SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #14
February 19, 2013
In the last 24 hours, most major news outlets highlighted Chinese
military and military-related hacking of American companies.
BusinessWeek's cover this week, in big letters: "Yes the Chinese Army
is Spying on You." Mandiant provided strong documentation. It's a big
But is it the right story? If you know that the People's Liberation Army
is spying on you, do you change your defenses? How? Do you look for
Chinese language intrusion prevention tools. The continuous China
bashing simply reflects the inability of watchers to see evidence of the
stealthier attacks coming from many nations that may take a different
approach to penetrating our telecommunications and banking and power
systems and stealing our national wealth. The number of bad actors,
spread among nations, terrorists, anarchists and criminals, is so great
that their identity is not as important as what we do to defend our
systems - because they usually exploit the same weaknesses. The most
important answer to what we should do was released last week in a White
(https://csis.org/publication/raising-bar-cybersecurity). The defenses
specified in that paper, written by CSIS' Jim Lewis, actually block the
vast majority of the Chinese - and other - attacks. What we as a
community must do is identify the barriers that stop broad based
adoption of these defenses and lower them. Tony Sager and John Pescatore
have taken on that challenge. You can help by reading the paper and
sending them (at CCA@sans.org) the one or two most important challenges
you see slowing adoption.
TOP OF THE NEWSMilitary Leaders Say DOD Cyber Force Underqualified - DoD 8570 Is the Cause
Report Says China Behind Cyber Attacks Against More Than 100 U.S. Companies; Failed Coke Deal Blamed on Chinese Hacking, Too.
US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems
THE REST OF THE WEEK'S NEWSCERT Australia's Critical Infrastructure Breach Report
European Privacy Regulators Consider Action Against Google
Irish Companies More Aware of Need for Data Protection
DNSSEC Adoption Growing in Government, But Unpopular with eCommerce and Finance
Critical Flaws in BlackBerry Enterprise Server
Adobe to Patch Flaws in Reader This Week
Facebook Acknowledges That Company Laptops Were Compromised
Dept. of Energy IG Report Finds Security Concerns at Los Alamos
********************** SPONSORED BY Symantec ****************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More.
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/specials
Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Military Leaders Say DOD Cyber Force Underqualified - DoD 8570 Is the Cause (February 16, 2013)Twenty-four experts, including uniformed members of all three major branches of the military provided strong evidence that the people who have the task of protecting US Department of Defense (DOD) computer networks lack adequate technical training for their responsibilities. Many who have gained certifications can talk about security but are unable to perform even basic security tasks. DoD CIO Teri Takai says her team is revising qualification and certification policies to make sure that new hires are qualified and capable.
Report Says China Behind Cyber Attacks Against More Than 100 U.S. Companies; Failed Coke Deal Blamed on Chinese Hacking, Too. (February 19, 2013)A new report on Chinese hackers details a huge cyber espionage campaign against of American companies from security providers to power plant suppliers. The failure of a big deal by Coca- Cola was also blamed on Chinese army hackers. In 2008, Coca-Cola bid about $2.4 billion for the China Huiyuan Juice Group, a beverage company based in Beijing, in what would have been one of the biggest foreign acquisitions ever in that country. While the bid was being developed, Chinese hackers were inside Coke's systems reading the details.
US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems (February 15, 2013)Later this year, the Pentagon will issue cybersecurity certification requirements for organizations that operate components of the country's critical infrastructure and those that support the US military. The requirements have been under development for some time, predating the president's executive order that asks the government to consider requiring cybersecurity standards in federal contracts. The owners of critical infrastructure organizations have been asking for cybersecurity guidance, but are reluctant to having requirements imposed. Within the next year, military contracts will include a requirement that industrial control systems (ICS) be continually monitored. Currently, those systems are tested for security every three years.
[Editor's Note (Pescatore): Continuous monitoring is good only if meaningful things are monitored. Also, multiple monitoring and certification requirements can lead to a compliance focus vs. a security focus, ending up with IT systems that look like what today's ladders look like: the same old ladder plastered with lots of warning and safety standard stickers. The Critical Security Controls are a strong starting point for defining a standard baseline set of meaningful controls for continuous monitoring.
(Henry): I know people get all spun up about "regulation" whenever anyone talks about government guidelines, but really? I have to get my car inspected each year so I'm not a hazard to other motorists, and I am comforted that someone is verifying the cleanliness and safety of the food and water I eat and drink. Oh, and I'm always glad to see the little white card in the elevator that assures me someone's recently checked so I don't plummet down the shaft to my death. So when the government starts talking about requirements for monitoring the Industrial Control Systems that run our critical infrastructure? Yeah, I'm ok with that.
(McBride): This is big (and encouraging) news - a significant customer demanding at least some security of ICS networks. Unfortunately, successful implementation will take well over a year. We've got to build a bridge between IT and OT that simply isn't there today. Monitoring is a good start, but without personnel who know from both cyber and operational perspectives what to do, and policies that make sure the right actions occur on ICS/SCADA networks, that monitoring will not be effective. ]
*************************** Sponsored Links: *****************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/124497
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/124502
THE REST OF THE WEEK'S NEWS
CERT Australia's Critical Infrastructure Breach Report (February 18, 2013)According to a report from the Computer Emergency Response Team (CERT) Australia, 51 operators of critical infrastructure systems in that country reported breaches in 2012. Of those, nine reported that the intruders stole proprietary information. The report was written by the Centre for Internet Safety, and compiled information from 255 organizations responding to requests. The causes of the breaches include device theft, automated hacking tools, software flaws, and misconfigured systems, applications, and network devices. In four instances, a person was charged as a result of the incident. More than half of the reported attacks are believed to be targeted, and 44 percent were launched from within the organizations themselves.
