SANS NewsBites - Volume: XIV, Issue: 63

Tomorrow is the last day for substantial early registration discounts
for SANS largest West Coast training conference - San Diego in mid September.
Register at http://www.sans.org/network-security-2012/
Alan

*************************************************************************
SANS NewsBites                     August 07, 2012                    Volume: XIV, Issue: 63
*************************************************************************

TOP OF THE NEWS

  Loss to Business Lobby of Cyber Bill Makes Cyber a Winning Campaign Issue for Obama
  Computer Outage Caused Hospitals to Lose Access to Electronic Patient Records
  Lawsuit Filed Against Yahoo Alleges for Negligence in Password Hack
  Bill Would Amend ECPA to Require Probable Cause Warrants for Cloud Data

THE REST OF THE WEEK'S NEWS

  Hackers Target Reuters Blogging Platform and Twitter Account
  Trans-Pacific Partnership Treaty Text Leaked
  Personal Digital Nightmare Started with Social Engineering of Apple Tech Support
  Microsoft Releases Application Security Analysis Tool
  Daily Mail Withdraws Legal Action Seeking Identity of Spoof Twitter Account Holder
  French Culture Minister Hints that Hadopi Might be Shuttered
  Federal Appeals Court Says Embedded Video is Not Infringing Copyright
  EPA Data Breach Exposes Personal Information of 8,000 People


******************** SPONSORED BY SolarWinds.Net, Inc. ********************
SolarWinds(R) Log & Event Manager (LEM) versus Splunk(R) Review the Top 5 Reasons to Choose Log & Event Manager over Splunk. See how SolarWinds LEM delivers powerful Security Information and Event Management (SIEM) capabilities in a highly affordable, easy-to-deploy virtual appliance. SolarWinds LEM delivers the visibility, security, and control you need to overcome everyday IT challenges.
http://www.sans.org/info/111155
****************************************************************************
TRAINING UPDATE
--SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

--SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 45 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 6 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Melbourne, Prague, Dubai, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Loss to Business Lobby of Cyber Bill Makes Cyber a Winning Campaign Issue for Obama (August 7, 2012)

At a minimum, this affords Obama a chance to bash a "do-nothing Congress" for taking a vacation when top officials are warning about severe security threat. But it gives him more: that Republicans have put big business ahead of national security. This will resonate with independent voters much more than the arguments about business and the Chamber of Commerce bullying their way to gaining unfair economic treatment. Read more:
-http://swampland.time.com/2012/08/07/how-cyber-security-could-be-a-winning-issue
-for-obama/?iid=tsmodule

Computer Outage Caused Hospitals to Lose Access to Electronic Patient Records (August 3, 2012)

A computer outage in July caused dozens of hospitals across the US to lose access to electronic patient records for roughly five hours. The outage, which was caused by human error, affected an unspecified number of hospitals that use Kansas City, Missouri-based Cerner Corp. for remote medical record storage. The push to move to electronic medical records aims to improve patient care by giving doctors and other health care providers with immediate access to patient data and to eliminate unnecessary tests and procedures. The government will start imposing fines on hospitals and physicians that do not use electronic records by 2015. While Cerner said that "our clients all have downtime procedures in place to ensure patient safety," doctors and other staff at institutions affected by the outage were concerned about the duration of the outage, and the apparent lack of a Cerner backup system coming into operation. Because most patient notes are now recorded electronically rather than in paper files, staff coming on duty may not have had access to activity regarding patients, which could lead to mistakes.
-http://www.latimes.com/business/la-fi-hospital-data-outage-20120803,0,5302779.st
ory
[Editor's Note (Pescatore): There is an old saying in IT: automating a bad process just leads to getting bad results more quickly. There is a lot of process work still needing to be done around reliability, integrity and privacy of electronic health information before mandated use of electronic health records will lead to any increase in health care effectiveness or efficiency.
(Paller): Theft of health records, for the purpose of extorting money from the insurers or health care providers, is a cottage industry among cyber criminals worth millions. You don't hear much about it because the victims pay the criminals rather than exposing their data losses. Lots of fascinating, related information at
-http://topics.bloomberg.com/putting-patient-privacy-at-risk/
(Murray): The timing of this is unfortunate. Health care remains the least automated and most inefficient sector of our society. We need to avoid incidents that discourage the transition to electronic health records. While this outage could have "led to mistakes," it is the paper that is killing and impoverishing us. ]

Lawsuit Filed Against Yahoo Alleges Negligence in Password Hack (August 3, 2012)

