Last Day for MacBook Air, Dell XPS 13, or $600 Off with Online Training

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #92

November 18, 2011


FLASH: The Nov. 8 attack on a SCADA system in a water district (similar
to the recent attack on MIT) is likely to be a small part of a much
bigger story. First articles:
http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/2
http://www.chicagotribune.com/news/chi-111118water-pump-facility,0,1531638.story
http://news.cnet.com/8301-27080_3-57327030-245/u.s-water-utility-reportedly-hack
ed-last-week-expert-says/


Also in this week's issue: John Pescatore's characterization of failed
security programs, at the end the first story, is the most insightful I
have ever seen from a Gartner security analyst. In it, he says:
"...many of whom focused way more on using policy and
awareness/education to shift blame to the users than
they did on avoiding incidents."
If you don't get it, ask me (apaller@sans.org) or if you are a Gartner
client, ask John. If you do get it, and you are (part of) the reason
your organization has shifted or will shift to the more effective
paradigm of security, your chances of having a highly valued and
satisfying career in security have increased enormously.

And kudos to the Ellen Nakashima of the Washington Post for doing a big
story in a major on successes in cybersecurity rather than just focusing
on compromises.
Alan

TOP OF THE NEWS

Cyber Security Progress
Norwegian Energy and Defense Companies Targeted by Data Thieves

THE REST OF THE WEEK'S NEWS

Windows 8 Includes Changes to Windows Update Procedure
BIND Flaw is Being Actively Exploited to Crash Servers
Alleged NASA Hacker Arrested in Romania
House Committee Hears SOPA Debate
Stolen Computer Holds Unencrypted Data of 4 Million Patients
Santa Clara University Investigating Grade Hacking
Google Provides Opt-Out for Wi-Fi Router Location Logging
Malware Forces New Zealand Ambulance Dispatchers to Turn to Manual Radio


******************** Sponsored By By Silicium Security *****************

Worried about targeted attacks and APT? Find what AV misses with Silicium's ECAT Enterprise Compromise and Assessment Tool - signature-less malware detection.

See ECAT in action, then download our whitepaper, APT in the Enterprise: http://www.sans.org/info/91406

**************************************************************************

TRAINING UPDATE

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Tokyo, Perth and Atlanta all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php **************************************************************************

TOP OF THE NEWS

Cyber Security Progress (November 17, 2011)

Amid a steady stream of reports of serious cyber attacks and dire predictions of more to come, some organizations are offering a bit of optimism through successful efforts to help mitigate risks. Many of the security issues arise from human error or carelessness. Among the successful projects are a State Department risk-scoring program that has significantly reduced the number of vulnerabilities in department computers; a Pentagon risk data sharing program for defense contractors; and the Australian Defense Signals Directorate's identification of four security controls that block a significant number of attacks.
-http://www.washingtonpost.com/national/national-security/government-companies-ta
king-steps-to-ward-off-cyberattacks/2011/11/10/gIQAdvERVN_story.html

[Editor's Note (Pescatore): Plenty of organizations have mature security programs that "lean forward" and do a very good job of keeping up with new threats while also meeting business demands and dealing with budgetary pressures. Common denominators tend to be having a "reduce business impact" goal with a focus on vulnerability avoidance and minimizing attack apertures. Kinda boring for the press to cover those - - much more exciting to provide details on the continuing stream of companies who have been compromised, many of whom focused way more on using policy and awareness/education to shift blame to the users than they did on avoiding incidents.
(Liston): One of the things I've noticed over the past few years is that many organizations are focusing too far "up" the security landscape - concentrating their efforts on complex, high-level measures and, in the process, paying less attention to the basics. When reviewing your organization's security posture, make sure you've mastered the "Security 101" stuff before you focus on anything else. ]

Norwegian Energy and Defense Companies Targeted by Data Thieves (November 17 & 18, 2011)

Cyber thieves have siphoned data from Norwegian oil and defense industries. In what is being called one of the largest cases of data espionage in the country's history, at least 10 separate attacks stole sensitive information from oil, gas, energy, and defense organizations, officials believe the actual breadth of attacks could be much larger because some of those affected may not realize that they were victims of attacks. Many of the attacks took place while the companies were negotiating contracts. Authorities did not name the affected organizations.
-http://www.washingtonpost.com/world/europe/security-watchdog-norwegian-energy-de
fense-industries-hit-by-extensive-data-theft-attack/2011/11/17/gIQAzbMKUN_story.
html

