SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #82

October 12, 2012

Defense Secretary Panetta's explosive speech, with extensive disclosure
of previously classified data (see today's first story), on top of
extraordinary statements by the head of MI5 (Jonathan Evans), combine
to speak volumes about the immediacy, scale, and ominous nature of the
newly emerging threat. In the past few months, more and more senior
officials in corporations and government agencies have concluded that
the people who have claimed that "cybersecurity isn't a technical
problem," were wrong and bear a significant part of the responsibility
for the high degree of cybersecurity vulnerability now faced by their
organizations.

Next Friday is the deadline for veterans and high school students to
register for the Cyber Foundations/CyberCenters program, that includes
on-line tutorials and challenges in three areas that are the essential
foundations of effective cybersecurity careers. Those who show talent
will earn opportunities for acceptance in the new CyberCenters program
where they will get intensive hands-on training and internships in the
only fast-track to high-paying careers in cybersecurity. Fees are very
low ($25) but may still be waived. Tell the veterans and high school
students you know who have IT talent to register at
https://www.cybercenters.org/

Alan

---

TOP OF THE NEWS

Secretary Panetta Declassifies Cyber Attack Information to Illuminate the Immediate threat of Cyber Attack on U.S. Critical Infrastructure
Task Force Recommends DHS Develop Cyber Corps

THE REST OF THE WEEK'S NEWS

Irish Domain Registry Breach
Mozilla Re-Releases Firefox 16
Hackers Steal Data From Computer Systems at Florida College
Supreme Court Declines to Hear Warrantless Wiretapping Case
Microsoft's Patch Tuesday Closes Critical Flaws in Word
Malware Turns Infected Machines Into Proxy Servers
Senator Rockefeller Seeks Information About Data Brokers' Business Practices
Mystery High-Frequency Trading Algorithm Hogged Bandwidth
Cisco Ends Business Relationship with Company That Allegedly Sold Equipment to Iran
Adobe Releases Update for Flash Player
Military Will Require Chips to be Tagged with Plant DNA

SECURITY IN CONTROL SYSTEMS

Electric sector letter to Chairman Rockefeller about cyber security legislation

---

********************* Sponsored By Palo Alto Networks *********************
The Palo Alto Networks Ignite Conference promises to be the network security event of the year - November 12-14, 2012 at the Las Vegas Wynn. Learn how to safely enable your business with over 30 educational sessions, user driven content, on-site CNSE certification, hands-on Expert Lab and networking opportunities with your peers. Learn more at: http://www.sans.org/info/115375
****************************************************************************
TRAINING UPDATE
- --SANS Seattle 2012 Seattle, WA October 14-19, 2012 5 courses. Bonus evening presentations include What's New in Windows 8 and Server 2012?; Assessing Deception; and Linux Forensics for Non-Linux Folks.
http://www.sans.org/seattle-2012/

- --SANS Baltimore 2012 Baltimore, MD October 15-20, 2012 6 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/baltimore-2012/

- --SANS Chicago 2012 Chicago, IL October 27-November 5, 2012 9 courses. Bonus evening presentations include Securing the Kids and Securing the Human.
http://www.sans.org/chicago-2012/

- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 28 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, Johannesburg, Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Secretary Panetta Declassifies Cyber Attack Information to Illuminate the Immediate threat of Cyber Attack on U.S. Critical Infrastructure (October 12, 2012)

Responding to a recent wave of cyberattacks on large American banks and on the giant oil company Saudi Aramco, which infected and made useless more than 30,000 computers, Defense Secretary Panetta used previously classified data in a speech highlighting the increasingly national vulnerability to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government. He was reacting to increasing aggressiveness and technological advances by the nation's adversaries, which officials identified as China, Russia, Iran and militant groups.
-http://online.wsj.com/article/SB10000872396390444657804578051071681887566.html?m
od=googlenews_wsj
-http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberatt
ack.html?ref=world
[Editor's Note (Assante): Defense Secretary Panetta understands the world only responds to real events vice what is possible. He is also attempting to cross the "this won't happen to me" chasm of disbelief. My biggest concern is what his audience takes away from the message that the DoD is preparing to defend the country in cyberspace. You can't simply transfer the responsibility to protect your system to someone else. Attacks are not easy to characterize as they come in many forms and a system owner is best positioned to understand what is happening to their systems and must always be prepared to take action to safeguard their organization.
As a side note - - - Today's modern military reality provides a poor analogy as we exclusively rely on the DoD to protect us against foreign military threats. A better analogy would be likening this to early days in new western territories. The army was prepared to respond to threats but no one told settlers not to be prepared to defend themselves. Everyone knew the cavalry might or might not be around when you needed them.]

