SANS NewsBites - Volume: XV, Issue: 12

The Editor's Note, by John Pescatore, about the fatal weakness in the GAO Audit of the FCC, is a "canary in the mine" for IT security auditors. (It is the first story in "THE REST OF THE WEEK'S NEWS.") John has been Gartner's top security analyst and vice president over the past 14 years; he joined SANS in January of this year and is shining a bright light on common practices that are damaging to security. He is also interviewing users of most security products to produce an authoritative collection of web and print-based case studies highlighting the strengths of security products and services that actually work (not all do) to help buyers optimize their spending on cybersecurity.

Alan

*************************************************************************
SANS NewsBites                     February 12, 2013                    Volume: XV, Issue: 12
*************************************************************************

TOP OF THE NEWS

  Hackers Compromise Bit9 Networks and Use Company's Certificate to Sign Malware
  Classified Report Says Chinese Cyberespionage is a Serious Economic Threat to the US

THE REST OF THE WEEK'S NEWS

  Auditors Say FCC's Network Security Project Failed in Several Ways
  Legislators to Reintroduce Cyber Intelligence Sharing and Protection Act
  More Updates for Java Expected on February 19
  Yahoo! SiteBuilder Bundled with Seriously Outdated Version of Java
  Google Warned Journalists in Myanmar of Attacks on Gmail Accounts
  VMware Issues Fixes for Privilege Elevation Vulnerability
  FBI Investigating US Federal Reserve Cyberintrusion
  DHS Office Says Border Agents May Seize Electronic Devices Without Warrant or Suspicion
  NIST Releases Final Public Draft of Security and Privacy Controls Handbook
  Adobe Patches Flash Outside of Scheduled Updates


********************** SPONSORED BY Invincea ***************************
Stop freaking about 0days and fight back - Invincea discovered and killed the Java 7 drive-by onSpeedtest.net last week and we have shown how we kill the latest Adobe exploit (CVE-2013-0634). Analysis of both is found here - rethinking security means protecting the user and using behavioral analytics for malware detection
http://www.sans.org/info/123995
****************************************************************************
TRAINING UPDATE

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013


- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013


- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013


- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013


- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013


- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
***************************************************************************

TOP OF THE NEWS

Hackers Compromise Bit9 Networks and Use Company's Certificate to Sign Malware (February 8, 2013)

Attackers breached corporate systems at security services company Bit9 and accessed code-signing certificates that they used to make malware appear legitimate. Bit9 provides application whitelisting, so the malware appeared to be trusted code. Ironically, the breached Bit9 system was not protected with the company's own software. This attack bears similarities to the 2011 attack on RSA, in which attackers stole information that was likely used to conduct attacks on other organizations. Bit9 provides services to many government agencies and Fortune 100 companies.
-http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malw
are/
-http://www.scmagazine.com/hackers-hijack-bit9-to-target-its-customers-with-malwa
re/article/279777/
-http://arstechnica.com/security/2013/02/cooks-steal-security-firms-crypto-key-us
e-it-to-sign-malware/
[Editor's Note (Pescatore): This is a disaster akin to the various certificate authorities being compromised. The entire value of whitelists and code signing is dependent on security of the systems that do the signing. Just 7 months ago Bit9 received $34M in investment funding - looks like not enough of that went into protecting the crown jewels. Hey, all you guys on the boards of directors of security companies: please, please, please make sure they walking the walk, not just talking the talk.]

Classified Report Says Chinese Cyberespionage is a Serious Economic Threat to the US (February 10, 2013)

According to a National Intelligence Estimate, China more than any other country in the world is targeting the US in a focused cyberespionage campaign that threatens the country's economy. The classified report lists organizations in the energy, finance, aerospace, information technology and other sectors that have been the targets of these attacks. Russia, Israel, and France have also been named as engaging in similar activity, but China's alleged activity outstrips theirs by far.
-http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-ma
ssive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_s
tory.html
[Editor's Note (Henry): Not really sure what the news is; I re-read the article twice to see what I missed. The Chinese and other nations are engaged in cyber espionage against the US...really? While this has been happening for at least 15 years, corporate executives, government agencies, and administration officials have been talking about this openly for the past two or three years. I hope the open dialogue and public recognition of the true impact of this threat move us faster and closer to truly effective mitigation actions. (Ranum): US agencies responsible for protecting the country against cyberespionage have been doing their constituents a disservice. Instead of trading on fears, they could release and document details of the kind of thing that is happening and couple that with specific actions that should be taken by corporations and organizations that might be targeted. Today's taxpayers interpret a full-on fear sell as a request for a blank check and are understandably reluctant to write one.
(Paller): A powerful defense, discovered by another country and validated by U.S. Intelligence agencies, has emerged. Look for an upcoming report from the Center for Strategic and International Studies with evidence of the effectiveness of this defense against the most common methods of attack used in the nation-state espionage attacks. It's time to stop admiring the problem, and start fixing it. ]



************************ Sponsored Links: *******************************
1) Java Web Security By Example - Featuring: Frank Kim and Andy Chou Tuesday, February 19, 2013 at 4:00 PM EST (2100 UTC/GMT) http://www.sans.org/info/124000

2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/124005
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Auditors Say FCC's Network Security Project Failed in Several Ways (February 11, 2013)

The US Federal Communications Commission's (FCC's) US $10 million "Enhanced Secured Network" project (ESN), which was designed to address security issues in the agency's internal networks, has not been properly implemented, according to the Government Accountability Office (GAO). The FCC "failed to properly implement the fixes
[described in the plan ]
and left software and systems put in place misconfigured." ESN was devised in response to an intrusion of FCC networks that was detected in 2011. In a blog post, senior GCN writer William Jackson points out that the FCC viewed ESN as an "emergency response" and that "the case is a good example of the conflict between the requirements of auditors who evaluate regulatory compliance and the demands on frontline administrators who must deal with real-world threats while keeping systems running."
-http://arstechnica.com/security/2013/02/fcc-invests-10m-in-new-network-security-
but-leaves-backdoor-unlocked/
-http://gcn.com/blogs/cybereye/2013/02/gao-fcc-enhanced-security-network-audit.as
px
GAO Audit:
-http://www.gao.gov/assets/660/651559.pdf
[Editor's Note (Pescatore): This GAO report never once says the FCC did or did not actually protect itself from threats, which is the most important question. The discrepancies found were almost all process issues that are legitimate but not on the critical path towards fixing the immediate problems that had led to a security compromise. Stop the bleeding - then work on lifestyle issues and fill out the paperwork.
(Paller): The Audit community is just beginning to discover that when it reviews security processes instead of security, it owns the responsibility for damage done by subsequent attacks. As CEOs and government leaders take note of the risk from cyber attacks, we are seeing the first firings of auditors, rather than security officers and CIOs, in the aftermath of attacks. Why? "They should have known better; that's their job." Audit thought leaders, like GAO, need to change their audit procedures quickly to avoid endangering the reputation of the entire IT security audit community. ]

Legislators to Reintroduce Cyber Intelligence Sharing and Protection Act (February 8 & 11, 2013)

US Representatives Mike Rogers (R-Michigan) and C.A. "Dutch" Ruppersberger (D-Maryland) plan to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA) later this week. The bill is aimed at helping public and private sector entities share cyberthreat information. While the bill passed in the House last year, privacy groups have expressed concern about the legislation's provisions that would allow private companies to share information with the government. The bill was also opposed by the Obama administration. Reports suggest that President Obama will issue an executive order on cybersecurity after his February 12 State of the Union Address. That order is expected to include recommendations on information sharing.
-http://www.computerworld.com/s/article/9236691/Lawmakers_to_reintroduce_controve
rsial_info_sharing_bill?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57568513-83/cyberattacks-reanimate-cispa-spark-
move-by-obama-reports/
-http://www.zdnet.com/privacy-killer-cispa-is-coming-back-whether-you-like-it-or-
not-7000011056/
-http://www.scmagazine.com/presidential-cyber-security-order-almost-ready/article
/279973/
-http://thehill.com/blogs/hillicon-valley/technology/282269-white-house-poised-to
-release-cybersecurity-executive-order-on-wednesday

More Updates for Java Expected on February 19 (January 8 & 11, 2013)

Even after updating Java on February 1 outside of its regular patch cycle, Oracle will release updates on February 19. According to a company blog post, several other fixes were not ready for release on February 1, when the company issued the emergency patch to address a flaw that was being actively exploited. The critical patch release is cumulative, so users who did not apply the February 1 update will find those fixes and the new ones in the February 19 release.
-http://www.h-online.com/security/news/item/Oracle-to-bulk-up-Java-update-on-19-F
ebruary-1802105.html
-http://www.computerworld.com/s/article/9236657/Oracle_to_release_yet_more_patche
s_for_Java?taxonomyId=17

Yahoo! SiteBuilder Bundled with Seriously Outdated Version of Java (February 11, 2013)

Yahoo!'s SiteBuilder tool is bundled with Java 6, Update 7, a version, which is more than four years old. Java has made news recently for a series of vulnerabilities and users are being urged to make sure they have upgraded to the most recent version of Java. SiteBuilder requires Java, but the most recent version of Java is Java 6, Update 39, which suggests that the old version of Java that accompanies SiteBuilder contains multiple vulnerabilities.
-http://krebsonsecurity.com/2013/02/yahoo-pushing-java-version-released-in-2008/

Google Warned Journalists in Myanmar of Attacks on Gmail Accounts (February 11, 2013)

Google is warning journalists covering Myanmar that state-sponsored hackers are targeting their Gmail accounts. One journalist said he received the warning, but that his account had not been compromised. Myanmar's government has denied any involvement with the reported activity. Last summer, Google began warning users whose Gmail accounts appear to be targeted by spear phishing or through malware attacks. Other journalists in other areas of the world said they have received similar warnings from Google.
-http://www.computerworld.com/s/article/9236672/Google_warns_reporters_covering_M
yanmar_of_state_sponsored_attack_on_Gmail_accounts?taxonomyId=17

