SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #102

December 28, 2012

TOP OF THE NEWS

Health Care Sector Lagging Behind Others in Cybersecurity
Banking Regulator Issues Warning Regarding DDoS Attacks Against Financial Institutions
FOIA Docs Reveal NSA Industrial Control System Vulnerability Research
US Legislators Approve National Defense Authorization Act Requiring Contractors To Report Breaches

THE REST OF THE WEEK'S NEWS

Conflicting Reports Regarding Industrial Control System Attack in Iran
GSA Awards First FedRAMP Cloud Product Certification
Senate Rejects Privacy Amendments to FISA Amendments Act
Univ. of Michigan Health System Notifies 4,000 of Data Breach
Google's Chrome 25 Will Disable Auto-Install for Extensions
Verizon Says Information Hacker Posted is Not Wireless Customer Data
Microsoft Issues Retooled OpenType Patch
Stabuniq Trojan
US Federal Agency BYOD Policies Could Include Mandatory Data Wiping Software

---

************************* SPONSORED BY Symantec ***************************
The results are in. Symantec Endpoint Protection rated best in independent, real-world tests recently published by Dennis Technology Labs. These tests were designed to more accurately reflect what would happen if a user is actually using one of these products. Symantec Endpoint Protection received a AAA rating and beat all tested competitors in total accuracy. Learn More.
http://www.sans.org/info/120025
****************************************************************************
TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- --Looking for training in your own community? http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Anaheim, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

---

TOP OF THE NEWS

Health Care Sector Lagging Behind Others in Cybersecurity (December 25, 2012)

Researchers say that the health care sector is vulnerable to a variety of cyberattacks. The industry moved quickly to embrace the benefits offered by the Internet but in doing so, exposed medical devices and computers at medical facilities to hackers, who could potentially steal patient information to commit identity fraud and even launch attacks on critical systems within hospitals. Health care "lags behind
[other industries ]
in addressing known problems." Granted, medical facilities have not been the target of attacks as frequently as financial, corporate, and military networks have, but the US Department of Homeland Security (DHS) has recently become concerned that health care could prove an enticing target for hackers. The most recent cybersecurity guidance from the Food and Drug Administration, which oversees medical devices, dates to 2005.
-http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-ha
ckers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html
[Editor's Note (Murray): The healthcare sector lags in use, let alone the management, of IT. Their failure to use electronic healthcare records is killing and impoverishing us. ]

Banking Regulator Issues Warning Regarding DDoS Attacks Against Financial Institutions (December 21, 2012)

The US Office of the Comptroller of the Currency (OCC) has issued an alert about the recent wave of distributed denial-of-service (DDoS) attacks against financial institutions. The alert recommends that banks maintain a "heightened sense of awareness" about the attacks and that they have strategies in place to respond to the attacks. Banks are also advised to look into their Internet service providers' (ISPs') and web-hosting vendors' response plans. Banks are also reminded of their obligation to adhere to the Federal Financial Institutions Examination Council (FFIEC) guidelines, updated in 2011, which directs the financial institutions to "use layered security to protect corporate accounts."
-http://www.scmagazine.com/national-banking-regulator-advises-on-ddos-deluge/arti
cle/273769/
[Editor's Note (Pescatore): DDoS mitigation is one of the simpler security decisions: it is very clearly a cost-of-down-time issue. If cost-of-down-time justified for a web site justified backup power, then the same cost-of-down-time argument justifies reliable Internet connectivity and DDoS mitigation.
(Henry): It's great that the OCC is communicating with banks. Yes, it's a given that banks should put resources into defending their networks, but MOST ALL of the ones I've dealt with in my career do so adequately. They already have a "heightened sense of awareness regarding these attacks," because according to multiple media reports they've been suffering through them for many months. The Financial Services Sector is among the best prepared against the cyber threat. So instead of telling them what they already know, how about the USG focuses on the source of the attacks rather than telling the victim to "just do more?" ]

FOIA Docs Reveal NSA Industrial Control System Vulnerability Research (December 23, 2012)

Documents obtained by the Electronic Privacy Information Center (EPIC) under the Freedom of Information Act (FOIA) indicate that the National Security Agency (NSA) is conducting "vulnerability exploration and research" on industrial control systems that manage elements of the US's critical infrastructure, such as power grids and natural gas pipelines. Known as the "Perfect Citizen" program, the research includes a US $91 million contract with Raytheon. The documents also provide information about how the NSA will defend and attack industrial control systems.
-http://news.cnet.com/8301-1023_3-57560644-93/revealed-nsa-targeting-domestic-com
puter-systems-in-secret-test/
[Editor's Note (Murray): EPIC is not so much interested in exposing NSA's findings as much as shining the light on its domestic activities. One might expect that NSA would use its resources to identify the vulnerabilities of potential adversaries and let the Department of "Homeland" Security worry about domestic infrastructure.
(Paller): Baloney! EPIC's work is misdirected. Power generation is central to the modern way of life. Without it, the military would not be able to defend the country, hospitals would not be able to heal the sick, businesses would grind to a halt causing life-threatening shortages, economic chaos and widespread poverty. DHS does not have the technical talent needed to protect power systems. The power companies themselves, under the able leadership of Mike Assante are coming together and making some progress, but NSA's deep technical expertise is likely to be an important element in protecting critical infrastructure for the foreseeable future. NSA's Information Assurance Directorate's role in protecting DoD operations in the United States and abroad gives it the responsibility to deploy its technical skills in finding vulnerabilities and finding the best ways to protect power systems against those vulnerabilities. ]

