
SANS NewsBites - Volume: XIV, Issue: 96

*************************************************************************
SANS NewsBites                     December 04, 2012                    Volume: XIV, Issue: 96
*************************************************************************
TOP OF THE NEWS

  White House Amends Draft Executive Order on Cybersecurity
  DARPA Introduces Vetting Commodity Software and Firmware Program

THE REST OF THE WEEK'S NEWS

  Lack of Technical Understanding Undermines Cybersecurity Legislation
  Pentagon Directive Seeks to Improve Cybersecurity
  McAfee Unwittingly Exposes Location Through Digital Photo Metadata
  Navy Plans Cybersecurity Major at Annapolis
  Dalai Lama Website Serving Malware
  Reveton Ransomware Includes Phony IC3 Warning
  Syria Has Internet Again
  Microsoft Gets Court Order to Control ZeuS Command and Control Servers for Two Years
  Malware Used To Steal Data on Japanese Solid-Fuel Rocket Project
  40-Month Sentence for Camcorder Piracy
  Malware Exploits AutoRun Vulnerability
  TOR Operator Charged For Content Sent Through His Servers
  Nationwide Insurance Network Breach Affects One Million

CONTROL SYSTEMS SECURITY STORIES

  SHINE Project



****************************************************************************
TRAINING UPDATE

--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 Singapore, Singapore February 25-March 2, 2013 6 courses.
http://www.sans.org/event/singapore-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Barcelona, Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

***************************************************************************

TOP OF THE NEWS

White House Amends Draft Executive Order on Cybersecurity (November 30, 2012)
The White House's draft executive order on cybersecurity has been updated to incorporate concerns raised in meetings with representatives from technology trade associations and the US Chamber of Commerce. The changes include language clarifying that the guidance does not dictate the use of one security technology over another. "To enable technical innovation and account for organizational differences, the cybersecurity framework will provide cybersecurity guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the" requirements. The draft has also been amended to include a directive to the Treasury and Commerce Departments to recommend potential incentives for critical infrastructure operators to voluntarily join a program to follow certain cybersecurity standards. The incentives must fall within the purview of an executive order. The order has been anticipated ever since the Senate rejected cybersecurity legislation last month.
-http://thehill.com/blogs/hillicon-valley/technology/270429-white-house-draft-cyber-order-adds-changes-to-mollify-tech-industry



DARPA Introduces Vetting Commodity Software and Firmware Program (November 30, 2012)
The Defense Advanced Research Projects Agency (DARPA) has published information about its Vetting Commodity IT Software and Firmware program, which seeks to develop "innovative, large-scale approaches to verifying the security and functionality of commodity IT devices ... to ensure they are free of hidden backdoors and malicious functionality." The program, known as VET, comes in the wake of US Senate hearings in which legislators found that Chinese tech companies Huawei and ZTE "cannot be trusted to be free of foreign state influence and thus pose a security threat to the US [and its] systems." The findings were based not on examination of code but on analysis of the companies' business practices.
-http://www.informationweek.com/security/vulnerabilities/darpa-looks-for-backdoors-malware-in-tec/240143043

-http://www.darpa.mil/NewsEvents/Releases/2012/11/30.aspx
[Editor's Note (Honan): The UK has had a similar facility since 2010.
-http://www.zdnet.com/huawei-opens-cybersecurity-testing-centre-in-uk-3040091082/
It is overseen by CESG, which is a part of UK government's intelligence agency GCHQ. ]




THE REST OF THE WEEK'S NEWS

Lack of Technical Understanding Undermines Cybersecurity Legislation (November 30, 2012)
Electronic Frontier Foundation (EFF) staff technologist Dan Auerbach said that legislators who do not have a firm grasp of the technological issues involved in cybersecurity often make missteps when developing legislation. For example, there is a difference between cyberattacks and cybercrime and it is unlikely that both could be adequately addressed in one bill. Also, the idea of attributing activity on the Internet to an individual is "absurd."
-http://www.zdnet.com/clueless-officials-hamper-cybersecurity-law-making-7000008140/



Pentagon Directive Seeks to Improve Cybersecurity (December 3, 2012)
A US Department of Defense directive dated November 5 aims to "establish policy and assign responsibilities to minimize the risk that DoD's warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system's mission critical functions or critical components." The directive is signed by DoD CIO Teresa Takai and under secretary of Defense for acquisition, technology, and logistics Frank Kendall.
-http://www.nextgov.com/defense/2012/12/pentagon-directive-targets-fake-parts-vulnerabilities-arms-systems/59897/?oref=ng-channelriver

-http://cryptome.org/dodi/dodi-5200-44.pdf
[Editor's Note (Pescatore): Supply chain risk management is a big, important issue. Making sure products and systems do not have exploitable vulnerabilities or hidden capabilities is doable and needed (see DARPA VET program item), and improving the system engineering and system development processes in DoD to emphasize that is long overdue. However, having intelligence agencies rate vendors is a potential snake pit.
(Murray): In the unlikely case that it is written in the active voice, it might be mistaken for "policy." ]


