SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIII - Issue #94

November 29, 2011

TOP OF THE NEWS

Feds Say Hacking Was Not Involved in Illinois Water Pump Failure
NIST Has Huge Impact on Cybersecurity With BIOS Special Publication
Small Legal Settlement May Open The Flood Gates For Cyber Suits
Britain Readies Cyber Strike Forces

THE REST OF THE WEEK'S NEWS

Feds Shut Down Sites for Allegedly Selling Counterfeit Merchandise
Four Arrested in Philippines in Connection with AT&T PBX Hack
Appellate Court Says Online Commenter May Remain Unidentified
UK Cyber Security Strategy Includes Information Sharing Pilot Program
Apache Working on Fix for Reverse Proxy Flaw
Apple Fixes Three-Year-Old iTunes Updater Flaw
Google Deploys Forward Secrecy on SSL-Based Services
Three Indicted for Skimming Scheme
Certification and Accreditation Authority Says Doctors Should Not Text Patient Orders
Business Software Alliance CEO Says SOPA Goes Too Far

---

************ Sponsored By Raytheon Trusted Computer Solutions ***********

Hardening operating systems to DISA STIG, PCI, or SANS CAG recommendations can be confusing and time consuming. Automate the assessment, lock down, and baselining of your systems with Security Blanket, for consistent and predictable results. **Now supporting 'targeted' SELinux policy for Red Hat Enterprise Linux. Learn more by registering for a free demonstration today!

http://www.sans.org/info/91971

**************************************************************************

TRAINING UPDATE

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Post-Summit Courses December 3-4, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS London 2011, London, UK, December 3-12, 2011 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011 Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php **************************************************************************

---

TOP OF THE NEWS

Feds Say Hacking Was Not Involved in Illinois Water Pump Failure (November 23, 2011)

According to a joint statement from the US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the FBI, federal officials "could not validate the claims" made by the Illinois State Terrorism and Intelligence Center (STIC) that foreign hackers had gained access to a supervisory control and data acquisition (SCADA) system at a water utility in that state. Earlier reports claimed that attackers had gained access to the utility's system and caused a water pump top burn out.
-http://krebsonsecurity.com/2011/11/dhs-blasts-reports-of-illinois-water-station-
hack/
-http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/
-http://www.theregister.co.uk/2011/11/23/water_utility_hack_update/
-http://www.bbc.co.uk/news/technology-15854327
-http://www.informationweek.com/news/security/attacks/232200199
-http://www.computerworld.com/s/article/9222144/DHS_sees_no_evidence_of_cyberatta
ck_on_Ill._water_facility?taxonomyId=82
-http://www.techspot.com/news/46407-fbi-says-hackers-not-responsible-for-illinois
-water-pump-failure.html
-http://techland.time.com/2011/11/28/hackers-blow-up-illinois-water-utility-or-no
t/
[Editors Note (Pescatore): Much of the hysteria was based on the fact that the "attack" came from an IP address in Russia, but the Washington Post reported that a legitimate contractor had made the access while on travel to Russia. This over-focus on where an attack appears to be coming from leads to major distraction from the real problem - the vulnerabilities that enable all attacks.
(Liston): I've tried very hard to stay away from discussing this "incident" since it first came to light. The rush to "conclusion jumping" was astonishing. Our industry needs to do a better job of quashing headline-grabbing sensationalism and keeping ourselves grounded in fact or we'll suffer from the same fate as anyone else who goes around crying "wolf."
(Murray): While the connection of our infrastructure controls to the public networks makes them vulnerable, they are not currently under attack. They may never come under attack. However, fixing the vulnerabilities will take much longer than we will have should they come under attack. We need to fix this now. My sense is that the government is saying "fix it or else" and the utilities or waiting for the "or else." That said, when the government said the same thing to the colleges and universities, most of them closed their networks in a matter of months to years. ]

NIST Has Huge Impact on Cybersecurity With BIOS Special Publication

People who have long known that NIST can have a profoundly positive impact on cyber security, now have a great example and another one coming. The core challenge of the "supply chain problem" is ensuring each element can be trusted, and in most PCs and laptops, the BIOS is the most basic element where trust must be verified. NIST saw that the industry was in transition with the adoption of the Unified Extensible Firmware Interface for BIOS, and that there was an immediate opportunity to influence the next generation of systems. And they did at scale. Because of NIST Special Publication 800-147, every HP computer and many others now is delivered with a secure BIOS - something that was not true just a year ago. Very shortly NIST will release a related Special Publication on how to do integrity measurement, another critical step in the supply chain problem.
-http://gcn.com/articles/2011/04/29/nist-bios-cyber-target.aspx
[Editor's note (Paller): Kudos to Andrew Regenscheid, William Polk, Murugiah Souppaya and their team at NIST.

