SANS NewsBites - Volume: XIV, Issue: 73


Flash: Draft Executive Order (EO) hurts the President
A campaign issue is arising over the White House's approach to
cybersecurity. (See the first story in this issue for background.) The
President's staff has put him between a "rock and a hard place." The
cyber threat is surging - so much so that 70 days ago Jonathan Evans
Director-General of the UK MI5 called it an "astonishing" new level of
attack. Last month's Aramco attack turned 30,000 computers permanently
into bricks and disabled the company. Given the source of the attack,
had it been launched against Exxon instead, Washington Post headlines
would be talking about the "first large scale cyber warfare campaign
against the U.S." For the President, inaction now on a strong Executive
Order is tantamount to inviting debilitating attacks against our
critical infrastructure. But his staff is so afraid of making any
lobbyist or bureaucrat unhappy that they have removed all immediacy from
the EO; leaving only a counterfeit claim to be "doing something." A
promising path forward would be to follow the lead of the UK, in it's
national adoption of the public-private CSIS "20 Critical Controls" for
government and for companies in the critical infrastructure.
(https://www.sans.org/critical-security-controls/,
http://www.theregister.co.uk/2012/09/05/cyber_security_gchq_launch/)
All the respected organizations that have inside data on the threat
(NSA, DHS, UK CPNI and GCHQ, etc.) are moving together, on the CSIS 20
Critical Controls. Since it is based on a public-private consensus, the
Top 20 provide a politically acceptable standard of due care while
moving rapidly to protect the nation, thereby showing the kind of
leadership an electorate has a right to expect from its President and
the people he chooses to serve him.

Alan

On a related note: The international consortium on the CSIS 20 Critical
Controls, led by the NSA's (recently retired) Tony Sager, will have its
first meeting as part of the National Cybersecurity Innovation
Conference October 3-5 at the Baltimore Convention Center. Attendees
will also see the top rated session from RSA - Ed Skoudis on the Five
Most Dangerous New Attack Techniques. You'll get the only U.S. briefing
(plus a Q&A workshop) by the Australians on their breakthrough that
stops targeted attacks (APT) and two very cool NSA innovations. Plus
you'll learn how NASA and HHS were able to automate security risk
mitigation quickly and cost effectively. Senior federal officials will
provide policy discussion on where the government is taking cyber
security defense and automation and you will also be able to attend (at
no additional cost) the co-located DHS/NSA/NIST program on continuous
monitoring at no added cost. Register at sans.org/ncic-2012

*************************************************************************
SANS NewsBites                     September 11, 2012                    Volume: XIV, Issue: 73
*************************************************************************
TOP OF THE NEWS

  White House is Drafting Executive Order on Cybersecurity
  Symantec Report Says Those Who Hacked Google Are Launching Other Attacks
  Stolen Apple UDID Database Came From Florida App Development Company Server

THE REST OF THE WEEK'S NEWS

  GoDaddy Outage Largely Resolved
  Apache Webserver Update Ignores IE10 Privacy Settings
  Creating a Cyber Immune System
  The FBI and Phone Passwords
  Israeli Police Arrest Three in Connection with Court System Database Breach
  DMCA Complaints Complicate Researcher's Work
  German Cities Seek to Cap Penalties for Owners of Unprotected Wi-Fi Networks
  Mozilla Updates Firefox to Version 15.0.1 to Address Private Browsing Flaw
  30-Month Prison Sentence for Man Who Rented Out Botnet
  Cambodia Deports Pirate Bay Co-Founder


********************** Sponsored By SolarWinds.Net, Inc. ********************
Try the FREE SolarWinds Diagnostic Tool for the WSUS Agent to test connections to WSUS resources, validate key Update Agent(R) configuration values & get human readable descriptions of Update Agent errors with steps to fix issues.
http://www.sans.org/info/113252
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but is an exception because the DHS and NIST folks have done a great job! https://itsac.g2planet.com/itsac2012/
--SANS Capital Region Fall 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 43 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

--SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

--SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

--SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

--SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

--SANS London 2012 London, UK November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, San Diego, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

