SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #18
March 05, 2013
SANS is offering a one-time discount for the Cyber Threat Intelligence
Summit to government employees (e.g., federal, state, local, DoD). This
offer reduces the registration fee from $895 to $395 and will be
available for a limited time only, on a first come, first served basis.
Please register at
http://www.sans.org/event/what-works-cyber-threat-2013 with the code
TOP OF THE NEWSCybersecurity Bubble Bursting Among Government Contractors
Greater Transparency About Cyberattacks Beneficial for Security
Oracle Issues Emergency Java Patches
THE REST OF THE WEEK'S NEWSJailed Cyber Criminal Hacks Prison's Educational Computer System
Evernote Intrusion Prompts Password Reset
FBI Director Emphasizes Need for Public/Private Partnerships to Fight Cyberthreats
Safari Update Blocks All But Most Recent Version of Adobe Flash
Tech Groups Say Do Not Track Legislation is Not Necessary
Omani Bank Targeted in Prepaid Card Scheme
Defense Department Network Security Likely to Feel Pinch From Sequestration
Industrial Control System Sandbox
Senate Committees to Hold Joint Hearing on Cybersecurity Executive Order
*************************** SPONSORED BY SYMANTEC ************************
Gangs, Watering Holes, and Other Threats During the time of the Pony Express, keeping pace with the threat landscape would have required a stable of mustangs. Today, to combat cyber gangs, avoid the wrong watering holes, and escape other threats, you need Symantec's annual Internet Security Threat Report (ISTR). Join us for a live video webcast for an in-depth discussion of key findings from 2012.
- -- SANS 2013 Orlando, FL March 8-March 15, 2013 47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
- --Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test courses and summit day.
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Cybersecurity Bubble Bursting Among Government Contractors (March 4, 2013)Several government contractors have been showing some of their cybersecurity staff the door, part of a growing recognition by the industry that while cyber is growing, it will never reach the scale of aircraft or ship programs. "It's the myth and reality of cyber," said Roger Cressey, senior vice president at Booz Allen Hamilton. "The myth is that it's the fastest growing capability around, that there is tremendous pent-up demand and it is a river of milk and honey for everyone, when the reality is that it's not that. There are pockets of need . . . for specialized skills and capabilities."
(Editor's Note (Paller): So far nearly all the layoffs have been in the business development and management layers. These were caused by competition and resulting price pressure. Under Sequestration however, as agencies look for savings and find the $1 billion each year they had been spending on consultants for cybersecurity hadn't made them any safer, they will cut back on the soft-skilled NIST-FISMA report-writing consultants while retaining the ones with "specialized
Greater Transparency About Cyberattacks Beneficial for Security (March 1, 2013)In the past several weeks, at least 19 US financial institutions have disclosed cyberattacks on their computer systems. The disclosures were made in annual financial reports to the US Securities and Exchange Commission (SEC). (In October 2011, the SEC issued guidance requiring companies to report significant computer security incidents.) Nearly all of the institutions reporting incidents say that their systems were targeted in a series of distributed denial-of-service (DDoS) attacks that made headlines in 2012. Officials have suggested that the Iranian government may have been behind those attacks. The increased level of disclosure is beneficial because it "brings greater awareness, greater diagnosis and a desire to find a stronger cure," according to the president of a financial services trade organization. The increased disclosure "is the market solution to cybersecurity," according to a Senate Commerce Committee staff member. "It's getting investors aware of the issue. And it's getting senior executives to manage cyber risk the same way they would manage other business risks."
[Editor's Note (Henry): Recent reporting by many companies across multiple sectors is positive. The long reluctance to report due to concerns about how it will impact the business is subsiding as this threat receives increased publicity, resulting in enhanced awareness. That's all good. But in this case, the banks report they're being attacked, to the tune of hundreds of millions of dollars. It's likely by Iran, and everyone knows it. The banks have taken reasonable and appropriate defensive action, yet 5 months later they're still being attacked. Information sharing that doesn't lead to action by someone who can mitigate the threat is half a solution. (Paller): A great deal of wisdom in Shawn Henry's comment. Tony Sager, NSA's top cyber defender for many years, has often said "information sharing is overrated," clarifying his words by adding that if the organization receiving the shared information is not fully prepared to act on it, sharing doesn't do a lot of good. That means to me that the information should go to technical people in a position to act, and with the right skills and authority to act. Otherwise information sharing is just window dressing.
