SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #15
February 22, 2013
The promised status report on implementation of the White House
Executive Order: (1) Days since announcement: 10 (2) Progress on
moving to action: none.
The White House's Michael Daniel and NIST Director Gallagher know
exactly what needs to be done,
(https://csis.org/publication/raising-bar-cybersecurity). Sadly the
people who brought you NIST SP-800-53 and 800-37 appear to be winning
the fight to make federal agencies write another billion dollars worth
of reports admiring the problem instead of using that money to fix the
PS For the press folks on this list, if you are coming to RSA, email me
and I'll send you the list of the sessions that are the game changers.
TOP OF THE NEWSColorado's New CISO Sets A Higher Standard for State's Cybersecurity Issues
Cyberthieves Used DDoS Attack to Hide Fraudulent ACH Transfers
Apple is the Latest Company to be Hit Through Drive-by Waterhole Attack
White House Publishes Strategy to Mitigate Theft of Trade Secrets
THE REST OF THE WEEK'S NEWSBit9 Was First Infiltrated in July 2012
Oracle Releases Java Updates
Apple Issues Java Update and Malware Detection Tool
Adobe Issues Emergency Fixes for Flaws in Reader and Acrobat
Dutch MP Fined for "Hacking"
Firefox 19 Includes Native PDF Viewer
Password Hashing Competition Now Accepting Submissions
************************* SPONSORED BY Symantec ***************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More. http://www.sans.org/info/125057
- -- SANS 2013 Orlando, FL March 8-March 15, 2013 47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
- -Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Colorado's New CISO Sets A Higher Standard for State's Cybersecurity Issues (February 21, 2013)When Jonathan Trull took over as Colorado's Chief Information Security Officer (CISO), he faced state computer systems with numerous security problems and just US $6,000 remaining in his operating budget, which has to last through June 30, 2013. Before becoming CISO, Trull was the Colorado State Auditor. While in that position, he ran penetration tests against state systems that led to "horrifying" results. As auditor, he realized that there was too strong a focus on compliance issues and not enough focus on whether or not policies were actually working to make systems more secure. Trull decided that the SANS 20 Critical Security Controls was the best place to start. He plans to implement the first five controls within the next year and the remaining controls over a three-year period. To make things work with the small sum available until the fiscal year ends at the end of June, Trull says his staff is "using existing technologies
[such as ]
application whitelisting, ...
doing a lot with open source and other tools and features that are already built into
existing software." Trull also stopped buying security products, conducted an inventory of what they had and found that lots of products had been purchased and were not being used. He plans to involve vendors in the security process, holding them accountable for the effectiveness of their products. Trull has also established cybersecurity internships to help build the workforce. He is seeking an increased budget for the next fiscal year.
[Editor's Note (Pescatore): This is sort of like one of the movies where the rich guy and the poor guy get zapped by the same lightning strike and switch lives. Compliance needs to follow security - mostly by documenting the controls and processes put in place to protect and enable business - not the other way around. It is also a good example of the need for most organizations with limited budgets to focus on the highest payback security controls first. ]
Cyberthieves Used DDoS Attack to Hide Fraudulent ACH Transfers (February 19, 2013)In late December 2012, cyberthieves launched a distributed denial-of-service (DDoS) attack against a bank in California as a distraction while they attempted to steal more than US $900,000 from the accounts of a Sacramento construction company with fraudulent automated clearinghouse transactions. The thieves used 62 money mules in the US to help launder the funds. The construction company's president said that when the company controller tried to access the banking page on December 24, she found she was unable to - her computer was actually being controlled by the hackers, preventing her from accessing the bank's online banking services. It is likely that other companies' bank accounts were looted as well.
[Editor/s Note (Henry): DDOS attacks conducted against financial institutions are often used as a smoke screen for the "real" attack against accounts...to keep the consumer from identifying changes occurring as the theft takes place, and to tie up the banks resources and make it more difficult to detect the substantive crime.
(Pescatore): DDoS attacks are like power fluctuations on the AC power to your data center - they have been happening, they will continue to happen, you can't afford to let them impact your systems. DDoS mitigation should be a standard part of business continuity planning for all Internet connectivity. ]
Apple is the Latest Company to be Hit Through "Drive-by Waterhole Attack" (February 20, 2013)The malware that infected computers at Apple, Facebook, and Twitter appears to have come from drive-by download attacks from an iOS developer website. It is called a waterhole attack because the malware was placed on a website that was likely to draw traffic from desirable targets. The attack exploited a then-undisclosed vulnerability in Java; patches for the vulnerability have since been made available. Hackers were able to compromise an administrator account at iPhoneDevSDK's website and insert the Java exploit.
