SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIV - Issue #53
July 03, 2012
Friday at 10 PM EDT is the deadline for nominations for the most prestigious awards in cyber security - The National Cybersecurity Innovation Awards. Presented in 2011 by the White House Cyber Coordinator, Howard Schmidt, these national and international awards are the only recognition programs where winners have shown actual cybersecurity risk improvement and may be models for broad adoption. Products and techniques identified in these awards have seen rapid broad-scale adoption. See http://www.sans.org/cyber-innovation-awards
PS Some of the best nominations so far are for innovative uses of widely used products like those from Symantec.
TOP OF THE NEWS
Reported Attacks on Critical Infrastructure Up Sharply
Time is Running Out for Computers Still Infected With DNSChanger
THE REST OF THE WEEK'S NEWS
Program Helps State and Local Governments Find Best of Breed Products and Save Money
Some Say Credit Card Fraud Bust Means PCI-DSS Isn't Enough
Judge Says Twitter Must Release Account Data Related to Occupy Protester
Hackers Infiltrate Indian Naval Computer Systems
Prison Time for Online Banking Theft Scheme
Researchers Demonstrate GPS Spoofing Drone Takeover
Senator Seeks to Strengthen SEC Breach Reporting Rules
Stratfor Agrees to Settlement in Data Breach Case
Russian Authorities Take Down Huge Banking Botnet
*************************** SPONSORED BY SANS *****************************
Special Webcast: IBM X-Force(R) Declared 2011 the "Year of the Security Breach" Featuring: Peter Szczepankiewicz, Senior Security Engineer. Wednesday, July 11, 2012 at 12:30 pm EDT.
--Security Impact of IPv6 Summit, Washington, DC July 6, 2012 Walk away with best practices from some who have already implemented IPv6, in large networks, for a few years.
--SANSFIRE 2012, Washington, DC July 6-15, 2012 45 courses. Bonus evening presentations include Critical Infrastructure Control Systems Cybersecurity; and Why Don't We Consider Our Cars Critical Infrastructure?, Authentication Issues Between Entities During Protocol Message Exchange in SCADA Systems, many more.
--SANS San Francisco 2012, San Francisco, CA July 30-August 6, 2012 8 courses. Bonus evening presentations include All Your Hash Are Belong to Us: Targeting Windows Password Hashes for Penetration; Spear Phishing and Targeted Attacks; and Assessing Deception.
--SANS Boston 2012, Boston, MA August 6-11, 2012 8 courses. Bonus evening presentations include SIFT Workstation: The Art of Incident Response; and Everything I Know is Wrong! How to Lead a Security Team in a Time of Unprecedented Change and Challenge.
--SANS Virginia Beach 2012, Virginia Beach, VA August 20-31, 2012 10 courses. Bonus evening presentations include Information Assurance Metrics: Practical Steps to Measurement; and Who's Watching the Watchers?
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Bangkok, San Antonio, Melbourne, and Arlington, VA all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Reported Attacks on Critical Infrastructure Up Sharply (June 29, 2012)
Numbers from the US Industrial Control System Cyber Emergency Response Team (ICS-CERT) show a significant increase in the number of cybersecurity incidents reported between 2009 and 2011. Just nine cybersecurity incidents were reported to ICS-CERT in 2009. In 2010, there were 41 incidents, but in 2011, there were 198 reported incidents. Last year, the reported incidents necessitated the deployment of onsite incident response teams seven times, and 21 additional incidents were dealt with through remote analysis from the Advanced Analytics Lab. Although not all of the reports were cyber attacks, the number indicates a threat level "more severe than expected." In 12 of the 17 incidents that prompted onsite assessments over the last three years, the implementation of security best practices could have reduced the time it took to detect the attacks, reduced their impacts, or even staved them off entirely. ICS-CERT recently noted that many industrial control systems connected to the Internet still have default usernames and passwords.
[Editor's Note (Honan): While our industry continues to get hysterical over perceived Advanced Persistent Threats and potential zero day attacks, reports like this one, and other industry reports on analysis of actual incidents, highlight again and again that the basic security measures are still not being effectively implemented by many organizations. By taking actions such as those outlined in the SANS 20 Critical Security Controls, the likelihood of incidents would be reduced dramatically. ]
Time is Running Out for Computers Still Infected With DNSChanger (June 28 & 29, 2012)
According to a survey, computer systems at twelve percent of Fortune 500 companies and four percent of US government agencies still appear to be infected with DNSChanger, which means that unless they clean the malware from those computers, they will not be able to connect to the Internet as of July 9. The FBI took control of the DNSChanger command-and-control infrastructure late last year; a series of court orders has allowed the operation of servers that are helping infected machines connect to the Internet, but the order's expiration is fast approaching.
[Editor's Note (Honan): The DNS Changer Working Group has some good resources on the Trojan, how to determine if you are infected, and how to deal with any infections. ]
************************* Sponsored Link: **************************
1) SANS Analyst Webcast: Server Security and Compliance: A Review of McAfee's Product Portfolio for Server Security by senior SANS Analyst Jim D. Hietala
THE REST OF THE WEEK'S NEWS
Program Helps State and Local Governments Find Best of Breed Products and Save Money (June 28, 2012)
The Center for Internet Security (CIS) has established a division called the Trusted Purchasing Alliance, which allows state and local governments to buy IT security products and services at a discount. CIS, which was founded by former New York State CISO William Pelgrin, also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC). The program not only saves money, but allows entities that would not normally have used some of the tools, such as encryption, to deploy them. The Alliance has a product review board which selects the IT security products, vets the vendors, and helps governments to contract their purchases.