-http://www.theregister.co.uk/2011/11/17/noway_data_theft_attack/
-http://www.theaustralian.com.au/australian-it/norway-hit-by-major-data-theft-att
ack/story-e6frgakx-1226198486549

[Editor's Note (Murray): Norway is not a special target. Can you say "Defense in Depth?"
-http://whmurray.blogspot.com/2011/11/on-resistiing-phishing-attacks.html]


THE REST OF THE WEEK'S NEWS

Windows 8 Includes Changes to Windows Update Procedure (November 16 & 17, 2011)

Microsoft says that Windows 8 will include a reworked process for Windows Update. All updates that will require restarts will be consolidated into one event that coincides with the company's Patch Tuesday. Microsoft will make exceptions to the practice in the event of critical security issues that necessitate out-of-cycle updates. Windows 8 will notify users that there will be a restart three days before the event; IT administrators will still have the option of setting policies to prevent automatic restarts after updates are automatically installed. A second notable feature of Windows Update in Windows 8 is that it will no longer update third party applications.
-http://www.eweek.com/c/a/Mobile-and-Wireless/Microsofts-Windows-8-Will-Revamp-Wi
ndows-Update-632723/

-http://www.theregister.co.uk/2011/11/16/windows_8_auto_updates/
-http://www.computerworld.com/s/article/9221879/Microsoft_We_won_t_update_others_
Windows_apps?taxonomyId=208

[Editor's Comment (Northcutt): Welcome news. My HTML editor does not autosave and I have been sad when I lost work multiple times. ]

BIND Flaw is Being Actively Exploited to Crash Servers (November 17, 2011)

BIND users are being urged to update as soon as possible to protect their computers from an attack that exploits a flaw to crash vulnerable BIND 9 DNS servers. The Internet Systems Consortium (ISC) says that the flaw is being actively exploited to attack networks; users have reported simultaneous crashes in Germany, France, and the US. The ISC urges users to upgrade to BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, or 9.4-ESV-R5-P1.
-http://www.v3.co.uk/v3-uk/news/2125807/zero-day-threat-takes-dns-servers-interne
t

-http://www.h-online.com/security/news/item/Unknown-network-event-causing-BIND-9-
DNS-server-crashes-1380518.html

-http://www.theregister.co.uk/2011/11/16/bind_in_a_bind_again/
[Editor's Note (Murray): BIND is historically broken. If it does not work, price is irrelevant.
(Liston): The SANS ISC (Internet Storm Center) is asking that anyone who may have packet captures of attacks aimed at BIND please forward them using the "contact" form at
-http://isc.sans.edu/contact.html]

Alleged NASA Hacker Arrested in Romania (November 16 & 17, 2011)

Authorities in Romania have arrested a suspect in cyber attacks on servers at the US's National Aeronautics and Space Administration (NASA) that caused hundreds of thousands of dollars in damage. Robert Butyka allegedly began launching his attacks in December 2010 using the online moniker "Iceman." He allegedly altered data and restricted access to information. Police have seized a number of computers from Butyka's home.
-http://www.scmagazineus.com/romanian-hacker-accused-of-breaking-into-nasa-server
/article/217019/

-http://www.informationweek.com/news/government/security/231903181

House Committee Hears SOPA Debate (November 16, 2011)

In a hearing before the US House Judiciary Committee, legislators and half a dozen witnesses debated the Stop Online Piracy Act (SOPA) that would, if passed in its current form, give the Justice Department the authority to order US Internet service providers (ISPs) to prevent users from accessing sites that are on a blacklist for copyright violations. The Justice Department would also have the authority to order search engines to remove rogue sites from search results. Representative Lamar Smith (R-Texas), one of the bill's chief sponsors, has admitted that he's "not a technical expert on this." A similar piece of legislation, the Protect IP Act, is stalled in the US Senate. The Electronic Frontier Foundation (EFF) has called SOPA "the most extreme, anti-Internet, anti-privacy, anti-free speech copyright proposal in US legislative history." Experts say the plan would break DNSSEC.
-http://www.wired.com/threatlevel/2011/11/piracy-blacklisting-bill/
-http://redtape.msnbc.msn.com/_news/2011/11/16/8841061-congress-takes-up-controve
rsial-anti-piracy-sopa-legislation

