SANS NewsBites - Volume: XIV, Issue: 101

*************************************************************************
SANS NewsBites                     December 21, 2012                    Volume: XIV, Issue: 101
*************************************************************************

TOP OF THE NEWS

  Wells Fargo Web Site Buckles; Bank Tells Online Users to "Go to a Bank Branch"
  Justice Dept. Will Prosecute Foreign Hackers
  White House Releases National Security Information Sharing Guidelines
  Forensic Experts Examining Connecticut Shooter's Computer

THE REST OF THE WEEK'S NEWS

  Senator Wyden Introduces Data Cap Legislation
  Adobe to Patch Shockwave Flaw 29 Months After it Was First Notified
  FCC Tool Helps Users Protect Smartphone Data
  FTC Updates Child Online Privacy Rules
  Android Botnet Sends SMS Spam
  Symantec and Singapore Mgmt. University to Collaborate on Cybersecurity Education
  Judge Says Warrantless Cell Location Data are Permissible Evidence
  Four-Year Prison Sentence for Man Who Processed Scareware Payments
  Costs Associated with NASA Laptop Theft Climbing


************************* SPONSORED BY Symantec **************************
The results are in. Symantec Endpoint Protection rated best in independent, real-world tests recently published by Dennis Technology Labs. These tests were designed to more accurately reflect what would happen if a user is actually using one of these products. Symantec Endpoint Protection received a AAA rating and beat all tested competitors in total accuracy. Learn More.

http://www.sans.org/info/119695
****************************************************************************
TRAINING UPDATE

--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions. http://www.sans.org/event/security-east-2013">http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III. http://www.sans.org/event/north-american-scada-2013">http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications. http://www.sans.org/event/singapore-2013">http://www.sans.org/event/singapore-2013

--SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster. http://www.sans.org/event/sans-2013">http://www.sans.org/event/sans-2013

--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security. http://www.sans.org/event/monterey-2013">http://www.sans.org/event/monterey-2013

--Looking for training in your own community? http://www.sans.org/community/">http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials
Plus Anaheim, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
***************************************************************************

TOP OF THE NEWS

Wells Fargo Web Site Buckles; Bank Tells Online Users to "Go to a Bank Branch" (December 21, 2012)

Facing malicious traffic 35 times as voluminous as in the previous (September) DDoS attack, Wells Fargo's web sites have become unresponsive. Denial of service attacks against multiple banks are purportedly in response to a video trailer insulting the Prophet Muhammed.
-http://www.computerworld.com/s/article/9234957/Wells_Fargo_39_s_website_buckles_
under_flood_of_traffic
[Editor's Note (Paller): An important question is why the analysis of the earlier attack did not lead to an effective defense. A good description the problem was published after the earlier attack:
-http://newyork.newsday.com/business/pnc-bank-wells-fargo-u-s-bank-hacker-attacks
-probed-by-verizon-1.4055301]

Justice Dept. Will Prosecute Foreign Hackers (December 19 & 20, 2012)

The US Justice Department says it plans to prosecute foreign hackers, companies, and governments. Dozens of prosecutors are being trained in cyberespionage prosecution through the National Security Cyber Specialist network (NSCS). The most likely "targets" will be companies that use stolen technology. John Carlin, principal deputy assistant Attorney General in the Department of Justice's national security division says that his agency already has a particular case in mind.
-http://www.theregister.co.uk/2012/12/20/prosecute_foreign_hackers_plan/
-http://arstechnica.com/security/2012/12/feds-reportedly-plan-to-prosecute-hacker
s-sponsored-by-other-nations/
[Editor's Comment (Northcutt): I understand how we can do this with countries that have signed a Free Trade Agreement with the US, but other than that, how is this possible? The only body of law I know of that could used is the Economic Espionage Act of 1996; does anyone have further information (stephen@sans.edu)?
-http://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage
-http://tsi.brooklaw.edu/category/legal-basis-trade-secret-claims/economic-espion
age-act]

White House Releases National Security Information Sharing Guidelines (December 20, 2012)

The White House has released the National Strategy for Information Sharing and Safeguarding (NSISS) provides guidance for establishing polices to share national security information between government agencies and between the government and authorized private entities.
-http://www.eweek.com/security/obama-administration-outlines-national-information
-sharing-strategy/
-http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf
[Editor's Note (Pescatore): As a high level strategy document, it touches all the bases. I would have liked to see more focus on some "near term wins," especially in the area of " Strengthen Information Safeguarding through Structural Reform, Policy, and Technical Solutions."
(Henry): Section 4.1 regarding actionable intelligence sharing to protect against external intrusions is right on the money. This is an incredibly complex issue, however, and this has been formulated by the government for years. Actually executing it will be a significant challenge.
(Shpantzer): This event is descriptive of some of the information-sharing activities the feds are working on, outside of cyber-intelligence:
-http://www.ijis.org/_newsroom/workshop.html
(Murray): It is not clear to me to whom this document is addressed, what its authority is, or what it requires. My sense is that industry will continue to share threat and attack data while protecting vulnerability data and personally identifiable information. We will continue to share breach information via reports from such firms as Verizon and Mandiant in cooperation with international law enforcement. It should be noted that the vulnerability information exploited by criminals is not their own product but that of so-called and self-styled "security researchers." Identification and publication of vulnerability information is neither "security research" or helpful.]

