Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #4

January 13, 2012


Fascinating new data on SCADA Security - (1) DHS is sharing, for the
first time, what the DHS Flyaway Teams learned on their incident
response visits to control system owners who had experienced cyber
'events,' (2) A massive jump in vulnerabilities of control systems
including 70 new ones not known before; (3) How to outsmart APT attacks
against utilities, and (4) Techniques being used to protect control
system devices on North Sea platforms. All this is just a small part
of the program in Orlando where 200 utility managers and law enforcement
folks from around the world will gather at the 2012 U.S. SCADA Security
Summit.

http://www.sans.org/north-american-scada-2012/
Alan

TOP OF THE NEWS

UK Government Sets 20 Critical Controls as Roadmap For Improving National Cyber Security
US State Department CISO to Become Director of US National Cyber Security

THE REST OF THE WEEK'S NEWS

Reddit Will Go Dark for 12 Hours to Protest SOPA
Senator Leahy Says PIPA's DNS Altering Provision Needs "Some Change"
Rep. Issa Plans to Introduce Alternative to SOPA
Court-Martial Recommended for Manning
Air Force Base Migrates to Linux After Malware Infection
Anonymous Upping the Ante in Israel Hacks
NHS Employee Fined for Unauthorized Patient Data Access
Stratfor Back Online; CEO Accuses Attackers of Censorship
Microsoft and Adobe Patch Flaws
Apple and RIM Deny Backdoor Arrangement with Indian Government


******************* SPONSORED BY Palo Alto Networks ********************

Download Free Modern Malware for Dummies eBook and learn how to stop the most dangerous threats facing your network. This book provides an in-depth analysis of how modern malware works and outlines the specific actions and technologies needed in order to regain control over today's malware.
http://www.sans.org/info/96611

**************************************************************************

TRAINING UPDATE

- --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

- --SANS North American SCADA Security Summit 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

- --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

- --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012 Summit: March 12-13, 2012 Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans.
http://www.sans.org/mobile-device-security-summit-2012/

- --SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

- --Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************************************************************

TOP OF THE NEWS

UK Government Sets 20 Critical Controls as Roadmap For Improving National Cyber Security (January 13, 2012)

The UK Centre for the Protection of National Infrastructure (CPNI) has released a new guidance document detailing the 'Top Twenty Critical Security Controls'. These provide a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense.
-http://continuitycentral.com/news06099.html

US State Department CISO to Become Director of US National Cyber Security (January 13, 2012)

Federal News Radio announced today that John Streufert, CISO of the US State Department, was to be named Director of the US National Cyber Security Division (NCSD). Streufert is best known for demonstrating how huge security improvement can be generated at low cost in 24-time zones, using "continuous monitoring and mitigation" where daily automated feeds of security status are scored and prioritized and fed to system administrators who correct problems every day. He also showed how to make the 20 Critical Security controls operational in a large agency.
-http://www.federalnewsradio.com/473/2705215/Exclusive-States-John-Streufert-movi
ng-to-DHS-



************************** SPONSORED LINKS ***************************

1) Analyst Webcast: Needle in a Haystack? Attribution in Control Systems, http://www.sans.org/info/96616 February 22, 1:00 PM EDT

2) Don't miss SANS Webcast: Advanced Persistent Threats - Cutting Through the Hype. Sign up at http://www.sans.org/info/96621

************************************************************************

THE REST OF THE WEEK'S NEWS

Reddit Will Go Dark for 12 Hours to Protest SOPA (January 12, 2012)

Reddit says that it will go dark for 12 hours on January 18 to protest the Stop Online Piracy Act (SOPA), the proposed legislation in the House of Representatives that has been generating controversy for its overly broad and some say draconian measures. Reddit plans to go dark between 8AM and 8PM EST on Wednesday, January 18. During its downtime, Reddit plans to "display a simple message about how PIPA/SOPA legislation would shut down sites like Reddit," and live streaming of a House Committee on Oversight and Government Reform hearing on DNS and search engine blocking. Wikipedia co-founder Jimmy Wales has expressed support for Reddit's decision. Wikipedia has also said it may go dark in protest, although at this time it is unclear whether it would be at the same time.
-http://www.computerworld.com/s/article/9223411/Reddit_to_go_dark_in_SOPA_protest
?taxonomyId=17

