[Netsec] SANS NewsBites Vol. 13 Num. 102 : SCADA Security back in the news
- From: The SANS Institute
- Date: Wed Dec 28 11:33:48 2011
SCADA Security is back in the news with DHS's announcement this week of
Siemens' system vulnerabilities. The key issue is not what
vulnerabilities exist, but what to do first to ensure power systems and
other critical infrastructures are defensible. Substantially all the key
players from industry and government are meeting in Orlando at the end
of January to review progress on that question and to launch at least
one and possibly two important new initiatives that may reshape
cybersecurity in the power industry and in other elements of the
critical infrastructure. Hotel and registration information at:
SANS NewsBites December 27, 2011 Vol. 13, Num. 102
DHS ICS-CERT Warns of SCADA Flaws in Siemens Products
Mobile Phone Security Needs Improvement
Hacktivists Expose Those Who Censor and Conduct and Aid Surveillance
Anonymous Targets Think Tank
Indian Court Orders Internet Companies to Remove Objectionable Content
HP Firmware Update Addresses LaserJet Printer Vulnerability
GoDaddy Backs Off SOPA Support
Closing Arguments in Manning Hearing
Koobface Operators Refine Botnet to Maximize Pay-Per-Click Revenue
Chinese Computer Users Experience Large Data Breach
--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen
Testing: Current Threats and Methods; and Helping Small Businesses
--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012
Gain the most current information regarding SCADA and Control System
threats and learn how to best prepare to defend against them. Hear
what works and what doesn't from peer organizations. Network with top
individuals in the field of SCADA security. Return from the summit
with solutions that you can immediately put to use in your
Pre-Summit courses: January 21-25, 2012
Summit: January 26-27, 2012
Post-Summit Courses: January 28-29, 2012
--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses. Bonus evening presentations include Who Do You Trust? SSL
and TLS Under Attack; and IOS Programming Demo.
--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012
7 courses. Bonus evening presentations include Desktop Betrayal:
Exploiting Clients Through the Features They Demand; and Windows
Exploratory Surgery with Process Hacker.
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012
--SANS 2012, Orlando, FL March 23-39, 2012
42 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click is all It Takes ...; Evolving Threats; and
Windows Exploratory Surgery with Process Hacker.
--Looking for training in your own community?
http://sans.org/community/ Save on On-Demand training (30 full
courses) - See samples at
Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
NEWS OF THE WEEK
--DHS ICS-CERT Warns of SCADA Flaws in Siemens Products
(December 22 & 23, 2011)
The US Department of Homeland Security's (DHS) Industrial Control
Systems Computer Emergency Response Team (ICS-CERT) has issued an
advisory warning of vulnerabilities in certain Siemens Supervisory
Control and Data Acquisition (SCADA) systems that could be exploited to
gain access to vulnerable systems with user or administrator privileges.
Siemens is developing fixes for the flaws and plans to release an update
--Mobile Phone Security Needs Improvement
(December 27, 2011)
Research scheduled to be presented at a Chaos Computer Club convention
later this week indicates that mobile network security is nowhere near
as robust as it should be, especially given recent events involving
certain British journalists. A study of mobile operators in Morocco,
Thailand, and Europe found that most provided weak or non-existent
protection from unauthorized surveillance and identity theft. Armed with
a seven-year-old mobile phone and free decryption software, the person
who will be making the presentation found that he was able to access
conversations and text messages and spoof account identities. At least
one of the vulnerabilities that allowed him to intercept voice and data
could be addressed with the application of an available patch.
--Hacktivists Expose Those Who Censor and Conduct and Aid Surveillance
(December 26, 2011)
In August 2011, an international group of hackers known as Telecomix
exploited vulnerabilities in a variety of devices to display warnings
to people in Syria that their online activity was being monitored.
During that event, one of the members noticed an FTP server
containing logs of surveillance data that were gathered using an
appliance made by an American company. Telecomix published 54 gigabytes
of the logs, and the company, California-based Blue Coat Systems, has
been forced to admit that its technology is being used in Syria, a
violation of international sanctions imposed against the country.
Telecomix had its genesis at a 2009 conference in Gothenburg, Sweden;
it was formed in reaction to European Union laws that would have severed
Internet connections of habitual copyright violators. Telecomix also
helped people in Egypt get Internet access after Mubarak shut down all
Internet service providers (ISPs) in that country but one.
