SANS NewsBites - Volume: XIV, Issue: 40

*************************************************************************
SANS NewsBites                     May 18, 2012                    Volume: XIV, Issue: 40
*************************************************************************

TOP OF THE NEWS

  Budget Official To Replace Howard Schmidt as White House Cyber Czar
  Terrorists and Nation States May Attempt To Exploit Anonymous
  Utah CIO Resigns Over Healthcare Data Breach

THE REST OF THE WEEK'S NEWS

  House Subcommittee Hears Testimony on Geolocation Data Bill
  The Pirate Bay Back Online After DDoS Attack
  Prison Term for Facebook Account Hack
  Survey Finds Energy and Utility Industry Companies Weak on Cyber Risk Management
  Google Releases Chrome 19 Stable; Enabled, In Part, by Security Bug Bounties
  Apple Issues Flashback Removal Tool for Leopard
  Cards Compromised in Global Payments Breach Used in Fraudulent Transactions
  FBI Returns Server Seized in Univ. of Pittsburgh Bomb Threat Investigation
  Appeals Court Turns Down FOIA Request for Google Attack Records


**************** SPONSORED BY Skybox Security, Inc. ***************
Special Webcast: Intelligent Firewall Management: The Key Ingredient for Network Consolidation Success Featuring: Michelle Johnson Cobb. Wednesday, May 23, 2012 at 11:00 AM EDT. http://www.sans.org/info/105480
**************************************************************************
TRAINING UPDATE
--SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/

--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/

--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

TOP OF THE NEWS

Budget Official To Replace Howard Schmidt as White House Cyber Czar (May 17, 2012)

White House Cybersecurity Coordinator Howard Schmidt has announced his retirement from public service. Schmidt has held the position as special assistant to the president since late 2009. In a statement, Schmidt said, "We have made real progress in our efforts to better deal with the risks in cyberspace." When he steps down at the end of May, Schmidt will be succeeded by Michael Daniel, who has worked for 17 years in the Office of Management and Budget's National Security Division, the last 10 of which he has focused on cybersecurity as chief of the Intelligence Branch.
-http://abcnews.go.com/Technology/wireStory/budget-official-picked-top-cybersecur
ity-post-16370635#.T7ZuxXlYt-Z
-http://www.washingtonpost.com/world/national-security/white-houses-cybersecurity
-official-retiring/2012/05/16/gIQAX6fmUU_story.html?tid=pm_world_pop
-http://news.cnet.com/8301-1009_3-57436466-83/u.s-cybersecurity-chief-howard-schm
idt-retiring/
-http://www.nextgov.com/cybersecurity/2012/05/schmidt-resigns-white-house-cyber-p
ost/55790/?oref=ng-channeltopstory
[Editor's Note
(Murray): Well done, Howard, and so say all of us!
(Paller); Michael Daniel is the perfect man the job. Legislative initiatives are stalled and cybersecurity cannot wait. The most powerful lever the White House has is budget control over the $80 billion that is spent by the U.S. government each year on IT. Michael is the one person in cybersecurity who knows the financial levers that control that $80 billion, and how they may be used to improve the government's ability to lead by example in cybersecurity and to provide incentives for industry to deliver more secure products and systems.]

Terrorists and Nation States May Attempt To Exploit Anonymous (May 17, 2012)

According to a Microsoft executive, Anonymous could be co-opted by nation states and terrorist groups to use it for their own ends. Lewis Shepherd, director of Microsoft's Institute for Advanced Technology in Governments citied classified evidence and precedents in nation states taking control of other nationalist movements in making the claims.
-http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=791

Utah CIO Resigns Over Healthcare Data Breach (May 15 & 16, 2012)

Earlier this week, Utah State Chief Information Officer (CIO) Stephen Fletcher resigned his position over a data security breach that exposed the Social Security numbers (SSNs) and other personal information of 280,000 Medicaid patients. Utah Governor Gary Herbert announced Fletcher's resignation and said that a third party audit of the state's technology systems is underway. The state has also appointed a new health data security ombudsman.
-http://www.govtech.com/policy-management/Utah-CIO-Steve-Fletcher-Resigns-State-P
romises-Security-Reforms.html
-http://www.computerworld.com/s/article/9227215/Utah_CTO_takes_fall_for_data_brea
ch?taxonomyId=17



