Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #44

June 01, 2012

FLASH: The New York Times reported this morning that President Obama
(and his predecessor) ordered a sophisticated campaign of cyberattacks
against Iran's nuclear program, and has either attacked or considered
attacking networks in China, Syria, and North Korea as well. Because
the publication of this story is likely to herald substantive and
far-ranging changes in the way cybersecurity is managed in the US and
in many other countries, we have included an analysis by Gautham Nagesh.
Under normal circumstances, his thoughtful, in-depth analyses are
available only to paid subscribers to CQ Roll Call "Executive Briefing
on Technology." This is an abnormal circumstance. There is great value
in the security community understanding that the game has changed, and
what it means.


PS Another very valuable piece of cybersecurity reporting will appear
on the front page of the Washington Post on Sunday or Monday and then
be discussed on National Public Radio (the Diane Rehm show) on Monday


President Obama Ordered Stuxnet and More Cyber Attacks on Iran
Pentagon's Plan X Aims to Develop Robust Cyberwarfare Capabilities
US Legislators Poised to Reauthorize FISA Amendments Act


ACTA Faces Opposition From Three European Parliament Committees
US Legislative Committee to Hold Hearings on Online Banking Fraud
Arrest Made in WHMCS Hack
Developments in the Megaupload Case
Backdoor in Privacy Tool Sparks Concern Over Cyber Surveillance in Iran
UK ISP Sky Broadband Now Blocking The Pirate Bay
White House Anti-Botnet Effort
Researchers Find Backdoor in Chip Used by US Military
DHS Provides Advice for Industrial Control System Users
Pentagon to Issue New Social Media Policy for DoD Employees

************************* SPONSORED BY Cellebrite ************************
Same Trusted UFED, Now 10x Faster - The new industry standard in mobile forensics, the UFED Touch unites high performance with Cellebrite's unrivaled device support. A real-time viewer and new GUI on an adjustable touch screen, integrated battery, redesigned cable tips and technology upgrades make for UFED extractions that are now up to 10 times faster.
- --SANS Rocky Mountain 2012, Denver, CO June 4-9, 2012 10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?

- --Forensics & Incident Response Summit & Training, Austin, TX June 20-27, 2012 Pre-Summit Courses: June 20-25, 2012; Summit: June 26-27, 2012 Techniques and solutions to aid organizations and agencies responding to crimes and attacks. Maximize your training by also attending one or more of the 4 pre-summit courses.

- --SANS Canberra 2012, Canberra, Australia July 2-10, 2012 5 courses. Bonus evening presentations include Penetrating Modern Defenses; and Tales From the Crypt: TrueCrypt Analysis.

- --Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.

- --SANSFIRE 2012, Washington, DC July 6-15, 2012 44 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.

- --SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 9 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.

- --Looking for training in your own community?

- --Save on On-Demand training (30 full courses) - See samples at

Plus Malaysia, Bangkok, Boston, and San Antonio all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php


President Obama Ordered Stuxnet and More Attacks on Iran (June 1, 2012)

(By Gautham Nagesh, CQ Executive Briefing on Technology) The New York Times has a bombshell this morning: President Obama began ordering cyberattacks on Iran within days of taking office. The story, which is a must-read, finally confirms what many cybersecurity experts have suspected: the Stuxnet worm, which disabled industrial equipment in Iran and Europe, was originally designed by Israel and the U.S. to slow down Iran's nuclear enrichment plant. The virus' escape from Iran's Natanz plant and subsequent discovery in Germany in 2010 was a mistake that U.S. authorities blamed on Israel. Former CIA chief Michael Hayden also acknowledged to the Times that Stuxnet is the first major cyberattack intended to cause physical destruction (to Iranian centrifuges). "Somebody crossed the Rubicon," he said.
The article includes a history of the classified cyberweapons program, dubbed "Olympic Games," which began under President Bush, and includes details of how President Obama decided that digital attacks were preferable to a potential military conflict between Iran and Israel. But the bottom line is that President Obama (and his predecessor) ordered a sophisticated campaign of cyberattacks against Iran's nuclear program, and has either attacked or considered attacking networks in China, Syria, and North Korea as well. The Obama administration previously acknowledged that it might respond to cyberattacks with physical force, but the report makes it clear that even as the U.S. was making those threats, it was perpetrating cyberattacks on the very nations it accuses of targeting its networks.
In doing so, the White House has seemingly opened a Pandora's box. Administration officials have placed a greater emphasis on cybersecurity and the threat to our nation's networks that any previous administration, doubtless because they had first-hand knowledge of just how much damage sophisticated cyberattacks are capable of causing. Those officials might have also feared reprisals from nations that were targeted by Stuxnet and other digital attacks from the U.S. The revelation also sheds some light on the Pentagon's reluctance to outline its cyberwarfare policies in detail, since doing so might have involved disclosing to Congress that the U.S. already was fully engaged in online battle.
Having taken such an aggressive stance on deploying Stuxnet, it will be very difficult for the U.S. to keep casting itself as the innocent victim of unprovoked attacks by countries looking to steal our economic and military secrets. Today's report makes it clear that the White House long ago decided to embrace digital warfare, and puts the onus squarely back on the administration to clearly explain its rules of engagement online. But the greatest impact may be internationally, where hostile nations now have confirmation the U.S. could be targeting their networks. If hackers in those countries weren't already attempting to take down U.S. critical infrastructure, they probably are now.