McAfee Unwittingly Exposes Location Through Digital Photo Metadata (December 3, 2012)
A person spending time with John McAfee, the founder of the antivirus company now owned by Intel, posted a picture of McAfee, who is in hiding from Belize officials, that pinpointed his location. The story points out something many people don't realize: smartphones and cameras are increasingly location-aware, and the GPS information makes it into the media files that those devices create.
-https://isc.sans.edu/diary.html?storyid=14623
More on McAfee:
-http://www.computerworld.com/s/article/9234258/_I_m_foolish_fugitive_anti_virus_pioneer_McAfee_tells_CNN



Navy Plans Cybersecurity Major at Annapolis (December 3, 2012)
The U.S. Naval Academy hopes to build a $100 million cybersecurity facility and to be among the first colleges to have a cybersecurity major accredited by ABET - the organization that accredits engineering programs in most major colleges.
-http://www.marinecorpstimes.com/news/2012/12/ap-navy-aims-for-cybersecurity-major-120312/



Dalai Lama Website Serving Malware (December 3, 2012)
Malware that exploits a patched Java vulnerability on computers running Mac OS X has been detected on an unofficial Dalai Lama website. It is the same flaw exploited by the Flashback Trojan horse program last spring. The flaw was patched in April. The new malware is called Dockster. It has keystroke logging capabilities and lets hackers download and run other malware on infected machines. The site is also serving a Trojan that targets Windows computers; it exploits a Java flaw that was patched in August. This is not the first time that Tibetan activists have been targeted by malware attacks.
-http://www.scmagazine.com/mac-trojan-dockster-served-on-dalai-lama-site/article/270971/

-http://arstechnica.com/security/2012/12/new-mac-espionage-trojan-targets-dalai-lama-supporters/



Reveton Ransomware Includes Phony IC3 Warning (November 30 & December 3, 2012)
Malware known as Reveton is using what appears to be a warning from the Internet Crime Complaint Center (IC3) as a means to extort money from users. The warning that pops up on the screens of infected machines tells users that their computers have been locked because the FBI has detected that the computer has been used to access illegal content and warns that all activity on the computer is being recorded. They are offered the opportunity to pay a fine to unlock their machines. Most Reveton infections occur as drive-by downloads.
-http://www.informationweek.com/security/vulnerabilities/ransomware-pays-fbi-updates-reveton-malw/240143047

-http://www.scmagazine.com/latest-reveton-ransomware-strain-includes-ic3-warning/article/270643/



Syria Has Internet Again (December 1, 2012)
Internet connectivity in Syria appears to have been restored as of Saturday, December 1. Most of the country was without access for two days last week. Syrian State TV blamed the outage on technical issues, while some pro-government sources said that "terrorists" were behind the outage. Organizations outside the country believe that the Syrian government was responsible. Syria has been moving toward a consolidation of its network traffic since the summer.
-http://www.computerworld.com/s/article/9234217/Syrian_Internet_appears_to_be_largely_restored?taxonomyId=244

-http://www.nbcnews.com/technology/technolog/internet-phone-service-largely-restored-syria-after-blackout-1C7362915

-http://www.wired.co.uk/news/archive/2012-11/30/syria-offline?page=all
-http://arstechnica.com/information-technology/2012/12/paint-it-black-how-syria-methodically-erased-itself-from-the-net/

-http://www.zdnet.com/how-were-syrias-networks-and-internet-taken-offline-7000008139/

[Editor's Note (Ullrich): Renesys published an interesting blog post listing the countries most vulnerable to a complete internet shut down due to the limited number of entities controlling outside connectivity.
-http://www.renesys.com/blog/2012/11/could-it-happen-in-your-countr.shtml]



Microsoft Gets Court Order to Control ZeuS Command and Control Servers for Two Years (December 1, 2012)
Microsoft has won a court order allowing the company to retain control of command-and-control servers for two ZeuS botnets for the next two years. A US District Court in New York granted the court order in a default judgment. Microsoft initially took down the servers located in Illinois and Pennsylvania in March 2012. Microsoft intends to help Internet service providers (ISPs) and Computer Emergency Response Teams (CERTs) scrub ZeuS malware from infected machines.
-http://www.eweek.com/security/microsoft-can-retain-control-of-zeus-botnet-under-federal-court-order/



Malware Used To Steal Data on Japanese Solid-Fuel Rocket Project (November 30, 2012)
Japanese officials say that malware found on a computer at the Japan Aerospace Exploration Agency's Tsukuba Space Center stole data related to a new rocket being developed by that country. The malware harvested data from the machine and sent it to computers elsewhere. The infected machine was detected on November 21 and was removed from the network. No other infected computers were found. Some of the stolen data were related to Japan's Epsilon solid-fuel rocket project. The rocket would be used primarily to launch satellites and space probes and is capable of being controlled remotely through a PC.
-http://arstechnica.com/security/2012/11/malware-siphons-data-on-new-rocket-from-japanese-space-agency/

