SANS NewsBites - Volume: XIII, Issue: 58


Update: A short and powerful new document was released yesterday by the Defense
Signals Directorate of the Australian Department of Defense (DSD). DSD is
responsible for security of military and civilian agencies in Australia. The new
document condenses the findings from DSD investigations of all known targeted cyber
attacks against Australian government systems (civilian and defense) into an updated
list of 35 mitigations that are the best hope for stopping or mitigating the
targeted attacks that are decimating government and industry around the world. Four
of the mitigations are set apart as the ones that must be done first. The most
important use of this document is as an audit targeting system so that government
inspector generals, private auditors, and CISOs benchmark their organizations'
effectiveness in implementing the first four this year and the rest of them as soon as
the first four are fully and effectively in place. The DSD 35 is a perfect match to
the 20 Critical Controls (CAG) developed by DHS and NSA and the Department of Energy
and SANS and others in the US, but the new document adds a critically valuable level
of prioritization.
You will find it at http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Alan

*************************************************************************
SANS NewsBites                     July 22, 2011                    Volume: XIII, Issue: 58
*************************************************************************
TOP OF THE NEWS

  Sony Insurer Asks Court to Say it's Not Liable to Defend Sony Against Breach Actions
  Arrests Made Following Raids on Homes of Anonymous and LulzSec Suspects
  Microsoft Offers Reward for Arrest of Rustock Operators

THE REST OF THE WEEK'S NEWS

  Phony Apple Stores Reported in China
  Man Arrested for Allegedly Infecting Computers with Malware
  Details Emerge About How Attackers Infiltrated DOD Lab Network
  Apple Updates Safari, Releases OS X 10.7
  Google Warning of Poisoned Search Results
  Activist Allegedly Hacked Into MIT Systems
  US House Subcommittee Passes Breach Notification Bill
  IRS Chastised for Dragging Feet in Breach Notification


********************** Sponsored By SAINT Corporation ********************

SAINT 7.9 has been released and includes a phishing assessment module, web site cloning, and enables web cameras through exploitation. More information is at http://www.sans.org/info/82529

*************************************************************************

TRAINING UPDATE

- --SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include When Prevention Fails: Extending IR and Digital Forensics Capabilities to the Corporate Network; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- --SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- --SANS Ottawa 2011, Ottawa, Ontario, August 28- September 2, 2011 6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- --SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi, London and Baltimore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************


TOP OF THE NEWS

Sony Insurer Asks Court to Say it's Not Liable to Defend Sony Against Breach Actions (July 21 & 22, 2011)
Sony's insurer, Zurich American Insurance Company (ZAIC), and its parent company, the Zurich Insurance Company, are suing the media company, saying that the series of security breaches the company suffered earlier this year are not covered by its policy with Zurich. Zurich's complaint alleges that Sony has demanded that it defend the company against the plethora of lawsuits and "potential actions instituted by one or more state attorney general's offices." ZAIC maintains that Sony's policy covers only "bodily injury," "property damage," and "personal and advertising injury."
-http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/
-http://www.computerworld.com/s/article/9218577/Sony_insurer_says_it_s_not_liable_for_breach_related_costs?taxonomyId=17
-http://www.reuters.com/article/2011/07/21/us-insurance-sony-idUSTRE76K3PY20110721
-https://iapps.courts.state.ny.us/fbem/DocumentDisplayServlet?documentId=tirVQewp3WujFno1EgNuTA==&system=prod