White House is Drafting Executive Order on Cybersecurity (September 6 & 7, 2012)
The White House has drafted a preliminary executive order focused on protecting the country's computer systems from attacks. The move comes after legislators were unable to agree on a cybersecurity bill. The executive order would establish voluntary standards to help companies that support the country's critical infrastructure figure out how to best protect those systems from cyberattacks. It would also create a special council with representatives from government agencies including the Office of the Director of National Intelligence and led by the Department of Homeland Security (DHS) to help identify threats. The National Institute of Standards and Technology (NIST) would work with private sector entities to develop the standards. While independent agencies are not bound by executive orders, there are certain sectors in which the administration can impose mandatory standards. Richard A. Clarke, former security adviser under Bill Clinton and George W. Bush, said that if the administration does not impose mandatory standards where it has the authority to do so, "then the administration is not serious." James Lewis, director of the Center for Strategic and International Studies technology and public policy program, is concerned that the program proposed in the document would take too long to implement. Richard Stiennon believes that the order would do more harm that good because by the time it is implemented, the requirements will be outmoded.
-http://www.washingtonpost.com/world/national-security/white-house-drafting-stand
ards-to-guard-us-against-cyberattack-officials-say/2012/09/07/0fbb173e-f8fe-11e1
-a073-78d05495927c_story.html

-http://thehill.com/blogs/hillicon-valley/technology/248079-white-house-circulati
ng-draft-of-executive-order-on-cybersecurity

-http://www.forbes.com/sites/richardstiennon/2012/09/08/there-is-no-need-for-a-cy
bersecurity-executive-order/



Symantec Report Says Those Who Hacked Google Are Launching Other Attacks (September 8, 2012)
According to a new report from Symantec, the hackers behind the attack on Google and more than 30 other companies in 2009 have launched new attacks since then, many of which exploit zero-day vulnerabilities in Microsoft and Adobe software. Most of the targeted organizations have been in the defense, energy, and finance sectors; educational institutions and NGOs have been hit as well. The report posits that the scope and duration of the attacks, together with the difficulties involved with identifying and creating exploits for zero-day flaws means that the campaign must be the work of "a large criminal organization, attackers supported by a nation state, or a nation state itself." Some have expressed skepticism about Symantec's conclusions, noting that zero-days are not "as big a deal as Symantec makes it out to be."
-http://arstechnica.com/security/2012/09/google-hackers-carry-on/
-http://www.informationweek.com/security/attacks/google-aurora-attackers-still-on
-loose-s/240006930

-http://news.cnet.com/8301-1009_3-57508807-83/experts-googles-aurora-hackers-stil
l-at-it-years-later/



Stolen Apple UDID Database Came From Florida App Development Company Server (September 10, 2012)
The database of Apple device UDIDs that a hacker group claimed to have stolen from the laptop of an FBI agent actually came from the server of a Florida application development company. CEO of Blue Toad Paul DeHart told NBC news that the database that the hackers released showed a 98 percent correlation with the one on their own server. DeHart said that a researcher contacted his company and said that the data might have come from its server. When the story first broke, the FBI denied that its laptop had been hacked and that it had the data at all, and Apple maintained that it had never provided the FBI with that information. Because Blue Toad is an app developer, it would have access to the UDIDs, but not associated account information.
-http://www.forbes.com/sites/andygreenberg/2012/09/10/anonymous-hackers-didnt-ste
al-your-apple-id-from-the-fbi-thanks-to-apple-they-didnt-need-to/

-http://redtape.nbcnews.com/_news/2012/09/10/13781440-exclusive-the-real-source-o
f-apple-device-ids-leaked-by-anonymous-last-week?lite

-http://www.wired.com/threatlevel/2012/09/udid-leak-traced-to-blue-toad/
[Editor's Note (Pescatore): Another example of why not taking an "opt-in" approach leads to privacy abuse. BlueToad has stated "Upon Apple's recommendation several months ago, we modified our code base to discontinue the practice of reporting UDIDs. We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base." Of course, not collecting that information in the first place would have meant it was never stored and then never exposed... ]



************************** Sponsored Links *****************************
1) Simplifying Identity Management: SANS Product Review of Oracle Identity Governance Solutions by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, 9 am Pacific/12 Noon Eastern http://www.sans.org/info/113257
2) New Analyst paper in the SANS.ORG Reading Room: Data Center Server Security: A Review of McAfee Server Security Solutions http://www.sans.org/info/113262
***************************************************************************

THE REST OF THE WEEK'S NEWS

GoDaddy Outage Largely Resolved (September 10, 2012)
Webhost provider GoDaddy was experiencing outages on Monday, September 10, which were largely resolved by the end of the day. The outage did not appear to be universal, as some sites were available in certain locations and not in others. Some customers who do not use GoDaddy's hosting services but have registered their domains with the company have reported that users are not being directed to the proper sites. There is no evidence suggesting that the outages are the result of an attack, despite claims from an individual attempting to take credit for the outage.
-http://arstechnica.com/security/2012/09/godaddy-outage-makes-websites-unavailabl
e-for-many-internet-users/

-http://news.cnet.com/8301-1009_3-57509753-83/go-daddy-serviced-web-sites-taken-d
own-in-apparent-attack/

