SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #13
February 16, 2013
This morning, an important report called "Raising the Bar for Cybersecurity" (https://csis.org/publication/raising-bar-cybersecurity) was released at a briefing by the White House, DHS, NIST and CSIS on next steps in implementing the Executive Order. The paper's executive summary alone changes the dialogue about cybersecurity in the U.S. It shows that we now know how to stop well over 85% of the attacks conducted by the Chinese and other spies and cyber criminals and can do it with tools that most medium and large organizations already have; and the CSIS report by James Lewis includes the hard evidence to prove the defenses actual work. Within two weeks you will know whether the Executive Order is (A) the document that enables the United States to stop the damage now, while we wait for broader frameworks to be established over the next year, or (B) just another piece of paper that won't make a major difference in the vulnerability of the U.S. If they ask NIST to work for a year to determine what needs to be done while the known solutions gather dust, then the answer is B. I'll keep you informed of progress every Tuesday and Friday in NewsBites.
PS John Pescatore (Gartner's Top Cyber Defense analyst for the past 14 years) put it best: "Stop the bleeding; then work on lifestyle issues and fill out the paperwork.")
TOP OF THE NEWSPresident Issues Cybersecurity Executive Order
President Also Issues Presidential Directive 21 Requiring Critical Infrastructure Security Improvements
THE REST OF THE WEEK'S NEWSNapolitano Says Sequestration Will Cut Funding for Critical Infrastructure Cybersecurity
Adobe Suggests Workaround for Reader Flaw that is Being Actively Exploited
Adobe Updates Flash and Shockwave Players
Eleven Arrested in Connection With Ransomware Scheme
Two Charged in Connection with ATM Skimming Case
Push to Amend Computer Fraud and Abuse Act
Los Angeles Times Removes Malware From Subdomain
Zombie Emergency Alert System Hacks Point to Serious Security Issues
Legislators Re-Introduce Cyber Intelligence Sharing and Protection Act (CISPA)
Companies Taking Defensive Measures Against Cyber Intruders
Microsoft Fixes 57 Security Issues
********************** SPONSORED BY NetWars ****************************
Now you can use the same simulator that the U.S. military uses to measure and advance the skills of their top cyber talent. The costs are real, but if you qualify (work for a defense contractor or major company in the U.S. or an allied nation) you can have a free trial. See the video at http://www.sans.org/cyber-ranges/netwars
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead. http://www.sans.org/event/security-west-2013
- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications. http://www.sans.org/event/singapore-2013
- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth. https://www.sans.org/event/secure-canberra-2013
- --Looking for training in your own community? http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials
Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
President Issues Cybersecurity Executive Order (February 12 & 13, 2013)On Tuesday, February 12, President Obama signed an executive order aimed at protecting the computer networks that support elements of the country's critical infrastructure, like banks, power companies, and water treatment facilities, by facilitating threat information sharing and encouraging the adoption of voluntary cybersecurity standards. The order establishes safeguards to protect the privacy of private citizens.
Text of the Executive Order:
[Editor's Note (Ullrich): The fact that this executive order was issued may actually illustrate the real problem that there is no broad consensus as to what the actual problem is, or how to fix it. I like the focus on information sharing, but in particular in the critical infrastructure space, there are already a number of notable collaborative efforts that should not be overlooked. ]
President Also Issues Presidential Directive 21 Requiring Critical Infrastructure Security Improvements (February 15, 2012)In addition the Executive Order that got all the press, the President also issued Presidential Directive 21. PD21 ensures that, within a year, military contracts to require continuous monitoring of protections for industrial control systems, or ICS -- the networks operating power and water and telecommunications systems on which the military depends, according to Daryl Haegley, Defense program manager leading ICS security efforts. This contrasts sharply with the current process of testing systems every three years.
