Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #80

October 05, 2012


New Section This Week: Security in Control Systems (like power
plants that are currently being targeted). Sean McBride of Critical
Intelligence and Mike Assante, the most knowledgeable person in the
world on security of control systems, chose these stories. If you
like the new section, let us know and we'll ask them to continue.
Alan

TOP OF THE NEWS

DDoS Attacks on Banks Used Variety of Techniques
Federal Trade Commission Cracks Down on Phony Tech Support Schemes
Court Fines Scareware Scheme Ringleader US $163 Million

THE REST OF THE WEEK'S NEWS

Microsoft Faces Criticism Over Do Not Track Decision
Eleven Indicted for Alleged Illegal Export of Technology to Russia
Microsoft's Monthly Update to Address 20 Vulnerabilities
Judge to Hold Hearing About Users' Access to Legitimate Data on MegaUpload Servers
Microsoft Reaches Settlement With Nitol Botnet Host
Google Warns Users of Possible Gmail Account Compromise Attempts
CA Governor Vetoes Law Requiring Warrants for GPS Data From Mobile Devices

CONTROL SYSTEMS SECURITY STORIES

Dial 1-800-cyberrescue
DHS Issued False 'Water Pump Hack' Report; Called It a 'Success'
NERC Enforcement Actions
Compliance Violation Statistics - July/August 2012

IDEAS FOR IMPROVING TLS CERTIFICATE STRUCTURE

Ideas


********************** Sponsored By CounterTack ***************************
White Paper: Active Forensics - Continuous Network Monitoring for In-Progress Attacks. Learn how the Event Horizon platform for active forensics can help organizations detect in-progress cyber attacks. Learn about the cyber intelligence Event Horizon can provide, understand the architecture and see the interaction model.
http://www.sans.org/info/114950
****************************************************************************
TRAINING UPDATE

- - --SANS Forensics Prague 2012 Prague, Czech Republic October 7-13, 2012 6 courses. Bonus evening presentations include Big Brother Forensics: Location-based Artifacts.
http://www.sans.org/forensics-prague-2012/

- - --SANS Singapore 2012 Singapore, Singapore October 8-20, 2012 5 courses, including the new Virtualization and Private Cloud Security course, and Advanced Forensics and Incident Response. Don't miss this opportunity to upgrade your IT skills, work toward your GIAC security certification, and network with other top information security professionals.
http://www.sans.org/singapore-sos-2012/

- - --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- - --SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- - --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- - --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

- - --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- - --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- - --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- - --Looking for training in your own community?
http://www.sans.org/community/

- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Dubai, Bangalore, Johannesburg, Seoul, Tokyo, and Barcelona all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

DDoS Attacks on Banks Used Variety of Techniques (October 3, 2012)

While the distributed denial-of-service (DDoS) attacks that recently targeted the websites of at least half a dozen US banks used somewhat sophisticated techniques, they do not pose the same type of threat as Stuxnet. In the past, DDoS attacks have used just one methods to overwhelm their targets with traffic, these attacks on the banks' websites used a variety of methods to send the traffic, which made them harder to defend against. Several security experts interviewed for the article said there is no hard evidence linking Iran to these attacks, as has been suggested in some reports.
-http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-s
tuxnet/

-http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-s
tuxnet/

[Editor's Comment (Pescatore): The serious denial of service attacks have been using mixtures of techniques for several years now. Many of the smaller ISPs and hosters have been unable to keep up with the advances but many of the larger ISPs and the specialized DDoS mitigation services have been very effective.
(Murray): Comparing open denial of service attacks to covert state sponsored malicious code attacks is a very indirect way of asking about the level of sophistication of the attacks, of asking whether the attackers were amateur or professional, rogues or states. I think that the more important element in this story was that the attacks relied upon compromised servers rather than compromised end-user systems.
(Northcutt): Back in 2005, there was a rash of DDOS attacks that were associated with extortion attempts. I wonder:
-http://features.techworld.com/security/1452/extortion-via-ddos-on-the-rise/]

