SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Sign Up Now
• Editorial Board

Volume XV - Issue #17

March 01, 2013

Quick summary and urls for two extraordinary talks at RSA this week:

1. Ed Skoudis' briefing on cyberwarfare (in the session on the Five Most
Dangerous New Attacks) with a demonstration of how attacks on power
systems actually get through and his eye opening disclosure that the
health electronic medical records system used in many hospitals had so
many security flaws that his team had to harden it before it could be
useful in the CyberCity simulation - it was too easy to take over
without hardening. CyberCity is the cyber range used by the military
that includes actual SCADA systems and trains and water supplies and
missiles. There was a great front page article on it in the Washington
Post. Here's the url if you missed it:
http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers
-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story_1.ht
ml

2. Jonathan Trull's talk (he was the IT auditor and is now the CISO of
Colorado) on how Colorado will be implementing the Top 4 across the
state in the next 3-4 months along with his admission that as the IT
security auditor for the state he had audited against the "600 pages of"
NIST 800-53 and how wrong he had been. The proof was overwhelming. He
had made agencies spend far too much on compliance when they should have
been implementing known defenses against active attacks. The large
audience broke into spontaneous applause when a co-panelist said the new
Executive Order was deeply flawed because it went back to the same
agency that wrote 800-53 and gave NIST a year to study the problem
again. The applause came when he said, "the White House should
immediately act to implement the Top 4 controls that stop most of the
attacks." The CSIS report on the Top 4 is posted at
http://csis.org/publication/raising-bar-cybersecurity

Alan

PS Critical Threat Intelligence is one of two fastest growing
professional categories in cybersecurity. All the big banks have threat
intelligence operations and they report that this is their most
important security function. Register by next Wednesday:
http://www.sans.org/event/what-works-cyber-threat-2013

---

TOP OF THE NEWS

Cyberspies Targeted US Natural Gas Pipeline Control Systems
Openness About Security Breaches Helps Security for All
House Judiciary Committee to Consider Modernizing ECPA
Point and Counterpoint: NewsBites Editors Debate Focusing on Improving Defenses vs. Fighting Back

THE REST OF THE WEEK'S NEWS

Bradley Manning Enters Plea
ISPs Disclose Their Illegal Filesharing Penalties Under the Copyright Alert System
UK High Court Says ISPs Must Block Three Filesharing Sites
Trojan Used for International Cyberespionage
Adobe Issues Third Flash Update in One Month
Australian Broadcasting Corporation Investigating Security Breach
Rental Company Facing Lawsuit Over Spyware
Symantec Researcher Say Stuxnet Two Years Older Than Previously Thought
US Justice Department Defers Prosecution of Alleged Channelsurfing Website Operator
Investors Consider Companies' Data Breach History

---

********************** SPONSORED BY Symantec *************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More. http://www.sans.org/info/125837">http://www.sans.org/info/125837
************************************************************************
TRAINING UPDATE

- -- SANS 2013 Orlando, FL March 8-March 15, 2013 47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013">http://www.sans.org/event/sans-2013

- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013">http://www.sans.org/event/monterey-2013

- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013">http://www.sans.org/event/northern-virginia-2013

- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013">http://www.sans.org/event/cyber-guardian-2013

- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013">http://www.sans.org/event/security-west-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013">http://www.sans.org/event/singapore-2013

- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

- --Looking for training in your own community?
http://www.sans.org/community/">http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
***************************************************************************

---

TOP OF THE NEWS

Cyberspies Targeted US Natural Gas Pipeline Control Systems (February 27, 2013)

According to a classified US Department of Homeland Security (DHS) report, Chinese-linked cyberespionage campaigns targeted 23 US natural gas pipeline operators between December 2011 and June 2012. The companies were targeted through spear phishing attacks. The DHS report does not name China, but the indicators of compromise (IOCs) reported to DHS match those that Mandiant has linked to a group, known by several different names, with ties to China's People's Liberation Army. The information stolen in the attacks - usernames, system manuals, and pipeline control system access credentials - could allow attackers to cause damage to compressor stations. The cyberspies also appear to be targeting information related to fracking.
-http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natu
ral-gas-pipelines-vulnerable-to-sabotage?nav=87-frontpage-mostViewed
[Editor's Comment (Assante): The "who" is not insignificant but the important point to consider is the focused interest in pipeline control systems and operations related information, reported here. It is getting more difficult to understand the different motivations associated with these highly targeted attacks. Many people believe the Industrial Control System security model is all about "availability", but I believe the most important element is "Integrity" as it is the foundation for safe and reliable operations. ]

Openness About Security Breaches Helps Security for All (February 27 & 28, 2013)

By disclosing cyberattacks on their computer systems, high profile organizations such as The New York Times and The Wall Street Journal have provided insight into the attackers' methods. The breached organizations are starting to use tools that gather information about how the cyberintruders are operating. Companies are developing tools to analyze and share information about cyberintruders' tactics and goals.
-http://www.usatoday.com/story/tech/2013/02/27/proactive-intelligence-corporate-n
etwork-breaches/1949879/

