SANS NewsBites - Volume: XIV, Issue: 87


Several top stories this week focus on failed information sharing. They
are not the first such stories. A simple, proven method for information
sharing, proposed by multiple members of the Commission on Cybersecurity
for the 44th Presidency four years ago would provide exactly the data
needed in time to act on it. It is based on the Centers for Disease
Control (CDC) model where doctors rapidly report the details of
infectious disease cases to CDC, protecting the identities and privacy
of the actual patients. In cybersecurity, the companies that do incident
response are the doctors and could easily provide anonymized versions
of the needed data with a simple change to their non-disclosure contract
clauses. The idea has been thwarted by the lack of interest in giving
private data to government and the lack of a not-for-profit organization
trustworthy enough to be the recipient. The new international
cybersecurity action consortium led by Tony Sager would be ideal,
especially because it is also responsible for ensuring the international
consensus on critical controls reflects the most up-to-date cyber threat
information. Any information shared with it would directly and quickly
enhance protection across a wide swath of the government and private
technology community.

Alan

*************************************************************************
SANS NewsBites                     October 30, 2012                    Volume: XIV, Issue: 87
*************************************************************************
TOP OF THE NEWS

  South Carolina State Dept. of Revenue Suffers Data Theft Affecting All Tax Payers
  Cybersecurity Threat Information Sharing Thwarted by Legal Concerns
  Critical Flaw in CoDeSys Industrial Control System Software
  Pentagon Cyberthreat Information Sharing Pilot is Losing Participants

THE REST OF THE WEEK'S NEWS

  FBI Cyber Specialists Focus on Cyber Attack Attribution
  Yahoo Will Ignore Internet Explorer 10's Do Not Track Preference
  Cyberthieves Steal Banks' Experian Login Credentials, Download Credit Reports
  Facebook Tries to Keep Investigation Into Account Data Leak Quiet
  City Officials Shut Down Electronic Sign After Message is Altered
  US Dept. of Energy Audit Report Reveals Security Concerns at Western Area Power Administration
  Israeli Police Computer Disconnect From Internet After Malware Detected
  TSA Boarding Pass Barcodes Not Encrypted
  US Government Argues Against Unfreezing MegaUpload's Assets
  Peter Neumann Wants to Redesign Computers With a Clean Slate


************************ SPONSORED BY Symantec ****************************
Unrivaled Security: Over 8 Million Users Can't Be Wrong. Join this webcast to find out how you can get unrivaled security, blazing performance and support for virtual environments. Learn about new features of Symantec Endpoint Protection 12.1.2. including VMware vShield integration, support for Windows 8 and Mac Mountain Lion. Register Now. http://www.sans.org/info/116137
****************************************************************************
TRAINING UPDATE
--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses. Special Event evening bonus session: I've Been Geo-Stalked! Now What?
http://www.sans.org/event/sydney-2012

--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

--SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

South Carolina State Dept. of Revenue Suffers Data Theft Affecting All Tax Payers (October 26, 2012)
A breach of the computer system at the South Carolina state Department of Revenue has compromised the security of the Social Security numbers (SSNs) of 3.6 million people. In addition, the intruders exposed the details of 387,000 payment cards; of those, about 16,000 were not encrypted. None of the SSNs appear to have been encrypted. The incident occurred in September. The breach affects all people who have filed a South Carolina tax return since 1998. State officials learned of the breach on October 16; the vulnerability that the attackers exploited was fixed by October 20.
-http://www.computerworld.com/s/article/9232965/South_Carolina_breach_exposes_3.6M_SSNs?taxonomyId=17
-http://www.scmagazine.com/monster-breach-hits-south-carolina-taxpayers/article/265639/
-http://news.cnet.com/8301-1009_3-57541481-83/millions-of-ssns-lifted-from-south-carolina-database/
-http://arstechnica.com/security/2012/10/hack-of-south-carolina-network-exposes-ssns-for-3-6-million-taxpayers/



Cybersecurity Threat Information Sharing Thwarted by Legal Concerns (October 29, 2012)
A conference about securing industrial control systems became a lesson in the complications of information sharing. A number of scheduled presentations at the conference were cancelled due to threatened legal action. Although a nuclear power plant had agreed to have the vulnerabilities discovered there discussed, the equipment vendor said that the presentations would reveal too much information and threatened to sue. Conference attendees also learned that a security firm had found thousands of pieces of equipment to be vulnerable to cyberattacks, but did not tell authorities where those pieces of equipment were because it feared legal action from the entities that own the vulnerable equipment.
-http://wtaq.com/news/articles/2012/oct/29/legal-fears-muffle-warnings-on-cybersecurity-threats/

[Editor's Note (Murray): IT Security is the only part of the security industry that insists upon washing its linen in public. The problem is not so much "legal" as cultural. We do not have the trusted professional forums in which to share. Too many of those attending are there more for personal aggrandizement than for responsible sharing.
(Honan): We would be much better off if the money, time, and resources spent on legal cases to keep issues quiet were instead used to make those products more secure and to thwart the attackers. ]


Critical Flaw in CoDeSys Industrial Control System Software (October 26 & 29, 2012)
A vulnerability in CoDeSys software leaves industrial control systems (ICS) running the control system development environment open to a network-based attack. CoDeSys is the runtime that executes ladder logic on PLCs (programmable logic controllers). It runs on ICS products from more than 200 vendors.
-http://www.h-online.com/security/news/item/Industrial-control-systems-vulnerable-to-remote-attackers-1738208.html
-http://www.theregister.co.uk/2012/10/28/codesys_vulnerability/
-http://krebsonsecurity.com/2012/10/dhs-warns-of-hacktivist-threat-against-industrial-control-systems/
-http://www.computerworld.com/s/article/9232956/Critical_flaw_found_in_software_used_by_many_industrial_control_systems?taxonomyId=17
-http://www.digitalbond.com/tools/basecamp/3s-codesys/
[Editor's Note (Assante): The software implementation and application in question provides for a vulnerability that can only be described as being cross-cutting and horizontal in nature. Many ICS suppliers and integrators need to better manage security concerns with third-party applications. Unfortunately, the lack of authentication to perform important functions like changing configurations, set points, and logic is far too common in ICS.
(McBride): These articles are a great illustration of how important ICS security **isn't** to the larger security community. The exact flaws and techniques highlighted have been publicly presented at multiple conferences, starting in January 2012. In fact, DHS is now conducting a show-n-tell road-show at cities throughout the country to raise awareness of these and other ICS security issues. ]


Pentagon Cyberthreat Information Sharing Pilot is Losing Participants (October 25, 2012)
Five of the original 17 organizations participating in the Pentagon's Defense Industrial Base Enhanced Cybersecurity Services pilot group have pulled out of the threat information-sharing program. The organizations that chose to leave the program decided to "reallocate their resources to other corporate priorities," according to a Pentagon spokesperson.
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/10/pentagons-cyber-pilot-dropout-rate-signals-trouble-ahead/59041/?oref=ng-channelriver
-http://www.nextgov.com/cybersecurity/2012/10/pentagon-cyber-threat-sharing-program-lost-participants/59028/?oref=ng-HPriver
-http://killerapps.foreignpolicy.com/posts/2012/10/24/rogers_was_right_dod_dhs_cyber_info_sharing_program_has_shrunk




*************************** SPONSORED LINKS *******************************
1) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices" http://www.sans.org/info/116142
2) SANS Webcast: Why Deception Matters in Today's Web Attacks. With John Bumgarner & David Koretz. Nov 8, 2012. http://www.sans.org/info/116147
3) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116152
*****************************************************************************

THE REST OF THE WEEK'S NEWS

FBI Cyber Specialists Focus on Cyber Attack Attribution (October 29, 2012)
The FBI's cybercrime division has established a new program that will aim to uncover the identities of cyber intruders. The Next Generation Cyber Initiative focuses on determining attribution for attacks so that an appropriate response can be decided. Attribution involves determining both the entity responsible for the attack and the motive prompting the attack. The FBI has trained cyber specialists "to extract hackers' digital signatures." The information they gather can be sent to the FBI's Cyber Division's Cyber Watch Command, where the data will be analyzed.
-http://www.nextgov.com/cybersecurity/2012/10/fbi-starts-new-initiative-name-hackers/59077/?oref=ng-channeltopstory



Yahoo Will Ignore Internet Explorer 10's Do Not Track Preference (October 29, 2012)
Yahoo says it will ignore Do Not Track (DNT) preferences in Microsoft's Internet Explorer 10 (IE 10), calling the decision to turn the control on by default "signal abuse." Microsoft's decision has generated controversy. IE 10 launched on October 26. Users are given the option of turning off the setting during the Windows 8 setup process. All other major browsers leave their DNT options in the off position, leaving it up to users to switch on the option. Because the World Wide Web Consortium (W3C) has said that browser makers cannot set the DNT option for users, websites appear to feel no qualms about ignoring the signal from IE 10. Microsoft plans to release a version of IE 10 for Windows 7; DNT will be switched on by default in that version as well.
-http://www.computerworld.com/s/article/9233030/Yahoo_to_ignore_Microsoft_s_Do_Not_Track_signal_from_IE10?taxonomyId=17



Cyberthieves Steal Banks' Experian Login Credentials, Download Credit Reports (October 29, 2012)
The cyberthieves behind the September 2011 breach of the computers at Abilene Telco Federal Credit Union in Texas stole the financial institution's access credentials for the Experian credit-reporting agency. The thieves downloaded nearly 850 credit reports with the credentials, stealing data about people who were never associated with Abilene Telco. Experian holds data on more than 740 million individuals. The incident illustrates that cybersecurity "is only as strong as its weakest link." Since 2006, more than 17,000 credit reports have been stolen in 86 reported incidents through stolen access credentials.
-http://go.bloomberg.com/tech-blog/2012-10-29-experian-customers-unsafe-as-hackers-steal-credit-report-data/

-http://www.theregister.co.uk/2012/10/29/credit_report_data_breach_worries/


Facebook Tries to Keep Investigation Into Account Data Leak Quiet (October 29, 2012)
Facebook is reportedly trying to keep a blogger quiet about his claim that he obtained names and email addresses of nearly one million account holders through an online service. The blogger, Bogomil Shopov, lives in Prague and says he paid US $5 for the information. Facebook is investigating his claims.
-http://arstechnica.com/security/2012/10/facebook-tries-cloaking-probe-into-data-leak-involving-1-million-accounts/



City Officials Shut Down Electronic Sign After Message is Altered (October 29, 2012)
Officials in Surrey, British Columbia, have shut down an electronic sign the city was using to notify motorists about a waste pickup program after someone gained access to the sign's controls and altered its message. The city had rented the sign. Rob Costanzo, Surrey's deputy manager of operations in engineering, said that the city might rent signs again, but only after it has been given assurances that the equipment is more secure.
-http://www.theprovince.com/news/Surrey+shuts+down+electronic+sign+after+hackers+have+their/7465999/story.html



US Dept. of Energy Audit Report Reveals Security Concerns at Western Area Power Administration (October 26, 2012)
According to the results of an audit from the US Department of Energy's inspector general (IG), the Western Area Power Administration uses a default password on its electricity-scheduling database on a public-facing server and does not regularly update security software. Western sells and provides hydroelectric energy to utility companies that serve homes and businesses in 15 states stretching from the north central US to the southwest. It is "the government's largest renewable power transmission agency." The audit examined 105 workstations and found that nearly all had at least one critical vulnerability. The report also noted at least five instances in which former employees were not blocked from accessing Western's systems. Officials at Western say they will implement the recommended fixes and improvements.
-http://www.nextgov.com/cybersecurity/2012/10/largest-us-energy-marketing-agency-used-outdated-security-patches/59058/

-http://energy.gov/sites/prod/files/IG-0873.pdf


Israeli Police Computers Disconnected From Internet After Malware Detected (October 28 & 29, 2012)
A malware infection prompted an order to disconnect Israeli police computers from the Internet. The malware in this case is designed to harvest data. It made its way into the Israeli police system through a compressed .RAR email attachment. The email appears to have been spoofed so that it looked like it was coming from the chief of staff of the Israel Defense Forces. The malware may have been on the computers for as long as a week before it was detected.
-http://www.information-age.com/channels/security-and-continuity/news/2130078/israel-police-disconnect-from-internet-after-cyber-attack.thtml
-http://www.timesofisrael.com/how-israel-police-computers-were-hacked-the-inside-story/
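The two tells in the story above, a visible sender that does not match the address the mail will actually reply to, and an archive attachment used to carry the payload, are both things a mail gateway or SOC can check mechanically before a user ever opens the message. What follows is an added example in Python, not code from the article or from any of the organizations it mentions: the two messages are constructed for the example (every domain, name and header value is a placeholder), and the checks it applies are generic phishing heuristics, not a description of how this particular attack was built or detected.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Archive types commonly used to smuggle executables past naive filters.
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".ace", ".cab"}

# Constructed sample: the display name claims a senior military sender, but the
# Reply-To and Return-Path point at a different domain, and the payload is a .rar.
SAMPLE_RAW = b"""\
Return-Path: <bounce@mailer.attacker.example>
From: "Chief of Staff" <chief.of.staff@idf.example>
Reply-To: <chief.of.staff@attacker.example>
To: officer@police.example
Subject: Urgent: updated guidance
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached document.
--b1
Content-Type: application/octet-stream; name="guidance.rar"
Content-Disposition: attachment; filename="guidance.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAA==
--b1--
"""

# Constructed benign message: consistent headers, ordinary PDF attachment.
BENIGN_RAW = b"""\
Return-Path: <clerk@police.example>
From: "Records Clerk" <clerk@police.example>
To: officer@police.example
Subject: Weekly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Report attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_mismatches(msg):
    """Flag Reply-To / Return-Path domains that differ from the visible From domain.

    A mismatch is not proof of spoofing (mailing lists and ticketing systems do
    this legitimately), but combined with other signals it is a strong tell.
    """
    from_domain = _domain(msg.get("From"))
    flags = []
    for header in ("Reply-To", "Return-Path"):
        other = _domain(msg.get(header))
        if other and other != from_domain:
            flags.append(f"{header} domain {other} differs from From domain {from_domain}")
    return flags


def archive_attachments(msg):
    """Names of attached parts whose filename extension is an archive type."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in ARCHIVE_EXTENSIONS:
            names.append(name)
    return names


def triage(raw_bytes):
    """Parse one raw RFC 5322 message and return the list of findings (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = header_mismatches(msg)
    flags += [f"archive attachment {name}" for name in archive_attachments(msg)]
    return flags


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, triage(raw))
```

The checks deliberately look only at headers and attachment metadata, so they run before any decompression or detonation; a gateway would normally escalate a message with two or more findings to quarantine rather than block outright, since Return-Path mismatches alone are common on legitimate bulk mail.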



TSA Boarding Pass Barcodes Not Encrypted (October 23, 25 & 26, 2012)
Boarding passes issued through the US Transportation Security Administration's (TSA's) PreCheck program contain unencrypted information in their barcodes. The information indicates what level of screening the program participant will receive at security checkpoints. PreCheck is a program that allows some passengers expedited screening, including being allowed to leave their shoes on and leave their laptops in their cases, while traveling domestically. The privileges are not guaranteed to all participants on all flights, but instead are randomly meted out. The boarding passes can be printed 24 hours prior to the flights, so if people know how to read bar codes, they can determine whether or not they will receive expedited screening. People with vested interests in evading a thorough screening could potentially print out their passes, alter the bar code graphics in a file and create a new boarding pass.
-http://www.darkreading.com/advanced-threats/167901091/security/news/240009722/tsa-precheck-program-security-hole-exposes-screening-status.html
-http://www.washingtonpost.com/national/experts-warn-about-security-flaws-in-airline-boarding-passes/2012/10/23/ed408c80-1d3c-11e2-b647-bb1668e64058_story.html
-http://www.theregister.co.uk/2012/10/26/tsa_barcode_boarding_pass/
-http://www.bbc.co.uk/news/technology-20080621
[Editor's Note (Murray): The reporters imply, and perhaps infer, things about PreCheck that are not true. While it is the case that, whether a passenger is enrolled in PreCheck is embedded in the bar code of the boarding pass by the airline issuing the pass, and while that may result in reduced screening, it does not guarantee it. The PreCheck bit may, or may not, be honored by the TSA at the agent's discretion. Since it is binary, it is difficult to encrypt. The whole boarding pass ought to be tokenized.]
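Murray's remark that a single bit is hard to encrypt points at the real requirement: the screening indicator does not need secrecy (the passenger is holding the pass either way), it needs integrity, so that a barcode whose indicator has been flipped in an image editor fails at the checkpoint. A MAC over the whole record gives exactly that. The block below is an added Python example, not a description of how the TSA or any airline encodes boarding passes: the key=value record layout is invented for illustration (it is not the IATA barcode format), and the key is a placeholder standing in for a secret that the issuing system and the checkpoint reader would have to share.

```python
import hashlib
import hmac

# Placeholder key for the example only; in practice it is shared between the
# issuer and the verifier and never printed on the pass.
DEMO_KEY = b"issuer-demo-key-not-for-production"
TAG_HEX_LEN = 32  # 128-bit truncated HMAC-SHA256 tag, rendered as hex


def serialize(fields):
    """Flatten the record to 'K=V;K=V' (illustrative layout, not IATA BCBP)."""
    for key, value in fields.items():
        if any(c in "=;|" for c in key + value):
            raise ValueError("field names and values must not contain '=', ';' or '|'")
    return ";".join(f"{k}={v}" for k, v in fields.items())


def _tag(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def issue(fields, key=DEMO_KEY):
    """Return 'payload|tag'. The tag covers every byte of the payload, so changing
    the screening indicator (or any other field) invalidates it."""
    payload = serialize(fields)
    return f"{payload}|{_tag(payload, key)}"


def verify(token, key=DEMO_KEY):
    """Return the parsed fields if the tag checks out, otherwise None.

    Unsigned tokens, truncated tags, tags made with another key and any edit
    to the payload all fail here; compare_digest avoids a timing side channel.
    """
    payload, sep, tag = token.rpartition("|")
    if not sep or len(tag) != TAG_HEX_LEN:
        return None
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    return dict(item.split("=", 1) for item in payload.split(";"))


if __name__ == "__main__":
    pass_fields = {"PNR": "ABC123", "FLT": "XY0123", "SEAT": "12A", "SCREEN": "0"}
    token = issue(pass_fields)
    forged = token.replace("SCREEN=0", "SCREEN=1")  # what an image edit amounts to
    print("genuine:", verify(token))
    print("forged: ", verify(forged))
```

Encrypting the record instead would not help on its own: with a stream cipher a single known-position bit can be flipped in the ciphertext without the key, so confidentiality without an authentication tag leaves the indicator exactly as forgeable as it is in plaintext. The practical difficulty is key distribution to every reader, which is why Murray's alternative, an opaque token on the pass that the checkpoint resolves online against the issuer's record, is attractive: the pass then carries nothing worth forging.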


US Government Argues Against Unfreezing MegaUpload's Assets (October 26, 2012)
The US government is arguing against unfreezing MegaUpload's assets, claiming that the slow proceedings are the company's fault. MegaUpload founder Kim Dotcom is fighting extradition from New Zealand to the US and has asked a judge to unfreeze the assets. Lawyers representing Dotcom and his associates say that denying their client's access to the company's assets is causing "ongoing, irreparable harm indistinguishable from the sort that would attend ultimate criminal conviction following full criminal process." The US government says that Dotcom doesn't intend to resume operations of MegaUpload, a claim that Dotcom has corroborated, and therefore he is contradicting himself when he says that denial of access to the assets is causing harm.
-http://arstechnica.com/tech-policy/2012/10/us-slow-legal-proceedings-are-megauploads-fault-dont-unfreeze-assets/



Peter Neumann Wants to Redesign Computers With a Clean Slate (October 29, 2012)
Peter G. Neumann is a computer scientist and cybersecurity specialist at SRI International, an engineering research lab in Menlo Park, California. For years, Dr. Neumann has said that the computer industry keeps repeating its mistakes. Steven M. Bellovin, chief technology officer (CTO) of the US Federal Trade Commission (FTC), said that Dr. Neumann stressed that "trouble occurs not because of one failure, but because of the way many different pieces interact," and that "complex systems break in complex ways." Dr. Neumann, along with Robert N. Watson of Cambridge University, is leading a research team focused on redesigning computers and networks from the bottom up to make them more secure and more resilient. (Please note that the New York Times requires a paid subscription.)
-http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?src=dayp&pagewanted=all

[Editor's Note (Murray): Count me in. While it is far from a "clean slate," iOS is an illustration of what can be achieved if one is willing to surrender the investment in running codes and systems and start over. Apple has demonstrated a willingness to do this that is unique in the industry. IBM had the opportunity with the FS architecture but did not have the economic courage. Both iOS and FS architectures are (at least semi-) closed, making meta-data reliable. Apple has demonstrated that it can be done and that such systems can co-exist with the archaic systems.]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/