Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #58

July 23, 2010


For a great summary of the Siemens attacks and Stuxnet/Windows
Shortcut/SCADA story, read Elinor Mills' story at CNET. It is the top url in the story about the Windows Temporary Fix. Separately, MITRE reports that the specific programming error that enabled the attack is number six on the list of the 25 most critical programming errors. Finally the London meeting of users of ABB, GE, Siemens, and Rockwell control systems which will focus on security of those systems is being merged into the annual SCADA Security Summit so people can attend a single meeting and still get a seat at the hands-on SCADA security training that will follow that meeting. Register at http://www.sans.org/eu-scada-security-summit-2010/ while seats are still available.
Users of each type of system can get a discount code from the participating control system vendors. For more information email apaller@sans.org.

Alan

TOP OF THE NEWS

US Facing Shortage of Skilled Cyber Security Professionals; Current Certifications Dangerously Misleading
Some Dell Replacement Server Motherboards Shipped With Malware
Couple Charged in GM Hybrid Car Technology Theft
Microsoft Issues Temporary Fix for Flaw Exploited by Stuxnet

THE REST OF THE WEEK'S NEWS

Poor Web Site Design by the Georgia Secretary of State Office Compromises Corporate Online Identities
Chinese Military Establishes Information Security Department
Four Arrested in Connection with Mariposa Botnet Code
States Seek Details About Google Data Collection Code
Mozilla Updates Firefox and Thunderbird
Massachusetts Hospital Backup Files Lost
Adobe Will Introduce Sandboxing in Reader Before End of the Year
Gas Pump Card Skimmers Found in Colorado
Blogetery Shutdown Linked to Alleged Al Qaeda Postings


************************ Sponsored By AccelOps ***************************
Exploring, upgrading or advancing SIEM or Log Management? * Real-time analysis, long-term log management and compliance automation * Automated infrastructure and identity discovery with rich device support * Nextgen cross-correlation, search, dashboards and reporting * Instantly detect sophisticated attacks, violations, anomalies and exceptions Fast. Intelligent. Scalable. See reviews on AccelOps.
http://www.sans.org/info/62458

***************************************************************************
TRAINING UPDATE -- SANS Boston 2010, August 2-8, 2010 11 courses. Special Events include Rapid Response Security Strategy Competition
http://www.sans.org/boston-2010/

-- SANS Virginia Beach 2010, August 29-September 3, 2010 9 courses. Bonus evening presentations include Future Trends in Network Security
http://www.sans.org/virginia-beach-2010/

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

-- SOS: SANS October Singapore, October 4-11, 2010 7 courses
http://www.sans.org/singapore-sos-2010/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Washington DC, Portland, London, Dubai and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*************************************************************************



TOP OF THE NEWS

US Facing Shortage of Skilled Cyber Security Professionals; Current Certifications Dangerously Misleading (July 19 & 21, 2010)

A "desperate shortage" of qualified and capable cyber security professionals is leaving the US vulnerable to cyber attacks. Not only are there not enough skilled cyber security specialists to protect the systems we have in place, but more are needed to develop new systems, write secure code and create new tools. The US will need an estimated 30,000 more specialists; currently, there are just 1,000 to 2,000 who are up to the challenge. Compounding the issue is the fact that cyber security certifications have not kept pace with the changing times. A study from the Center for Strategic and International Studies (CSIS) notes that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security" because the certifications currently emphasize compliance documentation instead of reducing cyber risks.
-http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=226
100078

-http://www.abc.net.au/news/stories/2010/07/22/2961755.htm?section=world
-http://www.npr.org/templates/story/story.php?storyId=128574055
-http://csis.org/publication/prepublication-a-human-capital-crisis-in-cybersecuri
ty

[Editor' Note (Schultz): Could not agree with the CSIS more. Having certifications is better than nothing, but most certifications do not go nearly far enough. The Cisco CCIE certification provides an excellent model of the needed rigor level for the certification process. ]

Some Dell Replacement Server Motherboards Shipped With Malware (July 21 & 22, 2010)

