SANS NewsBites - Volume: XIV, Issue: 51


The analysts at Team Cymru tweeted a few days ago about a "great Windows
Forensic cheat-sheet poster." I did not know much about it, even though
they said it was from SANS, so I checked. It is the most thorough
step-by-step guide to digital forensics I have ever seen, with specific
guidance and tools (all the ones I saw were free). Everyone who attends
SANS forensics training courses gets one to mount on their wall. You
may download the electronic one showing both sides at
http://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-an
d-Incident-Response-Poster-2012.pdf


Alan

*************************************************************************
SANS NewsBites                     June 26, 2012                    Volume: XIV, Issue: 51
*************************************************************************
TOP OF THE NEWS

  DHS Releases Detailed Specification for Continuous Monitoring and Cloud Boundary Protection Automation
  European Commission Wants All Browsers to Allow Users to Choose Do Not Track Settings
  Proposed Legislation Would Establish National Breach Notification Standards

THE REST OF THE WEEK'S NEWS

  India Creating Foundation for World-Class Role in Cybersecurity
  Mozilla Says it Will Fix Data Exposure Issue in Firefox 13 New Tab Feature
  Malware Side Effect Causes Printers to Spew Reams of Adware Code
  Two Admit Cyber Attacks on CIA and SOCA
  Indian High Court Amends Anti-Piracy Order
  Stuxnet's Pre-Programmed Off Switch a Moot Point
  Flame Can Delete Files From Infected Machines
  Bill Would Help Reduce Purchases of Counterfeit Microchips
  Adobe Updates Flash Player Plugin To Address Firefox 13 Crash Issue


******************** SPONSORED BY ForeScout Technologies ******************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy
IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures.
http://www.sans.org/info/108904
****************************************************************************
TRAINING UPDATE
--SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.
http://www.sans.org/canberra-2012/

--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/

--SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
http://www.sans.org/sansfire-2012/

--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

--SANS Boston 2012, Boston, MA August 6-11, 2012 9 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
********************************************************************

TOP OF THE NEWS

DHS Releases Detailed Specification for Software Tools for Continuous Monitoring and Cloud Boundary Protection Automation (June 25, 2012)
In a meeting at the Wilber Cohen Auditorium in Washington this morning DHS officials rolled out and explained the new Federal Continuous Monitoring and Cloud Boundary Defense product and service specifications. Every major security vendor and integrator was in the room, along with many smaller vendors. (The feds had been briefed yesterday.) The vendors were highly complimentary, saying it was the first time they had seen any specifications from DHS that were as thorough and well thought out as these. A few vendors privately expressed concern that their engineers had "a lot of work to do to meet these specs." The DHS specifications are likely to set the global benchmark for tools that automate continuous monitoring and mitigation. It will be very hard for any security software vendor to sell products if their products cannot meet these specs, especially because the President put $200 million in the 2014 US budget to buy automation tools for continuous monitoring.
-https://www.fbo.gov/utils/view?id=ae650dd0661deab13c6805f94a542a25
[Editor's Note
[Paller): If you are considering acquiring any security software or security services, get a written commitment, signed by an officer of the offering company, that they will comply with the DHS specifications by a date certain (preferably Dec. 31, 2012). To help buyers separate claims from reality, SANS will publish definitive lists of software tools found to be in compliance and those specifications along with those vendors who have made public, dated commitments. We will also highlight the more innovative of the tools that automate the 20 Critical Security Controls at the National Cybersecurity Innovation Conference in October. ]


European Commission Wants All Browsers to Allow Users to Choose Do Not Track Settings (June 25, 2012)
The European Commission supports Microsoft's plan to have Do Not Track switched on by default in Internet Explorer 10 (IE 10). Shortly after Microsoft announced the plan, the Worldwide Web Consortium (W3C) Do Not Track working group said that browsers should not make the choice for users, and that if Microsoft chose to release IE 10 with the option pre-selected, it could not claim compliance with the Do Not Track standard. The European Commission also said that it would like to see all browsers present users with Do Not Track options when they install or first run a browser and allow the users to change the default setting, whatever it might be.
-http://www.computerworld.com/s/article/9228436/EU_regulators_side_with_Microsoft
_in_IE10_s_Do_Not_Track_controversy?taxonomyId=17



