SANS NewsBites - Volume: XIV, Issue: 11


Tomorrow (Wednesday, Feb 8) is the last day to save $250 on registration
or SANS 2012 - the largest immersion training program in cyber
security, with the biggest selection of evening bonus programs. It's
in Orlando at the end of March. http://www.sans.org/sans-2012

Alan

*************************************************************************
SANS NewsBites                     February 07, 2012                    Volume: XIV, Issue: 11
*************************************************************************
TOP OF THE NEWS

  DNSChanger Trojan Still Needs to be Cleaned from Fortune 500 and US Government Systems
  30-Month Prison Sentence for Attempted Cyber Extortion
  FBI Investigating Leaked Phone Call About Anonymous

THE REST OF THE WEEK'S NEWS

  ISC-CERT Warns of Brute Force SSH Attack Threat for SCADA Systems
  Google and Facebook Remove Offensive Content in India
  New Hampshire Legislature Passes Open Data Standard Bill
  Film Company Includes Owners of Unsecured WiFi Networks in Filesharing Lawsuit
  BT Junkie Takes Itself Offline Voluntarily
  Commerce Dept's Economic Development Administration Suffers Cyber Attack
  Manning to Face All Charges in Court Martial
  Swedish Government Website Targeted by Hackers
  FDIC Guidance Clarification


*************************** SPONSORED BY SANS ***************************
SANS Analyst Webcast: Oracle Entitlements Server Review: Demystifying External Authorization http://www.sans.org/info/98774 Wednesday, March 21, 1 PM ET

Featuring SANS Oracle expert, Tanya Baccam and Oracle's Roger Wigenstam, director of project management
**************************************************************************
TRAINING UPDATE

- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 6 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

- -- SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses.
http://www.sans.org/appsec-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************


TOP OF THE NEWS

DNSChanger Trojan Still Needs to be Cleaned from Fortune 500 and US Government Systems (February 3 & 6, 2012)
Half of Fortune 500 companies and nearly half of all US federal government agencies still have the DNSChanger Trojan on their networks, according to researchers. The malware alters the settings on infected computers to manipulate search results and prevent users from accessing websites with information and tools that could be used to scrub the malware from their computers. In early November 2011, authorities in Estonia arrested six people in connection with the Trojan, and US authorities obtained a court order to replace the command and control servers the attackers used with legitimate DNS servers, but that order will expire on March 8, 2012. If infected machines are not cleaned by the time the order expires and the servers are taken offline, those computers will not be able to access the Internet. There is a tool available that allows users to test their systems for infection.
-http://www.scmagazine.com/deadline-looms-to-remove-click-fraud-malware/article/2
26501/

-http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-w
ith-dnschanger-trojan/

-http://www.theregister.co.uk/2012/02/03/dnschanger_trojan_clean_up/
[Editor's Note (Honan): These easy to use websites will allow you to check whether or not your PC has been infected with the DNSchanger Trojan; www.dns-ok.us (in English), www.dns-ok.de (in German), www.dns-ok.fi (in Finnish, Swedish & English) ]


30-Month Prison Sentence for Attempted Cyber Extortion (February 3 & 6, 2012)
Attila Nemeth has been sentenced to 30 months in prison for hacking into the a computer system belonging to Marriott International Inc. Nemeth broke into the system in 2010 and notified Marriott officials that he had stolen proprietary data, sending eight documents along as proof. An investigation revealed that Nemeth had placed two Trojan horse programs on a Marriott system through a spear phishing email attack. Nemeth threatened to share the stolen information with Marriott competitors or employees if he was not offered a job. Nemeth was lured to the US by a Secret Service agent posing as a Marriott IT executive, who asked him to come for an interview.
-http://www.theregister.co.uk/2012/02/06/marriott_hacker_jailed/
-http://www.computerworld.com/s/article/9223971/Hungarian_hacker_gets_30_months_f
or_extortion_plot_on_Marriott?taxonomyId=17



FBI Investigating Leaked Phone Call About Anonymous (February 3, 2012)
The FBI is investigating how hackers linked to the Anonymous group managed to gain access to a phone call between law enforcement agents in Britain and the UK during which they discussed taking legal action against the group. Anonymous has released a recording of the call. The call reportedly took place on January 17; a lawyer for one of the people who was mentioned in the call said it appears to have been taken from intercepted email.
-http://www.bbc.co.uk/news/world-us-canada-16881582
-http://www.wired.com/threatlevel/2012/02/anonymous-scotland-yard/
-http://www.scmagazine.com/fbi-call-gives-clues-into-anonymous-lulzsec-probes/art
icle/226231/