Dell has warned that some of the replacement PowerEdge server motherboards it has shipped are infected with the W32.Spybot worm. The worm was discovered in the flash storage of the boards. The issue underscores concerns that because computer component manufacturing is outsourced, malware can become embedded in components without the company's knowledge.
-http://gcn.com/articles/2010/07/22/dell-ships-motherboards-infected-with-worm.as
px?admgarea=TC_SECURITY

-http://www.h-online.com/security/news/item/Dell-replacement-motherboards-contain
ed-malware-1043840.html

-http://www.theregister.co.uk/2010/07/21/dell_server_warning/
-http://www.zdnet.co.uk/news/security-threats/2010/07/22/dell-poweredge-motherboa
rds-ship-with-malware-40089615/

[Editor's Note (Pescatore): Whoa, whoa, whoa - outsourcing manufacturing does *not* in *any* way shift the blame from the company that sells the product to the company that build the product. If a rat gets in a cereal box, the company whose name is on the box gets the blame and deserves the blame.
(Ranum): Supply chain security becomes a problem in transitive trust. A bright future full of pointing fingers is dawning! ]

Couple Charged in GM Hybrid Car Technology Theft (July 22, 2010)

Former General Motors (GM) employee Shanshan Du and her husband Yu Qin have been indicted in Michigan for allegedly stealing hybrid car technology information from GM. They have both been charged with conspiracy to possess trade secrets without authorization, unauthorized possession of trade secrets and wire fraud; one of them has also been charged with obstruction of justice. Between December 2003 and May 2006, Du allegedly shared trade secret information about hybrid cars at GM with her husband while she was employed there. Du allegedly copied thousands of documents to an external hard drive shortly after she was offered a severance package from GM. Several months later, Qin started a new business that sought to provide hybrid car technology to a Chinese company. GM places the value of the stolen documents at US $40 million.
-http://www.networkworld.com/community/node/64031

Microsoft Issues Temporary Fix for Flaw Exploited by Stuxnet (July 21 & 22, 2010)

Microsoft has issued an interim workaround fix for a critical vulnerability in the Windows Shell that is being actively exploited. The vulnerability is tied to malware known as Stuxnet, which can infect machines through USB drives. Microsoft's initial advisory recommended editing the Windows Registry, but users were reluctant to follow those instructions because a mistake could render the computer unusable. The new workaround automates the process, but the temporary fix makes it harder to navigate computers. Stuxnet has been used to steal information through supervisory control and data acquisition (SCADA) systems at companies that support utilities and other elements of critical infrastructure. The emergence of this vulnerability and the attacks exploiting it prompted the SANS Internet Storm Center to raise its threat warning level to yellow. Stuxnet is currently being used in limited targeted attacks, but experts believe it is just a matter of time before exploits are widespread. Elinor Mills' FAQ offers a clear and comprehensive overview of the issue. Elinor Mills' FAQ:
-http://news.cnet.com/8301-27080_3-20011159-245.html
-http://gcn.com/articles/2010/07/22/ecg-automated-workaround-for-windows-shell-fl
aw-released.aspx?admgarea=TC_SECURITY

-http://www.theregister.co.uk/2010/07/21/microsoft_fix_it/
-http://www.computerworld.com/s/article/9179479/Microsoft_issues_tool_to_repel_Wi
ndows_shortcut_attacks?taxonomyId=82s

-http://threatpost.com/en_us/blogs/stuxnet-may-be-new-new-thing-malware-072210?ut
m_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

-http://krebsonsecurity.com/2010/07/tool-blunts-threat-from-windows-shortcut-flaw
/

-http://www.scmagazineus.com/stuxnet-malware-threat-continues-targets-control-sys
tems/article/175092/



**************************** SPONSORED LINKS **************************
1) Sign up for SANS Special Webcast: The Emergence of Content Aware SIEM on July 27th at 1:00 PM ET. Go to
http://www.sans.org/info/62463

