SANS NewsBites - Volume: XII, Issue: 59


If you want a preview of how security careers and jobs (and government contracts) will be changing, come to this Thursday's (July 29) breakfast that Government Executive is sponsoring (free) at the National Press Club in Washington. The speakers are in a unique position to know what's
coming. The site says for feds only, but the program is open to contractors, as well because so many of the cyber security jobs are filled with contractors and the changes will have a major impact on which contractors win and lose. Register at: www.govexec.com/cyber_insider

Alan

*************************************************************************
SANS NewsBites                     July 27, 2010                    Volume: XII, Issue: 59
*************************************************************************
TOP OF THE NEWS

  Google Obtains Government Security Clearance for Cloud Services
  UK Launches Cyber Security Challenge
  Technician Testifies that PCs on Doomed Oil Rig Troubled by Blue Screen of Death
  SCADA Systems in Iran Hardest Hit by Stuxnet Worm
  Siemens Offers Stuxnet Removal Tool, Warns of Potential for Disruptions

THE REST OF THE WEEK'S NEWS

  Leaked Afghanistan War Document Archive Spans Six Years
  Jailbreaking iPhones Does Not Violate DMCA
  UAE Says Blackberries May be Security Threat
  Man Admits to Infecting Thousands of Computers With Malware
  Mozilla Updates Firefox for Second Time in a Week
  Dell Blames Infected Replacement Motherboards on Human Error
  UK Ministry of Defense Lost 240 Laptops in Two Years


************************ Sponsored By IBM (ISS) **************************
PCI compliance is a challenge for midsize and large companies alike, as there are four phases to meeting the PCI DSS requirements: assessment, remediation, compliance and maintenance. Read this white paper as IBM reveals five key 'sticking points' organizations have been facing on the path to PCI DSS compliance.
http://www.sans.org/info/62668

***************************************************************************
TRAINING UPDATE - -- SANS Boston 2010, August 2-9, 2010 10 courses. Special Events includes Rapid Response Security Strategy Competition; Bonus evening presentations include Exploit Discovery and Development; Embedded System Hacking and My Plot to Take Over the World
http://www.sans.org/boston-2010/

- -- SANS Virginia Beach 2010, August 27-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security; Hack Back! The Advanced Persistent Threat; and Securing the Human.
http://www.sans.org/virginia-beach-2010/

- -- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

- -- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/index.php

*************************************************************************


TOP OF THE NEWS

Google Obtains Government Security Clearance for Cloud Services (July 26 & 27, 2010)
Google has obtained security clearance to sell its cloud computing services to the US federal government. The clearance given to Google Apps for Government does not apply to classified government data. Google is hopeful now that it has obtained clearance for federal government use, government agencies at the state and local levels will also consider using its products. The clearance marks the first time the US government has given approval for the use of online software.
-http://www.latimes.com/business/la-fi-google-apps-20100727,0,5765918.story
-http://www.msnbc.msn.com/id/38416304/ns/technology_and_science-security/
-http://www.theregister.co.uk/2010/07/26/google_apps_for_government/


UK Launches Cyber Security Challenge (July 26, 2010)
The UK has launched its Cyber Security Challenge to identify the next generation of cyber security talent. The challenge also draws attention to a field that is sorely in need of increasing its skilled workforce. The challenge comprises several competitions. One of the competitions is a virtual treasure hunt in which participants will look for vulnerabilities in a specially-crafted website. That competition will take place on several designated days between September and December 2010. A second challenge will have teams of competitors taking over a simulated network and defending it against attacks launched by professionals. The third competition is a team digital forensics challenge. The strongest competitors will receive vouchers for university study, special cyber security training courses and internships at companies. Registration for the competitions began on Monday, July 26. Cyber Security Challenge Web Site:
-https://cybersecuritychallenge.org.uk/
-http://www.pcworld.com/businesscenter/article/201846/uk_launches_computer_securi
ty_training_exercises.html

-http://www.bbc.co.uk/news/technology-10742588
-http://www.zdnet.co.uk/news/security/2010/07/26/cyber-security-challenge-kicks-o
ff-40089645/

[Editor's Note (Honan): The teaser challenge appears to have been cracked already
-http://www.theregister.co.uk/2010/07/27/uk_challenge_cipher_cracked/?utm_source=
twitterfeed&utm_medium=twitter
]