[Editor's Note (Murray): It had to be really easy. If one listens to the call, one hears people coming in and dropping off at a fairly high rate with little or no discipline. However, this party came into the call very early. Occam's Razor suggests that the attacker intercepted an e-mail with instructions for the call, got there early, and then simply lurked. The FBI should not worry about it; they should let the Met handle it. Someone should alert both the FBI and the Met that there is software that permits the manager of a conference call to monitor the Caller ID of all the participants in the call. If one fails to use such software on sensitive calls, one should assume the Anonymous is listening.
(Ullrich): The security of e-mail systems is a common problem in recent attacks by the "anonymous" affiliated groups. Sadly, there are few good solutions to secure e-mail and maintain the need for ubiquitous and timely access from various devices. Two factor authentication systems hardly ever include full e-mail protection and end-to-end encrypted or signed e-mail is still the exception. Most recent proposals are focused on spam and include sender verification vs. offering solutions to protect stored e-mail or providing recipient authentication. ]



************************** SPONSORED LINK ****************************
1) SANS Analyst webcast! Password Sharing: Root of All Evil Join senior SANS Analyst, J. Michael Butler and learn how to protect shared passwords in mixed server environments http://www.sans.org/info/98779
************************************************************************


THE REST OF THE WEEK'S NEWS

ISC-CERT Warns of Brute Force SSH Attack Threat for SCADA Systems (February 3 & 6, 2012)
The Industrial Control System Cyber Emergency Response Team (ISC-CERT) has issued a warning to utilities that certain supervisory control and data acquisition (SCADA) systems may be vulnerable to brute-force attacks. The threat described in the alert targets SCADA systems with secure shell (SSH) command-line access. The alert notes that organizations have been reporting SSH scans of Internet-facing control systems. ISC-CERT makes several recommendations for mitigation.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
232600345/utilities-facing-brute-force-attack-threat.html

-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-034-01.pdf
[Editor's Note (Ullrich): The fact that the ISC-CERT has to warn its constituency of brute force SSH attacks reaffirms that SCADA security has a long way to go. ]


Google and Facebook Remove Offensive Content in India (February 6, 2012)
Facebook and Google say they have removed content deemed "offensive" by Indian government officials. Judges in India say they will block sites that do not comply with the content takedown order. The order is the result of a lawsuit filed to make sites stop hosting blasphemous content. Some other Internet companies are likely to appeal the decision.
-http://www.bbc.co.uk/news/world-asia-india-16903765
-http://www.pcworld.com/businesscenter/article/249327/google_agrees_to_court_orde
r_in_india_to_remove_content.html

-http://www.washingtonpost.com/business/google-facebook-remove-content-as-india-t
hreatens-lawsuits-for-offending-religious-sentiments/2012/02/06/gIQAJjUntQ_story
.html



New Hampshire Legislature Passes Open Data Standard Bill (February 6, 2012)
Both houses of the New Hampshire state legislature have passed HB 418, which "requires state agencies to consider open source software when acquiring software and promotes the use of open data formats by state agencies.
[The ]
bill also directs the commissioner of information technology to develop a statewide information policy based on principles of open government data."
-http://www.bristolwireless.net/2012/02/us-state-of-new-hampshire-passes-open-sou
rce-open-standards-and-open-data-bill/

-http://www.nhliberty.org/bills/view/2012/HB418


Film Company Includes Owners of Unsecured WiFi Networks in Filesharing Lawsuit (February 6, 2012)
A California company has filed a lawsuit seeking damages from more than 50 named and unnamed Massachusetts individuals for participating in illegal filesharing. Liberty Media Holdings LLC produces adult content video. The lawsuit maintains that the accused were responsible either for directly downloading or sharing the movie in question, or owns an unsecured wireless network that was used to share or download the film. Liberty Media alleges that those with unsecured networks contributed to illegal filesharing through their negligence.
-http://www.computerworld.com/s/article/9224003/Copyright_lawsuit_targets_owners_
of_non_secure_wireless_networks?taxonomyId=17



