2 Days Left to Save $200 on SANS Cyber Defense San Diego 2014

SANS NewsBites - Volume: XII, Issue: 57


SANS FLASH ALERT: Siemens SCADA Systems Targeted. Major Unpatched
Windows Vulnerability Already Being Used To Hit More Targets in SCADA
and General Purpose Windows Sites



[SANS FLASH ALERTS are issued infrequently and highlight actions that
will preempt highly-likely attacks that will otherwise result in
substantial damage]



Siemens HMI and Historian systems in multiple European countries were
specifically targeted by the attackers using the huge 0day Windows
vulnerability. Many other sites are being and will be targeted soon.
Symantec is reporting 9,000 attempted compromises a day, worldwide using
the flaw. The problem is so great that Internet Storm Center raised its
Infocon Level to Yellow (the first time in a year). Read the details
and what to do about it at https://isc.sans.edu/diary.html?storyid=9190
and at http://www.microsoft.com/technet/security/advisory/2286198.mspx.
Also see the first two stories in this issue.



Siemens, ABB, GE and two other control system vendors' users from many
nations will meet in London the first week in October to discuss early
action strategies and the best ways to block the advanced persistent
threat now targeting their systems worldwide. If you have control
systems and you have not yet received an invitation from your vendor,
email apaller@sans.org, Subject: SCADA cyber attacks. Mention which
control system manufacturer supplies your systems.



Alan


*************************************************************************
SANS NewsBites                     July 20, 2010                    Volume: XII, Issue: 57
*************************************************************************
TOP OF THE NEWS

  Siemens Industrial Control Systems Targeted By New Virus; Users Told Not To Change Password
  Microsoft Acknowledges Shortcut Flaw
  15 Countries Draft Cyber Arms Control Proposal for UN
  Privacy Implications of Cyber Attack Attribution Technology

THE REST OF THE WEEK'S NEWS

  Washington Post In-Depth Report: Top-Secret America
  Vulnerability Affects Millions of Home Routers
  Blog Service Shut Down
  Man Arrested in Germany for Alleged Webcam Hacking
  The (Duped) Friends of Robin Sage
  Warrant Withdrawn in Gizmodo iPhone Case
  Colorado Businesses at Risk of Fraud Due to Open Registration on Sec. of State's Site


************************ Sponsored By zScaler ****************************
ASK THE EXPERTS: Is Cloud Security Ready For Prime Time? There is pressure to reduce the cost and complexity of the multiple security boxes that clutter an organization's DMZ. Cloud security seems like a promising answer. Join the experts for an educational panel webcast on July 27 with a key panelist from IDC, Chris Christiansen. Register here:
http://www.sans.org/info/62313

***************************************************************************
TRAINING UPDATE -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

*************************************************************************


TOP OF THE NEWS

Siemens Industrial Control Systems Targeted By New Virus; Users Told Not To Change Password (July 19, 2010)
Siemens is warning customers of a new and highly sophisticated virus that targets the computers used to manage large-scale industrial control systems used by manufacturing and utility companies. Although the worm (using the Microsoft 0day - see the next story) allows criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone.
-http://www.computerworld.com/s/article/9179298/New_virus_targets_industrial_secr
ets

-http://www.businessweek.com/idg/2010-07-19/after-worm-siemens-says-don-t-change-
passwords.html



Microsoft Acknowledges Shortcut Flaw (July 19, 2010)
Microsoft has acknowledged the existence of a vulnerability in the code for processing short-cuts. The flaw affects all versions of Windows. The flaw can be exploited by opening a USB drive; it can also be exploited remotely through WebDAV and network shares. There is currently no patch for the vulnerability. Last week, the flaw was being exploited in limited, targeted attacks. As of Sunday, July 18, exploit code for the flaw is been publicly available and Metasploit has a module that assists with exploit. Latest from Internet Storm Center:
-https://isc.sans.edu/diary.html?storyid=9190
-http://www.computerworld.com/s/article/9179358/Experts_predict_extensive_attacks
_of_Windows_zero_day?taxonomyId=17

-http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
-http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
-http://www.scmagazineuk.com/warnings-of-a-new-microsoft-windows-flaw-as-it-inves
tigates-targeted-attacks-in-the-shell-component/article/174838/

-http://www.microsoft.com/technet/security/advisory/2286198.mspx
[Editor's Note (Pescatore): Disabling shortcut icons is an ugly workaround but probably worth it until a patch is out and deployed, even though there are other paths to exploit this huge hole. (Northcutt): The people predicting extensive attacks may be right; the flaw affects almost all Microsoft operating systems. Hope they get a fix available soon. Read the Microsoft advisory and ISC post above and discuss the workarounds with your staff.
(Honan): One way to help minimize the impact of this flaw is to disable the Autorun feature in Windows. For Windows 7 refer to
-http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.a
spx

and for other versions of Windows refer to
-http://support.microsoft.com/kb/967715]