2) Did you miss SANS WhatWorks Webcast: Moving 100 percent into the Cloud...Securely sponsored by Altor? Available now.
http://www.sans.org/info/62468

*************************************************************************



THE REST OF THE WEEK'S NEWS

Poor Web Site Design by the Georgia Secretary of State Office Compromises Corporate Online Identities (July 22, 2010)

A series of corporate identity fraud cases has hit businesses in the US state of Georgia. A similar wave of scams was reported in Colorado earlier this week. The same problem affects businesses in both states. Information on the Secretary of State's Offices' online business registration systems can be accessed and modified by anyone. The thieves used the stolen information to obtain loans and lines of credit, which were then used to make purchases.
-http://www.computerworld.com/s/article/9179526/Corporate_ID_theft_hits_Georgia_b
usinesses_?taxonomyId=84

[Editor's Note (Honan): The ability of criminals to make these changes online simply makes it easier for them to carry out this scam. The same changes can be made by filling in paper forms and posting them to the Secretary of State's Office. Without verification checks within the bureaus to prevent fraudulent changes being submitted, each company should regularly check their documentation is as it should be and monitor their credit rating to ensure they are not victims of this attack. ]

Chinese Military Establishes Information Security Department (July 22, 2010)

China People's Liberation Army has established an information security department. The Information Security Base is reportedly focused on defensive rather than offensive measures. The department will collect information and help protect Chinese military information.
-http://www.guardian.co.uk/world/2010/jul/22/chinese-army-cyber-war-department
-http://timesofindia.indiatimes.com/world/china/PLA-sets-up-cyber-base-assures-it
s-not-for-war/articleshow/6202924.cms

[Editor's Note (Northcutt): I believe this probably is defensive command and control. The PLA already has its offensive group, and has, I think. for about seven years:
-http://online.wsj.com/article/SB10001424052748703399204574508413849779406.html
-http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article2409865
.ece

-http://www.dnaindia.com/world/report_can-india-survive-a-chinese-cyber-attack_11
19824

-http://www.spacewar.com/reports/Analysis_Strategic_strike_capability_999.html]

Four Arrested in Connection with Mariposa Botnet Code (July 22, 2010)

Four people have been arrested in Slovenia for allegedly creating the malware for the Mariposa botnet. Earlier this year, police in Spain arrested three individuals for allegedly distributing the malware and using it to break into online financial accounts.
-http://www.theregister.co.uk/2010/07/22/mariposa_botnet_arrests/

States Seek Details About Google Data Collection Code (July 21 & 22, 2010)

A coalition of 38 US states working together to investigate Google's wireless data gathering is asking the company for the names of the engineers who wrote the code. Earlier this year, Google acknowledged that a program created to gather information for its Street View feature inadvertently collected snippets of personal information from unprotected wireless networks. The states in the coalition also want to know if Google tested the code before using it actively. The group also wants to know where Google collected the data and what has been done with the stored information.
-http://www.bbc.co.uk/news/technology-10724464
-http://www.theregister.co.uk/2010/07/21/google_wifi_snoop_inquiries/
[Editor's Note (Pescatore): The good news is that Google's lack of attention to privacy is turning into a very expensive event. Let's hope Google believes the ROI of fixing the root problem is higher than just lawyering up. ]

Mozilla Updates Firefox and Thunderbird (July 21 & 22, 2010)

Mozilla has pushed out an updated version of its Firefox browser to fix 14 security holes, including seven that have been rated critical. Firefox 3.6.7 also includes changes to improve stability. Mozilla plans to release another Firefox update following the Black Hat conference to fix any flaws divulged there.
-http://www.theregister.co.uk/2010/07/21/firefox_security_update/
-http://www.securecomputing.net.au/News/220607,mozilla-issues-critical-firefox-an
d-thunderbird-patches.aspx

-http://www.computerworld.com/s/article/9179504/Mozilla_patches_16_security_bugs_
in_Firefox_3.6

-http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.
7

Massachusetts Hospital Backup Files Lost (July 19, 20 & 21, 2010)