Some Say Credit Card Fraud Bust Means PCI-DSS Isn't Enough (June 29 & July 2, 2012)
Experts say that the international takedown that resulted in 24 arrests for credit card fraud illustrates problems inherent in the Payment Card Industry Data Security Standard (PCI DSS). The two-year operation, dubbed Operation Card Shop, revealed that cards from 47 different institutions were compromised. It also underscores the need "to move beyond check-the-box regulatory compliance." Some have questioned whether the breached entities will face fines from the PCI Council as a result. Still others say that while news of the arrests is positive, they ultimately will not have an effect on the amount of credit card fraud that is occurring.
[Editor's Note (Murray): We have known this for years. PCI/DSS was never more than a Band-Aid on a fundamentally broken system. Mag-stripe and PIN served us well for forty years on ATMs. They were never intended to be used with un-trusted devices on un-trusted networks.
(Cole): Organizations that do just what PCI says and nothing else will miss critical security measures. PCI compliance can be very effective if it is integrated with threat intelligence and asset management coupled with continuous monitoring (using the 20 critical controls).]
Judge Says Twitter Must Release Account Data Related to Occupy Protester (July 1 & 2, 2012)
Twitter must release account information related to a user who is being prosecuted for disorderly conduct. Malcolm Harris participated in an Occupy Wall Street protest last fall, and the New York City district attorney's office is seeking his tweets and basic account user information. Harris's attempt to stop the subpoena was unsuccessful, as was Twitter's own challenge to the order. The criminal court of the city and county of New York upheld the subpoena over the weekend. The judge wrote that despite Twitter's contention that users' data belong to users and not to Twitter, Twitter users have no reasonable expectation of privacy because tweets are public.
In a related story, the US government has made more demands for information from Twitter than any other country in the first half of 2012. The government sought Twitter data 679 times so far this year. In that same period of time, the Japanese government has sought Twitter data 98 times, Canada and the UK have each made 11 requests, and the rest of the countries listed made fewer than 10 requests.
[Editor's Note (Cole): People feel very comfortable typing anything into their computer but often forget that information posted within social media sites will become public, regardless of the protections that are in place. If you do not want something public, do not post it. This is also a really good lesson to teach our children. ]
Hackers Infiltrate Indian Naval Computer Systems (July 2, 2012)
Hackers have reportedly infiltrated computer systems of India's navy. The intrusion was detected in Visakhapatnam, the headquarters of India's Eastern Naval Command. The facility is the location of current testing of the country's first nuclear missile submarine. The malware appears to have collected documents and other files and stored them in hidden folders. The purloined data appear to have been sent to Chinese IP addresses. The malware was found on USB drives that were being used to transfer data from standalone computers to other systems. Sensitive data are stored on the standalone computers, and the machines are not supposed to have ports or access points for external storage devices. The incident was detected earlier this year.
Prison Time for Online Banking Theft Scheme (July 2, 2012)
Three men have received prison sentences in the UK for their roles in an online banking account theft scheme. Masterminds Pavel Cyganok and Ilja Zakrevski received five- and four-year sentences respectively, while Aldis Krummins received a two-year sentence for helping to launder some of the stolen money. Authorities in the UK learned of the scheme from police in Estonia. The scheme involved using the SpyEye Trojan horse program. The scheme had victims in the UK, Denmark, the Netherlands, and New Zealand.
Researchers Demonstrate GPS Spoofing Drone Takeover (June 29, 2012)
Researchers from the University of Texas at Austin were able to take control of a drone aircraft using GPS spoofing. The demonstration was made using a mini-helicopter drone that the University owns, and was conducted in the presence of officials from the US Department of Homeland Security. The technique used by the Texas researchers is likely to be similar to that which was used to down a US drone in Iran last year.
In a separate story, a competition sponsored by the Defense Advanced Research Projects Agency (DARPA) to develop a drone capable of executing a specific set of maneuvers has concluded without a winner. The prize, which was not awarded, was US $100,000.
Senator Seeks to Strengthen SEC Breach Reporting Rules (June 29, 2012)
Despite a US Securities and Exchange Commission (SEC) rule, Wyndham hotels did not report cyber attacks in their corporate filings. Wyndham is facing legal action from the FTC over security failures that led to the compromise of hundreds of thousands of the hotel chain's customers' credit card details. Senator Jay Rockefeller (D-West Virginia) is adding a provision to cybersecurity legislation that would spell out when companies must disclose breach information in their SEC filings. Presently, disclosure is not mandatory; the guidance, issued last fall, aimed to have companies include "material risks" that investors would want to know about. Rockefeller's provision would clarify when the companies need to disclose information about security breaches and the steps they are taking to protect their networks from attacks.
Stratfor Agrees to Settlement in Data Breach Case (June 28 & 29, 2012)
Texas-based global intelligence firm Stratfor has agreed to settle a class action lawsuit filed after a breach that exposed customer email addresses and credit card numbers. A group of hackers broke into Stratfor's systems, stole the data, and posted it on the Internet. The attack also exposed internal company email messages, which were posted on WikiLeaks. Stratfor had not encrypted the stored credit card information. The settlement calls for goods and services provided to those affected by the breach; it will cost the company an estimated US $1.75 million. Stratfor will also pay US $400,000 in legal fees. Several people have been arrested in connection with the attack on Stratfor.
Russian Authorities Take Down Huge Banking Botnet (June 26, 2012)
The Russian Ministry of the Interior said that its special crimes division has taken down what might be the largest known botnet, which had at its disposal approximately six million compromised devices. The majority of the infected machines are in the Russian Federation. A 10-month investigation led to the arrest of a Russian man who is allegedly the botnet's creator. The man, who has not been named, also allegedly used botnets to steal more than 150 million Rubles (US $4.6 million) from online banking accounts.
[Editors' Note (Honan and Murray): Well done! ]
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHackChallenges, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/