Technician Testifies that PCs on Doomed Oil Rig Troubled by Blue Screen of Death (July 23, 2010)
The chief electronics technician on the Deepwater Horizon oil rig has testified that a computer on the rig that monitored and controlled drilling operations had been freezing up and experiencing the blue screen of death before the rig's explosion that marked the beginning of the oil leak in the Gulf Coast. The freezes meant the driller did not have access to necessary information about the well. Michael Williams, who is a former Marine, also said that the safety alarm aboard the deepwater horizon had been switched to a bypass mode to avoid waking sleeping crew members. The safety alarm was to alert the crew to dangerous levels of combustible gases.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/07/23/AR2010072305419.
html?hpid=topnews

-http://www.computerworld.com/s/article/9179595/Tech_worker_testifies_of_blue_scr
een_of_death_on_oil_rig_s_computer?taxonomyId=83

[Editor's Note (Shultz): This sad story once again points to the importance of operating system resilience and reliability in critical operational systems. ]


SCADA Systems in Iran Hardest Hit by Stuxnet Worm (July 23, 2010)
Details about the attacks involving the Stuxnet worm continue to emerge. The worm targets systems running certain supervisory control and data acquisition (SCADA) software. The malware appears to be designed with the capability of stealing proprietary information from the companies whose systems it infects. The malware spreads through USB drives. It exploits an unpatched vulnerability, uses real digital certificates, and is tailored to search for specific SCADA systems and download their systems' operations histories. The malware affected systems in Iran, Indonesia, India, Ecuador, the US, Pakistan and Taiwan; Iran is believed to be the hardest hit.
-http://www.csmonitor.com/USA/2010/0723/Stuxnet-spyware-targets-industrial-facili
ties-via-USB-memory-stick

-http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_wo
rm?source=rss_newss



Siemens Offers Stuxnet Removal Tool, Warns of Potential for Disruptions (July 22, 2010)
Siemens, the company that manufactures the SCADA software targeted by the Stuxnet worm, has made available a program called Sysclean that detects and removes the malware, but warns that because each facility is individually configured, the malware removal program could cause unforeseen problems. Siemens has taken flak recently for not fixing the default password flaw exploited by the malware when the problem was first disclosed two years ago.
-http://www.theregister.co.uk/2010/07/22/siemens_scada_worm/
-http://www.computerworld.com/s/article/9179551/Siemens_Removing_SCADA_worm_may_h
arm_industrial_systems?taxonomyId=145

[Editor's Comment (Northcutt): It wasn't that long ago, that you had trouble finding real world story that proved we needed to harden SCADA systems. You would go to security presentations to hear the Vitek Boden sewage release story *again*. Looking back I kind of miss those days.
-http://ddanchev.blogspot.com/2006/10/scada-security-incidents-and-critical.html]



**************************** SPONSORED LINKS **************************
1) Attend the SANS WhatWorks in Virtualization and Cloud Computing Summit and discover real-world solutions for securing your virtual infrastructure recommended by experts and deployed by your peers.
http://www.sans.org/info/62673


2) Did you miss an important SANS webcast event? Available on demand today: WhatWorks Webcast with Alan Paller - Moving 100% into the Cloud Securely
http://www.sans.org/info/62678

*************************************************************************




THE REST OF THE WEEK'S NEWS

Leaked Afghanistan War Document Archive Spans Six Years (July 25, 26 & 27, 2010)
Tens of thousands of secret documents about the war in Afghanistan have been leaked on the WikiLeaks site. The source of the leaks has not been identified, but suspicion has fallen on Pfc Bradley Manning, who earlier this year was arrested for allegedly leaking about 260,000 diplomatic cables and video footage of a US airstrike in Iraq. The Afghanistan documents cover six years and the information they contain has been described as "more grim" than what is offered through traditional news sources. Unsurprisingly, the government has been giving more attention to the "scale and scope" of the leak itself rather than to the content of the documents, saying that the documents contained little or no new information.
-http://www.washingtonpost.com/wp-dyn/content/article/2010/07/26/AR2010072605657_
pf.html

-http://www.google.com/hostednews/afp/article/ALeqM5is8LYL2vSAA3htYM4JeqQ_pygAyQ
-http://www.nytimes.com/2010/07/26/world/asia/26warlogs.html?scp=4&sq=wikilea
ks&st=cse



