
SANS NewsBites - Volume: XIV, Issue: 74


The international consortium on the 20 Critical Security Controls, led
by the NSA's (recently retired) Tony Sager, will meet for the first time
at the National Cybersecurity Innovation Conference October 3-5 at the
Baltimore Convention Center. In addition, federal CIOs and White House
officials will provide insight into how cybersecurity will be
transformed over the next few months. Attendees will also see the top
rated session from RSA - Ed Skoudis on the Five Most Dangerous New
Attack Techniques. You'll get the only U.S. briefing (plus a Q&A
workshop) by the Australians on their breakthrough that stops targeted
attacks (APT) and two very cool NSA innovations. Plus you'll learn how
NASA and HHS were able to automate security risk mitigation quickly and
cost effectively. Senior federal officials will provide policy
discussion on where the government is taking cyber security defense and
automation and you will also be able to attend (at no additional cost)
the co-located DHS/NSA/NIST program on continuous monitoring.
Register at sans.org/ncic-2012

*************************************************************************
SANS NewsBites                     September 14, 2012                    Volume: XIV, Issue: 74
*************************************************************************
TOP OF THE NEWS

  Microsoft Granted Authority to Take Control of Chinese Domain Hosting Botnet
  UK Researchers Find Flaw in Chip-and-PIN
  Cyber Security Budgets Grow While IT Budgets Stagnate

THE REST OF THE WEEK'S NEWS

  Chinese Telecom Executives Grilled by House Committee Over Espionage Concerns
  US House Approves Reauthorization of FISA Amendments Act
  Judge Gives Twitter Until September 14 to Hand Over Data Related to OWS Case
  CERT-EU Becomes Permanent
  Judge Says CitiGroup Case Should Go to Arbitration
  Federal Appeals Court Restores Initial US $222,000 Verdict in Filesharing Case
  Pirate Bay Co-Founder Arrested Upon Return to Sweden
  Justice Dept. Says Counterterrorism Apps Pose Privacy and Security Concerns
  Microsoft Working With Adobe on Patch for IE10 in Windows 8
  GoDaddy Outage Due to Internal Network Error


*********************** Sponsored By Invincea ****************************
Users are constantly spear-phished. They are the unwitting accomplices to breach. Free whitepaper from Invincea - no registration - discusses the threat and a new approach that protects the network from user error. Non-persistent browsing environments, behavior based detection, real-time kill, and pre-breach threat intelligence feeds. Don't fear the spear - protect every click!
http://www.sans.org/info/113387
****************************************************************************
TRAINING UPDATE
**Featured Conference 1: National Cybersecurity Innovation Conference, Oct 3-5, Baltimore - featuring briefings by and exhibits from all the vendors that have tools for automating the 20 critical controls and for continuous monitoring. www.sans.org/ncic-2012
**Featured Conference 2: The IT Security Automation Conference (ITSAC) Oct 3-5, Baltimore - featuring DHS and other government leaders providing a clear picture of the changes coming in federal cybersecurity - - especially in cloud and continuous monitoring. Not to miss. We try never to promote conferences where SANS doesn't control the program, but this is an exception because the DHS and NIST folks have done a great job! https://itsac.g2planet.com/itsac2012/

- --SANS Capital Region Fall 2012
http://www.sans.org/capital-region-fall-2012/

- --SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 43 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS London 2012 London, UK November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, San Diego, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Microsoft Granted Authority to Take Control of Chinese Domain Hosting Botnet (September 13, 2012)
A US federal court granted Microsoft an ex parte restraining order that allowed it to take control of 3222<dot>org, a Chinese dynamic DNS (DDNS) provider that was hosting the Nitol botnet and a great deal of other malware. DDNS service allows users to keep websites hosted on servers that change IP addresses. It is a popular option for cybercriminals, because if an IP address they are using is identified as being associated with malicious activity and is taken down, they can reroute their attacks to come from another IP address. The Nitol botnet is believed to be related to counterfeit copies of Windows that were sold in China. Legal documents unsealed this week show that Microsoft researchers bought computers in several Chinese cities and found that 20 percent of the machines were already infected with Nitol malware.
-http://krebsonsecurity.com/2012/09/microsoft-disrupts-nitol-botnet-in-piracy-sweep/
-http://arstechnica.com/security/2012/09/microsoft-zaps-botnet-found-pre-installed-with-counterfeit-windows/
-http://www.darkreading.com/insider-threat/167801100/security/client-security/240007333/microsoft-intercepts-nitol-botnet-and-70-000-malicious-domains.html
-http://www.bbc.com/news/technology-19585433
-http://www.v3.co.uk/v3-uk/news/2205475/microsoft-finds-windows-botnet-on-brand-new-computers
-http://noticeofpleadings.com/
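
The item above describes why dynamic DNS suits malware operators: the hostname stays fixed while the address behind it keeps moving. A defender watching passive-DNS or resolver logs can turn that property into a triage signal. The following Python is an added example, not code from the NewsBites item or from Microsoft's filings; the log format, the hostnames (reserved .example TLD) and the addresses (RFC 5737 documentation ranges) are constructed, and the 24-hour window and three-change threshold are assumptions to tune against local data. Legitimate dynamic-DNS users (home servers, CDNs) will also trigger it, so treat hits as leads for review rather than verdicts.

```python
"""Flag hostnames whose A record keeps moving between addresses.

Added example, not part of the NewsBites item or Microsoft's filings. The
log lines are constructed passive-DNS style records; hostnames use the
reserved .example TLD and addresses come from RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample in the form "<timestamp> <query name> <rrtype> <answer>"
SAMPLE_LOG = """\
2012-09-12T08:00:00 update.churn.example A 203.0.113.10
2012-09-12T09:30:00 update.churn.example A 198.51.100.25
2012-09-12T11:05:00 update.churn.example A 203.0.113.10
2012-09-12T13:40:00 update.churn.example A 192.0.2.77
2012-09-12T15:10:00 update.churn.example A 198.51.100.31
2012-09-12T08:10:00 www.steady.example A 192.0.2.5
2012-09-12T12:10:00 www.steady.example A 192.0.2.5
2012-09-12T16:10:00 www.steady.example A 192.0.2.5
2012-09-12T08:20:00 mail.steady.example MX mx.steady.example
2012-09-13T09:00:00 update.churn.example A 203.0.113.44
"""


class Record(NamedTuple):
    when: datetime
    name: str
    address: str


def parse_log(text: str) -> List[Record]:
    """Parse A-record lines; other RR types and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: ignore rather than abort the run
        records.append(Record(when, parts[1].lower().rstrip("."), parts[3]))
    return records


def churn_report(records: List[Record], window: timedelta = timedelta(hours=24),
                 min_changes: int = 3) -> Dict[str, dict]:
    """For each hostname, find the largest number of address changes seen
    inside any window-long span, and return the names reaching min_changes
    together with every distinct address observed for them."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    flagged = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.when)
        best = 0
        for i, start in enumerate(recs):
            changes = 0
            prev = start.address
            for r in recs[i + 1:]:
                if r.when - start.when > window:
                    break  # records are sorted, so nothing later fits the window
                if r.address != prev:
                    changes += 1
                    prev = r.address
            best = max(best, changes)
        if best >= min_changes:
            flagged[name] = {
                "changes_in_window": best,
                "distinct_addresses": sorted({r.address for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for host, stats in churn_report(parse_log(SAMPLE_LOG)).items():
        print(host, stats)
```

Only update.churn.example is reported on the sample: four address changes inside a day across five distinct addresses, while www.steady.example never moves and the MX line is ignored. Feeding real resolver logs through `parse_log` and raising `min_changes` is the usual way to cut noise from ordinary dynamic-DNS users.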


UK Researchers Find Flaw in Chip-and-PIN (September 12, 2012)
Researchers at Cambridge University say that criminals have been exploiting certain flaws in the chip-and-PIN system meant to prevent payment card fraud at ATMs and point-of-sale terminals. Chip-and-PIN, also known as EMV, relies on an embedded chip that encodes card information; payment cards are authenticated by ATMs or payment devices computing several pieces of data, including an "unpredictable number." But the researchers have found that certain ATMs and payment terminals use incremental numbers rather than random ones. The research was prompted by a rash of reported thefts from European bank card users; the banks refused to refund their losses because they maintained that EMV made the type of fraud the customers described impossible. The researchers suspected that the thieves had devised a way to predict the "unpredictable" numbers.
-http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/
-http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf
[Editor's Note (Murray): "There are an infinite number of ways to implement Crypto, most of them wrong." That said, this is not a flaw in EMV but an implementation error in one application. ]
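
The weakness the item describes is one an acquirer, terminal vendor or auditor can test for directly: collect the unpredictable numbers a terminal emits across a run of transactions and check whether they look like a counter. The Python below is an added example, not code from the NewsBites item or the Cambridge paper. The UN samples are constructed, the 32-bit width follows the EMV field size, and the entropy ratio threshold of 0.5 is an assumption chosen to separate the constructed cases; a real acceptance test would use many more samples and a standard randomness test suite on top of this screening.

```python
"""Screen a terminal's EMV "unpredictable numbers" (UNs) for counter-like
behaviour.

Added example, not part of the NewsBites item or the Cambridge paper.
Sample sequences are constructed; thresholds are assumptions for screening.
"""
import math
from collections import Counter
from typing import Iterable, List

UN_BITS = 32  # EMV unpredictable numbers are 4-byte values
LOW_ENTROPY_RATIO = 0.5  # assumption: below half of the attainable entropy is suspect

# Constructed samples (not from any real terminal)
COUNTER_SAMPLE = [0x0000B100 + 0x10 * i for i in range(8)]
SMALL_STRIDE_SAMPLE = [0x10, 0x23, 0x31, 0x42, 0x5A, 0x63, 0x77, 0x81]
RANDOM_LOOKING_SAMPLE = [
    0x3A7F19C2, 0x91E04B6D, 0x5C28F7A1, 0xD4B3068E,
    0x2E9A5C47, 0x7B10D3F9, 0xA6C48E15, 0x0F52B7DA,
]


def _entropy_ratio(values: List[int]) -> float:
    """Shannon entropy of the UN bytes divided by the maximum attainable for
    a sample of that size (8 bits per byte, or log2(n) when n < 256)."""
    data = b"".join(v.to_bytes(4, "big") for v in values)
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy / min(8.0, math.log2(n))


def classify_unpredictable_numbers(values: Iterable[int]) -> str:
    """Return 'counter', 'repeats', 'low-entropy' or 'looks-random'."""
    vals = list(values)
    if len(vals) < 4:
        raise ValueError("need at least 4 samples")
    if any(not 0 <= v < (1 << UN_BITS) for v in vals):
        raise ValueError("UN outside the 32-bit range")

    # A counter: every consecutive difference is the same, modulo 2^32 so
    # that a wrap-around at 0xFFFFFFFF is still recognised.
    diffs = {(b - a) % (1 << UN_BITS) for a, b in zip(vals, vals[1:])}
    if len(diffs) == 1 and 0 not in diffs:
        return "counter"
    # Any repeated value in a handful of 32-bit draws is itself a red flag.
    if len(set(vals)) < len(vals):
        return "repeats"
    # Non-constant strides over a tiny range leave the high bytes fixed,
    # which shows up as far less entropy than a 32-bit RNG would give.
    if _entropy_ratio(vals) < LOW_ENTROPY_RATIO:
        return "low-entropy"
    return "looks-random"


if __name__ == "__main__":
    for label, sample in [("counter", COUNTER_SAMPLE),
                          ("small stride", SMALL_STRIDE_SAMPLE),
                          ("random-looking", RANDOM_LOOKING_SAMPLE)]:
        print(f"{label:15} -> {classify_unpredictable_numbers(sample)}")
```

The order of the checks matters: a pure counter is reported as such before the entropy test, and a sequence that wraps past 0xFFFFFFFF is still recognised because differences are taken modulo 2^32. Anything other than "looks-random" from a production terminal is grounds for pulling its transaction logs for a fuller review.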


Cyber Security Budgets Grow While IT Budgets Stagnate (September 13, 2012)
Security budgets appear to be comparatively safeguarded, growing 8% to $60 billion in 2012 and projected to reach $86 billion by 2016, while IT budgets are relatively flat, according to Gartner.
-http://www.securityweek.com/worldwide-it-security-spending-top-60-billion-2012-says-gartner
-http://www.theregister.co.uk/2012/09/13/gartner_security/



************************** Sponsored Links *****************************
1) New Analyst paper in the SANS.ORG Reading Room: Data Center Server Security: A Review of McAfee Server Security Solutions http://www.sans.org/info/113392
2) SANS Analyst Webcast: Peek into Oracle Identity Governance Solutions reviewed by Senior SANS Analyst, Dave Shackleford Thursday, September 27, 2012, at a SPECIAL TIME of 9 am Pacific/12 Noon Eastern http://www.sans.org/info/113397
***************************************************************************

THE REST OF THE WEEK'S NEWS

Chinese Telecom Executives Grilled by House Committee Over Espionage Concerns (September 13, 2012)
Representatives from two Chinese telecommunications firms told members of the US House Permanent Select Committee on Intelligence that their organizations are not spying on their customers. Executives from Huawei and ZTE told panel members that their companies are examples of success in the free market. Committee chairman Mike Rogers (R-Michigan) alleged that ZTE had backdoor features in its software to gather information about the software's users; ZTE senior VP for North America and Europe Zhu Jinyun denied those allegations, saying that the issue was the result of a bug that has been fixed. Two US legislators have written a letter to a US law firm "to express [their] disappointment with DLA Piper's decision to represent, and subsequently advise and counsel, the Chinese state-owned telecommunications company ZTE Corporation as it attempts to circumvent US government concerns and gain a larger share of the US marketplace." DLA Piper has 77 offices in 31 countries around the world.
-http://www.nextgov.com/mobile/2012/09/chinese-tech-companies-congress-were-not-spies/58099/
-http://www.pcmag.com/article2/0,2817,2409696,00.asp
-http://thehill.com/blogs/hillicon-valley/technology/249359-rogers-unsatsified-with-huawei-and-ztes-testimonies
-http://www.bloomberg.com/news/2012-09-13/huawei-zte-called-uncooperative-with-u-s-probe-on-spying-risk.html

[Editor's Note (Honan): While scrutinising these companies for sending information on their users back to them, I wonder whether the committee will also bring before it the likes of Microsoft, Apple and Google who have also been known to surreptitiously gather data on users? Also the story on the Nitol botnet closure by Microsoft demonstrates how insecure the supply chain has become. ]


US House Approves Reauthorization of FISA Amendments Act (September 12, 2012)
The US House of Representatives has voted to reauthorize the 2008 FISA Amendments Act, a law that "allows a secret national security court to approve the interception of communications in and out of the US among groups of people of interest to intelligence agencies." While the law requires that any data collected "incidentally" are subject to rules that hide the individual's identity and limit the use of the information, one congressman observed, "the enforcement of this provision is itself shrouded in secrecy, making the potential for abuse substantial and any remedy unlikely." And Cato Institute analyst Julian Sanchez notes that the breadth of power that FISA allows is similar to the "general warrants" used by agents of the crown in the colonial era, prompting the adoption of the Fourth Amendment rights against unlawful search and seizure. The bill now goes to the Senate.
-http://www.washingtonpost.com/world/national-security/house-votes-to-renew-controversial-surveillance-law/2012/09/12/ba71bc38-fce5-11e1-a31e-804fccb658f9_story.html
-http://www.wired.com/threatlevel/2012/09/house-approves-spy-bill/
-http://arstechnica.com/tech-policy/2012/09/house-approves-another-five-years-of-warrantless-wiretapping/
-http://www.nextgov.com/defense/2012/09/obama-administration-pushes-extend-electronic-surveillance-law/58039/



Judge Gives Twitter Until September 14 to Hand Over Data Related to OWS Case (September 12, 2012)
Twitter has until September 14 to provide US federal prosecutors with user data related to an Occupy Wall Street (OWS) case or face a fine. The information requested is associated with accounts that belong to Malcolm Harris, who was arrested during an OWS protest in New York last year. New York Supreme Court Judge Matthew A. Sciarrino Jr. gave Twitter the September 14 deadline; if the company does not submit the requested information, it must provide the court with earnings statements so the court can determine the amount of the fine. Several weeks ago, Twitter filed an appeal seeking reconsideration of Sciarrino's earlier rulings; Sciarrino denied Twitter's request to stay the order until the appeals court rules.
-http://www.wired.com/threatlevel/2012/09/twitter-ordered-release/


CERT-EU Becomes Permanent (September 12, 2012)
After a one-year test run, the European Commission (EC) has decided to make its Computer Emergency Response Team (CERT-EU) permanent. CERT-EU manages network security for EU institutions, including the European Court of Justice and the European Central Bank. The decision to make the organization permanent was made because of the increasing volume of cyberthreats.
-http://www.v3.co.uk/v3-uk/news/2204952/european-union-deploys-crack-computer-emergency-response-team
-http://www.h-online.com/security/news/item/EU-gets-Computer-Emergency-Response-Team-1705392.html
-http://www.computerworld.com/s/article/9231209/Permanent_cybersecurity_team_established_for_EU_institutions?taxonomyId=244



Judge Says CitiGroup Case Should Go to Arbitration (September 12, 2012)
A US District Court judge in New York has dismissed a case brought against Citigroup Inc. by customers who allege they were victims of identity theft as a result of a security breach the company suffered in June 2011. The plaintiffs maintained that Citigroup failed to employ adequate security protections and that thieves used the stolen information to withdraw money from their bank account and to use their credit cards fraudulently. The plaintiffs were seeking class action status for the case, but Judge Deborah Batts ruled that the case should be decided by an arbitrator.
-http://www.businessweek.com/news/2012-09-12/citigroup-wins-dismisssal-of-security-breach-lawsuit



Federal Appeals Court Restores Initial US $222,000 Verdict in Filesharing Case (September 11 & 12, 2012)
The 8th US Circuit Court of Appeals in Missouri has reinstated the original verdict against Jammie Thomas-Rasset, the Minnesota woman who since 2006 has been challenging an illegal file-sharing lawsuit brought by the Recording Industry Association of America (RIAA). Thomas-Rasset was initially ordered to pay US $222,000 for illegally downloading and sharing 24 songs through Kazaa. The RIAA says it found more than 1,700 songs on Thomas-Rasset's computer but for the court case, it focused on just 24. After the first trial, the judge declared a mistrial after he decided that he had given the jury inaccurate instructions. The subsequent trial also found Thomas-Rasset guilty and the jury gave a verdict of US $1.92 million, which the judge reduced to US $54,000. The companies went to a third trial on damages, which awarded the RIAA US $1.5 million, but that was reduced to US $54,000 as well. The appeals court ruled that the US $222,000 verdict should stand. Thomas-Rasset's lawyer says his client plans to appeal to the US Supreme Court. The RIAA no longer pursues action against individual file-sharers; instead, it is focused on working with service providers to help identify and punish those who persist in illegal downloading.
-http://www.wired.com/threatlevel/2012/09/riaa-file-sharing-appeal/
-http://arstechnica.com/tech-policy/2012/09/file-sharer-will-take-riaa-case-to-supreme-court/

-http://www.bbc.com/news/technology-19572817
-http://www.ca8.uscourts.gov/opndir/12/09/112820P.pdf


Pirate Bay Co-Founder Arrested Upon Return to Sweden (September 11, 2012)
Gottfrid Svartholm Warg was deported from Cambodia and arrested as soon as he stepped off the plane in Sweden. Warg, a co-founder of The Pirate Bay, is being investigated for alleged involvement with hacking systems at the Swedish tax authority and one of its contractors, Logica. Two other people have been arrested in connection with the attack. Police in Cambodia arrested Warg based on an international warrant that was issued after Warg failed to appear at his appeal hearing regarding his sentence for Pirate Bay activity and authorities assumed that he had fled the country.
-http://www.wired.com/threatlevel/2012/09/pirate-bay-airport-arrest/
-http://www.theregister.co.uk/2012/09/11/pirate_bay_co_founder_gottfrid_swartholm_warg_faces_hacking_allegations/
-http://news.cnet.com/8301-1009_3-57510232-83/pirate-bays-warg-back-in-sweden-busted-on-hacking-charges/



Justice Dept. Says Counterterrorism Apps Pose Privacy and Security Concerns (September 11, 2012)
The US Department of Justice (DOJ) is discouraging people from reporting suspicious activity through smartphone apps due to privacy concerns. Normally, information about potential threats reported by citizens is sent to regional analysis centers. Some of those centers are now allowing the reports to come to them through iPhone, iPad and other mobile device apps. West Virginia's app was introduced in February. The devices have the advantage of sending location information and pictures quickly, but there is concern that the apps could be misused and that they might flood emergency centers with unverified information.
-http://www.nextgov.com/mobile/2012/09/feds-reject-counterterrorism-reporting-apps-over-privacy-security-concerns/58013/
-http://www.wv.gov/news/Pages/GovernorAnnouncesNewMobileAppEnablesWestVirginiastoReportSuspiciousActivity.aspx

[Editor's Note (Murray): The state writing an app to enlist ordinary citizens as snitches and vigilantes; what could possibly go wrong? ]


Microsoft Working With Adobe on Patch for IE10 in Windows 8 (September 11, 2012)
Microsoft now says that it "is working closely with Adobe to release an update for Adobe Flash in IE10," and expects the fix to be ready soon. Last week, Microsoft said it did not plan to address the Flash issue until late October, when Windows 8 is scheduled for full public release. Windows 8 has already been made available to volume license customers so they can test the new OS and have time to deploy it. The patches for Flash in Windows 8 IE10 will come from Microsoft instead of Adobe because Flash is built into IE10 rather than installed as a plug-in. This creates a "window of vulnerability" problem because Microsoft and Adobe do not release fixes at the same time.
-http://arstechnica.com/information-technology/2012/09/first-flash-patch-for-windows-8-coming-shortly/

-http://www.pcmag.com/article2/0,2817,2409559,00.asp


GoDaddy Outage Due to Internal Network Error (September 11, 2012)
The GoDaddy outage on Monday, September 10 appears to have been the result of corrupted router tables. In an email, GoDaddy interim CEO Scott Wagner said that "It was not a hack and it was not a denial of service attack." Once the problem was pinpointed, engineers were able to restore service. There was never a risk of customer data exposure from the incident. An individual attempted to claim responsibility for the outage, but there is no evidence to support that claim.
-http://arstechnica.com/security/2012/09/godaddy-outage-caused-by-router-snafu-not-ddos-attack/
-http://www.computerworld.com/s/article/9231180/GoDaddy_blames_outage_on_corrupted_router_tables?taxonomyId=82

[Editor's Note (Honan): Never attribute to malice what can be explained by incompetence.
(Murray): To quote Courtney, "The dummies have it hands down now and forever." ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/