SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #30
April 16, 2010
Three quick questions for CISOs and operations directors, penetration testers, and security architects:
1. Do you know how to find the hackers already inside your systems? More than 1,000 US, Canadian and UK organizations, including the entire defense industrial base and many government agencies, have been penetrated by sophisticated attackers. Many more have malicious software inside their systems. Some of the victims have not yet found the attackers, but in others, system administrators have noticed something out of the ordinary, and in tracking the anomalies, they found the infestations. A new course, pioneered at two US Department of Energy (DoE) nuclear energy laboratories provides system administrators with the tactics, techniques, and procedures (TTPs), along with case studies, showing how to find the wily hackers and verify their presence. For the first time that course is being opened to people outside DoE. Hacker Detection for System Administrators: San Diego, May 14-15, http://www.sans.org/security-west-2010/description.php?tid=4337
Baltimore, June 13-14, http://www.sans.org/sansfire-2010/description.php?tid=4337
2. Are your pen testing techniques current with the newest threats? If they are not your results are misleading your organization and your clients. The Pen Test Summit is the best place to make sure your techniques are current and state of the art. Baltimore, June 14-15 http://www.sans.org/pen-testing-summit-2010/
3. Do you know why most security architecture efforts fail to pay off? And do you hope to be a valuable security architect? The Security Architecture Summit, with Cisco, NSA, and SANS architects and other great speakers, is the only meeting in the world focused on making security architectures and architects successful. May 25-26, Las Vegas, http://www.sans.org/security-architecture-summit-2010/
TOP OF THE NEWS
NSA's General Alexander Finally Has His Confirmation Hearing
Intruders Breach Apache Server
THE REST OF THE WEEK'S NEWS
DHS Begins Einstein 3 Tests
Report Says Attacks on Water and Power Computer Systems on the Rise
Zeus Exploiting PDF Flaw to Infect PCs
Anti-Piracy Company Defends Aggressive Tactics
Oracle Patches Java Zero-Day
Microsoft, Adobe, and Oracle Issue Patches
Bank of America ATM Malware Author Stole More Than US $300,000
Not All Security Advice is Equal
**************** Sponsored By Entrust Technologies ***********
Entrust Unified Communications Certificates provide greater flexibility to support powerful communications products like Microsoft Exchange Server 2007 and Microsoft Office Communications Server 2007, without sacrificing security controls. Up to 10 host names included, 128/256-bit SSL encryption, quick issuance and one to four year certificate lifetimes available. Now from only $387 per year. Learn more at http://www.sans.org/info/57998
-- SANS Security West 2010, San Diego, May 7-15, 2010. 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
-- SANSFIRE 2010, Baltimore, June 6-14, 2010. 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
-- SANS Secure Europe Amsterdam 2010, June 21-July 3, 2010. 8 courses.
-- SANS Rocky Mountain 2010, Denver, July 12-17, 2010. 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat
-- SANS Boston 2010, August 2-8, 2010. 11 courses.
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Geneva, Toronto, Singapore and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
NSA's General Alexander Finally Has His Confirmation Hearing (April 14 & 15, 2010)
Lieutenant General Keith Alexander appeared at his Senate confirmation hearing on Thursday. Alexander is the administration's nominee to head the US military's Cyber Command. Alexander said that US military systems are probed "hundreds of thousands of a day," but clarified that the probes are scans to detect the kind of software the systems are running. In his written testimony to the Senate Armed Services Committee, Alexander said there is a "policy gap" between the military's cyber attack capabilities and current legal policy and doctrine. The Cyber Command was slated to be established by October 1, 2009, but the committee has delayed its launch because it wants to be clear about exactly what it is approving. Committee chairman Senator Carl Levin (D-Michigan) asked Alexander to provide a list of policy changes necessary for the command's effective operation.
Unclassified portion of written testimony:
[Editor's Note (Paller): Preliminary feedback from staff of both Democrats and Republicans at the hearing points to General Alexander's confirmation. ]
Intruders Breach Apache Server (April 13 & 14, 2010)
An Apache Software Foundation server used to keep track of software bugs was breached by attackers. The source code was not affected by the attack. The attackers did gain access to several low-privilege accounts on another server that is used to maintain the people.apache.org website. The attackers exploited a cross-site scripting vulnerability and a password attack to gain access to the servers.