Small Legal Settlement May Open The Flood Gates For Cyber Suits (November 23, 2011)

A law suit filed by a single victim in the RockYou breach, leading to a $2,000 settlement earned the plaintiff's lawyers $290,000. That's blood in water for legal sharks. And the settlement sets a precedent. How many of the 32 million users whose data was breached in the hack of RockYou in December 2009 will now be represented by lawyers? A commentary in Data Privacy Monitor shows why this could be an important settlement. (
-http://www.dataprivacymonitor.com/data-breaches/rockyou-proposed-settlement-woul
d-leave-decision-standing/)
BTW the attack used a SQL injection vulnerability.
-http://www.darkreading.com/security/privacy/232200192/rockyou-lawsuit-settlement
-leaves-question-marks-on-breach-liability.html

Britain Readies Cyber Strike Forces (November 23, 2011)

Two separate units in the U.K. Defence Cyber Operations Group are working on an offensive capability to strike back at enemies who are trying to start electronic attacks on critical national infrastructure. One technique has already been used when the UK's GCHQ launched a virus to replace an online bomb-making manual with a cupcake recipe.
-http://www.telegraph.co.uk/news/uknews/defence/8916960/Britain-prepares-cyber-at
tacks-on-rogue-states.html

---

THE REST OF THE WEEK'S NEWS

Feds Shut Down Sites for Allegedly Selling Counterfeit Merchandise (November 28, 2011)

The US Department of Immigration and Customs Enforcement has seized 150 domain names suspected of being involved in selling counterfeit merchandise. The seizures were announced on Monday, a big online shopping day, and come amidst heated legislative debate over anti-piracy legislation. The domains are being taken down under the same civil seizure law used to seize bank accounts and property allegedly linked with illegal activity.
-http://www.wired.com/threatlevel/2011/11/operation-in-our-sites-grows/
-http://www.washingtonpost.com/business/economy/justice-dept-cracks-down-on-scams
-on-cyber-monday/2011/11/28/gIQA1clz5N_story.html

Four Arrested in Philippines in Connection with AT&T PBX Hack (November 28, 2011)

Police in Manila, Philippines have arrested four people in connection with a PBX attack on AT&T phone networks that was used to help fund a terrorist organization that is suspected of being behind physical attacks in Mumbai in November 2008. PBX attacks usually involve gaining unauthorized access to phone lines and making calls to premium-rate services. The losses to AT&T were estimated at US $2 million.
-http://www.theregister.co.uk/2011/11/28/philippines_at_and_t_terror_hack_arrests
/
-http://www.informationweek.com/news/security/attacks/232200252

Appellate Court Says Online Commenter May Remain Unidentified (November 26, 2011)

An Illinois Appellate Court Judge has overturned a lower court ruling that ordered a newspaper publisher to divulge the email and IP addresses of an individual who made comments using an online pseudonym and ordered Comcast to reveal the individual's identity. Justice Terrence Lavin wrote in his decision that "putting publishers and website hosts in the position of 'cyber-nanny' is a noxious concept that offends our country's long history of protecting anonymous speech."
-http://www.chicagotribune.com/news/local/ct-met-internet-comment-ruling-20111126
,0,4573864.story

UK Cyber Security Strategy Includes Information Sharing Pilot Program (November 25 & 26, 2011)

The UK government has published its Cyber Security Strategy. One of its features is a cyber security hub that will let public and private sector organizations share information about threats and responses. The information sharing pilot effort will begin in December; organizations from the defense, telecommunications, finance, pharmaceutical, and energy industries will participate. Many organizations have been reluctant to admit having suffered a cyber security breach because of the damage it would do to their reputations. The UK does not have a mandatory security breach reporting requirement.
-http://www.h-online.com/security/news/item/UK-government-lays-out-cyber-security
-plans-1385358.html
-http://www.scmagazineuk.com/governments-cyber-security-strategy-proposes-expansi
on-of-gchq-police-training-and-a-national-hub/article/217583/
-http://www.v3.co.uk/v3-uk/news/2127751/government-finally-announces-cyber-crime-
strategy
-http://www.telegraph.co.uk/news/uknews/defence/8916960/Britain-prepares-cyber-at
tacks-on-rogue-states.html
-http://www.reuters.com/article/2011/11/25/britain-cyberspace-idUSL5E7MP24E201111
25
[Editor's Note (Murray): Information sharing is dangerous. It requires trust, certainly more than the US or UK governments command. Moreover, governments do not trust citizens and will not share with them. All such well-intentioned schemes flounder. ]

Apache Working on Fix for Reverse Proxy Flaw (November 24 & 28, 2011)

Developers at Apache are working on a patch to address a flaw in the Apache HTTP server that could be exploited to access protected resources on internal networks. Installations operating in reverse proxy mode are vulnerable to the attack.
-http://www.theregister.co.uk/2011/11/24/apache_bug/
-http://www.computerworld.com/s/article/9222160/Unpatched_Apache_flaw_allows_acce
ss_to_internal_network?taxonomyId=85
-http://arstechnica.com/tech-policy/news/2011/11/security-flaw-in-apache-could-al
low-attackers-into-internal-networks.ars