[Editor's Note (Paller): DoD is deadly serious about ensuring the nation has reliable sources of power and telecommunications. If the standards they decide on are the 20 critical controls and especially the key ones that block the vast majority of attacks, this will be a great model to lead the national renaissance in cybersecurity. ]
*************************** Sponsored Links: *****************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/124382
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/124387
THE REST OF THE WEEK'S NEWS
Napolitano Says Sequestration Will Cut Funding for Critical Infrastructure Cybersecurity (February 14, 2013)Janet Napolitano, Secretary of the US Department of Homeland Security (DHS), says that sequestration, if it happens, could "leave critical infrastructure vulnerable to attacks
significantly scale back cybersecurity infrastructure protections that have been developed in recent years." In his executive order, President Obama gave DHS the task of urging dam operators and those who operate other elements of the country's critical infrastructure to adopt voluntary security standards for their computer networks.
[Editor's Note (McBride):Cyber is only one of many DHS functions to be impacted. The headline makes it seem that the Secretary had discovered some way to correlate the amount of investments it makes in cyber security to the number of compromises it prevents. This would be exceptional -- as researchers, academics and practitioners have been trying to accurately quantify the relationship of funding to cyber effectiveness for many years.
(Murray): DHS does not really operate dams. Cyber really was after Customs and immigration, the Coast Guard, TSA, port protection, border patrol, even FEMA, and other time-sensitive missions. Good policy is now politically impossible while the sequester is politically defensible. ]
Adobe Suggests Workaround for Reader Flaw that is Being Actively Exploited (February 13 & 14, 2013)Hackers are actively exploiting unpatched vulnerabilities in Adobe Reader. The flaws in Reader and Acrobat, could be used to cause the programs to crash, possibly allowing the attackers to take control of the compromised system. The attack starts by getting users to click on a maliciously crafted PDF accompanying a message. Adobe has issued an advisory warning of the vulnerabilities and suggesting a workaround for users to protect their machines until a patch is available. The flaw affects Reader versions 9, 10, and 11. At least some of the bait files are labeled Visaform Turkey.pdf, a document required for all visitors to Turkey.
[Editor's Note (Ullrich): Sad how my first reaction was: "Is this news?" We only had a handful of days in recent memory without actively exploited vulnerabilities in Adobe software (or Oracle for that matter).
Adobe Updates Flash and Shockwave Players (February 12, 2013)Adobe has issued updates for its Flash and Shockwave Players to address 19 security flaws. There are now new versions of Flash Player 11 available for Windows, Mac, Linux, and Android. Updated versions of Flash Player will be pushed out in automatic updates for Chrome and Internet IE10. The Flash update fixes 17 vulnerabilities, 16 of which are deemed critical. There are also updated versions of Flash Player 10 available for Windows, Mac, and Linux users who are still running the older version of the software. The updated version of Shockwave, 184.108.40.206, is available for Mac and Windows systems and addresses two critical flaws.
[Editor's Note (Ullrich): These patches are an incomplete bandaid for the larger problem with this software. ]
Eleven Arrested in Connection With Ransomware Scheme (February 13 & 14, 2013)Police in Spain, working with Europol, arrested 11 people from three countries in connection with a ransomware scheme. People whose machines were infected in the scheme were greeted with messages telling them they had viewed illegal content and that they must pay a fine of 100 euros (US $133) to regain access to their files. The message appeared to come from a law enforcement agency. The attackers also allegedly stole information from the infected computers. The scheme had been earning the gang one million euros (US $1.33 million) a year.
[Editor's Note (Honan): Well done to all involved in these arrests. The anti-virus company Trend Micro worked closely with Spanish police on this case and is yet again another good example of public/private partnership in tackling online criminals. More details at the Trend Micro blog
Two Charged in Connection with ATM Skimming Case (February 12, 2013)Two men have been indicted in connection with an ATM skimming scheme that resulted in more than UIS $3 million in losses. Antonio Gabor and Simion Tudor Pintillie allegedly rigged ATMs in New York, New Jersey, Illinois, and Wisconsin with skimmers and pinhole video cameras. They have each been charged with conspiracy to commit bank fraud, conspiracy to commit access device fraud, and aggravated identity theft. The scheme affected more than 6,000 bank accounts at J.P. Morgan Chase and Capital One. Authorities believe there are at least nine other co-conspirators.