-http://www.theregister.co.uk/2012/11/30/jaxa_data_loss/
-http://www.computerworld.com/s/article/9234191/Japan_space_agency_Virus_may_have_stolen_space_rocket_data?taxonomyId=17



40-Month Sentence for Camcorder Piracy (November 30, 2012)
A federal judge in Virginia has sentenced Gregory A. Cherwonik to 40 months in prison for his activities in a group that took camcorders into theaters to record new movies and make them available over the Internet. Last year, Cherwonik pleaded guilty to conspiracy to commit criminal copyright infringement. His sentence is the longest ever handed down for filesharing. Another member of the group, which calls itself IMAGiNE, has pleaded guilty to the same charge and will be sentenced in March 2013. Two others have already received their sentences and a fifth will be sentenced next month.
-http://www.wired.com/threatlevel/2012/11/camcording-pirate-40-months/
-http://www.wired.com/images_blogs/threatlevel/2012/05/lovelady.pdf


Malware Exploits AutoRun Vulnerability (November 30, 2012)
Security companies are warning users about malware that infects computers via a vulnerability in the Windows AutoRun software. Machines running Windows 7 and Windows 8 will not launch autorun.inf files and Microsoft has released patches for older versions of Windows to protect them from similar exploits. Experts think that the increase in infections is due to unpatched computers, network shares, and social media. Users are urged to protect their computers by disabling AutoRun on all Windows systems and by restricting write permissions to share files.
-http://www.csoonline.com/article/722724/security-firms-warn-of-spreading-windows-autorun-malware?source=CSONLE_nlt_update_2012-12-02

[Editor's Note (Ullrich): If you still have auto run enabled on a Windows PC, take the time to take a close look at what else it is infected with.
-https://isc.sans.edu/diary.html?storyid=14584]



TOR Operator Charged For Content Sent Through His Servers (November 29 & 30, 2012)
An Austrian man who operated TOR servers has been charged with distributing child pornography. Authorities detected the images passing through the servers maintained by the man. Police seized 20 computers and other equipment from William Weber's home. TOR is an acronym for The Onion Router, a project developed by the US Naval Research Laboratory that allows people to surf the web anonymously. It is often used by political dissidents, journalists, and law enforcement officers, and has also been used by criminals. The offending images were being distributed by a server in Poland and sent through Weber's servers. Weber operated exit servers; traffic from these nodes can be traced back to the servers' IP addresses. While the authorities became "friendlier" after understanding where the images came from, there is a precedent for holding TOR operators liable for content that passes through servers they operate. The Electronic Frontier Foundation acknowledges the risk that accompanies operating exit nodes and advises that "it's best not to run your exit relay in your home or using your home Internet connection."
-http://arstechnica.com/tech-policy/2012/11/tor-operator-charged-for-child-porn-transmitted-over-his-servers/

-http://www.bbc.co.uk/news/technology-20554788
-http://www.zdnet.com/austrian-man-raided-for-operating-tor-exit-node-7000008133/
[Editor's Note (Ullrich): IMHO, the TOR operator acted like a transit ISP/NSP in this case.
(Honan): In many countries it is not illegal to run a Tor exit node. However, if you are considering running, or are already running, a Tor exit node, you should familiarise yourself with the Electronic Frontier Foundation's Legal FAQ on the topic at
-https://www.eff.org/torchallenge/legal-faq/]



Nationwide Insurance Network Breach Affects One Million (November 29, 2012)
A security breach of the Nationwide Insurance computer network compromised the personal information of approximately one million people. The data include names, Social Security Numbers (SSNs) and other personally identifiable information; the breach affects people in all 50 states. Those affected by the breach include both policy holders and individuals who requested quotes from the company. Employee data were not exposed. The incident occurred on October 3, 2012. The FBI is investigating.
-http://www.scmagazine.com/personal-info-of-1m-compromised-in-nationwide-breach/article/270448/



CONTROL SYSTEMS SECURITY STORIES

SHINE Project
SHINE is a project to identify how much and what kinds of control systems are running in the open, on the Internet. The researchers express reluctance to disclose the information in raw form, because "it contains such a high volume of sensitive sites that we believe it could be turned in to a weapon." They say that preliminary discussions are underway with DHS, the FBI, and the RCMP on data management and handling protocols.
-http://news.infracritical.com/pipermail/scadasec/2012-December/010162.html
[Editor's Note (McBride): Nice to see a public statement from the group conducting the research into ICS/SCADA systems online. The most significant implications seem to be related to supply chain and wireless network providers. ]


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/