SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #3
January 10, 2012
If your child attends a math/science magnet high school, and/or a high
school with a good computer science program, that school could be
eligible to be included in a national talent development program to find
the next generation of cybersecurity professionals, and you can help get
them connected. Significant scholarship money is available. Email
firstname.lastname@example.org (subject High school talent program) with your city and
state, the school name, and I'll send you the relevant information.
Applies to US only right now.
TOP OF THE NEWS
FedRAMP Cloud Security Specifications Released
US Expels Venezuelan Diplomat Over Alleged Cyber Attack Conversations
Israeli Government to Treat Cyber Attacks as Acts of Terrorism
THE REST OF THE WEEK'S NEWS
FTC Settles Data Privacy Charges Against Membership Reward College Saving Company
Google Updates Chrome 16, Enhances Download Warnings in Chrome 17 Beta
Man Arrested in US $1.5 Million Skimming Case
Mobile Device Ownership Raises Sticky Legal Questions
Stuxnet is a Product of New Malware Development and Delivery Model
Ballot Scanning Machines Found to Have A Laundry List of Security Problems
Symantec Acknowledges Source Code Accessed
Proof-of-Concept Exploit Code Published for Slow-Read DoS Attack
Judge Denies Request to Block Government's Demand for Twitter Data
************************** SPONSORED BY SANS ***************************
SANS 8th Annual Log and Event Management Survey is Under Way
Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts.
Follow this link to the survey: http://www.sans.org/info/96561
- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security.
- --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
- --SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
- --Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
FedRAMP Cloud Security Specifications Released (January 9, 2012)
The US government has released a list of more than 150 security controls that need to be in place for government agencies and cloud services vendors to be in compliance with the Federal Risk and Authorization Management Program (FedRAMP), which takes effect in June 2012. The General Services Administration (GSA) is expected to release instructions for the compliance auditing process by February 8.
[Editor's Note (Paller): FedRAMP is the most perfect example of "grasping defeat from the jaws of victory" that I have witnessed in federal cybersecurity. Had the authors not been fully briefed on what was wrong with FedRAMP, in the White House conference center, their errors might be excused. Since they were fully aware of the opportunity they had and what was at stake, their failure is inexcusable. ]
US Expels Venezuelan Diplomat Over Alleged Cyber Attack Conversations (January 9, 2012)
The US State Department has ordered Venezuela's consul general in Miami to leave the country. Livia Acosta Noguera has until Tuesday, January 10, to leave the US in the wake of allegations "that she discussed possible cyber attacks on US soil." A State Department spokesperson did not cite specific reasons for the decision, instead pointing to Article 23 of the Vienna Convention on Consular Relations, which does not require the country to provide a reason for expulsion. But the expulsion does follow a Spanish-language documentary that aired last month in which it was alleged that Acosta discussed possible cyber attacks against the US while she was a diplomat at the Venezuelan Embassy in Mexico.
[Editor's Comment (Northcutt): Hard to know exactly what happened, but here are a couple hints: (warning, some of these articles are politically biased):
Israeli Government to Treat Cyber Attacks as Acts of Terrorism (January 7, 2012)
The Israeli government says it will treat cyber attacks as acts of terrorism. The statement comes in the wake of the theft and subsequent posting of Israeli credit card numbers and other data. Deputy Foreign Minister Danny Ayalon said that "no agency or hacker will be immune from a response."
************************** SPONSORED LINK ****************************
1) What devices are accessing what resources and by whom? Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012! Follow this link to the survey: http://www.sans.org/info/96566
2) Do not miss the FIRST Internet Storm Center Update for 2012 tomorrow! Register at http://www.sans.org/info/96571
THE REST OF THE WEEK'S NEWS
FTC Settles Data Privacy Charges Against Membership Reward College Saving Company (January 5 & 9, 2012)
The US Federal Trade Commission has settled charges against the company Upromise, which helps students save money for college. Upromise asked customers to download a toolbar that would help them locate participating merchants in the rebate program. The users were told that by enabling the "Personalized Offers" portion of the toolbar, they would receive offers tailored to their needs. The associated data that Upromise collected were transmitted in unencrypted form, despite a company statement that said it would encrypt all confidential data while in transmission. The terms of the settlement require Upromise to erase all customer data gathered through the Personalized Offers portion of the toolbar that it currently holds and to contact all users who have enabled that feature to inform them of the data security issue. Upromise must also clearly disclose its data collection practices.
[Editor's Note (Pescatore): The lack of "clearly disclosing ... data collection practices" is just as serious an issue as not encrypting the collected data. Under the guise of "personalization" they collected usernames, passwords, credit card numbers, social security numbers - anything the user entered in any web site. The tradeoff of getting free Internet-based services in return for some personal information is well understood - but only if the consumer is provided clear and accurate information about how personal "personal" will get. ]
Google Updates Chrome 16, Enhances Download Warnings in Chrome 17 Beta (January 9, 2012)
Google has updated Chrome 16 and improved download warnings in the beta version of Chrome 17. The update for the Google browser addresses a trio of high risk vulnerabilities. The first beta version of Chrome 17 expands the functionality of the browser's executable file analysis to help prevent users from allowing downloads that appear to be dangerous. Chrome has incorporated download warnings since version 12 of the browser; Google engineer Dominic Hamon said that they plan to keep expanding the types of files that the anti-malware warnings cover. If Google keeps pace with previous Chrome releases, the stable version of Chrome 17 should be available at the end of this month.
Man Arrested in US $1.5 Million Skimming Case (January 6 & 9, 2012)
US authorities have arrested Laurentiu Iulian Bulat in connection with an ATM skimming operation that netted thieves US $1.5 million from machines belonging to HSBC in New York. Bulat, a Romanian living in the US on an expired visa, is believed to be the mastermind of the scheme. He is facing charges of conspiracy to commit bank fraud and bank fraud; if he is convicted, Bulat could face up to 60 years in prison. Bank surveillance video cameras caught Bulat installing skimming devices on ATMs in Manhattan; he was arrested days later when he went to retrieve the devices. The scheme was operational between May 2011 and January 5, 2012.
Mobile Device Ownership Raises Sticky Legal Questions (January 6, 2012)
Most companies are now permitting employees to use their own mobile devices for work purposes instead of requiring that they use work-issued devices. The BYOD (bring your own device) practice allows personal and professional data to mingle on the same device, raising legal issues surrounding data protection. There is no body of laws or legal precedents regarding who should legally own the devices used for work purposes and who owns the data that are created and used on the devices. Companies have, on their own, devised strategies to address these issues. The three main approaches that have emerged are shared management, in which employees who access business data from their devices give their employers the right to manage, lock down, or even wipe clean the devices; corporate ownership and provisioning, in which the employer purchases and retains ownership of the device, and may or may not allow its personal use as well; and legal transfer, in which the employer purchases the device from the employee. Often this last approach involves a nominal price, allows employees to use the devices for personal communications, and then allows them to buy the devices back for the same price when they leave the organization. The issue is different in Europe, where privacy rights allow employees to choose not to permit their employers to access their personal information. Mathias Thurman, the pseudonymous author of Computerworld's Security Manager's Journal, writes that BYOD is a good idea, because if it's acknowledged as something that's okay in a work environment, then organizations can begin to establish guidelines to bolster network security, such as securely deployed virtual desktop infrastructure.
[Editor's Note (Pescatore): Companies definitely need policies to define this area, and many companies have developed policies. But the reality is that "BYOD" has been in use at most companies for years now - ever since Outlook Web Access and SSL VPNs began to be widely used, allowing employees to read company email on home PCs and other personally owned devices. There are technologies like Network Access Control and Mobile Device Management that provide visibility into whether unmanaged devices are in use and what risks are present, and support limiting access based on those factors. The real issue here is more the fact that the future of endpoints is consumer-driven and heterogeneous, with rapid turnover of devices - it will no longer just be Windows PCs at work and Windows PC access from home. That breaks the way IT is used to managing and securing user access - new approaches are needed.
Guest Editor Comment (Ben Wright): One size does not fit all. For any enterprise the right BYOD policy must consider risk, cost, corporate culture and employee cooperation. If a policy is impractical, executives can be the worst about violating it. Eventually, technical solutions can help. They might include installing two operating systems on a device (one for work and one for personal) or storing all work data in the cloud.
(Murray): Focus on the data, not the technology. Prefer controls that are close to where the data is stored, not where it is used. Prefer controls that resist gratuitous copies. ]
Stuxnet is a Product of New Malware Development and Delivery Model (January 6, 2012)
Researchers from two antivirus companies say that Stuxnet is the product of an operation aimed at creating custom malware with very specific targets. There have been at least seven launcher files that have grown out of a common software platform. Launcher files have the task of injecting malware into computers; they carry with them all the other tools necessary for successful deployment, including payload files and encryption keys. Two of the seven launcher files have been found to be associated with Stuxnet; another two are associated with Duqu. The remaining three do not appear to be associated with either Stuxnet or Duqu, leading to speculation that other destructive and as-yet undetected malware exists in the wild. The discovery of a common platform illuminates a watershed in the evolution of malware: a technique that allows more efficient development of cyber weapons.
Ballot Scanning Machines Found to Have A Laundry List of Security Problems (January 6, 2012)
Certain Election Systems & Software (ES&S) ballot scanning machines have been found to be prone to misreading ballots; failing to log critical events; and freezing and locking up. The DS200 Precinct Count Optical Scanner in the Unity 22.214.171.124 voting system is scheduled to be used in this year's US presidential elections. The results of a Formal Investigative Report from the US Elections Assistance Commission (EAC) found that ballots inserted at an angle were either read incorrectly, as a vote for a candidate the voter did not select, or not read at all. It also found that the machines did not always log votes being cast and touch-screen calibrations. The EAC has issued a notice of non-compliance for the devices, but stopped short of decertifying them altogether.
Symantec Acknowledges Source Code Accessed (January 6, 2012)
Symantec has confirmed that attackers have stolen source code for two of its products. Symantec said that the intrusion occurred on a third-party's network, and that the code was for older versions of its security products. One of the affected products has been discontinued. The compromised code does not affect any of the company's Norton products. The data thieves have posted portions of the stolen code to the Internet.
Proof-of-Concept Exploit Code Published for Slow-Read DoS Attack (January 5 & 6, 2012)
As its name suggests, a "slow read" denial-of-service attack consumes web server resources by slowing down the rate at which the server's response is read from the buffer. Proof-of-concept code for such an attack has been published. The attack sends a legitimate HTTP request, then reads the response slowly, keeping many connections open and swamping the server. The attack exploits a known flaw in the Transmission Control Protocol (TCP). The researcher who published the attack also offered suggestions for helping to prevent it.
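The item above does not reproduce the researcher's mitigation advice, so the following is an added illustration from the defender's side and is not from NewsBites or the researcher: an nginx configuration fragment showing the loose default transmit timeout beside tightened settings that bound how long one connection may hold a partly-sent response, plus a per-source connection cap. The directives (`send_timeout`, `reset_timedout_connection`, `limit_conn_zone`, `limit_conn`) are real nginx directives; the specific values, the zone name `per_ip` and the listen port are assumptions chosen for the example.

```nginx
# Added example, not from the newsletter or the cited researcher.
# Goal: make a connection whose client stalls while reading the response
# cost the server as little as possible, and bound how many such
# connections one source address can hold open at once.
http {
    # nginx's default is 60s between two successive successful writes to
    # the client. A reader that drains a few bytes every 59s never trips it.
    # send_timeout 60s;

    # Tightened (assumed values): abandon a response that makes no
    # progress for 10s, and drop stalled request headers/bodies too.
    send_timeout            10s;
    client_header_timeout   10s;
    client_body_timeout     10s;
    keepalive_timeout       15s;

    # Free the socket immediately instead of lingering in FIN-WAIT,
    # so timed-out connections do not keep consuming kernel memory.
    reset_timedout_connection on;

    # Bound the multiplier: one address may hold at most 20 connections
    # (zone size and limit are assumptions; tune to real client mix).
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        listen 80;                 # assumed port
        limit_conn per_ip 20;
        limit_conn_status 429;     # tell honest clients why they were refused
        root /var/www/html;        # assumed document root
    }
}
```

Two caveats a practitioner should keep in mind: a timeout only narrows the window, since a client that reads one window's worth every 9 seconds still evades a 10-second `send_timeout`, so the per-address connection cap is what bounds the total number of workers a single host can tie up; and that cap counts every connection behind a shared NAT or proxy address, so set it from observed legitimate concurrency rather than a guess. Monitor the 429 count and the number of connections in the writing state (nginx's stub status reports this) to see whether the limits are being hit.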
Judge Denies Request to Block Government's Demand for Twitter Data (January 5 & 9, 2012)
A US District Judge in Virginia has denied a request to prevent prosecutors from obtaining Twitter records of three people who have publicly supported WikiLeaks. The government is seeking the records under the Stored Communications Act; prosecutors were seeking access to the records while a federal appeals court is considering a challenge to the ruling that allowed the records to be disclosed in the first place. Judge Liam O'Grady said the appeal is unlikely to succeed.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/