-http://www.latimes.com/business/technology/la-fi-tn-godaddy-outages-20120910,0,2
181207.story

[Editor's Note (Ullrich): Large companies like GoDaddy are some of the the often overlooked choke points in the internet's architecture. The Godaddy outage probably had a larger effect then a root name server outage would have had. In addition, if even Godaddy with it's pretty massive infrastructure can be subject to a denial of service attack, pretty much anybody is vulnerable.
-https://isc.sans.edu/diary/Godaddy+DDoS+Attack/14062]



Apache Webserver Update Ignores IE10 Privacy Settings (September 10, 2012)
An update for the Apache webserver makes websites ignore Do Not Track (DNT) settings in Internet Explorer 10 (IE10). Roy Fielding, a DNT architect, who was vocal in his disapproval of Microsoft's decision earlier this year to make DNT on by default in IE10, wrote the patch. Fielding says that Microsoft violated the standard requiring DNT preferences to be transmitted to websites only when users specifically enable the feature in their configuration settings. Others maintain that Microsoft complies with the requirement by displaying a screen during the operating system set-up process that explicitly tells users that if they choose the Express set-up option, DNT will be turned on in IE10.
-http://arstechnica.com/security/2012/09/apache-webserver-updated-to-ignore-do-no
t-track-settings-in-ie-10/

[Guest Editor's Note (Pescatore): The W3C specification for Do Not Track says "We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled." Microsoft's approach meets this, and other, language in the spec - and is the much better way to go. Apache software ignoring IE 10 settings is equivalent to Google subverting the Safari browser settings and the FTC has already ruled on that.
(Swa Frantzen): The real issue behind the name calling is that the standard is a compromise between an advertising industry that desperately wants to track users and privacy advocates who do not want anybody to be tracked. As with any compromise if one vendor starts to shift the balance of the compromise itself, the entire compromise is at risk. And if that happens those of us who did set DNT manually will get happily ignored by the advertising industry. ]


Creating a Cyber Immune System (September 10, 2012)
According to a request for information from several agencies, the US government is seeking to develop "a capability framework for a healthy and resilient cyber ecosystem using automated collective action." The RFI is seeking input on the overall vision, as well as the capabilities that would be required to implement it and what might prevent it from being successful before going ahead with the development. The system would ideally have computers around the world work together to suppress attacks by taking "collective action." The system would effectively act as a worldwide immune system for the Internet, behaving the same way "the human body responds to an infection," working both at the local level and sending information to the larger system so it can help with defense.
-http://www.nextgov.com/emerging-tech/2012/09/get-ready-computers-worldwide-autom
atically-smother-cyber-strikes/57977/

-http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.p
df



The FBI and Phone Passwords (September 10, 2012)
Earlier this year, Google refused to provide the FBI with access to an Android phone that belonged to a suspect, even in the face of a search warrant. The US Supreme Court's Third Party Doctrine can often allow government agents to access data stored with third parties without the need for a warrant, but the doctrine does not address sensitive data such as passwords, which can be used to gain access to a variety of personal information, like texts and emails. When law enforcement agents have access to a suspect's phone, they often download the device's memory, but occasionally they find they cannot access a phone or that the information is encrypted. When this is the case, they use a grand jury subpoena to ask the phone's owner for the password. This can be seen to run afoul of the Fifth Amendment protection from self-incrimination, so law enforcement agents are now turning to makers of smartphone software to help them bypass the need for passwords. The companies do not always comply, but they have in some cases. (Please note that the Wall Street Journal requires a paid subscription.)
-http://online.wsj.com/article/SB10001424052702303644004577524790015525450.html
-http://www.nextgov.com/big-data/2012/09/fbi-battle-over-phone-passwordsiis-brewi
ng/57972/?oref=ng-channelriver



Israeli Police Arrest Three in Connection with Court System Database Breach (September 10 & 11, 2012)
Police in Israel have arrested a man for allegedly breaking into a court database and accessing case files, some of which are classified. Moshe Halevi and accomplices allegedly hacked the court system's database numerous times over a four-year period and viewed, and in some cases copied, thousands of confidential documents. Halevi maintains that he did not hack the database, but merely found he was able to access the files by signing in with his ID number. Police believe that Halevi was at least in some instances accessing the information at the behest of others. Two other men were arrested in connection with the cyber intrusion. One has been identified as Boaz Guttman an attorney and former high-ranking police officer with Israel's National Fraud Unit. The three allegedly had access to files on some high-profile cases.
-http://www.ynetnews.com/articles/0,7340,L-4279655,00.html
-http://www.timesofisrael.com/hacker-had-a-window-into-thousands-of-secret-court-
documents/



