SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #55
July 10, 2012
NSA Chief on consensus standards for cyber security:
The Washington Post reported yesterday that General Keith Alexander said
that standards were necessary, but "the hard part" was figuring out how
to set them. He pointed as a possible model to the SANS Institute's 20
Critical Security Controls, a set of baseline measures.
TOP OF THE NEWSHead of Pentagon's Cyber Command Calls for Clear Cyber Security Legislation
Thieves Exploiting Vulnerability in On-Board Diagnostic System to Steal BMWs
THE REST OF THE WEEK'S NEWSISPs Set Up Substitute DNS Servers to Help Customers Infected with DNSChanger
Requests for Data from Mobile Providers on the Rise
Two Sentenced for Phishing Schemes
Malicious App in Apple and Google App Stores Steals Phone Book Data
US Cyber Challenge Co-Hosting Summer Cyber Security Camp
Judge Pushes Back Megaupload Extradition Hearing to March 2013
AT&T Drops Lawsuit Seeking US $900,000 Bill Run Up by Hackers
Linksys Router Users No Longer Forced to Use Cisco Cloud Connect
***************** SPONSORED BY ForeScout Technologies *********************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy
IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures.
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
--SANS Boston 2012, Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
--SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 46 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Bangkok, San Antonio, Melbourne, Arlington, VA, and Prague all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Head of Pentagon's Cyber Command Calls for Clear Cyber Security Legislation (July 9, 2012)US Army General Keith Alexander, head of the Pentagon's Cyber Command and the National Security Agency (NSA), has called for legislators to clarify who is responsible for what in defending the country's computer systems from attacks. General Alexander says it's important that the issues get sorted out before the US is the target of a major cyber attack. He pointed to the SANS 20 top controls as a model standard for what organizations need to do to protect their systems. Responsibility for defending the country's computer systems falls to several government agencies, including the Department of Defense, the FBI, and the Department of Homeland Security. General Alexander said, "The probability for crisis is mounting." Video:
[Editor's Note (Pescatore): Actually, the responsibility for defending the "country's computer systems" falls to each organization that owns and operates each individual computer system, much the way protecting a business is the responsibility of that business. ]
Thieves Exploiting Vulnerability in On-Board Diagnostic System to Steal BMWs (July 7 & 9, 2012)Thieves have figured out a way to steal BMWs with keyless entry technology. They are able to bypass alarm systems. It is believed that the thieves are gaining access to the cars' On-Board Diagnostic (OBD) system to program new key fobs. The vehicles' OBD ports are constantly powered, even when the vehicles are off, and they do not require passwords.
[Editor's Note (Pescatore): Another good reason to stick to cars that require a physical key to be inserted into a physical ignition switch so that car thieves have to steal cars the old fashioned way. ]
************************* Sponsored Links: *************************
1) Tool Talk Webcast: Label Based Access Controls in Oracle Database 11g. Thursday, July 12th, 1:00 EDT. http://www.sans.org/info/109799
2) Special Webcast: Endpoint Visibility, Control and Remediation Leveraging NAC. Tuesday, July 10, 2012 at 1:00 PM EDT. http://www.sans.org/info/109804
THE REST OF THE WEEK'S NEWS
ISPs Set Up Substitute DNS Servers to Help Customers Infected with DNSChanger (July 9, 2012)In an attempt to prevent their customers from being cut off from the Internet, some Internet service providers (ISPs) have set up substitute DNS servers to maintain connectivity for customers whose machines are still infected with DNSChanger malware. The DNSChanger Working Group had set up alternative servers when law enforcement authorities took down the DNSChanger command-and-control infrastructure last year; those machines were taken offline on Monday, July 9. The court order allowing the operation of those machines was extended twice.
[Editor's Note (Honan): The way that CERTs, ISPs, vendors, voluntary groups, ISC, the FBI and other law enforcement agencies worked together to minimize the impact DNS Changer had on its victims is a great example of how our industry can work together.
