SANS NewsBites - Volume: XIV, Issue: 61

*************************************************************************
SANS NewsBites                     July 31, 2012                    Volume: XIV, Issue: 61
*************************************************************************
TOP OF THE NEWS

  NIST Issues (Flawed) Draft Updates to Cybersecurity Guides
  NSA Director Asks Defcon Attendees to Help Defend Cyberspace
  Proposed Amendment to Cybersecurity Act Would Require Warrants for GPS Tracking

THE REST OF THE WEEK'S NEWS

  Cloud Security Alliance Chooses Singapore for HQ
  Mac OS X Malware Pretends to be Flash Installer
  Two Sentenced in Connection with Payment Card Skimming Scheme
  Company Wants Twitter to Unmask Satirist
  Netflix Agrees to US $9 Million Privacy Settlement
  Korean Police Arrest Pair for Alleged Data Theft and Sale
  Google Tells UK's ICO That It's Found More Street View Data
  Global Payments Estimates Costs of Breach at US $84.4 Million


***************** SPONSORED BY ForeScout Technologies *********************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy - - IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures.
http://www.sans.org/info/110765
****************************************************************************
TRAINING UPDATE
--SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

--SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Singapore, Dubai, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

NIST Issues (Flawed) Draft Updates to Cybersecurity Guides (July 30, 2012)
The National Institute of Standards and Technology (NIST) has issued updated drafts of two publications aimed at helping federal agencies and private organizations protect their networks from attacks, intrusions, and malware infections. The Guide to Intrusion Detection and Prevention Systems (SP 800-94 Rev. 1) and the Guide to Malware Incident Prevention and Handling for Desktops and Laptops (SP 800-83 Rev. 1) have been updated to incorporate current best practices. NIST is accepting public comment on the documents through August 31, 2012. The intrusion detection publication was originally released in February 2007 and has not been updated since then.
-http://www.informationweek.com/news/government/security/240004585
-http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
-http://csrc.nist.gov/publications/drafts/800-83-rev1/draft_sp800-83-rev1.pdf
[Editor's Note (Paller): The fact that the "Guide to Malware Incident Prevention and Handling for Desktops and Laptops" completely misses the only known path to malware incident prevention (the Australian 4 controls that have proven to stop APT malware infections at scale) speaks volumes about the consultants NIST chose to write these documents. Both documents read like college term papers rather than authoritative guides to what works written by people who have implemented the effective defenses. NIST Director Pat Gallagher and Chief of the Computer Security Division, Donna Dodson, have worked diligently to improve the security value of NIST documents. This time they were let down by the consultants. ]


NSA Director Asks Defcon Attendees to Help Defend Cyberspace (July 27 & 29, 2012)
Speaking at the Defcon hacker conference, General Keith Alexander, who heads both the National Security Agency (NSA) and US Cyber Command, asked attendees for help securing cyberspace. Alexander told those present that "In this room right here is the talent our nation needs to secure cyberspace," and praised the "superb" Defcon Kids program, which steers kids toward white-hat hacking. Alexander also told his audience that the NSA does not compile dossiers on US citizens. However, a former NSA employee speaking on a panel at the same conference said that the NSA does collect information about US citizens' email messages, tweets, online searches and other activity. William Binney is a former NSA technical director who said he left the agency in 2001 after he became aware that it was gathering information about US citizens.
-http://money.cnn.com/2012/07/27/technology/defcon-nsa/index.htm
-http://www.computerworld.com/s/article/9229756/NSA_chief_asks_hackers_at_Defcon_for_help_securing_cyberspace?taxonomyId=17

-http://www.wired.com/threatlevel/2012/07/nsa-chief-denies-dossiers/
-http://www.wired.com/threatlevel/2012/07/binney-on-alexander-and-nsa/


Proposed Amendment to Cybersecurity Act Would Require Warrants for GPS Tracking (July 30, 2012)
One of the proposed amendments to the Cybersecurity Act of 2012 currently being considered in the US Senate would require police to obtain a warrant before collecting GPS location data from US citizens' cellphones or other personal devices that use that technology. Debate on the cybersecurity bill is scheduled to begin on July 30 with a vote to take place later in the week.
-http://www.digitaltrends.com/mobile/cybersecurity-amendment-police-should-need-a-warrant-to-track-your-cellphone-gps/




************************** Sponsored Links: ****************************
0) SOS: SANS October Singapore 2012 (15-20 October) Featuring SEC 579: Virtualization and Private Cloud Security https://www.sans.org/singapore-sos-2012/
1) Why you need to include your real-time z/OS event data in your distributed IT security system. http://www.sans.org/info/110770
2) When Breaches Happen: 5 Questions to Prepare For, featuring senior SANS Analyst Dave Shackleford and Solera CTO Joe Levy http://www.sans.org/info/110775 Wed., August 29 at 1 PM EDT
3) New Analyst Webcast! Secure Configuration Management Demystified, featuring senior SANS Analyst Dave Shackleford and Tripwire's Michael Thelander, Tuesday, August 28, 1 PM EDT http://www.sans.org/info/110780
***************************************************************************

THE REST OF THE WEEK'S NEWS

Cloud Security Alliance Chooses Singapore for HQ (July 19 & 24, 2012)
The Cloud Security Alliance (CSA) has chosen Singapore to be home to its corporate headquarters. The CSA will form "a three-year strategic private-public partnership with support from the Singapore government." It will create a Global Research Center, a Global Standards Secretariat, and a Global Centre of Excellence for CCSK training and education. The decision was made in part as the result of efforts from the Infocomm Development Authority of Singapore, the Singapore Economic Development Board, and Trend Micro. The choice could have a positive effect on IT jobs and investments in the region.
-http://www.computerworld.com.sg/resource/cloud-computing/singapore-selected-as-csas-corporate-headquarters/
-http://www.asiacloudforum.com/content/multiplier-effect-csa's-corporate-hq-singapore
-http://www.marketwire.com/press-release/cloud-security-alliance-selects-singapore-as-site-corporate-headquarters-continues-apac-tse-4704-1682155.htm



Mac OS X Malware Pretends to be Flash Installer (July 27 & 30, 2012)
A new piece of malware that targets Apple OS X users has been detected. It arrives disguised as an Adobe Flash Player installer. The malware is known as Crisis or as Morcut and is capable of intercepting email and instant messages. The reality of malware on Macs hit home when Flashback infected more than 600,000 machines earlier this year. In response, Apple patched several versions of its operating system and updated the OSes to disable older versions of Java and Adobe Flash Player. Crisis/Morcut currently appears to depend on social engineering to infect systems.
-http://www.informationweek.com/news/security/attacks/240004583
-http://www.computerworld.com/s/article/9229725/New_Mac_Trojan_hints_at_ties_to_high_priced_commercial_hacking_toolkit?taxonomyId=85

[Editor's Note (Murray): My favorite bait message has always been "Click here to update Adobe...." ]
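The practical defense against a trojan that merely dresses up as a vendor's installer is to check who actually signed the bundle before opening it. The following is an added example written for this issue; it is not code from the article, from Apple, from Adobe, or from the malware's authors. It assumes macOS 10.8 or later with the `codesign` tool present, and it takes the expected Developer ID name as a parameter because the article does not give Adobe's signing identity (take it from a known-good copy of the vendor's software). The `codesign -dvv` output samples embedded below are constructed, with a hypothetical vendor, team ID and bundle identifier, so the parsing logic can be exercised offline.

```python
import re
import subprocess

# Constructed sample of `codesign -dvv` output for a Developer ID-signed
# installer bundle. Vendor name, team ID and bundle identifier are hypothetical;
# real output carries additional lines, which the parser ignores.
SAMPLE_SIGNED = """\
Executable=/Volumes/Flash Player/Install.app/Contents/MacOS/Install
Identifier=com.example.flashinstaller
Format=bundle with Mach-O thin (i386)
Authority=Developer ID Application: Example Vendor Inc (AB12CD34EF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Constructed output for a bundle with no signature at all, which is what
# codesign reports for a trojan that only borrowed the vendor's icon and name.
SAMPLE_UNSIGNED = "/Volumes/Flash Player/Install.app: code object is not signed at all\n"

# Constructed output for an ad-hoc signature: signed, but with no certificate chain.
SAMPLE_ADHOC = """\
Identifier=com.example.flashinstaller
Signature=adhoc
"""

AUTHORITY_RE = re.compile(r"^Authority=(.*)$", re.MULTILINE)
IDENTIFIER_RE = re.compile(r"^Identifier=(.*)$", re.MULTILINE)


def parse_codesign(text):
    """Extract the bundle identifier and the certificate chain (leaf first)
    from `codesign -dvv` output. Every other line is ignored."""
    m = IDENTIFIER_RE.search(text)
    return {
        "identifier": m.group(1) if m else None,
        "authorities": AUTHORITY_RE.findall(text),
    }


def signer_matches(info, expected_developer):
    """Accept only a Developer ID leaf certificate issued to `expected_developer`
    whose chain ends at Apple's root. Unsigned and ad-hoc signed bundles have no
    Authority lines and are rejected; so is a bundle signed by any other
    developer, however convincing the name on the disk image."""
    auths = info["authorities"]
    if not auths:
        return False
    leaf = auths[0]
    # Developer ID leaf CNs look like "Developer ID Application: <Name> (<TEAMID>)".
    # Match the full name followed by the team-ID group so that a vendor whose
    # name merely starts with the expected string does not pass.
    want = "Developer ID Application: " + expected_developer
    return ((leaf == want or leaf.startswith(want + " ("))
            and auths[-1] == "Apple Root CA")


def verify_installer(path, expected_developer):
    """The two checks to run on a downloaded installer before opening it.
    Requires macOS 10.8 or later with codesign available (assumption)."""
    # 1. Integrity: a nonzero exit means the bundle is unsigned or was modified
    #    after it was signed.
    r = subprocess.run(["codesign", "--verify", path],
                       capture_output=True, text=True)
    if r.returncode != 0:
        return False
    # 2. Identity: codesign prints the signature details on stderr.
    r = subprocess.run(["codesign", "-dvv", path],
                       capture_output=True, text=True)
    return signer_matches(parse_codesign(r.stderr), expected_developer)
```

Gatekeeper on 10.8 performs a similar assessment automatically (`spctl --assess --type execute <path>` shows its verdict), but it only answers "is this signed by some Developer ID", not "is this signed by the vendor I was expecting"; the second question is the one that catches a look-alike installer, and it is the one `signer_matches` asks.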


Two Sentenced in Connection with Payment Card Skimming Scheme (July 30, 2012)
A US District Court Judge in California has sentenced two men to prison terms for using stolen payment card information to withdraw thousands of dollars through ATMs. Last summer, Eduard Arakelyan and Arman Vardanyan admitted to obtaining counterfeit payment cards and using them to make the withdrawals. The card information was stolen from point-of-sale terminals at Michaels craft stores using skimming devices. Arakelyan and Vardanyan were each sentenced to five years in prison; they will also serve five years of supervised release upon completion of their prison terms, and they have been ordered to pay US $42,000 in restitution.
-http://www.bankinfosecurity.com/michaels-breach-fraudsters-sentenced-a-4991
-http://www.scmagazine.com/two-men-sentenced-in-michaels-breach-after-looting-atms/article/252538/



Company Wants Twitter to Unmask Satirist (July 30, 2012)
A UK media company is taking legal action to compel Twitter to reveal the identity of an individual who has allegedly broken into an email account. The individual is believed to be responsible for having at least three Twitter accounts that impersonate Steve Auckland, a newspaper group chief executive. Some of the information made public on one of the Twitter accounts was not publicly known, leading to allegations that an email account had been hacked.
-http://www.bbc.com/news/technology-19045633
-http://www.theregister.co.uk/2012/07/30/spoof_unstevedorkland_account_charged_california/



Netflix Agrees to US $9 Million Privacy Settlement (July 30, 2012)
Netflix has agreed to a privacy settlement that calls for the company to change its privacy policy and pay US $9 million in attorneys' fees, plaintiff payouts, and charitable donations. Netflix will no longer retain the rental history of former customers indefinitely; the rental data will be unlinked from customer identifiers once a customer has been unsubscribed for 12 months. The changes and payments are the result of a class-action lawsuit alleging that Netflix retained and shared former customers' rental information.
-http://arstechnica.com/tech-policy/2012/07/class-action-lawsuit-settlement-forces-netflix-privacy-changes/

-http://www.theregister.co.uk/2012/07/30/netflix_data_privacy/
[Editor's Comment (Northcutt): I am surprised it was only $9 Million, though I suppose showing harm would have been difficult. For our international readers, the video tape rental disclosure law stems from an event where a US Supreme Court nominee had his video rental history disclosed and some people questioned some of his choices. Here is the law and a bit of history:
-http://www.law.cornell.edu/uscode/text/18/2710
-http://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
And it turns out that Netflix was already trying to dilute the protections and in fact somewhat successful:
-http://www.pcworld.idg.com.au/article/413990/lawmakers_question_proposed_change_video_privacy_law/
-http://www.pcworld.com/businesscenter/article/249058/lawmakers_question_proposed_change_to_video_privacy_law.html
]


Korean Police Arrest Pair for Alleged Data Theft and Sale (July 29 & 30, 2012)
Police in South Korea have arrested two people in connection with the theft and reselling of data from Korean telecommunications company KT. The pair reportedly earned one billion won (US $879,000) from the sale of the data, which include contact information and details about customers' mobile service plans. The data theft affects nearly nine million people. The data, which were sold to telemarketers, were stolen over a seven-month period. Seven other people have been charged in connection with buying the information. KT has apologized to its subscribers for the incident and has said it will take steps to improve security.
-http://www.theregister.co.uk/2012/07/29/kt_hackers_arrested/
-http://news.cnet.com/8301-1009_3-57482215-83/hackers-accused-of-stealing-data-from-9m-korean-mobile-users/?tag=txt;title

-http://www.bbc.com/news/technology-19048494


Google Tells UK's ICO That It's Found More Street View Data (July 27, 2012)
Google has admitted to the UK's Information Commissioner's Office (ICO) that it has discovered additional Street View data from that country, despite having told the ICO more than 18 months ago that it would destroy all the UK data it held. Google found the data on disks that had been used to store the harvested Wi-Fi payload data. Google asked the ICO what it would like the company to do with the data; the ICO requested that Google turn the data over to it for forensic analysis.
-http://www.computerworld.com/s/article/9229730/Google_failed_to_delete_all_Street_View_data_in_UK?taxonomyId=84
-http://www.v3.co.uk/v3-uk/news/2194977/google-admits-uk-street-view-data-still-undeleted

-http://www.bbc.com/news/technology-19014206
[Editor's Note (Honan): This issue impacted street view data gathered not only in the UK but also in Ireland, France, Belgium, Netherlands, Norway, Sweden, Finland, Switzerland, Austria and Australia. See:
-http://www.telegraph.co.uk/technology/google/9432518/Google-we-failed-to-delete-all-Streetview-data.html

The UK ICO has recently re-opened its investigation into the gathering of the Street View Data. The "forgotten" data now being handed over to the UK ICO may provide that investigation with more details than if the data had been deleted as per the original request. ]


Global Payments Estimates Costs of Breach at US $84.4 Million (July 26, 2012)
Global Payments says that the costs associated with the data breach that compromised 1.4 million payment cards have reached US $84.4 million. The costs include investigations, fines, and remediation. The figure was disclosed in the company's fiscal 2012 earnings report.
-http://www.zdnet.com/data-breach-to-cost-84m-for-global-payments-7000001674/
-http://www.computerworld.com/s/article/9229717/Global_Payments_data_breach_cost_a_whopping_84.4_million?taxonomyId=17



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course and the Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder of Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/