Federal Trade Commission Cracks Down on Phony Tech Support Schemes (October 3 & 4, 2012)

The US Federal Trade Commission (FTC) has filed charges against 14 companies that are allegedly involved in fraudulent tech support schemes. The scams run operations in which computer users are cold-called from someone pretending to be from a tech support center that has detected that their computer is infected with viruses. In other instances, users are lured in through ads warning them that their computers are infected. They are then instructed to allow the caller remote access to their machines and are charged for the whole process. A US District Court judge has frozen the assets of the companies allegedly involved in the schemes. The FTC has filed complaints against 14 corporate defendants and 17 individual defendants allegedly involved in six schemes.
-http://www.eweek.com/security/ftc-takes-aim-at-tech-support-scareware-scams/
-http://www.informationweek.com/security/privacy/ftc-disconnects-tech-support-tel
emarketi/240008480

-http://www.computerworld.com/s/article/9231996/FTC_hits_scary_tech_support_scamm
ers_that_make_virtual_mayhem_?taxonomyId=82

-http://arstechnica.com/tech-policy/2012/10/hello-im-definitely-not-calling-from-
india-can-i-take-control-of-your-pc/

Court Fines Scareware Scheme Ringleader US $163 Million (October 2 & 3, 2012)

A federal court has imposed a US $163 million fine on Kristy Ross, the ringleader of a "massive scareware scheme." US District Judge Richard D. Bennett handed down the judgment as a result of a Federal Trade Commission (FTC) complaint. Ross is also permanently prohibited from being involved in the marketing or sale of security software or any other software that "interferes with consumer's computer use." Ross and four other defendants operated two businesses that used advertisements to get people to purchase what was billed as security software. The other four defendants have already settled with the FTC.
-http://www.informationweek.com/security/vulnerabilities/fake-antivirus-ringleade
r-must-pay-163-m/240008388

-http://www.bbc.co.uk/news/technology-19816710
-http://www.computerworld.com/s/article/9231968/Scareware_defendant_fined_163M_in
_FTC_suit?taxonomyId=203

[Editor's Note (Murray): The FTC leads the way. Fraudulent business practices are fraudulent business practices, wherever they exist. The FTC understands that we do not need special laws or agencies to deal with them simply because they exploit the Internet and target its users. ]


***************************** Sponsored Links: ************************** 1) Take the SANS Survey on Application Security Policies in Enterprises! Help shape the industry and be entered to win a $300 American Express Card. http://www.sans.org/info/114955
2) Monitoring is Nothing without the Ability to Respond: Using the Principles of Continuous Monitoring for Threat Modeling and Response. Thursday, October 11, 1 PM EST, featuring instructor and federal expert, G. Mark Hardy and Tiffany Jones, senior manager of products at Symantec. http://www.sans.org/info/114960
3) Defending the Smart Grid - Understand the Smart Grid and how to defend it. http://www.sans.org/info/115007
***************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft Faces Criticism Over Do Not Track Decision (October 4, 2012)

Several large US advertisers have sent a letter to Microsoft expressing their concerns about the company's decision to turn on "Do Not Track" (DNT) by default in Internet Explorer 10 (IE10) and asking the company to meet with them to discuss the issue. In the letter, the companies assert that "the choice being made by Microsoft is one that will ultimately threaten to reduce the vast array of free content and services available to customers," adding that it would "harm consumers, hurt competition, and undermine American innovation." IE10 is scheduled to debut when Windows 8 is shipped later this month. In recent weeks, opponents of DNT have become more vocal.
-http://www.computerworld.com/s/article/9232036/Ad_industry_calls_IE10_s_Do_Not_T
rack_setting_unacceptable_?taxonomyId=17

