SANS NewsBites - Volume: XIV, Issue: 25

*************************************************************************
SANS NewsBites                     March 27, 2012                    Volume: XIV, Issue: 25
*************************************************************************

TOP OF THE NEWS

  The End Game for U.S. Cybersecurity Legislation This Year
  Microsoft Leads Takedown of Zeus Command-and-Controls
  White House Cybersec Advisor Sets CAP Cybersecurity Goals

THE REST OF THE WEEK'S NEWS

  Huawei Banned From Bidding on Australia's National Broadband Network
  Senators Want to Know if Employer Requests for Facebook Access are Legal
  Microsoft Blocking Links to Pirate Bay in Windows Live Messenger
  Comcast Says Xbox 360 App Video Streaming Will Not Count Against Data Cap
  DDOS Attack Shuts Down Online Election Poll
  Millions of UK Credit Card Holders Exposed to Fraud
  Chinese Police Arrest Man for Leaking Personal Data of Millions
  Experts Tell Senate Subcommittee US Networks Penetrated by Foreign Spies
  GAO Report: Agencies Need to Improve Supply Chain Security
  Megaupload Sued For Allegedly Distributing Files in Violation of Copyright
  33-Month Prison Term For Man Who Ran Site That Benefitted Identity Thieves
  Carriers Must Do a Better Job Of Resisting the Use Of Stolen Phones


********************** Sponsored By Palo Alto Networks ******************
Do Not Miss SANS Special Webcast: Threat Review of Resurgent Botnets: Waledac, Kelihos, Zeus sponsored by Palo Alto Networks WHEN: Thursday, March 29, 2012 at 1:00 PM EST. Sign up TODAY at http://www.sans.org/info/102604
**************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************

TOP OF THE NEWS

The End Game for U.S. Cybersecurity Legislation This Year (March 27, 2012)

Editorial (Paller): The U.S. Congress is rapidly approaching the end game in the evolution of a cybersecurity bill. Central to the argument is whether the government has any right to tell industry - especially the critical infrastructure - how to protect its computer systems. The U.S. government, other than in a few exceptional agencies, has wasted multiple billions of dollars on useless activities that got in the way of adequate system and network security. If industry were forced to follow in their footsteps, untold amounts of money would be wasted. At the same time, despite knowing for four years that their systems are under active attack, U.S. power companies have done so little that those who discover intrusions find the intruders have been in place, on average, for more than 18 months. That is more than enough time for intruders to burrow deeply enough to be ready to destroy large parts of the power generation capacity of U.S., highlighting an existential issue for the United States. Assuming industry will change its behavior without external pressure is madness. The middle ground is not to ask industry to do what the government has done, and not to leave industry to solve the problem on its own. The Cybersecurity Act of 2012 is a gentle compromise now being blocked by a few corporate lobbyists - apparently led by those from IBM and Oracle. It is high time for those lobbyists to come out into the light and show the public exactly how and why the U.S. power system will be adequately protected without the Act, or allow the Act to move forward. A cybersecurity act without strong protection for the U.S. power system would be an abrogation of Section 4 of the U.S. Constitution ("The United States ... shall protect
[the states ]
against invasion") that each Member of Congress has sworn, under oath, to uphold. Background reading:
-http://www.huffingtonpost.com/scott-j-shackelford/cybersecurity-act_b_1382552.ht
ml

Microsoft Leads Takedown of Zeus Command-and-Controls (March 25 & 26, 2012)

A number of key Command and Control servers for the Zeus and SpyEye Botnets have been taken down in an operation led by Microsoft. On Friday, March 23, Microsoft employees and US Marshalls armed with a federal warrant raided facilities in Pennsylvania and Illinois that were housing equipment allegedly being used by the botnets. The takedown was the result of months of work culminating in Microsoft filing a suit against 39 unnamed parties seeking permission to disrupt the command and control infrastructure for the botnets. The action follows similar tactics used by Microsoft to takedown other botnets such as the Waledac, Rustock and Kelihos botnets. Microsoft worked with officers from the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the US Marshalls, the National Automated Clearing House Association, the US electronic payments association and researchers from the F-Secure. While the move is seen by many as one that will cause severe disruption to the operation of these botnets experts warn that those botnets will not be entirely disabled.
-http://www.theregister.co.uk/2012/03/26/zeus_botnet_takedown/
-http://www.zdnet.co.uk/news/security-threats/2012/03/26/microsoft-and-us-marshal
s-take-out-botnet-servers-40154882/
-http://www.net-security.org/malware_news.php?id=2047
-http://arstechnica.com/business/news/2012/03/microsoft-uses-racketeering-law-to-
seize-servers-take-down-botnets.ars
-http://www.wired.com/threatlevel/2012/03/microsoft-botnet-takedown/
-http://www.computerworld.com/s/article/9225529/Microsoft_leads_seizure_of_Zeus_r
elated_cybercrime_servers?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57404275-83/the-long-arm-of-microsoft-tries-tak
ing-down-zeus-botnets/?tag=txt;title
[Editor's Comment (Northcutt): The details are very sketchy, I tried several of the URLs above. Last year about this time, they took out Rustock:
-http://arstechnica.com/microsoft/news/2011/03/how-operation-b107-decapitated-the
-rustock-botnet.ars]
Editor's Note (Murray): Kudos to all involved. The rogues should not be permitted to believe that their space is risk free. ]