Proposed Legislation Would Establish National Breach Notification Standards (June 22 & 25, 2012)
A bill introduced in the US senate would establish national standards for personal data breach notification. The Data Security and Breach Notification Act of 2012 would require that organizations retaining personal information to "take reasonable measures to protect and secure data in electronic form containing personal information." In the event of a breach, the organizations would be required to notify affected individuals as quickly as possible. The organizations must disclose how the data were stolen, exactly what data were stolen, and they must provide a way for affected individuals to contact them for additional information.
-http://www.informationweek.com/news/security/attacks/240002651
-http://thehill.com/blogs/floor-action/senate/234311-gop-senators-introduce-legis
lation-for-disclosing-data-breach

-http://arstechnica.com/tech-policy/2012/06/five-us-senators-propose-latest-data-
breach-notification-bill/

[Editor's Note (Murray); The ISPs and their users are the victims here. The irony is that doing the right thing increases their cost. Whatever one thinks about copyrights, there must be a better way of enforcing them than allowing the holders to use the coercive power of government to force the cost onto others. ]



************************* Sponsored Links: *************************
1) New Analyst Paper in the SANS Reading Room: "Streamlining Risk Management with the SANS 20 Critical Security Controls" by senior SANS analyst and co-editor of the 20 controls document, James Tarala. http://www.sans.org/info/108909
************************************************************************

THE REST OF THE WEEK'S NEWS

India Creating Foundation for World-Class Role in Cybersecurity (May 16, 2012)
Speaking at the release of the Institute of Defence Studies and Analyses' (IDSA) Report on India's Cyber Security Challenges, Indian National Security Advisor, Mr. Shivshankar Menon, said that the country is in the "final stages of preparing a whole-of-government cyber security architecture." Mr. Menon spoke to the importance of "creat
[ing ]
a climate and environment within which security is built into our cyber and communications working methods." The development of a "coherent and comprehensive security policy" is especially necessary due to the "anarchic nature of ... cyberspace" and the understanding that cyber conflicts and attacks are of a different realm from war as most people think of it. Mr. Menon said that India "must find ways to indigenously generate manpower, technologies and equipment that we require for our cyber security."
-http://www.idsa.in/pressrelease/NationalSecurityAdviserReleasesReportonIndiasCyb
erSecurityChallenges

-http://www.thehindu.com/opinion/lead/article3429560.ece?homepage=true
-http://articles.economictimes.indiatimes.com/2012-05-16/news/31727034_1_cyber-se
curity-cbi-website-cyber-attacks



Mozilla Says it Will Fix Data Exposure Issue in Firefox 13 New Tab Feature (June 22 & 25, 2012)
A new feature in Firefox 13 could expose sensitive information. When users open a new tab in Firefox 13, the browser displays thumbnails of frequently visited sites. The problem is that the snapshots include HTTPS session content and could therefore reveal account numbers and email subject lines that users do not want to have exposed. Mozilla has acknowledged that there is an issue with the feature and has said that it will be addressed in future versions of Firefox. Users have the option of deleting the information from their browsing history or set their preferences to private browsing mode to prevent data exposure.
-http://www.h-online.com/security/news/item/Security-concerns-over-Firefox-s-new-
tab-thumbnail-feature-1625761.html

-http://www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/
-http://www.informationweek.com/news/security/privacy/240002552
-http://www.zdnet.com/blog/security/firefox-thumbnails-could-expose-private-data-
fix-coming-soon/12568?tag=main;top-stories



Malware Side Effect Causes Printers to Spew Reams of Adware Code (June 22 & 25, 2012)
A new strain of malware is launching inadvertent print bomb attacks against Windows computers. The malware, known as Trojan.Milicenso, causes printers connected to infected computers to print out page after page of what appears to be nonsense. Researchers determined that the data are part of an adware program. The malware has been detected most frequently in the US and India, as well as parts of Europe and South America. The printing appears to be a side effect of the infection rather than part of a deliberate payload. The goal of the malware appears to be depositing the adware on the computers. Milicenso has been around since at least 2010 and is a known "malware delivery vehicle for hire." Internet Storm Center posts:
-https://isc.sans.edu/diary.html?storyid=13405
-https://isc.sans.edu/diary.html?storyid=13519

-http://www.computerworld.com/s/article/9228464/Malware_infection_forces_printers
_to_print_garbled_data_researchers_say?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57459098-83/is-your-printer-spewing-gibberish-c
ould-be-malware/

-http://www.zdnet.com/blog/security/thousands-of-office-printers-hit-by-gibberish
-malware/12550?tag=mantle_skin;content

