OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #29

April 10, 2012

If you are a Facebook developer and are willing to help Consumer Reports
Magazine with a cool story, email apaller@sans.org describing your
Facebook development experience.
PS SANS largest and coolest Washington DC training program, SANSFIRE
2012, is now open for registration at http://www.sans.org/sansfire-2012/


Economic Development Administration Offline for Months Following Malware Infection
Mobile Device Security Concerns


Megaupload Data Storage Debate Continues
US Dept. of Homeland Security Awards Contract for Gaming Console Hack
Tool Detects Flashback on Macs
What Information Does Facebook Give Law Enforcement When Subpoenaed?
EU Considering Legislative Proposal That Would Criminalize Hacking Tools
Apple Issues Second Fix to Stop Spread of Flashback Trojan
Former Intel Engineer Pleads Guilty to Stealing Sensitive Company Documents
More Details About Utah Medicaid Files Breach
Twitter Sues Five Entities for Spamming

***************************** SPONSORED BY SANS *****************************
Less than 9 percent of organizations have full awareness off the mobile devices accessing their enterprise resources! Join us to learn more results from the SANS First Annual Mobility Security Survey and gain practical advice for securely supporting mobility/BYOD in the enterprise, Thursday, April 12, 1 PM EDT
http://www.sans.org/info/103249 **************************************************************************

- --SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack

- --SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012.

- --SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.

- --SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 10 courses.

- --SANS Security West 2012, San Diego, CA May 10-18, 2012 24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.

- --SANS Toronto 2012, Toronto, ON May 14-19, 2012 5 courses. Bonus evening presentations include I've Been Geo-Stalked! Now What? And What Should Keep You Up at Night: The Big Picture and Emerging Threats.

- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses.

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems; Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?

- --Looking for training in your own community?

Save on On-Demand training (30 full courses) - See samples at

Plus Johannesburg, Atlanta, Brisbane, Jakarta, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ***********************************************************


Economic Development Administration Offline for Months Following Malware Infection (April 9, 2012)

When the computer systems at the US Commerce Department's Economic Development Administration became infected with malware months ago, the bureau unplugged the system from the Internet. The Economic Development Administration (EDA) a small bureau within the Commerce Department which provides grants to distressed communities. The security teams have not been able to isolate the malware and clean the system. The offices are reverting to old fashioned communications technologies: fax machines, telephones, and written phone messages. Employees have contacted clients to ask how they would prefer to communicate without the Internet. EDA has noted that the situation has increased human interaction.


Mobile Device Security Concerns (April 9, 2012)

Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple's iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.

[Editor's Note (Murray): That said, at least for the moment, one is safer conducting financial transactions from an iOS device than from a PC. Not all vulnerabilities are problems, not all problems are the same size. Harry DeMaio likes to say "Doing business on the Internet is like doing business in Times Square." Still, a lot of business is done there. There are even ATMs there.]

*************************** Sponsored Link: **************************
1) Special Webcast: PCI - Top 5 Issues and Best Practices Surrounding Privileged Passwords and PCI Compliance: Sponsored by Quest Software http://www.sans.org/info/103254


Megaupload Data Storage Debate Continues (April 9, 2012)

A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data - 25 petabytes - are currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintain the data. A hearing on the matter is scheduled for Friday, April 13. Carpathia wants the judge to relieve it of the burden the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintain the data, but the government so far has refused to unfreeze the company's assets.
[Editor's Note (Honan): This story should serve as an example to those moving to the cloud that backups and business continuity strategies are just as important in the cloud as they are in legacy hosting environments. ]

US Dept. of Homeland Security Awards Contract for Gaming Console Hack (April 9, 2012)

The US Department of Homeland security (DHS) has awarded a California company a contract worth nearly US $180,000 to develop a tool that can harvest data from gaming consoles, like the Xbox 360, Wii, and PlayStation 3. Obscure technologies won the contract and will develop hardware and software tools to perform the functions, the company will also have to purchase gaming consoles from outside the US to see what data left behind by former users can be harvested. DHS plans to use the technology only on devices owned by people outside the US; the research is aimed at targeting pedophiles and terrorists who communicate through the consoles.
[Editor's Note (Honan): The Wired article quotes Simson Garfinkel, a computer science professor associated with the project, as saying "We do not wish to work with data regarding U.S. persons due to Privacy Act considerations. If we find data on U.S. citizens in consoles purchased overseas, we remove the data from our corpus." Mr. Garfinkel should be made aware that the European Union has even stricter privacy laws which they will also need to respect. ]

Tool Detects Flashback on Macs (April 6 & 9, 2012)

A software engineer has posted a tool that allows people running Apple computers to find out whether or not their machines are infected with the Flashback malware. The tool, called FlashBack Checker, was developed by software engineer Juan Leon, who works at Garmin International. Users whose machines are infected can use commercial security software to remove the malware from their computers. Estimates suggest that more than 600,000 Macs have been infected with Flashback.



