SANS NewsBites - Volume: XIII, Issue: 95

*************************************************************************
SANS NewsBites                     December 01, 2011                    Volume: XIII, Issue: 95
*************************************************************************
TOP OF THE NEWS

  FBI Discloses: Hackers Accessed Three Cities' Infrastructure via SCADA
  GAO Report Being Used To Cause Waste and Abuse in Federal Cybersecurity
  House Committee Passes Cyber Threat Info Sharing Legislation

THE REST OF THE WEEK'S NEWS

  Massive Iranian Missile Explosion: Was it Stuxnet 2?
  U.S. Legislator Wants Answers About Carrier IQ
  Windows Data Execution Prevention Could Have Helped Thwart RSA Hack
  Cyber Criminals Using 1-2 Punch of ACH Fraud and DDoS
  Cyber Attacks on Canadian Government Systems Part of Broader Scheme
  US Government Wants Details of Telecoms' Imported Network Components
  Duqu Servers Wiped in October
  US Cyber Command Conducts Week-Long Cyber Exercise
  HP Refutes Claim That Printer Flaw Could Be Exploited to Cause Fire
  Finnish IT Provider Computer Failure Affects Governments, Banks and Businesses
  French IT CEO Aims to Ban eMail Within His Company
  Malls Back Away From Cell Phone Tracking Technology


TRAINING UPDATE

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************


TOP OF THE NEWS

FBI Discloses: Hackers Accessed Three Cities' Infrastructure via SCADA (November 29, 2011)
The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems. "Essentially it was an ego trip for the hacker because he had control of those cities' systems and he could dump raw sewage into the lake, he could shut down the power plant at the mall - a wide array of things."
-http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml



GAO Report Being Used To Cause Waste and Abuse in Federal Cybersecurity (December 1, 2011)
An article in the December issue of Government Executive magazine, delivered to government officials this morning, shines a bright light on a GAO report that appears to be causing waste rather than promoting efficiency in federal IT management and cybersecurity. The report is being used to slow the adoption of efficiency-improving technology, thereby allowing waste, documented at more than $300 million each year, to continue. The GAO report evaluated a continuous security monitoring implementation, but failed to compare the continuous monitoring approach against the 3-year, annual or quarterly reporting that continuous monitoring replaces. Instead GAO looked for areas in which continuous monitoring can be expanded. By failing to make the key comparison, the report became useful to people who profit from report writing, allowing them to continue to make money writing reports instead of improving operational security.
-http://www.govexec.com/features/1211-01/1211-01adan1.htm


House Committee Passes Cyber Threat Info Sharing Legislation (November 30 & December 1, 2011)
In a 17-1 vote, the House Intelligence Committee has approved the Cyber Intelligence Sharing and Protection Act of 2011. The bill would encourage cyber threat information sharing between the public and private sectors. Under the proposed legislation, private companies would be exempt from liability for sharing information with the government and for failing to use the information to improve their networks' security. Data sharing would not be required of companies, and they would be permitted to choose which agencies they share information with. Critics of the bill say it does not make provisions for protecting citizens' privacy. Some of the bill's language has been modified to specify that only data that have to do with cyber security and national security could be shared.
-http://www.bloomberg.com/news/2011-12-01/verizon-supported-cybersecurity-bill-advances-in-u-s-house.html
-http://www.politico.com/news/stories/1211/69583.html
-http://www.washingtonpost.com/world/national-security/cybersecurity-bill-promotes-exchange-of-data-white-house-civil-liberty-groups-fear-measure-could-harm-privacy-rights/2011/11/30/gIQAD3EPEO_story.html
-http://gcn.com/articles/2011/12/01/cybersecurity-bill-info-sharing-no-privacy.aspx

[Editor's Note (Murray): It is not simply liability that resists sharing. Sharing is fundamentally dangerous. Too much of it makes leaks inevitable. When government asks the private sector why they do not share, they use liability as an excuse; it is rude to say, "We do not trust you because you leak."
(Honan): Data sharing initiatives look good on paper. However such initiatives have failed often because government agencies do not seem to understand that sharing needs to go both ways. Too often information shared by the private sector is seen to not be acted upon with no feedback given and also government agencies not being transparent enough on how that information will be used.
(Ranum): "Sharing" only makes sense if the information flow is two directional (otherwise it's called "information gathering" not "information sharing") and if it's relevant - if there's something practical that can be done with it. Historically, security alerts from agency sources haven't been much more useful than "be on the lookout for hacking attacks." These sharing initiatives seem to amount to little more than public relations. ]