-http://www.bbc.co.uk/news/technology-18547935
-http://www.theregister.co.uk/2012/06/22/trojan_spews_gibberish_print_runs/
[Editor's Comment (Northcutt): Inadvertent, side effect, hmmmm. Maybe things have changed, but the old school investigation of cyber crimes had a North Star rule: follow the money; find who benefits? HP printer ink is one of the priciest liquids on planet earth. And those ink jet cartridges are good for only a few hundred pages or perhaps a little more? HPQ sells a lot of ink and it is mostly in volumes of one or two cartridges; really hard to track who bought it, who got hurt. Scenario: HPQ printer division has a banner quarter that causes the company to beat analyst estimates. This results in the stock going up .35 cents on earnings news. The writers of the worm have an options play that pays in phases. They use each phase to fund the next buy. It is the perfect crime because it is nearly indetectable. . . well unless the malware gets detected and people start thinking about what it can be used for. ]


Two Admit Cyber Attacks on CIA and SOCA (June 25, 2012)
Two people have admitted their roles in cyber attacks against the CIA and the UK's Serious Organized Crime Agency (SOCA). In a London court, Ryan Cleary and Jake Davis also admitted to launching distributed denial-of-service (DDoS) attacks against a number of other organizations as part of operations orchestrated by the hacking groups Anonymous, Lulzsec, and Internet Feds. Cleary and Davis both deny allegations that they uploaded stolen data to public websites. Two other men, Ryan Ackroyd and an unnamed 17-year-old, have both denied charges related to the DDoS attacks.
-http://www.theregister.co.uk/2012/06/25/lulzsec_court_hearing/


Indian High Court Amends Anti-Piracy Order (June 22 & 24, 2012)
India's Madras High Court has reversed an order that required Internet service providers (ISPs) to block entire websites to prevent certain films from being shared illegally. The revised order says that ISPs need to block specific web addresses - not entire sites - to prevent users from accessing the pirated content. The original order was issued two months ago and had resulted in the total blocking of sites like Vimeo, Pastebin, and The Pirate Bay, which are all once again available in India.
-http://www.business-standard.com/india/news/no-more-blockingentire-websites/4782
61/

-http://www.bbc.co.uk/news/technology-18551471


Stuxnet's Pre-Programmed Off Switch a Moot Point (June 23, 2012)
Stuxnet is programmed to shut itself down just after midnight June 24. The plan was to cease operations at that point to evade detection, but that point is now irrelevant. Despite its plan for self-deactivation, Stuxnet still provides what some are calling "a template and conceptual model for a far more destructive ... cyber weapon that could be deployed by other nation states or hacktivists for cyber attacks against power grids and other civilian infrastructure."
-http://www.csmonitor.com/USA/2012/0623/Stuxnet-cyberweapon-set-to-stop-operating


Flame Can Delete Files From Infected Machines (June 22, 2012)
Researchers at Symantec say that the Flame malware is capable of deleting files from infected computers. Flame has been in circulation since 2010, but was only recently detected as malware. Initially it was believed to be a piece of espionage and reconnaissance software, gathering information about targeted computer systems; now it is seem more as a tool that can also take action to cause damge. Flame was also the likely tool used to launch cyber attacks against systems in Iran in April.
-http://news.cnet.com/8301-1009_3-57458712-83/flame-can-sabotage-computers-by-del
eting-files-says-symantec/

-http://www.msnbc.msn.com/id/47912823/ns/technology_and_science-security/


Bill Would Help Reduce Purchases of Counterfeit Microchips (June 22, 2012)
A Texas legislator has introduced a bill aimed at helping companies identify counterfeit microchips. A policy shift in 2008 caused the US Department of Homeland Security (DHS) to stop providing US companies with photographs, serial numbers, and other data necessary to identify phony chips. As a result, the US military purchased nearly 60,000 counterfeit microchips from China. Congressman Mike McCaul (R-Texas) called the situation "a tremendous national security risk to our military and our intelligence networks."
-http://www.nextgov.com/emerging-tech/2012/06/bill-would-close-floodgates-counter
feit-microchips/56429/?oref=ng-HPriver



Adobe Updates Flash Player Plugin To Address Firefox 13 Crash Issue (June 22, 2012)
Adobe has released an update for Flash Player 11.3 to address a flaw that was causing Firefox 13 running on Windows to crash. The issue was reportedly related to the Protected Mode, which allows the plugin to run in a sandbox environment. Last week, Mozilla updated Firefox to version 13.0.1 in an attempt to fix the problem, but some users were still reporting crashes. The newest version of the Flash Player plugin, 11.3.300.262, should fix the problem.
-http://www.h-online.com/security/news/item/Adobe-updates-Flash-Player-11-3-to-fi
x-Firefox-crashing-problem-1623783.html


[Editor's Note (Murray): Will we take note of the week that Adobe does not have to publish a fix? That would be news. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/