A lawsuit filed against Yahoo in federal court in San Jose, California, is seeking class-action status against the Internet giant for negligence that allowed hackers to access a Yahoo database and steal 450,000 account passwords. The lawsuit seeks compensation for account fraud and associated expenses incurred as a result of the breach. The hackers behind the data theft claimed to have used an SQL injection attack to gain access to the information, which was not encrypted. The lawsuit alleges that "the SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others."
-http://news.cnet.com/8301-1009_3-57486703-83/yahoo-user-sues-over-password-leak/
[Editor's Note (Honan): This video from UK Information Security professional Javvad Malik is an excellent, and funny, overview of why you should hash passwords.
-http://youtu.be/FYfMZx2hy_8
(Murray): Unchecked inputs, the vulnerabilities exploited by so-called "SQL injection" attacks, do not result from ignorance. Rather they result from inadequate training and management control of programmers. We will not fix the problem until we describe it correctly and put the responsibility in the right place.
(Paller): Bill Murray is correct on this one. The one person in government who could have made a dent in that problem, and who committed to do so, Farnham Jahanian of the National Science Foundation who hands out 80% of all funds going to computer science at US colleges, had a straightforward solution. But he dropped the ball. The nation would be far better off if OMB or Congress gave half his money to DHS and NSA where colleges would have to prove they were ensuring each CS student and others learning programming knew how to write secure code in order to get cybersecurity research/teaching funds. ]

Bill Would Amend ECPA to Require Probable Cause Warrants for Cloud Data (August 6, 2012)

Two US congressmen are proposing an amendment to the Electronic Communications Privacy Act (ECPA) that would require the government to obtain probable-cause warrants before accessing cloud data. The bill proposed by Representatives Jerrold Nadler (D-New York) and John Conyers, Jr. (D-Michigan) aims to "ensure that ECPA strikes the right balance between the interests and needs of law enforcement and the privacy interests of the American people." The law dates back to 1986 and grants the government warrantless access to suspects' email and other stored content as long as it has been on a server for 180 days or more. At the time ECPA became law, email was not stored on servers for long periods of time, so email that was still present after six months was considered abandoned.
-http://www.wired.com/threatlevel/2012/08/ecpa-warrant-reform/
[Editor's Note (Murray): One can applaud the arguments of Conyers and Nadler without taking this proposal seriously. It will be opposed by the Obama Justice Department and is not likely to get committee consideration in the Republican House. Not only will we never know how often the cloud service providers turn over our information to the government but, perhaps more important, in the absence of Congressional hearings, we are unlikely to know whether or not it is even useful in prosecuting crime. ]



************************** Sponsored Links: ****************************
1) Take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/111160
2) When Breaches Happen: 5 Questions to Prepare For, featuring senior SANS Analyst Dave Shackleford and Solera CTO Joe Levy http://www.sans.org/info/111165 Wed., August 29 at 1 PM EDT
***************************************************************************

THE REST OF THE WEEK'S NEWS

Hackers Target Reuters Blogging Platform and Twitter Account (August 5, 2012)

Reuters has been the target of two cyberattacks over a three-day period. On Friday, August 3, hackers accessed the Reuters blogging platform and posted phony news stories that claimed to be from Reuters. Reuters took the blogging platform offline, after which hackers hijacked the organization's Twitter account, renamed it, and sent out phony posts.
-http://www.theregister.co.uk/2012/08/05/reuters_hacked/
-http://www.zdnet.com/reuters-twitter-account-hacked-7000002142/
-http://news.cnet.com/8301-1009_3-57486971-83/reuters-twitter-account-hijacked-fa
ke-tweets-sent/
[Editor's Note (Honan): According to this ZDNET article Reuters was breached through an old version of Wordpress
-http://www.zdnet.com/reuters-was-hacked-via-an-old-version-of-wordpress-70000022
25/]

Trans-Pacific Partnership Treaty Text Leaked (August 5, 2012)

Several paragraphs of draft terms of service being negotiated by the Trans-Pacific Partnership have been leaked. The negotiations between nine Pacific Rim countries are being conducted in secret and are focused on developing a free-trade agreement that addresses a spectrum of issues, including intellectual property. The draft text suggests that Australia and the US both support a "three-steps test" for copyright exceptions and liabilities.
-http://www.itnews.com.au/News/310956,australia-pushes-for-restrictive-copyright-
in-tpp.aspx
-http://arstechnica.com/tech-policy/2012/08/international-trade-negotiations-reve
al-uncertain-future-for-digital-fair-use/

Personal Digital Nightmare Started with Social Engineering of Apple Tech Support (August 5 & 6, 2012)

Tech journalist Mat Honan (not related to our NewsBites editor) details how a hacker managed to access his iCloud account and through that, was able to remotely gain access to Honan's other accounts and wipe all his Apple devices. The attacker started by resetting Honan's iCloud password and sending the confirmation message to the trash. The attacker then moved on to Honan's Google account, and after that, remotely wiped his iPhone, iPad, and MacBook Air. His Twitter account was hijacked as well. Honan has had contact with the hacker and confirmed that the attack was perpetrated not through a brute force password attack but through social engineering at Apple tech support.
-http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
-http://www.bbc.com/news/technology-19147407
-http://www.zdnet.com/how-apple-let-a-hacker-remotely-wipe-an-iphone-ipad-macbook
-7000002141/
-http://news.cnet.com/8301-1009_3-57486990-83/journalist-blames-apple-tech-for-al
lowing-icloud-hack/
[Editor's Comment (Northcutt): I read Mr. Honan's account (first link above) and it appears to be long on speculation and short on solid forensic evidence. I would suggest that we should wait till more confirmation is available to draw any conclusions. I am very sorry Mr. Honan lost a year of data, but years ago, I saw a trade show button that was a twist on the Sermon on the Mount, "Blessed are they that make backups". Can I get a hearty amen? " ]

