SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIII - Issue #5
January 18, 2011
TOP OF THE NEWSStuxnet Reportedly Tested at Israeli Nuclear Facility
Cyber War Hyperbole Clouds Focus on Other Important Cyber Threat Issues
Is Cyber Threat Exaggerated?
US Defense Dept. Social Media Policy Set to Expire
THE REST OF THE WEEK'S NEWSFacebook to Share Mobile Phone Numbers, Addresses with App Developers
Customer Exploited Hole at Web Host to Plant Shady Drug Pages
Chinese Authorities to Pursue Android Trojan Schemers
Smartphone OSes Disclose MAC Addresses When Interacting with IPv6
Oracle Quarterly Critical Patch Update Scheduled for January 18
Bank Employee Sold Customer Data
Guilty Plea From Man Who Broke into eMail Accounts, Stole and Posted Pics
Pentagon Failed to Disclose Clandestine Cyber Security Activity to Lawmakers
******************** Sponsored By SANS Mentor @Work ********************
Training at your workplace for groups of 4 or more employees through sans institute Mentor @Work Program. Contact firstname.lastname@example.org for more information. *************************************************************************
-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security
-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security
-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March:
-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011
-- SANS Phoenix 2011, Phoenix, AZ, February 25-March 2, 2011 6 courses. Bonus evening presentations and special events include Indicators of Compromise: ABCs of IOCs and Network Vulnerability Exploitation, Step By Step From Discovery through to Metasploit Module
-- SANS AppSec 2011: Summit & Training, San Francisco, CA, March 7-14, 2011 7 courses. Bonus evening presentations and special events includes The Road to Sustainable Security
-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
-- Looking for training in your own community?
Save on On-Demand training (30 full courses) - See samples at
Plus Atlanta, Bangalore, Singapore, Wellington and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************
TOP OF THE NEWS
Stuxnet Reportedly Tested at Israeli Nuclear Facility (January 15 & 16, 2011)Intelligence and military experts suggest that the Stuxnet worm was tested at the Dimona nuclear arms development facility in Israel's Negev desert and that the worm may be a joint Israeli-US effort. Stuxnet is believed to be responsible for sabotaging nuclear centrifuges in Iran, setting that country's nuclear program back several years. In 2008, Siemens worked with Idaho National Laboratory purportedly to help protect Siemens products from cyber attacks, but the meeting allowed the US to learn about vulnerabilities in Siemens products which are exploited in Stuxnet. It also appears that Stuxnet had a built in capability to record normal operations at the plants where it had infected systems, then played back normal readings while the attacks were underway so plant operators would be unaware of problems. The worm's effectiveness appears to have made the possibility of an imminent military strike against Iran less likely.
[Editor's Note (Schultz): By all appearance, a cyberstrike rather than a bombing mission was used to set back Iran's development of nuclear weapons. And the cyberstrike was really the more palatable of the two options in that it precluded killing and injuring people.
(Northcutt): The Wired article appears to be largely based on the NYTimes article which is short on proof and long on speculation. Attribution is a very hard problem; read these article critically.
(Ranum): The fact that cyber attack invites retaliation in kind shouldn't be lost on anyone. ]
Cyber War Hyperbole Clouds Focus on Other Important Cyber Threat Issues (January 17, 2011)A study from the Organisation for Economic Cooperation and Development (OECD) says that excessive focus on cyber war is getting in the way of government's ability to develop an appropriate and effective strategy to protect against cyber threats. According to the report, "It is unlikely that there will ever be a true cyber war
[for many reasons, including the fact that ]
there is no strategic reason why an aggressor would limit themselves to only one class of weaponry." The sentiment is echoed by White House chief cyber security adviser Howard Schmidt, who finds the metaphor of a cyberwar "terrible," going on to say, "There are no winners in that environment." The study was conducted by researchers from the London School of Economics and Oxford University.
[Editor's Note (Pescatore): Focusing on the threat actors, vs. the vulnerabilities they exploit, *always* creates hyberbole that distracts from making progress in information security. ]
Is Cyber Threat Exaggerated? (December 21, 2010)In answer to a question from Newsweek, the top US cyber security official assessed the US vulnerability to cyber attack. Here is the Q&A: Newsweek: When you see what makes it onto the evening news, would you say the worry about U.S. vulnerability to cyberattack is exaggerated? Or are we not worried enough? Schmidt: I would say it's exaggerated. Things have to be taken in perspective, and if you look at the billions of transactions that take place online every day, whether it's e-commerce
watching online videos
online banking, there's a tremendous amount of really wonderful, rich robust things that are taking place. But like anything else, the things that make the news are the things that aren't working well.
The NewInternet publication highlighted Schmidt's comments:
[Editor's note (Paller): This is a bum rap for Schmidt. In the rest of the interview, he put his answer in context. More importantly, from the first clear governmental recognition of the cyber threat 18 years ago, no Administration official was allowed to say how bad the problem is. Scaring the public without giving them something they can do to protect themselves effectively is counterproductive politically. ]
US Defense Dept. Social Media Policy Set to Expire (January 14, 2011)Social media guidelines set by the US Department of Defense (DoD) last year are set to expire on March 1, 2011. Despite concern that the event might leave the future of social media at DoD 'in limbo," a Pentagon spokesperson said that it will not ban the use of social media, noting that "social media tools are pervasive in the 21st century communications environment, and the department intends to fully utilize those capabilities." Reports up through 18 months ago indicated that the US military was considering a wholesale ban on networking tools because of network security concerns.
