SANS FLASH ALERT: Siemens SCADA Systems Targeted. Major Unpatched
Windows Vulnerability Already Being Used To Hit More Targets in SCADA
and General Purpose Windows Sites
[SANS FLASH ALERTS are issued infrequently and highlight actions that
will preempt highly-likely attacks that will otherwise result in
Siemens HMI and Historian systems in multiple European countries were
specifically targeted by the attackers using the huge 0day Windows
vulnerability. Many other sites are being and will be targeted soon.
Symantec is reporting 9,000 attempted compromises a day, worldwide using
the flaw. The problem is so great that Internet Storm Center raised its
Infocon Level to Yellow (the first time in a year). Read the details
and what to do about it at https://isc.sans.edu/diary.html?storyid=9190 and at http://www.microsoft.com/technet/security/advisory/2286198.mspx. Also see the first two stories in this issue.
Siemens, ABB, GE and two other control system vendors' users from many
nations will meet in London the first week in October to discuss early
action strategies and the best ways to block the advanced persistent
threat now targeting their systems worldwide. If you have control
systems and you have not yet received an invitation from your vendor,
email email@example.com, Subject: SCADA cyber attacks. Mention which
control system manufacturer supplies your systems.
************************************************************************* SANS NewsBites July 20, 2010 Volume: XII, Issue: 57 *************************************************************************
************************ Sponsored By zScaler **************************** ASK THE EXPERTS: Is Cloud Security Ready For Prime Time? There is pressure to reduce the cost and complexity of the multiple security boxes that clutter an organization's DMZ. Cloud security seems like a promising answer. Join the experts for an educational panel webcast on July 27 with a key panelist from IDC, Chris Christiansen. Register here: http://www.sans.org/info/62313
*************************************************************************** TRAINING UPDATE -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition http://www.sans.org/boston-2010/
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives http://www.sans.org/network-security-2010/
15 Countries Draft Cyber Arms Control Proposal for UN (July 17 & 19, 2010)
Fifteen countries have submitted a cyber arms control proposal to the United Nations. The recommendations include "developing international standards for conduct over the Internet; sharing information about each country's cyber security laws; and helping less-developed nations strengthen their computer defenses." The countries involved in developing the list are: the US, Russia, China, Belarus, Brazil, Britain, Estonia, France, Germany, India, Israel, Qatar, South Africa and South Korea. More than a decade ago, Russia proposed a treaty banning the use of cyber space for military purposes, but the US would not agree. -http://www1.voanews.com/english/news/science-technology/15-Countries-Outline-Pri nciples-on-Cyber-Security-98661289.html -http://homelandsecuritynewswire.com/first-15-nations-agree-start-working-togethe r-cyber-arms-control [Editor's Note (Schultz): It would in theory be a good thing if the countries mentioned in this news item would agree to provisions of a cyber arms control treaty. Even if the countries involved attempted to abide by these provisions, however, I doubt whether they could significantly suppress the activity of cybercriminals within each country. ]
Privacy Implications of Cyber Attack Attribution Technology (July 15, 2010)
In testimony at a US House of Representatives Science and Technology Committee's Subcommittee on Technology and Innovation hearing on cyber attack attribution, experts on cyber security and privacy say that efforts to identify those behind cyber attacks are likely to violate privacy rights. Some voiced concerns that new technologies could be abused by oppressive governments to identify those perceived as enemies. Proposed technologies that would assign Internet identifiers may not be legal in the US, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). -http://www.computerworld.com/s/article/9179215/Some_experts_question_efforts_to_ identify_cyberattackers?taxonomyId=144 -http://www.govinfosecurity.com/articles.php?art_id=2758 -http://science.house.gov/press/PRArticle.aspx?NewsID=2882 [Editor's Note (Pescatore): Many of these proposals are akin to saying "everyone in the physical world has to wear a t-shirt with their real name on it when they walk around the streets so that police can identity criminals." In the physical world, most commerce is anonymous and any merchant can request stronger authentication for non-cash transactions. The same is already true on the Internet. ]
**************************** SPONSORED LINKS ************************** 1) Top Layer Security's new Intrusion Prevention System appliances free with maintenance. Broadest protection, ultra-reliable, and blazing performance. http://www.sans.org/info/62318
2) RETHINKING PROVISIONING: New security and identity management requirements? Get a roadmap for success. Watch webcast! http://www.sans.org/info/62323
3) Did you miss the July 15 WhatWorks Webcast: Moving 100 percent into the Cloud...Securely sponsored by Altor? Available now http://www.sans.org/info/62328
Washington Post In-Depth Report: Top-Secret America (July 19, 2010)