BT Junkie Takes Itself Offline Voluntarily (February 6, 2012)
BT Junkie, a torrent search engine that is unaffiliated with BitTorrent, has voluntarily shuttered its website, ostensibly over concerns that it may be the target of law enforcement action similar to that which forced the shutdown of Megaupload. Other sites associated with filesharing have taken measures, though not as drastic, to avoid attention. For example, FileSonic now prohibits filesharing between users, but members may still upload and download their own files. The Pirate Bay has taken a different tack, moving its domain name from .org to .se to prevent seizure by US authorities.
-http://arstechnica.com/tech-policy/news/2012/02/torrent-search-engine-btjunkie-v
oluntarily-shuts-down.ars

-http://www.computerworld.com/s/article/9223989/BTJunkie_voluntarily_closes_file_
sharing_website?taxonomyId=17

-http://www.theregister.co.uk/2012/02/06/btjunkie_bye/


Commerce Dept's Economic Development Administration Suffers Cyber Attack (February 2 & 3, 2012)
The computer network of US Department of Commerce's Economic Development Administration (EDA) has been hit with what appears to be a virus, forcing EDA to disable email and Internet access until an investigation determines the cause and scope of the problem. EDA awards business development grants in communities that require economic stimulus; a temporary site provides basic information for those seeking grants, and employees will work via telephone and fax until the computer system is available. The infected systems were isolated from the rest of the department after the EDA became aware of the infection, which is being investigated by the US Computer Emergency Readiness Team (US-CERT) and outside experts.
-http://www.informationweek.com/news/government/security/232600258
-http://www.washingtonpost.com/politics/commerce-agencys-system-infected-by-virus
-may-be-victim-of-cyber-attack/2012/02/02/gIQAViHWlQ_story.html



Manning to Face All Charges in Court Martial (February 3, 2012)
The commander of the US Army Military District of Washington has announced that Pfc. Bradley Manning will face all charges brought against him in a general court-martial. The most serious of the 22 charges - aiding the enemy - carries the possibility of a death penalty, but prosecutors have said they will not seek capital punishment. If he is convicted of all charges, Manning faces life in prison.
-http://www.wired.com/threatlevel/2012/02/manning-to-be-court-martialed/


Swedish Government Website Targeted by Hackers (February 4, 2012)
Hackers claiming affiliation with Anonymous have launched a distributed denial-of-service (DDoS) attack on the Swedish government's main website. A government spokesperson said that the site has been experiencing problems but declined to provide further details. The attack appears to have coincided with protests against the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty.
-http://www.usatoday.com/news/world/story/2012-02-04/hacker-anonymous-swedish-gov
ernment/52962142/1

[Editor's Note (Honan): This attack, and other similar attacks against government websites in Poland and Ireland
-http://www.siliconrepublic.com/strategy/item/25485-ireland-taking-a-whole-of/,
highlights those responsible for information security in their organisations need to keep abreast of developments in geo-political events and adjust their threat profile accordingly. When doing so don't forget to include customer and suppliers in that threat profile as they may become targets of attacks which in turn could impact on your organisation. ]


FDIC Guidance Clarification
Thank you to everyone who wrote in on the FDIC FIL 3- 2012 guidance to banks. There was a fairly wide range of thought; I am going to try to shoot the middle and avoid politics. In information security we commonly state there are four risk choices: accept, avoid, transfer and mitigate. This article is focused on transfer, and the guidance is that transfer is not an allowable choice. Even if banks outsource their payment card processing, they are still liable for any issues related to inappropriate or illegal activity caused by their customers when using the outsourced card payment service. This has been a principle for financial industries at least since GLBA. In this particular case, apparently, some credit card processors are known to be associated with shady activity: money laundering, sales of fake anti-virus, and so forth. Some banks perceive this to be an unfunded mandate or requirement for them to serve as law enforcement, however this guidance is consistent with all former direction and is actually just the price of doing business as an FDIC member bank.
-http://www.fdic.gov/news/news/financial/2012/fil12003.html
-http://www.bankinfosecurity.com/webinars.php?webinarID=98
-http://www.bankinfosecurity.com/articles.php?art_id=4419
-http://www.gao.gov/new.items/d02670.pdf
-http://krebsonsecurity.com/2011/08/huge-decline-in-fake-av-following-credit-card
-processing-shakeup/

-http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2291
[Editor's Note (Murray): I think that it goes a little farther than "outsourcing." I think it cautions the banks against acts by rogue (electronic) customers that result in losses to others.]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/