224309259318.html.
Yet it is only a few weeks since the EU Court of Justice ruled that "EU law precludes the imposition of an injunction by a national court which requires an internet service provider to install a filtering system with a view to preventing the illegal downloading of files."
-http://curia.europa.eu/jcms/upload/docs/application/pdf/2011-11/cp110126en.pdf.]



Fifty-Five People Charged in Connection with Cyber Theft (December 19, 2011)
Fifty-five people have been indicted on charges related to the theft of millions of dollars from financial institutions as well as stealing and personal information of more than 200 people and organizations. Over a 16-month period between May 2010 and September 2011, the accused allegedly obtained information from insiders at the financial institutions. The scheme also employed middlemen, who used the stolen data to conduct fraudulent transactions or sell it to others who did the same.
-http://www.scmagazineus.com/nyc-authorities-charge-55-in-cyber-fraud-id-theft-ri
ng/article/220013/

-http://www.manhattanda.com/press-release/da-vance-and-nypd-55-defendants-indicte
d-widespread-%E2%80%9Cinsider%E2%80%9D-cyberfraud-scheme

[Editor's Note (Honan): This story is an interesting read as it highlights how the criminals recruited trusted insiders to help them steal money from victim accounts. A reminder that not all threats come solely from external sources and we need to have controls in place to prevent, detect and respond to rogue insiders. ]


Megaupload Promo Video Back On YouTube After Misguided DMCA Takedown Request (December 17, 2011)
After Hong Kong-based Megaupload posted a video on YouTube promoting its hosting and file transfer services, Universal Music Group used automated tools on YouTube to have the video removed for what it said were violations of the digital Millennium Copyright Act (DMCA). Megaupload filed a counter-notice and sued UMG for misrepresentation of copyright infringement. UMG has dropped the take down order and now says it never claimed copyright ownership of the video's content. The promotional video is available on YouTube again.
-http://news.cnet.com/8301-27080_3-57344570-245/mystery-surrounds-universals-take
down-of-megaupload-youtube-video/

-http://news.cnet.com/8301-27080_3-57343935-245/in-sopas-shadow-megaupload-strike
s-back-against-universal/

-http://arstechnica.com/tech-policy/news/2011/12/judge-gives-umg-24-hours-to-expl
ain-takedown-spree.ars



Reader and Acrobat Updates Address Memory Corruption Flaws (December 15 & 17, 2011)
Adobe has released out-of-cycle security updates for Reader and Acrobat 9.x for Windows. The update addresses a memory corruption flaw in the way Universal 3D (U3D) files are handled, which was being actively exploited in the wild; it also fixes a second memory corruption vulnerability in the processing of Product Representation Compact (PRC) 3D files. Adobe has chosen not to update Reader and Acrobat X at this time because the sandboxing feature in both products should protect users from attacks. Updated versions of both X versions will be released on January 10, 2012, Adobe's regularly scheduled update. Updates for Mac and Unix will also be released then. Users running Acrobat and Reader X should make sure that the functions designed to protect them are enabled.
-http://www.h-online.com/security/news/item/Adobe-closes-Acrobat-and-Reader-secur
ity-holes-1397440.html

-http://www.theregister.co.uk/2011/12/17/adobe_reader_critical_update/
-http://www.computerworld.com/s/article/9222712/Adobe_promises_Reader_zero_day_pa
tch_on_Friday?taxonomyId=85

[Editor's Note (Liston): Isn't it about time that we drove a stake through the heart of PDF and started over? This time, let's not include stupid cruft like JavaScript, Flash, and Universal 3D in a *DOCUMENT* format.]


House Judiciary Committee Does Not Vote on SOPA (December 16, 2011)
The US House Judiciary Committee adjourned on Friday, December 16 without passing the Stop Online Piracy Act (SOPA) out of committee and to the House floor. The "abrupt" adjournment was prompted by a motion from Representative Jason Chaffetz (R-Utah), who asked that technical experts be brought in to testify about the security risks posed by allowing alteration of the domain name system.
-http://arstechnica.com/tech-policy/news/2011/12/stop-online-piracy-act-vote-dela
yed-probably-well-into-2012.ars

-http://www.washingtonpost.com/business/economy/sopa-hearings-cast-debate-as-old-
media-vs-new-media/2011/12/16/gIQAmCD3yO_story.html?tid=pm_pop



Phone Manufacturers and Carriers Say Carrier IQ Consent is in EULA (December 16, 2011)
Four mobile phone manufacturers and service carriers have said that their end-user licensing agreements (EULAs) include language that allow then to use Carrier IQ software to monitor a number of functions on the devices. The software in question has become a hot potato issue. Carrier IQ has clarified that its software does not collect users' keystrokes, but that the functionality is in the debug log left on by the handset manufacturer. It has been found only on HTC and Samsung smartphones. Samsung says it places the software on the devices at the carriers' request and that the carriers are responsible for informing customers of its presence. Wireless carrier Sprint says it has disabled the use of the Carrier IQ software on its customers' handsets. Sprint has ceased using the software to collect customer information, including diagnostic data. Sprint has been using Carrier IQ's software since 2006 and has installed it on 26 million handsets.
-http://www.wired.com/threatlevel/2011/12/telcos-say-you-consented/

-http://money.cnn.com/2011/12/16/technology/carrier_iq/index.htm
">
-http://money.cnn.com/2011/12/16/technology/carrier_iq/index.htm


-http://www.computerworld.com/s/article/9222762/Sprint_disables_Carrier_IQ_softwa
re_on_its_handsets?taxonomyId=17


-http://news.cnet.com/8301-1009_3-57344492-83/sprint-disabling-carrier-iq-on-phon
es/?tag=txt;title


-http://money.cnn.com/2011/12/16/technology/carrier_iq/index.htm
">
-http://money.cnn.com/2011/12/16/technology/carrier_iq/index.htm



List of phones that have Carrier IQ installed:
-http://gizmodo.com/5868732/the-complete-list-of-all-the-phones-with-carrier-iq-s
pyware-installed

[Editor's Note (Liston): EULA's are consciously written to cover a multitude of sins. If I need to consult a lawyer to figure out what I may be allowing a phone company to do when I use one of their devices, then perhaps the EULA is a tool of obfuscation, rather than explanation. (Murray): The function provided by the software is clearly being abused. However, I have to agree with the software vendor that the responsibility for its use rests with the carriers. However, while there are tens of carriers, there is only one company producing the software. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/