In the wake of the September 11 attacks, the US created a world of top-secret organizations "so large, so unwieldy and so secretive that no one knows ... exactly how many agencies do the same work," according to a two-year investigation by the Washington Post. Although just a few people within the US Defense Department are designated Super-Users, meaning they are permitted to know about all activities within the department, one of them noted, "I'm not going to live long enough to be briefed on everything." Because there is no process to coordinate all the counterterrorism, intelligence and related efforts, there is also no way to determine if the efforts are making the country any safer. This is the first in a series of articles. -http://projects.washingtonpost.com/top-secret-america/articles/a-hidden-world-gr owing-beyond-control/print/ -http://projects.washingtonpost.com/top-secret-america/articles/editors-note/
Vulnerability Affects Millions of Home Routers (July 15, 18 & 19, 2010)
US law enforcement officials has ordered Blogetery to shut down. The blogging service, which had an estimated 70,000 users, disappeared on July 9. The permanent shut down came at the "request of law enforcement officials, due to material hosted on the server," according to Blogetery webhosting provider Burstnet.com. Users will not be able to access content they stored with Blogetery. Burstnet went on to say that "this was not a typical case, in which suspension and notification would be the norm." IPBFree, a message board service, was closed earlier this month. IPBFree.com administrators are "legally precluded from discussing the exact bits of what happened," but that service have been permanently shut down as well. -http://www.theregister.co.uk/2010/07/19/blogetery_closure/ -http://news.cnet.com/8301-31001_3-20010877-261.html?tag=mncol;txt
Man Arrested in Germany for Alleged Webcam Hacking (July 19, 2010)
An unnamed man has been arrested in Germany for allegedly using malware to gain access to webcams and spying on 150 girls. The illegal activity was discovered when some girls complained their computers were running erratically; the machines were examined by a specialist who found evidence of a Trojan horse program. The malware appears to have spread through the ICQ messaging program. Analysis traced the communications to the suspect's home. -http://www.theregister.co.uk/2010/07/19/german_webcam_perv_arrest/ [Editor's Note (Northcutt): How hard can it be to put a piece of blue painter's tape over your laptop's (over your daughter's laptop's) camera? So far I have only found a few folks that want to video Skype, but maybe I am running with the wrong crowd. If you take the time to read the article, at the bottom take note of the related stories. There is a lot of this going on. The first time I heard of it was a hacker using Back Orifice 2000 to turn a microphone on to listen to a management meeting using the tricked out PC in the conference room of a defense contractor. ]
The (Duped) Friends of Robin Sage (July 18, 2010)
A series of phony social networking profiles set up by a security consultant gathered nearly 300 connections in less than a month, including members of the US military and the National Reconnaissance Office which oversees deployment of spy satellites. The profiles claimed to belong to Robin Sage, an attractive young woman who claimed to be working as a cyber threat analyst at the US Navy's network Warfare Command. Some of her contacts divulged information they should not have; for instance, a soldier uploaded a photograph of himself in Afghanistan that included embedded data describing his precise location. The profiles contained numerous red flags: the amount of experience she listed would have had her staring to work in cyber security at 15 and the name was taken from the code name of an annual US Special Forces military exercise. -http://www.washingtontimes.com/news/2010/jul/18/fictitious-femme-fatale-fooled-c ybersecurity/ [Editor's Note (Northcutt): Yup, I linked to her. However, I have been trying to build my list of contacts to an edgier world of blacker hats than I run with to try to build content for an Anti Forensics workshop, so I probably have a few more curiosities in my list, but I am surely careful what I post. ]
Warrant Withdrawn in Gizmodo iPhone Case (July 16, 17 & 18, 2010)
Colorado Businesses at Risk of Fraud Due to Open Registration on Sec. of State's Site (July 16, 2010)
Officials in Colorado are warning the state's 800,000 registered businesses about a corporate identity fraud scam. More than US $750,000 in fraudulent purchases have been made at various stores. The problem lies in the Colorado Secretary of State's business registration system. Businesses are required to register details with the office and the information is public record. However, the online system allows anyone to view and alter the information contained in each business's record. At least 35 Colorado businesses have reported that thieves have altered their companies' contact information and established lines of credit with the fraudulent contact information that were then used to make large purchases from stores like Home Depot, Dell and Apple. The state could add a password level of protection to help guard against unauthorized alterations, but a spokesperson for Colorado's Secretary of State said it would have to hire at least half a dozen people to implement and support the plan. Businesses can sign up to be notified by email if changes are made to their records. Five people have been arrested in California in connection with the scheme. -http://www.computerworld.com/s/article/9179251/Colorado_warns_of_major_corporate _ID_theft_scam?taxonomyId=82
The Editorial Board of SANS NewsBites Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
I've been managing multi-million dollar projects for years but always felt muddled as to the formal activities required. Halfway through the SANS PM course, things are becoming clear at last. -Matt Harvey, US DOJ