SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #74
September 17, 2010
That STUXNET worm matters (see the first story and editors' comments). How the power industry and its control systems vendors deal with this huge change in the threat will be a central topic at the multi-national SCADA Security Summit in London in a few weeks (http://www.sans.org/eu-scada-security-summit-2010/).
If you have anything to do with advanced attack techniques or cyber security protection of the critical infrastructure, it's probably worth a trip to London.
Alan
TOP OF THE NEWS
Stuxnet is More Sophisticated Than First Thought
U.S. Cyber Strategy Still A Bit Mushy
New Patterns in Attacks Are Actually Old Patterns
THE REST OF THE WEEK'S NEWS
Apple Patches QuickTime for Windows
Google Engineer Fired for Violating Internal Privacy Policies
Microsoft Fixes 11 Vulnerabilities
Microsoft Releases IE 9 Beta
Google Updates Chrome
Mozilla Issues Update to Address Firefox Stability Issue
Report Calls for National Database for Voting Machine Problems
Haystack Privacy Tool Disabled Over Security Concerns
UK ISPs Object to Sharing Cost of Fighting Internet Piracy
*********************** Sponsored By SANS ***************************
The #1 reason that the smart control systems engineers and IT security people in the critical infrastructure are attending the 2010 European SCADA and Control Systems Security Summit is STUXNET. This is their first chance to hear from the key government and industry analysts on why it worked and what can be done about it. Users of ABB, GE, Siemens, and Rockwell control systems will be in on the ground floor of a coordinated plan for dealing with both of the two most virulent cyber threats facing your systems. And if you use any other control systems, you'll come home with a game plan you can discuss with your vendor. http://www.sans.org/info/64793
*********************************************************************
TRAINING UPDATE New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10):
http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 41 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/
-- SOS: SANS October Singapore, October 4-11, 2010. 5 courses
http://www.sans.org/singapore-sos-2010/
-- SANS Chicago 2010, Skokie, Illinois, October 25-30, 2010. 6 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security and Examining the Global Underground of Malicious Actors
http://www.sans.org/chicago-2010/night.php
-- SANS San Francisco 2010, November 5-12, 2010. 7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
http://www.sans.org/san-francisco-2010/
-- SANS London 2010, November 27-December 6, 2010. 14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
http://www.sans.org/london-2010/
-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010. 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/cyber-defense-initiative-2010/
-- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus London, Dubai, Geneva, Bangalore, San Antonio and Sydney all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ********************************************************
TOP OF THE NEWS
Stuxnet is "Groundbreaking" Malware (September 14 & 16, 2010)
The Stuxnet worm, which targets certain supervisory control and data acquisition (SCADA) software made by Siemens, has infected at least 14 Windows Control Center (WinCC) systems in the US, UK, South Korea and Iran. The malware, which has been dubbed the first known rootkit for SCADA systems, is capable of replacing blocks of Programmable Logic Controller (PLC) code. Described as "groundbreaking," Stuxnet was first detected in June 2010 and was found to be exploiting a flaw in the way Windows handles shortcut files, for which Microsoft issued an out-of-cycle patch in August. Researchers have now discovered that Stuxnet exploits four zero-day vulnerabilities in Windows, including a vulnerability in the Print Spooler Service that Microsoft patched this week and two elevation of privilege (EoP) flaws that will be fixed at a later date. Stuxnet also exploits a known vulnerability for which Microsoft issued a patch in 2008; it is the same flaw that was exploited by Conficker. Researchers believe that although Stuxnet was detected earlier this year, it may have been infecting systems as far back as July 2009. The malware's sophistication has led to speculation that it was developed by professionals with state backing.
-http://krebsonsecurity.com/2010/09/stuxnet-worm-far-more-sophisticated-than-previously-thought/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
-http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_?taxonomyId=82
-http://www.h-online.com/security/news/item/Stuxnet-worm-can-control-industrial-systems-1080751.html
-http://www.csoonline.com/article/614064/siemens-stuxnet-worm-hit-industrial-systemss
-http://www.zdnet.co.uk/news/security-threats/2010/09/16/siemens-stuxnet-infected-14-industrial-plants-40090140/
[Editor's Note (Pescatore): Just as we learned years ago in the crypto world that governments and government agencies do *not* have a monopoly on crypto talent, the same is true with malware development. It is a mistake to think that sophisticated malware means government sponsorship -- the talent pool putting together financially motivated targeted attacks for cybercrime has been leading the way for a long time.
(Northcutt): I saw my first virus on a SCADA system in 1996, found it simply by installing Norton on the host system. The key problem here is not that Stuxnet is ultra sophisticated, though you have to give points to any multiple vector, multi-zero day infector malware. The huge problem is that the life of these worms is measured in years. Stuxnet will keep coming, keep trying to spread and continue to burrow into control systems. Here is a pointer to a Mandiant talk; while it is a couple of years old, it lays the groundwork for the size of the problem, which includes the initial infections, anti-forensics, malware persistence and the successful establishment and maintenance of command and control channels:
-http://files.sans.org/summit/forensics08/PDFs/Mandiant.TacticalPanel.pdf ]
U.S. Cyber Strategy Still A Bit Mushy (September 17, 2010)
More than a year after the President labeled protection of computer networks a national priority, senior leaders are still uncertain what actions to take to secure government and commercial computers and networks. Jim Lewis of the Center for Strategic and International Studies described the challenge, "You've got a lot of agreement on what the problem is but very little agreement on the solution, both within the government and outside." On the other hand, there is some forward movement. A proposal from the White House for voluntary cyber identity credentials is gaining support and significant progress is being made in the commercial and government adoption of the new standards (S-CAP - Security Content Automation Protocols) that enable continuous monitoring to be "applied across the government and beyond," according to Philip Reitinger, deputy undersecretary of the National Protection and Programs Directorate at DHS. This is an essential first step toward Mr. Reitinger's goal of "build[ing] out a fundamentally more secure ecosystem that can be adopted by the private sector as well."
-http://www.washingtonpost.com/wp-dyn/content/article/2010/09/16/AR2010091606745.html
New Patterns in Attacks Are Gaining Sophistication (September 16, 2010)
A new analysis of data, using actual attacks and unpatched vulnerabilities from tens of thousands of companies, was just published jointly by TippingPoint (HP), Qualys, and the SANS Internet Storm Center. The report describes attacks on Adobe PDF vulnerabilities that used 10 different cross-referenced streams to hide from AV and IPS tools. The report also documents new challenges exploiting the increased consumerization of enterprise computing, prolonged and persistent targeting of web applications, and unrelenting legacy threats.
-http://www.networkworld.com/community/node/66361
The full report is posted at
-http://dvlabs.tippingpoint.com/toprisks2010
************************** Sponsored Link: *******************************
1) REGISTER NOW! Special Webcast with Vikram Phatak, CTO of NSS Labs: IPS in the Real World: Stopping the Latest Threats Without Sacrificing Performance http://www.sans.org/info/64798
2) Hear Lance Spitzner's Security Awareness talk vLive on Wednesday October 20, 2010 at 1:00 EDT. http://www.sans.org/info/64803
****************************************************************************
THE REST OF THE WEEK'S NEWS
Apple Patches QuickTime for Windows (September 16, 2010)
Apple has issued a patch for a critical flaw in QuickTime that could be exploited to hijack Microsoft Windows XP, Vista or Windows 7 systems running Internet Explorer with the QuickTime ActiveX control. The company was notified of the vulnerability in June through a bug bounty program. The update, QuickTime 7.6.8, also addresses the DLL load hijacking bug. The update is for Windows versions of QuickTime only.
-http://www.csoonline.com/article/614963/apple-patches-months-old-quicktime-bugs?source=rss_news
-http://www.h-online.com/security/news/item/Apple-closes-back-door-in-QuickTime-7-1080472.html
-http://www.scmagazineus.com/apple-patches-zero-day-quicktime-flaw-with-768-release/article/178987/
Google Engineer Fired for Violating Internal Privacy Policies (September 15, 2010)
Google has acknowledged that it fired an employee in July for allegedly accessing user accounts without authorization. David Barksdale, a Site Reliability Engineer, allegedly accessed Gmail and Google Voice accounts of at least four minors. There are no allegations of sexual misconduct; it appears Barksdale was attempting to "impress [the teenagers] with his level of access and power." According to a statement from Google senior vice president of engineering Bill Coughran, Google is "significantly increasing" log auditing to make sure privacy policies are being followed. Law enforcement authorities were not contacted about the incidents because one of the families has asked to remain anonymous. Barksdale is not the first Google engineer who was fired for privacy policy violations.
-http://www.theregister.co.uk/2010/09/15/google_dismisses_employee_for_violating_internal_privacy_policies/
-http://www.cnn.com/2010/TECH/web/09/15/google.privacy.firing/index.html
-http://technolog.msnbc.msn.com/_news/2010/09/15/5116575-google-had-at-least-two-creepy-stalker-engineers
-http://www.wired.com/threatlevel/2010/09/google-spy/
[Editor's Note (Pescatore): Obviously this same type of abuse of administrative access happens at individual companies. However, when it happens at service providers the impact is much greater. Cloud service providers need to have much higher levels of super user privilege management processes and controls than their customers do. ]
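The log auditing Google says it is increasing, and the super user privilege management Pescatore calls for, come down to one routine check: every privileged read of a customer's data must be traceable to an approved justification, and engineers who keep reading accounts without one must surface quickly. The script below is an added illustration of that check, not code from Google or from this newsletter. The log format, the ticket register and the sample log lines are all constructed for the example; a real deployment would read its own access logs and ticketing system.

```python
"""
Added example (not from SANS NewsBites or from Google): review privileged
access logs and flag reads of user data that are not tied to an approved
support ticket for that account. Everything below (log format, ticket
register, sample lines) is constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format:
#   <timestamp> admin=<engineer> action=<action> target=<account> [ticket=<id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+)(?: ticket=(?P<ticket>\S+))?$"
)

# Actions that expose a user's content and therefore require justification.
# Routine account maintenance (password resets, quota changes) is not in this set.
SENSITIVE_ACTIONS = {"read_mail", "read_contacts", "read_voice_log"}


@dataclass(frozen=True)
class Finding:
    ts: str
    admin: str
    action: str
    target: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines, approved_tickets):
    """Flag every sensitive access that lacks a valid ticket for the target account.

    approved_tickets maps a ticket id to the single account that ticket authorises,
    so a ticket opened for one user cannot be reused to read another user's data.
    Unparseable lines are flagged too: gaps in an audit trail are themselves a finding.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding("?", "?", "?", "?", "unparseable log line"))
            continue
        if rec["action"] not in SENSITIVE_ACTIONS:
            continue
        ticket = rec["ticket"]
        if ticket is None:
            reason = "no ticket reference"
        elif ticket not in approved_tickets:
            reason = "unknown ticket"
        elif approved_tickets[ticket] != rec["target"]:
            reason = "ticket authorises a different account"
        else:
            continue  # justified access: nothing to report
        findings.append(Finding(rec["ts"], rec["admin"], rec["action"], rec["target"], reason))
    return findings


def repeat_offenders(findings, threshold=2):
    """Engineers with at least `threshold` unjustified accesses, sorted by name."""
    counts = Counter(f.admin for f in findings if f.admin != "?")
    return sorted(admin for admin, n in counts.items() if n >= threshold)


# Constructed sample data: two approved tickets and six log lines.
APPROVED = {"T-101": "user_a", "T-102": "user_b"}
SAMPLE_LOG = [
    "2010-07-01T10:00:00Z admin=eng1 action=read_mail target=user_a ticket=T-101",
    "2010-07-01T10:05:00Z admin=eng2 action=read_mail target=user_c",
    "2010-07-01T10:07:00Z admin=eng2 action=read_voice_log target=user_d ticket=T-999",
    "2010-07-01T10:09:00Z admin=eng1 action=reset_password target=user_b ticket=T-102",
    "2010-07-01T10:12:00Z admin=eng3 action=read_contacts target=user_c ticket=T-102",
    "2010-07-02T09:00:00Z admin=eng2 action=read_contacts target=user_c",
]

if __name__ == "__main__":
    results = review(SAMPLE_LOG, APPROVED)
    for f in results:
        print(f"{f.ts} {f.admin} {f.action} {f.target}: {f.reason}")
    print("escalate:", repeat_offenders(results))
```

The design point is that the ticket register, not the engineer, decides whether an access is justified, and that the check is per account: a ticket for one user never covers a read of another user's mailbox. Run against the constructed sample it reports four findings, three of them by the same engineer, which is the pattern a privacy review would escalate.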
Microsoft Fixes 11 Vulnerabilities (September 14 & 15, 2010)
Microsoft's scheduled security update for September addresses 11 vulnerabilities in Microsoft Windows, Microsoft Office and Microsoft Internet Information Services (IIS). One of the critical vulnerabilities fixed (MS10-061) is a zero-day in the Print Spooler Service that is part of the Stuxnet arsenal. Other critical flaws addressed by the patches involve the MPEG-4 codec (MS10-062), the Unicode script processor, and Outlook.
-http://www.computerworld.com/s/article/9185499/Microsoft_patches_new_Windows_bug_exploited_by_Stuxnet?taxonomyId=85
-http://www.theregister.co.uk/2010/09/14/microsoft_september_patch_tuesday/
-http://www.h-online.com/security/news/item/Patch-Tuesday-Microsoft-closes-worm-holes-1079286.html
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227400369
Microsoft Releases IE 9 Beta (September 16, 2010)
Microsoft has released a beta version of Internet Explorer 9 (IE 9) along with the statement that "improvements to Internet Explorer are as much about what you don't see as what you do see." Among the new features is a download manager that alerts users when files they download from the internet may be malicious. In IE 9, the Download Manager is integrated with the SmartScreen URL filter, which is present in IE 8. IE 9 beta is not compatible with Windows XP SP3.
-http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=227500062&cid=RSSfeed_DR_News
-http://www.eweek.com/c/a/Windows/Microsofts-Internet-Explorer-9-Continues-Company-Cloud-Strategy-614805/
-http://www.scmagazineuk.com/microsoft-releases-internet-explorer-9-browser-with-pared-down-features-and-improved-speed-and-performance/article/178996/
[Editor's Note (Schultz): Microsoft's efforts with respect to security in IE are admirable--every version of IE seems to get better from a security perspective. ]
Google Updates Chrome (September 15, 2010)
Google has updated Chrome to version 6.0.472.59 for Windows, Mac OS X and Linux. The updated version of the browser fixes 10 security flaws, six of which developers have rated high priority. One of the flaws, which affects only Mac OS X versions of Chrome, was rated critical. Chrome is also affected by the recently disclosed Flash Player vulnerability because the plug-in is activated by default within the browser. Users can protect themselves against attacks by disabling Flash Player until Adobe issues a fix for the problem.
-http://www.h-online.com/security/news/item/Google-closes-10-holes-in-Chrome-6-1079569.html
Mozilla Issues Update to Address Firefox Stability Issue (September 14, 15 & 16, 2010)
Mozilla temporarily stopped serving Firefox updates while the company investigated reports that a bug in the most recent update had been causing crashes. The company has issued new versions of the browser (3.6.10 and 3.5.15) to address the stability issue that was causing the crashes. Firefox 3.6.9, which was released on September 7, was causing crashes on start-up on some systems.
-http://www.theregister.co.uk/2010/09/16/firefox_update_fixes_blocker_bug/
-http://www.computerworld.com/s/article/9185398/Mozilla_halts_Firefox_security_updates?taxonomyId=85
-http://www.theregister.co.uk/2010/09/15/moz_suspends_firefox_updates/
-http://news.cnet.com/8301-30685_3-20016631-264.html
-http://www.mozilla.com/en-US/firefox/3.6.10/releasenotes/
Report Calls for National Database for Voting Machine Problems (September 15, 2010)
A report from the Brennan Center for Justice calls on the US government to establish a public clearinghouse for electronic voting machine issues. The report cites several instances in which election officials in one state experienced trouble with voting machines only to discover that election officials elsewhere in the country had experienced the same problems at an earlier date. The report calls for establishing a publicly searchable database of voting machine issues; requiring the machines' vendors to report problems to the database; and granting a federal agency the authority to investigate voting machine issues and to enforce the requirements.
-http://www.wired.com/threatlevel/2010/09/voting-machine-database/
-http://www.brennancenter.org/content/resource/voting_system_failures_a_database_solution
Haystack Privacy Tool Disabled Over Security Concerns (September 14 & 15, 2010)
A software tool designed to help Iranian activists evade government surveillance and censorship online has been disabled due to concerns that the tool, known as Haystack, could reveal users' identities. Haystack encrypts users' traffic and hides it among other packets to avoid being detected by government censors. Flaws discovered in the tool's code could be used by authorities to identify users. The tool's developer maintained that it was in limited and controlled distribution, but other researchers found that it was readily available for download. The developers have asked people with copies of Haystack to destroy them. The software's lead developer has resigned; those who remain with the company say they will have the code reviewed by third-party auditors and release it as open source.
-http://www.wired.com/threatlevel/2010/09/haystack/
-http://www.theregister.co.uk/2010/09/14/haystack_privacy_debacle/
-http://www.bbc.co.uk/news/technology-11298022s
-http://www.h-online.com/security/news/item/Critical-bugs-stop-Haystack-anti-censorship-project-Update-1078540.html
-http://news.cnet.com/8301-1009_3-20016585-83.html?tag=nl.e757
[Editor's Note (Schultz): Anyone who has read the best-selling book _A Time to Betray_ will quickly realize the value of a tool with Haystack's functionality. ]
UK ISPs Object to Sharing Cost of Fighting Internet Piracy (September 14, 2010)
The UK government says that holders of copyrights will shoulder three-quarters of the costs associated with tracking down and stopping Internet piracy. Internet service providers will bear the remaining 25 percent of the costs. The current system in the UK, as established in the Digital Economy Act, involves sending letters to habitual copyright violators; if the users do not stop their actions, they are threatened with a series of graduated measures, including slowing down or even temporarily cutting off Internet service. Users who appeal the notifications will not be charged fees. The ISPA, which represents ISPs in the UK, voiced its disappointment that members would have to bear any of the cost associated with the rules put in place by the Digital Economy Act. The legislation was pushed through hastily near the close of the last Parliament.
-http://www.bbc.co.uk/news/technology-11297033
-http://www.ispreview.co.uk/story/2010/09/14/uk-isps-react-angrily-to-government-decision-over-internet-piracy-cost-sharing.html
-http://www.telegraph.co.uk/technology/internet/8001996/Rights-holders-to-bear-majority-of-Digital-Economy-Act-piracy-costs.html
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer at the North American Energy Reliability Commission (NERC).
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/