--Anonymous Targets Think Tank
(December 23, 25 & 26, 2011)
The hacking group known as Anonymous has struck again, this time
infiltrating computers at the US security intelligence think tank
Strategic Forecasting, which is known as Stratfor. The attack focused
on the company's database and reportedly netted the group 200 gigabytes
of data, including client lists and as many as 90,000 credit card
numbers, which were unencrypted. Some information that the attackers
claim to have pilfered from Stratfor computers has been posted to
Pastebin. Stratfor's website was down as of Monday morning; visitors
were greeted with a page telling them that the site was undergoing
maintenance. Stratfor has acknowledged the breach and has warned clients
of possible data compromise. The company says that the breach affected
information about clients who had purchased its subscription-based
publications, but did not access any more detailed information. There
have also been statements made that question Anonymous's connection to
--Indian Court Orders Internet Companies to Remove Objectionable Content
(December 24 & 26, 2011)
An Indian court has ordered nearly two dozen Internet companies to
remove content it finds objectionable. Indian Minister for
Communications Kapil Sibal wants the companies to develop a system to
make sure that similar content does not appear online in the future.
Critics of the order, which was the result of a private complaint, say
that the government is seeking to suppress content that criticizes
Indian politicians. The Internet companies, which include Google and
Facebook, have until February 6, 2012, to comply with the order. The
country's Information Technology Act gives Internet service providers
and other similar entities 36 hours to comply with content takedown
orders after being notified of the content's presence.
[Editor's Note (Murray): Making the ISPs responsible for content, even
at the margins, will break the model on which the Internet is based.
States that try to do this will find themselves increasingly isolated.]
--HP Firmware Update Addresses LaserJet Printer Vulnerability
(December 23 & 24, 2011)
Hewlett-Packard has released a firmware update for its LaserJet printers
to "mitigate" a vulnerability that could allow unauthorized access to
the devices. No attacks have been reported. HP recommends that users
place the printers behind firewalls and that remote firmware uploading
be disabled on exposed devices. The update comes in response to a
disclosure from researchers that some HP LaserJet printers failed to
verify software upgrades within remote firmware updates. The researchers
demonstrated that the flaw could be exploited to take control of the
[Editor's Note (Murray): Unlike PCs or mobiles, printers and PLCs are
not routinely patched. HP recommends that these devices be operated
behind firewalls, i.e., only on private networks. We do not want the
public networks to be either balkanized or perfectly flat. Striking the
difficult balance is called "security"; it is what we are paid for.]
--GoDaddy Backs Off SOPA Support
(December 22 & 23, 2011)
A boycott of domain registrar GoDaddy has had the desired effect of
causing the company to withdraw its support of the US House of
Representatives' Stop Online Piracy Act (SOPA). GoDaddy was the only
domain registrar whose name appeared on a list of companies that
supported the legislation, which has been decried as over-reaching,
uninformed about the repercussions of technical aspects involved, and
being pushed forward too hastily. On Friday, December 23, GoDaddy issued
a statement saying that the effort to stop online piracy is an important
endeavor, "but clearly we can do better [than SOPA]. ... Getting it
right is worth the wait. GoDaddy will support it when and if the
Internet community supports it."
--Closing Arguments in Manning Hearing
(December 22 & 23, 2011)
The US government made its closing statement in a hearing that will
decide whether Pfc Bradley Manning will face a court-martial. The
hour-long statement contained new exhibits, including excerpts of chat
logs between Manning and Julian Assange. In one, Manning appears to ask
Assange for help cracking a password that would allow him anonymous
access to SIPRnet. Manning's attorney said in his closing arguments that
the seriousness of the leaks was being exaggerated and that his client
was a disturbed young man. Government attorneys said they have real-time
records of Manning's SIPRnet searches and evidence that he uploaded
documents to WikiLeaks. It may be several months before Manning learns
what charges, if any, he will face. The Article 32 hearing is similar
to a civilian grand jury hearing, but it is open rather than closed and
the defense is allowed to cross-examine witnesses and present witnesses
and evidence of its own.
--Koobface Operators Refine Botnet to Maximize Pay-Per-Click Revenue
(December 23, 2011)
The Koobface botnet has been updated to exploit pay-per-click
advertising to make money for its operators with a traffic direction
system (TDS). Koobface now directs Internet traffic through other sites
to generate revenue. The TDS appears to be available to others as well.
Koobface has been around since at least December 2008.
--Chinese Computer Users Experience Large Data Breach
(December 24, 2011)
Hackers appear to have leaked the personal information of millions of
computer users in China. More than six million users of the China
Software Developer Network had their user IDs, passwords, and email
addresses exposed in clear text. In addition, an undetermined number of
subscribers to various websites, including gaming and social networking
sites, had their personal information compromised as well. The total
number of accounts reported to be affected has been estimated at 50
million, but the figure has not been verified.
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and is President of
STI, The Premier Skills-Based Cyber Security Graduate School,
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of InGuardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Rohit Dhamankar is a security professional currently involved in
independent security research.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Ron Dick directed the National Infrastructure Protection Center (NIPC)
at the FBI and served as President of the InfraGard National Members
Alliance - with more than 22,000 members.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
Clint Kreitner is the founding President and CEO of The Center for
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit