SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #10
February 05, 2013
In last week's story about the New York Times breach, you read that the
best-selling anti-virus system failed entirely. Every organization that
has gone through a targeted attack learns that same lesson and - too
late - develops an in-house forensics and threat analysis capability.
(The commercial incident handling companies charge as much as $1,000 an
hour after you get breached). The principal hands-on course that
teaches how is SANS 508:
TOP OF THE NEWS
Department of Energy Nuclear Organization Breached
White House Cyber Security Order Expected Later This Month
U.S. President Has Authority to Order Pre-Emptive Cyberattack
U.S. Considering Response to China's Cyberattacks
THE REST OF THE WEEK'S NEWS
A Major Shift in the Cyber Security of Industrial Control Systems
DOD's Plan to Grow Cyber Command to 4,900 Raises Question Of Whether Enough People Are Available
FedRAMP Certifies Second Company's Cloud Services
Oracle Pushes Out Java Update Two Weeks Early
Apple Patches Java SE 6 for Snow Leopard
FTC Makes Mobile App Privacy Recommendations
12-Year Sentence for Payment Card Fraud Scheme
Washington Post Discloses Hackers Targeted its Networks
Lofgren Revises Bill to Amend CFAA
Path Will Pay US $800,000 to Settle FTC Charges of Violating COPPA
************************ SPONSORED BY Bit9 *******************************
Do you have unauthorized software running in your environment? If so, you are vulnerable to advanced threats and malware in ways antivirus, IPS and firewalls can't protect you. The Bit9 Trust-based Security Platform continuously monitors and records activity on servers and endpoints to detect and stop cyber threats that evade traditional security defenses. Learn more
- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Department of Energy Nuclear Organization Breached
FBI agents and Energy Department officials are investigating the attack on servers at the Washington headquarters of the National Nuclear Security Administration at the U.S. Department of Energy. They believe the sophisticated penetration attack was not limited to stealing personal information. There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information. At least 14 computer servers and 20 workstations at the headquarters were penetrated during the attack.
White House Cyber Security Order Expected Later This Month (January 31 & February 1, 2013)
The White House will likely release the cybersecurity executive order later this month, some time after the president's State of the Union address on February 12. Senator Tom Carper (D-Delaware), who heads the Senate Homeland Security and Governmental Affairs Committee, said that he plans to hold a joint hearing with the Commerce and Intelligence Committees to discuss the order, which will establish a set of voluntary cybersecurity standards. The order grew out of what the current administration sees as a pressing need to take steps to protect the computer systems that support the country's critical infrastructure in the wake of failed cybersecurity legislation.
[Editor's Note (Assante): Critical infrastructure protection is a strong argument for raising the bar through voluntary standards. That being the case, we must avoid the temptation to simply adopt a general IT framework. One of the lessons from the electric sector's adoption of cybersecurity standards for the bulk power system is to tread carefully when applying a set of controls universally across different applications and systems. A framework that works well for corporate IT systems will most certainly fail to take critical factors into account for the protection of operational technology, such as Industrial Control Systems. This is one of the areas that we will tackle with the initiative being unveiled in a workshop on February 13. ]
U.S. President Has Authority to Order Pre-Emptive Cyberattack (February 3 & 4, 2013)
A "secret legal review" of the use of the country's cyberweapons found that the president has the authority to launch pre-emptive cyberattacks against another country if there is a credible threat of a significant digital attack from a foreign country. In the next few weeks, the Obama administration is likely to approve rules for defending against or retaliating in reaction to cyberattacks.
(Please note that the New York Times requires a paid subscription after 10 free articles each month.)
US Considering Response to China's Cyberattacks (February 1, 2013)
The US is considering what measures should be taken in response to cyberattacks against various US companies that appear to come from China. The US is compiling a National Intelligence Estimate that should help put available information about the cyberattacks in a form that will make it clearer what needs to be done. The report will help lay groundwork to justify the use of trade embargoes and diplomatic measures to move China to stop the cyberattacks.
[Editor's Note (Pescatore): Many newspapers' Internet-connected systems have long been pretty low-hanging fruit for attackers of all levels. A highly mobile user population, continual layoffs and cost cutting while simultaneously expanding online connectivity quite often add up to many, many open vulnerabilities.
(Honan): Time after time it has been shown that proving attribution to online attacks is extremely difficult. Instead of focusing on the attacks and laying the blame for poor security at the feet of others perhaps the efforts would be better spent in identifying what our security weaknesses are and thereby providing us with more control on how to defend our systems. ]
************************ Sponsored Links: *******************************
1) Popular Speedtest.net site poisoned to attack unsuspecting users -- read how exploit works and how to protect users with Invincea! http://www.sans.org/info/123120
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/123125
3) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/123130
THE REST OF THE WEEK'S NEWS
A Major Shift in Cyber Security of Industrial Control Systems (February 5, 2013)
Power and energy systems have long been recognized as "critical infrastructure" and everyone has felt the impact personally and to the economy overall when a power outage or a disruption in the flow of oil or gas hits. Cyber attacks have been increasingly targeting those same systems and unless the owners and operators enhance the levels of cybersecurity expertise of their staffs and the protection levels of the critical systems, cyber could be added to the causes for disruptions.
Five of the most trusted technical leaders in control system and IT cybersecurity are joining forces with eleven large companies in the power, oil & gas industries to drive immediate improvement in the ability of the operators of critical infrastructure systems to protect themselves against advanced cyber attacks. The initial focus will be to increase the security skill levels of the operations and security staffs, since they represent both the first line of cyber defense and last line to avoid/manage consequences. The group will quickly establish a consensus set of knowledge and skill needs for the operations and cyber-security positions at critical infrastructure systems, leading towards a comprehensive international security skills program. A longer term effort will be to define the highest priority security practices and controls for greatly reducing power and energy's risk of successful attack.
The leaders are Michael Assante who was CSO of American Electric Power and CSO of NERC; Tim Conway, CISO of NISOURCE and chair of the NERC advisory board on cyber standards; John Pescatore who was Gartner's lead security analyst for the last 13 years; Ed Skoudis who is widely acknowledged as the nation's top expert on malicious software and penetration methods and who developed the training and simulators now used to ensure the skills of cyber warriors and defenders in the U.S. military; and Tony Sager who, in his 34-year career, developed and managed the 750 top cyber vulnerability and defense experts at the National Security Agency.
The initiative will be unveiled in a workshop on February 13 where the man who led the DHS team that handled break-ins at US critical infrastructure will share the data his team discovered and the lessons learned. The workshop may be the most important meeting ever held on this topic because it marks the end of the era of "admiring the problem" and the beginning of an international consensus to fix the problem.
DOD's Plan to Grow Cyber Command to 4,900 Raises Question Of Whether Enough People Are Available (January 30 & 31, 2013)
The Pentagon's announcement that it plans to add 4,000 people to the US Cyber Command means that 4,000 qualified people need to be identified. The need for talented and capable cybersecurity professionals is far greater than that, as they are needed in other sectors of the economy - banks, telecommunications companies, hospitals, state and local government - as well. At present, there are not enough qualified people to fill those positions. The Air Force is also seeking to increase its cyber personnel by 1,000 over the next two years. Many of those will be taken from existing positions and provided additional training. There is also concern that no agency within the government is immune from misattribution of cyberattacks, which could have serious repercussions if retaliatory measures were to be taken against an innocent party.
[Editor's Comment (Northcutt): The attribution problem really needs to be addressed. The DoD has funded research into the area, but it is not close to foolproof. I was part of a SANS research team in 2005 that investigated this and this problem concerns me big time because a third party could cause two other parties to damage each other at little risk to themselves:
FedRAMP Certifies Second Company's Cloud Services (February 1 & 4, 2013)
The US General Services Administration (GSA) has awarded FedRAMP approval for cloud services to a second company. Late last year, Autonomic Resources became the first company to be awarded FedRAMP certification; last week, CGI Federal received FedRAMP certification, which allows it to offer services through GSA's blanket purchase agreement. Agencies that use the certified services do not have to send them through certification processes of their own.
[Editor's Note (Pescatore): Notice that no new regulation or executive order was required for the federal government to drive the availability of secure services. Using the biggest, most effective lever government has, its buying power, will have much more positive effects on security than more legislation and more reporting.
(Honan): Another good resource for anyone looking to engage with cloud providers is the "Procure Secure" whitepaper published by ENISA (The European Network and Information Security Agency). ]
Oracle Pushes Out Java Update Two Weeks Early (February 1, 3, & 4, 2013)
Oracle has released a critical update for Java outside of its regular patching schedule. The update addresses more than 50 vulnerabilities, including one that is being actively exploited. Users are urged to update Java on their computers as soon as possible. Java 7 Update 13 was scheduled for release on February 19, but Oracle pushed it out more than two weeks ahead of time. The majority of the flaws addressed in this latest update affect only Java in browsers. Java 6 Update 39 is also available.
Apple Patches Java SE 6 for Snow Leopard (February 4, 2013)
Apple has released Java 6 Update 12 for its Snow Leopard operating system. The update addresses several security issues and lifts a block that Apple had placed on Java last week. Users of the newer version of Apple's OS X had Java fixes available from Oracle last week, but users of earlier versions of OS X must depend on Apple for updates. Oracle assumed responsibility for Java on OS X for Java 7 Update 6 and later. Oracle ceases support for Java 6 entirely this month.
FTC Makes Mobile App Privacy Recommendations (February 1 & 4, 2013)
The US Federal Trade Commission (FTC) has issued a report that includes recommendations for addressing data privacy in mobile applications. The FTC wants developers to add greater transparency in their apps. Users should know what data apps collect and how those data are used. Personal information, like GPS data, contacts, and pictures, should not be accessible to apps unless users expressly agree to allow access. The FTC also wants a Do Not Track feature to be built into apps. The recommendations are not mandates, but serious violations could result in significant fines (see Path story in this issue). The report says that most consumers are concerned about data privacy, but are not clear about how mobile privacy works.
12-Year Sentence for Payment Card Fraud Scheme (February 1 & 3, 2013)
A US District Court judge in Washington State has sentenced David Benjamin Schrooten to 12 years in prison for his role in a payment card fraud scheme that resulted in an estimated US $63 million in damages. Schrooten, who is from the Netherlands, allegedly worked with two men from the US, Christopher A. Schroebel and Charles Tony Williamson, to steal more than 100,000 payment card numbers and sell the information to a carding website, where such data is traded. Schrooten was extradited to the US from Romania last year; in November 2012, he pleaded guilty to conspiracy to commit access device fraud and bank fraud, intentional damage to a protected computer, and aggravated identity theft. Schroebel received a seven-year prison sentence; he broke into the computer systems of a Seattle restaurant supply store and infected the computers with malware that harvested payment card information. Williamson has yet to stand trial.
Washington Post Discloses Hackers Targeted its Networks (February 1, 2013)
The Washington Post is the latest major US newspaper to announce that it was targeted by hackers. A former Washington Post IT employee said that newsroom computer networks became infected with malware that is believed to have been placed there by Chinese hackers. Last week, the New York Times ran a story detailing the attack on its computers, allegedly launched by Chinese cyberspies. The Wall Street Journal announced that it, too, had been targeted in a similar attack. The Post attack compromised at least three servers and numerous desktop computers. While the unnamed source said that the National Security Agency and the Defense Department took one of the affected servers to conduct forensic analysis, a Post spokesperson said that they "are confident that did not happen" because of the nature of data held on the machines. The attack on Post systems was first detected in 2011; hackers are believed to have first infiltrated the systems in 2008 or 2009.
Lofgren Revises Bill to Amend CFAA (February 1, 2013)
US Representative Zoe Lofgren (D-California) has published a revised version of a bill to amend the Computer Fraud and Abuse Act (CFAA). Lofgren is proposing changes to CFAA in the wake of Aaron Swartz's suicide. Many are questioning the Justice Department's aggressive pursuit of charges against Swartz for downloading academic papers through MIT's computer system with the intent of making them available to the public. Lofgren posted a draft of her bill on Reddit to solicit input. CFAA prohibits unauthorized access of computer networks. Lofgren's original bill proposed changes that would not allow prosecution under CFAA for merely violating terms of service. The new version specifies that unauthorized access means "circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering" data on protected computers and that changing MAC or IP addresses does not violate CFAA or the wire fraud statute. Senator Ron Wyden (D-Oregon) plans to introduce the measure in the Senate. Lofgren says the proposed changes are "a first step down the road to comprehensive reform" of CFAA and copyright laws.
Path Will Pay US $800,000 to Settle FTC Charges of Violating COPPA (February 1, 2013)
Path, a California company behind the social networking app with the same name, has agreed to pay US $800,000 to settle US Federal Trade Commission (FTC) charges that it violated the Children's Online Privacy Protection Act (COPPA) when it gathered data from users' mobile device address books without obtaining permission. In separate news, Path was recently alerted to a security issue in which the app read geographic location data embedded in pictures and pasted it into users' posts even when users had location services disabled. A Path product manager said that if users have location data turned off when they take pictures with the Path camera, there is no associated location data; the issue affects pictures that users take with the Apple Camera app and import into Path. Path has changed its code to address the problem and a new version has been submitted to the App Store for approval.
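The Path location issue is a case of metadata travelling inside the photo file rather than through the OS location API: a JPEG taken by the camera app carries its coordinates in an EXIF segment, so an app that imports the file and reads that segment reproduces the location regardless of the location-services setting. As an added example (not Path's code and not part of the original newsletter), the following Python shows where those GPS tags sit inside a JPEG and how a client can strip the EXIF segment before upload. The JPEG it operates on is constructed inline from a handful of segments (SOI, a JFIF APP0, an Exif APP1 holding only GPS tags, EOI) and is not a real photograph; the tag numbers and structure layout are those of the EXIF/TIFF specification.

```python
"""Reading and stripping EXIF GPS tags from a JPEG (added example).

The test JPEG below is constructed: SOI, APP0/JFIF, APP1/Exif with only the
four GPS tags needed for a coordinate, then EOI.  It contains no image data.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
GPSINFO_TAG = 0x8825             # IFD0 entry that points at the GPS sub-IFD
ASCII, LONG, RATIONAL = 2, 4, 5  # TIFF field types used here
EXIF_HEADER = b"Exif\x00\x00"


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test file; *_dms is (degrees, minutes, seconds*100)."""
    def rationals(dms):          # three RATIONALs: deg/1, min/1, sec100/100
        d, m, s100 = dms
        return struct.pack(">6I", d, 1, m, 1, s100, 100)

    def entry(tag, typ, count, value4):   # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + value4

    # Fixed big-endian TIFF layout: header 0-7, IFD0 8-25, GPS IFD 26-79,
    # latitude rationals 80-103, longitude rationals 104-127.
    ifd0 = (struct.pack(">H", 1)
            + entry(GPSINFO_TAG, LONG, 1, struct.pack(">I", 26))
            + b"\0\0\0\0")
    gps = (struct.pack(">H", 4)
           + entry(1, ASCII, 2, lat_ref.encode() + b"\0\0\0")   # GPSLatitudeRef
           + entry(2, RATIONAL, 3, struct.pack(">I", 80))        # GPSLatitude
           + entry(3, ASCII, 2, lon_ref.encode() + b"\0\0\0")   # GPSLongitudeRef
           + entry(4, RATIONAL, 3, struct.pack(">I", 104))       # GPSLongitude
           + b"\0\0\0\0")
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
            + rationals(lat_dms) + rationals(lon_dms))
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    exif = EXIF_HEADER + tiff
    return (bytes([0xFF, SOI])
            + bytes([0xFF, APP0]) + struct.pack(">H", len(app0) + 2) + app0
            + bytes([0xFF, APP1]) + struct.pack(">H", len(exif) + 2) + exif
            + bytes([0xFF, EOI]))


def _segments(jpeg):
    """Yield (marker, payload, start, end) for each segment before SOS/EOI."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while (pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF
           and jpeg[pos + 1] not in (SOS, EOI)):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield jpeg[pos + 1], jpeg[pos + 4:end], pos, end
        pos = end


def _gps_from_tiff(tiff):
    """Walk IFD0 to the GPS IFD and return (lat, lon) in decimal degrees."""
    endian = ">" if tiff[:2] == b"MM" else "<"
    u16 = lambda o: struct.unpack(endian + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(endian + "I", tiff[o:o + 4])[0]

    def entries(ifd):            # (tag, type, count, offset of 4-byte value field)
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_ifd = next((u32(vo) for tag, _, _, vo in entries(u32(4))
                    if tag == GPSINFO_TAG), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, vo in entries(gps_ifd):
        if typ == ASCII and count <= 4:          # short strings are stored inline
            fields[tag] = tiff[vo:vo + count].rstrip(b"\0").decode("ascii")
        elif typ == RATIONAL and count == 3:     # degrees, minutes, seconds
            off = u32(vo)
            n = struct.unpack(endian + "6I", tiff[off:off + 24])
            d, m, s = (n[i] / (n[i + 1] or 1) for i in (0, 2, 4))
            fields[tag] = d + m / 60 + s / 3600
    if not all(t in fields for t in (1, 2, 3, 4)):
        return None
    lat = fields[2] * (-1 if fields[1] == "S" else 1)
    lon = fields[4] * (-1 if fields[3] == "W" else 1)
    return lat, lon


def gps_coordinates(jpeg):
    """Return (lat, lon) if the file carries EXIF GPS tags, else None."""
    for marker, payload, _, _ in _segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return _gps_from_tiff(payload[len(EXIF_HEADER):])
    return None


def strip_exif(jpeg):
    """Drop every Exif APP1 segment; keep all other segments and image data."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in _segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]           # SOS, entropy-coded data and EOI, unchanged
    return bytes(out)


if __name__ == "__main__":
    photo = build_exif_jpeg((37, 46, 2964), "N", (122, 25, 1004), "W")
    print("before upload:", gps_coordinates(photo))
    print("after strip:  ", gps_coordinates(strip_exif(photo)))
```

The stripper removes the whole Exif APP1 segment rather than editing individual GPS tags, which is the safer choice for an upload path: it cannot miss a tag, and a client that needs orientation or timestamp fields can re-read them from the original file before discarding it. Real camera JPEGs also carry MakerNote and thumbnail data inside the same segment, so the same removal covers those too.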
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/