THE REST OF THE WEEK'S NEWS

Massive Iranian Missile Explosion: Was it Stuxnet 2? (November 18, 2011)
The massive explosion of the Sejil-2 ballistic missile at Iran's Revolutionary Guards Alghadir base may be due to a technical fault originating in the computer system controlling the missile and not the missile itself. The head of Iran's ballistic missile program Maj. Gen. Hassan Moghaddam was among the 36 officers killed in the blast which rocked Tehran 46 kilometers away. (Tehran reported 17 deaths although 36 funerals took place.)
-http://www.debka.com/article/21496/
Before and after photos of missile explosion.
-http://isis-online.org/isis-reports/detail/satellite-image-showing-damage-from-november-12-2011-blast-at-military-base/

[Guest Editor's Note (Eric Bassell): Seems to me there is a third plausible explanation for Iran's newest warhead exploding, one the article does not cover: poor engineering by Iranian scientists, resulting in an accidental discharge and premature explosion. ]


U.S. Legislator Wants Answers About Carrier IQ (December 1, 2011)
US Senator Al Franken (D-Minnesota) wants Carrier IQ to explain why its diagnostic software does not violate the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. In a letter to the company, Senator Franken writes that "it appears that [the] software captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics." Carrier IQ's software reportedly runs every time users turn on their smartphones and logs most every action they take on the device, including phone numbers dialed, contents of received text messages, contents of online search queries, even when encrypted, and users' locations while using the devices. The software is reportedly designed to help carriers learn what problems users are having and which features of their phones are the most popular.
-http://www.theregister.co.uk/2011/12/01/al_franken_carrier_iq/
-http://money.cnn.com/2011/12/01/technology/carrier_iq/index.htm
-http://www.zdnet.com/blog/btl/carrier-iq-speaks-out-points-finger-at-networks-customers/64528
-http://www.washingtonpost.com/blogs/faster-forward/post/today-in-tech-carrier-iq-draws-consumer-lawmaker-questions/2011/12/01/gIQAeewCIO_blog.html

-http://www.wired.com/threatlevel/2011/12/carrier-iq-backlash/
[Editor's Note (Murray): I really do not want to believe that the carriers want to monetize everything that they know about us. However, it is difficult to avoid suspicion. Kudos to Senator Franken. ]


Windows Data Execution Prevention Could Have Helped Thwart RSA Hack (December 1, 2011)
New research suggests that the attacks on RSA might have been prevented if the targeted machines had been running Windows 7 instead of Windows XP. The Data Execution Prevention (DEP) that is baked into Windows 7 could have stopped the intrusion that led to the data breach. The machines compromised in the attack appear to have been running XP without DEP enabled.
-http://www.informationweek.com/news/security/attacks/232200534
[Editor's Note (Ranum): Application white listing could have also helped thwart the attack. So could attachment stripping. It's easy to be Monday morning quarterbacks, isn't it? ]


Cyber Criminals Using 1-2 Punch of ACH Fraud and DDoS (November 30, 2011)
The FBI is warning that cyber criminals are using distributed denial-of-service (DDoS) attacks against banks as a diversionary tactic while simultaneously conducting phishing attacks that solicit sensitive data that are then used in fraudulent ACH transactions. The attackers are using a ZeuS variant known as Gameover. Spear phishing email messages are sent to targets; they are doctored to appear to come from the National Automated Clearing House Association (NACHA) and inform the recipient that a transfer was not completed. Once the fraudulent transaction has been made, the group launches a DDoS against the bank's site.
-http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/
-http://www.eweek.com/c/a/Security/Zeus-Criminals-Launch-DDoS-Attacks-to-Hide-Fraudulent-Wire-Transfers-139436/
-http://7thspace.com/headlines/400763/fbi_denver_cyber_squad_advises_citizens_to_be_aware_of_a_new_phishing_campaign.html



Cyber Attacks on Canadian Government Systems Part of Broader Scheme (November 30, 2011)
A cyber forensics expert says that the hackers responsible for attacks on Canadian government computers also launched attacks on a number of private sector companies. Daniel Tobok maintains that the attacks were all aimed at gathering information about an attempted corporate takeover. Tobok was called in to investigate a number of intrusions; he and his team began to see similarities between the incidents they were investigating.
-http://news.ca.msn.com/top-stories/foreign-hackers-targeted-canadian-firms-61?ocid=tweet



US Government Wants Details of Telecoms' Imported Network Components (November 30, 2011)
The US government is asking telecommunications companies to provide detailed information about their networks in an effort to determine if China and other countries are using exported network equipment to conduct espionage. The US Commerce Department has asked the companies to list both foreign-made components of their networks and security incidents. Congress's interest in this issue was prompted by "very specific material provided them [by the National Security Agency] in a classified setting."
-http://www.bloomberg.com/news/2011-11-30/obama-invokes-cold-war-security-powers-to-unmask-chinese-telecom-spyware.html