[Editor's Note (Pescatore): No cyber insurance policy ever protected your customers' data, and many of them even fail to provide any meaningful bounding of the financial exposure from a cyber-incident. Since software engineering is an oxymoron, it is impossible for insurance companies to have a meaningful basis for assessing risk and thus premiums are high, payouts are limited and, as the ZAIC suit illustrates, the definition of a qualifying "injury" or event may also be very limited.
(Paller): A few years ago the White House cyber coordinator was being pressured, by people paid by a major insurer, to back cyber insurance as an incentive for better security - "just as fire insurance and resulting building standards helped improve building safety." The coordinator asked me to find out how well cyber insurance was working. I met with the representatives of nearly every organization selling cyber insurance in the U.S. and was surprised that they were unable to provide even one example where any of their insurance policies ever paid for the kinds of losses that weak cyber security facilitated. It turns out the problem they face is lack of reinsurance; without it, insurers will not take the risk. Reinsurance requires that a fire in Chicago not also be happening in New York and Atlanta and everywhere else. The cyber threat can and does affect many victims in many places; its losses simply cannot be re-insured effectively. Without reinsurance, the insurers had to radically constrain the losses they covered. If you bought a cyber policy, don't bet your career on telling your boss that your company "is covered for cyber losses." ]


Arrests Made Following Raids on Homes of Anonymous and LulzSec Suspects (July 19 & 20, 2011)
Twenty-one people in the US, the Netherlands and the UK have been arrested in connection with a distributed denial-of-service (DDoS) attack on PayPal and other cyber attacks. Sixteen arrests were made in the US. Fourteen of those arrested in the US are believed to be members of the Anonymous hacking collective that launched an attack on PayPal after the online payment facilitator refused to process payments to support WikiLeaks. The other two people arrested in the US are facing charges for alleged attacks on InfraGard and AT&T; those attacks were conducted in the name of LulzSec.
-http://www.wired.com/threatlevel/2011/07/paypal-hack-arrests/
-http://www.theregister.co.uk/2011/07/19/anonymous_hacking_arrests/
-http://www.theregister.co.uk/2011/07/20/europe_anon_suspects_cuffed/
-http://www.bbc.co.uk/news/world-us-canada-14212110
-http://www.h-online.com/security/news/item/FBI-arrests-suspected-members-of-Anonymous-1282502.html
-http://www.computerworld.com/s/article/9218528/_Anonymous_arrests_tied_to_PayPal_DDoS_attacks_FBI_says?taxonomyId=17
-http://www.theatlanticwire.com/technology/2011/07/how-two-lulzsec-hackers-slipped/40215/



Microsoft Offers Reward for Arrest of Rustock Operators (July 18 & 19, 2011)
Microsoft is offering a US $250,000 reward for information that leads to the arrest and conviction of those responsible for the Rustock botnet. Earlier this year, Microsoft launched a concerted attack on Rustock when it obtained court orders that allowed authorities to seize the botnet's command and control servers. At one point, Rustock was believed to be responsible for 40 percent of all spam sent worldwide.
-http://krebsonsecurity.com/2011/07/microsoft-offers-250k-bounty-for-rustock-author/
-http://www.h-online.com/security/news/item/Microsoft-offers-250-000-for-information-on-Rustock-botnet-1281469.html
-http://www.theregister.co.uk/2011/07/18/microsoft_rustock_reward/
-http://www.computerworld.com/s/article/9218503/Microsoft_posts_250K_reward_for_Rustock_botnet_herders?taxonomyId=17




*************************** SPONSORED LINKS ******************************

1) SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 -30. http://www.sans.org/info/82539

****************************************************************************


THE REST OF THE WEEK'S NEWS

Phony Apple Stores Reported in China (July 21, 2011)
An American ex-pat blogging from Kunming, China, has reported finding three phony Apple stores in that city. The blogger said that the staff at the establishments appeared to believe that they were actually employed by Apple, but certain details, including the words "Apple Store" outside the storefronts, led to suspicion that the establishments were bogus. The origin of the merchandise being sold has not been determined. A Wall Street Journal reporter managed to speak to one of the store's employees, who appeared to know that the store was not official. Apple has not commented on the situation. Apple has four official stores in China and several official resellers, but the Kunming store appears to be neither.
-http://www.bbc.co.uk/news/technology-14236786
-http://www.pcmag.com/article2/0,2817,2388826,00.asp
-http://www.usatoday.com/tech/news/2011-07-21-apple-china-piracy_n.htm


