SANS NewsBites - Volume: XIV, Issue: 21

*************************************************************************
SANS NewsBites                     March 13, 2012                    Volume: XIV, Issue: 21
*************************************************************************
TOP OF THE NEWS

  Report Warns of Risk From China's Cyber Warfare Skills
  Government Software Buggier Than Commercial Software
  Geo-Location Data on Social Networking Sites Poses Threat to Military

THE REST OF THE WEEK'S NEWS

  Google Quickly Patches Flaws Exposed in Pwnium Exploits
  More Symantec Source Code Posted to Internet
  Hackers Claim to Have Stolen User Data From Porn Site
  University Student Wins UK Cyber Security Competition
  South Korean Police Make Arrests in Data Theft Case
  EFF Says French Biometric Database Law Could Prove Slippery Slope for Civil Liberties
  Apple Issues Safari Update
  Secunia Discloses a Pair of Flaws in Safari Not Corrected By Apple


******************** SPONSORED BY F5 Networks, Inc. *********************
WHITE PAPER: PROTECTING FEDERAL SYSTEMS FROM ADVANCED PERSISTENT THREATS In today's multilayered attacks against government systems, one of the key entry points is through web applications. This SANS Institute paper discusses how to set policies to develop secure applications and protect against known and unknown threats throughout the application's lifetime. http://www.sans.org/info/101419
**************************************************************************
TRAINING UPDATE
--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security Testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 12 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************


TOP OF THE NEWS

Report Warns of Risk From China's Cyber Warfare Skills (March 7 & 8, 2012)
A report from Northrop Grumman for the US-China Economic and Security Review Commission says that China's cyber warfare skills could pose a risk to the US military "in the event of a conflict," describing the possibility of such a situation arising if the US ever needed to come to the defense of Taiwan. The report goes on to say that the difficulty of determining the true source of cyber attacks is a hindrance to responding to such attacks and delays decision making, which could be exploited by an adversary to gain advantage. The report also says that the Chinese military has begun testing its cyber attack capabilities in exercises. The report points out that the US does not have a policy for deciding on appropriate responses to large-scale cyber attacks.
-http://www.defensenews.com/article/20120308/DEFREG02/303080006/China-Cyber-Warfare-Skills-Risk-U-S-Military-Report?odyssey=tab|topnews|text|FRONTPAGE

-http://www.washingtonpost.com/world/national-security/china-testing-cyber-attack-capabilities-report-says/2012/03/07/gIQAcJwDyR_story.html

-http://www.reuters.com/article/2012/03/08/china-usa-cyberwar-idUSL2E8E82TD20120308

-http://thehill.com/blogs/defcon-hill/policy-and-strategy/214919-pentagon-cyber-war-capabilities-falling-short-of-expectations

[Editor's Note (Paller): In Joel Brenner's new book (Joel was the US Counter Intelligence Executive) he writes that China has 30,000 hackers in the People's Liberation Army and a connected private militia of 150,000, most with deep technical knowledge built through hands-on training and real work in cyber defense and offense and forensics. The US Department of Defense continues to sponsor a policy and program called "8570" that anoints people as "certified" for technical jobs in cyber security with tests that can be (and are being) passed by sales people and journalists and tens of thousands of others with no technical, hands-on skills. The people running that program know what they are doing and have told me "we cannot tell the Commanders that their security people don't know how to secure their systems so we have to let them all pass." If anyone at DoD actually cares about cybersecurity, he or she will change that policy. ]


Government Software Buggier Than Commercial Software (March 13, 2012)
Forbes magazine previewed a presentation for the upcoming European BlackHat conference in which the presenter shows that developers of government software are allowing significantly more exploitable security flaws into their code than those who develop programs for private industry. One reason the presenter gives is that government contractors have an incentive to win add-on work, and security flaws create add-on contracts.
-http://www.forbes.com/sites/andygreenberg/2012/03/13/study-confirms-governments-produce-the-buggiest-software/



Geo-Location Data on Social Networking Sites Poses Threat to Military (March 9 & 12, 2012)
The US Army is reminding soldiers that check-ins and the metadata contained in images posted online could provide information to those seeking to do harm. In 2007, photos taken on a base in Iraq after the arrival of a fleet of helicopters contained sufficient information to allow the enemy to launch a mortar attack that destroyed four of the Apache craft. GPS data are now embedded by default in images taken by many digital cameras.
-http://www.technolog.msnbc.msn.com/technology/technolog/us-army-soldiers-check-ins-can-kill-405150

-http://www.bbc.co.uk/news/technology-17311702
[Editor's Note (Murray): Social networking sites spew data by design and intent. Their use by soldiers is bound to compromise operations security. Location data is only one obvious kind of leak. ]
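The GPS data this item refers to sit in the EXIF GPSInfo sub-IFD inside a JPEG's APP1 segment. The following stdlib-only Python is an added example, not code from the newsletter or the cited articles: it reports which GPS tags a JPEG carries and strips the Exif segment before an image is shared; the sample file it runs on is a constructed minimal JPEG, not a real photograph.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",  # EXIF 2.x names
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

# Constructed sample, not a real photo: SOI, one APP1/Exif segment (big-endian
# TIFF: IFD0 -> GPSInfo pointer -> GPS IFD with LatRef "N", LonRef "W"), EOI.
_TIFF = (b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x01"            # header; IFD0 @8, 1 entry
         + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"  # GPSInfo (LONG) -> @26
         + b"\x00\x00\x00\x00" + b"\x00\x02"                    # no next IFD; GPS IFD, 2 entries
         + b"\x00\x01\x00\x02\x00\x00\x00\x02N\x00\x00\x00"     # GPSLatitudeRef, ASCII "N"
         + b"\x00\x03\x00\x02\x00\x00\x00\x02W\x00\x00\x00"     # GPSLongitudeRef, ASCII "W"
         + b"\x00\x00\x00\x00")                                 # no next IFD
_APP1 = b"Exif\x00\x00" + _TIFF
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_APP1) + 2)
               + _APP1 + b"\xff\xd9")


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while (pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF
           and jpeg[pos + 1] not in (0xD9, 0xDA)):   # stop at EOI or image data
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def gps_tags(jpeg):
    """Names (hex id if unknown) of GPS sub-IFD tags present; [] if none."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]            # all EXIF offsets are relative to here
        e = ">" if tiff[:2] == b"MM" else "<"  # byte order from the TIFF header
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        for i in range(struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]):
            off = ifd0 + 2 + 12 * i
            tag, _type, _count, value = struct.unpack(e + "HHII", tiff[off:off + 12])
            if tag == GPS_IFD_TAG:             # value = offset of the GPS sub-IFD
                n = struct.unpack(e + "H", tiff[value:value + 2])[0]
                ids = [struct.unpack(e + "H", tiff[value + 2 + 12 * j:][:2])[0]
                       for j in range(n)]
                return [GPS_TAG_NAMES.get(t, hex(t)) for t in ids]
    return []


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment removed; image data kept."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            out += jpeg[start:end]             # keep JFIF, quantisation tables, etc.
        pos = end
    return bytes(out) + jpeg[pos:]
```

On a real photograph, a non-empty result from gps_tags on the file bytes means the image carries location data; strip_exif removes the whole Exif block, so camera make, timestamps and thumbnails go with it.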



*********************** SPONSORED LINKS: *****************************
1) Got Sudo? Get a centralized sudoers file and easy access rights reporting for $59. Download a Free Trial at: http://www.sans.org/info/101424
2) Ignore 99% of Your IT Risks. Learn how from Rapid7's new Security Risk Intelligence whitepaper. http://www.sans.org/info/101429
3) New Analyst Paper in the SANS Reading Room! Review of NetIQ Sentinel 7 for Security Information and Event Management, by senior SANS analyst, Jerry Shenk. http://www.sans.org/info/101434
************************************************************************

THE REST OF THE WEEK'S NEWS

Google Quickly Patches Flaws Exposed in Pwnium Exploits (March 9 & 12, 2012)
Google has paid two people US $60,000 each for their discovery and demonstrations of vulnerabilities in its Chrome browser. The Pwnium challenge was launched in late February. Researcher Sergey Glazunov developed an attack that exploited two previously unknown flaws, and a teenager who uses the online moniker "PinkiePie" developed an attack that exploited three zero-day flaws. Google has already patched the flaws used in both attacks.
-http://www.pcworld.com/article/251671/browser_bug_hunters_collect_payoff_in_pwn2own.html

-http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/
-http://news.cnet.com/8301-13506_3-57393337-17/chrome-hacker-wins-$60000-for-finding-full-exploit/

-http://news.cnet.com/8301-1009_3-57394130-83/quick-fix-pwnium-exploit-of-chrome-patched-within-24-hours/

-http://www.h-online.com/security/news/item/Google-fixes-Pwnium-security-issue-in-Chrome-1467780.html



More Symantec Source Code Posted to Internet (March 12, 2012)
A group of cyber thieves has posted Norton Antivirus 2006 source code on the Internet. The code theft is believed to date back to a 2006 cyber intrusion. Symantec has acknowledged that the code is authentic, but notes that because of its age, users who have current versions of Symantec products are not at increased risk of attack.
-http://www.h-online.com/security/news/item/Source-code-of-Symantec-Antivirus-posted-on-the-net-1468974.html



Hackers Claim to Have Stolen User Data From Porn Site (March 9 & 12, 2012)
Hackers say they have stolen personal information of more than 70,000 subscribers of an Internet pornography site. The data thieves claim to have stolen 40,000 credit card numbers in plaintext, along with their expiration dates and security codes. Other purloined data include usernames, email addresses, and passwords.
-http://www.bbc.co.uk/news/technology-17339508
-http://www.theregister.co.uk/2012/03/12/smut_site_hacked/
-http://www.scmagazine.com/porn-site-digital-playground-hacked-to-expose-card-numbers/article/231472/



University Student Wins UK Cyber Security Competition (March 11 & 12, 2012)
UK university student Jonathan Millican has won the UK Cyber Security competition. The six-month long contest is sponsored by the UK's GCHQ and several technology companies. The final portion of the competition involved six five-person teams. Their challenges included advising a fictional start-up company on cyber security and defending a network against a simulated attack. While Millican's team did not win, his demonstration of leadership skills, technical capability, and business acumen helped the judges determine that he deserved top prize. The prizes are customized to meet the winners' situations. In Millican's case, he has been awarded a full scholarship for a master's degree when he completes his undergraduate work.
-http://www.bbc.co.uk/news/technology-17333601
-http://www.v3.co.uk/v3-uk/news/2158678/cambridge-student-crowned-uk-security-champion

-http://www.theregister.co.uk/2012/03/12/hack_idol_2012/
[Editor's Note (Murray): Finally a story about a government agency that gets it. I am up to my eyeballs with stories about the government that just hired the rogue hacker that breached them.
(Honan): It is also great to see this competition focusing on the defensive skills required for protecting our networks. Too often we focus on the attacking skills forgetting that the defensive nature of information security is one of the most intellectually challenging careers people can have. ]


South Korean Police Make Arrests in Data Theft Case (March 9, 2012)
Police in South Korea have arrested five men for allegedly stealing mobile phone data and selling them to private detectives. The men were employed as sub-contractors for two major mobile service providers. They were managing online friend tracking services and allegedly developed software that stole information without the user's knowledge and sold it to private investigators. Police also reportedly arrested the owner of a private detective agency and a person who allegedly brokered the sale of the stolen data.
-http://www.theregister.co.uk/2012/03/09/south_korea_phone_hackers/


EFF Says French Biometric Database Law Could Prove Slippery Slope for Civil Liberties (March 9, 2012)
The Electronic Frontier Foundation (EFF) is warning that a law recently passed by the French National Assembly is a threat to citizens' civil liberties. The law mandates the creation of a biometric database, ostensibly to be used to help fight identity fraud. The EFF observes that some governments are now requiring citizens to have biometric data stored on chips in passports and also held in government databases. The French law would require citizens to carry biometric ID cards. EFF says the new law is invasive and cites precedent of databases being created for one purpose and then being used for another.
-http://www.siliconrepublic.com/strategy/item/26167-eff-warns-of-big-brother/


Apple Issues Safari Update (March 12, 2012)
Apple has issued security updates for both the Windows and the OS X versions of its Safari browser. Safari 5.1.4 fixes a number of memory corruption flaws in WebKit that could be exploited to allow remote code execution. Other fixes for WebKit include one for a cross-site scripting flaw that could be exploited to gain access to users' cookie data. Vulnerabilities addressed in Safari itself include a flaw in the way JavaScript is handled and another in the way International Domain Name (IDN) code is handled.
-http://www.v3.co.uk/v3-uk/news/2158904/apple-posts-security-update-safari-browser



Secunia Discloses a Pair of Flaws in Safari (March 9, 2012)
Secunia is warning of two zero-day flaws in Apple's Safari 5 browser, neither of which is patched by Apple's Safari updates. Both vulnerabilities could be exploited to run malware and launch spoofing attacks; no attacks using these flaws have been detected in the wild. One of the flaws lies in the part of the browser that handles plug-ins. The other is in a function called "setInterval." Secunia notified Apple of the vulnerabilities at least six months ago but has not received adequate status updates on Apple's progress in developing fixes. Normally, information about vulnerabilities is withheld until the company whose product is affected has issued a fix, so that users can be protected from exploits. Secunia's policy, however, is that if a company fails to respond to vulnerability reports within six months, it will release information about the flaws.
-http://news.cnet.com/8301-1009_3-57394491-83/danish-firm-outlines-two-unpatched-safari-vulnerabilities/

-http://www.infoworld.com/t/patch-management/security-firm-goes-public-apple-safari-flaws-188346



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/