Missing backup files contain personally identifiable information of about 800,000 people. Most were treated as patients at South Shore Hospital in Weymouth, Massachusetts between January 1, 1996 and January 6, 2010. In addition to patients, the files contain information about employees, physicians, volunteers, donors, vendors and partners. The compromised data include Social Security numbers (SSNs), diagnoses and treatments, and financial account information. The files were sent to a data management company to be destroyed, but only some of the files were received and ultimately destroyed. The hospital will begin notifying affected individuals soon.
-http://www.scmagazineus.com/hospital-files-with-personal-medical-data-on-800000-
gone/article/174970/

-http://www.boston.com/news/local/breaking_news/2010/07/hospital_says_8.html
-http://www.eweek.com/c/a/Health-Care-IT/Massachusetts-Hospital-Reports-800000-Pe
rsonal-Records-Missing-638660/

-http://www.thebostonchannel.com/mostpopular/24311150/detail.html
[Editor's Note (Schultz): I have for a long time worried whether so called data management companies really do what they claim to do--destroy data that their customers give them. Here we have an example of one company that didn't. I wonder how many others are also remiss in doing what they are supposed to do--destroying customer data. ]

Adobe Will Introduce Sandboxing in Reader Before End of the Year (July 20 & 22, 2010)

In the next major upgrade of its Reader PDF viewer, Adobe will include sandboxing technology to help protect users' computers from malware. Adobe's products have increasingly been targeted by malware over the last 18 months. Sandboxing isolates processes so that malicious activity is contained. The upgrade is expected to be made available by the end of the year.
-http://darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?art
icleID=226000096&subSection=Application+Security

-http://www.theregister.co.uk/2010/07/20/adobe_reader_sandbox/
-http://www.computerworld.com/s/article/9179403/Adobe_to_beef_up_PDF_security_wit
h_Reader_sandboxing?taxonomyId=208

-http://krebsonsecurity.com/2010/07/adobe-sandbox-will-stave-off-reader-attacks/
-http://news.cnet.com/8301-27080_3-20011015-245.html
-http://www.v3.co.uk/computing/news/2266898/adobe-release-sees-security
[Editor's Note (Northcutt): This will be very useful. I would encourage Adobe to hire some out of the box thinking, skilled, application and web penetration testers before distributing it. ]

Gas Pump Card Skimmers Found in Colorado (July 20, 2010)

More than 30 gas station pump payment devices in the Denver area have recently been hit by skimmers. A string of fraudulent transactions on credit card accounts has been linked to skimmers placed on gas pump payment devices at gas stations along I-25 in the Denver, Colorado area. Local police and US Secret Service agents have reportedly visited several Valero gas stations in the area to look for the devices. A similar set of incidents in Florida used Bluetooth-enabled skimmers so the thieves could access the stolen data without physically revisiting the pumps.
-http://krebsonsecurity.com/2010/07/skimmers-siphoning-card-data-at-the-pump/
[Editor's Note (Pescatore): Bit of exaggeration here - the typical small, low power Bluetooth device range is under 10 meters, so the bad guys still had to be near the pumps. I'm sure soon gas stations will offer both gas pump mitts to keep the gas smell off of your hands *and* aluminum foil skimmer mitts to keep your credit card information inside the pump. ]

Blogetery Shutdown Linked to Alleged Al Qaeda Postings (July 19, 2010)

Details emerging about the shutdown of Blogetery blogging platform suggest that authorities are investigating al Qaeda-related terrorist content found on one of the company's servers. The information allegedly contained links to a list of names of people in the US who had been targeted for assassination and to instructions for making a bomb. Blogetery supported about 70,000 blogs and was hosted by BurstNET, which took down Blogetery on July 9 for violating its acceptable use policy after being contacted by the FBI.
-http://news.cnet.com/8301-31001_3-20010923-261.html
-http://www.wired.com/threatlevel/2010/07/blogetery-al-qaeda/


**********************************************************************

The Editorial Board of SANS NewsBites Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/