House Judiciary Committee to Consider Modernizing ECPA (February 27, 2013)

The US House Judiciary Committee will consider a bill that would "modernize the decades-old Electronic Communications Privacy Act (ECPA)," according to committee chairman Representative Bob Goodlatte (R-Virginia). The proposed legislation would require law enforcement agents to obtain warrants before reading people's electronic communications, such as email and Facebook messages. Currently, ECPA requires only a subpoena, available without judicial approval, to read the contents of email that has been opened or is more than 180 days old.
-http://thehill.com/blogs/hillicon-valley/technology/285397-overnight-tech-house-
to-consider-email-privacy-bill
[Editor's Note (Pescatore): The ECPA in 1986 was an update to Title III legislation back in 1968, which was when telephone wiretaps were first made legal - for the first 90 years or so of telephone use, wiretapping was illegal. There are a lot of key provisions in the Title II regulations, like "minimization" and "necessity" that were very key in balancing privacy and law enforcement needs, and making abuse of wiretapping much less likely. As personal and business communications blur, those same considerations are necessary in any update.
(Northcutt): Here is the ACLU's take on this (they support):
-http://www.aclu.org/technology-and-liberty/modernizing-electronic-communications
-privacy-act-ecpa
And there is the Electronic Freedom Foundation's take (they also support):
-https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communicatio
ns-privacy-act
And oh by the way, it has already passed the house:
-http://www.slate.com/blogs/future_tense/2012/11/29/ecpa_leahy_senate_committee_f
inally_update_email_privacy_law_require_warrant.html]

---

*************************** Sponsored Links: *****************************
1) Take the Mobile Application security Survey! Enter to Win an iPad! http://www.sans.org/info/125842

2) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. http://www.sans.org/info/125847
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Bradley Manning Enters Plea (February 28, 2013)

Pfc Bradley Manning has pleaded guilty to charges of misusing and transmitting classified information, but not guilty to the charge of aiding the enemy. Manning admitted to downloading more than a quarter of a million sensitive documents including intelligence reports, diplomatic cables, and combat videos from Afghanistan. Manning said that he first attempted to give the information to The New York Times and the Washington Post, but those newspapers were not interested. He then turned to WikiLeaks. Manning disputes government claims that the leaked information could have threatened people's lives and hurt the country. Manning's full court martial is scheduled to start on June 3, 2013 and is expected to take several weeks.
-http://www.theregister.co.uk/2013/02/28/bradley_manning_court_martial_starts/
-http://www.wired.com/threatlevel/2013/02/bradley-manning/

ISPs Disclose Their Illegal Filesharing Penalties Under the Copyright Alert System (February 28, 2013)

US Internet service providers (ISPs) are starting to describe how they will implement the Copyright Alert System (CAS) warnings and penalties for illegal filesharing. Comcast says that if users do not respond to earlier warnings, it will hijack the browsers of users who persist in illegal filesharing, making it impossible for them to surf the web. Cablevision Systems plans to suspend access for 24 hours for subscribers who continue to engage in illegal filesharing after a fifth offense. The suspension will be imposed only if users do not call Cablevision. Comcast says it does not plan to terminate users' Internet access. Verizon has already said that it may throttle Internet speeds for repeat offenders. AT&T plans to hijack browsers as well and redirect users to an online portal with information about copyright infringement. CAS does not prevent users from being sued by copyright holders.
-http://www.wired.com/threatlevel/2013/02/comcast-browser-hijack/

UK High Court Says ISPs Must Block Three Filesharing Sites (February 28, 2013)

The UK High Court has ordered major Internet service providers (ISPs) there to block Kickass Torrents, H33T, and Fenopy, three websites that provide links to pirated movie and music content. The ISPs have 15 days in which to comply. There is some disagreement as to whether such tactics are effective over the long run. Some evidence suggests that last year's ordered block of The Pirate Bay was effective for a short time, but then peer-to-peer filesharing returned to pre-block levels. Another report indicates that the number of people downloading pirated music has decreased, and more people are using legitimate music streaming sites.
-http://www.bbc.co.uk/news/technology-21601609
-http://www.guardian.co.uk/media/2013/feb/28/online-piracy-isps-block-access

Trojan Used for International Cyberespionage (February 27 & 28, 2013)

A Trojan horse program known as MiniDuke is being used to conduct targeted attacks on international companies and government institutions. It infects computers by exploiting a vulnerability in Adobe Reader's sandbox feature. Adobe issued a fix for the flaw on February 20. MiniDuke spreads through maliciously crafted PDF documents by pretending to be information regarding human rights or NATO issues. Once ensconced on a computer, MiniDuke connects with command and control servers through twitter and Google to get instructions for downloading more code. MiniDuke has infected machines in 23 countries.
-http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-t
argets-decision-makers-1813304.html
-http://arstechnica.com/security/2013/02/bizarre-old-school-spyware-attacks-gover
nments-sports-mark-of-the-beast/
-http://news.cnet.com/8301-1009_3-57571571-83/miniduke-malware-takes-aim-at-euro-
governments-via-adobe/
-http://www.computerworld.com/s/article/9237201/Researchers_uncover_new_global_cy
ber_espionage_campaign?taxonomyId=17