[Editor's Note (Pescatore): The letter is actually from the Association of National Advertisers, whose board of directors has members from many large US companies. The "harm and undermine" argument just doesn't hold water - if users decide they would rather change the default in order to receive the free content, they can easily do so. Opt in allows the free market to convince users to exchange privacy for value, a much better approach than opt out.
(Murray): I seem to recall that there were free services in the Internet before the commercial interests were even allowed in. Wikipedia would still be here if they withdrew. ]

Eleven Indicted for Alleged Illegal Export of Technology to Russia (October 4, 2012)

An FBI operation has resulted in the indictment of 11 people in connection with a secret network that exported high-tech equipment from the US to Russia in violation of US law. The contraband equipment includes analog-to-digital converters, microcontrollers, microprocessors, and static random access memory chips. The devices could be used in missile guidance systems and detonation triggers. Eight of the people have been arrested.
-http://www.zdnet.com/secret-russian-ring-nabbed-for-shipping-50m-of-illegal-tech
-exports-7000005226/

-http://www.fbi.gov/houston/press-releases/2012/russian-agent-and-10-other-member
s-of-procurement-network-for-russian-military-and-intelligence-operating-in-the-
u.s.-and-russia-indicted-in-new-york

Microsoft's Monthly Update to Address 20 Vulnerabilities (October 4, 2012)

On Tuesday, October 8, Microsoft will release seven security bulletins to address a total of 20 vulnerabilities. Just one of the bulletins is rated critical; the other six are rated important. The flaws affect Microsoft Windows, Office, SQL Server, Microsoft Server Software, and Microsoft Lync. The flaws could be exploited to allow remote code execution, privilege elevation, and denial-of-service conditions.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-oct
-http://www.scmagazine.com/microsoft-prepares-seven-patches-for-20-security-issue
s/article/262286/

-http://www.computerworld.com/s/article/9232068/Microsoft_to_patch_20_bugs_next_w
eek_in_month_of_Office_updates?taxonomyId=17

Judge to Hold Hearing About Users' Access to Legitimate Data on MegaUpload Servers (October 4, 2012)

The US District judge who deferred a decision about users' access to legitimate content stored on MegaUpload servers has decided to hold a hearing to discuss how Kyle Goodwin might get his files back. Goodwin tapes Ohio high school sports and stored the content on MegaUpload servers. The hearing will focus on where Goodwin's content is located, the circumstances surrounding the government's decision not to let him access the content, whether he can regain access to it, and if so, how that will happen. Goodwin's attorneys are also pursuing the return of legitimate content of others who stored their files with MegaUpload. The US government seized MegaUpload servers earlier this year and users have been unable to access their files stored on those servers ever since.
-http://arstechnica.com/tech-policy/2012/10/megaupload-users-pleas-to-get-their-f
iles-back-will-be-heard-in-court/

Microsoft Reaches Settlement With Nitol Botnet Host (October 2, 3, & 4, 2012)

Microsoft has dismissed its lawsuit against the Chinese operator of a domain that hosted subdomains associated with the Nitol botnet. Peng Yong, the operator of 3322<dot>org, has agreed to block access to the domains, to collect data on infected systems, and to not allow its subdomains to be used for malicious activity. Microsoft took over the 3322 domain in September, but has now given the reins back to Yong, who has agreed to cooperate with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT).
-http://www.darkreading.com/vulnerability-management/167901026/security/client-se
curity/240008324/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-
cert.html

-http://www.eweek.com/security/microsoft-ends-lawsuit-as-chinese-botnet-host-sett
les/

-http://www.scmagazine.com/microsoft-and-malicious-domain-operator-settle/article
/261926/

-http://www.theregister.co.uk/2012/10/04/nitol_botnet_settlement/

Google Warns Users of Possible Gmail Account Compromise Attempts (October 3, 2012)

