
SANS NewsBites - Volume: XIV, Issue: 58


A very cool new blog on cloud security (http://www.sans.org/cloud) is
the first I have seen that isn't a collection of vendor-paid consultants
or employees pretending they are writing independently. This site looks
like it is on track to rival the world-class forensics blog at the
bottom of http://computer-forensics.sans.org/. Both blogs are
trustworthy - an increasingly rare characteristic as companies figure
out how to use the web for marketing.

Alan

*************************************************************************
SANS NewsBites                     July 20, 2012                    Volume: XIV, Issue: 58
*************************************************************************
TOP OF THE NEWS

  U.S. President Urges Legislators to Pass Cybersecurity Act
  California AG Starts Privacy Enforcement Unit
  DOJ Suing Telecom For Challenging National Security Letter
  Experts Dismantle Grum Botnet

THE REST OF THE WEEK'S NEWS

  US Senators Seek Investigation Into Power Grid Digital Signature Security Issues
  US Senate Committee Hears Testimony on Electric Grid Cybersecurity Concerns
  Mozilla Fixes New Tab Data Exposure Issue in Firefox 14
  Russian Parliament Passes Net Censorship Bill
  Internet Defense League Launches Alert Effort
  US Seeks Extradition of Man Arrested in Cyprus for Attack on Amazon.com in 2008
  Mahdi Malware Detected on Middle East Computers
  Dropbox Investigating User Reports of Spam
  Man Pleads Guilty to Cyberattacks, Threats


************************** SPONSORED BY SANS ******************************
DATE CHANGE: from 7/31/12 to 9/6/12. SANS Analyst Webcast: Server Security and Compliance: A Review of McAfee's Product Portfolio for Server Security by senior SANS Analyst Jim D. Hietala
http://www.sans.org/info/110134
****************************************************************************
TRAINING UPDATE
--SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
http://www.sans.org/san-francisco-2012/

--SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

--SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 46 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, Prague, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

U.S. President Urges Legislators to Pass Cybersecurity Act (July 19, 2012)
In the Wall Street Journal this morning President Obama explains why the nation needs the new cyber legislation. An excerpt: "The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements. Nuclear power plants must have fences and defenses to thwart a terrorist attack. Water treatment plants must test their water regularly for contaminants. Airplanes must have secure cockpit doors. We all understand the need for these kinds of physical security measures. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries."
-http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html?KEYWORDS=Obama+cybersecurity#printMode



California AG Starts Privacy Enforcement Unit (July 19, 2012)
California Attorney General Kamala Harris has created a Privacy Enforcement and Protection Unit to focus on privacy practices and hold accountable those organizations that use technology to invade others' privacy in violation of state and federal laws.
-http://www.wired.com/threatlevel/2012/07/california-privacy-unit/
-http://news.cnet.com/8301-1009_3-57476045-83/california-beefing-up-privacy-protection-enforcement/



DOJ Suing Telecom For Challenging National Security Letter (July 18, 2012)
The US Justice Department (DOJ) is suing a telecommunications company for challenging an FBI National Security Letter (NSL) and its accompanying gag order. The federal law regarding NSLs allows both challenges, but the DOJ argued that the company was breaking the law by challenging its authority to serve the letter. NSLs allow the government to obtain personal financial and communications data without a judge's oversight. The only sign-off needed for an NSL is that of the Special Agent in Charge of an FBI office; the FBI must assert that the information sought is relevant to an investigation regarding international terrorism or clandestine intelligence activities.
-http://www.wired.com/threatlevel/2012/07/doj-sues-telecom-over-nsl/


Experts Dismantle Grum Botnet (July 18 & 19, 2012)
Several cybersecurity organizations worked together to dismantle the Grum botnet, best known for serving up pharmaceutical spam messages. The takedown process was completed when command-and-control (C&C) servers in Panama and Russia were shut down. The groups involved in the effort include Spamhaus, FireEye, and Russia's CERT. At its height, Grum was responsible for more than 17 percent of spam worldwide. C&C servers in the Netherlands had been taken down earlier in the week, but those controlling the botnet set up the new servers in Russia.
-http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240003982/final-blow-kills-remainder-of-grum-botnet.html
-http://news.cnet.com/8301-1009_3-57475328-83/experts-take-down-grum-spam-botnet-worlds-third-largest/