[Editor's Note (Pescatore): The same week the DoD was considering banning access to social media, the Marine Corps announced it had exceeded its recruiting goals, in large part due to its use of social media. The key to security is providing secure support to meeting mission/business needs; the business side will always win. ]
*************************** Sponsored Links: *****************************
1) Learn how to respond to emerging threats and how to better protect and defend your control systems at the Asia Pacific SCADA and Process Control Summit, http://www.sans.org/info/68974/ March 31 - April 7 in Sydney, Australia. Register by February 16 and save $400.
2) Do you know the most current information on web hacking techniques and how you can guard against them? If not, register for SANS AppSec 2011 http://www.sans.org/info/68979 taking place March 7-14, 2011 in San Francisco. Register by 1/26 and save $400. ****************************************************************************
THE REST OF THE WEEK'S NEWS
Facebook to Share Mobile Phone Numbers, Addresses with App Developers (January 17, 2011)Facebook is expanding the amount of information that applications may access to include users' mobile phone numbers and street addresses. Users must explicitly grant permission for the applications to access the information. In general, however, when users select "don't allow" for applications to access information, they are not able to use that application.
[Editor's Note (Pescatore): An app that won't work if you won't let it know your mobile number and your location is like an email that will send you $10M if you only give it your bank account number and PIN. Wouldn't it be nice if Facebook didn't allow apps to have that behavior? ]
Update: Facebook has temporarily disabled this feature to rework it so that users are "clearly aware of when they are granting access to this data."
Customer Exploited Hole at Web Host to Plant Shady Drug Pages (January 14, 2011)A customer of Utah-based Web hosting provider Bluehost.com reportedly exploited a flaw in a site administration tool to create approximately 40 subdomains on dozens of other websites also using Bluehost. The added pages lured site visitors to shady pharmaceutical sales sites. The sketchy pages were created over a period of four months in 2010 and remained live until Bluehost was contacted about the issue last week. The reason no more pages were added after July 2010 is that Bluehost implemented some security fixes then that fixed the exploited vulnerability.
Chinese Authorities to Pursue Android Trojan Schemers (January 14, 2011)The Chinese government is taking steps to fight scams involving cheap Android-based handsets that are being sold already infected with malware. They send text messages or make calls, ringing up small fees in the process. The scheme aims at accruing profit slowly, hoping the phones owners' do not notice or dispute the charges. The Chinese government will set up an office to manage related complaints.
Smartphone OSes Disclose MAC Addresses When Interacting with IPv6 (January 14, 2011)Smartphones interacting with IPv6-based servers have a privacy hole - the IDs they transmit contain unique hardware IDs. The problem lies not in IPv6, but in the smartphones' operating systems. Devices determine half of their IPv6 addresses themselves, so the operating systems need to be tweaked to generate random IDs. The problem is not currently widespread because IPv6 is not yet in wide use.
Oracle Quarterly Critical Patch Update Scheduled for January 18 (January 14, 2011)On Tuesday, January 18, Oracle will issue patches to address 66 vulnerabilities in 28 of its products, including Oracle Audit Vault, JRockit, Solaris and WebLogic Server. There will also be fixes for flaws in Sun products and OpenOffice and StarOffice productivity suites. Users are urged to apply the updates as soon as possible.
Bank Employee Sold Customer Data (January 13, 2011)A Singaporean bank executive sold customer information to a number of people, including an illegal money lender. Sazaly Selamat was experiencing financial difficulties, including repossession of his car. One of the people repossessing the vehicle discovered that Sazaly could access his employer's customer database and paid him for customer data. An illegal bookmaker also became one of Sazaly's clients and paid Sazaly for information on people who owed him money. Sazaly pleaded guilty to charges of corruption and accessing the bank's customer information system without authorization.
Guilty Plea From Man Who Broke into eMail Accounts, Stole and Posted Pics (January 13 & 14, 2011)George Samuel Bronk has pleaded guilty to seven felony charges, including computer intrusion, for breaking into more than 3,200 email accounts and stealing revealing pictures of women which he then posted to the Internet. He then changed their passwords, stole pictures and uploaded them to the women's Facebook profiles. He posted pictures of 172 women. In one case, he blackmailed a woman into sending him more explicit pictures of herself if she didn't want him to post those he had stolen. Bronk faces up to six years in prison.
[Editor's Comment (Northcutt): It seems like there could be an awareness tip of the day in here somewhere. And a reminder, don't use facts that you talk about on Facebook as your security questions. ]
Pentagon Failed to Disclose Clandestine Cyber Security Activity to Lawmakers (January 12 & 14, 2011)A document of questions posed to undersecretary of Defense for Intelligence nominee and current Pentagon assistant secretary for special operations Michael Vickers and Senate members suggests that the Pentagon did not disclose cyber activities in a quarterly report on clandestine activities submitted to lawmakers. The 33-page document obtained by the Associated Press does not specify what activities were omitted from the report, but experts suggest that they may involve anti-insurgent operations in Iraq and Afghanistan and activity in Yemen or Somalia. Vickers's answer indicated that emergent technologies such as cyber operations are not specifically listed in the law as activities that must be disclosed.
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP, GLSC is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/