15 Countries Draft Cyber Arms Control Proposal for UN (July 17 & 19, 2010)
Fifteen countries have submitted a cyber arms control proposal to the United Nations. The recommendations include "developing international standards for conduct over the Internet; sharing information about each country's cyber security laws; and helping less-developed nations strengthen their computer defenses." The countries involved in developing the list are: the US, Russia, China, Belarus, Brazil, Britain, Estonia, France, Germany, India, Israel, Qatar, South Africa and South Korea. More than a decade ago, Russia proposed a treaty banning the use of cyber space for military purposes, but the US would not agree.
-http://www1.voanews.com/english/news/science-technology/15-Countries-Outline-Pri
nciples-on-Cyber-Security-98661289.html

-http://homelandsecuritynewswire.com/first-15-nations-agree-start-working-togethe
r-cyber-arms-control

[Editor's Note (Schultz): It would in theory be a good thing if the countries mentioned in this news item would agree to provisions of a cyber arms control treaty. Even if the countries involved attempted to abide by these provisions, however, I doubt whether they could significantly suppress the activity of cybercriminals within each country. ]


Privacy Implications of Cyber Attack Attribution Technology (July 15, 2010)
In testimony at a US House of Representatives Science and Technology Committee's Subcommittee on Technology and Innovation hearing on cyber attack attribution, experts on cyber security and privacy say that efforts to identify those behind cyber attacks are likely to violate privacy rights. Some voiced concerns that new technologies could be abused by oppressive governments to identify those perceived as enemies. Proposed technologies that would assign Internet identifiers may not be legal in the US, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).
-http://www.computerworld.com/s/article/9179215/Some_experts_question_efforts_to_
identify_cyberattackers?taxonomyId=144

-http://www.govinfosecurity.com/articles.php?art_id=2758
-http://science.house.gov/press/PRArticle.aspx?NewsID=2882
[Editor's Note (Pescatore): Many of these proposals are akin to saying "everyone in the physical world has to wear a t-shirt with their real name on it when they walk around the streets so that police can identity criminals." In the physical world, most commerce is anonymous and any merchant can request stronger authentication for non-cash transactions. The same is already true on the Internet. ]



**************************** SPONSORED LINKS **************************
1) Top Layer Security's new Intrusion Prevention System appliances free with maintenance. Broadest protection, ultra-reliable, and blazing performance.
http://www.sans.org/info/62318


2) RETHINKING PROVISIONING: New security and identity management requirements? Get a roadmap for success. Watch webcast!
http://www.sans.org/info/62323


3) Did you miss the July 15 WhatWorks Webcast: Moving 100 percent into the Cloud...Securely sponsored by Altor? Available now
http://www.sans.org/info/62328

*************************************************************************


THE REST OF THE WEEK'S NEWS

Washington Post In-Depth Report: Top-Secret America (July 19, 2010)
In the wake of the September 11 attacks, the US created a world of top-secret organizations "so large, so unwieldy and so secretive that no one knows ... exactly how many agencies do the same work," according to a two-year investigation by the Washington Post. Although just a few people within the US Defense Department are designated Super-Users, meaning they are permitted to know about all activities within the department, one of them noted, "I'm not going to live long enough to be briefed on everything." Because there is no process to coordinate all the counterterrorism, intelligence and related efforts, there is also no way to determine if the efforts are making the country any safer. This is the first in a series of articles.
-http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-gr
owing-beyond-control/print/

-http://projects.washingtonpost.com/top-secret-america/articles/editors-note/


Vulnerability Affects Millions of Home Routers (July 15, 18 & 19, 2010)
A DNS rebinding vulnerability in millions of routers used in homes could be exploited to hijack the routers, steal data or redirect browsing activity. The vulnerability can reportedly be exploited by tricking users into visiting specially crafted web pages. The flaw will be discussed in detail at the Black Hat conference in Las Vegas, Nevada at the end of July.
-http://www.theregister.co.uk/2010/07/19/home_router_hack/
-http://arstechnica.com/security/news/2010/07/millions-of-soho-routers-vulnerable
-to-new-version-of-old-attack.ars

-http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=2259
00016&subSection=Vulnerabilities+and+threats

[Editor's Note (Northcutt): The single most important thing to do is change the default password of your DSL or cable modem router. If you are a NewsBites reader, you have almost certainly done that already. However, take some time to call your mom, your siblings and talk to your neighbors and help them change their passwords as well. None of us benefit if organized crime is able to compromise another twenty five thousand identities. Here is a default password search site to show people how easy it would be for the bad guys:
-http://www.routerpasswords.com/]