Senator Leahy Says PIPA's DNS Altering Provision Needs "Some Change" (January 12, 2012)

US Senator Patrick Leahy (D-Vermont), one of the sponsors of the Protect IP Act, or PIPA, now says that the provision in the bill that calls for the alteration of DNS records to prevent users from reaching websites that are believed to be committing copyright violations, may need to be changed itself. A spokesperson for Leahy said it is too soon to say whether the Senator will drop recommending that ISPs do something to block users from offending sites, but he is "clear that some change in that provision is needed." While Leahy's announcement is appreciated, many believe that it does not go far enough, because the bill is overly broad in its approach to fighting piracy.
-http://www.wired.com/threatlevel/2012/01/leahy-pipa-amendment/

Rep. Issa Plans to Introduce Alternative to SOPA (January 12, 2012)

Representative Darrell Issa (R-California) plans to introduce legislation in the US House that would counter the bill known as Stop Online Piracy Act (SOPA). Senator Ron Wyden (D-Oregon) has already introduced similar legislation in the Senate to counter SOPA's companion bill, the Protect IP Act, or PIPA. Issa and Wyden are both vocal opponents of the anti-piracy legislation that Wyden says will "turn websites into web cops." Both PIPA and SOPA would sever access to foreign websites that tout pirated content and counterfeit products. The bills would also cut off funds to those websites. The bills the two legislators plan to introduce when each house convenes later this month would cut funds to foreign websites that are infringing copyright; the implementation would fall to the International Trade Commission rather than the US Department of Justice, as PIPA and SOPA would have.
-http://www.nextgov.com/nextgov/ng_20120112_4160.php?oref=topnews

Court-Martial Recommended for Manning (January 12, 2012)

The presiding officer at Pfc. Bradley Manning's Article 32 hearing has recommended that all charges against Manning should stand and that he should face a court-martial for allegedly leaking classified documents to WikiLeaks. One of the charges Manning faces is aiding the enemy, which holds the possibility of a death penalty, but prosecutors say they will not seek the death penalty in this case.
-http://www.washingtonpost.com/world/national-security/officer-recommends-court-m
artial-for-bradley-manning-in-wikileaks-case/2012/01/12/gIQAqRvEuP_story.html

-http://www.wired.com/threatlevel/2012/01/manning-court-martialed/
-http://www.bbc.co.uk/news/world-16539409

Air Force Base Migrates to Linux After Malware Infection (January 12, 2012)

Following a malware infection at a US Air Force Base in Nevada in September 2011, it appears that the base has moved at least some computers from Microsoft Windows XP to a Linux operating system. The systems at the AFB control Reaper drone aircraft. While the infection seems to have been more of a nuisance than a threat, the incident was nevertheless embarrassing. The malware infected the ground control systems at the base, which "is separate from the flight control system Air Force pilots use to fly aircraft remotely." The malware found its way onto the computers through a portable hard drive; the base uses portable disks to load map updates and to transfer mission videos between computers.
-http://www.theregister.co.uk/2012/01/12/drone_consoles_linux_switch/
-http://www.informationweek.com/news/security/attacks/232400275
[Editor's Comment (Northcutt): There has been a long-standing debate about whether Linux is safer than Windows and I have no intention of taking sides. However a bit more diversity of operating systems certainly makes the attacker have to work harder:
-http://www.pcworld.com/businesscenter/article/202452/why_linux_is_more_secure_th
an_windows.html

-http://www.esecurityplanet.com/trends/article.php/3933491/Is-Linux-Really-More-S
ecure-than-Windows.htm

-http://blogs.computerworld.com/16367/dell_back_tracks_on_linux_being_safer_than_
windows
]

Anonymous Upping the Ante in Israel Hacks (January 12, 2012)