Pentagon's Plan X Aims to Develop Robust Cyberwarfare Capabilities (May 30, 2012)

The Pentagon's Defense Advanced Research Projects Agency (DARPA) is launching a five-year, US $110 million research program dubbed Plan X. DARPA is seeking input from private sector organizations, universities, and computer game companies in its effort to develop improved cyberwarfare capabilities. Goals include creating a comprehensive map of cyberspace that is updated continuously, developing an operating system strong enough to launch cyber attacks and withstand counterattacks, and creating systems that allow commanders to launch speed-of-light attacks.

US Legislators Poised to Reauthorize FISA Amendments Act (May 31, 2012)

US legislators appear to be ready to reauthorize the FISA Amendments Act, which grants the government authority to conduct warrantless surveillance on American citizens. The law allows the government to eavesdrop on phone calls and email correspondence of Americans as long as one of the parties in the conversation is outside the US. The FISA Amendments Act requires the Foreign Intelligence Surveillance Act Court to give blanket approval to electronic surveillance requests. The target of the surveillance does not have to be identified, and the surveillance can begin up to a week before the request is made. The FISA Court rulings are not public. Some US legislators did say that intelligence agencies need to be more accountable for how they are using the authority.

********************** SPONSORED LINK ********************************
1) Streamline Risk Management With the SANS 20 Critical Security Controls, featuring senior SANS Analyst and 20 controls co-author, James Tarawa and moderated by G. Mark Hardy. http://www.sans.org/info/106210


ACTA Faces Opposition From Three European Parliament Committees (May 31, 2012)

Three European Parliament Committees - the Industry Committee, the Civil Liberties Committee, and the Legal Affairs Committee - have voted to express "opinions against ACTA," the proposed anti-piracy treaty. ACTA addresses not only physical counterfeiting, such as phony pharmaceuticals, but digital content pirated over the Internet as well. Critics of the treaty have called ACTA a threat to free speech online. Twenty-two EU member states have already signed ACTA (as has the US), but the treaty has not yet been formally ratified. The opinions of the three dissenting committees will be reviewed by the International Trade Committee, which will vote on the matter on June 21 and make a formal recommendation to the European Parliament. Several countries, including Germany, Poland and the Czech Republic, have expressed reservations about ACTA; in the Netherlands, legislators voiced opposition to the treaty, saying that it violated the country's constitution.

[Editor's Note (Murray): Conflating pharmaceuticals and digital content makes bad law for both but provides cover for the politicians. ]

US Legislative Committee to Hold Hearings on Online Banking Fraud (May 31, 2012)

The US House Financial Services Committee will hold a hearing on Friday, June 1, regarding online banking fraud conducted against small- and mid-sized businesses. In the US, more than 1,000 of such businesses have been victims of online banking fraud since 2008. Although consumers are largely protected from liability for cyber theft, these companies must bear the losses.

[Editor's Comment (Northcutt): I am glad to hear that the Financial Services Committee is taking this step. This sort of thing has been going on for years and other than the reporting from Brian Krebs, you just do not hear about it. Two factor authentication can be subverted since the malware steals your money after you have authenticated. The best solution I am aware of is Iron key's but there have to be other great solutions. If you know of one would you kindly drop me a note, if we get some great info, we will put it at the bottom of a future NewsBites. Thanks, Stephen@sans.edu:

Arrest Made in WHMCS Hack (May 31, 2012)

The FBI has arrested a man in connection with a cyber attack on servers belonging to payment services provider WHMCS. The individual is believed to be the leader of a group that allegedly broke into WHMCS systems on May 21, stole information, and posted it online. The group also allegedly took control of WHMCS's Twitter account and rewrote some company blog and forum posts. WHMCS has reset customer passwords. The company also learned of a vulnerability in its payment processing software and promptly issued a patch to address the problem.