Blog Service Shut Down (July 18 & 19, 2010)
US law enforcement officials has ordered Blogetery to shut down. The blogging service, which had an estimated 70,000 users, disappeared on July 9. The permanent shut down came at the "request of law enforcement officials, due to material hosted on the server," according to Blogetery webhosting provider Burstnet.com. Users will not be able to access content they stored with Blogetery. Burstnet went on to say that "this was not a typical case, in which suspension and notification would be the norm." IPBFree, a message board service, was closed earlier this month. IPBFree.com administrators are "legally precluded from discussing the exact bits of what happened," but that service have been permanently shut down as well.
-http://www.theregister.co.uk/2010/07/19/blogetery_closure/
-http://news.cnet.com/8301-31001_3-20010877-261.html?tag=mncol;txt


Man Arrested in Germany for Alleged Webcam Hacking (July 19, 2010)
An unnamed man has been arrested in Germany for allegedly using malware to gain access to webcams and spying on 150 girls. The illegal activity was discovered when some girls complained their computers were running erratically; the machines were examined by a specialist who found evidence of a Trojan horse program. The malware appears to have spread through the ICQ messaging program. Analysis traced the communications to the suspect's home.
-http://www.theregister.co.uk/2010/07/19/german_webcam_perv_arrest/
[Editor's Note (Northcutt): How hard can it be to put a piece of blue painter's tape over your laptop's (over your daughter's laptop's) camera? So far I have only found a few folks that want to video Skype, but maybe I am running with the wrong crowd. If you take the time to read the article, at the bottom take note of the related stories. There is a lot of this going on. The first time I heard of it was a hacker using Back Orifice 2000 to turn a microphone on to listen to a management meeting using the tricked out PC in the conference room of a defense contractor. ]


The (Duped) Friends of Robin Sage (July 18, 2010)
A series of phony social networking profiles set up by a security consultant gathered nearly 300 connections in less than a month, including members of the US military and the National Reconnaissance Office which oversees deployment of spy satellites. The profiles claimed to belong to Robin Sage, an attractive young woman who claimed to be working as a cyber threat analyst at the US Navy's network Warfare Command. Some of her contacts divulged information they should not have; for instance, a soldier uploaded a photograph of himself in Afghanistan that included embedded data describing his precise location. The profiles contained numerous red flags: the amount of experience she listed would have had her staring to work in cyber security at 15 and the name was taken from the code name of an annual US Special Forces military exercise.
-http://www.washingtontimes.com/news/2010/jul/18/fictitious-femme-fatale-fooled-c
ybersecurity/

[Editor's Note (Northcutt): Yup, I linked to her. However, I have been trying to build my list of contacts to an edgier world of blacker hats than I run with to try to build content for an Anti Forensics workshop, so I probably have a few more curiosities in my list, but I am surely careful what I post. ]


Warrant Withdrawn in Gizmodo iPhone Case (July 16, 17 & 18, 2010)
The San Mateo County (California) District Attorney's office have withdrawn a search warrant in a case against technology blog Gizmodo and editor Jason Chen regarding the alleged theft of an iPhone prototype in April. Chen has agreed to provide authorities with information contained in several of the devices that were taken from his home in a raid. Authorities are trying to determine if a crime was committed when Chen purchased the phone from Brian Hogan, who allegedly found the device in a Redwood City pub. There has been some disagreement as to whether or not the warrant was legal. Some say that journalists do not have to surrender their notes to law enforcement officials, while others say that if a journalist is being investigated for an alleged criminal act, the warrant would be legal. All items seized from Chen's home will be returned.
-http://www.wired.com/threatlevel/2010/07/gizmodo-warrant-void/
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/07/17/BA4Q1EG2UJ.DTL
-http://www.theregister.co.uk/2010/07/17/chen_search_warrant_withdrawn/
-http://www.eff.org/deeplinks/2010/07/san-mateo-da-withdraws-gizmodo-iphone-warra
nt

-http://www.eff.org/files/gizmodoorder-071610.pdf


Colorado Businesses at Risk of Fraud Due to Open Registration on Sec. of State's Site (July 16, 2010)
Officials in Colorado are warning the state's 800,000 registered businesses about a corporate identity fraud scam. More than US $750,000 in fraudulent purchases have been made at various stores. The problem lies in the Colorado Secretary of State's business registration system. Businesses are required to register details with the office and the information is public record. However, the online system allows anyone to view and alter the information contained in each business's record. At least 35 Colorado businesses have reported that thieves have altered their companies' contact information and established lines of credit with the fraudulent contact information that were then used to make large purchases from stores like Home Depot, Dell and Apple. The state could add a password level of protection to help guard against unauthorized alterations, but a spokesperson for Colorado's Secretary of State said it would have to hire at least half a dozen people to implement and support the plan. Businesses can sign up to be notified by email if changes are made to their records. Five people have been arrested in California in connection with the scheme.
-http://www.computerworld.com/s/article/9179251/Colorado_warns_of_major_corporate
_ID_theft_scam?taxonomyId=82



The Editorial Board of SANS NewsBites Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/