White House Publishes Strategy to Mitigate Theft of Trade Secrets (February 20 & 21, 2013)The White House has released the Administration Strategy on Mitigating the Theft of US Trade Secrets. The report outlines a five-pronged approach to protecting US intellectual property that incorporates diplomatic efforts; promotion of voluntary best practices in private industry; enhanced domestic law enforcement operations; improved domestic legislation; and public awareness and stakeholder outreach. The report describes incidents of Chinese and Russian cyber espionage, and also notes the threat of insider intellectual property theft.
[Editor's Note (Murray): This is a good start and a good approach. It is addressed to appointees of the President in the active voice. It directs them to do legitimate things within the president's authority; it does not encourage or condone mischief. It has milestones and timetables. It fosters transparency and accountability. It places clear limits on what may be done in its name and cause. That said, the problem that it addresses is cultural and changing culture takes time. ]
*************************** Sponsored Link: *******************************
1) Take the Mobile Application security Survey! Enter to Win an iPad! http://www.sans.org/info/125062
THE REST OF THE WEEK'S NEWS
Bit9 Was First Infiltrated in July 2012 (February 20, 2013)The hackers who broke into systems at Bit9 made their initial intrusion as early as July 2012 with an SQL injection attack, according to experts investigating the incident. The malware used in the attack is the same as malware that was used last year to launch cyberattacks against US Defense contractors. At Bit9, cyberthieves stole a digital certificate, which was then used to make malware appear to be legitimately signed software. Bit9 did not become aware of the breach until late January 2013.
Oracle Releases Java Updates (February 20, 2013)Oracle has released a critical patch update for Java; the update is for all versions of the Java runtime environment from version 1.4 through 7, which is the current version. The update fixes three critical vulnerabilities and two other less severe security issues.
[Editor's Note (Pescatore): Is it just me or is the "Security Update for Java" pop up starting to look like just a new cursor icon? - it is up on my screen constantly. It is like here in the Washington DC area where they seem to get the jackhammers out before the last shovelful of faux-asphalt they dumped in the crater sized pothole has even dried. Might be time to hang a "Road Closed Due to Construction" on WebEx and SSL VPN and those things are still requiring Java to run, dig the road up a bit more, put in a more stable surface, let it cure - and reopen when safe to drive again. ]
Apple Issues Java Update and Malware Detection Tool (February 19 & 20, 2013)After discovering that several company computers were infected with malware (see story above), Apple isolated those machines from the company network. The malware exploited a flaw in the Java plug-in for browsers. Apple has issued an update for Java that addresses 30 vulnerabilities and includes a tool that detects and deletes the malware from infected machines.
Adobe Issues Emergency Fixes for Flaws in Reader and Acrobat (February 20, 2013)On Wednesday, February 20, Adobe released emergency fixes for two vulnerabilities in Reader and Acrobat that are being actively exploited. The flaws are of particular concern because they manage to circumvent the sandbox features in Reader X and XI. The updates bring Reader XI to version 11.0.2 and Reader X to version 10.1.6. Reader 9.x has been updated to 9.5.4. Updates are available for Reader and Acrobat for Windows, Mac, and Linux.
Dutch MP Fined for Hacking (February 19, 2013)A court in the Netherlands has fined a Dutch MP 750 euros (US $988) for gaining illegal access to computer systems at a medical laboratory in that country. The court accepted in part Henk Krol's defense that he was acting in the public's interest to expose weak security practices at the company, but said that Krol had not given the company enough time to address the issues before he went public with his findings and that he had accessed more records that necessary to prove his point.
[Editor's Note (Murray): If one does not have an agreement with the owner of the system, one works alone, and one shows the data to those not authorized to see it, or engages in coercion, then the activity, whatever one wants to call it, is more likely criminal than "ethical." This is not a game of "gotcha." ]
Firefox 19 Includes Native PDF Viewer (February 19 & 20, 2013)Mozilla latest version of its Firefox browser addresses four critical security flaws and includes a native PDF viewer. The addition of this feature aims to reduce the likelihood of infections from malware spread through vulnerabilities in third-party PDF reader browser plug-ins. Another improvement is that Firefox 19 will not execute code until the browser's initial window is visible.
Password Hashing Competition Now Accepting Submissions (February 18, 2013)The Password Hashing Competition is now accepting submissions; the deadline is January 31, 2014. The contest organizers are seeking a cryptographic standard that generates hashed passwords slowly enough to make it more difficult for hackers to use brute force attacks to crack those passwords, but fast enough to be used on websites so that users do not have to wait too long to access the information they want.
[Editor's Note (Pescatore): The Googles and others of the world are slowing nudging users away from reusable passwords, which is a very good thing. Of course, much of the world has been slowly nudging human beings away from smoking cigarettes, another good thing - but people don't make radical change from such addictive processes very quickly... For now, increasing the strength of stored password hashes is a very needed thing - - along with other Internet infrastructure upgrades. See
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/