Jailbreaking iPhones Does Not Violate DMCA (July 26, 2010)
US federal regulators have said that jailbreaking Apple iPhones is not a violation of the Digital Millennium Copyright Act (DMCA). The USA Librarian of Congress and the US Copyright Office decide every three years on a list of proposed exemptions to 1998's DMCA. The Copyright Office said of the iPhone that "while a copyright holder might try to restrict the programs that can be run on a particular operating system, copyright law is not the vehicle for imposition of such restrictions." The decision, issued on Monday, July 26, covers all smart phones, but does not apply to iPads.
-http://www.wired.com/threatlevel/2010/07/feds-ok-iphone-jailbreaking/
-http://www.wired.com/images_blogs/threatlevel/2010/07/dmcaexemps.pdf
[Editor's note (Pescatore): This mostly means Apple can't use DMCA as a threat in sending out cease and desist letters to sites hosting jailbreaking tools, and there hasn't been much evidence Apple was doing that anyway. This doesn't change Apple's ability to run an application store, nor does it mean enterprises should look positively at any phone or PC that is running modified versions of vendor operating systems. ]


UAE Says Blackberries May be Security Threat (July 26, 2010)
The United Arab Emirates has said that BlackBerry smartphones are potential security threats. According to a UAE government statement, the BlackBerry "operates beyond the jurisdiction of national legislation since it is the only device ... that exports its data off-shore and is managed by a foreign commercial organization." The UAE may decide to monitor or restrict Blackberry use in that country. Research in Motion, Blackberry's parent company, uses encrypted networks, which frustrates the UAE's efforts to monitor communications. In June 2009, a large UAE mobile operator attempted to get BlackBerry users to install an update that RIM maintains was spyware.
-http://www.cnn.com/2010/TECH/mobile/07/26/uae.blackberry.review/index.html
-http://www.bbc.co.uk/news/technology-10761210
-http://www.npr.org/templates/story/story.php?storyId=128767715
[Editor's Note (Pescatore): Generally, governments don't like RIM's architecture because it is very difficult for them to have visibility into email carried by RIM. This is generally a good thing from the email user's perspective, but each country makes its own decisions on the balance between privacy and government surveillance. ]


Man Admits to Infecting Thousands of Computers With Malware (July 26, 2010)
An Australian man has admitted to infecting 74,000 computers and stealing bank and credit card information. Anthony Scott Harrison pleaded guilty to modifying computer data to cause harm or inconvenience, possession and control of data to commit a serious computer offense and dishonestly manipulating a machine for his own benefit. The 20 year old created malware capable of accessing bank accounts around the world.
-http://www.securecomputing.net.au/News/220989,adelaide-hacker-pleads-guilty-to-i
nfecting-3000-pcs.aspx

-http://www.news.com.au/technology/computer-virus-created-by-anthony-scott-harris
on-sparked-worldwide-alert/story-e6frfrnr-1225897175334



Mozilla Updates Firefox for Second Time in a Week (July 26, 2010)
Mozilla pushed out Firefox 3.6.8 to address a critical vulnerability in the browser just days after the company issued Firefox 3.6.7 to address 14 vulnerabilities. The problem addressed in the most recent release is a crash with signs of memory corruption caused by a fix in version 3.6.7 for a plug-in parameter array crash.
-http://www.h-online.com/security/news/item/Mozilla-releases-Firefox-3-6-8-to-clo
se-critical-vulnerability-1044973.html

-http://www.theregister.co.uk/2010/07/26/firefox_plug_in_stability_update/
-http://www.informationweek.com/blog/main/archives/2010/07/mozilla_patches.html
-http://www.mozilla.org/security/announce/2010/mfsa2010-48.html
-http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/


Dell Blames Infected Replacement Motherboards on Human Error (July 23, 2010)
The spyware embedded in the flash memory of certain replacement server motherboards from Dell has been blamed on human error, according to the company. Dell has not offered any specific information about how the malware was introduced into the products, but did say that it has established procedures to improve processes.
-http://www.theregister.co.uk/2010/07/23/dell_malware_update/
[Editor's Note (Pescatore): As opposed to vegetable or mineral error? This was corporate error, and corporations are composed of humans - at least so far. Failure to detect malware in a shipping product is a corporate error. ]


UK Ministry of Defense Lost 240 Laptops in Two Years (July 22, 2010)
According to statistics obtained through the UK's freedom of Information Act, the UK Ministry of Defense (MoD) lost 340 laptop computers over the course of two years. The majority of the computers were not encrypted; their total value has been estimated at GBP 620,000 (US $960,000). In addition, MoD reported missing 593 CDs, DVDs and floppy disks, 215 memory sticks, 96 removable disk drives and 13 mobile phones. Of the missing laptops, 220 were lost and 120 were stolen.
-http://www.dailymail.co.uk/news/article-1296773/MoD-loses-staggering-340-laptop-
computers-TWO-YEARS--encrypted.html?ito=feeds-newsxml

-http://darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleI
D=226200295&subSection=Storage+security



**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/