SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #4
January 15, 2013
TOP OF THE NEWSRed October Cyberespionage Operation Steals Data From Computers and Mobile Devices
Dept. of Homeland Security Urging Companies to Protect Industrial Control Systems
New Jersey Gov. Christie's Cybersecurity Competition Offers Intense Training and Six-Month Internships
US Banks Ask NSA for Help Fighting DDoS Attacks
THE REST OF THE WEEK'S NEWSSingapore Amends Computer Misuse Act to Allow Preemptive Measures Against Cyberattacks
Oracle Patches Critical Java Flaws
US Defense Department Wants Automated Systems to Help with Cyberattack Analysis
Microsoft Releases Fix for Critical IE Vulnerability
No Prison Time for Michael Jackson Song Thieves
Australian Intelligence Organization Seeking Broader Device Access Powers to Fight Terrorism
Banks and ISPs Not Forthcoming with Information About Cyberattacks
Global Payments Breach Costs Estimated to be US $94 Million
A Note on the Loss of Adam Swartz
************************ SPONSORED BY Bit9 *******************************
LIVE WEBCAST: Trust-based Application Control 101 - 8% of enterprise endpoints are infected with malware at any given time. And 80% of stolen data comes from servers the enterprise thinks are secure. These alarming statistics show why antivirus and other traditional security products are ineffective against advanced threats and targeted attacks. Register today for this webcast http://www.sans.org/info/121342
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
TOP OF THE NEWS
Red October Cyberespionage Operation Steals Data From Computers and Mobile Devices (January 14, 2013)Several Computer Emergency Response Teams (CERTs) have uncovered evidence of a cyberespionage operation, dubbed Rocra or Red October, that has been targeting organizations in 39 countries, including Iran, the US, and members of the Russian Federation. Red October gathers data from "mobile devices, computer systems, and network may have been active for at least five years.
[Editor's Note (Murray): After five years many of the victims are still not aware that they have been compromised.]
Dept. of Homeland Security Urging Companies to Protect Industrial Control Systems (January 11 & 14, 2013)Researchers used the Shodan search engine to identify vulnerable Internet connected supervisory control and data acquisition (SCADA) systems that support elements of US critical infrastructure. 7,200 systems were found to be using weak default passwords. The US Department of Homeland Security (DHS) has contacted those responsible for the identified systems and warned them about the security issues.
[Editor's Note (McBride): 7200 weakly-protected systems likely includes PLCs that don't require access credentials at all. The biggest issue is that control systems are not generally under the direct purview of risk management teams -- and hence you have automation folks, including system integrators and contractors -- hooking things up without thinking twice. Couple that with the fact that many ICS systems are insecure by design and default, and you get this result. ]
New Jersey Gov. Christie's Cybersecurity Competition Offers Intense Training and Six-Month Internships (January 14, 2013)New Jersey Governor Chris Christie is inviting New Jersey citizens to participate in a cybersecurity competition to win scholarships to the new Jersey CyberCenter, a program that offers intense, advanced, hands-on coursework, certifications, and six-month residencies at banks, the FBI, military organizations, and other organizations that help support the country's critical infrastructure. The top 60 scorers in the initial six-week online competition will earn the chance to participate in a cyberattack simulation competition at Brookdale. From that competition, 15-20 people will be chosen to participate in the program. As of last weekend, more than 700 people had already signed up for the initial competition. The CyberCenter students will be required to achieve accredited certifications in cybersecurity and to take intense, hands-on classes in both defensive and offensive cyber activity. They will also be required to select a specialization area: advanced forensics, advanced penetration testing; or advanced secure configurations. The competition is free and is open to all veterans, current services members, people seeking employment or second jobs, and New Jersey high school and college students.
[Editor's Note (Paller): Today is the last day for New Jersey students and returning veterans to register. Separately, the New Jersey program is a model for the nation; 50 educational leaders and senior federal officials met outside Washington last Saturday to learn from the New Jersey experience and design the national rollout of this critically national cyber manpower pipeline program. ]
US Banks Ask NSA for Help Fighting DDoS Attacks (January 11, 2013)US banks that have been targeted in a recent wave of distributed denial-of-service (DDoS) attacks are calling on the National Security Agency (NSA) for help. The attacks started about a year ago, but became more concentrated last fall. The banks are asking the NSA for technical assistance to assess their own systems and get a better understanding of the attackers' methods. The NSA is permitted to help private sector organizations when the systems are deemed critical to national security. The request for help must come through a government agency that does have the authority to work with the organization(s) in question.
[Editor's Comment (Northcutt): And there is precedent, Google asked NSA for help in 2010:
THE REST OF THE WEEK'S NEWS
Singapore Amends Computer Misuse Act to Allow Preemptive Measures Against Cyberattacks (January 14, 2013)Singapore's Parliament has approved an amendment to the Computer Misuse Act that allows the government to take preemptive action against cyberattacks. The amendment also imposes a fine of SG $50,000 (US $40,800) and a 10-year jail term for failing to comply with ministerial orders to take preemptive action. Prior to the amendment, the Ministry of Home Affairs had the authority to take action only after an attack on critical information infrastructure (CII) has been detected.
