SANS NewsBites - Volume: XIV, Issue: 26

*************************************************************************
SANS NewsBites                     March 30, 2012                    Volume: XIV, Issue: 26
*************************************************************************
TOP OF THE NEWS

  FBI Cyber Chief Says US Losing War With Hackers
  Former US Counterterrorism Czar Says China Hacked Every Major U.S. Firm
  NSA Director General Alexander Fingers China in RSA Hack
  Gen Alexander: Pres. Approval Should be Required for Cyber Attack

THE REST OF THE WEEK'S NEWS

  Study Claims Assumptions On Cyber Criminals Are Wrong
  Megaupload Drops Suit Against Universal
  Adobe Introduces Flash Player Silent Updates
  EU Proposes Hackers To Face Jail Sentence of Two Years
  European Commission Proposes New Cybercrime Center
  Second Kelihos Botnet Taken Down by Security Firms
  McCain Says DHS Not Cut Out to be Cyber Defense Leader
  Republican Cyber Security Act Introduced
  Huawei Suffering Setbacks in Global Market
  Apple iOS Review Teams Rejecting Apps That Use UDID for Tracking
  Two Teenagers Arrested for Hacking into Dutch Telecoms Operator
  TSA Blocks Schneier's Testimony at Body Scanner Hearing


****************** Sponsored By WinMagic Inc. *********************
Is Your Encryption Solution A Nightmare? Do you have Tales of Encryption? Wake up to a new Reality with WinMagic. Join us for our live broadcast on Wed, Apr 4, 2012 1:00 PM - 2:00 PM EDT to learn how WinMagic SecureDoc can dispel encryption myths and secure your data. Register Today http://www.sans.org/info/102744
**************************************************************************
TRAINING UPDATE
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack
http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.
http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses.
http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
http://www.sans.org/security-west-2012/

--SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.
http://www.sans.org/toronto-2012/

--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Johannesburg, Brisbane, Jakarta, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***********************************************************


TOP OF THE NEWS

FBI Cyber Chief Says US Losing War With Hackers (March 28, 2012)
In an interview with the Wall Street Journal, FBI cyber chief Shawn Henry said that the US is "not winning" the war waged by hackers on corporate networks. "We've been playing defense for a long time, ... You can only build a fence so high, and what we've found is that the offense outpaces ... and is better than the defense." He said that more and more often, FBI investigations turned up data stolen from companies that did not even know they had been infiltrated. Henry plans to leave the FBI after more than 20 years to work in private industry. James A. Lewis, senior fellow in cybersecurity with the Center for Strategic and International Studies, agrees with Henry's assessment, saying that "there's a kind of willful desire not to admit how bad things are, both in government and certainly in the private sector."
-http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html?mod=djemalertNEWS
-http://www.technolog.msnbc.msn.com/technology/technolog/not-winning-war-hackers-fbi-cyber-chief-581557
-http://blogs.computerworld.com/19951/cybersecurity_america_is_losing_the_war_china_hacked_every_major_us_company?source=CTWNLE_nlt_security_2012-03-29
-http://news.cnet.com/8301-1009_3-57405707-83/u.s-not-winning-war-with-hackers-says-fbi-bigwig/?tag=txt;title

[Editor's Note (Pescatore): Actually, I think there is a very willful desire to make things sound worse than they are. Despite centuries of security effort, retail still loses 3% of revenue to "shrinkage" - shoplifting and employee theft, and the costs of keeping to that level. Turns out that level is an acceptable cost of doing business - they could get shrinkage down to zero but revenue would drop more than 3% so *they would be worse off.* Ditto bank robberies, and every other area of physical and cyber world crime. "Winning" any war against any crime is not crippling the business to see the crime stop, it is getting both the cost of the crime *and* the cost of the security down to acceptable business levels.
(Honan): You can only hope to win a battle when you are properly engaged. When you read reports, such as the Verizon Data Breach Investigations report, and see statistics showing 97% of the breaches studied were avoidable through simple or intermediate controls you realise that many organisations are not even in the parking lot never mind on the playing field when it comes to information security.]


Former US Counterterrorism Czar Says China Hacked Every Major U.S. Firm (March 29, 2012)
In an interview published in Smithsonian Magazine, ex-US Cyber Czar Richard A. Clarke claimed, on the record, that Chinese hackers have infiltrated every major American corporation with "brutal" effects for American innovation, especially corporate R&D.
-http://www.fastcompany.com/1826665/counterterrorism-czar-chinas-hacked-every-major-us-firm?partner=rss&utm_medium=referral&utm_source=pulsenews

[Editor's Note (Murray): While I think all large enterprises should behave as targets and as though there are compromised systems on their networks, most of them do not know what Clarke claims to know about them. ]


NSA Director General Alexander Fingers China in RSA Hack (March 29, 2012)
Earlier this week, NSA Director and Commander of the US Cyber Command General Keith Alexander told the Senate Armed Services Committee that China was responsible for the attack on RSA last year. Those attacks compromised the security of RSA's SecurID tokens. The information taken was used in an attempted but ultimately unsuccessful attack against Lockheed Martin. General Alexander also said that China is stealing large quantities of military intellectual property from the US. General Alexander said that changes need to be made to make it more difficult for these types of attacks to occur. He said that the government needs real time capabilities to work with the private sector and stop attacks.
-http://www.theregister.co.uk/2012/03/29/nsa_blames_china_rsa_hack/
-http://www.informationweek.com/news/government/security/232700341
[Editor's Note (Murray): The recent Verizon Data Breach report tells us that commercial enterprises do not know in "real time" when they are under attack. ]
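The RSA story above turns on one point that the news reports leave implicit: a one-time-password token is only as secret as its seed, so whoever holds a copy of the seed database can generate the same codes as the physical token and the server cannot tell the two apart. The following added example (editor's illustration, not RSA's code; SecurID's algorithm is proprietary, so this uses the public RFC 6238 TOTP scheme, which has the same property) shows a legitimate login, an attacker with a copied seed authenticating without a token, and the effect of reseeding. The seed, serial and timestamp are constructed sample values.

```python
"""Why a stolen OTP seed defeats a hardware token (added illustration).

Not RSA's proprietary SecurID algorithm: this is RFC 6238 TOTP
(HMAC-SHA1 over a 30-second counter). The relevant property is shared:
the seed is the only thing that makes the token's codes unpredictable.
All seeds, serials and timestamps below are constructed sample values.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

STEP_SECONDS = 30
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 time-based OTP: HMAC-SHA1(seed, counter) with dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Authentication server holding the seed database (the asset taken in a seed theft)."""

    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}

    def provision(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        # Accept a small clock-drift window, as real servers do.
        for k in range(-skew_steps, skew_steps + 1):
            expected = totp(seed, unix_time + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def reseed(self, serial: str, new_seed: Optional[bytes] = None) -> bytes:
        """Replace a compromised seed; codes from the old seed stop authenticating."""
        if new_seed is None:
            import secrets
            new_seed = secrets.token_bytes(20)
        self.seeds[serial] = new_seed
        return new_seed


def seed_theft_demo():
    """Returns (legit_user_accepted, attacker_with_stolen_seed_accepted, attacker_after_reseed)."""
    server = TokenServer()
    serial = "000123456789"                                   # constructed
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed
    server.provision(serial, seed)
    t = 1_333_065_600  # 2012-03-30 00:00:00 UTC, constructed

    legit = server.verify(serial, totp(seed, t), t)

    # Attacker holds an exfiltrated copy of the seed: no physical token needed.
    stolen_seed = seed
    attacker_accepted = server.verify(serial, totp(stolen_seed, t), t)

    # Reseeding the token is the only remediation; the stolen copy is now useless.
    server.reseed(serial, bytes.fromhex("aabbccddeeff00112233445566778899aabbccdd"))  # constructed
    after_reseed = server.verify(serial, totp(stolen_seed, t), t)

    return legit, attacker_accepted, after_reseed
```

The server-side check is identical for the user and the attacker, which is why a PIN (something known, kept out of the seed database) and prompt reseeding are the only defences once the seed file is gone; the token hardware itself adds nothing after that point.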


Gen Alexander: Pres. Approval Should be Required for Cyber Attack (March 27, 2012)
Alexander also told the Senate Armed Services Committee that cyber attacks on enemies' systems should require presidential approval and should not be left to the discretion of individual military commanders. General Alexander addressed the issue in what has been a classified debate over the military's rules of engagement in cyberspace. Alexander also told the committee that the NSA does not want to monitor private networks for cyberthreats, but instead, wants to provide malware signatures to help private industry monitor their own networks. Information about the threats would then be shared in real time.
-http://www.washingtonpost.com/world/national-security/cyberattacks-should-requir
e-presidential-authorization-official-says/2012/03/27/gIQA0312eS_story.html

-http://www.wired.com/threatlevel/2012/03/nsa-malware-signature/



***************** Sponsored Links: **********************
1) Do Not Miss SANS Special Webcast: Threat Review of Resurgent Botnets: Waledac, Kelihos, Zeus sponsored by Palo Alto Networks. Go to http://www.sans.org/info/102749
2) SANS Analyst Program Webcast: Reducing Risk to Federal Systems with the SANS 20 Critical Controls April 19, 1 PM EDT. http://www.sans.org/info/102754
************************************************************************


THE REST OF THE WEEK'S NEWS

Study Claims Assumptions On Cyber Criminals Are Wrong (March 29, 2012)
According to a study released by The John Grieve Centre for Policing and Security at London Metropolitan University, 80 percent of cybercrime is committed by ordinary criminals and not by the sophisticated hackers depicted by Hollywood. The research shows that 43 per cent of cyber-crooks are over 35 years old while 29 per cent are under 25, dispelling the myth of hacking being the preserve of highly skilled teenagers. The availability of crimeware and easy-to-use hacking tools means that criminals can get involved in cybercrime without any high level of technical skill. Professor John Grieve, founder of the centre, said "The research found evidence of many cases where there has been real success in closing down digital criminal operations. Growth in the digital economy will inevitably cause an increase in organized digital crime, however this need not be seen as an insurmountable problem. Rather, it is a predictable problem that - by better understanding the perpetrators and their working methods - we can meet head on."
-http://www.theregister.co.uk/2012/03/29/cybercrime_myths_exploded/
-http://www.zdnet.co.uk/news/security-threats/2012/03/29/detica-80-percent-of-internet-crime-is-co-ordinated-40154918/

-http://www.v3.co.uk/v3-uk/news/2164355/gangs-responsible-crimes


Megaupload Drops Suit Against Universal (March 29, 2012)
Megaupload has filed the paperwork to drop a lawsuit it filed against Universal Music over a video the file sharing service produced; the video contained clips of musical artists saying positive things about Megaupload. The suit is likely to have been dropped so that Megaupload can focus its attention on the criminal charges its executives face in the US over allegations of facilitating wanton copyright infringement. Megaupload may also face charges of copyright infringement in a lawsuit from the Motion Picture Association of America (MPAA).
-http://www.wired.com/threatlevel/2012/03/megaupload-focuses-on-charges/
-http://www.wired.com/images_blogs/threatlevel/2012/03/meguaploadvuniversal.pdf


Adobe Introduces Flash Player Silent Updates (March 28 & 29, 2012)
Adobe's most recent update for Flash Player addresses a pair of critical vulnerabilities. The newest release of Flash, version 11.2, also incorporates silent updates for Windows users, meaning that future updates will be installed in the background with no user interaction. The settings can be changed manually to alert users when updates are available and allow them to decide when they will be installed. This most recent update is the third security update Adobe has released for Flash Player in six weeks. Adobe plans to introduce silent updates for Mac at a later date.
-http://krebsonsecurity.com/2012/03/critical-security-update-for-adobe-flash-player-2/
-http://www.computerworld.com/s/article/9225624/Adobe_streamlines_Flash_Player_updates_by_going_silent?taxonomyId=17

-http://www.theregister.co.uk/2012/03/29/adobe_flash_auto_update/
[Editor's Note (Murray): Flash is historically broken. This is a solution that is worse than the problem. Enterprises should not be using Flash. ]


EU Proposes Hackers To Face Jail Sentence of Two Years (March 28, 2012)
The Civil Liberties Committee of the European Parliament has issued a number of proposals to tackle the threat posed by cybercrime by harmonizing cybercrime laws across EU member states. Under the proposals, the minimum sentence that would be imposed on someone found guilty of hacking offenses would be two years. Tougher minimum sentences of five years are proposed for those found guilty of disrupting systems using Distributed Denial-of-Service (DDoS) attacks or where financial loss has occurred. German MEP and Committee rapporteur Monika Hohlmeier said, "The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world." Under the proposals, those found possessing or distributing tools that could be used in attacks could also face stiff sentences, something which is raising concerns amongst information security professionals who use these tools for legitimately testing the security of systems.
-http://news.techworld.com/security/3347694/hackers-face-two-year-jail-terms-under-new-eu-proposals/
-http://www.europarl.europa.eu/news/en/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence
-http://www.theinquirer.net/inquirer/news/2164249/european-hackers-prison


European Commission Proposes New Cybercrime Center (March 28, 2012)
The European Commission announced that it will create a European Cybercrime Centre to tackle the growing threat of cybercrime. The centre will focus primarily on combating credit card and banking fraud. It will also be responsible for training national experts on cybercrime, be the focal point in coordinating national authorities, and analyze information gathered by national and European police forces. Cecilia Malmstrom, European Commissioner for Home Affairs, said, "As the e-economy grows at a fast pace, cybercrime is following suit," and the centre "will bring together some of Europe's best brains in the field of cybercrime". The cybercrime centre is expected to open in January 2013 in the Hague and form part of Europol, the pan-European police body.
-http://euobserver.com/9/115691
-http://www.bbc.com/news/technology-17541462


Second Kelihos Botnet Taken Down by Security Firms (March 28, 2012)
Several security firms working together have disabled the latest version of the Kelihos botnet. This version of the botnet is said to have been significantly larger than the one taken down by Microsoft and its partners in 2011. The group of security firms consisted of experts from The Honeynet Project, Kaspersky Lab, Crowdstrike and Dell SecureWorks. The Kelihos botnet, also known as Hlux, was primarily used for distributing spam and launching Distributed Denial-of-Service attacks. This version of the botnet was comprised of 110,000 computers of which over 90,000 were running Windows XP, 10,000 were running Windows 7 and 5,000 were Windows 7 with Service Pack 1.
-http://www.infoworld.com/d/security/security-firms-disable-the-second-kelihos-botnet-189710
-http://www.theregister.co.uk/2012/03/28/resurrected_kelihos_botnet_dismantled/
-http://www.scmagazineuk.com/kaspersky-led-quartet-neuters-kelihoss-second-coming/article/234010/

-http://www.v3.co.uk/v3-uk/news/2164681/kaspersky-takes-kelihos


McCain Says DHS Not Cut Out to be Cyber Defense Leader (March 27, 2012)
In testimony before the Senate Armed Services Committee, Senator John McCain (R-Arizona) argued that the US Department of Homeland Security (DHS) should not be taking the lead in protecting the country's critical infrastructure from cyber attacks. McCain cited the public's lack of confidence in the technological capabilities of the DHS's Transportation Security Administration (TSA) as evidence that the department shouldn't have those powers. McCain said that the NSA and the US Cyber Command have the necessary expertise to assume that role. Proposed legislation in the Senate would give the DHS authority to require that computer systems associated with elements of the country's critical infrastructure meet certain security requirements.
-http://thehill.com/blogs/hillicon-valley/technology/218409-mccain-homeland-security-department-shouldnt-be-trusted-with-cybersecurity



Republican Cyber Security Act Introduced (March 27, 2012)
On Tuesday, March 27, US Representatives Mary Bono Mack (R-California) and Marsha Blackburn (R-Tennessee) introduced a Republican-backed cybersecurity bill. Senators John McCain (R-Arizona) and Kay Bailey Hutchison (R-Texas) along with other Senate Republicans, introduced a similar measure there earlier in March. The bill is offered as an alternative to previously introduced cybersecurity legislation. The Republicans' bill does not give DHS the authority to require that computer systems at private entities that comprise elements of the country's critical infrastructure meet certain cybersecurity standards. Instead, the bill emphasizes information sharing and increasing penalties for online crimes. Representative Jim Langevin (D-Rhode Island) said that although the bill offers "a thoughtful proposal for much-needed improvements in the sharing of cyber threat information, [it would be] a major step backward" because the approach of depending on private companies to take adequate security measures "has failed us over the last decade."
-http://thehill.com/blogs/hillicon-valley/technology/218421-secure-it-act-introduced-in-the-house



Huawei Suffering Setbacks in Global Market (March 27, 2012)
In November, Symantec ended a joint venture with Huawei over concerns that its association with the Chinese telecommunications equipment firm could impede its access to classified US cyberthreat intelligence and hurt its business. The joint venture was established four years ago, with the goal of developing and distributing security appliances to telecommunications companies. Earlier this week, Huawei was blocked from bidding on a broadband contract in Australia over security concerns. In the last 10 years, legislators and regulators in the US have blocked Huawei from three acquisitions and numerous partnerships. Three problems the US government has with Huawei are that its CEO is a former colonel in the People's Liberation Army; that the company has ties with the Chinese government, as do all organizations in that country; and it has in the past supplied Iran with networking equipment which was reportedly used to track citizens. Huawei says it is being mischaracterized.
-http://www.theregister.co.uk/2012/03/27/symantec_huawei_china_spying/
-http://money.cnn.com/2012/03/27/technology/huawei/index.htm
[Editor's Note (Pescatore): Slippery slope here. Many North American and Australian vendors can be portrayed as being cozy with their home governments and DoDs. The key is putting supply chain integrity programs in place, not simple nationalistic approaches. ]


Apple iOS Review Teams Rejecting Apps That Use UDID for Tracking (March 27, 2012)
Apple has started to reject apps that use the unique device identifier (UDID), which is built into Apple devices, to track users. Apple has 10 iOS review teams. Currently, two of those teams are rejecting apps that use UDIDs; the number of teams looking for the issue will increase until all 10 teams are rejecting apps that do this. Apple began warning developers last August that they should not use the numbers to track users.
-http://www.informationweek.com/news/security/privacy/232700326
[Editor's Comment (Pescatore): This is good as a reactive response to discovered abuses. It would be much better to see Apple take a proactive approach to security and privacy testing apps to differentiate themselves as a "safer" app store than competitors.
(Northcutt): Perhaps Secure UDID is a better answer, it would allow developers to distinguish between devices, but not to track:
-http://techcrunch.com/2012/03/27/secureudid-is-an-open-source-solution-to-the-apple-udid-problem/
]
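The privacy problem with the UDID is not that apps can recognise a device, it is that every app reports the same value, so any third party that receives data from two apps can join the records. The following added example (editor's illustration; not Apple's code and not the SecureUDID library, which solves the same problem with a per-domain keyed derivation) shows the difference: with a global identifier two unrelated apps' records join perfectly, while app-scoped identifiers derived with a keyed hash stay stable within one app but cannot be correlated across apps. The device identifiers and app keys are constructed sample values.

```python
"""App-scoped device identifiers instead of a global UDID (added illustration).

Not Apple's code and not the SecureUDID library. Each app derives its own
identifier with a keyed hash of the hardware identifier, so the value is
stable for that app but unrelated to the value any other app derives.
Device identifiers and app keys below are constructed sample values.
"""
import hashlib
import hmac
from typing import Dict, Iterable


def scoped_device_id(hardware_id: str, app_key: bytes) -> str:
    """Stable per-app identifier: HMAC-SHA256(app_key, hardware_id).

    Without app_key an observer can neither recompute the mapping nor
    invert it, so identifiers issued by two apps look unrelated.
    """
    return hmac.new(app_key, hardware_id.encode("utf-8"), hashlib.sha256).hexdigest()


def records_for(devices: Iterable[str], app_label: str, app_key: bytes = None) -> Dict[str, str]:
    """What one app's analytics upload looks like: identifier -> app label.

    app_key=None models the old behaviour of sending the raw UDID.
    """
    if app_key is None:
        return {d: app_label for d in devices}
    return {scoped_device_id(d, app_key): app_label for d in devices}


def linkable_devices(records_a: Dict[str, str], records_b: Dict[str, str]) -> int:
    """How many devices a third party can join across two apps' uploads.

    A join is only possible where the identifier values coincide.
    """
    return len(set(records_a) & set(records_b))


def linkability_demo():
    """Returns (joins_with_global_udid, joins_with_scoped_ids, scoped_id_is_stable)."""
    devices = ["udid-aaaa-0001", "udid-bbbb-0002", "udid-cccc-0003"]  # constructed
    key_app1 = b"app1-secret-key"  # constructed
    key_app2 = b"app2-secret-key"  # constructed

    # Old behaviour: both apps upload the raw UDID -> every device joins.
    global_joins = linkable_devices(records_for(devices, "app1"),
                                    records_for(devices, "app2"))

    # Scoped identifiers: each app derives its own -> nothing joins.
    scoped_joins = linkable_devices(records_for(devices, "app1", key_app1),
                                    records_for(devices, "app2", key_app2))

    # Within one app the identifier is still stable across launches.
    stable = scoped_device_id(devices[0], key_app1) == scoped_device_id(devices[0], key_app1)

    return global_joins, scoped_joins, stable
```

The key must stay on the device (or with the app vendor), never with the party that receives the uploads: a network that holds both apps' keys can recompute both mappings and is back to a global identifier.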


Two Teenagers Arrested for Hacking into Dutch Telecoms Operator (March 27, 2012)
Police arrested two teenagers, one in The Netherlands and one in Australia, on suspicion of hacking into numerous servers across nine countries. The teenagers allegedly hacked into the servers of the Korea Advanced Institute of Science and Technology (KAIST), Trondheim University in Norway, and Tohoku University in Japan. The Dutch teenager is also allegedly responsible for hacking into the servers of the Dutch telecommunications provider KPN in January of this year, resulting in customer data being compromised and causing damage to KPN's infrastructure. The two arrests were the result of weeks of collaboration between the Dutch police, the Cyber Terror Response Center in South Korea, and the Australian Federal Police. As a result of January's security breach, KPN said it will appoint a Chief Security Officer and will set up a control center to monitor its systems. KPN has also replaced the compromised systems and will spend months checking the security of all its other systems.
-http://www.pcworld.com/businesscenter/article/252641/dutch_police_arrest_17yearold_suspected_of_breaching_hundreds_of_kpn_servers.html
-http://www.news.com.au/breaking-news/australian-teen-arrested-on-hacking-suspicion/story-e6frfku0-1226313867108
-http://www.computerworld.com/s/article/9225575/Dutch_police_arrest_youth_in_connection_with_breach_of_KPN_servers?taxonomyId=83



TSA Blocks Schneier's Testimony at Body Scanner Hearing (March 26, 2012)
Security expert Bruce Schneier was scheduled to testify at a US House hearing about the TSA's body scanners, but his appearance was blocked at the last minute. The hearing was held jointly by the House Committee on Oversight and Government Reform and the Committee on Transportation and Infrastructure. The TSA blocked Schneier's appearance because he is currently involved in a legal case regarding the scanners. Schneier has referred to the TSA's security procedures as "security theater."
-http://www.theregister.co.uk/2012/03/26/tsa_schneier_congress_block/
-http://arstechnica.com/tech-policy/news/2012/03/gunshy-tsa-gets-critic-booted-from-congressional-panel.ars

[Editor's Note (Murray): TSA may have blocked Schneier's testimony because he has a reputation for having a low tolerance for foolishness and for speaking truth to power. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/