Man Arrested for Allegedly Infecting Computers with Malware (July 21, 2011)
Authorities in Canada have arrested a man for allegedly placing keystroke-logging software on computers in Canada, the US, France, Russia and the United Arab Emirates. Joseph Mercier was employed as an information security manager at an unnamed organization. He allegedly used his work computers and computers at his home to conduct the scheme, which also allowed him to use infected computers' webcams to spy on people and take pictures.
-http://www.theregister.co.uk/2011/07/21/canadian_bofh_botnet_scam/
-http://www.scmagazineuk.com/security-practitioner-arrested-on-charge-of-hacking-in-canada/article/207988/
-http://www.infosecurity-magazine.com/view/19574/alleged-laval-botnet-creator-arrested-in-canada/



Details Emerge About How Attackers Infiltrated DOD Lab Network (July 20 & 21, 2011)
The cyber attack on the US Department of Energy's Pacific Northwest National Laboratory (PNNL) was carried out through a web server flaw and a zero-day Adobe Flash vulnerability. The attack was detected the Friday prior to the July 4th holiday; the lab then shut down most internal network services and blocked Internet traffic. The attackers gained their initial foothold through public-facing web servers that are considered "low impact" and therefore subject to less stringent security requirements than other components of the lab's network. The attackers used a flaw in the server to plant the Adobe Flash exploit, which was designed to infect the computers of those who visited the site. An analysis of the attack found that the attackers were unable to move laterally within the PNNL network.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231002231/attack-on-pacific-northwest-national-lab-started-at-public-web-servers.html
[Editor's Comment (Northcutt): Sounds like defense in depth in action. Hurrah for the PNNL team!]


Apple Updates Safari, Releases OS X 10.7 (July 20 & 21, 2011)
Apple has issued an update for Safari for Mac OS X and Windows. Version 5.1 of the company's browser addresses 58 security flaws present in earlier versions. Safari 5.1 will run on Mac OS X 10.6; Apple also released an update for Safari to version 5.0.6 for users who are running Mac OS X 10.5. Most of the flaws patched in Safari are in WebKit, and many of those could be exploited through drive-by attacks. The new version of Safari comes bundled with Mac OS X 10.7, known as Lion. Apple is reporting that on the first day it was available, more than one million copies of Lion were sold. It is the first new OS to be offered by Apple as a digital download through the Mac App Store, where it costs US $29.99. The company will also make Lion available on a USB drive for US $69.
-http://www.h-online.com/security/news/item/Safari-updates-close-security-holes-Update-1283018.html
-http://www.computerworld.com/s/article/9218549/Apple_patches_58_Safari_bugs_to_deflect_drive_by_attacks?taxonomyId=17
-http://www.zdnet.com/blog/security/apple-slaps-bandaid-on-critical-safari-windows-security-holes/9095
-http://news.cnet.com/8301-27076_3-20081551-248/apples-lion-hits-1-million-copies-sold/



Google Warning of Poisoned Search Results (July 19, 20 & 21, 2011)
After noticing "unusual search traffic" while conducting maintenance at one of its data centers, Google discerned that some users' computers were infected with a certain strain of malware that was redirecting their Google search results to dodgy websites. The malware causes users' Google search requests to send traffic through certain proxy servers. Google has begun notifying users whose machines appear to be affected. The notification offers a link to an article to help users rid their machines of the malware. The issue has raised some concerns that cyber criminals could start to spoof the alert messages and send users to malicious websites instead of the Help Center page.
-http://www.theregister.co.uk/2011/07/20/google_search_hijack_malware_warning/
-http://www.bbc.co.uk/news/technology-14232577
-http://krebsonsecurity.com/2011/07/google-your-computer-appears-to-be-infected/
-http://www.computerworld.com/s/article/9218532/Google_notices_will_warn_search_users_of_malware?source=CTWNLE_nlt_pm_2011-07-20
-http://www.informationweek.com/news/security/vulnerabilities/231002214
-http://www.scmagazineus.com/google-notifying-users-about-malware-infections/article/207969/
-http://news.cnet.com/8301-1009_3-20080917-83/google-adds-malware-warning-to-search-results/?tag=mncol;txt
-http://www.computerworld.com/s/article/9218576/Security_experts_knock_Google_on_PC_infection_warnings?taxonomyId=85