[Editor's Note (Honan): Apache provide an excellent write-up of the incident at
THE REST OF THE WEEK'S NEWS
DHS Begins Einstein 3 Tests (April 8, 2010)
The US Department of Homeland Security (DHS) is several weeks into the third phase of testing on Einstein 3, a network traffic monitoring program for government agencies. This current stage of testing involves technology developed by the National Security Agency (NSA) that might allow Einstein 3 to detect and pinpoint cyber threats. The test will help determine whether Einstein 3 makes it easier for agencies to share cyber security information, send out threat alerts to the agencies, and target and disarm threats before they cause damage. Einstein 2, which has fewer capabilities, is currently being deployed at agencies. The Einstein program has raised concern among privacy advocates, who say not enough is known about the scope of the program.
[Editor's Note (Pescatore): Network IPS use in private industry is pretty mature, very odd to see government agencies being forced to wait for government-developed technology to be tested. Even odder to see the strange deployment scenario for Einstein 3 which almost guarantees it will only be used for saying "look, that attack just got through to those agencies" vs. simply blocking well known attacks and moving on. ]
Report Says Attacks on Water and Power Computer Systems on the Rise (April 14, 2010)
According to data gathered by the Repository of Industrial Security Incidents (RISI), the computer systems used to monitor and control water, wastewater and utility plants have seen the number of cyber security incidents climb over the last five years. The 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems says that incidents involving water and wastewater have increased 300 percent over that period, while incidents involving power and utilities have increased 30 percent. Incidents involving petroleum and petrochemical systems have fallen 80 percent. The data include information from process control, manufacturing and Supervisory Control and Data Acquisition (SCADA) systems. Twenty-five percent of the incidents were intentional system breaches, either by outsiders or insiders; the rest were evenly split between equipment failure and malware infections. Even if systems are not connected to the Internet, they can be vulnerable to Windows-based malware through USB drives and infected laptops, particularly because those systems do not usually get updated in a timely manner.
[Editor's Note (Paller): RISI offers interesting examples. But utilities DO NOT REPORT their breaches; they actively mislead people looking for data about breaches. Drawing conclusions of any kind from the RISI database is silly. The numbers are not representative of anything other than what the researchers found in public articles and what they learned because of access they were given through contractual relationships with individual companies or groups. ]
Zeus Exploiting PDF Flaw to Infect PCs (April 15, 2010)
A PDF flaw that can be used to spread many different types of malware has been found to be spreading a modified Zeus payload. The new variant of Zeus, the malware that turns infected computers into botnet slaves, uses malicious attack code embedded in a PDF document; when users open the document, they are prompted to save a file called Royal_Mail_Delivery_Notice-dot-pdf that is really a malicious Windows executable. Technically, the flaw is not a vulnerability but "a by-design function of Adobe's specification." Just last week, researchers cautioned that attackers were likely to start exploiting this PDF bug. Adobe has posted information to help users mitigate the risk of having their computers infected through this vector.
[Editor's Note (Honan): Zeus is an especially stubborn piece of malware that has proven to be hard to detect and eradicate. A recent survey shows that up to 88% of Fortune 500 companies are infected with Zeus ( and with this move to using PDF as an attack vector that may well increase.
(Northcutt): Zeus is pretty ugly, I have a link to a short summary with pointers to other credible write-ups if you want to learn more. Many of you saw the article saying 88% of Fortune 500 are infected to some extent by Zeus. I think the number is on the high side, but it clearly means organized crime has got a winner that works for them and against us. I also strongly recommend security professionals read the Adobe blog post above, this could be a bad one for the unlucky folks that get stuck with the attack.
