NETSEC Archives

[Netsec] SANS NewsBites Vol. 13 Num. 95 : FBI Discloses: Hackers Access Three Cities' SCADA Systems; GAO Report Causes Waste in Federal Cybersecurity; House Committee Passes Cyber Threat Info Sharing Legislation

  • From: The SANS Institute
  • Date: Fri Dec 02 15:39:09 2011

**************************************************************************
SANS NewsBites              December 1, 2011              Vol. 13, Num. 95
**************************************************************************
TOP OF THE NEWS
  FBI Discloses: Hackers Accessed Three Cities' Infrastructure via SCADA
  GAO Report Being Used To Cause Waste and Abuse in Federal Cybersecurity
  House Committee Passes Cyber Threat Info Sharing Legislation
THE REST OF THE WEEK'S NEWS
    Massive Iranian Missile Explosion: Was it Stuxnet 2?
    U.S. Legislator Wants Answers About Carrier IQ
    Windows Data Execution Prevention Could Have Helped Thwart RSA Hack
    Cyber Criminals Using 1-2 Punch of ACH Fraud and DDoS
    Cyber Attacks on Canadian Government Systems Part of Broader Scheme
    US Government Wants Details of Telecoms' Imported Network Components
    Duqu Servers Wiped in October
    US Cyber Command Conducts Week-Long Cyber Exercise
    HP Refutes Claim That Printer Flaw Could Be Exploited to Cause Fire
    Finnish IT Services Provider Computer Failure Affects Swedish
      Organizations
    French IT CEO Aims to Ban eMail Within His Company
    Malls Back Away From Cell Phone Tracking Technology

************************* Sponsored By IBM ******************************

Register today for SANS Analyst webcast sponsored by IBM, "Integrating
Security into Development, No Pain Required" FREE SANS Analyst Paper
also available at http://www.sans.org/info/92584

**************************************************************************
TRAINING UPDATE
 --SANS London 2011, London, UK, December 3-12, 2011
18 courses.  Bonus evening presentations include IPv6 Challenges for
Intrusion Detection and Understanding How Attackers Bypass Network and
Content Restrictions.
http://www.sans.org/london-2011/
 --Incident Detection & Log Management Summit, Washington DC,
December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/
 --SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses.  Bonus evening presentations include Emerging Trends in
Data Law and Investigations, and Critical Infrastructure Control
Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/
 --SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses.  Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
with Security.
http://www.sans.org/security-east-2012/
 --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses.  Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/
 --SANS Phoenix 2012, Phoenix, AZ  February 13-18, 2012
7 courses.  Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/
 --Looking for training in your own community?
http://sans.org/community/
 --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Perth, Atlanta, Bangalore, and Stuttgart, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
**************************************************************************

TOP OF THE NEWS
 --FBI Discloses: Hackers Accessed Three Cities' Infrastructure via SCADA
(November 29, 2011)
The deputy assistant director of the FBI's Cyber Division says hackers
recently accessed the infrastructure of three cities through SCADA
systems. "Essentially it was an ego trip for the hacker because he had
control of those cities' systems and he could dump raw sewage into the
lake, he could shut down the power plant at the mall - a wide array of
things."
http://www.information-age.com/channels/security-and-continuity/news/1676243/hackers-accessed-city-infrastructure-via-scada-fbi.thtml

 --GAO Report Being Used To Cause Waste and Abuse in Federal Cybersecurity
(December 1, 2011)
An article in the December issue of Government Executive magazine,
delivered to government officials this morning, shines a bright light
on a GAO report that appears to be causing waste rather than promoting
efficiency in federal IT management and cybersecurity.  The report is
being used to slow the adoption of efficiency-improving technology,
thereby allowing waste, documented at more than $300 million each year,
to continue.   The GAO report evaluated a continuous security monitoring
implementation, but failed to compare the continuous monitoring approach
against the 3-year, annual or quarterly reporting that continuous
monitoring replaces. Instead GAO looked for areas in which continuous
monitoring can be expanded. By failing to make the key comparison, the
report became useful to people who profit from report writing, allowing
them to continue to make money writing reports instead of improving
operational security.
http://www.govexec.com/features/1211-01/1211-01adan1.htm

 --House Committee Passes Cyber Threat Info Sharing Legislation
(November 30 & December 1, 2011)
In a 17-1 vote, the House Intelligence Committee has approved the Cyber
Intelligence Sharing and Protection Act of 2011. The bill would
encourage cyber threat information sharing between the public and
private sectors. Under the proposed legislation, private companies would
be exempt from liability for sharing information with the government and
for failing to use the information to improve their networks' security.
Data sharing would not be required of companies, and they would be
permitted to choose which agencies they share information with. Critics
of the bill say it does not make provisions for protecting citizens'
privacy. Some of the bill's language has been modified to specify that
only data that have to do with cyber security and national security
could be shared.
http://www.bloomberg.com/news/2011-12-01/verizon-supported-cybersecurity-bill-advances-in-u-s-house.html
http://www.politico.com/news/stories/1211/69583.html
http://www.washingtonpost.com/world/national-security/cybersecurity-bill-promotes-exchange-of-data-white-house-civil-liberty-groups-fear-measure-could-harm-privacy-rights/2011/11/30/gIQAD3EPEO_story.html
http://gcn.com/articles/2011/12/01/cybersecurity-bill-info-sharing-no-privacy.aspx
[Editor's Note (Murray):  It is not simply liability that resists
sharing.  Sharing is fundamentally dangerous.  Too much of it makes
leaks inevitable.  When government asks the private sector why they do
not share, they use liability as an excuse; it is rude to say, "We do
not trust you because you leak."
(Honan): Data sharing initiatives look good on paper. However, such
initiatives have often failed because government agencies do not seem
to understand that sharing needs to go both ways.  Too often, information
shared by the private sector is seen not to be acted upon, with no
feedback given, and government agencies are not transparent enough
about how that information will be used.
(Ranum): "Sharing" only makes sense if the information flow is two
directional (otherwise it's called "information gathering" not
"information sharing") and if it's relevant - if there's something
practical that can be done with it. Historically, security alerts from
agency sources haven't been much more useful than "be on the lookout for
hacking attacks."  These sharing initiatives seem to amount to little
more than public relations.]


****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Massive Iranian Missile Explosion: Was it Stuxnet 2?
(November 18, 2011)
The massive explosion of the Sejil-2 ballistic missile at Iran's
Revolutionary Guards Alghadir base may be due to a technical fault
originating in the computer system controlling the missile and not the
missile itself. The head of Iran's ballistic missile program Maj. Gen.
Hassan Moghaddam was among the 36 officers killed in the blast which
rocked Tehran 46 kilometers away. (Tehran reported 17 deaths although
36 funerals took place.)
http://www.debka.com/article/21496/
Before and after photos of missile explosion.
http://isis-online.org/isis-reports/detail/satellite-image-showing-damage-from-november-12-2011-blast-at-military-base/
[Guest Editor's Note (Eric Bassell): Seems to me there is a third
plausible explanation for Iran's newest warhead exploding, one the
article does not cover: poor engineering by Iranian scientists,
resulting in an accidental discharge and premature explosion.]

 --U.S. Legislator Wants Answers About Carrier IQ
(December 1, 2011)
US Senator Al Franken (D-Minnesota) wants Carrier IQ to explain why its
diagnostic software does not violate the Electronic Communications
Privacy Act and the Computer Fraud and Abuse Act. In a letter to the
company, Senator Franken writes that "it appears that [the] software
captures a broad swath of extremely sensitive information from users
that would appear to have nothing to do with diagnostics." Carrier IQ's
software reportedly runs every time users turn on their smartphones and
logs most every action they take on the device, including phone numbers
dialed, contents of received text messages, contents of online search
queries, even when encrypted, and users' locations while using the
devices. The software is reportedly designed to help carriers learn what
problems users are having and which features of their phones are the
most popular.
http://www.theregister.co.uk/2011/12/01/al_franken_carrier_iq/
http://money.cnn.com/2011/12/01/technology/carrier_iq/index.htm
http://www.zdnet.com/blog/btl/carrier-iq-speaks-out-points-finger-at-networks-customers/64528
http://www.washingtonpost.com/blogs/faster-forward/post/today-in-tech-carrier-iq-draws-consumer-lawmaker-questions/2011/12/01/gIQAeewCIO_blog.html
http://www.wired.com/threatlevel/2011/12/carrier-iq-backlash/
[Editor's Note (Murray):  I really do not want to believe that the
carriers want to monetize everything that they know about us.  However,
it is difficult to avoid suspicion.  Kudos to Senator Franken.]

 --Windows Data Execution Prevention Could Have Helped Thwart RSA Hack
(December 1, 2011)
New research suggests that the attacks on RSA might have been prevented
if the targeted machines had been running Windows 7 instead of Windows
XP. The Data Execution Prevention (DEP) that is baked into Windows 7
could have stopped the initial compromise that led to the data breach.
The machines compromised in the attack appear to have been running XP
without DEP enabled.
http://www.informationweek.com/news/security/attacks/232200534
[Editor's Note (Ranum): Application whitelisting could have also helped
thwart the attack. So could attachment stripping. It's easy to be Monday
morning quarterbacks, isn't it?]
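An added example, not from the NewsBites item or from the research it cites: a PowerShell audit of the system-wide DEP policy on a Windows host, reporting the policy the OS enforces and flagging the OptIn default, which leaves most third-party applications (the document viewers that open spear-phishing attachments) unprotected. It assumes PowerShell 3 or later for Get-CimInstance; the function name is mine.

```powershell
# Added example (not from the newsletter): report the system-wide DEP policy.
# Win32_OperatingSystem exposes the policy as an integer code; the names below
# are Microsoft's documented meanings for that code.
function Get-DepPolicyReport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $policyNames = @{
        0 = 'AlwaysOff (DEP disabled for every process)'
        1 = 'AlwaysOn (DEP enforced for every process; no opt-out)'
        2 = 'OptIn (DEP only for Windows system binaries; client default)'
        3 = 'OptOut (DEP for every process except explicit exclusions)'
    }

    $code = [int]$os.DataExecutionPrevention_SupportPolicy

    # OptIn and AlwaysOff leave third-party user applications, the usual
    # attachment handlers, without DEP. OptOut or AlwaysOn is the target state.
    if ($code -in @(1, 3)) {
        $recommendation = 'OK: DEP applies to third-party applications'
    } else {
        $recommendation = 'Raise policy, e.g. "bcdedit /set nx OptOut" and reboot (needs admin)'
    }

    [pscustomobject]@{
        ComputerName         = $os.CSName
        OSVersion            = $os.Version
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        PolicyCode           = $code
        Policy               = $policyNames[$code]
        AppliesTo32Bit       = $os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
        Recommendation       = $recommendation
    }
}

# Usage: run on the host being audited; pipe to Export-Csv to collect fleet-wide.
Get-DepPolicyReport | Format-List
```

HardwareDepAvailable is false on CPUs without NX/XD support, where Windows can only apply software-enforced DEP to a subset of exception handling; such hosts need a separate mitigation plan.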

 --Cyber Criminals Using 1-2 Punch of ACH Fraud and DDoS
(November 30, 2011)
The FBI is warning that cyber criminals are using distributed
denial-of-service (DDoS) attacks against banks as a diversionary tactic
while simultaneously conducting phishing attacks that solicit sensitive
data that are then used in fraudulent ACH transactions. The attackers
are using a ZeuS variant known as Gameover. Spear phishing email
messages are sent to targets; they are doctored to appear to come from
the National Automated Clearing House Association (NACHA), informing the
recipient that a transfer was not completed. Once the fraudulent
transaction has been made, the group launches a DDoS against the bank's
site.
http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/
http://www.eweek.com/c/a/Security/Zeus-Criminals-Launch-DDoS-Attacks-to-Hide-Fraudulent-Wire-Transfers-139436/
http://7thspace.com/headlines/400763/fbi_denver_cyber_squad_advises_citizens_to_be_aware_of_a_new_phishing_campaign.html

 --Cyber Attacks on Canadian Government Systems Part of Broader Scheme
(November 30, 2011)
A cyber forensics expert says that the hackers responsible for attacks
on Canadian government computers also launched attacks on a number of
private sector companies. Daniel Tobok maintains that the attacks were
all aimed at gathering information about an attempted corporate
takeover.  Tobok was called in to investigate a number of intrusions;
he and his team began to see similarities between the incidents they
were investigating.
http://news.ca.msn.com/top-stories/foreign-hackers-targeted-canadian-firms-61?ocid=tweet

 --US Government Wants Details of Telecoms' Imported Network Components
(November 30, 2011)
The US government is asking telecommunications companies to provide
detailed information about their networks in an effort to determine if
China and other countries are using exported network equipment to
conduct espionage. The US Commerce Department has asked the companies
to list both foreign-made components of their networks and security
incidents. Congress's interest in this issue was prompted by "very
specific material provided them [by the National Security Agency] in a
classified setting."
http://www.bloomberg.com/news/2011-11-30/obama-invokes-cold-war-security-powers-to-unmask-chinese-telecom-spyware.html

 --Duqu Servers Wiped in October
(November 30, 2011)
Researchers at Kaspersky Labs say that those behind the Duqu Trojan have
wiped their command and control servers of digital evidence. The action
was taken on October 20, just days after news of the malware broke.
Kaspersky researchers did manage to gather information about the command
and control infrastructure; Duqu appears to have communicated with
servers in India, Belgium, Vietnam, the Netherlands, Germany, Singapore,
the UK, Switzerland, and South Korea.
http://www.eweek.com/c/a/Security/Duqu-Attackers-Wiped-All-Linux-CC-Servers-to-Cover-Tracks-475981/
http://www.computerworld.com/s/article/9222293/Duqu_hackers_scrub_evidence_from_command_servers_shut_down_spying_op?taxonomyId=82

 --US Cyber Command Conducts Week-Long Cyber Exercise
(November 30, 2011)
Three hundred people participated in Cyber Flag, the US Cyber Command's
first major exercise. The event took place at the Air Force Red Flag
Facility at Nellis Air Force Base in Nevada. The US Cyber Command is
part of the US Strategic Command and became operational last September.
http://www.informationweek.com/news/government/security/232200508

 --HP Refutes Claim That Printer Flaw Could Be Exploited to Cause Fire
(November 29 & 30, 2011)
Hewlett-Packard acknowledges that there is a vulnerability in some of
its LaserJet printers, but says that the claim made by those who
disclosed the flaw that it could be exploited to set the machines on
fire is untrue. A hardware component of HP printers called the thermal
breaker would prevent the overheating the researchers said could start
the fire. The researchers claim that the flaw could also be exploited
to steal documents and take control of networks. The essence of the
problem lies in the fact that the vulnerable printers do not validate
the origin of remote firmware updates.
http://www.scmagazineus.com/hp-says-security-flaw-is-real-but-flames-are-unlikely/article/217911/
http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say
http://www.theregister.co.uk/2011/11/30/hp_probes_fire_started_printer_vuln/
[Editor's Note (Murray): Responsible "security researchers" do not
engage in hype to draw attention to their findings.  "One must decide
to be part of the problem or part of the solution."  One cannot have it
both ways.]

 --Finnish IT Services Provider Computer Failure Affects Swedish Organizations
(November 29, 2011)
A massive computer failure has disrupted service for at least 50 Swedish
clients of Finnish IT supplier Tieto. The outage affects local
governments, state agencies, banks and a major pharmacy. Tieto has not
said when the problem will be fixed.
http://www.stockholmnews.com/more.aspx?NID=8105
http://spectrum.ieee.org/riskfactor/computing/it/one-major-it-problem-in-pennsylvania-fixed-another-in-sweden-goes-on

 --French IT CEO Aims to Ban eMail Within His Company
(November 28, 30 & December 1, 2011)
Thierry Breton, CEO of French IT company Atos SA, has said that he wants
to stop using email within his company. Instead, Breton wants his
employees to communicate through collaborative social media.  Breton
hopes to eliminate the use of email within his company completely by
spring of 2013. He says that email is a waste of time, and that just 10
percent of the emails his employees receive are actually important.
http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html
http://news.cnet.com/8301-17852_3-57333849-71/au-revoir-e-mail-and-this-from-an-it-boss/
http://www.forbes.com/sites/tykiisel/2011/11/30/ceo-bans-email/
http://www.theatlantic.com/business/archive/2011/12/the-case-for-banning-email-at-work/249252/

 --Malls Back Away From Cell Phone Tracking Technology
(November 28, 2011)
Two US shopping malls have abandoned plans to track shoppers' locations
using their cell phones. Senator Charles Schumer (D-New York) contacted
the malls, voicing his concerns that the practice violates citizens'
privacy. Schumer says consumers should be offered the choice to opt in
to being tracked by the FootPath technology, but that they should not
have to surrender their privacy rights when they walk into a store or a
mall. The technology's developers say people can opt out by turning off
their cell phones.
http://thehill.com/blogs/hillicon-valley/technology/195649-schumer-warns-that-malls-may-track-shoppers-movements
http://money.cnn.com/2011/11/28/news/economy/malls_track_shoppers_cell_phones/
http://www.washingtonpost.com/business/economy/the-malls-are-watching/2011/11/30/gIQAP6B1GO_story.html
[Editor's Note (Murray): If your application cannot succeed if "Opt-in"
is the rule, find another line of work.  It is disingenuous to suggest
that people should turn off their cell phones to "opt out" of your
application.
(Northcutt): What could possibly go wrong with yet another system for
tracking people's locations? My guess is that within a year or two
someone will be killed because the stalker was able to access their cell
phone location. Sound impossible? How many hundreds of Apps monitor our
location from our cell phones? A lot. It is just a matter of time until
someone puts up a "Where's Waldo Website".]

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in
independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National
Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa).  He is leading SANS' global initiative to improve
application security.

David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