White House Cybersec Advisor Sets CAP Cybersecurity Goals (March 26, 2012)

White House cybersecurity coordinator Howard Schmidt has established goals for federal agencies to focus on cybersecurity priorities in three areas: Trusted Internet Connections (TIC); continuous monitoring; and strong authentication. Schmidt has provided guidance in each of the areas to help agencies understand where their focus would be best put to use. Schmidt is leading a Cross-Agency Priority (CAP) Cybersecurity goal of "95 percent utilization of critical administration cybersecurity capabilities on Federal information systems" by the end of 2014.
-http://www.informationweek.com/news/government/security/232700242
-http://www.whitehouse.gov/blog/2012/03/23/federal-departments-and-agencies-focus
-cybersecurity-activity-three-administration-p
[Editor's Note (Pescatore): These are three very high payback areas to focus on, with a focus on increasing the operational level of security vs. just talking about security. I'd expand TIC to focus on more built-in security filtering, such as available in the MTIPS services that are part of the contracts. On strong authentication, the Googles of the world are starting to nudge consumers towards stronger authentication - it is long past time for the government to do on its own systems.
(Murray): Good set of priorities. Short, sweet, efficient. It is long since time for the government to use strong authentication. That is the least that they owe the citizen taxpayer. ]



*************************** Sponsored Links: **************************
1) SolarWinds(R) Log and Event Manager for operations, compliance and security is powerful, easy and affordable! http://www.sans.org/info/102609

2) SANS Analyst Program Webcast: Reducing Risk to Federal Systems with the SANS 20 Critical Controls April 19, 1 PM EST. http://www.sans.org/info/102614
************************************************************************

THE REST OF THE WEEK'S NEWS

Huawei Banned From Bidding on Australia's National Broadband Network (March 27, 2012)

At the recommendation of the Australian Security Intelligence Organization (ASIO), China's Huawei Technologies has been banned from bidding on Australia's National Broadband Network over national security concerns. Huawei is also being investigated by the US House Intelligence Committee over concerns that it operates as part of the Chinese government's espionage efforts. That investigation was announced late last year. Huawei says it is not linked to China's government.
-http://www.ctv.ca/generic/generated/static/business/article2381651.html
-http://www.theaustralian.com.au/national-affairs/rejected-telco-drew-us-worry-fo
r-spying/story-fn59niix-1226310748639
-http://www.vancouversun.com/business/Australia+shuts+China+Huawei+from+broadband
+business/6360163/story.html
[Editor's Note (Pescatore): Of course, this is very much a two-way street. Many non-US companies see the Patriot Act as meaning that US-based technology services are government influenced and would put customer data at risk. ]

Senators Want to Know if Employer Requests for Facebook Access are Legal (March 26, 2012)

US legislators want to know if employers who ask job applicants for the access credentials to their Facebook accounts are violating US laws. Senators Richard Blumenthal (D-Connecticut) and Charles Schumer (D-New York) have asked the Department of Justice and Equal Employment Opportunity Commission to launch an investigation into the matter. If the requests for the login information do not violate current federal law, the senators plan to introduce new legislation that would make it illegal for employers to request applicant's login information for social networking sites and email accounts.
-http://arstechnica.com/tech-policy/news/2012/03/senators-want-ruling-on-whether-
facebook-password-requests-are-illegal.ars
[Editor's Note (Murray): When I called this practice to the attention of a fifteen year old, his first reaction was that he "had nothing to hide." On further consideration, he said that he understands that Facebook is a dangerous neighborhood and he rarely goes there. While I expect the FTC to oversee commercial this practice, I would prefer that the Congress spend oversight time on DoD, DHS, NSA, CIA, and the FBI. ]

Microsoft Blocking Links to Pirate Bay in Windows Live Messenger (March 26, 2012)