US Legislators Approve National Defense Authorization Act Requiring Contractors To Report Breaches (December 21 & 26, 2012)

Last week Congress approved the National Defense Authorization Act, which would require military contractors to notify the Pentagon about breaches of their systems that contain military data. If President Obama signs the legislation, it would codify a portion of the defense industrial base pilot program, in which contractors provided breach information to the Pentagon in exchange for access to cyberthreat intelligence. The bill also makes millions of dollars available for federal government cybersecurity spending.
-http://www.politico.com/story/2012/12/joint-defense-measure-seeks-to-disarm-hack
ers-85373.html
-http://www.nextgov.com/cybersecurity/2012/12/new-mandate-would-require-military-
contractors-report-cyber-breaches/60347/

---

************************* Sponsored Link: ********************************
1) Are You Sufficiently Protected against Modern Malware? Download this workbook and assess your advanced threat protection posture. Learn More: http://www.sans.org/info/120030
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Conflicting Reports Regarding Industrial Control System Attack in Iran (December 27, 2012)

An Iranian government spokesperson said that reports of a new Stuxnet attack on industrial systems in that country are false. Western media outlets have been reporting that an Iranian civil defense organization representative said that a cyberattack on a power station had been thwarted. The confusion is being explained as a miscommunication of a statement of Iran's cyberattack preparedness.
-http://www.h-online.com/security/news/item/Confusion-over-alleged-Stuxnet-attack
-in-Iran-1774496.html
-http://www.computerworld.com/s/article/9235039/Iranian_official_disputes_report_
that_power_station_was_hit_by_virus_attack?taxonomyId=17
-http://www.bbc.co.uk/news/world-middle-east-20842113
-http://news.cnet.com/8301-1009_3-57560799-83/stuxnet-attacks-iran-again-reports-
say/
-http://www.scmagazine.com/another-iran-facility-hit-with-cyber-attack-perhaps/ar
ticle/273964/

GSA Awards First FedRAMP Cloud Product Certification

(December 27, 2012) The US General Services Administration (GSA) has awarded its first FedRAMP security certification to Autonomic Resources, a North Carolina company. FedRAMP, or the Federal Risk and Authorization Management Program, aims to provide blanket security approval for cloud services so that federal agencies can use the services without having to subject the products to their own certification processes. The Autonomic product that won the first certification is an infrastructure-as-service offering that provides managed and unmanaged remote machines. The company also has a webmail product that is currently undergoing the FedRAMP certification process.
-http://www.nextgov.com/cybersecurity/2012/12/small-nc-cloud-company-nabs-first-f
edramp-security-certification/60363/?oref=ng-channeltopstory
[Editor's Note (Pescatore): Good to see some services start to come through the FedRAMP process. Now, agencies will have to make sure they are changing their governance and processes to efficiently and securely make use of cloud-based services.
(Murray): FedRAMP certification is a "third party evaluation;" the evaluators have no skin in the game. It must not be read as a "license to use." It must not be used without reading the evaluation and comparing it to one's own requirements. It does not relieve one of the responsibility for the security of the application. It is not a substitute for reporting, measuring, and management. ]

Senate Rejects Privacy Amendments to FISA Amendments Act (December 26, 2012)

The US Senate was scheduled to debate four privacy-related amendments to the FISA Amendments Act when it returned to work on Thursday, December 27. According to civil liberties groups, the amendments would enhance privacy protections for individuals. The FISA Amendments Act grants US officials authority to conduct warrantless surveillance on suspected terrorists in foreign countries. One of the amendments focuses on oversight and includes a sunset provision for the measure's expiration. Another amendment would require that the Director of National Intelligence tell Congress whether any domestic email and phone communications were gathered under FISA Amendments. Late reports indicate that the Senate rejected the privacy amendments and delayed a final vote on reauthorizing the measure to Friday, December 28.
-http://thehill.com/blogs/hillicon-valley/technology/274595-senate-set-to-debate-
privacy-amendments-to-surveillance-bill-on-thursday-
-http://www.huffingtonpost.com/2012/12/27/fisa-senate-vote_n_2372720.html?utm_hp_
ref=politics

Univ. of Michigan Health System Notifies 4,000 of Data Breach (December 26, 2012)