Forensic Experts Examining Connecticut Shooter's Computer (December 19, 2012)

Cyber forensic experts are examining the hard drive of the Connecticut shooting suspect's computer, which he attempted to destroy prior to the attack. The seized computer is in the possession of the Connecticut State Police computer crimes unit. The FBI has offered to help with the investigation.
-http://www.washingtonpost.com/investigations/cybersleuths-try-to-mine-killers-ha
rd-drive/2012/12/19/412cc81c-4a02-11e2-b6f0-e851e741d196_story.html
[Editor's Note (Murray): While the article focuses on the hard drive, I think that most of us would focus on his e-mail service provider and his correspondents. Most of us leave more of a persistent mark in the network than we do on our hard drives. Hitting a hard-dive with a hammer greatly increases the cost of reading it.]



************************* Sponsored Link: ********************************
1) Getting (and Staying) Ahead of Advanced Threats - A workbook for assessing your advanced threat protection posture. Learn More: http://www.sans.org/info/119700
****************************************************************************

THE REST OF THE WEEK'S NEWS

Senator Wyden Introduces Data Cap Legislation

(December 20, 2012) US Senator Ron Wyden (D-Oregon) has introduced legislation that would prohibit Internet service providers (ISPs) from removing data cap restrictions on services that benefit them financially. A recent report found that ISPs use data caps to increase profits rather than to manage traffic, which was the stated purpose for their implementation. The legislation also would require a standardized method for measuring data.
-http://thehill.com/blogs/hillicon-valley/technology/274173-overnight-tech-wyden-
unveils-data-cap-bill-
-http://www.wired.com/threatlevel/2012/12/net-neutrality-data-bill/
-http://arstechnica.com/tech-policy/2012/12/senator-introduces-bill-to-regulate-d
ata-caps/
[Editor's Note (Shpantzer): DefCon 19 panel on Net Neutrality with diverse viewpoints, including an EFF attorney, a DC-based telecom/regulatory attorney and a "Geek, burner, hacker, artist" to round things out.
-http://www.youtube.com/watch?feature=player_detailpage&v=Sxn1cAFUSTQ#t=24s]

Adobe to Patch Shockwave Flaw 29 Months After it Was First Notified (December 19 & 20, 2012)

Adobe says it will issue a fix for a vulnerability in Shockwave in February 2013. Adobe has known about the flaw since October 2010, when the US Computer Emergency Response Team (US-CERT) notified the company. Shockwave currently installs certain downloadable components known as Xtras without prompting users for permission.
-http://www.computerworld.com/s/article/9234916/Adobe_to_patch_2_year_old_Shockwa
ve_flaw_next_year?taxonomyId=17
-http://krebsonsecurity.com/2012/12/shocking-delay-in-fixing-adobe-shockwave-bug/
-http://www.kb.cert.org/vuls/id/519137

FCC Tool Helps Users Protect Smartphone Data (December 20, 2012)

The US Federal Communications Commission (FCC) has published an online tool to help smartphone users protect their devices from security threats. The Smartphone Security Checker offers a step-by-step process that will keep personal data from exposure if the smartphones get infected with malware or are lost or stolen.
-http://www.computerworld.com/s/article/9234928/FCC_offers_security_advice_to_sma
rtphone_users?taxonomyId=17
[Editor's Note (Shpantzer): A major factor in Android security is the version of the OS. If it doesn't start with a 4 you're due for an upgrade. Unlike iOS, Android fragmentation is caused in large part by the carriers who control the updates to the handsets. A scary graphic...
-http://bgr.com/2011/10/27/android-fragmentation-gets-visualized-infographic/]

FTC Updates Child Online Privacy Rules (December 19, 2012)

The US Federal Trade Commission (FTC) has updated its child online privacy rules. The changes include requiring companies to obtain parents' permission before collecting children's pictures, videos, and geolocational data. They must also obtain parents permission before using cookies and other methods of tracking activity across multiple applications and websites. The rules apply to sites and apps that specifically target children, so companies like Apple and Facebook are relatively unaffected.
-http://www.washingtonpost.com/business/technology/ftc-releases-landmark-update-t
o-child-online-privacy-laws/2012/12/19/6afbab30-494f-11e2-820e-17eefac2f939_stor
y.html
-http://news.cnet.com/8301-1009_3-57560037-83/childrens-privacy-law-catches-on-to
-apps-social-networks/

