SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Sign Up Now
• Editorial Board

Volume XIV - Issue #57

July 17, 2012

Just heard the best answer ever to the question of whether security
managers need to have hands-on technical skills. An Air Force Major was
complaining to an Air Force course director that the major didn't need
to know networking and security taught in the intensive in house Air
Force course, "My people will do that; I never will; I am a manager."
The course director asked the major, "Do you know what a router access
control list is?"
Major: "Yes."
Course director: "Have you ever sat down at a terminal and written an ACL?"
Major: "No"
Course director: "Then how do you know your netadmin is doing it right,
when just one error in one line can stop all the traffic on your
network?"
Major: eyes wide
Course director: "And how do you know whether your netadmin isn't
blowing smoke?"
Major: "Get me registered for the course."

Alan

---

TOP OF THE NEWS

FDA Investigating Accidental Leak of Confidential Documents
DHS CERT Warns of Security Issue in Niagara Framework Industrial Control Software
Anonymous Targets Oil Companies

THE REST OF THE WEEK'S NEWS

German Court Rules RapidShare Bears Some Responsibility for Infringement
UK Court-Ordered Block of The Pirate Bay Has Little Effect on File-Sharing
Yahoo Says It Has Fixed Security Issue That Was Exploited to Steal User Data
Symantec Fixes Update Problem That Caused PC Crashes
Nvidia Acknowledges Data Breach, Takes Down Developer Forums
FBI Investigating Chinese Company for Selling US Surveillance Technology to Iran
Feds Seize 70 Websites for Allegedly Selling Counterfeit Goods

---

******************* SPONSORED BY ForeScout Technologies *******************
Special white paper: IDC Report on Architecting a Flexible BYOD Strategy IDC security analyst Phil Hochmuth examines a tiered service approach to enterprise mobile security while exploring how NAC and MDM, as complementary controls, offer necessary network and device level defenses to enable IT organizations to realize mobility advantages while reducing security and compliance exposures.
http://www.sans.org/info/110055
****************************************************************************
TRAINING UPDATE
--SANS San Francisco 2012 San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
ttp://www.sans.org/san-francisco-2012/

- - --SANS Boston 2012 Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
http://www.sans.org/boston-2012/

--SCADA Security Advanced Training 2012, The Woodlands, TX August 20-24, 2012
http://www.sans.org/scada-sec-training-2012/

--SANS Virginia Beach 2012 Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
http://www.sans.org/virginia-beach-2012/

--SANS Capital Region Fall 2012 September 6-11 and October 15-20, 2012
http://www.sans.org/capital-region-fall-2012/

--SANS Crystal City 2012 Arlington, VA September 6-11, 2012 6 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response.
http://www.sans.org/crystal-city-2012/

--SANS Baltimore 2012 October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

--SANS Network Security 2012, Las Vegas, NV September 16-24, 2012 46 courses. Bonus evening presentations include Evolving Threats; New Legal Methods for Collecting and Authenticating Cyber Investigation Evidence; and Intrusion Detection is Dead.
http://www.sans.org/network-security-2012/

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, San Antonio, Melbourne, Prague, and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

FDA Investigating Accidental Leak of Confidential Documents (July 16, 2012)

The US Food and Drug administration (FDA) is investigating the inadvertent leak of 75,000 pages of confidential files regarding the agency's medical device approval process. A document management company accidently made the files public; these files were submitted to a document management company as part of the process of answering document requests in the lawsuit. Most of the leaked documents are related to surveillance of five scientists at the FDA who had complained about the medical device approval process in 2008. The operation involved keystroke loggers, intercepting email, copying documents from personal flash drives, and tracking messages as they were being drafted. The scientists filed a lawsuit against the FDA.
-http://www.nextgov.com/cio-briefing/2012/07/fda-investigates-how-confidential-fi
les-went-public/56812/?oref=ng-channelriver
[Editor's Comment (Northcutt): Much of the staff are doctors and other scientific personnel with significant and unique skills. This breach of trust may well result in a hostile workplace and the FDA may lose the cream of their workplace crop. Additionally, laws appear to have been broken, some of the communications, at least according to the articles that have been released so far indicated the FDA spied on privileged communications including private Gmail accounts. Finally, this is another example of the slippery slope of failing to protect whistleblowers:
-http://arstechnica.com/tech-policy/2012/02/fda-whistleblowers-say-government-int
ercepted-gmail-yahoo-messages/
-http://www.naturalnews.com/034824_FDA_scientists_hacking_whistleblowers.html]