-http://www.bbc.co.uk/news/technology-18898971



************************* Sponsored Links: *************************
1) Top 5 Reasons to Choose SolarWinds Log & Event Manager. http://www.sans.org/info/110135
2) New Analyst Paper in the SANS Reading Room! Streamline Risk Management by Automating the SANS 20 Critical Security Controls by senior SANS Analyst James Tarala http://www.sans.org/info/110140
************************************************************************

THE REST OF THE WEEK'S NEWS

US Senators Seek Investigation Into Power Grid Digital Signature Security Issues (July 18, 2012)
US Senators Joseph Lieberman (I-Connecticut) and Susan Collins (R-Maine) are calling for a federal investigation into cybersecurity vulnerabilities in the country's power grid, following a report from CNET last month that highlighted those concerns. The senators sent a letter to the Federal Energy Regulatory Commission (FERC) seeking "expeditious comprehensive investigation into ... allegations" that digital signatures used for authentication within the industry have security flaws.
-http://news.cnet.com/8301-1009_3-57475190-83/senators-call-for-probe-of-electric-grid-cybersecurity/



US Senate Committee Hears Testimony on Electric Grid Cybersecurity Concerns (July 17, 2012)
Representatives from the US government and private industry gave testimony about the security of the country's electric grid at a July 17 Senate Energy and Natural Resources Committee hearing. Committee chairman Senator Jeff Bingaman (D-New Mexico) said that while the electric industry is the only portion of the country's critical infrastructure that has mandatory security requirements, the system is still vulnerable to attacks. Witnesses noted that cybersecurity of the electric grid is hampered by a complicated regulatory process and weak enforcement. Federal regulators say they lack the authority to establish standards and requirements, and that the industry group responsible for creating security standards lacks the authority to enforce them. And all sides said they have insufficient information about cyberthreats to the grid.
-http://gcn.com/articles/2012/07/17/goverment-hampered-making-electric-grid-secure.aspx

[Editor's Note (Honan): The real issue here is not necessarily the security standards or understanding the threats. The fundamental issue is that these systems were developed, deployed and maintained without security being built in as an integral part. ]


Mozilla Fixes New Tab Data Exposure Issue in Firefox 14 (July 19, 2012)
On July 17, Mozilla released Firefox 14. The latest version of the browser addresses privacy issues arising from its new tab feature, which exposed snapshots of HTTPS sessions. The feature has been altered so that it "now omits privacy-sensitive websites like banking or webmail sites." The thumbnails can be moved or deleted. The other flaws addressed include a JavaScript URL code execution issue, a cross-site scripting vulnerability, and a number of use-after-free issues. Mozilla has also released updated versions of Thunderbird and SeaMonkey.
-http://www.theregister.co.uk/2012/07/19/firefox_14_new_tab_fix/
-http://www.h-online.com/security/news/item/Critical-holes-closed-in-Firefox-Thunderbird-and-SeaMonkey-1644530.html
-http://www.h-online.com/security/news/item/Firefox-new-tab-feature-tweaked-following-privacy-concerns-1647976.html



Russian Parliament Passes Net Censorship Bill (July 19, 2012)
The Federation Council of Russia, which is the upper house of the Russian Parliament, has passed a law that gives the government the authority to blacklist a website without court consent. The bill includes amendments to a number of other laws. Russian IT companies are concerned that the power could be abused to block legitimate content. One law would be amended to allow the blocking of entire domains even when a portion of the hosted content is determined to be illegal. The bill moved through both houses of Parliament in two weeks, allowing little time for protest.
-http://www.computerworld.com/s/article/9229359/Russian_Parliament_39_s_upper_house_approves_Internet_39_censorship_39_bill?taxonomyId=17