*************************** Sponsored Links: *************************
1) New Analyst Paper in the SANS Reading Room: Sorting Through the Noise: SANS 8th Annual Log and Event Management Survey Results http://www.sans.org/info/105485
2) Ask The Expert Webcast: Privileged Account Management: Enabling Secure Outsourcing and Cloud. Tuesday May 22 at 1:00 EDT. http://www.sans.org/info/105490
************************************************************************

THE REST OF THE WEEK'S NEWS

House Subcommittee Hears Testimony on Geolocation Data Bill (May 17, 2012)

Law enforcement officers and privacy proponents testified at a US House Judiciary Committee Subcommittee on Crime, Terrorism, and Homeland Security regarding a bill that would require law enforcement officers to obtain warrants before collecting geolocation data from cell phone carriers. Members of the law enforcement community said that the warrant requirement would get in the way of the collection of evidence to make a case; geolocation data are often used to gather information to obtain a probable cause warrant for additional information collection. An American Civil Liberties Union (ACLU) staff attorney disputed the notion that obtaining a warrant is burdensome, saying that the proposed bill would make it easier for law enforcement to obtain warrants for geolocation data than it is for them to obtain warrants for telephone wiretaps. The House's Geolocation Privacy and Surveillance Act and a companion bill in the Senate were introduced following a recent Supreme Court ruling on a geolocation data case that provided only a partial answer to the question.
-http://www.wired.com/threatlevel/2012/05/geo-location-data-protection/

The Pirate Bay Back Online After DDoS Attack (May 16 & 17, 2012)

The Pirate Bay is back online following a distributed denial-of-service (DDoS) attack that kept the site inaccessible for more than a day. Anonymous does not appear to have been behind the attack; an individual who is not a fan of Anonymous has claimed responsibility. Wikipedia has also been the target of a DDoS, but it is not known if the same group or person is responsible for that attack.
-http://www.zdnet.com/blog/security/the-pirate-bay-returns-anonymous-hater-takes-
credit-for-ddos/12233?tag=mantle_skin;content
-http://arstechnica.com/security/2012/05/massive-ddos-attack-keeps-the-pirate-bay
-offline-for-over-a-day/
-http://www.bbc.co.uk/news/technology-18095370

Prison Term for Facebook Account Hack (May 17, 2012)

A UK man will spend one year in prison for hacking another person's Facebook account. Gareth Crosskey broke into the Facebook account of an unnamed US citizen in January 2011. The incident was reported to the FBI, which traced the source of the break-in to the UK and turned the case over to authorities there. Crosskey was arrested in July 2012 and was found guilty of using a computer to gain unauthorized access to a program or data and performing unauthorized acts with intent to impair operation of, or prevent/hinder access to a computer, both offenses under the UK's Computer Misuse Act.
-http://www.theregister.co.uk/2012/05/17/facebook_account_hacker_jailed/
-http://www.zdnet.com/blog/facebook/21-year-old-gets-12-months-for-hacking-facebo
ok-account/13258
[Editor's Note (Honan): A sentence of 12 months in jail for what seems a trivial attack on an individual's FaceBook account seems quite severe. Given that the FBI is involved I think there is a lot more to this than meets the eye.]