Microsoft has acknowledged that it has blocked links to The Pirate Bay through its Windows Live Messenger instant messaging service. Microsoft says it "block
[s ]
instant messages if they contain malicious or spam URLs based on intelligence algorithms, third-party sources, and/or user complaints. Pirate Bay URLs were flagged by one or more of these." Users who try to send an IM that contains a Pirate Bay link will receive a warning message telling them that the link was "blocked because it was reported as unsafe."
-http://www.theregister.co.uk/2012/03/26/microsoft_censors_pirate_bay_im/
-http://news.cnet.com/8301-13506_3-57404389-17/the-pirate-bay-walks-the-plank-on-
windows-live-messenger/

Comcast Says Xbox 360 App Video Streaming Will Not Count Against Data Cap (March 26, 2012)

Comcast has announced that streaming Comcast On-Demand videos over its Xbox live streaming video app will not count against customers' 250GB monthly data limit. Comcast maintains that they are able to do this because the video is being streamed over its "private IP network and not the public Internet." The announcement has raised concerns from net neutrality advocates. The Xbox 360 app has not yet launched, but has been available in a beta.
-http://arstechnica.com/gaming/news/2012/03/comcast-xbox-360-on-demand-streams-wo
nt-count-against-data-caps.ars
-http://arstechnica.com/tech-policy/news/2012/03/net-neutrality-concerns-raised-a
bout-comcasts-xbox-on-demand-service.ars
-http://www.philly.com/philly/business/technology/144228256.html

DDOS Attack Shuts Down Online Election Poll (March 26, 2012)

Two men have been arrested in Hong Kong for their alleged part in a Distributed Denial of Service (DDoS) attack which disrupted an online poll organized by the University of Hong Kong as part of its Civic Referendum Project to allow people in the Special Administrative Region (SAR) to indicate who they would like to be the CEO of the region. The results of the poll are not official and have no bearing on the actual appointment of the CEO, which is done by an election committee made up of pro-Chinese business people. Robert Chung, director of the university's program said about the website supporting the online poll, "We suspect it is under systematic attack as there are more than one million clicks on our system every second." The online poll could have been seen to undermine the results of the official election committee.
-http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/
-http://www.theaustralian.com.au/news/world/online-poll-in-hong-kong-mocked-by-a-
million-clicks/story-e6frg6so-1226308588795
[Editor's Note (Pescatore): Just like a data center with no electricity, a web site without available Internet connectivity is pretty useless. Just as any important data center has power backup, any important web site should have DDoS mitigation as part of its Internet connectivity. ]

Millions of UK Credit Card Holders Exposed to Fraud (March 26, 2012)

According to an experiment run by Channel 4 News in the UK, customers using contactless credit cards issued by Barclay's bank could have their data stolen without their knowledge by criminals using standard card readers built into many mobile phones. The contactless credit cards work by using a chip built into the credit card which when scanned over a reader will make the payment without the need for a pin. In its tests Channel 4 News was able to extract information from a contactless credit card which included the long card number, the expiry date and the name of the cardholder. None of the data extracted was encrypted. Channel 4 News were then able to use that information to make a purchase online with Amazon. Barclay's bank said the issue is not with the contactless cards, but with the security checks taken for "card not present" transactions by some retailers. The UK government's Department for Business, Innovation and Skills has called for the findings of the report to be investigated as a matter of urgency.
-http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud
-http://www.theregister.co.uk/2012/03/26/nfc_security_amazon/
-http://www.zdnet.co.uk/blogs/mixed-signals-10000051/millions-of-barclays-custome
rs-at-risk-in-nfc-attack-10025729/
[Editor's Note (Murray): One of the excuses that the US Card issuers have used for not issuing EMV cards is that it does nothing to improve the security of "card not present" transactions. On the other hand, they have done little to encourage the use of their out-of-band solutions (e.g., Verified by Visa) which would. Instead they rely on their AI fraud detection systems. These work pretty well for them but operate late from the perspective of the card user. ]

Chinese Police Arrest Man for Leaking Personal Data of Millions (March 21 & 26, 2012)

Police in China have arrested a man suspected of leaking the personal data of more than six million users of the China Software Developer Network (CSDN). The exposed information includes user names, passwords, and email addresses. Police also penalized CSDN for not adequately protecting its database.
-http://www.zdnet.com/blog/security/chinese-hacker-arrested-for-leaking-6-million
-logins/11064
-http://www.infosecurity-magazine.com/view/24689/china-arrests-suspect-in-data-br
each-affecting-six-million-csdn-subscribers/

Experts Tell Senate Subcommittee US Networks Penetrated by Foreign Spies (March 24, 2012)