Irish Companies More Aware of Need for Data Protection (February 18, 2013)A survey of more than 250 Irish IT professionals found that 80 percent say their organizations have designated employees responsible for data protection. The top two reasons given for increased compliance with the Data Protection Act were avoiding penalties and protecting their organization's reputation. However, 43 percent of organizations responding to the survey said they had experienced a data breach within the past year and that most were the result of employee activity. Fintan Swanton, president of the Association of Data Protection officers noted that while companies "might appreciate the importance of data security, ... they must also instill a culture of compliant data management throughout the company, not just amongst the designated data protection personnel."
DNSSEC Adoption Growing in Government, But Unpopular with eCommerce and Finance (February 18, 2013)Although DNSSEC (DNS Security Extensions) technology helps prevent spoofing of websites, none of the top e-commerce companies or banking and financial services companies have deployed it fully. In contrast, two-thirds of US government agencies are using DNSSEC, although some of the agencies are signing their domains incorrectly.
[Editor's Note (Pescatore): I imagine that in the US in 1963 there were similar stories about the unpopularity of a change required to make delivery of physical messages more reliable. It was called the Zone Improvement Plan - and these days we routinely put ZIP codes on snail mail addresses without grumbling. Need to get over that hump with DNSSEC - and then use the freed-up energy to push BGP and SSL Certificate Authority security improvements up the next hill.
(Ullrich): Having implemented DNSSEC for a few domains, I found out first hand that it is very easy to "mess up" and render a domain non resolvable. Even some notable .gov sites (like for example fbi.gov) fell victim to badly configured DNSSEC in the past. On the other hand, attacks that involve DNS spoofing are rare and not considered a sufficient risk compared to the risk of downtime due to badly configured DNSSEC signatures. This may however change as more commercial DNS providers will offer DNSSEC as a service and as popular DNS servers like BIND make configuring DNSSEC easier.
Critical Flaws in BlackBerry Enterprise Server (February 18, 2013)BlackBerry has acknowledged critical flaws in components of its BlackBerry Enterprise Server (BES). The flaws could be exploited to allow arbitrary code execution. The issue lies in the way BlackBerry MDS Connection Service and BlackBerry Messaging Agent process TIFF images. To exploit the vulnerability through MDS Connection Service, users must be tricked into clicking on a link in a maliciously crafted web page. In Messaging Agent, the flaw can be exploited by embedding an image in an email; there is no need for the user to click on a link. BlackBerry has released security updates to address the issues; administrators can upgrade to version5.0.4 MR2, which addresses these vulnerabilities. There are also workarounds available.
[Editor's Note (Ullrich): It is important to note that the libtiff flaw that is being patched here has been known for a while, and Blackberry is just catching up. ]
Adobe to Patch Flaws in Reader This Week (February 17 & 18, 2013)Adobe plans to release an emergency patch this week to address a pair of memory corruption flaws in Reader and Acrobat. Adobe said the patch would be available the week of February 18, but did not provide a specific date. The vulnerabilities are being actively exploited in attacks that manage to circumvent Adobe's Protected Mode sandbox. The attacks are being made through specially crafted PDF documents attached to emails.
Facebook Acknowledges That Company Laptops Were Compromised (February 15 & 16, 2013)Facebook has acknowledged that several of its employees' computers were infected with malware that exploited a known Java vulnerability, but says that no customer data were compromised. The incidents occurred in January, and involved the employees visiting a mobile-developer website that had been compromised and infected their laptops with malware. In a blog post, Facebook Security writes that "Facebook was not alone in this attack," but did not specify which other organizations had been affected." When Facebook became aware of the situation, the company "remediated all infected machines, informed law enforcement, and began a significant investigation." The company realized that there had been a breach when the security team found a suspicious domain in DNS logs and traced it back to a Facebook laptop. Oracle has since released a patch for the flaw that the attackers exploited.
Dept. of Energy IG Report Finds Security Concerns at Los Alamos (February 15, 2013)An audit report from the US Department of Energy's (DOE's) Office of Inspector General (IG) finds that while Los Alamos National Laboratory
(LANL) has taken steps to improve its cybersecurity posture, there remain a number of concerns regarding risk management, system security testing, and vulnerability management practices at the facility.
[Editor's Note (Henry): If this report is accurate (and I say "if", because I've had experience with various IGs over the years and things are not always accurate or put in proper context), then this should ring alarm bells. The report states "we identified 5 critical and 15 high-risk weaknesses on the 4 national security systems scanned, some of which dated back to 2008." These systems, according to the article, process classified information, which one may surmise relates to the safety and reliability of the Nation's nuclear stockpile. And they've promised to get their systems remediated by no later than March 30, 2014?! They did read the words "critical" and "high-risk", right?
(Murray): My mentor, Bob Courtney, taught me that one should never take security counsel from cryptographers or auditors. My exception to the rule is Bruce Schneier, who is a reformed cryptographer. There was once a reformed auditor but I have forgotten her name.
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/