(McBride): Disclosing in SEC filings is probably a good step 1. We are now admitting we have a challenge. Putting cyber attacks into terms understood by executives and investors (think impact on financial statements) remains a significant hurdle. ]
Oracle Issues Emergency Java Patches (March 1 & 4, 2013)Oracle has released fixes for two more vulnerabilities in Java, one of which is being actively exploited to install malware known as McRat. Oracle has known about the flaw that is now being actively exploited since the beginning of February; a fix for the vulnerability had been planned for April 16, but was pushed up because of the active attacks. Both flaws are remotely exploitable without authentication. The most current versions of Java are now Java 7 Update 17 (7u17) and Java 6 Update 43 (6u43). The update for Java 6 is the last one for that version of Java that will be publicly available; users are urged to upgrade to Java 7. Security journalist Brian Krebs recommends that users who do not need Java disable it, or enable it in only one browser that is used for sites that require Java for functionality. The McRat malware is reportedly signed with security certificates stolen from Bit9. Internet Storm Center:
[Editor's Note (Honan): Given the number of vulnerabilities recently found in Java it is now high time that Oracle review the security model for Java and publish a roadmap on how they plan to make it more secure.
(Paller): The number and criticality of the vulnerabilities in Java, and the damage being done by criminals and others exploiting them, makes Brian's suggestion critically important. It is difficult to see how the cybersecurity staff at Oracle can continue at the current frenetic, and discouraging (perhaps hopeless) task, if the development team doesn't find a systemic solution soon. ]
*************************** Sponsored Links: ******************************
1) Take the Mobile Application security Survey! Enter to Win an iPad! http://www.sans.org/info/126297
2) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. http://www.sans.org/info/126302
THE REST OF THE WEEK'S NEWS
Jailed Cyber Criminal Hacks Prison's Educational Computer System (March 3 & 4, 2013)Nicholas Webber, who in May 2011 was sentenced to five years in prison by a UK court, hacked into the prison's computer system after he was permitted to attend technology classes there. Webber was the mastermind responsible for Ghostmarket<dot>net, a forum used to trade malware and stolen credit card information. The site at one point had 8,500 members and the information available there was used to steal GBP 15 million (US $22.6 million) from bank accounts around the world. The educational system that Webber hacked while in prison was a closed network at the time.
[Editor's Note (Henry): Brilliant. This just in..."Convicted embezzler named to handle prison accounting system."
(Murray): Hacking is addictive behavior, recidivism high, and reform unlikely. Rogue hackers should be protected from temptation. We cannot say this too often or too loudly. However, those who most need this message are not part of our audience.
(Pescatore): I think the instructor said he had no idea Webber was in jail for hacking. Might be a good idea to check student's arrest record before letting arsonists into campfire class or cybercriminals into IT class. ]
Evernote Intrusion Prompts Password Reset (March 2 & 4, 2013)All 50 million Evernote users have been notified that they must change their account passwords after the company experienced a cyber intrusion. The compromised information includes usernames, email addresses, and encrypted passwords. There is no evidence that the intruders gained access to user content or payment information. The "suspicious activity
on Evernote's network ... appears to have been a coordinated attempt to access secure areas" of the system, according to a post on the company's website. Security experts have said that Evernote was using weak cryptography to protect user passwords and other data.
[Editor's Note (Honan): Is it just me or am I the only one who thinks how can these attackers be so good as to break into the networks of companies yet those companies always seem to stop the attack just before the attackers gain access to sensitive information? On another note Evernote have announced that they will offer two factor authentication
One does have to ask why it takes a security breach for Evernote, and indeed other companies that suffered similar fates, to subsequently implement two factor authentication? ]
FBI Director Emphasizes Need for Public/Private Partnerships to Fight Cyberthreats (March 1, 2013)Speaking at the RSA Security Conference in San Francisco last week, FBI Director Robert Mueller said that federal law enforcement agents need to work with private industry and other government agencies to take action against cyberthreats. Mueller also said that their focus needs to broaden from just reducing vulnerabilities to attribution and developing effective responses.