Duqu Servers Wiped in October (November 30, 2011)
Researchers at Kaspersky Labs say that those behind the Duqu Trojan have wiped their command and control servers of digital evidence. The action was taken on October 20, just days after news of the malware broke. Kaspersky researchers did manage to gather information about the command and control infrastructure; Duqu appears to have communicated with servers in India, Belgium, Vietnam, the Netherlands, Germany, Singapore, the UK, Switzerland, and South Korea.
-http://www.eweek.com/c/a/Security/Duqu-Attackers-Wiped-All-Linux-CC-Servers-to-Cover-Tracks-475981/
-http://www.computerworld.com/s/article/9222293/Duqu_hackers_scrub_evidence_from_command_servers_shut_down_spying_op?taxonomyId=82



US Cyber Command Conducts Week-Long Cyber Exercise (November 30, 2011)
Three hundred people participated in Cyber Flag, the US Cyber Command's first major exercise. The event took place at the Air Force Red Flag Facility at Nellis Air Force Base in Nevada. The US Cyber Command is part of the US Strategic Command and became operational last September.
-http://www.informationweek.com/news/government/security/232200508


HP Refutes Claim That Printer Flaw Could Be Exploited to Cause Fire (November 29 & 30, 2011)
Hewlett-Packard acknowledges that there is a vulnerability in some of its LaserJet printers, but says that the claim made by those who disclosed the flaw that it could be exploited to set the machines on fire is untrue. A hardware component of HP printers called the thermal breaker would prevent the overheating the researchers said could start the fire. The researchers claim that the flaw could also be exploited to steal documents and take control of networks. The essence of the problem lies in the fact that the vulnerable printers do not validate the origin of remote firmware updates.
-http://www.scmagazineus.com/hp-says-security-flaw-is-real-but-flames-are-unlikely/article/217911/
-http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

-http://www.theregister.co.uk/2011/11/30/hp_probes_fire_started_printer_vuln/
[Editor's Note (Murray): Responsible "security researchers" do not engage in hype to draw attention to their findings. "One must decide to be part of the problem or part of the solution." One cannot have it both ways. ]


Finnish IT Services Provider Computer Failure Affects Swedish Organizations (November 29, 2011)
A massive computer failure has disrupted service for at least 50 Swedish clients of Finnish IT supplier Tieto. The outage affects local governments, state agencies, banks and a major pharmacy. Tieto has not said when the problem will be fixed.
-http://www.stockholmnews.com/more.aspx?NID=8105
-http://spectrum.ieee.org/riskfactor/computing/it/one-major-it-problem-in-pennsylvania-fixed-another-in-sweden-goes-on



French IT CEO Aims to Ban eMail Within His Company (November 28, 30 & December 1, 2011)
Thierry Breton, CEO of French IT company Atos SA, has said that he wants to stop using email within his company. Instead, Breton wants his employees to communicate through collaborative social media. Breton hopes to eliminate the use of email within his company completely by spring of 2013. He says that email is a waste of time, and that just 10 percent of the emails his employees receive are actually important.
-http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html
-http://news.cnet.com/8301-17852_3-57333849-71/au-revoir-e-mail-and-this-from-an-it-boss/
-http://www.forbes.com/sites/tykiisel/2011/11/30/ceo-bans-email/
-http://www.theatlantic.com/business/archive/2011/12/the-case-for-banning-email-at-work/249252/



Malls Back Away From Cell Phone Tracking Technology (November 28, 2011)
Two US shopping malls have abandoned plans to track shoppers' locations using their cell phones. Senator Charles Schumer (D-New York) contacted the malls, voicing his concerns that the practice violates citizens' privacy. Schumer says consumers should be offered the choice to opt in to being tracked by the FootPath technology, but that they should not have to surrender their privacy rights when they walk into a store or a mall. The technology's developers say people can opt out by turning off their cell phones.
-http://thehill.com/blogs/hillicon-valley/technology/195649-schumer-warns-that-malls-may-track-shoppers-movements
-http://money.cnn.com/2011/11/28/news/economy/malls_track_shoppers_cell_phones/
-http://www.washingtonpost.com/business/economy/the-malls-are-watching/2011/11/30/gIQAP6B1GO_story.html

[Editor's Note (Murray): If your application cannot succeed if "Opt-in" is the rule, find another line of work. It is disingenuous to suggest that people should turn off their cell phones to "opt out" of your application.
(Northcutt): What could possibly go wrong with yet another system for tracking people's locations? My guess is that within a year or two someone will be killed because the stalker was able to access their cell phone location. Sound impossible? How many hundreds of Apps monitor our location from our cell phones? A lot. It is just a matter of time until someone puts up a "Where's Waldo Website". ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/