Push to Amend Computer Fraud and Abuse Act (February 13, 2013)The push to amend the 1986 Computer Fraud and Abuse Act (CFAA) has taken on new urgency since the suicide of Aaron Swartz. As presently written, CFAA allows people to be prosecuted for merely violating terms of service agreements or using minor technical workarounds, and the majority of penalties imposed by the law are felonies. The US Justice Department aggressively pursued its case against Swartz; he was facing up to 35 years in prison and a large fine. Legislators from both parties have said that it is time for CFAA to be revisited. Drafts of revisions to CFAA propose changes to certain definitions to bring charges back into proportion with offenses. The issue has also been taken up by the grass roots organization Demand Progress, of which Swartz was a co-founder with David Segal.
Los Angeles Times Removes Malware From Subdomain (February 13, 2013)The Los Angeles Times has removed from its website malware that appears to have been lurking on one of its subdomains for at least six weeks. The malware was redirecting users' computers to a different website that contained an exploit kit. Users were unaware that their machines were being redirected. The affected subdomain is managed by a third party. The LA Times has acknowledged the issue and has taken steps to improve the security of that subdomain.
Zombie Emergency Alert System Hacks Point to Serious Security Issues (February 12, 13, & 14 2013)Hackers in several states gained access to local broadcasters' Emergency Alert Systems (EAS) and issued bogus warnings of a zombie apocalypse. The hoaxes were carried out in California, New Mexico, Montana, and Michigan. The devices receive the emergency messages and automatically interrupt programming. While these incidents were clearly pranks, attackers could abuse the system to create panic if they issued phony warnings about something more believable. Hackers could also use access to the system to prevent the government from issuing warnings when they are necessary. The US Federal Communications Commission (FCC) has issued an advisory requiring broadcasters to change the passwords on their EAS equipment and to make sure the devices are secured behind firewalls. Broadcasters were also instructed to examine the devices to make sure that the attackers had not set up additional phony alerts for future dates. The advisory says that if broadcasters are unable to change all passwords on the equipment, they should disconnect them from the Internet until they are able to make the changes.
Legislators Re-Introduce Cyber Intelligence Sharing and Protection Act (CISPA) (February 13 & 14, 2013)The House Intelligence Committee planned to examine the Cyber Intelligence Sharing and Protection Act (CISPA) at a cybersecurity hearing on Thursday, February 14. The bill was reintroduced to the House by committee leaders Representative Mike Rogers (R-Michigan) and Dutch Ruppersburger (D-Maryland). Business and industry groups have expressed their support for the legislation, while privacy advocates are concerned that it will put companies in the position of sharing their customers' private information with the government. CISPA passed the House in the last legislative session, but the bill died in the Senate.
[Editor's note (Murray): Fortunately, this is simply legislative posturing. It is easy to vote for it in the House because the Senate is not likely to pass it and the President has promised to veto it. Nonetheless, it is a dangerous game. There is already too little transparency and accountability for information sharing between government and business. ]
Companies Taking Defensive Measures Against Cyber Intruders (February 11 & 12, 2013)In the spring of 2011, Lockheed Martin detected an intruder in its computer network. The intruder was using legitimate credentials, but was performing tasks not associated with that user. To thwart the intruder's effort to steal information, Lockheed launched its Cyber Kill Chain framework. The process tracks an intruder's movement within the network and takes measures to prevent intruders from succeeding at their tasks. The ultimate goal is to prevent the intruders from taking any data out of the network. The process illustrates a shift in thinking from perimeter security to preventing intruders from stealing data. Similarly, New York Times hired Mandiant to help identify and thwart the intruders in its network. The New York Times incident is also notable because it unusual for a company to be so forthright about being breached and detailing what the attackers were trying to do.
Microsoft Fixes 57 Security Issues (February 12, 2013)On Tuesday, February 12, Microsoft issued a dozen security bulletins to fix a total of 57 vulnerabilities. The patches address security issues in Windows, Internet Explorer (IE), and Microsoft Exchange Server. One of the bulletins, MS13-009, is a cumulative update for IE and addresses 13 remote code execution flaws in the browser.
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/