Task Force Recommends DHS Develop Cyber Corps (October 11, 2012)

The Homeland Security Advisory Council's CyberSkills Task Force says the US Department of Homeland Security (DHS) needs to develop a reserve of cyberspecialists from both government and private industry. It would be similar to the National Guard, and could be called out to help reconstitute disabled systems in the event of a cyber emergency. The task force recommended that DHS explore working with the FBI's InfraGard program and the Secret Service's Electronic Crimes Task Forces to help create the cybersecurity reserves.
-http://www.nextgov.com/cybersecurity/2012/10/dhs-urged-create-reserve-cadre-cybe
r-experts/58704/?oref=ng-HPtopstory
-http://www.fiercegovernmentit.com/story/dhs-must-improve-cybersecurity-professio
nal-recruitment-career-path/2012-10-11
-https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report
%20-%20Final.pdf
[Editor's Note (Paller): That was the least immediate of the task force recommendations - implementing the others will have a big impact fast. See:
-http://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%
20-%20Final.pdf
(McBride): I am wondering what is DHS' long term role/mission in cybersecurity? Current and proposed DHS roles to support the private sector include: an information sharing hub, an alerter, a regulator, a technical expertise provider (consultant), and now potentially an en-mass incident responder. Is this the right role for government? The report itself levies a similar question (among others): "What is the business case for the CyberReserve?"]

---

*************************** Sponsored Link: *****************************
1) Take the SANS Application Security Survey and be entered to win a $300 American Express Card! http://www.sans.org/info/115380
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Irish Domain Registry Breach (October 11, 2012)

Officials in Ireland are investigating a breach of the IE Domain Registry that temporarily hijacked the Irish websites of Yahoo and Google. The problem has been traced to the unauthorized use of a registrar account.
-http://arstechnica.com/security/2012/10/irelands-domain-registry-suspends-some-o
perations-following-security-breach/
-http://www.eweek.com/security/irish-google-yahoo-domains-taken-offline-briefly-a
fter-security-breach/

Mozilla Re-Releases Firefox 16 (October 11, 2012)

Mozilla has re-released Firefox 16 with a fix for the critical vulnerability that prompted the company to pull the just-released browser from distribution on Wednesday. Mid-afternoon (ET) on Thursday, October 11, Mozilla began pushing out Firefox 16.0.1 to users who had downloaded the version with the vulnerability, and to users still running versions 15.x and earlier. Firefox 16.0.1 fixes four flaws in all, including two that were causing crashes. Attack code for the patched flaw is circulating online. The flaw could be exploited to allow websites to harvest information about users' browsing history.
-http://www.computerworld.com/s/article/9232304/Mozilla_re_releases_Firefox_16_af
ter_patching_critical_bugs?taxonomyId=17
-http://arstechnica.com/security/2012/10/firefox-16-vulnerability-attack-code-ava
ilable-online/

Hackers Steal Data From Computer Systems at Florida College (October 10, 2012)

Hackers appear to have stolen confidential information from computer systems at Northwest Florida State College. The breach affects roughly 279,000 students and employees of the Niceville school. The compromised data include names, birth dates, bank routing and account numbers, and Social Security numbers (SSNs). Local, state, and federal authorities are investigating the incident, which occurred between late May and late September 2012. At least 50 people have reported instances of identity fraud that appear to be a result of the breach. This breach appears to be unconnected to the recent breaches at other universities around the world.
-http://www.darkreading.com/database-security/167901020/security/attacks-breaches
/240008928/florida-university-breach-exposes-data-on-279-000.html
-http://news.cnet.com/8301-1009_3-57530164-83/thousands-of-student-records-stolen
-in-florida-college-breach/
-http://www.computerworld.com/s/article/9232276/Hackers_steal_thousands_of_studen
t_records_from_computers_at_Florida_college?taxonomyId=82