DHS CERT Warns of Security Issue in Niagara Framework Industrial Control Software (July 13, 2012)

The US Department of Homeland Security's (DHS) Cyber Emergency Response Team (CERT) has issued an alert warning that attackers are exploiting a vulnerability in the Niagara Framework industrial control system software. The software is used around the world. DHS CERT recommends that users prohibit guest users, beef up passwords, sever direct Internet access, and take other precautions to protect their systems from attacks. The vulnerability could be exploited to allow directory traversal attacks. Tridium, which makes the Niagara software, warned customers about the issue last week. DHS CERT held back its alert for several days to allow the company to develop a fix.
-http://www.washingtonpost.com/investigations/homeland-security-warns-of-hackers-
targeting-popular-niagara-software/2012/07/13/gJQA0l7NiW_story.html
-http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf
[Editor's Note (Paller): This is the direct result of some extraordinary reporting by the Washington Post. A great example of journalists making a difference. ]

Anonymous Targets Oil Companies (July 16, 2012)

The hacking collective Anonymous has targeted multinational oil companies, stealing and posting email addresses and hashed and unencrypted passwords. The targeted companies are Shell, Exxon, BP, Gazprom, and Rosneft. The attacks were reportedly launched to protest drilling in the Arctic.
-http://www.wired.com/threatlevel/2012/07/oil-companies-hacked/

---

************************* Sponsored Links: *************************
1) Special Webcast: SEC575 Webcast Series: Session 3: A Taste of SANS Security 575 - 2012: A Mobile Penetration Test. Thursday, July 19, 2012 at 1:00 PM EDT. http://www.sans.org/info/110060
2) SANS Analyst Webcast: Server Security and Compliance: A Review of McAfee's Product Portfolio for Server Security by senior SANS Analyst Jim D. Hietala http://www.sans.org/info/110064
3) Security Policy and Management of Mobile Devices: A SANS Survey Take the survey and be entered in our drawing to win one of TWO $200 American Express gift cards! Link: http://www.sans.org/info/110065
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

German Court Rules RapidShare Bears Some Responsibility for Infringement (July 16, 2012)

Germany's Federal Court of Justice has ruled that a file-sharing site that has been notified of copyright violations by copyright holders bears some responsibility for the infringement. RapidShare had argued that it should not be required to monitor user content. The court did not rule that RapidShare must monitor or filter content in general, but wrote that "the defendant's obligation with respect to
[the pirated content ]
arises only when the defendant has been advised of a clear violation of the law in relation to
[the content. ]
" The court was deliberately vague about what RapidShare must actually do, saying only that it must take "technologically and economically reasonable" actions to prevent sharing of pirated material. The specifics will be decided by a district court.
-http://arstechnica.com/tech-policy/2012/07/top-german-court-says-rapidshare-must
-monitor-link-sites-for-piracy/
[Editor's Note (Murray): There is an important distinction between "shares responsibility" after being put on notice, and a duty to proactively monitor their customers in the absence of notice. ]

UK Court-Ordered Block of The Pirate Bay Has Little Effect on File-Sharing (July 16, 2012)

A dip in file-sharing after a UK court order requiring Internet service providers (ISPs) to block the file-sharing site was short-lived. Just one week after British ISPs put required measures in place to prevent customers from accessing the site, one of the ISPs said that file-sharing activity on its network has returned to pre-block levels. The data do not indicate whether users are downloading content through The Pirate Bay, but merely measure file-sharing traffic.
-http://www.bbc.co.uk/news/technology-18833060
-http://news.cnet.com/8301-13578_3-57472718-38/pirate-bay-blocks-did-little-to-cu
rb-file-sharing/

Yahoo Says It Has Fixed Security Issue That Was Exploited to Steal User Data (July 13, 14, & 16, 2012)

