SANS NewsBites - Volume: XIII, Issue: 93


Good News!
Yesterday, Mark Weatherford took over as Deputy Undersecretary for Cyber
Security at the U.S. Department of Homeland Security. For the first time
in many years, the U.S. cybersecurity program will be run by a
technologist rather than by a lawyer. There are good reasons to believe
that this change will herald an era of greater balance in national
cybersecurity leadership between NSA and DHS. DHS has made five very
important advancements in cybersecurity leadership, driven by
technologists. The most important one shifts over $400 million per year
away from paper-based checklist security and toward technology-based,
automated, continuous monitoring of security, providing continuous
situational awareness - a goal that DHS and NSA share. By combining the
buying power of civilian agencies through DHS and of military agencies
through NSA/DISA, total situational awareness and rapid risk reduction
can be made very inexpensive across the federal government. That
change, driven by DHS technologists, is in paragraph 28 of the directive
posted at the White House site:
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf

Paragraph 28 in this White House directive answers the question: "Is a
security reauthorization still required every 3 years or when an
information system has undergone significant change as stated in OMB
Circular A-130?" Answer: "No. Rather than enforcing a static, three-year
reauthorization process, agencies are expected to conduct ongoing
authorizations of information systems through the implementation of
continuous monitoring programs. Continuous monitoring programs thus
fulfill the three year security reauthorization requirement, so a
separate re-authorization process is not necessary."
Alan

PS Because of the enormous security improvements to be gained through
continuous monitoring, and the huge potential cost savings, and because
of the powerful role played by Inspectors General (IGs) in determining
what security initiatives are given priority, an independent oversight
group has been established to evaluate IG and GAO reports on security
over the next several years, measuring how well the IGs assess the
continuous monitoring programs and how effectively they press agencies
to move away from the discredited three-year static process. The
independent group is led by Franklin Reeder who was the top IT official
and Chief of Information Policy at OMB (where he led the development of
the Privacy Act of 1974 and the Computer Security Act of 1987).

*************************************************************************
SANS NewsBites                     November 22, 2011                    Volume: XIII, Issue: 93
*************************************************************************
TOP OF THE NEWS

  More Details Emerge About Cyber Attack at Water Utility
  Anonymous Gains Access to Computer Forensics Specialists Mailing List Archive
  Wyden Says He Will Filibuster Protect IP Act if it Gets to the Floor
  Legislators Investigating Possibility that Chinese Telecom Equipment Enables Spying

THE REST OF THE WEEK'S NEWS

  Bradley Manning Court Date Set
  UK Police Shut Down 2,000+ Websites for Piracy and Theft
  Deadline Extended for HIPAA Transaction Standard Compliance
  Chrome Update Addresses JavaScript Flaw
  AT&T Notifying Customers of Attempted Information Theft
  Senate Will Vote on Cyber Security Legislation in 2012
  Judge Says Warrant Required to Obtain Cell Phone Data
  SOPA Support Dwindling


*************************** Sponsored By IBM ***************************

Register today for SANS Analyst webcast sponsored by IBM, "Integrating Security into Development, No Pain Required" FREE SANS Analyst Paper also available at http://www.sans.org/info/91656

**************************************************************************

TRAINING UPDATE

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************


TOP OF THE NEWS

More Details Emerge About Cyber Attack at Water Utility (November 19 & 21, 2011)
A hacker reportedly gained access to a Supervisory Control and Data Acquisition (SCADA) system at a water utility in Illinois and tampered with a water pump, causing it to burn out. The attack used IP addresses that originated in Russia. The exploit was conducted through the phpMyAdmin open source tool, which has a significant number of known vulnerabilities; questions are arising about why this particular piece of software was being used at the water utility. Federal authorities are investigating the incident. In a separate incident, a hacker using the online handle "pr0f" claims to have launched an attack against a SCADA system at a Houston, Texas, water treatment facility. That attack, according to the hacker, was made possible through "gross stupidity," as the software he exploited was protected with a three-character password.
-http://www.zdnet.com/blog/security/scada-systems-at-the-water-utilities-in-illinois-houston-hacked/9821?tag=mantle_skin;content
-http://www.informationweek.com/news/security/attacks/231903481
-http://www.h-online.com/security/news/item/Hacker-destroys-pump-in-US-water-utility-1381968.html
-http://www.bbc.co.uk/news/technology-15817335
-http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/
-http://www.computerworld.com/s/article/9222014/Apparent_cyberattack_destroys_pump_at_Ill._water_utility?taxonomyId=82
-http://www.scmagazineus.com/water-utilities-in-illinois-houston-reportedly-hacked/article/217173/
-http://news.cnet.com/8301-1009_3-57327968-83/hacker-says-he-broke-into-texas-water-plant-others/
-http://www.v3.co.uk/v3-uk/news/2126382/scada-hack-blamed-breach-water-plant


Anonymous Gains Access to Computer Forensics Specialists Mailing List Archive (November 19, 2011)
Members of the hacking collective known as Anonymous have gained access to the Google account of a retired supervisor of a cyber crime investigation organization in southern California and released 38,000 emails taken from that account. Among the information exposed in the hack is the International Association of Computer Investigation Specialists mailing list archive, which includes discussions from specialists around the world.
-http://www.wired.com/threatlevel/2011/11/anonymous-hacks-forensics/


Wyden Says He Will Filibuster Protect IP Act if it Gets to the Floor (November 21, 2011)
US Senator Ron Wyden (D-Oregon) says he will filibuster the Senate's Protect IP Act (PIPA), which is similar to the House's Stop Online Piracy Act (SOPA). Wyden put a hold on the bill earlier this year, but there are rumors that there are enough votes to override the hold after the Thanksgiving recess.
-http://www.wired.com/threatlevel/2011/11/wyden-pipa-filibuster/
[Editor's Note (Murray): This bill is very unpopular with the public. Demand Progress asserts that 20000 of their members have asked Senator Wyden to read their names as part of his threatened filibuster. On the other hand, the bill is popular among the legislators because it is backed by the very generous RIAA and MPAA. The rights of publishers, no matter how legitimate, do not trump all other interests. The legitimacy of the rights that one asserts is not measured by the contribution that accompanies the assertion.]


Legislators Investigating Possibility that Chinese Telecom Equipment Enables Spying (November 17 & 21, 2011)
The US House Permanent Select Committee on Intelligence (HPSCI) will conduct an investigation into the possibility that Chinese telecommunications companies operating in the US are conducting cyber espionage. The committee will examine the possibility that Chinese telecommunications equipment - servers, routers and switches - could be used to help the Chinese government obtain sensitive information from the US.
-http://www.computerworld.com/s/article/9221998/House_committee_to_investigate_China_s_Huawei_ZTE
-http://www.theregister.co.uk/2011/11/21/us_probe_chinese_telco_firms/
-http://www.wired.com/dangerroom/2011/11/china-trojan-horse-congress/




THE REST OF THE WEEK'S NEWS

Bradley Manning Court Date Set (November 21, 2011)
More than a year-and-a-half after he was arrested, Pfc Bradley Manning, who allegedly leaked classified documents to WikiLeaks, will have a public hearing at Ft. Meade in Maryland. The Article 32 hearing is set for December 16; it is similar to a civilian court grand jury hearing in that the judge will hear evidence to determine if there are sufficient grounds for a court-martial. If convicted on all charges, Manning could face life in prison. The hearing will be open to the media and the public except when classified information is discussed.
-http://www.wired.com/threatlevel/2011/11/bradley-manning-hearing/


UK Police Shut Down 2,000+ Websites for Piracy and Theft (November 18 & 21, 2011)
Police in the UK have shut down more than 2,000 websites believed to be selling counterfeit or non-existent merchandise. The goods offered for sale include clothing, jewelry and sporting equipment. In some cases, payment was taken but the merchandise was never delivered. UK domain registrar Nominet helped pinpoint and shut down the offending sites. In a separate but related story, proposed changes to Nominet policy would allow the organization to deny requests for site takedowns unless provided with a court order or the site allegedly puts the public at risk, for instance, by selling questionable medications.
-http://www.bbc.co.uk/news/technology-15820758
-http://www.gizmodo.co.uk/2011/11/police-knock-2000-counterfeiting-co-uk-domains-offline/
-http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=3319720
-http://www.eweekeurope.co.uk/news/police-shutter-2000-fraudulent-shopping-sites-46617
-http://www.theregister.co.uk/2011/11/18/dotuk_takedown_refresh/


Deadline Extended for HIPAA Transaction Standard Compliance (November 17, 2011)
Federal officials are giving healthcare providers an additional three months to comply with the new version of the Health Insurance Portability and Accountability Act (HIPAA) transaction and code set standards. Initially, the deadline was set for January 1, 2012, but now providers have until March 31, 2012 to comply. The standard applies to medical transaction processing, and is aimed at helping to track diagnoses and treatment.
-http://www.computerworld.com/s/article/9221981/Feds_back_off_on_Jan.1_eHealth_standards_deadline?taxonomyId=84
-http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf



Chrome Update Addresses JavaScript Flaw (November 17 & 18, 2011)
Google's latest Chrome update addresses a vulnerability in the browser's JavaScript engine. The out-of-bounds write flaw could be exploited to allow remote code execution, but because Chrome uses native sandboxing, the vulnerability is considered less severe. Google Chrome 15.0.874.121 is available for Windows, Mac OS X, and Linux.
-http://www.computerworld.com/s/article/9222000/Google_Chrome_update_addresses_high_severity_flaw?taxonomyId=145
-http://www.msnbc.msn.com/id/45357749/ns/technology_and_science-security/
-http://www.h-online.com/open/news/item/Chrome-15-update-fixes-high-risk-vulnerability-1380555.html



AT&T Notifying Customers of Attempted Information Theft (November 21, 2011)
AT&T is letting its customers know that attackers attempted to steal online account data; the company does not believe that any information was actually obtained. The "organized and systematic" effort to gather the data was conducted with the help of auto-script technology to see which AT&T phone numbers are linked to which AT&T online accounts. AT&T spokesman Mark Siegel wrote in an email to customers that an investigation is underway.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/11/21/bloomberg_articlesLV14976S972L.DTL
-http://www.washingtonpost.com/business/technology/atandt-customer-account-hack-attempted-no-accounts-compromised/2011/11/21/gIQA0tcoiN_story.html
-http://technolog.msnbc.msn.com/_news/2011/11/21/8935345-att-tells-customers-of-hack-attempt
-http://www.theregister.co.uk/2011/11/21/att_attack/
[Editor's Comment (Northcutt): I am an ATT customer and I have not received anything by email. The news stories say it was one percent of customers. We will see what next week brings.]
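The AT&T item above describes a scripted effort to work out which phone numbers map to which online accounts. As an added example that is not from the newsletter or from AT&T, the Python below shows one way a web application owner could spot that pattern in access logs: it flags any client that queries many distinct phone numbers against an account-lookup endpoint inside a short window, and reports how often those lookups came back "not found" (a high miss rate is typical of guessing). The endpoint path /account/lookup, the phone query parameter, the 404 response for unlinked numbers, and the log lines themselves are all constructed for this example.

```python
"""
Spot scripted phone-number-to-account enumeration in web access logs.

Heuristic: a genuine customer looks up one or two numbers; a script walks
through many distinct numbers quickly. Per client IP we keep a sliding
time window and track the peak count of distinct numbers seen inside it.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint and parameter names, assumed for this example.
LOOKUP_PATH = "/account/lookup"
PHONE_RE = re.compile(r"[?&]phone=(\d+)")

# Apache/Nginx combined-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one client walking a number range in ten seconds
# (mostly 404s, i.e. number not linked to an account), one client checking
# the same number twice five minutes apart, plus unrelated and broken lines.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2011:10:00:01 +0000] "GET /account/lookup?phone=5551230001 HTTP/1.1" 404 52
203.0.113.7 - - [21/Nov/2011:10:00:02 +0000] "GET /account/lookup?phone=5551230002 HTTP/1.1" 200 310
203.0.113.7 - - [21/Nov/2011:10:00:03 +0000] "GET /account/lookup?phone=5551230003 HTTP/1.1" 404 52
203.0.113.7 - - [21/Nov/2011:10:00:04 +0000] "GET /account/lookup?phone=5551230004 HTTP/1.1" 404 52
203.0.113.7 - - [21/Nov/2011:10:00:05 +0000] "GET /account/lookup?phone=5551230005 HTTP/1.1" 404 52
203.0.113.7 - - [21/Nov/2011:10:00:06 +0000] "GET /account/lookup?phone=5551230006 HTTP/1.1" 200 310
203.0.113.7 - - [21/Nov/2011:10:00:07 +0000] "GET /account/lookup?phone=5551230007 HTTP/1.1" 404 52
203.0.113.7 - - [21/Nov/2011:10:00:08 +0000] "GET /account/lookup?phone=5551230008 HTTP/1.1" 404 52
198.51.100.4 - - [21/Nov/2011:10:00:05 +0000] "GET /account/lookup?phone=5559876543 HTTP/1.1" 200 310
198.51.100.4 - - [21/Nov/2011:10:05:00 +0000] "GET /account/lookup?phone=5559876543 HTTP/1.1" 200 310
198.51.100.4 - - [21/Nov/2011:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is not a log entry at all
"""


def parse_line(line):
    """Return a lookup event dict for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(LOOKUP_PATH):
        return None
    phone = PHONE_RE.search(m.group("path"))
    if not phone:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "phone": phone.group(1),
        "status": int(m.group("status")),
    }


def find_enumerators(lines, window=timedelta(seconds=60), distinct_threshold=5):
    """Map client IP -> stats for clients exceeding the distinct-number threshold."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # distinct phone -> occurrences inside the window
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            in_window[ev["phone"]] += 1
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["phone"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= distinct_threshold:
            misses = sum(1 for e in evs if e["status"] == 404)
            flagged[ip] = {
                "peak_distinct_numbers": peak,
                "requests": len(evs),
                "not_found_ratio": round(misses / len(evs), 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats}")
```

The two signals complement each other: the distinct-number count catches the walk itself, while the not-found ratio separates a script probing unknown numbers from a busy but legitimate client. In production the threshold and window would be tuned against normal traffic for the endpoint, and the same per-client counters can drive rate limiting rather than just alerting.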


Senate Will Vote on Cyber Security Legislation in 2012 (November 17, 2011)
Senate Majority Leader Harry Reid (D-Nevada) has informed House Republicans that he will bring cyber security legislation to the floor early next year. In a letter to Senate Minority Leader Mitch McConnell (R-Kentucky), Reid wrote that "given the magnitude of the threat [of cyber attacks and cyber espionage] and the gaps in the government's ability to respond, we cannot afford to delay action on this critical legislation."
-http://www.bloomberg.com/news/2011-11-17/reid-to-move-on-senate-cybersecurity-legislation-in-early-2012.html
-http://cybersecurityreport.nextgov.com/2011/11/full_senate_to_vote_on_cyber_legislation_upon_return_next_year.php?oref=latest_posts



Judge Says Warrant Required to Obtain Cell Phone Data (November 17, 2011)
US District Judge Lynn Hughes has upheld a 2010 ruling that federal authorities need a search warrant to gain access to cell phone data that could be used to track the user's whereabouts. The earlier ruling from a magistrate judge denied three separate requests for cell phone companies to provide the information without a warrant. Hughes's ruling says that the information sought is constitutionally protected and requires a search warrant to be obtained. The authorities were requesting the information under the Stored Communications Act.
-http://www.washingtonpost.com/national/houston-federal-judge-rules-that-feds-need-search-warrant-to-get-cellphone-tracking-data/2011/11/18/gIQABS8OZN_story.html



SOPA Support Dwindling (November 17 & 18, 2011)
Opposition to the House's Stop Online Piracy Act (SOPA) is on the rise. Legislators on both sides of the aisle have voiced opinions that the legislation would not work as currently drafted. According to Representative Darrell Issa (R-California), original sponsors of the bill are showing less support for it as they learn about the impact its provisions could have on the Internet. Issa has called the measure extreme and said that he "didn't like the way [it] was being assembled," acknowledging the need for flexibility because "any rule you write has to assume innovation will make it obsolete quickly." The Department of Energy's Sandia National Laboratory has said that SOPA would thwart the deployment of DNSSEC. Sandia's mission includes research on infrastructure security and cyber security. A hearing on the issue earlier this week drew criticism for heavily favoring supporters of the measure in representation. Organizations that felt unrepresented at the hearing raised public outcry, asking people to contact their legislators and let their opinions be known.
-http://thehill.com/blogs/hillicon-valley/technology/194635-gops-issa-effort-to-grease-the-skids-for-online-piracy-bill-has-failed
-http://arstechnica.com/tech-policy/news/2011/11/strange-bedfellows-nancy-pelosi-ron-paul-join-sopa-opposition.ars
-http://www.theregister.co.uk/2011/11/20/sopa_breaks_dnssec/
-http://news.cnet.com/8301-31921_3-57326956-281/sandia-labs-sopa-will-negatively-impact-u.s-cybersecurity/
-http://www.wired.com/threatlevel/2011/11/blacklist-bill-analysis/
SOPA FAQ:
-http://www.computerworld.com/s/article/9221979/FAQ_What_the_SOPA_soap_opera_is_all_about?taxonomyId=144



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/