Developments in the Megaupload Case (May 30 & 31, 2012)

On Wednesday, May 30, attorneys for Megaupload sought to have the criminal case against the Hong Kong-based filesharing site dismissed. The legal team maintained that because Megaupload is not a US company and does not have any offices in the country, it cannot be prosecuted under the law used in the indictment. On May 29, a court in Auckland, New Zealand, ruled that Megaupload founder Kim Dotcom should be given access to documents containing the evidence to be used against him. Megaupload and another company, along with Dotcom and several colleagues, were indicted in January by a grand jury in Virginia. A Megaupload attorney says he believes that if the case against the company is dismissed, all orders against Megaupload, including those freezing company assets, will be vacated, although Dotcom and his colleagues would still face criminal charges. Dotcom also filed a motion to have company assets unfrozen to pay for defense costs.


Backdoor in Privacy Tool Sparks Concern Over Cyber Surveillance in Iran (May 30, 2012)

Versions of a privacy tool called Simurgh that contain backdoor components have been detected on filesharing sites in Iran, leading to speculation that the government could be using the software to spy on its citizens. Simurgh, a proxy tool, is widely used in Iran to evade censorship technology that the government has put in place. Simurgh in its original form is standalone software that can be run from a USB stick. The version with the backdoor must be installed on PCs. It has the capacity to log users' keystrokes and gather information about which sites they visit. The harvested data are sent to US-based servers that are registered to a Saudi Arabian organization. Because both versions of the software connect with a page that confirms the use of a proxy, the developers are using the opportunity to warn users whose versions appear to be infected.
[Editor's Note (Ullrich): Hashes are good. Even better to have the software digitally signed. If you are publishing software, and you are not offering signatures, you are putting your customers (and with that your reputation) at risk. ]

UK ISP Sky Broadband Now Blocking The Pirate Bay (May 30, 2012)

Sky Broadband, the UK Internet service provider (ISP), has joined Virgin Media and Everything Everywhere in blocking its customers' access to The Pirate Bay. The action was taken following a High Court order arising from complaints from the British Phonographic Industry (BPI). ISPs O2 and Talktalk say they are in the process of implementing similar blocks, and BT has been granted a longer period of time in which to comply. In December, Sky complied with a court order to block the site Newzbin 2. In a separate story, O2 customers who are suspected of uploading pornographic films from a certain company will be receiving letters from the film maker, which obtained a court order forcing O2 to divulge the identities of the customers suspected of illegally sharing the films.

White House Anti-Botnet Effort (May 29 & 30, 2012)

The US government is planning to take a number of steps in an effort to fight botnets. The coordinated efforts will be undertaken by the Departments of Commerce and Homeland Security, the White House Cybersecurity Office, and the Industry Botnet group, a coalition of private organizations. Plans include increased sharing of information about botnets among government agencies and private organizations and a campaign to educate consumers about botnets.




[Editor's Note (Ullrich): The US Govt. might consider just declaring Wednesday "Botnet Day". Appears these efforts spring up about once a week. ]

Researchers Find Backdoor in Chip Used by US Military (May 29 & 30, 2012)

A draft paper from a researcher at Cambridge University says that certain chips used by the US military in defense and industrial systems, including nuclear power plants, contain a backdoor that could be used to reprogram the chip's memory. The ProASIC3 chips from California-based Microsemi/Actel are manufactured in China. The backdoor is hidden within the chip's security; pains had been taken to disguise its presence. The vulnerability cannot be fixed with patches; to ensure that the backdoor is removed, the chips must be replaced. The researcher himself says that the backdoor was placed on the chip by Actel. Many chips have similar backdoors, which is "a byproduct of software complexity." Chips must be debugged before they are shipped, and the backdoor is for the debug interface, which is too expensive to remove prior to shipping.


[Editor's Note (Ullrich): The so-called "backdoor" is a debug feature typically found in FPGA chips, and the device is called "Military" because it complies with milspec. Nothing to see here but FUD. ]

DHS Provides Advice for Industrial Control System Users (May 29, 2012)

The US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ISC-CERT) recently published a technical paper for organizations using Industrial Control Systems (ICS), also known as SCADA (supervisory control and data acquisition) systems. The organizations are advised to retain data from systems that have come under attack; they should determine the extent of the breach and take steps to prevent intruders from probing further into their systems, but refrain from repairing or disinfecting compromised systems until they have conducted forensic analysis. The organizations are also advised to use intrusion detection systems and intrusion prevention systems, and to adopt a "least privilege" model for permissions.

Pentagon to Issue New Social Media Policy for DoD Employees (May 25 & 29, 2012)

A new policy to be used by the Pentagon will require troops to hide certain identifying information on social media sites. There have been reports that hackers could gather sensitive information, including military unit location, from some social media posts. The new policy comes in the wake of an attack on a dating site that compromised the personal information of military users. The new policy will require that DoD employees "use non-mission related contact information ... to establish personal accounts."

[Editor's Note (Murray): We call this "operational security," OPSEC for short. OPSEC policy must be implemented with training.


The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/