What Information Does Facebook Give Law Enforcement When Subpoenaed? (April 7, 2012)

When law enforcement authorities subpoena Facebook for account information, the social networking site sends pages of information, including photographs and their captions; the dates the pictures were uploaded; who uploaded them; people tagged; wall posts; messages; contact lists; and past activity. The Boston Phoenix published a document that Facebook provided to Boston police during their search for the Craigslist killer. The document was released publicly. The Phoenix took pains to redact any information about the killer's contacts. The packet of information Facebook provides to law enforcement authorities reveals data about the target user as well as about the user's contacts.

EU Considering Legislative Proposal That Would Criminalize Hacking Tools (April 6, 2012)

The European Commission's Civil Liberties Committee has passed proposed legislation that would criminalize the production and sale of hacking tools. The law is part of an effort to strengthen punishments for malicious cyber attacks. It would impose a sentence of up to five years in prison for breaking into a website or using a botnet to launch a distributed denial-of-service (DDoS) attack. The proposal still faces hurdles before becoming law. Civil liberties groups have expressed concern that the law would criminalize activity of legitimate cyber security researchers. Some are arguing that the law needs to consider intent instead of broadly criminalizing the creation, possession, and use of such tools.
[Editor's Note (Murray): This "attractive" idea surfaces every few years. The problem is that it is impossible to distinguish between "hacking" tools and "audit" tools except by looking at how they are used. ]

Apple Issues Second Fix to Stop Spread of Flashback Trojan (April 6, 2012)

Apple has released a second update to help protect users from the Flashback Trojan horse program. The new variant of the malware exploits a vulnerability in Java to infect computers. It is not clear what the second patch does, but it is just for Mac OS X 10.7, which is known as Lion. Oracle released fixes for the Java vulnerability in February, but Apple had not released a fix until last week, when news of the malware variant exploiting the flaw broke. Apple has a reputation for dragging its feet on releasing patches for third party products. The new variant of Flashback can infect computers when users simply visit specially-crafted web pages.


[Editor's Note (Frantzen): The press is jumping to conclusions. See:

(Murray): "Fixes" are difficult. Fixes that do not break anything else may be even more so. It is almost always cheaper to do it right the first time. Software developers appear resistant to this idea. ]

Former Intel Engineer Pleads Guilty to Stealing Sensitive Company Documents (April 9, 2012)

A man who once worked at Intel designing Itanium processors has pleaded guilty to stealing confidential information from the company. Biswamohan Pani resigned from Intel on May 29, 2008 and used his accrued vacation time to take leave through June 11. However, Pani began working at Advanced Micro Devices (AMD), an Intel rival, on June 2, while he still had access to Intel servers. But in the days before his June 11 exit interview, Pani downloaded 13 proprietary Intel design documents and copied them from his Intel-issued laptop to an external drive. He apparently attempted to access Intel servers again on June 13 because he had not completed the procedure that would have allowed him to view the encrypted documents offline. AMD did not request the information from Pani, nor did his new employer know that he had taken the documents.


More Details About Utah Medicaid Files Breach (April 9, 2012)

Hackers believed to be based in Eastern Europe appear to have stolen personal information from a Utah Department of Technology Services server; the breach affects more than 180,000 people. Initially, the attack was reported to have affected 24,000 individuals, but now it has been revealed that the hackers stole 24,000 files, each of which contained information about numerous people. The breach affects Medicaid and Children's Health Insurance Plan recipients. The hackers exploited a configuration error on the server to gain access to the data.

[Editors Note (Murray): "Configuration error;" polite euphemism for "default password." ]

Twitter Sues Five Entities for Spamming (April 6, 2012)

Twitter has filed a lawsuit against five defendants, accusing them of involvement with spam spreading through the microblogging network. The defendants named in the lawsuit include three companies and two individuals. The lawsuit alleges that the companies named provided tools that sent automated, unsolicited tweets that try to trick users into following links that sell bogus merchandise or spread malware. Twitter maintains that it has spent nearly US $1 million to deal with the effects of the defendants' alleged activity. Each of the defendants had signed up for a twitter account, which means each had agreed to terms that expressly forbid spamming.



The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/