[Editor's Note (Shpantzer): "What could possibly go wrong?" Let's see: Create the impression (via chat rooms, other easily monitored 'threat intel' channels) that competitor X is about to be attacked. Government forces them to institute 'preemptive measures,' etc.]
Oracle Patches Critical Java Flaws (January 13 & 14, 2013)On Sunday, January 13, Oracle released an emergency patch to address a pair of critical flaws in Java. One of the vulnerabilities is being actively exploited. Oracle's decision to release a patch outside of its regular schedule is likely to have been influenced by an advisory from the US Department of Homeland Security's (DHS's) US-Computer Emergency Response Team (US-CERT) strongly recommending that users disable Java in their browsers. Some browsers took their own steps to help prevent users from attacks. For example, Mozilla placed Java 7 on its Click to Play blacklist, which means that Firefox users have to explicitly agree to run the plug-in. Some experts have said that the emergency update does not go far enough.
US Defense Department Wants Automated Systems to Help with Cyberattack Analysis (January 14, 2013)The Defense Department's (DOD's) Department's Defense Advanced Research Projects Agency (DARPA) is hoping to use machines to help analyze network vulnerabilities. The Cyber Targeted Attack Analyzer will gather data from various sources so that anomalies can be more easily detected. DARPA will likely issue a request for proposals in mid-February, following a January 30 briefing for prospective contractors for the project. One of the hurdles the contractors will face is integrating data from devices that are not compatible with each other.
[Editor's Note (Henry): Glad to see DARPA promoting this. You must assume the adversary is on your network. Constantly monitoring and "hunting" for them is the best way to mitigate the consequences of the inevitable breach. Sharing the intelligence gathered, at network speed rather than the speed of humans, is the best opportunity to make the network more resilient. ]
Microsoft Releases Fix for Critical IE Vulnerability (January 14, 2013)Microsoft has released a fix for a critical remote code execution flaw in Internet Explorer that is being actively exploited. The fix, MS13-008, did not appear in Microsoft's monthly scheduled security update, which was released last week. The flaw affects IE6, IE7, and IE8. The update will be pushed out automatically for users who have automatic updating enabled.
No Prison Time for Michael Jackson Song Thieves (January 11 & 14, 2013)Two UK men have escaped prison time after they broke into servers that belong to Sony Music Entertainment and downloaded nearly 8,000 files, including hundreds of unreleased recordings by Michael Jackson and other artists. James Marks and James McCormick were given six-month sentences, suspended for one year, and were each ordered to perform 100 hours of community service.
Australian Intelligence Organization Seeking Broader Device Access Powers to Fight Terrorism (January 13, 2013)The Australian Attorney General's Department is seeking authority for the Australian Security Intelligence Organisation (ASIO) to use private citizens' computers to break into and take control of computers and mobile devices of suspected terrorists. Privacy groups are critical of the proposal, calling it "extraordinarily broad and intrusive." The plan would allow ASIO to gain access to third party computers "for the specific purpose of gaining access to a target computer." The action would require explicit approval from the Attorney General. Currently, ASIO is prohibited from taking action to "add, delete, or alter data or interfere with, interrupt, or obstruct the lawful use of the target computer," but it wants the ban lifted.
Banks and ISPs Not Forthcoming with Information About Cyberattacks (January 11, 2013)There is not much information available about the DDoS attacks being launched against US banks, primarily because of concern that if they speak out, the attackers will intensify efforts against their websites. Website monitoring companies have data indicating downtime at some of the banks, and one web-outage complaint portal has hundreds of reports from the past month. But the banks themselves and their Internet service providers (ISPs) are remaining relatively mum about the attacks.
Global Payments Breach Costs Estimated to be US $94 Million (January 10, 2013)The Global Payments data breach that was disclosed last April has cost the company nearly US $94 million. The breach is estimated to have affected 1.5 million payment cards. The costs are largely the result of changes that Global Payments has made to improve data security and to comply with the Payment Card Industry Data Security Standard (PCI-DSS).
[Editor's Note (Murray): If an enterprise is part of the payment card industry and has contracted to do so, the cost of PCI DSS compliance is a cost of doing business. To attribute that cost to a breach that demonstrated that the enterprise was not compliant is disingenuous. ]
A Note on the Loss of Adam SwartzMany of you know of the tragic loss of Aaron Swartz. I did not know the man, but I have lived through the suicide of someone close to me and fifteen years later I still feel loss, pain, and confusion. So, we want to express our concerns, hopes and prayers for those who did know him and want to express heartfelt sympathy for their loss. - Stephen Northcutt
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/