Supreme Court Declines to Hear Warrantless Wiretapping Case (October 9 & 10, 2012)

The US Supreme Court has declined to review a lower court decision that dismissed a lawsuit brought by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) challenging the National Security Agency's (NSA) warrantless wiretapping program. The original lawsuit, filed in 2006, aimed to hold telecommunications companies accountable for letting the US government eavesdrop on residents' communications. In 2008, Congress gave telecommunications companies retroactive immunity from liability for cooperating with the eavesdropping requests after the September 2001 attacks.
-http://arstechnica.com/tech-policy/2012/10/supreme-court-allows-wiretapping-immu
nity-law-to-stand/
-http://news.cnet.com/8301-1009_3-57529255-83/supreme-court-closes-door-on-warran
tless-eavesdropping-suit/

Microsoft's Patch Tuesday Closes Critical Flaws in Word (October 9 & 10, 2012)

On Tuesday, October 9, Microsoft released seven security bulletins to address a total of 20 vulnerabilities in Windows, Office, SQL Server, and Lync. The lone critical patch addresses a pair of flaws in Microsoft Word that could be exploited to allow remote code execution. Successful exploitation would require that users open specially crafted RTF files. The other six bulletins are rated important.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-oct
-http://www.h-online.com/security/news/item/Microsoft-delivers-fix-for-critical-W
ord-vulnerability-1727041.html
-http://krebsonsecurity.com/2012/10/microsoft-patches-windows-office-flaws/
-http://www.scmagazine.com/word-bugs-key-length-issue-addressed-in-microsoft-upda
te/article/263084/
[Editor's Note (Ullrich): Also note that a number of older bulletins were re-released due to an error in signing the binaries included in those bulletins. ]

-https://isc.sans.edu/diary.html?storyid=14272

Malware Turns Infected Machines Into Proxy Servers (October 9, 2012)

Symantec researchers say that there are computers infected with malware that allows them to be used as proxy servers by cybercriminals. Backdoor.Proxybox is a Trojan horse program with rootkit functionality. While botnets are often used to send spam, launch distributed denial-of-service (DDoS) attacks, and other sorts of known illegal activity, the computers infected with Backdoor.Proxybox are being used as a commercial proxy service. There is a website offering access to its services, along with a list of prices for varying numbers of proxy servers in certain countries. Payment accounts associated with the service have been linked to a man in Russia.
-http://www.computerworld.com/s/article/9232197/Malware_infected_computers_rented
_as_proxy_servers_on_the_black_market

Senator Rockefeller Seeks Information About Data Brokers' Business Practices (October 10, 2012)

US Senator Jay Rockefeller (D-West Virginia) has sent letters to nine data brokerage companies, asking them to provide answers to a dozen questions about where and how they gather information, with whom they share the information, and what information is shared. Senator Rockefeller is also asking what level of control individuals have over the information the companies collect. The companies are asked to respond by November 2, 2012. Earlier this year, two US Representatives launched an inquiry into data compilers, and the Federal Trade Commission (FTC) is also looking into some data brokers' practices.
-http://thehill.com/blogs/hillicon-valley/technology/261249-rockefeller-pushes-da
ta-brokers-for-answers-on-business-practices-
Text of letter:
-http://commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-5ac8-4157-
a97b-a658c3c3061c

Mystery High-Frequency Trading Algorithm Hogged Bandwidth (October 8 & 9, 2012)

