SANS NewsBites - Volume: XIII, Issue: 82

*************************************************************************
SANS NewsBites                     October 14, 2011                    Volume: XIII, Issue: 82
*************************************************************************
TOP OF THE NEWS

  Blackberry Services Restored After Three-Day Failure
  Air Force Downplays Severity of Malware Infection on Drone Computer System

THE REST OF THE WEEK'S NEWS

  Dutch ISP Files Complaint Against Spamhaus
  Energy Industry Notes Shift From Physical to Cyber Security Threats
  Apple Releases Updates for Mac OS X, Safari and iOS
  Sony Detects New Breach, Locks Down Affected Accounts
  Microsoft Patch Tuesday Addresses 23 Vulnerabilities
  FBI Arrests Man Who Allegedly Breached Celebrities' eMail Accounts
  Newest ZeuS Has P2P Capabilities
  Probation for Men Who Sold Lost iPhone 4 Prototype
  RSA Says Attack that Compromised SecurID Came From Groups Working for Nation State
  VeriSign Withdraws Request to ICANN for Authority to Suspend Malicious Domains


************************ Sponsored By IBM *******************************

Sign up for Analyst Webcast: Integrating Security into Development, No Pain Required. Please download a copy of the whitepaper on this subject that is available. Go to: http://www.sans.org/info/88834

**************************************************************************

TRAINING UPDATE

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo, and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php


TOP OF THE NEWS

Blackberry Services Restored After Three-Day Failure (October 13, 2011)
Three days after a network disruption that affected messaging and email for Blackberry customers, the company says the services have been "fully restored." Blackberry founder Mike Lazaridis says the company is launching an investigation into the disruption, which is the most severe the company has yet experienced. Lazaridis said the problem started with a hardware error and a cascade of events led to the massive outage.
-http://www.bbc.co.uk/news/technology-15287072
-http://money.cnn.com/2011/10/13/technology/blackberry_outage/index.htm
[Editor's Note (Liston): I thought about saying something really humorous here, but Blackberry owners probably wouldn't get it (hehehe).
(Honan): Given the growth in mobile email in the enterprise this outage should be a sharp reminder for organisations, not just RIM, to re-examine their business continuity plans with regards to email services.]


Air Force Downplays Severity of Malware Infection on Drone Computer System (October 13, 2011)
The US Air Force has called the malware that reportedly infected the computer system controlling drone aircraft nothing more than a "nuisance." Officials said reports indicating the malware had stolen data from military networks are false. They also said that the malware did not have keystroke logging capabilities. The malware infected a system which is separate from that used to control the drones remotely. The malware was not targeting the drone system, but was commonplace malware used to steal login credentials for online gaming.
-http://www.informationweek.com/news/government/security/231900741
-http://www.msnbc.msn.com/id/44883383/ns/technology_and_science-security/#.Tpd9jHLZV8F
-http://arstechnica.com/tech-policy/news/2011/10/get-hacked-dont-tell-drone-base-didnt-report-virus.ars

[Editor's Note (Liston): I care less about the capabilities of the malware they were infected with and more about the fact that they were infected with malware. If your processes failed to the point that your systems got whacked, arguing about the capabilities of the creepy-crawly du jour is just a distraction. The real question here is: Have you figured out how this happened, and have you fixed it?
(Northcutt): It is likely that only people with security clearances will ever know what that malware can and cannot do. However, I think we can all agree the unmanned aerial vehicle program, which costs about $4 billion a year, has now been shown to be vulnerable to malware insertion. A lot of smart people are going to put a lot of effort into doing exactly that. I would think a first line of defense would be some sort of software whitelisting. Speaking of that, I just switched to Mac Lion; if anyone has endpoint security tools that you feel work well, please toss me a few suggestions (stephen@sans.edu). ]



*********************** SPONSORED LINKS: *********************************

1) Check out and sign up for SANS Upcoming Webcasts! Go to: http://www.sans.org/info/88839

****************************************************************************


THE REST OF THE WEEK'S NEWS

Dutch ISP Files Complaint Against Spamhaus (October 13, 2011)
Dutch Internet service provider (ISP) A2B has filed a complaint with police after a request from Spamhaus to block traffic from a German ISP ended up affecting its traffic as well. Spamhaus had requested an order to block all traffic from Cyberbunker, a German ISP that has supported The Pirate Bay. Cyberbunker has several server racks with a partner of A2B. The upstream provider did not comply with the order to block all Cyberbunker traffic and instead blocked only one IP address that had been pinpointed by Spamhaus as a source of spam. As a result, Spamhaus blocked all A2B customers' traffic. When A2B finally did remove Cyberbunker from its border gateway protocol (BGP) list, its customers were able to resume business. But A2B's managing director is unhappy with Spamhaus's actions, saying that "Spamhaus cannot be its own judge."
-http://www.theregister.co.uk/2011/10/13/dutch_isp_accuses_spamhaus/
-http://www.eweekeurope.co.uk/news/dutch-isp-hits-spamhaus-with-police-complaints-42302



Energy Industry Notes Shift From Physical to Cyber Security Threats (October 13, 2011)
Security concerns within the energy industry have shifted in the last few years from physical threats to cyber threats. Energy companies used to be focused on physical terrorist attacks and kidnappings; now companies are focused on protecting proprietary information from cyber theft. In 2008, computer networks at several oil companies were found to have been infiltrated by cyber criminals looking for data about gas lease bids. Companies within the energy industry are still reluctant to talk about cyber attacks. At the recent FBI-sponsored Energy Security Awareness Symposium, two speakers asked that they not be identified and reporters were asked to leave during a presentation about counter-terrorism.
-http://fuelfix.com/blog/2011/10/13/cybercrime-becomes-bigger-threat-to-energy-industry-than-terrorists/

[Editor's Note (Pescatore): I hope this is *not* a shift, but an addition of cyber defense to physical defense. By far the most likely catastrophic event in the power system will be physical attacks and other physical events.
(Liston): I would hope that "shift" isn't the case. I would hope that the proper term is "augment." ]


Apple Releases Updates for Mac OS X, Safari and iOS (October 13, 2011)
Apple has released Mac OS X 10.7.2, which addresses several security issues and introduces iCloud. Apple has also released updates for Safari (version 5.1.1) and iOS. One of the flaws addressed in the Safari update is extremely critical to patch because it is simple to exploit. The update for iOS (version 5) fixes nearly 100 security flaws. There have been reports that the Mac OS X update has caused computer crashes.
-http://www.h-online.com/security/news/item/Apple-releases-Mac-OS-X-10-7-2-and-Safari-5-1-1-1360457.html
-http://www.h-online.com/security/news/item/Update-closes-critical-Safari-hole-on-Mac-OS-X-1360602.html
-http://www.h-online.com/security/news/item/Apple-s-iOS-5-update-closes-almost-100-security-holes-1360528.html
-http://www.computerworld.com/s/article/9220826/Mac_OS_X_security_update_causes_crashes_say_experts?taxonomyId=17



Sony Detects New Breach, Locks Down Affected Accounts (October 12, 2011)
Sony has acknowledged another data security breach affecting users of PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment. Sony issued a statement saying that the attackers used brute force methods to gain access to user accounts using login data stolen from other sites. Sony says it detected the attack soon after it was launched and that the majority of affected accounts were locked down before attackers could use them to conduct unauthorized activities. Sony also said that no credit card information was compromised in the attack. Users are reminded not to use the same username and password combinations on multiple accounts.
-http://www.scmagazineus.com/another-playstation-network-breach-stings-sony-customers/article/214179/

-http://www.wired.com/threatlevel/2011/10/93000-sony-accounts-breached/
-http://www.informationweek.com/news/security/attacks/231900657
-http://www.theregister.co.uk/2011/10/12/playstation_network_brute_force_attack/
[Editor's Note (Pescatore): With consumer oriented services like Google adding "two step verification" login that moves away from reusable passwords, it would be nice to see Sony do this as well. ]
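The Sony item describes the pattern defenders call credential stuffing: an attacker replays username/password pairs stolen elsewhere, so each account sees only one or two attempts while a single source touches many different accounts. The script below is an added example, not Sony's detection logic and not part of the newsletter; it assumes a constructed four-field log format (timestamp, source IP, username, result) and simple thresholds (five distinct usernames in five minutes with at most half the attempts succeeding) that a real deployment would tune. Unlike a per-account lockout threshold, it keys on the source, which is what catches this pattern, and it returns the accounts that the flagged source did log into, which are the ones to lock and reset.

```python
"""Flag login sources that behave like credential stuffing.

Added example (hypothetical log format, constructed sample data).
Each line: "<ISO timestamp> <source_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2011-10-12T03:00:01 203.0.113.7 alice FAIL
2011-10-12T03:00:02 203.0.113.7 bob FAIL
2011-10-12T03:00:02 203.0.113.7 carol OK
2011-10-12T03:00:03 203.0.113.7 dave FAIL
2011-10-12T03:00:04 203.0.113.7 erin FAIL
2011-10-12T03:00:05 203.0.113.7 frank FAIL
2011-10-12T03:00:06 203.0.113.7 grace OK
2011-10-12T03:00:07 198.51.100.9 alice FAIL
2011-10-12T03:00:09 198.51.100.9 alice FAIL
2011-10-12T03:00:12 198.51.100.9 alice OK
2011-10-12T03:05:00 192.0.2.44 heidi OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users": n, "successes": [usernames]}} for every source
    that, inside some sliding window, tried at least `min_users` distinct
    usernames with a success ratio no higher than `max_success_ratio`.
    A user retrying their own password (198.51.100.9 above) is not flagged,
    because the heuristic keys on distinct usernames per source, not volume."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the slice spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            slice_ = evs[start:end + 1]
            users = {u for _, u, _ in slice_}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in slice_ if ok)
            if successes / len(slice_) <= max_success_ratio:
                flagged[ip] = {
                    "users": len(users),
                    "successes": sorted({u for _, u, ok in slice_ if ok}),
                }
    return flagged


def accounts_to_lock(flagged):
    """Accounts a flagged source authenticated to: lock them and force a
    password reset, since the replayed pair evidently worked."""
    out = set()
    for info in flagged.values():
        out.update(info["successes"])
    return sorted(out)


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['users']} distinct users, logged into {info['successes']}")
    print("lock:", accounts_to_lock(hits))
```

Two-step verification, as the editor's note suggests, removes the value of a replayed password entirely; the source-keyed check above is the interim control for services that still rely on reusable passwords.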


Microsoft Patch Tuesday Addresses 23 Vulnerabilities (October 11 & 12, 2011)
On Tuesday, October 11, Microsoft released eight security bulletins to address a total of 23 vulnerabilities in Windows, Internet Explorer (IE), Silverlight and other products. The update for IE fixes eight flaws and affects versions IE6 through IE9.
-http://technet.microsoft.com/en-us/security/bulletin/ms11-oct
-http://www.h-online.com/security/news/item/Microsoft-closes-holes-in-Internet-Explorer-and-Silverlight-1359574.html
-http://www.computerworld.com/s/article/9220735/Microsoft_patches_critical_IE_Silverlight_drive_by_bugs?taxonomyId=85
-http://www.theregister.co.uk/2011/10/12/patch_tuesday_october_2011/
-http://krebsonsecurity.com/2011/10/critical-security-updates-from-microsoft-apple/



FBI Arrests Man Who Allegedly Breached Celebrities' eMail Accounts (October 12, 2011)
FBI agents have arrested a man in Florida in connection with a series of cyber attacks that targeted celebrities. Christopher Chaney allegedly broke into more than 50 email accounts and stole photographs, movie scripts, and financial data. Chaney allegedly altered the settings on the hacked accounts to forward copies of all incoming messages. He faces charges of accessing protected computers without authorization; identity theft; damaging protected computers without authorization; and wiretapping.
-http://www.bbc.co.uk/news/entertainment-arts-15277900
-http://www.wired.com/threatlevel/2011/10/nude-celeb-hacker-arrested/
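The forwarding trick in this story (a rule that silently copies every incoming message to an outside address) survives a password change, so mailbox rules are worth auditing on their own. The script below is an added example, not from the newsletter or the case it reports; it assumes a simplified, constructed rule export (one record per rule with mailbox, action, destination, match conditions and whether the original is deleted) and a hypothetical list of the organisation's own domains. It ranks external forwards by how much mail they capture and whether they hide the copy, which is how a defender would triage the findings.

```python
"""Audit mailbox rules for silent forwarding to external addresses.

Added example with a hypothetical rule-export format and constructed data.
"""
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

# Constructed sample export; .invalid is a reserved TLD, so nothing here is real.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "action": "forward",
     "to": "alice.backup@example.com",
     "conditions": {"subject_contains": "invoice"}, "delete_original": False},
    {"mailbox": "bob@example.com", "action": "forward",
     "to": "collector@mail.invalid",
     "conditions": {}, "delete_original": True},
    {"mailbox": "carol@example.com", "action": "move",
     "to": "Archive",
     "conditions": {"from": "newsletter@example.com"}, "delete_original": False},
    {"mailbox": "dave@example.com", "action": "forward",
     "to": "dave.home@mail.invalid",
     "conditions": {"from": "hr@example.com"}, "delete_original": False},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, internal=INTERNAL_DOMAINS):
    return "@" in address and domain_of(address) not in internal


def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Return one finding per forward rule whose destination is outside
    `internal`. Severity: "high" when the rule matches every message
    (no conditions) or hides the copy by deleting the original, "medium"
    for a conditional forward that leaves the original in place."""
    findings = []
    for r in rules:
        if r["action"] != "forward" or not is_external(r["to"], internal):
            continue
        catches_all = not r["conditions"]
        hidden = r.get("delete_original", False)
        severity = "high" if (catches_all or hidden) else "medium"
        findings.append({
            "mailbox": r["mailbox"],
            "to": r["to"],
            "severity": severity,
            "reason": ("all mail" if catches_all else "conditional")
                      + (", original deleted" if hidden else ""),
        })
    # Highest severity first so the review queue starts with the worst rule.
    findings.sort(key=lambda f: (f["severity"] != "high", f["mailbox"]))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['mailbox']} -> {f['to']} ({f['reason']})")
```

Running this on a rule export after every password reset, and alerting when a new external forward appears, closes the gap the story describes: changing the password alone leaves the copy channel open.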


Newest ZeuS Has P2P Capabilities (October 12 & 13, 2011)
The newest version of ZeuS malware uses peer-to-peer (P2P) networks to transmit updates to infected machines, making the associated botnet more difficult to take down. The variant, known as Murofet, makes it more difficult for law enforcement and security researchers to track and disrupt associated command and control servers.
-http://www.darkreading.com/security/vulnerabilities/231900777/new-version-of-zeus-leverages-peer-to-peer-technology.html
-http://www.computerworld.com/s/article/9220755/Zeus_Trojan_P2P_update_makes_take_downs_harder?taxonomyId=85

-http://www.theregister.co.uk/2011/10/13/zeus_botnet_p2p/


Probation for Men Who Sold Lost iPhone 4 Prototype (October 11, 2011)
The two men involved in the sale of the lost iPhone 4 prototype in 2010 have been sentenced to probation and community service; they were also ordered to pay US$250 in restitution to Apple. Brian Hogan found the device at a bar in Redwood City, California where it had been accidentally left behind by an Apple engineer. Hogan eventually sold the phone to an editor at the tech blog Gizmodo, an arrangement brokered by his friend and co-defendant, Sage Wallower.
-http://www.wired.com/threatlevel/2011/10/brian-hogan-sentenced/


RSA Says Attack that Compromised SecurID Came From Groups Working for Nation State (October 11 & 12, 2011)
RSA says that the attack on its network that exposed data that compromised the security of its SecurID authentication products originated from two groups working for an unnamed nation state. The information was made public when RSA executive chairman Arthur Coviello and RSA president Tom Heiser spoke at the RSA Conference Europe on October 11.
-http://www.wired.com/threatlevel/2011/10/two-hacker-groups-breached-rsa/
-http://www.informationweek.com/news/security/attacks/231900632
[Editor's Note (Liston): Considering that "attribution" is the single most difficult problem in cyber-warfare, I find Heiser's statements to be a bit "bold."]


VeriSign Withdraws Request to ICANN for Authority to Suspend Malicious Domains (October 11 & 13, 2011)
VeriSign has withdrawn a request it submitted to the Internet Corporation for Assigned Names and Numbers (ICANN) earlier this week that sought the authority to suspend malicious domains without first getting a court order. The proposal was designed to "facilitate takedown of malicious sites," and provide a free and optional malware scanning service for domain registrars.
-http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/231900792/verisign-withdraws-request-to-suspend-malicious-domains.html
-http://arstechnica.com/business/news/2011/10/verisign-wants-power-to-scan-sites-for-malware-and-shut-them-down.ars



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://www.sans.org/account