
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIII - Issue #84

October 21, 2011

TOP OF THE NEWS

Weatherford Appointed Deputy Undersecretary for Cybersecurity
Administration and Legislators Agree to Make Cyber Security Legislation a Priority
DHS Posts Bulletin Assessing Threat to Control Systems Posted by Anonymous

THE REST OF THE WEEK'S NEWS

Adobe Working on Fix for Clickjacking Flaw
Oracle Releases Security Updates
State Dept. Officer's Security Clearance Suspended for Posting Links to WikiLeaks Docs
Former Employee Says Data Exposure Flaw Existed For Years
Trojan Variant Disables Mac Anti-Malware
Extension to Stuxnet Detected
Google Increasing Secure Browsing
SSA Fails to Disclose Data Breach


************************ Sponsored By Fluke Networks ************************

Now Available ONDEMAND, SANS Ask The Expert Webcast: How Attackers Exploit Modern, Secure Wireless Networks FEATURING: Joshua Wright and Jesse Frankel. Please go to: http://www.sans.org/info/89129

**************************************************************************

TRAINING UPDATE

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Pre-Summit Courses November 26-30, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011 17 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*********************************************************************************

TOP OF THE NEWS

Weatherford Appointed Deputy Undersecretary for Cybersecurity (October 20, 2011)

Department of Homeland Security (DHS) secretary Janet Napolitano has appointed Mark Weatherford Deputy Undersecretary for Cybersecurity for the National Protection and Programs Directorate (NPPD). Weatherford was most recently VP and chief security officer of the North American Electric Reliability Corporation (NERC). Prior to joining NERC, Weatherford was the first chief information security officer for the State of California's office of information security after doing the same job for the State of Colorado, where he helped establish the state's first cyber security program. Earlier in his career, Weatherford was a U.S. Navy Cryptologic Officer and he led the Navy's computer network defense operations and the Naval Computer Incident Response Team. Weatherford was awarded SC Magazine's "CSO of the Year" award for 2010. He will start work at NPPD in mid-November.
-http://www.informationweek.com/news/government/security/231901310
-http://www.govinfosecurity.com/articles.php?art_id=4173
-http://www.politico.com/news/stories/1011/66448.html
-http://blog.dhs.gov/2011/10/secretary-napolitano-appoints-mark.html
[Editor's Note (Murray): Imagine. An appointment based upon demonstrated leadership. How refreshing. (Liston): Congratulations, Mark! ]

Administration and Legislators Agree to Make Cyber Security Legislation a Priority (October 20, 2011)

White House officials held a classified briefing with bipartisan leaders of Senate committees with jurisdiction over cyber security to urge the prompt passage of comprehensive cyber security legislation this year. Representatives from the FBI, Department of Homeland Security, the National Security Agency, and the Pentagon also attended the briefing. The administration made cyber security legislation recommendations in May, but efforts have stalled due to the lack of coordination between legislative committees and the agencies involved. Of particular concern is defining the government's authority to require private companies that are part of the country's critical infrastructure to comply with government established cyber security standards.
-http://thehill.com/blogs/hillicon-valley/technology/188837-classified-meeting-stresses-urgency-of-cybersecurity-legislation
-http://www.reuters.com/article/2011/10/21/us-usa-cyber-senate-idUSTRE79K03H20111021


[Editor's Note (Murray): When the government leaks like a sieve, as it too often does, it is destroying public trust and comfort. Before government puts requirements on the private sector, it should demonstrate that those same measures applied to government would work. Lead by example, not coercion. Security choices are difficult. The government needs to demonstrate competence at it, before government tries to make risk decisions for the private sector. ]

DHS Posts Bulletin Assessing Threat to Control Systems Posted by Anonymous (October 17 & 18, 2011)

The DHS has issued a bulletin that says the hacking collective Anonymous may be interested in targeting industrial control systems. The bulletin provides an assessment of the ability of Anonymous to cause damage at organizations that comprise critical infrastructure, such as power stations and water treatment plants. While Anonymous has called on members to target these organizations, the DHS report says that at this point, Anonymous has neither the necessary skills nor the structured leadership that a concerted attack would require. The report goes on to say that "Anonymous' increased interest may indicate intent to develop an offensive industrial control system capability in the future."
-http://www.theregister.co.uk/2011/10/18/anonymous_threatens_scada/
-http://www.wired.com/threatlevel/2011/10/hacking-industrial-systems/
-http://www.computerworld.com/s/article/9220951/DHS_issues_warning_that_Anonymous_may_attack_infrastructure?taxonomyId=82
-http://www.informationweek.com/news/security/vulnerabilities/231901046
-http://www.wired.com/images_blogs/threatlevel/2011/10/NCCIC-AnonymousICS.pdf


*********************** SPONSORED LINK: **********************************

1) ECAT Enterprise Malware Threat Detection finds what AV misses - see the video here http://www.sans.org/info/89134 ECAT: Signature-less detection of APT

****************************************************************************

THE REST OF THE WEEK'S NEWS

Adobe Working on Fix for Clickjacking Flaw (October 19 & 20, 2011)

Adobe is working to develop a fix for security flaws in the Flash Player Settings Manager that could allow web site operators to spy on users through their webcams and microphones. The problem is a server-side flaw, which means users do not have to update their systems. The proof-of-concept exploit uses clickjacking techniques with iFrames to trick users into clicking buttons that grant access to the webcam and microphone. Although Adobe was aware of the problem earlier and altered the Flash Player Settings Manager page to prevent it from being loaded into an iFrame, the author of the new exploit determined that the Settings Manager itself is a Shockwave Flash file and was able to load that file into an iFrame.
-http://www.theregister.co.uk/2011/10/20/acobe_flash_webcam_spying/
-http://www.wired.com/threatlevel/2011/10/flash-vulnerability-webcam/
-http://www.computerworld.com/s/article/9221052/Adobe_to_fix_Flash_flaw_that_allows_webcam_spying?taxonomyId=17
-http://news.cnet.com/8301-1009_3-20122887-83/adobe-to-plug-flash-related-webcam-spying-hole/

[Editor's Note (Murray): This is one more example of gratuitous features and functions that are more exploited than used for any legitimate purpose. While there happens to be a server-side fix, this attack exploits a control on the client side that was placed there for the benefit of the advertisers who buy Flash. The fix is not under the control of the user and rogue servers will not install it. The Flash player continues to be one of the biggest sources of vulnerability for end users. Adobe continues to rely upon others to find these vulnerabilities. They refuse to learn that a late fix is more expensive than doing it right in the first place. At some point, one expects them to tire of having the NVPs decide their schedule.
(Liston): Someone (I forget who) said this the other day, and it's very, very true: "Adobe is to secure programming what Tiger Woods is to marriage." ]
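
The item above turns on one detail: the HTML page was protected against framing, but the Settings Manager it loads is a separate .swf resource that was not. The following is an added example (not Adobe's code or the exploit author's): a function that builds the two standard anti-framing response headers, a small evaluator that models how a browser decides whether an embedding origin may frame a resource given those headers, and an audit that lists the resources of a site a third-party page could still frame. The resource list, origins and paths are constructed for the demonstration.

```javascript
// Added example, not code from Adobe or the article. All paths, origins and
// the resource list below are constructed sample data.

// Headers a server should send on every resource that must never be framed.
// X-Frame-Options is the legacy header; Content-Security-Policy
// frame-ancestors is the modern one. Sending both covers old and new browsers.
function noFrameHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Decide whether a browser honouring these headers would let `embedderOrigin`
// frame a resource served from `resourceOrigin`. When a CSP frame-ancestors
// directive is present it takes precedence and X-Frame-Options is ignored;
// an X-Frame-Options value the browser does not recognise is treated as if
// no header had been sent.
function framingAllowed(headers, embedderOrigin, resourceOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/);
      if (sources.includes("'none'")) return false;
      if (sources.includes("'self'") && embedderOrigin === resourceOrigin) return true;
      return sources.includes(embedderOrigin);
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === resourceOrigin;
  return true; // no framing policy: any site may embed the resource
}

// Audit: given the headers each sensitive resource is served with, return the
// paths that an unrelated third-party origin could still place in an iFrame.
function unprotectedResources(resources, resourceOrigin) {
  const thirdParty = "https://third-party.example"; // hypothetical embedder
  return resources
    .filter((r) => framingAllowed(r.headers, thirdParty, resourceOrigin))
    .map((r) => r.path);
}

// Constructed sample mirroring the situation in the article: the HTML wrapper
// carries anti-framing headers, the .swf it embeds carries none.
const SETTINGS_ORIGIN = "https://settings.example"; // placeholder origin
const SAMPLE_RESOURCES = [
  { path: "/settings_manager.html", headers: noFrameHeaders() },
  { path: "/settings_manager.swf", headers: { "Content-Type": "application/x-shockwave-flash" } },
  { path: "/help.html", headers: { "X-Frame-Options": "SAMEORIGIN" } },
];

console.log(unprotectedResources(SAMPLE_RESOURCES, SETTINGS_ORIGIN));
```

The audit reports only `/settings_manager.swf` for the sample set: the page is covered, the object it loads is not. Whether a particular browser of that era honoured these headers on plugin content varied, so the check's value is in finding resources with no policy at all, which is the class of gap the item describes.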

Oracle Releases Security Updates (October 19 & 20, 2011)

Oracle has released a security update to address at least 20 vulnerabilities in Java. Most of the flaws are remotely exploitable and require little or no user interaction. One of the vulnerabilities fixed in the update was widely publicized in recent weeks: the Browser Exploit Against SSL/TLS, or BEAST, could allow attackers to listen in on encrypted communications. Oracle has also released a Critical Patch Update that addresses 57 vulnerabilities in a variety of other Oracle products.
-http://krebsonsecurity.com/2011/10/critical-java-update-fixes-20-flaws/
-http://www.computerworld.com/s/article/9220990/Oracle_patches_Java_flaw_exploited_in_SSL_BEAST_attack?taxonomyId=85
-http://www.h-online.com/security/news/item/Oracle-fixes-77-vulnerabilities-including-Java-and-database-holes-1363748.html

Oracle Java SE Critical Patch Update Advisory:
-http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
Oracle October 2011 Critical Patch Update Advisory:
-http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

State Dept. Officer's Security Clearance Suspended for Posting Links to WikiLeaks Docs (October 19, 2011)

Peter Van Buren, a US State Department Foreign Service officer, has had his top secret security clearance suspended after he posted a link to leaked State Department cables on a blog. The cables, which were obtained and released by WikiLeaks, were widely available on the Internet. Van Buren says the decision to suspend the clearance rather than revoke it is a deliberate move. Revocations can be challenged in court, but suspensions remain in effect until the case is closed. "This is just their way of sending a message and creating an extrajudicial punishment that can't be questioned or challenged."
-http://www.wired.com/threatlevel/2011/10/diplomat-loses-security-clearance/

Former Employee Says Data Exposure Flaw Existed For Years (October 19 & 20, 2011)

First State Super has backed away from its initial threat of legal action against a former employee who disclosed a security flaw in the company's online funds management application. First State Super first appeared to be grateful when Patrick Webster notified them of the vulnerability, but later brought in law enforcement and threatened to take legal action against him. The publicity generated by Webster's decision to tell his story publicly appears to be the driving force behind the company's decision to withdraw the threat of legal action. The Australian Privacy Commissioner has launched an investigation into the matter. Webster maintains that the company knew about the vulnerabilities for years but did nothing to mitigate the problem. The flaw could be exploited by changing a number in a URL to view other members' account information. The flaw existed on the system of Pillar Administration, which hosts First State Super's online membership and statements. Webster used to work for Pillar.
-http://www.theregister.co.uk/2011/10/19/first_state_super_tones_it_down/
-http://www.smh.com.au/it-pro/security-it/claims-first-state-super-flaw-ignored-for-years-20111020-1m9ao.html
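
The flaw described above, a record selected solely by a number in the URL with no check that the caller owns it, is the classic insecure direct object reference. The following is an added example (not First State Super's or Pillar's code): a statement lookup written first the vulnerable way and then with the missing ownership check, plus a server-side log check that counts how many distinct statement ids one session requested, which is the signal that distinguishes a member viewing their own statement from someone walking the id space. The member table, session objects and request log are constructed sample data.

```javascript
// Added example, not code from the article or the companies it names.
// Every record, session and log line below is constructed for the demo.

// Constructed member table: statement id -> record. In the flaw described
// above, the number in the URL was the only thing selecting the record.
const STATEMENTS = new Map([
  [1001, { owner: "alice", balance: 54200.17 }],
  [1002, { owner: "bob", balance: 12880.0 }],
  [1003, { owner: "carol", balance: 98310.5 }],
]);

// Pull the numeric id out of a path such as "/statements/1002".
// Returns null when the path does not have that shape.
function parseStatementId(path) {
  const m = /^\/statements\/(\d{1,12})$/.exec(path);
  return m ? Number(m[1]) : null;
}

// VULNERABLE (kept deliberately so): any authenticated session can read any
// statement simply by changing the number in the URL.
function getStatementInsecure(session, path) {
  if (!session || !session.user) return { status: 401 };
  const id = parseStatementId(path);
  if (id === null) return { status: 404 };
  const rec = STATEMENTS.get(id);
  if (!rec) return { status: 404 };
  return { status: 200, body: rec }; // no ownership check
}

// HARDENED: the record is returned only when the session's user owns it.
// Returning the same 404 for "does not exist" and "not yours" avoids telling
// a caller which ids are valid.
function getStatementSecure(session, path) {
  if (!session || !session.user) return { status: 401 };
  const id = parseStatementId(path);
  if (id === null) return { status: 404 };
  const rec = STATEMENTS.get(id);
  if (!rec || rec.owner !== session.user) return { status: 404 };
  return { status: 200, body: rec };
}

// Detection on the server's own access log: how many distinct statement ids
// did one user request? A member normally touches one or two; a long run of
// distinct ids from a single session is what to alert on.
function countDistinctIds(requests, user) {
  const ids = new Set();
  for (const r of requests) {
    if (r.user !== user) continue;
    const id = parseStatementId(r.path);
    if (id !== null) ids.add(id);
  }
  return ids.size;
}

// Constructed access log: bob requests three different statements, alice one.
const ACCESS_LOG = [
  { user: "bob", path: "/statements/1001" },
  { user: "bob", path: "/statements/1002" },
  { user: "bob", path: "/statements/1003" },
  { user: "alice", path: "/statements/1001" },
];

const bob = { user: "bob" };
console.log("insecure:", getStatementInsecure(bob, "/statements/1001").status); // 200
console.log("secure:  ", getStatementSecure(bob, "/statements/1001").status);   // 404
console.log("distinct ids for bob:", countDistinctIds(ACCESS_LOG, "bob"));       // 3
```

The ownership comparison belongs in the data-access layer, not in the page that renders the statement, so that every route reaching the record goes through it; the log check is cheap to run over existing web server logs and would have surfaced years of the pattern the former employee describes.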

Trojan Variant Disables Mac Anti-Malware (October 19, 2011)

A new variant of the Flashback Trojan horse program has been adapted to disable anti-malware protections that are baked into the Mac OS X platform. Flashback attempts to disable the automatic updater component of an anti-malware program known as XProtect. The malware spreads by pretending to be an Adobe Flash Player update. To be installed, it requires users to enter their administrator passwords. Flashback was first detected in September.
-http://www.scmagazineus.com/new-mac-malware-variant-disables-os-x-defenses/article/214752/
-http://news.cnet.com/8301-1009_3-20122551-83/flashback-os-x-malware-variant-disables-xprotect/

[Editor's Note (Murray): It was only a matter of time until someone decided to exploit auto update procedures. Flash is the obvious candidate because Flash fixes are so frequent and urgent. ]

Extension to Stuxnet Detected (October 18, 19 & 20, 2011)

Researchers at Symantec say they have detected several variants of what they are calling a precursor to Stuxnet, but "precursor" is probably the wrong word. Symantec is describing a piece of malware used to target specific information at specific organizations. The malware, dubbed Duqu for its practice of creating files that begin with the prefix DQ, does not self-replicate and appears to be designed to conduct reconnaissance, gathering information for possible later attacks. The malware was reportedly found on computer systems at a small number of companies, some of which are "involved in the manufacturing of industrial control systems." Duqu also removes itself from systems it infects after 36 days. Among its tools of artifice is a stolen Symantec digital certificate, which has since been revoked. Portions of Duqu are nearly identical to Stuxnet. McAfee's analysis of Duqu differs from Symantec's; McAfee says the malware is designed to target certificate authorities in Asia, Europe, and Africa.
-http://www.v3.co.uk/v3-uk/news/2118897/security-giants-split-stuxnet-lookalike-duqu
-http://www.bbc.co.uk/news/technology-15367816
-http://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/
-http://www.computerworld.com/s/article/9221028/Symantec_McAfee_differ_on_Duqu_threat?taxonomyId=82
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231901226/waiting-for-son-of-stuxnet-to-attack.html

[Editor's Note (Pescatore): The security firms disagree somewhat on what Duqu is targeting, but the common denominator is the use of fraudulent digital certificates. Since the CA/Browser industry is unfortunately moving very, very slowly to prevent more incidents like the recent Comodo and DigiNotar CA compromises from happening, businesses should review their processes for discovering certificates used in business critical applications and for both validating them and quickly revoking them when necessary. ]

Google Increasing Secure Browsing (October 18, 2011)

Google has begun switching over to default end-to-end encryption for searches that are initiated from the Google homepage. Users who are logged in to Google will automatically have their searches launch from https://google.com. The new security measures will help protect users from Wi-Fi hackers and others attempting to snoop on their online activity. Over a period of weeks, Google will roll over all searches to https://google.com, even if users do not specifically select the secure browsing option. Users who are not signed in or who do not have Google accounts can still search securely by typing in https://google.com.

Some schools objected to the option when it was first introduced in May 2010 because it prevented them from censoring students' search results. Google will now offer schools an option to disable the secure browsing, but will also spell out to users that their browsing is not private.
-http://www.wired.com/threatlevel/2011/10/google-search-https/
-http://news.cnet.com/8301-1009_3-20122277-83/google-offers-encrypted-web-search-by-default/
-http://googleblog.blogspot.com/2011/10/making-search-more-secure.html
[Editor's Note (Liston): When I first heard about this, my initial concern was for organizations that have a legitimate reason for monitoring the browsing habits of those using their networks. I'm glad to see that Google has made provisions for those situations and I'm pleased that they will be reminding those users that their browsing is not private. Good decisions all the way around, Google. ]

SSA Fails to Disclose Data Breach (October 13, 2011)

The Social Security Administration (SSA) failed to notify tens of thousands of citizens that their personal information was inadvertently shared with US businesses through a database known as the Death Master File (DMF). Roughly 14,000 people every year are mistakenly placed on the DMF. The compromised information includes names, Social Security numbers (SSNs) and dates of birth. None of the people whose names appeared on the list in error were alerted to the situation by the government. Instead, they learned of the problem through frozen bank accounts and cancelled cell phone service. The SSA first started making the database available in 1980, which means that approximately 400,000 people have been affected by errors.
-http://seattletimes.nwsource.com/html/nationworld/2016498264_socialsecurity14.html
-http://www.computerworld.com/s/article/9220861/Social_Security_agency_leaks_thousands_of_SSNs_every_year_report_says

[Editor's Note (Liston): A few years ago, a friend-of-a-friend went through this. If you think dealing with identity-theft is difficult, being accidentally declared dead is far, far worse. ]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, Chief Security Officer, North American Electric Reliability Corporation (NERC).

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/