The University of Michigan Health System (UMHS) has notified 4,000 people that their personal health information was compromised. UMHS learned of the breach in late November 2012 from Omnicell, a medication management vendor. An unencrypted electronic device was stolen from an Omnicell employee's vehicle on November 14. The compromised data include names, birth dates, and possibly a variety of health-related information.
-http://www.healthcareitnews.com/news/u-michigan-health-system-omnicell-report-pa
tient-data-breach
[Editor's Comment (Pescatore): A lot of this is a legacy of the original and continuing HIPAA approach to security - the P in HIPAA stands for "Portability" not "Privacy." As it became apparent that privacy was necessary to enable portability, the focus became on encrypting electronic personal health information in motion and requiring patient opt in for any information disclosure - both good things. However, protecting the systems that store and access EPHI from attack have never been emphasized and the manufacturers of medical devices and software have never had to build in even a due diligence level of protection into their products.
(Northcutt): Laptop losses do not provide sufficient evidence that any sector is lagging in cybersecurity. A quick trip to the privacy rights data breach chronology site shows there are plenty of problems in every sector:
-http://www.privacyrights.org/data-breach]

Google's Chrome 25 Will Disable Auto-Install for Extensions (December 23 & 24, 2012)

Changes in Chrome 25 will include blocking silent extension installations. The auto-install feature will be replaced with a system that pops up a dialog box asking the user to confirm that the extension is legitimate before it is installed. Google will also scan "every extension that is uploaded to the Chrome Web Store and take down those
[deemed ]
to be malicious."
-http://www.h-online.com/security/news/item/Google-blocks-silent-Chrome-extension
-installation-1774354.html
-http://www.theregister.co.uk/2012/12/23/google_bans_auto_install_chrome_extensio
ns/
[Editor's Note (Pescatore): This is another example of the continued growth in and acceptance of whitelisting being driven by the mobile world. The Apple App Store, Google Play, Chrome Web Store, coming Microsoft equivalent - all are white lists that raise the barrier to malware. Not the end of the problem, but a significant increase in protection. One major thing needed: the browser vendors (mostly like through the CA Browser Forum if it gets rejuvenated) need to agree on common mechanisms and invest in educating the public about how this works - or else everyone will just click though these never-ending pop-ups. ]

Verizon Says Information Hacker Posted is Not Wireless Customer Data (December 22, 2012)

Verizon said that information posted to the Internet by a hacker is not wireless customer data, as the hacker has claimed. The hacker then tweeted that the data are likely to be those of Verizon FiOS fiber customers. The hacker posted roughly 300,000 database entries. He claims to have stolen the data on July 12, 2012 and says that he has three million customer records. He says he posted the data because Verizon did not fix the vulnerability that he exploited to gain access to the information. He also said that all the data were in plaintext.
-http://www.zdnet.com/hacker-verizon-duel-over-customer-record-claims-7000009151/

Microsoft Issues Retooled OpenType Patch (December 21, 2012)

Microsoft has released a reworked version of a security update for a serious vulnerability in OpenType font implementations; the original patch, which addressed remote execution vulnerabilities, caused readability problems with the font in several applications. The patch, MS12-078, was originally released on December 11, 2012. The new version was released on December 20, 2012. Users who run automatic updates do not need to take any special action.
-http://www.h-online.com/security/news/item/Microsoft-brings-back-the-fonts-17737
44.html
-http://www.zdnet.com/microsoft-fixes-faulty-opentype-security-patch-7000009124/
-http://technet.microsoft.com/en-us/security/bulletin/ms12-078

Stabuniq Trojan (December 21, 2012)

The Stabuniq Trojan horse program targets and steals information from US financial institutions and their customers. Stabuniq has been found on mail servers, firewalls, proxy servers, and gateways of US banks and credit unions. The majority of infected systems appear to be in the eastern half of the US, with high levels of infection in and around Chicago and New York. The overall number of infections is relatively small, which suggests that the attackers had specific targets in mind.
-http://arstechnica.com/security/2012/12/symantec-finds-a-new-trojan-that-steals-
data-from-us-banks-customers/
-http://www.computerworld.com/s/article/9234961/Stabuniq_malware_found_on_servers
_at_U.S._financial_institutions?taxonomyId=17

US Federal Agency BYOD Policies Could Include Mandatory Data Wiping Software (December 19, 2012)

Some US government agencies are considering BYOD (bring your own device) policies that would require employees to allow their employers to put remote wiping software on the devices to be used if the devices are ever lost or stolen. The software would remove all business and personal data.
-http://www.govexec.com/technology/2012/12/agencies-might-have-obliterate-private
-photos-devices-go-awol/60246/
[Editor's Note (Pescatore): Very common in private industry policies to require employees to sign usage agreement for BYOD that allows remote wipe with potential private data loss. Not that big of a deal - enterprises are learning to change policies to allow BYOD; employees have to learn to back up any private data that might be at risk. Early adopters have seen this bargain is easily accepted - and legally supportable. ]

NOTE: In the most recent edition of NewsBites, Stephen Northcutt asked if anyone knew which body of law would allow the US to prosecute foreign companies for violations of US intellectual property rights. A number of people wrote in, and the key appears to be jurisdiction. We did get a rather clear answer from a litigator with experience in the field. If you would like to look at it, write to Stephen at snorthcutt@sans.org.

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/