Computer security experts testifying before the US Senate Armed Services Committee Subcommittee on Emerging Threats and Capabilities told members to assume that the computer networks of the US Military have been penetrated by foreign spies. Testifying before the committee, Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories, said "I think we have to go to a model where we assume that the adversary is in our networks." Instead of focusing efforts on shoring up defenses such as firewalls and gateway devices the experts argued the focus should be more on protecting the data and not controlling access. Other challenges facing those trying to secure the networks is the difficulty in attracting people with the right cyber skills to work in government. Low pay, poor promotion prospects and pay freezes were all cited as issues that need to be addressed in order to attract the right skills. The current head of the Defense Advanced Research Projects Agency, Dr Kaigham Gabriel, said "It's not that we're doing wrong things, it's just the nature of playing defense in cyber."
-http://www.bbc.co.uk/news/technology-17486847
-http://www.theregister.co.uk/2012/03/24/congress_dod_pwned/
-http://blogs.cio.com/security/16923/dod-networks-completely-compromised-experts-
say
[Editor's Note (Murray): Given the evidence in the Verizon Data Breach Incident Report that breaches are not discovered for weeks to months, it is prudent to assume that there are compromised systems on one's network. ]

GAO Report: Agencies Need to Improve Supply Chain Security (March 23, 2012)

According to the US Government Accountability Office (GAO), US government agencies involved in national security need to improve the security of their IT supply chains. Currently, there are no federal requirements for tracking "the extent to which their telecommunications networks contain foreign-developed equipment, software, or services." The Defense Department has implemented a supply chain risk management program that has reduced its risk. According to the Department of Homeland Security's (DHS) US-Computer Emergency Readiness Team (US-CERT), 25 percent of the approximately 43,000 reported incidents involved malicious code that could have been introduced somewhere in the supply chain. The GAO's report says that the lack of requirements makes the Departments of Energy, Homeland Security, and Justice more vulnerable to malware installed by foreign governments and others seeking to cause harm.
-http://www.nextgov.com/nextgov/ng_20120323_1655.php?oref=topstory
-http://www.gao.gov/assets/590/589568.pdf

Megaupload Sued For Allegedly Distributing Files in Violation of Copyright (March 23, 2012)

A company that makes automatic voice paging systems is suing Megaupload for copyright damages, saying that the download site was distributing a significant number of its files. Valcom said that Megaupload was responsible for more than half a billion dollars in copyright losses.
-http://arstechnica.com/tech-policy/news/2012/03/this-is-not-a-test-voice-paging-
systems-recorder-seeks-millions-in-damages-from-megauploadcom.ars

33-Month Prison Term For Man Who Ran Site That Benefitted Identity Thieves (March 23, 2012)

Dmitry Naskovets of Belarus has been sentenced to 33 months in US prison for his role in running CallService.biz, a site that helped cyber thieves by selling the services of English and German speaking accomplices to online bank fraud. The thieves would provide the site's employees with a dossier of information about the legitimate account holder. When the bank attempted to verify transactions, the thieves then had someone who sounded like the legitimate account holder and who knew answers to personal questions. That information was stolen from targets through phishing and keystroke loggers. Naskovets was arrested in the Czech Republic in 2010 and extradited to the US. An accomplice, Sergey Semashko, was arrested sat the same time in Belarus and has been charged there.
-http://www.wired.com/threatlevel/2012/03/rent-a-fraudster/

Carriers Must Do a Better Job Of Resisting the Use Of Stolen Phones (March 22, 2012)

While authorities say that there are ways to help fight smartphone theft, they also say that the wireless companies are not doing what they can to help address the problem. Tens of thousands of smartphones are stolen every year; in some cases, thieves have taken violent action and the owners have been hurt. The problem is that wireless companies are allowing stolen smartphones to be reactivated under different numbers. Police chiefs in cities around the US are writing to federal authorities to ask that wireless companies be required to take some steps to make the phones are less appealing target for those looking to steal and resell them. Every wireless phone has a unique ID. Once a phone is reported stolen, that number would be added to a blacklist and the companies would share information, blocking service on the stolen phones forever. Similar plans are already running in the UK and Australia. Several wireless companies have responded to the idea.
-http://today.msnbc.msn.com/id/46794322/ns/today-today_rossen_reports/t/rossen-re
ports-why-wont-wireless-companies-help-stop-cell-phone-thefts/#.T2_bnZh9020
-http://today.msnbc.msn.com/id/46799809/ns/today-today_rossen_reports/t/statement
s-wireless-industry-about-cell-phone-thefts/#.T2_ei5h9020


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/