-http://www.eweek.com/c/a/Security/Security-Experts-Blast-House-AntiPiracy-Bills-
DNS-Filtering-Provisions-495532/

[Editor's Note (Murray): Regardless of how much money the publishers pump into Congress, anti-piracy cannot be permitted to trump all other values. Opponents of the bill are beginning to gain some traction but they have complained that hearings were stacked against them.
(Liston): Once again, we're faced with an issue where the intent of the legislation (prevention of online criminal activity) is laudable, but the way that the legislation is written will actually cause more harm than good (for example, the blacklisting provisions are too draconian and don't provide targets with due process or sufficient means of appeal). What is particularly appalling is that legislators recognize that they don't sufficiently understand the technical ramifications of this bill but are content to press forward with the process anyway. ]

Stolen Computer Holds Unencrypted Data of 4 Million Patients (November 16, 2011)

A desktop computer stolen from Sutter Medical Foundation in mid-October holds unencrypted patient information dating back to 1995. The data include names, addresses, and diagnoses of more than 4 million patients. In the last two years, more than 364 breaches at healthcare organizations have compromised personal data of nearly 18 million patients.
-http://www.mercurynews.com/breaking-news/ci_19351997
-http://abcnews.go.com/US/wireStory/theft-data-4m-patients-part-wider-problem-149
77828

Santa Clara University Investigating Grade Hacking (November 15, 2011)

Santa Clara University in California said that someone broke into its computer system and changed grades of more than 60 students. The school says it sought help from the FBI after a student reported that one of her grades was different on a recently obtained transcript. In all cases, grades were raised. The intrusion appears to have occurred between June 2010 and July 2011.
-http://www.wired.com/threatlevel/2011/11/santa-clara-university-hacked/
-http://latimesblogs.latimes.com/lanow/2011/11/santa-clara-university-hacked-grad
es-changed.html

-http://www.pcworld.com/businesscenter/article/243853/fbi_investigating_intrusion
_into_university_records_system_to_alter_grades.html

Google Provides Opt-Out for Wi-Fi Router Location Logging (November 15, 2011)

Owners of wireless routers who do not want Google to log the locations of their Wi-Fi routers can edit the wireless network name, or SSID, with a trailing "_nomap." Google logs the locations of routers to help refine its location-based services. The company has received criticism for choosing this method, which some say is too complicated for most home users. Google Global Privacy Counsel Peter Fleischer said that simpler methods were too easy to hack, suggesting that attackers could opt people out without their knowledge.
-http://www.theregister.co.uk/2011/11/15/wi_fi_privacy_google/
-http://www.eweek.com/c/a/Security/Google-WiFi-Optout-Method-Mocked-by-Media-7192
15/

-http://www.pcworld.com/businesscenter/article/243994/google_offers_optout_method
_for_wifi_geolocation_mapping.html

[Editor's Comment (Liston): I've contacted my credit card company in an effort to get "_nosteal" added to the end of my card number... we'll see what happens. ]

Malware Forces New Zealand Ambulance Dispatchers to Turn to Manual Radio (November 15 & 16, 2011)

A malware infection on the New Zealand Ambulance Service computer network forced dispatchers to use manual radio systems. The problems persisted for two days. Dispatchers were unable to communicate with drivers through on board mobile data terminals. The problems meant that drivers were not able to receive information about the calls to which they were responding.
-http://www.theregister.co.uk/2011/11/15/nz_ambulance_malware_outbreak/
-http://www.msnbc.msn.com/id/45293551/ns/technology_and_science-security/
-http://computerworld.co.nz/news.nsf/news/mystery-virus-disrupts-st-johns-ambulan
ce-service

[Editor's Comment (Northcutt): A reminder that if everything is computer controlled, malware can rule the world, critical systems need an "old school" method. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/