Microsoft Releases Application Security Analysis Tool (August 3, 2012)

Microsoft has released a tool that can help system administrators and other IT security professionals determine whether new applications affect Windows OS security. Attack Surface Analyzer 1.0 scans for several classes of known security risks that affect files, registry keys, services, ActiveX controls, and others. The free tool is already in use at Microsoft's internal product groups and a beta version has been available for download since January 2011. Versions support Windows Vista and newer OSes.
-http://www.computerworld.com/s/article/9229960/Microsoft_tool_shows_whether_apps
_pose_danger_to_Windows?taxonomyId=17
[Editor's Note (Murray): Microsoft is to be applauded for releasing this tool and one hopes that it will be widely used. That said, it contributes to the idea that quality or security can be "tested in" or "added on" at the end of development. ]

Daily Mail Withdraws Legal Action Seeking Identity of Spoof Twitter Account Holder (August 3, 2012)

The Daily Mail newspaper group has withdrawn the legal action it initiated to force Twitter to disclose the identity of a person who has a Twitter account that spoofs a Northcliffe Media chief executive. (Northcliffe Media is a Daily Mail subsidiary.) The subpoena was filed in the US. Northcliffe maintained that some of the tweets made by the satirist caused staff members to "fear for their safety." Twitter refused to disclose the information after the person who has the parody account filed an objection. Although Twitter forbids the use of accounts to impersonate others "in a manner that is intended to mislead, confuse, or deceive," parody, spoof, and satire do not fall under this categorization.
-http://www.bbc.com/news/technology-19107096
-http://www.theregister.co.uk/2012/08/03/northcliffe_media_twitter_account/
-http://www.guardian.co.uk/media/2012/aug/03/northcliffe-media-spoof-twitter-acco
unt?newsfeed=true

French Culture Minister Hints that Hadopi Might be Shuttered (August 3 & 6, 2012)

In an interview with a French magazine, France's new minister of culture appeared to indicate that the country's anti-piracy agency known as Hadopi will be shut down. Aurelie Filippetti told Le Nouvel Observateur that "Hadopi has not fulfilled its mission of developing legal content offerings." She also noted that "the suspension of Internet access seems to be a disproportionate penalty given the intended goal." Hadopi was established as a three-strikes model, with repeat offenders losing Internet connectivity for a set time. Since its inception, Hadopi has sent one million warning emails, 99,000 strike-two letters, and identified 314 individuals as court referrals for possible disconnection. Filippetti has called Hadopi "expensive." The new French president, Francois Hollande, says he prefers to focus efforts on commercial piracy rather than individual piracy.
-http://www.cnet.com.au/french-illegal-downloads-agency-hadopi-may-be-abolished-3
39341011.htm
-http://arstechnica.com/tech-policy/2012/08/french-anti-p2p-agency-hadopi-likely-
to-get-shut-down/
[Editor's Note (Murray): Steve Jobs tried to teach the publishers that the way to make money in a world of falling reproduction cost is to lower one's prices and make up the revenue on volume. Seems simple enough. Instead the publishers have tried to co-opt the coercive power of the state to prop up their obsolete business model and punish those who would gladly be their customers at a competitive price. Perhaps at least one state will refuse to cooperate.]

Federal Appeals Court Says Embedded Video is Not Infringing Copyright (August 3, 2012)

A US federal appeals court has overturned a lower court ruling that embedding video on a website is copyright infringement. A producer of pornography, Flava Works, had sued video bookmarking site myVidster for copyright infringement. A glance at the myVidster site could lead to the mistaken assumption that the site is itself serving the video. However, closer examination would show that the video is being streamed directly from third-party servers to users' computers. Judge Richard Posner of the Seventh Circuit Court of Appeals, writing for the three-judge panel, said that neither myVidster nor its users are directly infringing copyright. The infringer is the individual who copied the video and uploaded it to the Internet. In other words, no matter how many people view an uploaded video, the only infringer is the person who uploaded it in the first place.
-http://arstechnica.com/tech-policy/2012/08/mpaa-embedding-is-infringement-theory
-rejected-by-court/

EPA Data Breach Exposes Personal Information of 8,000 People (August 2, 2012)

A data security breach at the US Environmental Protection Agency (EPA) has exposed personal information of nearly 8,000 people, most of whom are current EPA employees. The compromised data include Social Security numbers (SSNs), bank routing numbers and home addresses. The EPA has acknowledged notifying 5,100 current employees and 2,700 other individuals about the breach, which occurred in March 2012. No details about the incident have been provided.
-http://www.bizjournals.com/washington/news/2012/08/02/epa-security-breach-expose
s-personal.html
[Editor's Note (Murray): One recognizes that the government is a big place and that breaches happen. However, it is past time for the government to lead by example in what it likes to style "cyber war." Until it does so, it should resist the temptation to extend its control over everyone else's computers.]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/