SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #102
December 27, 2011
SCADA Security is back in the news with DHS's announcement this week of
Siemens' system vulnerabilities. The key issues is not what
vulnerabilities exist, but what to do first to ensure power systems and
other critical infrastructures are defensible. Substantially all the key
players from industry and government are meeting in Orlando at the end
of January to review progress on that question and to launch at least
one and possibly two important new initiatives that may reshape
cybersecurity in the power industry and in other elements of the
critical infrastructure. Hotel and registration information at:
TOP OF THE NEWSDHS ICS-CERT Warns of SCADA Flaws in Siemens Products
Mobile Phone Security Needs Improvement
Hacktivists Expose Those Who Censor and Conduct and Aid Surveillance
Anonymous Targets Think Tank
Indian Court Orders Internet Companies to Remove Objectionable Content
HP Firmware Update Addresses LaserJet Printer Vulnerability
GoDaddy Backs Off SOPA Support
Closing Arguments in Manning Hearing
Koobface Operators Refine Botnet to Maximize Pay-Per-Click revenue
Chinese Computer Users Experience Large Data Breach
THE REST OF THE WEEK'S NEWS
--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses.
--SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click is all It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
--Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php **************************************************************************
TOP OF THE NEWS
DHS ICS-CERT Warns of SCADA Flaws in Siemens Products (December 22 & 23, 2011)The US Department of Homeland Security's (DHS) Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has issued an advisory warning of vulnerabilities in certain Siemens Supervisory Control and Data Acquisition (SCADA) systems that could be exploited to gain access to vulnerable systems with user or administrator privileges. Siemens is developing fixes for the flaws and plans to release an update in January.
Mobile Phone Security Needs Improvement (December 27, 2011)Research scheduled to be presented at a Chaos Computer Club convention later this week indicates that mobile network security is nowhere near as robust as it should be, especially given recent events involving certain British journalists. A study of mobile operators in Morocco, Thailand, and Europe found that most provided weak or non-existent protection from unauthorized surveillance and identity theft. Armed with a seven-year-old mobile phone and free decryption software, the person who will be making the presentation found that he was able to access conversations and text messages and spoof account identities. At least one of the vulnerabilities that allowed him to intercept voice and data could be addressed with the application of an available patch.
Hacktivists Expose Those Who Censor and Conduct and Aid Surveillance (December 26, 2011)In August 2011, an international group of hackers known as Telecomix exploited vulnerabilities in a variety of devices to display warnings to people in Syria that their online activity was being monitored. During that **event***, one of the members noticed an FTP server containing logs of surveillance data that were gathered using an appliance made by an American company. Telecomix published 54 gigabytes of the logs, and the company, California-based Blue Coat Systems, has been forced to admit that its technology is being used in Syria, a violation of international sanctions imposed against the country. Telecomix had its genesis at a 2009 conference in Gothenburg, Sweden; it was formed in reaction to European Union laws that would have severed Internet connections of habitual copyright violators. Telecomix also helped people in Egypt get Internet access after Mubarak shut down all Internet service providers (ISPs) in that country but one.
Anonymous Targets Think Tank (December 23, 25 & 26, 2011)The hacking group known as Anonymous has struck again, this time infiltrating computers at the US security intelligence think tank Strategic Forecasting, which is known as Stratfor. The attack focused on the company's database and reportedly netted the group 200 gigabytes of data, including client lists and as many as 90,000 credit card numbers, which were unencrypted. Some information that the attackers claim to have pilfered from Stratfor computers has been posted to Pastebin. Stratfor's website was down as of Monday morning; visitors were greeted with a page telling them that the site was undergoing maintenance. Stratfor has acknowledged the breach and has warned clients of possible data compromise. The company says that the breach affected information about clients who had purchased its subscription-based publications, but did not access any more detailed information. There have also been statements made that question Anonymous's connection to the attack.
Indian Court Orders Internet Companies to Remove Objectionable Content (December 24 & 26, 2011)An Indian court has ordered nearly two dozen Internet companies to remove content it finds objectionable. Indian Minister for Communications Kapil Sibal wants the companies to develop a system to make sure that similar content does not appear online in the future. Critics of the order, which was the result of a private complaint, say that the government is seeking to suppress content that criticizes Indian politicians. The Internet companies, which include Google and Facebook, have until February 6, 2012, to comply with the order. The country's Information Technology Act gives Internet service providers and other similar entities 36 hours to comply with content takedown orders after being notified of the content's presence.
[Editor's Note (Murray): Making the ISPs responsible for content, even at the margins, will break the model on which the Internet is based. States that try to do this will find themselves increasingly isolated. ]
HP Firmware Update Addresses LaserJet Printer Vulnerability (December 23 & 24, 2011)Hewlett-Packard has released a firmware update for its LaserJet printers to "mitigate" a vulnerability that could allow unauthorized access to the devices. No attacks have been reported. HP recommends that users place the printers behind firewalls and that remote firmware uploading be disabled on exposed devices. The update comes in response to a disclosure from researchers that some HP LaserJet printers failed to verify software upgrades within remote firmware updates. The researchers demonstrated that the flaw could be exploited to take control of the printers.
[Editor's Note (Murray): Unlike PC or mobiles, printers and PLCs, are not routinely patched. HP recommends that these devices be operated behind firewalls, i.e., only on private networks. We do not want the public networks to be either balkanized or perfectly flat. Striking the difficult balance is called "security," it is what we are paid for. ]
GoDaddy Backs Off SOPA Support (December 22 & 23, 2011)A boycott of domain registrar GoDaddy has had the desired effect of causing the company to withdraw its support of the US House of Representatives' Stop Online Piracy Act (SOPA). GoDaddy was the only domain registrar whose name appeared on a list of companies that supported the legislation, which has been decried as over-reaching, uninformed about the repercussions of technical aspects involved, and being pushed forward too hastily. On Friday, December 23, GoDaddy issued a statement saying that the effort to stop online piracy is an important endeavor, "but clearly we can do better
[than SOPA ]
. ... Getting it right is worth the wait. GoDaddy will support it when and if the Internet community supports it."
Closing Arguments in Manning Hearing (December 22 & 23, 2011)The US government made its closing statement in a hearing that will decide whether Pfc Bradley Manning will face a court-martial. The hour-long statement contained new exhibits, including excerpts of chat logs between Manning and Julian Assange. In one, Manning appears to ask Assange for help cracking a password that would allow him anonymous access to SIPRnet. Manning's attorney said in his closing arguments that the seriousness of the leaks was being exaggerated and that his client was a disturbed young man. Government attorneys said they have real-time records of Manning's SIPRnet searches and evidence that he uploaded documents to WikiLeaks. It may be several months before Manning learns what charges, if any, he will face. The Article 32 hearing is similar to a civilian grand jury hearing, but it is open rather than closed and the defense is allowed to cross-examine witnesses and present witnesses and evidence of its own.
Koobface Operators Refine Botnet to Maximize Pay-Per-Click revenue (December 23, 2011)The Koobface botnet has been updated to exploit pay-per-click advertising to make money for its operators with a traffic direction system (TDS). Koobface now directs Internet traffic through other sites to generate revenue. The TDS appears to be available to others as well. Koobface has been around since at least December 2008.
Chinese Computer Users Experience Large Data Breach (December 24, 2011)Hackers appear to have leaked the personal information of millions of computer users in China. More than six million users of the China Software Developer Network had their user IDs, passwords, and email addresses exposed in clear text. In addition, an undetermined number of subscribers to various websites, including gaming and social networking sites, had their personal information compromised as well. The total number of accounts reported to be affected has been estimated at 50 million, but the figure has not been verified.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/