Yahoo says it has closed the hole that allowed attackers to steal the email addresses and passwords of 450,000 users. The SQL-injection attack affected members of Yahoo Contributor Network, previously known as Associated Content. In a blog post, Yahoo wrote, "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected ... users, enhanced our underlying security controls and are in the process of notifying affected users."
-http://www.scmagazine.com/yahoo-closes-security-hole-that-led-to-password-breach
/article/250426/
-http://www.telegraph.co.uk/technology/news/9402418/Yahoo-fixes-glitch-that-let-h
ackers-access-half-a-million-passwords.html
-http://www.eweek.com/c/a/Security/Yahoo-Says-It-Has-Closed-Security-Hole-Exploit
ed-in-Breach-748818/
-http://www.computerworld.com/s/article/9229136/Yahoo_fixes_password_pilfering_bu
g_explains_who_s_at_risk?taxonomyId=17

Symantec Fixes Update Problem That Caused PC Crashes (July 15 & 16, 2012)

Symantec says it has fixed a problem with a recent update to anti-virus software that was causing PCs to crash. On Wednesday, July 11, Symantec released updates for Symantec Endpoint Protection 12.1, which is used largely in business environments. Users running Windows XP reported crashes that resulted in "the blue screen of death." The issue affected users running a specific combination of software: Windows XP, the most recent version of SONAR technology, the July 11 rev11 SONAR signature set and third party software.
-http://www.v3.co.uk/v3-uk/news/2191762/symantec-claims-to-have-fixed-pccrashing-
antivirus-update
-http://www.h-online.com/security/news/item/Symantec-Endpoint-Protection-causing-
crashes-1641046.html
-http://news.cnet.com/8301-1009_3-57472624-83/symantec-antivirus-software-update-
crashes-some-pcs/
[Editor's Note (Murray): The risk that automatic software updates, now used by many vendors, will de-stabilize a system or interfere with an application, must be balanced against the risk of not applying an update on a timely basis. Therefore, the option as to whether or not to apply updates automatically should be in the hands of the system manager. Of course, an option given to the system manager imposes on her the responsibility to make a choice. ]

Nvidia Acknowledges Data Breach, Takes Down Developer Forums (July 13 & 16, 2012)

Data belonging to approximately 800 Nvidia users has been posted on Pastebin. Nvidia has taken down its developer forums after learning of attacks that may have compromised user passwords. A message in place of the site says that the hackers may have obtained hashed passwords. The company said that other information, including usernames, birthdates, and email addresses, may have been stolen as well. Nvidia has emailed users to let them know about the situation, and is investigating the attacks.
-http://www.h-online.com/security/news/item/NVIDIA-hackers-publish-user-data-1643
038.html
-http://www.computerworld.com/s/article/9229202/Nvidia_probes_breach_of_hashed_pa
sswords?taxonomyId=17
-http://www.theregister.co.uk/2012/07/13/nvidia_hack/
-http://news.cnet.com/8301-1009_3-57471710-83/hackers-strike-again-hit-nvidias-de
veloper-zone/
-http://www.zdnet.com/nvidia-suffers-data-breach-investigation-under-way-70000008
62/
-http://www.h-online.com/security/news/item/NVIDIA-Forums-suspended-after-hack-16
40918.html

FBI Investigating Chinese Company for Selling US Surveillance Technology to Iran (July 12 & 13, 2012)

The FBI is investigating allegations that Chinese telecommunications equipment maker ZTE sold US technology to companies in Iran. It is also believed that ZTE took steps to hide the transactions. ZTE makes phone equipment and allegedly provided hardware and software to Iran; the products include a surveillance system that can monitor landlines as well as mobile and Internet communications. Investigators have turned up evidence that the company planned to thwart a Department of Commerce inquiry into the transactions by shredding documents and altering records.
-http://www.wired.com/threatlevel/2012/07/fbi-zte/
-http://www.theregister.co.uk/2012/07/13/zte_iran_tech_us_fbi_investigation/

Feds Seize 70 Websites for Allegedly Selling Counterfeit Goods (July 12, 2012)

US federal authorities have seized 70 websites that are allegedly involved in selling counterfeit goods. The operation was led by DHS's Immigration and Customs Enforcement (ICE) agency and targeted sites offering a variety of merchandise. The sites were created to appear legitimate and trick users into believing they were buying authentic products. This current round of seizures brings the total number of sites seized over two years to 839.
-http://www.nextgov.com/cio-briefing/2012/07/us-officials-seize-70-websites/56762
/?oref=ng-HPriver
-http://www.pcworld.com/businesscenter/article/259145/us_ice_seizes_70_more_websi
tes_for_alleged_copyright_infringement.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting. Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/