A high-frequency trading algorithm is believed to be responsible for roughly four percent of US stock market trades last week. The peculiar algorithm placed orders and then cancelled them. A company that tracks high-frequency trading reported the incident. The algorithm ceased activity mid-morning Friday, October 5. The algorithm used 10 percent of available trading bandwidth.
-http://www.cnbc.com/id/49333454
-http://investorplace.com/2012/10/unknown-high-frequency-trading-algorithm-detect
ed/

Cisco Ends Business Relationship with Company That Allegedly Sold Equipment to Iran (October 8 & 9, 2012)

Cisco has severed its sales relationship with Chinese company ZTE following allegations that ZTE sold Cisco networking equipment to Iran in violation of US sanctions. The decision made news just after a US congressional report, issued earlier in the week, alleged that ZTE and Huawei pose threats to US national security.
-http://arstechnica.com/tech-policy/2012/10/cisco-cuts-ties-with-chinese-firm-acc
used-of-reselling-gear-to-iran/
-http://www.bloomberg.com/news/2012-10-08/cisco-ends-sales-partnership-with-zte-a
mid-spying-concerns-1-.html

Adobe Releases Update for Flash Player (October 8, 9, & 10, 2012)

Adobe has released an update for its Flash Player to addresses 25 critical flaws. Microsoft and Google have both incorporated Flash into their browsers and so must issue the patches for the media player through their own update systems. Google pushed out an update for Chrome, and Microsoft issued a patch for Flash for Internet Explorer 10 (IE10) on Windows 8. Adobe has issued fixes for Windows, Mac, Linux, and Android. Adobe has also released a security update for Adobe AIR software.
-http://www.whyy.org/tv12/fridayarts/art.html
-http://www.h-online.com/security/news/item/Adobe-releases-25-critical-Flash-patc
hes-1726163.html
-http://krebsonsecurity.com/2012/10/critical-adobe-flash-player-update-nixes-25-f
laws/
[Editor's Note (Murray): "Adobe releases updates..." is no more news than that the sun rises in east every morning. ]

Military Will Require Chips to be Tagged with Plant DNA (October 8, 2012)

In an effort to crack down on counterfeit computer chips, the Defense Logistics Agency (DLA) will start requiring companies that sell the devices to the US military to use DNA-tagging to assure their authenticity. DNA-tagging technology involves engineering plant DNA and mixing the unique strands with ink used on the chips, or mixing the strands into materials used in the chips' manufacture. The technology is used in European banknotes and has helped convict more than 30 counterfeiters. DLA will also issue a formal Request for Information later this fall to seek suggestions for other technologies to assure authenticity of parts. DLA director Vice Admiral Mark Harnitchek has put forth a four-step plan to combat counterfeit chips: test components already in possession; purchase from original manufacturers and authorized distributors; deploy software that can detect anomalies; and require that new microcircuits are tagged with DNA.
-http://defense.aol.com/2012/10/08/dla-demands-chip-makers-tag-products-with-plan
t-dna-a-war-on-co/

---

SECURITY IN CONTROL SYSTEMS

Electric sector letter to Chairman Rockefeller about cyber security legislation 9/27/2012

-http://assets.nationaljournal.com/pdf/1209_ElectricLetterRockefeller.pdf
McBride: This letter represents an effort on behalf of electric sector entities to avoid "duplicative" cyber legislation under a DHS-led regime. The authors seem to feel that "NERC CIP is enough." Well, CIP lets significant portions of the grid (like all distribution) operate without much, if any, security regulation. Hence the authors of the letter view preserving the status quo as compatible with their interests. While an open and detailed discussion about who is subject to any new regulation is bound to leave some parties disappointed, the argument that current regulation exists is an insufficient cover for the underlying problem. On the other hand, there is not a lot of precedent for the effectiveness of cyber security regulation, and who can blame the utilities -- which have already been placed under a stricter cyber regulatory burden than any other sector -- for being a little concerned?
Assante: There are very real challenges with the implementation of existing regulations but new proposals lack both implementation detail and well honed objectives. Industry's worse nightmare is to develop separate compliance regimes to serve different masters. I have experienced that first hand when FERC and NRC were going to share regulatory responsibility for cybersecurity at Nuclear Power Plants.

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/