Adobe Issues Third Flash Update in One Month (February 27, 2013)

Adobe has issued another emergency update to address three critical vulnerabilities in its Flash Player. The flaws can be exploited to crash vulnerable systems and allow attackers to take control of them. Two of the vulnerabilities are being actively exploited. This is the third Flash update and the fourth update overall that Adobe has issued in February. A February 7 update addressed a pair of vulnerabilities that were being actively exploited. On February 12, Adobe released its regularly scheduled security update. Last week, Adobe released an emergency update for Reader.
-http://arstechnica.com/security/2013/02/adobe-releases-third-security-update-thi
s-month-for-flash-player/
-http://krebsonsecurity.com/2013/02/flash-player-update-fixes-zero-day-flaws/
-http://www.zdnet.com/adobe-issues-another-patch-for-flash-vulnerabilities-700001
1872/
-https://www.adobe.com/support/security/bulletins/apsb13-08.html

Australian Broadcasting Corporation Investigating Security Breach (February 27, 2013)

The Australian Broadcasting Corporation (ABC) is investigating reports of a security breach on its website. The individual claiming to have hacked the site has posted information that was allegedly taken from the site. The information includes names, email addresses, hashed passwords and IP addresses of site users. ABC has shut down the affected subdomain and plans to contact users affected by the breach.
-http://www.zdnet.com/au/australian-broadcasting-corporation-confirms-hack-700001
1876/

Rental Company Facing Lawsuit Over Spyware (February 27, 2013)

Court documents filed in a class action lawsuit against rental company Aaron's, Inc. say that spyware installed on computers that the company rented out sent 185,000 email messages to the company's corporate computers. The emails contained sensitive information, including pictures taken surreptitiously by the computers' webcams, and information such as Social Security numbers, account passwords, and straightforward keystroke logging. Aaron's claims that it did not install the spyware on the computers and places the blame for the software on individual franchises. Attorneys for one of the franchises say that the software, called PC Rental Agent, simply shuts down the machines if the renters fall behind on payments. However, the US Federal Trade Commission (FTC) found that the software's "Detective Mode" goes beyond those tasks to take screenshots, webcam images, and log keystrokes and send the harvested information back to Aaron's computers.
-http://www.nbcnews.com/technology/technolog/185-000-spyware-emails-were-sent-aar
ons-computers-1C8595813

Symantec Researcher Say Stuxnet Two Years Older Than Previously Thought (February 26, 2013)

Researchers at Symantec have found evidence that Stuxnet has been around two years longer than had previously been believed. Stuxnet first made headlines in 2010 when it was linked to a 2009 attack on an Iranian uranium enrichment facility. Symantec researchers now say they have found a code string that dates back to 2005.
-http://www.wired.com/threatlevel/2013/02/new-stuxnet-variant-found/
-http://www.washingtonpost.com/world/national-security/stuxnet-worm-targeting-ira
n-in-works-as-early-as-2005-symantec-finds/2013/02/26/4cb562d8-8059-11e2-8074-b2
6a871b165a_story.html
-http://www.symantec.com/connect/blogs/stuxnet-05-how-it-evolved
-http://www.wired.com/threatlevel/2011/07/stuxnet-timeline/

US Justice Department Defers Prosecution of Alleged Channelsurfing Website Operator (February 26, 2013)

The US Justice Department (DOJ) has reached a deal with Brian McCarthy, who was arrested in 2011 for allegedly operating the Channelsurfingnet website, which offered links to unauthorized streamed sporting events. The site was seized in February 2011. The terms of the agreement under which McCarthy's prosecution will be deferred require him to demonstrate good behavior, find a legitimate job, refrain from activity that involves illegal streaming, and repay more than US $350,000 that he allegedly made in profits from the site. Federal prosecutors said that deferring McCarthy's prosecution is in the "interest of the United States," but did not explain how that decision was reached.
-http://arstechnica.com/tech-policy/2013/02/online-sports-streaming-site-owner-av
oids-jail-time-in-new-deal-with-feds/
-http://news.cnet.com/8301-1009_3-57571497-83/feds-strike-a-deal-with-alleged-ill
egal-streaming-site-operator/

Investors Consider Companies' Data Breach History (February 25, 2013)

A survey of 405 US investors found that cybersecurity breaches play a significant role in their investment decisions. Seventy percent of respondents said they would research companies' cybersecurity practices and incidents, and 78 percent said that they would be unlikely to invest in a company that has experienced multiple breaches. Fifty-seven percent of those responding said that they considered customer data theft a more serious problem than theft of intellectual property; 29 percent held the inverse opinion.
-http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breach
es/240149279/investors-value-a-company-s-cybersecurity-record
[Editor's Note (Pescatore): Small surveys like this one tend to come out every few years (especially as part of the derecho of press releases coming out of the annual RSA Conference) but larger longer term investigations into stock valuations and security incidents (or financial shenanigans) at companies does not have any meaningful correlation. ]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/