VMware Issues Fixes for Privilege Elevation Vulnerability (February 11, 2013)

VMware has issued updates for several of its products to fix a privilege elevation vulnerability. The issue affects VMware's ESX, Workstation, Fusion, and View virtualization software.
-http://www.h-online.com/security/news/item/VMware-plugs-murky-privilege-escalati
on-hole-1802175.html
-http://www.vmware.com/security/advisories/VMSA-2013-0002.html
[Editor's Note (Pescatore): Another good example of why it is never good practice to trust the infrastructure to secure the infrastructure. Privilege escalation at the virtualization management layer allows bypass of all internal security controls - a separate security control plane is still and will always be needed. ]

FBI Investigating US Federal Reserve Cyberintrusion (February 8, 2013)

The FBI has launched a criminal investigation into the cyberattack on the networks of the US Federal Reserve. Officials have not yet determined which data the attackers compromised, but a Federal Reserve spokesperson said that they "remain confident that this incident did not affect critical operations." The hacking group known as Anonymous last week posted contact details for more than 4,600 bank executives to demonstrate that they had accessed data in Federal Reserve computers. Another document has been posted; this one contains information suggesting that the attackers had access to Federal Reserve servers and internal documents.
-http://www.v3.co.uk/v3-uk/news/2242608/federal-reserve-unsure-of-data-hack-damag
e-as-fbi-investigates
-http://www.zdnet.com/anonymous-reveals-ample-fed-access-fbi-opens-criminal-inves
tigation-7000011073/

DHS Office Says Border Agents May Seize Electronic Devices Without Warrant or Suspicion (February 8, 2013)

The US Department of Homeland Security's (DHS's) Office for Civil Rights and Liberties says that US border agents may seize electronic devices without a warrant or even suspicion of illegal activity. The office released an executive summary of its findings in which it concluded that, "imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits," but adds that "recording more information about why searches are performed would help managers and leadership supervise the use of border search authority." The American Civil Liberties Union (ACLU) has filed a Freedom of Information Act (FOIA) request for the office's full report, which was completed sometime during the 2012 fiscal year.
-http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/
-http://arstechnica.com/tech-policy/2013/02/government-watchdog-warrantless-lapto
p-searches-at-border-are-a-ok/
-http://www.aclu.org/blog/technology-and-liberty-immigrants-rights-national-secur
ity/aclu-files-foia-request-unreleased
Executive Summary:
-http://www.dhs.gov/sites/default/files/publications/crcl-border-search-impact-as
sessment_01-29-13_1.pdf
[Editor's Note (Shpantzer): This article from December, 2012 cites DHS statistics that the digital searches happen about a dozen times a day, out of 36,000 daily 'secondary screenings.'
-http://www.nytimes.com/2012/12/04/business/court-cases-challenge-border-searches
-of-laptops-and-phones.html
Note that ICE/BCP considers it 'reasonable' in some cases to hold electronic devices for several weeks (40+ days), so plan ahead with secure online backups, in case the devices are seized (confidentiality relating to the border search notwithstanding). ]

NIST Releases Final Public Draft of Security and Privacy Controls Handbook (February 8, 2013)

The National Institute of Standards and Technology (NIST) has issued the final public draft of Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This final draft of Revision 4 recommends a two-pronged approach to security: secure development and continuous monitoring. The document takes mobile device security into account, but makes no mention of controls for cloud computing, as those are being addressed in the FedRAMP program's documentation. The public comment period runs through March 1, 2013.
-http://www.informationweek.com/government/security/feds-update-cybersecurity-com
pliance-han/240148126
-http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800_53_r4_draft_fpd.pdf

Adobe Patches Flash Outside of Scheduled Updates (February 7 & 8, 2013)

Adobe has issued an emergency Flash update to fix two vulnerabilities that are being actively exploited. The attacks presently target computers running Windows or Apple's OS X. They attempt to manipulate users into opening Word documents that contain malicious Flash content. Some Mac users are also becoming infected through drive-by downloads. Updates have been released for OS X, Windows, Linux, and Android. Microsoft has made available an update for IE10 for Windows 8 and Windows RT as Flash is now a baked-in component of that browser.
-http://www.theregister.co.uk/2013/02/08/adobe_flash_update/
-http://www.computerworld.com/s/article/9236636/Adobe_releases_emergency_Flash_fi
xes_for_two_zero_day_bugs?taxonomyId=17
-http://arstechnica.com/security/2013/02/adobe-issues-emergency-flash-update-for-
attacks-on-windows-mac-users/
-http://krebsonsecurity.com/2013/02/critical-flash-player-update-fixes-two-zero-d
ays/
-http://www.h-online.com/security/news/item/Adobe-patches-two-Flash-Player-zero-d
ay-holes-1800476.html
-http://www.adobe.com/support/security/bulletins/apsb13-04.html


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/