Apple Fixes Three-Year-Old iTunes Updater Flaw (November 23, 24 & 25, 2011)

Earlier this month, Apple fixed a vulnerability in its iTunes updater that could be exploited to distribute malware. Apple had known about the flaw for more than three years. The flaw was exploitable only in Windows versions of iTunes, and was fixed in version 10.5.1. Before that, iTunes updates were conducted through unencrypted HTTP queries, which allowed attackers with control of users' network to disguise malware as legitimate updates. The creators of FinFisher, a cyber surveillance tool that was marketed to government, recommended that it be deployed in the guise of an iTunes update.
-http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-ho
le/
-http://www.h-online.com/security/news/item/iTunes-security-vulnerability-had-bee
n-present-for-over-three-years-1384718.html
-http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/apple-took-years-t
o-fix-itunes-spyware-vulnerability-10024873/?
-http://www.telegraph.co.uk/technology/apple/8912714/Apple-iTunes-flaw-allowed-go
vernment-spying-for-3-years.html

Google Deploys Forward Secrecy on SSL-Based Services (November 22 & 23, 2011)

Google's HTTPS-enabled services are now encrypted with a method that protects traffic from being decrypted in the future. This means that users of Gmail, Google Docs and Google+ can rest a little easier, knowing that even with future technological advances, attackers will be unable to decrypt older communications. The new feature is known as forward secrecy, in which every online session is encrypted with a different public key and corresponding private keys are stored only for short periods of time.
-http://www.darkreading.com/authentication/167901072/security/privacy/232200135/g
oogle-ratchets-up-security-of-https.html
-http://www.computerworld.com/s/article/9222129/Google_protects_HTTPS_enabled_ser
vices_against_future_attacks?taxonomyId=83
-http://www.theregister.co.uk/2011/11/22/google_perfect_secrecy/
[Editor's Note (Pescatore): The risks of future decryption of bits in motion is much lower than the risks of misuse of personal data that is collected and stored at Google and other online companies. I'd rather see "perfect forward privacy." ]

Three Indicted for Skimming Scheme (November 22, 2011)

Three men have been indicted for allegedly placing skimming devices on ATMs in New York City. Dimitar Stamatov, Nikolai Ivanov, and Iordan Ivanov face a list of charges, including identity theft, criminal possession of forgery devices, and scheming to defraud. The men allegedly placed skimming devices on four cash machines and used the information they harvested to manufacture cloned payment cards. They then allegedly used those cards to conduct US $264,000 in fraudulent transactions. Two of the men were arrested earlier this year as they were attempting to retrieve one of the skimming devices; the third man is still at large.
-http://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/a
rticle/217419/
-http://www.msnbc.msn.com/id/45344181/ns/technology_and_science-security/
-http://manhattanda.org/press-release/81-count-indictment-unsealed-large-scale-at
m-skimming-case

Certification and Accreditation Authority Says Doctors Should Not Text Patient Orders (November 21, 2011)

The Joint Commission, a US health care organization certification and accreditation organization, has stated that health care professionals should not use text messages to share patient information. "It is not acceptable for
[health care professionals ]
to text orders for patients to the hospital or other health care setting ...
[because it ]
provides no ability to verify the identity of the person sending the text."
-http://www.ihealthbeat.org/articles/2011/11/21/joint-commission-text-messages-sh
ould-not-be-used-in-patient-orders.aspx
-http://www.jointcommission.org/standards_information/jcfaqdetails.aspx?Standards
FaqId=401&ProgramId=1
[Editor's Note (Murray): Rather than raise more barriers to electronic health records, we should be solving the problems with paper ones. Those who think that paper records are safer than electronic ones, simply do not understand paper records.
(Liston): "Wait... what? Someone thought it was *okay* to send medical orders via text?" Lately I've been finding more and more of these "areas" where things just don't seem to work the way that I assumed they did. Because doctors and nurses are required to log their actions on the patient's chart, I would've thought that sending orders via text message (where confidentiality, attribution, delivery notification, etc... can be *highly* problematic) wouldn't even be considered. You know what they say about "assuming"... ]

Business Software Alliance CEO Says SOPA Goes Too Far (November 21 & 22, 2011)

The Business Software Alliance (BSA) appears to be backing off from its support of the Stop Online Piracy Act (SOPA), which was introduced by House Judiciary Committee chairman Lamar Smith (R-Texas). In a recent blog post, BSA President and CEO Robert Holleyman wrote that "Valid and important questions have been raised about the bill," adding that it could "sweep in more than just truly egregious actors."
-http://thehill.com/blogs/hillicon-valley/technology/194947-software-group-backs-
off-support-of-sopa
-http://news.cnet.com/8301-31921_3-57330078-281/surprise-microsoft-quietly-oppose
s-sopa-copyright-bill/
[Editor's Note (Murray): Opposition to this obnoxious legislation is growing but the smart money is still with the RIAA and the MPAA. ]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/