SANS NewsBites - Volume: XIII, Issue: 99

*************************************************************************
SANS NewsBites                     December 16, 2011                    Volume: XIII, Issue: 99
*************************************************************************
TOP OF THE NEWS

  Defense Dept's 2012 Funding Bill Allows Offensive Cyber Attacks
  Certain Industrial Control PLCs Have Hidden Accounts with Hard-Coded Passwords
  Carrier IQ Execs Talk with FTC and FCC Officials

THE REST OF THE WEEK'S NEWS

  Possible Payment Processor Data Leak in Europe Prompts Bank to Block Cards
  Microsoft to Start Automatic IE Updates Next Year
  UK Websites Have Until May 26, 2012 to Comply with Amended Privacy Law
  Man Arrested for 2010 DDoS Attack On Gene Simmons's Website
  Open Letters Decry SOPA
  Google Chrome Update Addresses 15 Vulnerabilities, Adds Privacy Feature
  Microsoft Patches Duqu Flaw
  Man Pleads Guilty to Facebook Cyber Intrusion
  Oracle Issues Java Update


*************************** Sponsored By SANS ***************************

SANS 8th Annual Log and Event Management Survey is Under Way

Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts.

Follow this link to the survey: http://www.sans.org/info/94114

**************************************************************************

TRAINING UPDATE

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
http://www.sans.org/singapore-2012/

--SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/sans-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************


TOP OF THE NEWS

Defense Dept's 2012 Funding Bill Allows Offensive Cyber Attacks (December 14 & 15, 2011)
The US Defense Department's 2012 funding bill contains a provision that gives the military the authority to launch offensive strikes in the cyber arena. The provision was present in the House version of the bill but not the Senate version, and it appeared in the final, reconciled form of the bill. While the bill does not get very specific, it is likely to cover actions such as releasing malware like Stuxnet, bringing down websites with DDoS attacks, or disabling online forums where terrorists share information. The language of the bill reads: "Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace;" and "in certain instances, the most effective way to deal with threats and protect US and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged."
-http://www.wired.com/threatlevel/2011/12/internet-war-2/
-http://www.sdtimes.com/blog/post/2011/12/15/US-readies-itself-for-cyber-war.aspx


Certain Industrial Control PLCs Have Hidden Accounts with Hard-Coded Passwords (December 13 & 14, 2011)
The US Industrial Control System Cyber Emergency Response Team has issued a warning about vulnerabilities in certain Supervisory Control and Data Acquisition (SCADA) system components that could be exploited to take remote control of the machinery they manage. Some versions of Modicon Quantum PLC (programmable logic controller) have multiple, hidden accounts that allow remote access. These accounts have hard-coded passwords. Schneider Electric, which makes the PLCs, has begun issuing fixes for the problem. ICS-CERT is also making a general warning to power and water plant operators to audit their systems for vulnerabilities. Hackers can use tools easily available on the Internet to search for vulnerable systems.
-http://www.informationweek.com/news/security/government/232300433
-http://www.theregister.co.uk/2011/12/14/scada_bugs_threaten_criticial_infrastructure/
-http://www.h-online.com/security/news/item/Backdoors-in-industrial-control-systems-1395141.html
-http://gcn.com/Articles/2011/12/13/DHS-warns-US-water-power-plants-hacked.aspx?Page=2&p=1

[Editor's Note (Pescatore): More newsworthy would probably be an item that shows some SCADA or process control software that does *not* have glaring vulnerabilities because it depended on security through semi-obscurity for the past 20 years. ]


Carrier IQ Execs Talk with FTC and FCC Officials (December 13 & 14, 2011)
Carrier IQ has issued a document to clarify what its technology does. The company included a list of the more than 225 pieces of information that carriers can choose to harvest from customers' handsets. Carrier IQ acknowledged that its software has been saving some text messages but that the content was saved in an unreadable format. A bug in the company's software caused SMS messages to be saved when they were received while the handset was being used in a phone call. The bug has been fixed. The Carrier IQ document also addressed the allegations that the software logged user keystrokes, saying that it happened only when "handset manufacturer software's debug capabilities remained switched on in devices sold to customers." Carrier IQ executives also met with Federal Communications Commission (FCC) and Federal Trade Commission (FTC) officials to clarify what its software does and answer any questions the officials had. Rumors that the FTC is conducting an investigation into Carrier IQ have been neither confirmed nor denied. Carrier IQ VP of Marketing Andrew Coward says his company has learned a lot of valuable lessons in recent weeks. Coward said that the company should not have used the cease and desist order against the researcher who first disclosed the privacy issues; he also spoke to the value of being open and transparent when such issues arise.
-http://www.computerworld.com/s/article/9222637/Carrier_IQ_moves_to_allay_fears_of_its_tracking_software?taxonomyId=17
-http://www.h-online.com/security/news/item/Carrier-IQ-finds-bug-that-has-been-saving-SMS-texts-1394601.html
-http://www.washingtonpost.com/business/technology/carrier-iq-bug-made-some-keypresses-message-data-accessible/2011/12/13/gIQAWmPVsO_story.html
-http://www.wired.com/threatlevel/2011/12/carrieriq-ftc-fcc/
-http://www.washingtonpost.com/business/economy/feds-probing-carrier-iq/2011/12/14/gIQA9nCEuO_story.html?tid=pm_business_pop
-http://news.cnet.com/8301-1009_3-57343272-83/carrier-iq-exec-says-company-has-learned-lessons/?tag=txt;title




************************ SPONSORED LINK **********************************

1) Take the first annual SANS Mobility Survey and Win $250

Take this groundbreaking survey to help determine policy, controls and standards needed to enable users to use their own small mobile devices for work-related functions. Also be entered to win a $250 American Express Card Giveaway when results are announced in late March at www.sans.org/webcasts.

Follow this link to the survey: http://www.sans.org/info/94124

****************************************************************************


THE REST OF THE WEEK'S NEWS

Possible Payment Processor Data Leak in Europe Prompts Bank to Block Cards (December 15, 2011)
Visa is investigating a rumored breach at a payment processor in Europe that potentially affects cardholders in Eastern Europe. The state-owned Romanian bank CEC has chosen to block and reissue 17,000 payment cards after learning of the security breach.
-http://www.scmagazineuk.com/rumours-of-database-security-breach-causes-romanian-bank-to-block-17000-cards/article/219473/
-http://www.theregister.co.uk/2011/12/15/credit_card_processor_security_probed/
[Editor's Note (Murray): Since smart cards cannot be compromised in this way, one is tempted to conclude that this is one more failure of mag-stripe and PIN. ]


Microsoft to Start Automatic IE Updates Next Year (December 15, 2011)
Starting in January 2012, Microsoft will begin pushing silent updates for Internet Explorer (IE). The change is being made to help keep the Internet safer by not relying on users to install necessary security updates. Google's Chrome browser has updated in the background without user interaction since it was introduced in 2008. The program will first be introduced in Australia and Brazil. The updater will push the most recent version of IE that runs on users' current operating systems. While Microsoft will not ask permission to upgrade to the next version of the browser, users will be able to choose to turn upgrades off. Additionally, IE upgrades will not be forced on users who have previously declined to upgrade to newer versions of the browser. Mozilla plans to start background updates for Firefox starting with Firefox 12, which is scheduled to debut on April 24, 2012.
-http://www.darkreading.com/database-security/167901020/security/vulnerabilities/232300587/internet-explorer-to-get-silent-updates.html
-http://www.computerworld.com/s/article/9222690/Microsoft_gets_silent_upgrade_religion_will_push_IE_auto_updates?taxonomyId=17
-http://www.zdnet.com/blog/microsoft/microsoft-to-push-latest-version-of-ie-to-users-starting-in-2012/11435
-http://windowsteamblog.com/ie/b/ie/archive/2011/12/15/ie-to-start-automatic-upgrades-across-windows-xp-windows-vista-and-windows-7.aspx

[Editor's Note (Pescatore): It is probably time for this switch to be made. There are three major reasons for *not* doing automatic updating: (1) Low quality of patches; (2) Patches impacting application compatibility; and (3) functionality changes getting mixed in with security/reliability patches. (1) and (2) are mostly non-issues with browser software these days, (3) is still the risky part. ]


UK Websites Have Until May 26, 2012 to Comply with Amended Privacy Law (December 15, 2011)
New laws in the UK mean that as of May 26, 2012, websites will be required to obtain permission from users before storing or accessing cookies on their computers. The law was enacted in May 2011, so companies have had a year to develop compliance strategies, but the Information Commissioner's Office (ICO) says that even six months out, companies have not done enough to prepare for the new requirements. The ICO is hoping for "good solutions rather than rushed ones," which is why companies were given a year's lead time. One factor in the lack of action may be the absence, until now, of any formal compliance guidance; the ICO issued such guidance earlier this week.
-http://www.scmagazine.com.au/News/284458,cookie-cutter-compliance-cant-cut-it.aspx
-http://www.theregister.co.uk/2011/12/15/ico_cookie/
-http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx

[Editor's Note (Honan): Companies should take heed of the ICO and start preparing now to manage not only their own cookies but the third party cookies used on their website. The biggest challenge will be informing visitors to the website about what cookies are and how they will be used on the website and then getting their permission to use cookies. Guidance from the ICO on how to manage this issue can be found at
-http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx
]
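As an added illustration (not part of the NewsBites item, the ICO guidance or any editor's note), the following JavaScript shows one way a site can gate cookie storage on explicit consent: a registry declares the purpose of each cookie so visitors can be told what it is for, only essential cookies are written before the visitor opts in, writes that were held back are flushed once consent is granted, and withdrawing consent removes the non-essential cookies already stored. The cookie jar is abstracted so the logic can be exercised outside a browser (a browser adapter would wrap document.cookie); the category names, the cookie_consent record and the sample cookie names are assumptions made for this example.

```javascript
// Added example (not SANS or ICO code): consent-gated cookie storage.
// Categories and the consent cookie name are assumptions for this illustration.
const CATEGORIES = ["essential", "analytics", "advertising"];
const CONSENT_COOKIE = "cookie_consent";

// In-memory jar with the get/set/remove/names shape a document.cookie adapter would expose.
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => Array.from(store.keys()),
  };
}

// registry maps cookie name -> category, declared up front so the site can
// both enforce consent and explain each cookie's purpose to visitors.
function createConsentGate(jar, registry) {
  for (const [name, cat] of Object.entries(registry)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category for ${name}: ${cat}`);
  }
  const deferred = []; // writes held back until the visitor consents

  // Categories currently permitted: "essential" always, plus whatever the
  // consent record (itself an essential cookie) says the visitor opted into.
  function consented() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return new Set(["essential"]);
    try {
      const parsed = JSON.parse(raw);
      return new Set(["essential", ...parsed.filter((c) => CATEGORIES.includes(c))]);
    } catch (e) {
      return new Set(["essential"]); // corrupt record: fall back to no consent
    }
  }

  return {
    // Returns true if the cookie was written, false if it was deferred pending consent.
    setCookie(name, value) {
      const cat = registry[name];
      if (cat === undefined) throw new Error(`cookie ${name} not declared in registry`);
      if (consented().has(cat)) { jar.set(name, value); return true; }
      deferred.push([name, value]);
      return false;
    },
    // Record the visitor's explicit choice, then flush deferred writes now permitted.
    grant(categories) {
      const allowed = categories.filter((c) => CATEGORIES.includes(c) && c !== "essential");
      jar.set(CONSENT_COOKIE, JSON.stringify(allowed));
      const now = consented();
      const still = [];
      for (const [name, value] of deferred) {
        if (now.has(registry[name])) jar.set(name, value); else still.push([name, value]);
      }
      deferred.length = 0;
      deferred.push(...still);
      return now;
    },
    // Withdrawal: drop every stored cookie whose category is no longer permitted.
    withdraw() {
      jar.set(CONSENT_COOKIE, JSON.stringify([]));
      let removed = 0;
      for (const name of jar.names()) {
        const cat = registry[name];
        if (cat && cat !== "essential") { jar.remove(name); removed++; }
      }
      return removed;
    },
    consented,
  };
}

// Walk through a visit with a constructed registry (cookie names are made up).
function demo() {
  const jar = memoryJar();
  const gate = createConsentGate(jar, {
    session_id: "essential",
    cookie_consent: "essential",
    _ga_like: "analytics",
    ad_id: "advertising",
  });
  const r = {};
  r.sessionSet = gate.setCookie("session_id", "abc");          // essential: written at once
  r.analyticsBlocked = gate.setCookie("_ga_like", "GA1.1");     // no consent yet: deferred
  r.afterGrant = Array.from(gate.grant(["analytics"])).sort();  // visitor opts into analytics
  r.analyticsStored = jar.get("_ga_like");                      // deferred write flushed
  r.adBlocked = gate.setCookie("ad_id", "xyz");                 // advertising still refused
  r.removed = gate.withdraw();                                  // analytics cookie removed
  r.afterWithdraw = jar.names().sort();                         // only essential cookies remain
  return r;
}
```

Third-party cookies set by embedded scripts cannot be intercepted by this gate; the same decision record would be used to decide whether to load those scripts at all.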



Man Arrested for 2010 DDoS Attack On Gene Simmons's Website (December 14 & 15, 2011)
The FBI has arrested Kevin George Poe for allegedly launching a distributed denial-of-service (DDoS) attack against the website of Gene Simmons, singer and bassist for the rock band KISS. Poe faces charges of conspiracy and unauthorized impairment of a protected computer. He is allegedly affiliated with the hacking collective known as Anonymous. Poe allegedly used Anonymous's Low Orbit Ion Cannon to launch the attack, which took place over a five-day period in 2010. The tool, once widely used by members of the group, has a privacy leak: the packets generated by the tool include the IP addresses of those conducting the attack.
-http://www.informationweek.com/news/security/attacks/232300516
-http://www.theregister.co.uk/2011/12/15/feds_cuff_simmons_ddos_hack_suspect/


Open Letters Decry SOPA (December 14, 2011)
The day before the Stop Online Piracy Act (SOPA) was scheduled for markup in the US House of Representatives Judiciary Committee, two groups of people prominent in information technology have written open letters condemning its heavy-handedness and short-sightedness. One of the letters says, "We cannot have a free and open Internet unless its naming and routing systems sit above the political concerns of any one government or industry." The blocking techniques that the bill would permit are similar to those used in China and other countries with oppressive political regimes. While supporters of the bill say that the comparison trivializes the suffering of residents in those countries, those opposed point out that if the US uses the same techniques, it loses the standing to criticize those countries for their actions. As of Thursday afternoon, SOPA was stalled in committee; legislators from both parties expressed concern that the bill was moving too fast and questioned the need for haste. The markup session is expected to go late into the night.
-http://arstechnica.com/tech-policy/news/2011/12/technology-entrepreneurs-attack-sopa-on-eve-of-hearings.ars
-http://news.cnet.com/8301-1009_3-57342914-83/silicon-valley-execs-blast-sopa-in-open-letter/?tag=txt;title
-http://www.bbc.co.uk/news/technology-16195344
-http://www.wired.com/threatlevel/2011/12/sopa-stalls/all/1
-https://www.eff.org/deeplinks/2011/12/internet-inventors-warn-against-sopa-and-pipa
-http://thehill.com/blogs/hillicon-valley/technology/199823-overnight-tech-judiciary-burning-midnight-oil-on-sopa-markup

[Editor's Note (Pescatore): Doesn't it always seem that those who make money from *other* people's content never seem to worry about how those people who actually *create* the content will make money?
(Murray): On December 15, the managers of the bill published amendments intended to respond to the criticism. The amendments said, in effect, that the remainder of the bill should not be interpreted as written English, that it was not intended to do what it does. Drafting legislation is difficult, even when one's intentions are honest. When it is drafted by an interested party, bent on disclaiming its interest, it becomes nigh impossible.
-http://judiciary.house.gov/hearings/pdf/HR%203261%20Managers%20Amendment.pdf]



Google Chrome Update Addresses 15 Vulnerabilities, Adds Privacy Feature (December 14, 2011)
Google has updated its Chrome browser to version 16, patching 15 security flaws in the process. Google paid a total of US $6,000 to researchers who alerted them to seven of the patched bugs. One of the new features made available in Chrome 16 allows multiple users on the same computer to keep their personal data, including bookmarks, separate and private from one another's. It allows separate identities without having to log out of the OS.
-http://www.computerworld.com/s/article/9222665/Google_ships_Chrome_16_patches_15_vulnerabilities?taxonomyId=17
-http://download.cnet.com/8301-2007_4-57342468-12/chrome-gets-multiple-user-support/



Microsoft Patches Duqu Flaw (December 13 & 14, 2011)
On Tuesday, December 13, Microsoft issued 13 security bulletins to address a total of 19 vulnerabilities. In its advance notice, Microsoft had said that it would release 14 bulletins, but the company pulled a fix for the SSL/TLS (secure sockets layer/transport layer security) BEAST vulnerability because the patch broke some software from third-party vendor SAP.
-http://www.computerworld.com/s/article/9222639/Microsoft_scratches_BEAST_patch_at_last_minute_but_fixes_Duqu_bug?taxonomyId=17
-http://www.theregister.co.uk/2011/12/14/ms_bumper_patch_tuesday/
-http://www.scmagazineuk.com/microsoft-slims-final-patch-tuesday-of-2011-to-13-patches-from-proposed-14/article/219293/



Man Pleads Guilty to Facebook Cyber Intrusion (December 13 & 14, 2011)
A York, UK, man has pleaded guilty to breaking into Facebook computers. Glenn Mangham hacked the social networking site in April and May 2011, prompting concern that the activity was espionage related. Mangham's actions were found to have violated the Computer Misuse Act. Mangham is a computer science student. He loaded some of his own software onto Facebook computers and downloaded some FB intellectual property onto an external drive so he could work on it. Mangham's sentencing is scheduled for February 2012. Customer data were not compromised.
-http://www.theregister.co.uk/2011/12/14/facebook_hack_prosecution/
-http://www.bbc.co.uk/news/uk-england-york-north-yorkshire-16159653
-http://www.mirror.co.uk/news/technology/2011/12/14/facebook-hacker-admits-breaking-into-social-network-s-servers-115875-23633578/



Oracle Issues Java Update (December 13, 2011)
Oracle has released an update for its Java software to address a number of security flaws. The majority of fixes addressed in Java 6 Update 30 are for performance and stability issues. The security issues it fixes affect developers. One of the fixes remedies a problem in Java 6 Update 29 that broke SSL connectivity. Another fix addresses a problem in which cookies were occasionally dropped.
-http://www.scmagazineus.com/oracle-updates-java-adobe-patches-coldfusion/article/219224/



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/