[Editor's Note (Pescatore): This is really what ISPs should be doing, as they have strongly authenticated relationships with the legitimate end user and are the first point of DNS resolution where the first signs of a compromised PC show up. Google doing so is generally a good thing, but the "Learn how to fix this" link worries me - the spoofing issue is one thing, but Google sells security services and gets lots of money from advertisers who sell security software, hardware and services. There needs to be a lot of transparency on how that link works to avoid conflicts of interest. ]


Activist Allegedly Hacked Into MIT Systems (July 19, 2011)
Aaron Swartz, executive director of online activism group Demand Progress, has been charged with wire fraud, computer fraud, unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. Swartz allegedly broke into a computer network at the Massachusetts Institute of Technology (MIT) and stole millions of documents from an academic and scientific journal archive known as JSTOR. Swartz allegedly broke into a computer wiring closet in the basement of an MIT building, accessed the network through a switch there and downloaded 4.8 million articles that he intended to make available through file-sharing sites. The documents were never posted to file-sharing sites, and have been returned to JSTOR.
-http://www.wired.com/threatlevel/2011/07/swartz-arrest/
-http://www.theregister.co.uk/2011/07/19/harvard_fellow_indicted/
-http://www.computerworld.com/s/article/9218519/Internet_activist_charged_with_hacking_into_MIT_network?taxonomyId=17
-http://news.cnet.com/8301-31001_3-20080754-261/prominent-web-activist-arrested-over-data-theft/?tag=mncol;title

Update: Just days after Swartz's indictment, volumes of articles from JSTOR have been posted to The Pirate Bay in an apparent protest. A message posted along with the files notes that they are not the same articles that Swartz downloaded.
-http://www.wired.com/threatlevel/2011/07/science-pirate-bay/
[Editor's Note (Murray): Demand Progress, a public interest group with which Swartz has been associated, has mounted a campaign insisting that his only offense was "downloading" and suggesting that he was targeted because of his activism. ]


US House Subcommittee Passes Breach Notification Bill (July 20 & 21, 2011)
The trade subcommittee of the US House Energy and Commerce Committee has approved a data breach notification bill. The Secure and Fortify Electronic Data Act has met with criticism from some committee members because they say it contains "loopholes that sacrifice data security and privacy." The bill would require organizations to report most data breaches within 48 hours and also calls for the Federal Trade Commission (FTC) to establish data security regulations for organizations that retain personal information. The bill now goes to the full committee. Concerns about the proposed legislation include the fact that it would take precedence over stronger state notification laws. This bill does not cover email addresses, payroll records, online video and pictures. Notification would be mandatory only when names, phone numbers or credit card numbers are compromised along with Social Security numbers (SSNs). Compromises of SSNs, bank account or credit card account numbers on their own would not mandate notification.
-http://www.computerworld.com/s/article/9218554/House_panel_approves_data_breach_notification_bill?taxonomyId=17
-http://www.scmagazineus.com/breach-law-passes-hurdle-but-faces-opposition/article/208067/



IRS Chastised for Dragging Feet in Breach Notification (July 19, 2011)
The US Internal Revenue Service has been reprimanded by the Treasury Department Inspector General for Tax Administration for failing to notify taxpayers of data security breaches in a timely fashion. In fiscal 2009 and fiscal 2010, the IRS experienced more than 4,000 instances of inadvertent taxpayer information disclosure. A sampling of cases from the two-year period found that 20 percent of the time, the IRS took 86 days to notify affected taxpayers of breaches. Of instances in which taxpayers were not notified at all, five percent were due to the identities of the affected taxpayers not being documented; 10 percent were due to the exposed information not fitting the definition of sensitive personal information; and 21 percent because the information was exposed to individuals and entities that the IRS did not perceive as a threat.
-http://www.washingtonpost.com/local/dc-politics/auditors-scold-irs-over-cybersecurity-issues/2011/07/19/gIQAWEOgOI_story.html



************************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978. Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/