DMCA Complaints Complicate Researcher's Work (September 7 & 10, 2012)
Malware researcher Mila Parkour found her MediaFire cloud account shut down after a third-party firm filed DMCA complaints, alleging that she was violating copyright law. Three files in her account were said to be in violation of DMCA and the account was suspended for 36 hours and then restored to Parkour with the three questionable files inaccessible. The files in question are a 2010 patch for Microsoft Office and two encrypted zip files containing malicious PDFs. A company called LeakID apparently crawled MediaFire searching for possible copyright violations and identified the files in Parkour's account as suspicious. Although she cannot be certain what caused the company to pick those files, Parkour suspects that the patch file might have been mistaken for the full Office 2010. LeakID "did not investigate the internal structure or content, just
[the ]
file name," according to Parkour. A MediaFire executive noted that the company did not hire LeakID. MediaFire has apologized to Parkour and has asked LeakID "to confirm the status of the counterclaim" Parkour has filed.
-http://www.theregister.co.uk/2012/09/10/malware_research_blog_robo_takedown/
-http://www.scmagazine.com/researcher-accused-of-violating-malware-copyright/arti
cle/258100/



German Cities Seek to Cap Penalties for Owners of Unprotected Wi-Fi Networks (September 7, 2012)
Wireless network owners in Germany presently face hefty fines if they do not protect their LANs with passwords or even if their security has been breached and their networks used for criminal purposes. If the actual perpetrator is caught, the owner of the wireless network used to conduct criminal activity can still be held liable as an accessory. Parliaments in the cities of Berlin and Hamburg are seeking to better protect Wi-Fi network owners by capping maximum sentences and fines.
-http://www.zdnet.com/germany-pushes-for-an-end-to-massive-fines-for-hijacked-wi-
fi-7000003844/



Mozilla Updates Firefox to Version 15.0.1 to Address Private Browsing Flaw (September 7, 2012)
Mozilla has released Firefox 15.0.1 to address a flaw in the browser's Private Browsing feature, which lets users visit websites without saving data about which sites they have visited. Firefox 15.0 stored temporary Internet files in the browser's disk cache instead of the memory cache. The memory cache is cleared at the end of each browser session. When users upgrade from Firefox 15.0 to 15.0.1, they will still need to remove the temporary files already stored in the disk cache as the update does not remove these.
-http://www.h-online.com/open/news/item/Mozilla-updates-Firefox-15-to-fix-private
-browsing-problem-1702798.html

-http://www.computerworld.com/s/article/9231050/Firefox_15.0.1_fixes_bug_that_exp
osed_websites_visited_in_private_browsing_mode?taxonomyId=17

How to clear the Firefox cache:
-http://support.mozilla.org/en-US/kb/how-clear-firefox-cache?redirectlocale=en-US
&redirectslug=clear-cache-delete-temporary-files-fix-issues



30-Month Prison Sentence for Man Who Rented Out Botnet (September 6 & 7, 2012)
An Arizona man has been sentenced to 30 months in prison for renting out botnet services. Joshua Schichtel had control of more than 72,000 PCs; he rented access to the botnet to others who used it to install additional malware on the already-compromised computers. He will also serve three years of supervised release once he completes his sentence, and his access to computers will be restricted and monitored. It is not clear how many customers Schichtel had; his conviction was related to his dealings with just one customer.
-http://www.bbc.com/news/technology-19517316
-http://arstechnica.com/security/2012/09/botnet-master-gets-30-month-prison-term-
for-renting-out-infected-pcs

-http://www.justice.gov/opa/pr/2012/September/12-crm-1082.html


Cambodia Deports Pirate Bay Co-Founder (September 7, 10, & 11, 2012)
Cambodia is deporting Pirate Bay co-founder Gottfrid Svarthold Warg home to Sweden on a visa violation. He was arrested in Cambodia late last month at the request of Swedish authorities. The head of the Swedish National Police's international section said Svartholm "is wanted because he has a sentence to serve," dismissing rumors that he is suspected of being part of a hacking incident at a Swedish company called Logica.
-http://pcworld.co.nz/pcworld/pcw.nsf/news/pirate-bay-co-founder-to-be-deported-t
o-sweden-police-say

-http://arstechnica.com/tech-policy/2012/09/cambodia-deports-the-pirate-bay-co-fo
under-to-sweden/

-http://www.washingtonpost.com/business/technology/cambodia-prepares-to-deport-pi
rate-bay-founder-once-interior-minister-gives-approval/2012/09/04/eb72e500-f669-
11e1-a93b-7185e3f88849_story.html



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/