SANS NewsBites - Volume: XIV, Issue: 70


A big week for news - 50% more stories than usual. So many that two
noteworthy emerging stories will have to wait until next week. Here's a
preview: (1) the unveiling of a new minimum standard of due care, in
protecting corporate and government proprietary information, by an
international coalition of governments and leading companies, led by an
ex-NSA executive, and (2) the radical increase in damaging new attacks
in the past 6 months (400% in some major companies, more than 200% in
governments) and the fact that some significant organizations are not
seeing the attacks and are therefore not responding.

Alan

*************************************************************************
SANS NewsBites                     August 31, 2012                    Volume: XIV, Issue: 70
*************************************************************************
TOP OF THE NEWS

  White House May Be Considering Establishing Cyberthreat Information Sharing Program
  Cyber Thieves Target Financial Advisers to Steal Funds From Investment Accounts
  Data Breaches in UK Up More Than Tenfold in Five Years

THE REST OF THE WEEK'S NEWS

  Qatari Gas Company Hit By Malware Attack
  Complaint Alleges Contractor Sabotaged Network and Stole Data
  Judge Rules Funds Transfer Act Overrides Contractual Agreements in Online Fraud Case
  US Government Returns Domains Seized From Spanish Sports Site
  Court Grants Kim Dotcom Access to Frozen Funds to Pay Legal and Living Expenses
  Phishers Spoof US Cyber Command
  Oracle Criticized for Not Patching Pair of Java Flaws Sooner
  WorldPay Money Mule Manager Draws 30-Month Prison Sentence
  Administrative Subpoenas Raise Questions
  Another Arrest in 2011 LulzSec Attack on Sony
  Interior Dept. Seeking Cloud Tool Capable of Wiping Mobile Devices Remotely
  Former Swiss Bank Employee Arrested in Connection with Customer Data Leak


*********************** Sponsored By SonicWall ******************
Ask The Expert Webcast: Windows Kernel Exploitation and Command & Control Malware, featuring Stephen Sims. Tuesday, September 11, 2012 at 11:00 AM EDT. In this presentation Stephen will discuss the basics of Kernel exploitation on the Windows Operating System, as well as the use of command and control malware as a payload. We will also take a look at some examples of exploit mitigation controls being added to protect the Windows Kernel from being exploitable when a vulnerability exists.
http://www.sans.org/info/112662
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by, and exhibits from, all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012

**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but this is an exception because the DHS and NIST folks have done a great job!
https://itsac.g2planet.com/itsac2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 4 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 44 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 7 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 10 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--SANS London 2012 London, UK November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Dubai, San Diego, Johannesburg, Seoul, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

White House May Be Considering Establishing Cyberthreat Information Sharing Program (August 30, 2012)
A draft document circulating in the White House suggests that the President may be considering a new program that would protect government and private industry computer networks that are part of the country's critical infrastructure from cyberattacks. The program would call for the government to establish a continuous threat collection and information dissemination system. The program is being considered in lieu of legislation, as lawmakers have been unable to come to any agreement on a cybersecurity bill. The draft "is not close to being done," according to a White House spokesperson. The document indicates that the program would aim for "a near-real-time common operating picture" for critical infrastructure threats and establish "strong cooperation" between government and private sector entities.
-http://www.businessweek.com/news/2012-08-30/obama-weighs-broad-program-to-defend-networks-from-cyber-attacks



Cyber Thieves Target Financial Advisers to Steal Funds From Investment Accounts (August 28, 2012)
Cyber thieves have begun targeting financial advisers in the hope that they can be tricked into wiring funds out of their customers' online investment accounts and into accounts controlled by the attackers. If the attack succeeds, the customer whose money was transferred is left to deal with the adviser. One planner was nearly tricked into transferring more than US $15,000 into an account controlled by thieves after receiving an email that appeared to come from an insurance company executive; the text of the message was similar in style to messages the adviser had received from the client in the past. The transfer was prevented when the planner called his client to make sure he understood which account the funds were supposed to come out of. Similar attacks on small businesses have been gaining attention, and banks are starting to establish more stringent transaction authentication criteria, which could explain why fraudsters are turning to financial advisers.
-http://www.usatoday.com/tech/news/story/2012-08-26/wire-transfer-fraud/57335540/1



Data Breaches in UK Up More Than Tenfold in Five Years (August 30, 2012)
The UK Information Commissioner's Office (ICO) says that over the past five years, data security breaches in the UK have increased more than 1,000 percent. The figure is slightly higher for local government breaches, and slightly lower for National Health Service (NHS) breaches. The dramatic increase may be attributable in part to organizations reporting more breaches than they have in the past because of increased awareness and legal requirements to keep personal data safe. Telecommunications is the only sector that showed a decline in the number of breaches reported over the given period of time.
-http://www.bbc.com/news/technology-19424197
-http://www.v3.co.uk/v3-uk/news/2201863/uk-data-breaches-rocket-by-1-000-percent-over-past-five-years




************************** Sponsored Links: ****************************
1) Analyst Webcast! A Review of McAfee's Solutions for Securing Physical and Virtualized Servers in the Data Center http://www.sans.org/info/112667
2) Time is Running Out to take the SANS 2nd Survey on BYOD Security Policy and WIN Cash Prizes! http://www.sans.org/info/112672
***************************************************************************

THE REST OF THE WEEK'S NEWS

Qatari Gas Company Hit By Malware Attack (August 30, 2012)
A virus that infected the computer network of Qatar's RasGas, a natural gas provider, has forced the company to cut off Internet access. The attack occurred on August 27, and the company has been disconnected from the Internet ever since. The attack appears to be similar to one that recently affected Saudi Arabia's Saudi Aramco; that attack prompted the company to suspend access to remote and internal networks for more than a week.
-http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/


Complaint Alleges Contractor Sabotaged Network and Stole Data (August 30, 2012)
A civil complaint filed by Toyota in US District Court in Kentucky alleges that a former contract employee sabotaged applications on the Toyota network and stole data after he was fired. The man, who is in the US on a work visa, worked for a contractor that provides computer services to Toyota. He allegedly accessed Toyota's secure website after he was fired and stole confidential information, trade secrets, proprietary design information and other data. He also allegedly sabotaged applications, causing a supplier website to crash.
-http://www.wired.com/threatlevel/2012/08/toyota-alleges-sabotage/
-http://www.wired.com/images_blogs/threatlevel/2012/08/Toyota_Shahulhameed_Complaint.pdf



Judge Rules Funds Transfer Act Overrides Contractual Agreements in Online Fraud Case (August 29, 2012)
A US Federal Judge in Missouri has ruled that BancorpSouth cannot use contractual agreements with customers to deflect liability claims over online banking theft that resulted in the unauthorized wire transfer of US $440,000 from a business customer's account in March 2010. Choice Escrow and Title LLC sued BancorpSouth in November 2010, alleging that the bank did not have adequate security protections in place as defined by the Funds Transfer Act provisions of the Uniform Commercial Code. BancorpSouth's countersuit alleged that Choice Escrow was responsible for the incident because it had allowed the thieves to obtain its login credentials. Judge John Maughmer said that the Funds Transfer Act preempted any other agreements made between BancorpSouth and its client.
-http://www.computerworld.com/s/article/9230730/Judge_dismisses_BancorpSouth_defense_in_online_theft_suit?taxonomyId=17

[Editor's Note (Murray): Consistent with Patco and Experi-Metals. Seems to go further. The judge seems to suggest that this is a "bad case." ]


US Government Returns Domains Seized From Spanish Sports Site (August 29, 2012)
The US government has returned the Rojadirecta.com and Rojadirecta.org domains to Spanish company Puerto 80; the domains were seized in January 2011 during an investigation into Internet piracy. The domains were seized for allegedly containing links to copyrighted content. The government's motion to dismiss the case noted that the decision was made "as a result of certain recent judicial authority involving issues germane to" the case. A recent ruling from Judge Richard Posner of the Seventh Circuit Court of Appeals said that a video bookmarking site was not in violation of US copyright law.
-http://www.wired.com/threatlevel/2012/08/domain-names-returned/
-http://www.wired.com/images_blogs/threatlevel/2012/08/Endorsed-Order-Vacating-Seizure-Warrants.pdf

-http://www.wired.com/images_blogs/threatlevel/2012/08/8.29.12-cover-letter-to-Judge-Crotty.pdf

(Article about Posner's ruling earlier in August regarding copyright infringement:
-http://arstechnica.com/tech-policy/2012/08/mpaa-embedding-is-infringement-theory-rejected-by-court/)



Court Grants Kim Dotcom Access to Frozen Funds to Pay Legal and Living Expenses (August 29, 2012)
The New Zealand High Court has ruled that MegaUpload, and its founder Kim Dotcom, may withdraw US $4.83 million from frozen funds to pay Dotcom's legal bills in New Zealand and cover rent for his home. The funds have been frozen since law enforcement agents shut down the file sharing website and seized associated assets. The US is seeking Dotcom's extradition to face criminal copyright charges.
-http://www.wired.com/threatlevel/2012/08/dotcoms-frozen-funds-thawed/
-http://www.computerworld.com/s/article/9230723/Megaupload_wins_fight_in_New_Zealand_court_to_pay_its_bills?taxonomyId=17



Phishers Spoof US Cyber Command (August 28, 2012)
The US Cyber Command is reportedly being spoofed in a phishing attack. The US Department of Homeland Security's (DHS) Computer Emergency Readiness Team (US-CERT) has warned that there are "multiple malware campaigns impersonating multiple US government agencies." The attacks present users with messages claiming that a US government agency has found them involved in criminal activity and instructing them to pay a fine or lose access to their computers. The users are often told to pay the fine through prepaid money cards. This type of scheme is not new, but this is the first time that the US Cyber Command has been impersonated in such an attack.
-http://www.nextgov.com/cybersecurity/2012/08/software-alert-claiming-be-cyber-command-aims-steal-money/57715/?oref=ng-HPriver



Oracle Criticized for Not Patching Pair of Java Flaws Sooner (August 28 & 30, 2012)
An exploit is now circulating for two zero-day vulnerabilities in Java 7, and there are indications that Oracle may have known about the flaws since April. The flaws can be exploited to install malware on Windows, Mac OS X, and Linux machines running the most recent version of Java. Attacks exploiting these vulnerabilities are increasing, which is attributed to exploit code for the flaws having been added to the underground BlackHole exploit kit. As there is currently no patch available, users are urged to disable Java until a fix is released.
-http://www.v3.co.uk/v3-uk/news/2201775/oracle-lambasted-for-slow-response-to-java-zero-day-flaw-warnings
-http://www.theregister.co.uk/2012/08/30/java_zero_day_latest/
-http://arstechnica.com/security/2012/08/critical-java-exploit-spreads/
-http://www.computerworld.com/s/article/9230699/Unpatched_Java_vulnerability_exploited_in_Blackhole_based_attacks?taxonomyId=17

[Editor's Note (Honan): There has been little or no communication from the company as to what exactly they were doing to address the problem leaving many security managers wondering what their best course of action was to protect their systems. Unacceptable. ]
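A first step for a security manager in the position Honan describes is knowing which hosts run Java 7 at all. The check below is an added example, not code from any of the articles above or from Oracle: it parses the output of `java -version` (the JVM writes it to stderr) and flags any Java 7 runtime, which is the version the reports above name as affected. The `SAMPLE_OUTPUTS` strings are constructed for this example, and the "affected" rule is this example's own reading of the reports; narrow it to the specific vulnerable builds once Oracle publishes a fix.

```python
import re
import subprocess

# Constructed samples of what `java -version` prints (real installs vary slightly).
SAMPLE_OUTPUTS = {
    "java7": 'java version "1.7.0_06"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)\n',
    "java6": 'java version "1.6.0_33"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
}

# Pre-Java 9 runtimes report as 1.<major>.<patch>_<update>; newer ones as <major>.<minor>.<patch>.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (a, b, c, update) parsed from `java -version` text, or None if absent."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    a, b, c, update = m.groups()
    return (int(a), int(b), int(c), int(update or 0))


def is_java7(version):
    """Java 7 runtimes identify themselves as 1.7.x (assumption: legacy version scheme)."""
    return version is not None and version[:2] == (1, 7)


def assess(output):
    """Classify a host from its `java -version` output using the articles' criterion."""
    version = parse_java_version(output)
    if version is None:
        return "no-java"
    return "affected-java7" if is_java7(version) else "not-java7"


def installed_java_version():
    """Run the real `java -version` on this host; None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The version banner goes to stderr; stdout is appended in case a wrapper redirects it.
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(name, parse_java_version(text), assess(text))
    print("this host:", installed_java_version())
```

Run it under a software-inventory agent or over SSH and collect the `assess()` result per host; the hosts reporting `affected-java7` are the ones to take Java off until the fix ships.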


WorldPay Money Mule Manager Draws 30-Month Prison Sentence (August 28, 2012)
A woman who was convicted of managing a team of money mules involved in the WorldPay payment card scheme in 2008 has been sentenced to two-and-a-half years in prison. US District Judge Steve C. Jones sentenced Sonya Martin for conspiracy to commit wire fraud. She was also ordered to pay more than US $89,000 in restitution. The WorldPay scheme involved hackers cracking the security of WorldPay payroll debit cards and raising the limits on those cards. Money mules made coordinated withdrawals totaling more than US $9 million from ATMs on November 8, 2008. The FBI special agent in charge of the case noted that the "sentencing sends a cautionary message to those here in the US who would aid and abet those individuals abroad in such criminal schemes that you will be held accountable."
-http://www.theregister.co.uk/2012/08/28/worldpay_money_mule_mangeress_jailed/
-http://www.fbi.gov/atlanta/press-releases/2012/sentencing-in-major-international-cyber-crime-prosecution



Administrative Subpoenas Raise Questions (August 28, 2012)
Administrative subpoenas, which carry the signature of a federal official but not that of a judge, require telecommunications companies, Internet service providers, banks, bookstores, hospitals, and utility companies in the US to "turn over" customer records if the US Drug Enforcement Administration (DEA) or agents from other government departments believe the information is relevant to an investigation. The DEA obtained the power through a piece of 1970 legislation; that agency is believed to be one of the major users of administrative subpoenas. A DEA spokesperson said that the agency does not keep a database of the administrative subpoenas it issues. There are reportedly more than 300 US statutes that allow federal officials to bypass Fourth Amendment protections by issuing these subpoenas; government agencies are not obligated to disclose the frequency with which they use administrative subpoenas. Administrative subpoenas can be issued not only for drug investigations, but also for hazardous waste disposal, atomic energy, child exploitation, medical insurance fraud, student loans, and other investigations.
-http://www.wired.com/threatlevel/2012/08/administrative-subpoenas/all/


Another Arrest in 2011 LulzSec Attack on Sony (August 28 & 29, 2012)
A man believed to have been involved in the June 2011 SQL injection attack on the Sony Pictures Entertainment website has been arrested. According to a statement from the FBI, Raynaldo Rivera surrendered to authorities in Phoenix, Arizona, on August 28. An indictment charges Rivera with conspiracy and unauthorized impairment of a protected computer. Several other people believed to have been involved with the attack have been arrested in the US, the UK, and Ireland. Those involved in the attack allegedly stole personal data of thousands of Sony's customers and posted the information to Pastebin.
-http://news.cnet.com/8301-1009_3-57502233-83/second-accused-lulzsec-hacker-arrested-in-sony-breach/
-http://www.theregister.co.uk/2012/08/29/second_lulzsec_arrest/
-http://www.computerworld.com/s/article/9230721/FBI_nabs_alleged_LulzSec_member_in_Sony_Pictures_hack_case?taxonomyId=17

-http://www.bbc.com/news/technology-19409205
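The attack class named in this story, SQL injection, shown as an added example that is not from the indictment, the news reports, or Sony's code: a lookup query built by string concatenation beside the same query with a bound parameter, both run against an in-memory SQLite table of constructed rows. The table, the rows, and the two payloads are this example's assumptions; the second payload shows why such a flaw leaks columns the query never asked for.

```python
import sqlite3


def make_db():
    """In-memory customer table with constructed sample rows (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"),
         ("bob@example.com", "hash-b"),
         ("carol@example.com", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Untrusted input spliced into the statement text: the injection point."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Same query with a bound parameter: quotes inside the value stay data."""
    return [row[0] for row in
            conn.execute("SELECT email FROM customers WHERE email = ?", (email,))]


# Constructed payloads. The first turns the WHERE clause into a tautology;
# the second appends a UNION to pull a different column, and comments out
# the application's closing quote.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT password_hash FROM customers --"


def demo():
    """Run both payloads through both lookups and return what each one yields."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vulnerable_union": sorted(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "parameterized_tautology": lookup_parameterized(conn, PAYLOAD_TAUTOLOGY),
        "parameterized_union": lookup_parameterized(conn, PAYLOAD_UNION),
        "legitimate": lookup_parameterized(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} {rows}")
```

The parameterized form is the fix; input filtering on its own is not, because the DBMS, not the application, decides what characters matter in a literal.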


Interior Dept. Seeking Cloud Tool Capable of Wiping Mobile Devices Remotely (August 27 & 28, 2012)
The US Department of the Interior has issued a request for information (RFI) seeking a tool that would allow the agency to remotely update, monitor, shut down, or wipe employees' mobile devices, even when they are overseas. The product sought would have to work on Apple, Android, BlackBerry and Windows mobile devices; the agency prefers cloud-based tools. Just one compromised device could infect other portions of the department's computer systems. A 2011 study from the Government Accountability Office (GAO) noted that the Interior Department had not put in place "effective controls to prevent, limit, and detect unauthorized access to its systems" nor had it "manage[d] the configuration of network devices to prevent unauthorized access and ensure system integrity." The RFI wants tools that can determine when a mobile device is being compromised. The Interior Department is seeking to have proposals submitted by September 7, 2012.
-http://fcw.com/articles/2012/08/28/interior-mobile-device-international-travel.aspx
-http://www.nextgov.com/mobile/2012/08/interior-seeks-ability-wipe-employees-mobile-devices-while-theyre-abroad/57682/?oref=ng-channelriver
-https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=4d56e0801e8cdbdd7a64eadfd0f9a17f



Former Swiss Bank Employee Arrested in Connection with Customer Data Leak (August 26 & 27, 2012)
A former employee of a private Swiss bank has been arrested for allegedly stealing data from the institution. An internal investigation turned up evidence of data abuse and an alleged perpetrator was identified. The suspect is a Zurich-based employee of the Julius Baer bank; he was fired and subsequently arrested. The bank has contacted customers in Germany who may have been affected by the incident. The stolen data were found on a CD that is now in the possession of German tax investigators. A German magazine recently reported that tax investigators raided the homes of several Julius Baer clients in Germany in connection with allegations of untaxed funds being held in Swiss bank accounts.
-http://www.bloomberg.com/news/2012-08-27/julius-baer-says-employee-stole-data-on-german-offshore-clients.html
-http://www.swissinfo.ch/eng/business/Swiss_bank_Julius_Baer_confirms_data_theft.html?cid=33387790



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/