(Swa Franzen): The media are blowing this up way out of proportion. Only about 0.01% of internet users are affected. ]
Requests for Data from Mobile Providers on the Rise (July 9, 2012)According to information obtained by US legislators, in the past year, mobile service carriers have responded to 1.3 million requests from law enforcement for subscriber data. The requested information includes text messages and phone location data. The Congressional privacy investigation elicited submissions from nine mobile service carriers. The data also show that law enforcement agencies have been requesting "cell tower dumps," or lists of all phone numbers that have connected to a specified cell phone tower within a given period of time.
Two Sentenced for Phishing Schemes (July 9, 2012)A UK Court has sentenced two men to prison sentences for their roles in phishing scams that netted more than GBP 1.5 million (US $2.33 million). Damola Clement Olatunji was sentenced to 6.5 years, and Amos Njoroge Mwango was sentenced to three years, three months. The two men are not believed to have worked together, but both participated in schemes that targeted UK students through emails that purported to be from government loan organizations.
Malicious App in Apple and Google App Stores Steals Phone Book Data (July 9, 2012)A malicious app managed to slip past security measures and has been available in the iOS Apple App Store and Google Play. The "Find and Call" app steals copies of iPhone and Android contact books and sends them to a remote server controlled by those responsible for the malicious app. The app's end-user license agreement (EULA) does not mention the fact that the data will be sent to a remote server. This appears to be the first significant instance of malware making its way into the iOS Apple App Store.
US Cyber Challenge Co-Hosting Summer Cyber Security Camp (July 9, 2012)The Third Annual Summer Cyber Security Camp is in session this week. Hosted by the US Cyber Challenge and the Delaware USCC Coordinating Council, the invitation-only camp runs from July 9-13 and provides intensive classes, a career fair, and a cyber-attack/defense competition, concluding with an awards ceremony. The camp is part of a response to a report from the Center for Strategic and International Studies that said the country needs 30,000 skilled cybersecurity professionals to effectively defend computer networks. The 30 individuals selected to participated in the camp were chosen based in part on their scores in Cyber Quests competitions; some people who did exceptionally well in other competitions were invited as well.
Judge Pushes Back Megaupload Extradition Hearing to March 2013 (July 9 & 10, 2012)A New Zealand judge has pushed back the extradition hearing for Megaupload founders Kim Dotcom, Mathias Ortmann, Finn Batato, and Bram van der Kolk to March 2013. The extradition had initially been set for August 6 of this year. A High Court judge invalidated the warrants used to seize property and funds from Dotcom. The judge also said that because the warrants were so broad and general, the FBI's sending copies of data from seized hard drives back to the US was also illegal.
AT&T Drops Lawsuit Seeking US $900,000 Bill Run Up by Hackers (July 9, 2012)AT&T will not pursue collection of a US $900,000 phone bill that hackers ran up on a Massachusetts company's account. AT&T initially filed suit seeking payment of US $1.15 million for charges and interest from Ipswich-based Todd Tool and Abrasive Systems, but on June 9, the telecommunications company announced that it has "decided not to pursue the claims." Todd Tool president Michael Smith had filed a countersuit which he has not yet dropped, because "what the AT&T media statement said and what they told
attorney is not the same."
[Editor's Note (Honan): As more and more companies migrate their phone systems to VOIP based solutions or allow for remote workers to access the PBX we are seeing an increase in PBX fraud. The Irish Department of Communications has issued some good guidelines on preventing PBX fraud on their MakeITsecure website at
Linksys Router Users No Longer Forced to Use Cisco Cloud Connect (July 6, 2012)Cisco Connect Cloud service is no longer the default setting for managing Linksys EA Series Wi-Fi routers. Users were upset recently when Cisco pushed out a firmware update that made Connect Cloud the default management setting. Users may now choose to use Cisco Cloud Connect. Cisco has issued an apology and is trying to ease customers' concerns about privacy and automated firmware updates.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/