NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 94 : Crying Wolf! Illinois Water Pump Failure Not Hacking; NIST Has Huge Impact With BIOS Special Publication; Small Legal Settlement May Open The Flood Gates For Cyber Suits

  • From: The SANS Institute
  • Date: Tue Nov 29 16:27:36 2011

**************************************************************************
SANS NewsBites              November 29, 2011             Vol. 13, Num. 94
**************************************************************************
TOP OF THE NEWS
  Feds Say Hacking Was Not Involved in Illinois Water Pump Failure
  NIST Has Huge Impact on Cybersecurity With BIOS Special Publication
  Small Legal Settlement May Open The Flood Gates For Cyber Suits
  Britain Readies Cyber Strike Forces
THE REST OF THE WEEK'S NEWS
    Feds Shut Down Sites for Allegedly Selling Counterfeit Merchandise
    Four Arrested in Philippines in Connection with AT&T PBX Hack
    Appellate Court Says Online Commenter May Remain Unidentified
    UK Cyber Security Strategy Includes Information Sharing Pilot Program
    Apache Working on Fix for Reverse Proxy Flaw
    Apple Fixes Three-Year-Old iTunes Updater Flaw
    Google Deploys Forward Secrecy on SSL-Based Services
    Three Indicted for Skimming Scheme
    Certification and Accreditation Authority Says Doctors Should Not Text Patient Orders
    Business Software Alliance CEO Says SOPA Goes Too Far

************ Sponsored By Raytheon Trusted Computer Solutions ***********

Hardening operating systems to DISA STIG, PCI, or SANS CAG
recommendations can be confusing and time consuming.  Automate the
assessment, lock down, and baselining of your systems with Security
Blanket, for consistent and predictable results.  **Now supporting
'targeted' SELinux policy for Red Hat Enterprise Linux.  Learn more by
registering for a free demonstration today!

http://www.sans.org/info/91971
**************************************************************************
TRAINING UPDATE
 --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/
 --SANS London 2011, London, UK, December 3-12, 2011
18 courses.  Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
http://www.sans.org/london-2011/
 --Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
 --SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
 --SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
 --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses.  Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
 --SANS Phoenix 2012, Phoenix, AZ  February 13-18, 2012
7 courses.  Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
 --Looking for training in your own community?
http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Perth, Atlanta, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

**************************************************************************

TOP OF THE NEWS
 -- Feds Say Hacking Was Not Involved in Illinois Water Pump Failure
(November 23, 2011)
According to a joint statement from the US Department of Homeland
Security's (DHS) Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) and the FBI, federal officials "could not validate the
claims" made by the Illinois State Terrorism and Intelligence Center
(STIC) that foreign hackers had gained access to a supervisory control
and data acquisition (SCADA) system at a water utility in that state.
Earlier reports claimed that attackers had gained access to the
utility's system and caused a water pump to burn out.
http://krebsonsecurity.com/2011/11/dhs-blasts-reports-of-illinois-water-station-hack/
http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/
http://www.theregister.co.uk/2011/11/23/water_utility_hack_update/
http://www.bbc.co.uk/news/technology-15854327
http://www.informationweek.com/news/security/attacks/232200199
http://www.computerworld.com/s/article/9222144/DHS_sees_no_evidence_of_cyberattack_on_Ill._water_facility?taxonomyId=82
http://www.techspot.com/news/46407-fbi-says-hackers-not-responsible-for-illinois-water-pump-failure.html
http://techland.time.com/2011/11/28/hackers-blow-up-illinois-water-utility-or-not/
[Editor's Note (Pescatore): Much of the hysteria was based on the fact
that the "attack" came from an IP address in Russia, but the Washington
Post reported that a legitimate contractor had made the access while on
travel to Russia. This over-focus on where an attack appears to be
coming from leads to major distraction from the real problem - the
vulnerabilities that enable all attacks.
(Liston): I've tried very hard to stay away from discussing this
"incident" since it first came to light.  The rush to "conclusion
jumping" was astonishing. Our industry needs to do a better job of
quashing headline-grabbing sensationalism and keeping ourselves grounded
in fact or we'll suffer from the same fate as anyone else who goes
around crying "wolf."
(Murray): While the connection of our infrastructure controls to the
public networks makes them vulnerable, they are not currently under
attack.  They may never come under attack.  However, fixing the
vulnerabilities will take much longer than we will have should they come
under attack. We need to fix this now.  My sense is that the government
is saying "fix it or else" and the utilities are waiting for the "or
else."  That said, when the government said the same thing to the
colleges and universities, most of them closed their networks in a
matter of months to years.]

 -- NIST Has Huge Impact on Cybersecurity With BIOS Special Publication
People who have long known that NIST can have a profoundly positive
impact on cyber security now have a great example, and another one is
coming. The core challenge of the "supply chain problem" is ensuring
that each element can be trusted, and in most PCs and laptops the BIOS
is the most basic element where trust must be verified. NIST saw that
the industry was in transition with the adoption of the Unified
Extensible Firmware Interface for BIOS, and that there was an immediate
opportunity to influence the next generation of systems. And they did,
at scale. Because of NIST Special Publication 800-147, every HP
computer, and many others, is now delivered with a secure BIOS -
something that was not true just a year ago.  Very shortly NIST will
release a related Special Publication on how to do integrity
measurement, another critical step in the supply chain problem.
http://gcn.com/articles/2011/04/29/nist-bios-cyber-target.aspx
[Editor's Note (Paller): Kudos to Andrew Regenscheid, William Polk,
Murugiah Souppaya and their team at NIST.]

 --Small Legal Settlement May Open The Flood Gates For Cyber Suits
(November 23, 2011)
A lawsuit filed by a single victim of the RockYou breach, which led to a
$2,000 settlement, earned the plaintiff's lawyers $290,000. That's blood
in the water for legal sharks. And the settlement sets a precedent. How
many of the 32 million users whose data was breached in the hack of
RockYou in December 2009 will now be represented by lawyers? A
commentary in Data Privacy Monitor shows why this could be an important
settlement.
(http://www.dataprivacymonitor.com/data-breaches/rockyou-proposed-settlement-would-leave-decision-standing/)
BTW the attack used a SQL injection vulnerability.
http://www.darkreading.com/security/privacy/232200192/rockyou-lawsuit-settlement-leaves-question-marks-on-breach-liability.html

 --Britain Readies Cyber Strike Forces
(November 23, 2011)
Two separate units in the U.K. Defence Cyber Operations Group are
working on an offensive capability to strike back at enemies who are
trying to start electronic attacks on critical national infrastructure.
One technique has already been used when the UK's GCHQ launched a virus
to replace an online bomb-making manual with a cupcake recipe.
http://www.telegraph.co.uk/news/uknews/defence/8916960/Britain-prepares-cyber-attacks-on-rogue-states.html

****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Feds Shut Down Sites for Allegedly Selling Counterfeit Merchandise
(November 28, 2011)
The US Department of Immigration and Customs Enforcement has seized 150
domain names suspected of being involved in selling counterfeit
merchandise. The seizures were announced on Monday, a big online
shopping day, and come amidst heated legislative debate over anti-piracy
legislation. The domains are being taken down under the same civil
seizure law used to seize bank accounts and property allegedly linked
with illegal activity.
http://www.wired.com/threatlevel/2011/11/operation-in-our-sites-grows/
http://www.washingtonpost.com/business/economy/justice-dept-cracks-down-on-scams-on-cyber-monday/2011/11/28/gIQA1clz5N_story.html

 -- Four Arrested in Philippines in Connection with AT&T PBX Hack
(November 28, 2011)
Police in Manila, Philippines have arrested four people in connection
with a PBX attack on AT&T phone networks that was used to help fund a
terrorist organization that is suspected of being behind physical
attacks in Mumbai in November 2008. PBX attacks usually involve gaining
unauthorized access to phone lines and making calls to premium-rate
services. The losses to AT&T were estimated at US $2 million.
http://www.theregister.co.uk/2011/11/28/philippines_at_and_t_terror_hack_arrests/
http://www.informationweek.com/news/security/attacks/232200252

 -- Appellate Court Says Online Commenter May Remain Unidentified
(November 26, 2011)
An Illinois Appellate Court Judge has overturned a lower court ruling
that ordered a newspaper publisher to divulge the email and IP addresses
of an individual who made comments using an online pseudonym and ordered
Comcast to reveal the individual's identity. Justice Terrence Lavin
wrote in his decision that "putting publishers and website hosts in the
position of 'cyber-nanny' is a noxious concept that offends our
country's long history of protecting anonymous speech."
http://www.chicagotribune.com/news/local/ct-met-internet-comment-ruling-20111126,0,4573864.story

 -- UK Cyber Security Strategy Includes Information Sharing Pilot Program
(November 25 & 26, 2011)
The UK government has published its Cyber Security Strategy. One of its
features is a cyber security hub that will let public and private sector
organizations share information about threats and responses.  The
information sharing pilot effort will begin in December; organizations
from the defense, telecommunications, finance, pharmaceutical, and
energy industries will participate. Many organizations have been
reluctant to admit having suffered a cyber security breach because of
the damage it would do to their reputations. The UK does not have a
mandatory security breach reporting requirement.
http://www.h-online.com/security/news/item/UK-government-lays-out-cyber-security-plans-1385358.html
http://www.scmagazineuk.com/governments-cyber-security-strategy-proposes-expansion-of-gchq-police-training-and-a-national-hub/article/217583/
http://www.v3.co.uk/v3-uk/news/2127751/government-finally-announces-cyber-crime-strategy
http://www.telegraph.co.uk/news/uknews/defence/8916960/Britain-prepares-cyber-attacks-on-rogue-states.html
http://www.reuters.com/article/2011/11/25/britain-cyberspace-idUSL5E7MP24E20111125
[Editor's Note (Murray):  Information sharing is dangerous.  It requires
trust, certainly more than the US or UK governments command.  Moreover,
governments do not trust citizens and will not share with them.  All
such well-intentioned schemes flounder.]

 --Apache Working on Fix for Reverse Proxy Flaw
(November 24 & 28, 2011)
Developers at Apache are working on a patch to address a flaw in the
Apache HTTP server that could be exploited to access protected resources
on internal networks. Installations operating in reverse proxy mode are
vulnerable to the attack.
http://www.theregister.co.uk/2011/11/24/apache_bug/
http://www.computerworld.com/s/article/9222160/Unpatched_Apache_flaw_allows_access_to_internal_network?taxonomyId=85
http://arstechnica.com/tech-policy/news/2011/11/security-flaw-in-apache-could-allow-attackers-into-internal-networks.ars

 -- Apple Fixes Three-Year-Old iTunes Updater Flaw
(November 23, 24 & 25, 2011)
Earlier this month, Apple fixed a vulnerability in its iTunes updater
that could be exploited to distribute malware. Apple had known about the
flaw for more than three years. The flaw was exploitable only in Windows
versions of iTunes, and was fixed in version 10.5.1. Before that, iTunes
updates were conducted through unencrypted HTTP queries, which allowed
attackers with control of a user's network to disguise malware as
legitimate updates. The creators of FinFisher, a cyber surveillance tool
that was marketed to government, recommended that it be deployed in the
guise of an iTunes update.
http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/
http://www.h-online.com/security/news/item/iTunes-security-vulnerability-had-been-present-for-over-three-years-1384718.html
http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/apple-took-years-to-fix-itunes-spyware-vulnerability-10024873/?
http://www.telegraph.co.uk/technology/apple/8912714/Apple-iTunes-flaw-allowed-government-spying-for-3-years.html

 -- Google Deploys Forward Secrecy on SSL-Based Services
(November 22 & 23, 2011)
Google's HTTPS-enabled services are now encrypted with a method that
protects traffic from being decrypted in the future. This means that
users of Gmail, Google Docs and Google+ can rest a little easier,
knowing that even with future technological advances, attackers will be
unable to decrypt older communications. The new feature is known as
forward secrecy, in which every online session is encrypted with a
different public key and corresponding private keys are stored only for
short periods of time.
http://www.darkreading.com/authentication/167901072/security/privacy/232200135/google-ratchets-up-security-of-https.html
http://www.computerworld.com/s/article/9222129/Google_protects_HTTPS_enabled_services_against_future_attacks?taxonomyId=83
http://www.theregister.co.uk/2011/11/22/google_perfect_secrecy/
[Editor's Note (Pescatore): The risks of future decryption of bits in
motion are much lower than the risks of misuse of personal data that is
collected and stored at Google and other online companies. I'd rather
see "perfect forward privacy."]
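The mechanism described in the item above, as an added example that is not Google's code and not part of the original newsletter: a toy Diffie-Hellman exchange (constructed parameters p = 2**61 - 1 and g = 5, far too small for real use) run once with a static server key and once with one-time keys, followed by a simulated later theft of the server's long-term private key. Only the ephemeral session's key survives the theft, which is the property "forward secrecy" names.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this demo only. Real TLS uses
# 2048-bit MODP or elliptic-curve groups; the forward-secrecy argument is
# identical, only the key sizes differ.
P = 2**61 - 1
G = 5


def derive_session_key(shared_secret: int) -> bytes:
    """Hash the raw DH shared secret into a 32-byte session key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def random_exponent() -> int:
    """Fresh private exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def static_exchange(server_long_term_priv, client_eph=None):
    """Exchange WITHOUT forward secrecy: the client keys to the server's
    long-term public key, so every session secret depends on that one key.
    Returns (session_key, what a passive eavesdropper records)."""
    client_eph = client_eph or random_exponent()
    server_pub = pow(G, server_long_term_priv, P)   # published long ago, reused
    client_pub = pow(G, client_eph, P)
    session_key = derive_session_key(pow(server_pub, client_eph, P))
    return session_key, {"server_pub": server_pub, "client_pub": client_pub}


def ephemeral_exchange(server_eph=None, client_eph=None):
    """Exchange WITH forward secrecy: both sides mint one-time exponents,
    derive the session key, then destroy the exponents. A long-term key
    would only sign server_pub (authentication); it never enters the
    secret computation. Returns (session_key, recorded transcript)."""
    server_eph = server_eph or random_exponent()
    client_eph = client_eph or random_exponent()
    server_pub = pow(G, server_eph, P)
    client_pub = pow(G, client_eph, P)
    session_key = derive_session_key(pow(client_pub, server_eph, P))
    assert session_key == derive_session_key(pow(server_pub, client_eph, P))
    del server_eph, client_eph   # one-time secrets live only for the handshake
    return session_key, {"server_pub": server_pub, "client_pub": client_pub}


def attacker_replays_leaked_key(transcript, leaked_long_term_priv) -> bytes:
    """Attacker who later steals the server's long-term private key plugs it
    into the recorded client_pub. Against the static exchange this yields the
    real session key; against the ephemeral exchange it yields garbage, since
    the exponents actually used were never derived from that key and no
    longer exist anywhere."""
    return derive_session_key(pow(transcript["client_pub"], leaked_long_term_priv, P))


if __name__ == "__main__":
    long_term = random_exponent()
    k, rec = static_exchange(long_term)
    print("static: session key recovered after key theft ->",
          attacker_replays_leaked_key(rec, long_term) == k)     # True
    k, rec = ephemeral_exchange()
    print("ephemeral: session key recovered after key theft ->",
          attacker_replays_leaked_key(rec, long_term) == k)     # False
```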

 --Three Indicted for Skimming Scheme
(November 22, 2011)
Three men have been indicted for allegedly placing skimming devices on
ATMs in New York City. Dimitar Stamatov, Nikolai Ivanov, and Iordan
Ivanov face a list of charges, including identity theft, criminal
possession of forgery devices, and scheming to defraud. The men
allegedly placed skimming devices on four cash machines and used the
information they harvested to manufacture cloned payment cards. They
then allegedly used those cards to conduct US $264,000 in fraudulent
transactions. Two of the men were arrested earlier this year as they
were attempting to retrieve one of the skimming devices; the third man
is still at large.
http://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/article/217419/
http://www.msnbc.msn.com/id/45344181/ns/technology_and_science-security/
http://manhattanda.org/press-release/81-count-indictment-unsealed-large-scale-atm-skimming-case

 --Certification and Accreditation Authority Says Doctors Should Not Text Patient Orders
(November 21, 2011)
The Joint Commission, a US health care organization certification and
accreditation organization, has stated that health care professionals
should not use text messages to share patient information. "It is not
acceptable for [health care professionals] to text orders for patients
to the hospital or other health care setting ... [because it] provides
no ability to verify the identity of the person sending the text."
http://www.ihealthbeat.org/articles/2011/11/21/joint-commission-text-messages-should-not-be-used-in-patient-orders.aspx
http://www.jointcommission.org/standards_information/jcfaqdetails.aspx?StandardsFaqId=401&ProgramId=1
[Editor's Note (Murray):  Rather than raise more barriers to electronic
health records, we should be solving the problems with paper ones.
Those who think that paper records are safer than electronic ones,
simply do not understand paper records.
(Liston): "Wait... what? Someone thought it was *okay* to send medical
orders via text?" Lately I've been finding more and more of these
"areas" where things just don't seem to work the way that I assumed they
did.  Because doctors and nurses are required to log their actions on
the patient's chart, I would've thought that sending orders via text
message (where confidentiality, attribution, delivery notification,
etc... can be *highly* problematic) wouldn't even be considered.  You
know what they say about "assuming"...]

 --Business Software Alliance CEO Says SOPA Goes Too Far
(November 21 & 22, 2011)
The Business Software Alliance (BSA) appears to be backing off from its
support of the Stop Online Piracy Act (SOPA), which was introduced by
House Judiciary Committee chairman Lamar Smith (R-Texas). In a recent
blog post, BSA President and CEO Robert Holleyman wrote that "Valid and
important questions have been raised about the bill," adding that it
could "sweep in more than just truly egregious actors."
http://thehill.com/blogs/hillicon-valley/technology/194947-software-group-backs-off-support-of-sopa
http://news.cnet.com/8301-31921_3-57330078-281/surprise-microsoft-quietly-opposes-sopa-copyright-bill/
[Editor's Note (Murray): Opposition to this obnoxious legislation is
growing but the smart money is still with the RIAA and the MPAA.]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