Google is warning Gmail users that "state-sponsored attackers may be attempting to compromise
[their ]
account or computer." Google sent out a similar warning in June. The warning says that the attacks may come in the form of malicious attachments, and links to malicious downloads or to maliciously constructed websites and that they try to steal account passwords and other personal information. Google says that its "internal systems are not compromised and that
[the ]
message does not refer to one specific campaign."
-http://www.nbcnews.com/technology/technolog/google-users-your-account-may-be-und
er-attack-6259428

-http://www.v3.co.uk/v3-uk/news/2214294/google-warning-targets-of-statesponsored-
cyber-attacks

-http://news.cnet.com/8301-1009_3-57525334-83/middle-east-cyberattacks-on-google-
users-increasing/

CA Governor Vetoes Law Requiring Warrants for GPS Data From Mobile Devices (October 2, 2012)

California Governor Jerry Brown has vetoed legislation that would have required state authorities to obtain probable cause warrants to gain access to location data from mobile electronic devices like cell phones, tablets, and laptops. Both branches of the California legislature passed the bill earlier this year. The veto was not unexpected, as last year, Governor Brown vetoed a bill that would have required police officers to obtain warrants before searching the cell phones of people they arrested.
-http://www.wired.com/threatlevel/2012/10/mobile-privacy-law-vetoed/

CONTROL SYSTEMS SECURITY STORIES

Dial 1-800-cyberrescue

McBride: This post provides a counter-balance to the "government to the rescue" mentality that seems to be pervasive.
-http://www.langner.com/en/2012/09/15/dial-1-800-cyberrescue/

DHS Issued False 'Water Pump Hack' Report; Called It a 'Success' (October 2, 2012)

McBride: This gets at some underlying weakness of DHS analytical programs and products -- at least in the cyber realm. Analytical competence in cyber security is a challenging art. The technological details escape many trained analytical types. Moreover DHS may seem pushed to find evidence of "badness" that justifies its programs/budgets. It is inherently a challenging situation because some DHS programs are at the mercy of infrastructure owners/operators to give them intelligence in the first place. In some cases the owners and operators providing that intelligence lack analytical competence themselves.
-http://www.wired.com/threatlevel/2012/10/dhs-false-water-pump-hack/

NERC Enforcement Actions

McBride: This month's enforcement actions include a couple of the heftier fines we have seen to date for CIP violations. It is always enlightening to read through the issues that entities get dinged for - -- see the compliance enforcement mechanism spreadsheet. NERC now has a pretty good body of this type of information, that is relatively public knowledge.
-http://www.nerc.com/filez/enforcement/index.html

Compliance Violation Statistics - July/August 2012

McBride: CIP-007 is the clear "winner" at this point. Despite the long effort that has gone into security management in the IT space (e.g. ISO 27002), it appears that verifiable implementation in the electric sector has a ways to go.
-http://www.nerc.com/files/BOTCC-%20Key%20Compliance%20Trends-%20Sept%202012-%20R
EVISED%20SLIDES-%20for%20public%20posting%20%5BRead-Only%5D.pdf


IDEAS FOR IMPROVING TLS CERTIFICATE STRUCTURE

Ideas:

We asked if anyone had a better idea to improve the TLS certificate structure. Here are some of the thoughts that were sent in. Thank you for your suggestions: Certificate Transparency, publish all the signed certs to a registry:
-http://www.certificate-transparency.org
= = =
On its own, DNS-Based Authentication of Named Entities (DANE) (RFC 6698) addresses the vast majority of vulnerabilities associated with our current use of third-parties to vouch for identity.
-https://tools.ietf.org/html/rfc6698
With DANE, you could trust the certificate just as much as you can the DNS A/AAAA record you get now, since the same entity would be providing both. It requires implementation of DNSSEC, admittedly, but without that the A/AAAA record can't be trusted anyway. The client support is the main hurdle to deployment at this point; RFC 6698 is already supported in BIND. In cases where you don't trust your top-level domain, DANE can't help you; this is the only threat that Sovereign Keys would address (see A.2):
-https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=H
EAD



************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account/