Internet Defense League Launches Alert Effort (July 17 & 19, 2012)
The Internet Defense League, a grassroots activism group, is introducing a way to alert users to the need to take action, as they did when the Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA) were being considered in the US legislature. Successful crowdsourcing helped spell the end of those particular bills, and the IDL wants an easy way to let people know their efforts are needed again. The signal will be a cat symbol on participating websites. The alert system is being launched in several cities around the world at kickoff events with spotlights that shine the cat face symbol into the night sky, just like the bat signal.
-http://arstechnica.com/tech-policy/2012/07/internet-defense-league-creates-cat-signal-to-save-web-from-next-sopa/
-http://www.informationweek.com/news/government/policy/240003971
-http://www.wired.com/threatlevel/2012/07/internet-defense-league/
[Editor's Note (Murray): Everything is vulnerable to attack. Moreover, any security measure will yield to a sufficiently resourceful attack. The absence of evidence about threat is an exception to the rule that "the absence of evidence is not evidence of absence." The issue is risk, not vulnerability, not threat. That said, part of the problem is that the energy sector is regulated by the states for the benefit of the consumer. The regulators are not yet ready to concede that security expenses can be passed to the consumer. Perhaps Congress will grant a tax credit for them.]


US Seeks Extradition of Man Arrested in Cyprus for Attack on Amazon.com in 2008 (July 19, 2012)
A Russian man has been arrested in Cyprus for allegedly launching distributed denial-of-service (DDoS) cyberattacks on Amazon.com and eBay in 2008. Dmitry Olegovitch Zubakha was indicted in US District Court in Washington state. Zubakha and an accomplice also launched a DDoS attack against Priceline.com; the accomplice contacted Priceline and offered his services as a security consultant to stop the attack. Law enforcement authorities also traced more than 28,000 stolen credit card numbers to the men. The US Justice Department (DOJ) is seeking Zubakha's extradition from Cyprus.
-http://www.computerworld.com/s/article/9229377/Russian_man_arrested_on_cyberattack_charges?taxonomyId=17



Mahdi Malware Detected on Middle East Computers (July 17 & 18, 2012)
Malware found on computers in the Middle East has been stealing documents and other data using methods less sophisticated than those employed by Flame. Machines become infected with the Mahdi Trojan when users open malicious email attachments. Most of the infected computers are in Iran and Israel. Researchers have not determined whether Mahdi is the work of state-sponsored hackers.
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/07/mahdi-virus-acts-flames-unsophisticated-cousin/56846/?oref=ng-channelriver
-http://news.cnet.com/8301-1009_3-57474405-83/mahdi-messiah-malware-targeted-israel-iran-pcs/
-http://www.wired.com/threatlevel/2012/07/mahdi/
-http://www.computerworld.com/s/article/9229279/Mahdi_cyberespionage_malware_infects_computers_in_Iran_Israel_other_Middle_Eastern_countries?taxonomyId=17
-http://www.scmagazine.com/mahdi-spy-malware-uncovered-but-no-flame-link-yet/article/250659/



Dropbox Investigating User Reports of Spam (July 18, 2012)
Some Dropbox users in Europe have reported that they are receiving spam at email addresses they use only for the cloud storage service. The unsolicited messages are written in German, English, and Dutch, and advertise gambling websites. Dropbox has brought in an outside team to investigate the matter. One user reportedly closed his Dropbox account after receiving the spam and opened a new one with a different email address; that email address started receiving the spam right away.
-http://www.computerworld.com/s/article/9229316/Dropbox_brings_in_outside_team_to_investigate_spam_run?taxonomyId=17
-http://arstechnica.com/security/2012/07/dropbox-hires-outside-experts-to-investigate-possible-e-mail-breach/

[Editor's Note (Murray): One of the more serious concerns of cloud service is the compromise of the provisioning controls and the monetization of access to them.]


Man Pleads Guilty to Cyberattacks, Threats (July 17 & 19, 2012)
An Australian man who hacked the servers of an Internet service provider (ISP) will be sentenced in August. Bryce Quilley followed through on an extortion attempt in which he threatened to delete staff email accounts at the company unless he was paid AU $10,000 (US $10,424). Quilley had worked at the company as a contractor. Quilley pleaded guilty to unlawful modification of computer data as well as making threats against the ISP, NuSkope, and its owner.
-http://www.smh.com.au/it-pro/business-it/man-snaps-and-hacks-isp-threatens-staff-with-an-axe-20120719-22bq5.html

-http://www.theregister.co.uk/2012/07/17/axe_attack_threatened_after_hack/


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder of Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/