Android Botnet Sends SMS Spam (December 19, 2012)

Earlier this month, two security companies detected a botnet composed of infected Android devices. The devices become infected when users install certain game applications that contain a Trojan horse program called SpamSoldier. Users must agree to permissions for the app, including allowing it to send SMS messages and access websites; the apps in question are usually free versions of well-known paid games. Infected devices receive instructions from a command-and-control server to send SMS messages to certain phone numbers. Last week, the botnet was estimated to have sent out more than half a million unsolicited texts a day.
-http://www.theregister.co.uk/2012/12/19/spamsoldier_android_botnet/
-http://www.informationweek.com/security/attacks/attack-turns-android-devices-int
o-spam-s/240144988
-http://www.scmagazine.com/android-botnet-detected-on-all-major-mobile-networks/a
rticle/273339/

Symantec and Singapore Mgmt. University to Collaborate on Cybersecurity Education (December 19, 2012)

Subhendu Sahu, Symantec's business development director for government and network security, told ZDNet Asia that internships are not long enough for students to acquire necessary IT security skills. He also noted that Singapore IT professionals tend to be focused on traditional perimeter and network security. Steven Miller, vice provost of research and dean of School of Information Systems at Singapore Management University (SMU) added that IT security is constantly evolving and that "whatever
[students ]
learn during the internship would be irrelevant by the time they come out and work." Symantec and SMU have developed a Memorandum of Understanding (MoU) to help provide students with applicable skills and knowledge. The partnership will include internships, mentorships, in-depth discussions, and security intelligence briefings.
-http://www.zdnet.com/internships-alone-insufficient-for-cybersecurity-education-
7000009005/
[Editor's Note (Henry): While internships described here, in and of themselves, are not a panacea, they certainly can go a long way in introducing young professionals to explore the cybersecurity field as a career, and to encourage their continued technical education. Internship opportunities will be increasingly necessary as we push the STEM initiative, and seek to excite people about these fields. ]

Judge Says Warrantless Cell Location Data are Permissible Evidence (December 18, 2012)

A US District Judge has ruled that federal prosecutors may introduce cell-phone location data obtained without a warrant in the retrial of Antoine Jones. The case has received media attention recently because of the Supreme Court ruling that law enforcement should obtain probable cause warrants from judges to place GPS tracking devices on suspects' vehicles, which meant that placement of GPS device on Jones's vehicle constituted an illegal search, thus disallowing the evidence and overturning Jones's conviction. US District Judge Ellen Segal Huvelle focused on the "good faith exemption," which allows evidence that was gathered prior to a court ruling prohibiting its use.
-http://www.wired.com/threatlevel/2012/12/warrantless-cell-site-data/
-https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2005cr0386-658

Four-Year Prison Sentence for Man Who Processed Scareware Payments (December 18, 2012)

A Swedish man has been given a four-year prison sentence for processing payments for a scareware operation. He has also been fined US $650,000. Mikael Patrick Sallnert admitted to providing the infrastructure that facilitating payments for phony anti-virus software even though he was aware of the fraudulent nature of the operation. Sallnert was arrested in Denmark last January and was extradited to the US in March 2012. He pleaded guilty to conspiracy to commit wire fraud and accessing a protected computer in furtherance of fraud in August 2012. This particular operation was international in scope and earned its perpetrators US $71 million and affected nearly one million people.
-http://www.h-online.com/security/news/item/Four-year-sentence-for-processing-sca
reware-payments-1771615.html
-http://www.justice.gov/opa/pr/2012/December/12-crm-1503.html
[Editor's Note (Murray): This is an important case because criminals are using black markets to specialize and cooperate in ways that avoid accountability and make investigation and prosecution difficult. ]

Costs Associated with NASA Laptop Theft Climbing (December 18, 2012)

The costs associated with a stolen NASA laptop are approaching US $1 million, according to a report from NASA inspector general (IG) Paul Martin. The machine held personally identifiable information of 10,000 current and former agency employees. The October 31 incident prompted NASA to move up its target date for encrypting all hard drives on agency laptops to December 21, 2012. The former encryption deadline target was March 2013. The IG's report says that "it is extremely unlikely that the agency will meet its December goal primarily because the agency does not have a full account of the number of laptops in its possession." The cost of credit monitoring is estimated to be US $700,000, while the cost of moving up the encryption deadline is US $259,000.
-http://www.nextgov.com/cybersecurity/2012/12/costs-mount-nasa-responds-october-d
ata-breech/60232/?oref=ng-channeltopstory
[Editor's Note (Murray): This case illustrates the efficiency of using full-disk encryption and lock words or phrases on portable devices. ]


************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.


Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/