Members of the hacking group Anonymous have published what they claim are login details for Israeli Supervisory Control and Data Acquisition (SCADA) systems. It appears that the data dump is the latest in a game of one-upmanship that started with the theft and exposure of Israeli credit card account information. In apparent retaliation, an Israeli hacker stole and published Saudi credit card account information, and Israeli Deputy Foreign Minister Danny Ayalon said that the country would treat cyber attacks as acts of terrorism.
-http://www.bbc.co.uk/news/world-middle-east-16526067
-http://www.msnbc.msn.com/id/45975943/ns/technology_and_science-security/

NHS Employee Fined for Unauthorized Patient Data Access (January 12, 2012)

A UK NHS employee was fined GBP 500 (US $767) for accessing patients' health records without authorization in 2009. Juliah Kechil, who no longer works at the NHS, looked at the records of five members of her ex-husband's family to find their phone numbers, a breach of the Data Protection Act (DPA). The issue came to light when her former father-in-law, who had changed his phone number to avoid calls from Kechil, became suspicious after the calls resumed. She was also ordered to pay prosecution costs of GBP 1,000 (US $1,534). The NHS used Kechil's ID card to audit her activity.
-http://www.v3.co.uk/v3-uk/news/2137137/nhs-worker-fined-gbp500-illegally-accessi
ng-health-records

Stratfor Back Online; CEO Accuses Attackers of Censorship (January 11, 2012)

The Stratfor Global Intelligence website is back online following a December attack in which intruders stole subscriber data, including credit card information. In a video posted to YouTube, Stratfor CEO George Friedman took responsibility for the company's failure to take adequate security precautions surrounding the data, including failure to encrypt the information. Friedman also lashed out at those responsible for the attack, saying "this is a new censorship that doesn't come openly from governments but from people hiding behind masks." The attackers destroyed four of Stratfor's servers, including all data and backups. Friedman said that "the intent here was clearly to silence us by destroying our records, our archives, and our websites."
-http://www.computerworld.com/s/article/9223370/Stratfor_relaunches_site_CEO_accu
ses_attackers_of_censorship?taxonomyId=17

[Editor's Note (Honan): I commend Mr. Friedman for being so open and transparent in the video,
-http://youtu.be/ItreEs03A2k,
and taking responsibility for the breach and the internal issues that facilitated it. Hopefully other CEO's will view this video and take away the key lessons that information security can no longer be an afterthought to developing and running a business. ]

Microsoft and Adobe Patch Flaws (January 10 & 11, 2012)

On Tuesday, January 10, Microsoft and Adobe both released security fixes for critical flaws in their products. Microsoft issued seven security bulletins to address at least eight vulnerabilities. One of the Microsoft patches is the one that the company pulled at the last minute before its December security update because of third-party compatibility issues; it addresses the SSL/TLS flaw that has been exploited by BEAST. Just one of the Microsoft bulletins is rated critical; it addresses two flaws in Windows Media Player. The other six bulletins are rated important, although in the security community, some consider the flaws they address to be more dangerous than the rating suggests. Adobe issued security fixes for Reader and Acrobat.
-http://krebsonsecurity.com/2012/01/adobe-microsoft-issue-critical-security-fixes
/

-http://www.h-online.com/security/news/item/Security-updates-from-Microsoft-and-A
dobe-1407247.html

-http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Window
s_drive_by_bug?taxonomyId=85

-http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_in_R
eader?taxonomyId=82

-http://www.scmagazine.com/adobe-patches-reader-bugs-releases-new-javascript-feat
ure/article/222606/

-http://www.scmagazine.com/microsoft-issues-seven-security-patches-beast-fix-incl
uded/article/222588/

-http://technet.microsoft.com/en-us/security/bulletin/ms12-jan

Apple and RIM Deny Backdoor Arrangement with Indian Government (January 9 & 10, 2012)

Apple and Research in Motion (RIM) say they have not given the Indian government backdoor access to customer data. A memo posted to the Internet suggests that the companies and Nokia made such an arrangement to ensure "Indian
[smartphone ]
market presence." The memo purports to be from the Indian Directorate General of Military Intelligence. It was released by a hacker group that calls itself the Lords of Dharmaraja.
-http://www.theregister.co.uk/2012/01/09/apple_rim_indian_government_backdoor/


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of InGuardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is a security professional currently involved in independent security research.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and served as President of the InfraGard National Members Alliance - with more than 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/