[Editor's Note (Henry): Key takeaway from the Director's speech: "For two decades, corporate cyber security has focused principally on reducing vulnerabilities. These are worthwhile efforts, but they cannot fully eliminate our vulnerabilities...We must identify and deter the persons behind those computer keyboards." (See "Transparency" article in Top Of The News.) ]
Safari Update Blocks All But Most Recent Version of Adobe Flash (March 1 & 4, 2013)Apple recently pushed out an update for its Safari browser that blocks all but the most recent release of Adobe Flash. The Safari update was released days after Adobe issued patches for vulnerabilities in Flash that were being actively exploited. If Safari users try to view Flash content with an outdated version of the browser plug-in, they will see a pop-up window informing them that Flash is out of date and providing the option of downloading an updated version of Flash. Internet Storm Center:
Tech Groups Say Do Not Track Legislation is Not Necessary (March 1, 2013)Some groups representing the interests of technology companies are speaking out against proposed legislation that would require all online companies to honor do not track requests from consumers. One of the bill's sponsors, Senator Jay Rockefeller (D-West Virginia), said that companies are not currently honoring those requests. Lou Mastria, managing director of the Digital Advertising Alliance, disagrees, saying that the bill is unnecessary because self-regulation is working. Technology-oriented think tank the Information Technology and Innovation Foundation noted that do-not-track legislation could be ultimately detrimental to consumers because a significant amount of web content is supported by targeted Internet advertising. The proposed legislation would allow the US Federal Trade Commission (FTC) to enforce action against companies that do not comply with consumer do-not-track requests, and would restrict online companies to collect only the data necessary to deliver their content or services.
[Editor's Note (Pescatore): Do Not Track lets users choose between getting free stuff at the price of their privacy or not. Some part of the market may choose *not* to see content that requires privacy invasion in order to be subsidized, some part of the market *will* choose to give away personal info - it is about choice. ]
Omani Bank Targeted in Prepaid Card Scheme (March 1, 2013)Hackers appear to have replicated a dozen prepaid Bank Muscat Travel Cards and then used them to conduct fraudulent transactions from ATMs in cities outside the country. Bank Muscat acknowledged that the cards were compromised on February 20, 2013 and that the fraudulent transactions totaled RO 15 million (US $39 million). Cybersecurity journalist Brian Krebs has observed that the incident resembles two others that took place in late December 2012 as well as a 2011 attack against Fidelity National Information Services and a December 2008 attack on RBS WorldPay accounts.
Late 2012 Heists:
Defense Department Network Security Likely to Feel Pinch From Sequestration (March 1, 2013)Sequestration budget cuts will be felt in Pentagon cybersecurity. While uniformed members of Cyber Command will not have their pay decreased, civilian Cyber Command employees will face furloughs. A portion of the workload will be focused on planning for the sequester instead of on network security operations.
[Editor's Note (Pescatore): This is what we in the Washington DC orbit call the "TSLWC" reflexive reaction to any mandatory budget cut (or lack of increase): "The Statue of Liberty Will Close." ]
Industrial Control System Sandbox (February 28, 2013)The Industrial Control System (ICS) Sandbox allows oil and gas companies in the US, Canada, and Brazil to test the resilience of their systems and learn about real-world effects of cyberattacks in a closed environment. Organizations running control systems need to know how attacks will affect their ability to provide services. In addition, malware attacks on control systems cannot be addressed the way they are in traditional IT environments.
[Editor's Note (Assante): Understanding consequences is important and shared assets like the Sandbox are wonderful additions that promote learning. We need a wider use of tools that allow entire teams of defenders and system operators and engineers to hone their skills and find workable practices to develop a confident play book.
(McBride): The ability to understand how the cyber might affect the physical is a significant missing piece. The efforts covered in this story represent one attempt to bridge that gap.
(Paller): A much more sophisticated simulator, being built for the U.S. military gets right at the heart of building the skills and teams Mike Assante describes. Called CberCity, it was the subject of a front page article in the Washington Post:
Senate Committees to Hold Joint Hearing on Cybersecurity Executive Order (February 28, 2013)The US Senate Commerce and Homeland Security Committees plan to hold a joint hearing on cybersecurity on Thursday, March 7. The hearing will address the implementation of President Obama's cybersecurity order as well as possible cybersecurity legislation. Senator Tom Carper (D-Delaware) said that "while the president's executive order on cybersecurity was an important step, bipartisan legislation is still critically necessary to address" the cybersecurity threats the country faces.
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/