NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 92 : FLASH: SCADA Attack Bigger Story Than Initially Thought

  • From: The SANS Institute
  • Date: Fri Nov 18 16:36:15 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FLASH: The Nov. 8 attack on a SCADA system in a water district (similar
to the recent attack on MIT) is likely to be a small part of a much
bigger story. First articles:
http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/2
http://www.chicagotribune.com/news/chi-111118water-pump-facility,0,1531638.story
http://news.cnet.com/8301-27080_3-57327030-245/u.s-water-utility-reportedly-hacked-last-week-expert-says/

Also in this week's issue: John Pescatore's characterization of failed
security programs, at the end of the first story, is the most insightful I
have ever seen from a Gartner security analyst.  In it, he says:
   "...many of whom focused way more on using policy and 
    awareness/education to shift blame to the users than 
    they did on avoiding incidents."
If you don't get it, ask me (apaller@xxxxxxxx) or if you are a Gartner
client, ask John. If you do get it, and you are (part of) the reason
your organization has shifted or will shift to the more effective
paradigm of security, your chances of having a highly valued and
satisfying career in security have increased enormously.

And kudos to Ellen Nakashima of the Washington Post for doing a big
story in a major on successes in cybersecurity rather than just focusing
on compromises.
				    Alan

**************************************************************************
SANS NewsBites              November 18, 2011             Vol. 13, Num. 92
**************************************************************************
TOP OF THE NEWS
  Cyber Security Progress
  Norwegian Energy and Defense Companies Targeted by Data Thieves
THE REST OF THE WEEK'S NEWS
  Windows 8 Includes Changes to Windows Update Procedure
  BIND Flaw is Being Actively Exploited to Crash Servers
  Alleged NASA Hacker Arrested in Romania
  House Committee Hears SOPA Debate
  Stolen Computer Holds Unencrypted Data of 4 Million Patients
  Santa Clara University Investigating Grade Hacking
  Google Provides Opt-Out for Wi-Fi Router Location Logging
  Malware Forces New Zealand Ambulance Dispatchers to Turn to Manual Radio

******************** Sponsored By Silicium Security  *********************

Worried about targeted attacks and APT? Find what AV misses with
Silicium's ECAT Enterprise Compromise and Assessment Tool -
signature-less malware detection.
See ECAT in action, then download our whitepaper, APT in the Enterprise:
http://www.sans.org/info/91406
**************************************************************************
TRAINING UPDATE
 --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/
 --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses.  Bonus evening presentations include Effective Methods for
Implementing the 20 Critical Security Controls; and Assessing
Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/
 --SANS London 2011, London, UK, December 3-12, 2011
18 courses.  Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
http://www.sans.org/london-2011/
 --Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
 --SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
 --SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
 --Looking for training in your own community?
http://sans.org/community/
 --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Tokyo, Perth and Atlanta all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************

TOP OF THE NEWS
 --Cyber Security Progress
(November 17, 2011)
Amid a steady stream of reports of serious cyber attacks and dire
predictions of more to come, some organizations are offering a bit of
optimism through successful efforts to help mitigate risks. Many of the
security issues arise from human error or carelessness. Among the
successful projects are a State Department risk-scoring program that has
significantly reduced the number of vulnerabilities in department
computers; a Pentagon risk data sharing program for defense contractors;
and the Australian Defense Signals Directorate's identification of four
security controls that block a significant number of attacks.
http://www.washingtonpost.com/national/national-security/government-companies-taking-steps-to-ward-off-cyberattacks/2011/11/10/gIQAdvERVN_story.html
[Editor's Note (Pescatore): Plenty of organizations have mature security
programs that "lean forward" and do a very good job of keeping up with
new threats while also meeting business demands and dealing with
budgetary pressures. Common denominators tend to be having a "reduce
business impact" goal with a focus on vulnerability avoidance and
minimizing attack apertures. Kinda boring for the press to cover those
- much more exciting to provide details on the continuing stream of
companies who have been compromised, many of whom focused way more on
using policy and awareness/education to shift blame to the users than
they did on avoiding incidents.
(Liston): One of the things I've noticed over the past few years is that
many organizations are focusing too far "up" the security landscape -
concentrating their efforts on complex, high-level measures and, in the
process, paying less attention to the basics.  When reviewing your
organization's security posture, make sure you've mastered the "Security
101" stuff before you focus on anything else.]

 --Norwegian Energy and Defense Companies Targeted by Data Thieves
(November 17 & 18, 2011)
Cyber thieves have siphoned data from Norwegian oil and defense
industries. In what is being called one of the largest cases of data
espionage in the country's history, at least 10 separate attacks stole
sensitive information from oil, gas, energy, and defense organizations.
Officials believe the actual breadth of the attacks could be much larger
because some of those affected may not realize that they were victims.
Many of the attacks took place while the companies were negotiating
contracts. Authorities did not name the affected organizations.
http://www.washingtonpost.com/world/europe/security-watchdog-norwegian-energy-defense-industries-hit-by-extensive-data-theft-attack/2011/11/17/gIQAzbMKUN_story.html
http://www.theregister.co.uk/2011/11/17/noway_data_theft_attack/
http://www.theaustralian.com.au/australian-it/norway-hit-by-major-data-theft-attack/story-e6frgakx-1226198486549
[Editor's Note (Murray): Norway is not a special target.  Can you say
"Defense in Depth?"
http://whmurray.blogspot.com/2011/11/on-resistiing-phishing-attacks.html]


THE REST OF THE WEEK'S NEWS
 --Windows 8 Includes Changes to Windows Update Procedure
(November 16 & 17, 2011)
Microsoft says that Windows 8 will include a reworked process for
Windows Update. All updates that will require restarts will be
consolidated into one event that coincides with the company's Patch
Tuesday. Microsoft will make exceptions to the practice in the event of
critical security issues that necessitate out-of-cycle updates.  Windows
8 will notify users that there will be a restart three days before the
event; IT administrators will still have the option of setting policies
to prevent automatic restarts after updates are automatically installed.
A second notable feature of Windows Update in Windows 8 is that it will
no longer update third party applications.
http://www.eweek.com/c/a/Mobile-and-Wireless/Microsofts-Windows-8-Will-Revamp-Windows-Update-632723/
http://www.theregister.co.uk/2011/11/16/windows_8_auto_updates/
http://www.computerworld.com/s/article/9221879/Microsoft_We_won_t_update_others_Windows_apps?taxonomyId=208
[Editor's Comment (Northcutt): Welcome news. My HTML editor does not
autosave and I have been sad when I lost work multiple times.]

 --BIND Flaw is Being Actively Exploited to Crash Servers
(November 17, 2011)
BIND users are being urged to update as soon as possible to protect
their computers from an attack that exploits a flaw to crash vulnerable
BIND 9 DNS servers. The Internet Systems Consortium (ISC) says that the
flaw is being actively exploited to attack networks; users have reported
simultaneous crashes in Germany, France, and the US. The ISC urges users
to upgrade to BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, or 9.4-ESV-R5-P1.
http://www.v3.co.uk/v3-uk/news/2125807/zero-day-threat-takes-dns-servers-internet
http://www.h-online.com/security/news/item/Unknown-network-event-causing-BIND-9-DNS-server-crashes-1380518.html
http://www.theregister.co.uk/2011/11/16/bind_in_a_bind_again/
[Editor's Note (Murray): BIND is historically broken.  If it does not
work, price is irrelevant.
(Liston): The SANS ISC (Internet Storm Center) is asking that anyone who
may have packet captures of attacks aimed at BIND please forward them
using the "contact" form at http://isc.sans.edu/contact.html]
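The advisory above names one fixed release per supported BIND 9 train, so the practical check is whether each server's reported version is at or above the fix for its own train. The script below is an added example (not ISC's or SANS's code) that parses "named -v" style strings, including the ESV shape (9.6-ESV-R5-P1), and triages a constructed inventory; the hostnames and version strings in SAMPLE_INVENTORY are made up for illustration.

```python
"""Triage BIND 9 version strings against the fixed releases named in the
ISC advisory summarised above (9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1,
9.4-ESV-R5-P1).

Added example, not ISC's or SANS's code. The hosts and 'named -v' output
in SAMPLE_INVENTORY are constructed for illustration.
"""
import re

FIXED_VERSIONS = ("9.8.1-P1", "9.7.4-P1", "9.6-ESV-R5-P1", "9.4-ESV-R5-P1")

# ISC version shapes: 9.8.1, 9.8.1-P1, 9.6-ESV-R5, 9.6-ESV-R5-P1.
# A trailing vendor build suffix (e.g. "-RedHat-...") is left unmatched.
_VER_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|-ESV(?:-R(?P<esv>\d+))?)"
    r"(?:-P(?P<plevel>\d+))?"
)


def parse_bind_version(text):
    """Return (branch, level, match) for the first BIND version in text.

    branch = (major, minor, is_esv) identifies the release train;
    level  = (patch-or-R-number, P-level) orders releases within it.
    Returns None if no BIND-style version is present."""
    m = _VER_RE.search(text)
    if m is None:
        return None
    is_esv = m["patch"] is None
    branch = (int(m["major"]), int(m["minor"]), is_esv)
    level = (int(m["esv"] or 0) if is_esv else int(m["patch"]),
             int(m["plevel"] or 0))
    return branch, level, m


# branch -> minimum fixed level, built once from the advisory list
_FIXED = dict(parse_bind_version(v)[:2] for v in FIXED_VERSIONS)


def bind_status(version_text):
    """Classify one version string.

    'patched'            same train, at or above the fixed release
    'vulnerable'         same train, below the fixed release
    'unsupported-branch' a train ISC shipped no fix for (e.g. 9.5.x)
    'unparseable'        no BIND-style version found"""
    parsed = parse_bind_version(version_text)
    if parsed is None:
        return "unparseable"
    branch, level, _ = parsed
    fixed_level = _FIXED.get(branch)
    if fixed_level is None:
        return "unsupported-branch"
    return "patched" if level >= fixed_level else "vulnerable"


def triage(inventory):
    """Map host -> (status, note) for a {host: 'named -v' output} dict.

    Caveat: distributions backport fixes without bumping the upstream
    version, so a vendor build string is flagged for manual confirmation
    against the vendor's advisory rather than trusted either way."""
    results = {}
    for host, text in inventory.items():
        status = bind_status(text)
        note = ""
        parsed = parse_bind_version(text)
        if parsed is not None and parsed[2].end() < len(text.rstrip()):
            note = "vendor build string; confirm backport against vendor advisory"
        results[host] = (status, note)
    return results


# Constructed sample inventory (not real hosts or real survey data).
SAMPLE_INVENTORY = {
    "ns1.example.test": "BIND 9.8.1-P1",
    "ns2.example.test": "BIND 9.8.1",
    "ns3.example.test": "BIND 9.6-ESV-R4-P3",
    "ns4.example.test": "BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6",
    "ns5.example.test": "BIND 9.5.1-P3",
}

if __name__ == "__main__":
    for host, (status, note) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:20} {status:20} {note}")
```

To populate a real inventory, run "named -v" on each host, or query the CHAOS-class TXT record remotely with "dig @server version.bind chaos txt +short"; many operators hide or spoof that record, so treat a remote answer as a hint rather than proof, and treat vendor builds as unknown until the vendor advisory confirms the backport.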

 --Alleged NASA Hacker Arrested in Romania
(November 16 & 17, 2011)
Authorities in Romania have arrested a suspect in cyber attacks on
servers at the US's National Aeronautics and Space Administration (NASA)
that caused hundreds of thousands of dollars in damage. Robert Butyka
allegedly began launching his attacks in December 2010 using the online
moniker "Iceman." He allegedly altered data and restricted access to
information. Police have seized a number of computers from Butyka's
home.
http://www.scmagazineus.com/romanian-hacker-accused-of-breaking-into-nasa-server/article/217019/
http://www.informationweek.com/news/government/security/231903181

 --House Committee Hears SOPA Debate
(November 16, 2011)
In a hearing before the US House Judiciary Committee, legislators and
half a dozen witnesses debated the Stop Online Piracy Act (SOPA) that
would, if passed in its current form, give the Justice Department the
authority to order US Internet service providers (ISPs) to prevent users
from accessing sites that are on a blacklist for copyright violations.
The Justice Department would also have the authority to order search
engines to remove rogue sites from search results.  Representative Lamar
Smith (R-Texas), one of the bill's chief sponsors, has admitted that
he's "not a technical expert on this." A similar piece of legislation,
the Protect IP Act, is stalled in the US Senate. The Electronic Frontier
Foundation (EFF) has called SOPA "the most extreme, anti-Internet,
anti-privacy, anti-free speech copyright proposal in US legislative
history." Experts say the plan would break DNSSEC.
http://www.wired.com/threatlevel/2011/11/piracy-blacklisting-bill/
http://redtape.msnbc.msn.com/_news/2011/11/16/8841061-congress-takes-up-controversial-anti-piracy-sopa-legislation
http://www.eweek.com/c/a/Security/Security-Experts-Blast-House-AntiPiracy-Bills-DNS-Filtering-Provisions-495532/
[Editor's Note (Murray): Regardless of how much money the publishers
pump into Congress, anti-piracy cannot be permitted to trump all other
values.  Opponents of the bill are beginning to gain some traction but
they have complained that hearings were stacked against them.
(Liston): Once again, we're faced with an issue where the intent of the
legislation (prevention of online criminal activity) is laudable, but
the way that the legislation is written will actually cause more harm
than good (for example, the blacklisting provisions are too draconian
and don't provide targets with due process or sufficient means of
appeal).  What is particularly appalling is that legislators recognize
that they don't sufficiently understand the technical ramifications of
this bill but are content to press forward with the process anyway.]

 --Stolen Computer Holds Unencrypted Data of 4 Million Patients
(November 16, 2011)
A desktop computer stolen from Sutter Medical Foundation in mid-October
holds unencrypted patient information dating back to 1995.  The data
include names, addresses, and diagnoses of more than 4 million patients.
In the last two years, more than 364 breaches at healthcare
organizations have compromised personal data of nearly 18 million
patients.
http://www.mercurynews.com/breaking-news/ci_19351997
http://abcnews.go.com/US/wireStory/theft-data-4m-patients-part-wider-problem-14977828

 --Santa Clara University Investigating Grade Hacking
(November 15, 2011)
Santa Clara University in California said that someone broke into its
computer system and changed grades of more than 60 students. The school
says it sought help from the FBI after a student reported that one of
her grades was different on a recently obtained transcript. In all
cases, grades were raised. The intrusion appears to have occurred
between June 2010 and July 2011.
http://www.wired.com/threatlevel/2011/11/santa-clara-university-hacked/
http://latimesblogs.latimes.com/lanow/2011/11/santa-clara-university-hacked-grades-changed.html
http://www.pcworld.com/businesscenter/article/243853/fbi_investigating_intrusion_into_university_records_system_to_alter_grades.html

 --Google Provides Opt-Out for Wi-Fi Router Location Logging
(November 15, 2011)
Owners of wireless routers who do not want Google to log the locations
of their Wi-Fi routers can edit the wireless network name, or SSID, with
a trailing "_nomap." Google logs the locations of routers to help refine
its location-based services. The company has received criticism for
choosing this method, which some say is too complicated for most home
users. Google Global Privacy Counsel Peter Fleischer said that simpler
methods were too easy to hack, suggesting that attackers could opt
people out without their knowledge.
http://www.theregister.co.uk/2011/11/15/wi_fi_privacy_google/
http://www.eweek.com/c/a/Security/Google-WiFi-Optout-Method-Mocked-by-Media-719215/
http://www.pcworld.com/businesscenter/article/243994/google_offers_optout_method_for_wifi_geolocation_mapping.html
[Editor's Comment (Liston): I've contacted my credit card company in an
effort to get "_nosteal" added to the end of my card number... we'll see
what happens.]

 --Malware Forces New Zealand Ambulance Dispatchers to Turn to Manual Radio
(November 15 & 16, 2011)
A malware infection on the New Zealand Ambulance Service computer
network forced dispatchers to use manual radio systems. The problems
persisted for two days. Dispatchers were unable to communicate with
drivers through on board mobile data terminals. The problems meant that
drivers were not able to receive information about the calls to which
they were responding.
http://www.theregister.co.uk/2011/11/15/nz_ambulance_malware_outbreak/
http://www.msnbc.msn.com/id/45293551/ns/technology_and_science-security/
http://computerworld.co.nz/news.nsf/news/mystery-virus-disrupts-st-johns-ambulance-service
[Editor's Comment (Northcutt): A reminder that if everything is computer
controlled, malware can rule the world; critical systems need an "old
school" method.]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Mark Weatherford is Chief Security Officer of the North American Electric
Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk7GuiYACgkQ+LUG5KFpTkZ6WwCgjV8ihCn88cp3IRt1aQw/kwf6
1PgAnjQikTI+gJl5OkZUW9cWvgIqy9eX
=Yi4+
-----END PGP SIGNATURE-----