Survey Finds Energy and Utility Industry Companies Weak on Cyber Risk Management (May 16, 2012)

A recent survey of 108 global companies conducted by the Carnegie Mellon University CyLab and sponsored by RSA and Forbes found that those in the financial sector have the best cyber and information risk management practices, while companies in the energy and utility industries have the worst. While more than 90 percent of respondents said that they are actively addressing risk management at their organizations, only 33 percent said they were attending to cyber and information security, 29 percent said they were attending to information technology operations, and just 13 percent said they were attending to managing vendors who provide software and other services.
-http://www.washingtonpost.com/blogs/checkpoint-washington/post/survey-critical-s
ectors-less-attuned-to-cyber-threat/2012/05/16/gIQA3lDqTU_blog.html
-http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf

Google Releases Chrome 19 Stable; Enabled, In Part, by Security Bug Bounties (May 16, 2012)

Google has released Chrome 19, the newest stable version of its browser. Chrome 19 incorporates 20 security fixes. Google paid out US $16,500 in bounties and rewards for security bugs found by the security community. The only new major feature supported in this newest version of Chrome is tab synchronization, which allows signed in users to synchronize their tabs on different systems. Tab synchronization will be rolled out to Chrome 19 users over the next few weeks.
-http://www.h-online.com/security/news/item/Chrome-19-released-with-tab-syncing-1
577047.html
-http://www.computerworld.com/s/article/9227196/Google_releases_Chrome_19_adds_ta
b_sync_and_patches_20_bugs?taxonomyId=17
-http://www.theregister.co.uk/2012/05/16/google_chrome_update/

Apple Issues Flashback Removal Tool for Leopard (May 15, 2012)

Apple has released a tool that will remove the Flashback malware from infected machines running OS X 10.5, also known as Leopard. Apple has already released similar tools for OS X 10.6 (Snow Leopard) and OS X 10.7 (Lion). Flashback had infected an estimated 600,000 computers worldwide. The tool also disables the Java plug-in in Apple's Safari web browser. In addition, Apple has released a security update for Leopard that disables older versions of Adobe Flash Player.
-http://www.eweek.com/c/a/Security/Apple-Protects-OS-X-105-Leopard-From-Flashback
-Malware-609591/
-http://www.h-online.com/security/news/item/Flashback-removal-tool-arrives-for-Ma
c-OS-X-10-5-Leopard-1575554.html
-http://www.theregister.co.uk/2012/05/15/mac_leopard_security_update/

Cards Compromised in Global Payments Breach Used in Fraudulent Transactions (May 14, 2012)

Debit cards that were compromised in a data security breach at Global Payments have reportedly been used to conduct fraudulent transactions. In March 2012, Union Savings Bank (United) in Danbury, Connecticut started noticing debit cards it had issued were involved in fraud. United determined that the location of the fraudulent transactions, a nearby private school, was a customer of Global Payments, so the bank contacted Visa to let them know of a possible breach at the processor. United was then contacted by a fraud investigator from Vons, a chain of grocery stores in the southwestern US, regarding a scam that was being conducted using the stolen card information.
-http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fr
aud/

FBI Returns Server Seized in Univ. of Pittsburgh Bomb Threat Investigation (May 11, 2012)

FBI agents returned a server seized from a New York co-location facility four days after the equipment was taken from the organization. The seizure was related to an investigation into the bomb threats delivered by email against the University of Pittsburgh earlier this year. The people who own the server run an organization that provides a number of web tools, including email and mailing list support; the company also encrypts all data, so users' anonymity is assured. The article provides details of the events surrounding the seizure and the actions taken by the co-location center's owner/operators. It appears that someone linked to the bomb threats used an anonymization service that subcontracted space on a server from an organization that subcontracted server space from the New York company.
-http://redtape.msnbc.msn.com/_news/2012/05/11/11647813-the-fbi-took-and-mysterio
usly-returned-their-server-heres-their-story

Appeals Court Turns Down FOIA Request for Google Attack Records (May 11, 2012)

A three-judge panel of the US Court of appeals for District of Columbia has denied a Freedom of Information Act (FOIA) request from the Electronic Privacy Information Center (EPIC) to unseal records pertaining to a cyber attack against Google users in China that occurred in 2010. EPIC was seeking communications between Google and the National Security Agency (NSA), which has neither confirmed nor denied a relationship with Google.
-http://www.washingtonpost.com/business/appeals-court-wont-order-public-release-o
f-google-nsa-communications-following-cyberattack/2012/05/11/gIQAxcyAIU_story.ht
ml


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/