Anti-Piracy Company Defends Aggressive Tactics (April 15, 2010)
DigiProtect, an anti-piracy company based in Germany, is defending its practice of mass mailings to alleged filesharers asking them to pay fines of approximately GBP 700 (US $1,080) or face legal proceedings. UK consumers have complained, and at least one Internet service provider (ISP) has spoken out against the company's actions. DigiProtect acknowledges that it gathers information through an automated process and that some people may be wrongly accused, but is unapologetic in its attempts to protect its clients' rights. The UK's BPI, while an ardent supporter of the recently passed Digital Economy Bill, has distanced itself from the methods used by DigiProtect, saying that legal action should be pursued only in egregious cases of piracy.
Oracle Patches Java Zero-Day (April 14 & 15, 2010)
Just two days after its quarterly patch release, Oracle has issued a patch for a critical zero-day remote code execution flaw in Java. According to the researcher who discovered the vulnerability, Java handlers at Oracle's Sun division initially indicated that they did not believe the issue merited a patch until the company's next scheduled security update in July. However, on Thursday morning, Oracle pushed out Java 6, Update 20 to address the flaw in the Java Network Launch Protocol. The vulnerability is reportedly already being exploited in the wild through drive-by attacks. Users who visit the songlyrics-dot-com website could find their computers compromised. The attack code on the site calls another server that attempts to download the malware.
Microsoft, Adobe, and Oracle Issue Patches (April 13 & 14, 2010)
It's a busy week for administrators as Microsoft, Adobe and Oracle all released security patches on Tuesday, April 13. Microsoft issued 11 security bulletins to fix 25 flaws. Adobe released fixes for 15 vulnerabilities in Reader and Acrobat, and Oracle issued 47 updates. Adobe also launched the official version of its automatic patch installer for Reader and Acrobat. Initially, the automatic installer may take up to a week to be activated, but once it has been activated, it will check for updates every three days. Adobe is urging users to jumpstart the downloader manually.
Bank of America ATM Malware Author Stole More Than US $300,000 (April 13, 2010)
Rodney Reed Caverly has pleaded guilty to one count of unauthorized computer access for installing malware on Bank of America (BofA) ATMs that allowed them to dispense cash without generating records of the transactions. Caverly stole more than US $300,000 from the bank through his scheme; more than half of the money has been recovered. More than 100 ATMs were infected with the malware. The thefts took place over a seven-month period ending in October 2009; BofA discovered the activity internally. Caverly faces up to five years in prison and a fine of US $250,000.
Not All Security Advice is Equal (April 11 & 15, 2010)
A new study says that frequent password changes do not increase security. Cormac Herley, principal researcher for Microsoft Research, said that "Most security advice simply offers a poor cost-benefit trade-off to users." Herley's rough calculation of the cost to employers of time spent by employees following the security advice they are normally given finds that the costs far outweigh the benefits. There is a glut of information about good security practices, but it has not yet been prioritized. Computer security experts lack the hard data that doctors and road-safety professionals have at their disposal to make their points about effective protective measures.
[Editor's Note (Pescatore): Sarbanes Oxley audit nonsense has been one of the largest culprits behind reviving the "changing user passwords every three months is required" silliness. Since auditors can measure when passwords were changed, it becomes an audit item, not for any real security reason. Now, just saying pay for anti-virus and anti-spyware is top of the list is just as silly - using software that isn't constantly vulnerable to viruses and spyware is a much better strategy.
(Schultz): I'd hesitate to draw such a sweeping conclusion after the result of just one study concerning the lack of impact on security of frequent password changes. It appears that Herley is not aware of other empirical studies on the impact (or lack thereof) of other password settings. If he were, he could have made a much more powerful argument for his case. For example, Dr. Robert Proctor of Purdue University, Dr. Kim Vu of California State University-Long Beach and I have published the results of empirical studies concerning password policy settings. Some of our findings were that longer passwords were under a number of conditions no more difficult to crack than were shorter ones, something that attests to the power of today's password cracking tools, and that more difficult-to-generate passwords were not significantly more difficult-to-crack, either, although they were more difficult to remember. ]
[Guest commentary: For a counterpoint to the Microsoft paper's assertions see Lance Spitzner's blog:
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/