SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #89

November 06, 2012

We heard from two companies this week that their 2012 travel budgets
were used up so they were considering sending people to less effective,
local security training. Clearly, we haven't done a very good job of
getting the word out that 20 of SANS best courses are available online,
with our top teachers and all the hands-on elements. And there is an end
of the year promotion to make the online program more convenient - a
MacBook Air. https://www.sans.org/online-security-training/specials.

Tomorrow (November 7) is the last day for large savings on the big
Washington DC-based cyber security training program
(CyberDefenseInitiative Dec 7-16) with 25 immersion courses and the big
NetwWars competition and the Tournament of Champions with 150 of the
world's best cyber operators.

Learn more and register: http://www.sans.org/event/cyber-defense-initiative-2012/courses/
Tournament of Champions: http://www.sans.org/special/netwars-champions

Alan

---

TOP OF THE NEWS

Lawsuit Filed Over "Experimental" Patches Installed on Voting Machines Without Testing
Consortium for Cybersecurity Action Aims to Help Public and Private Sector

THE REST OF THE WEEK'S NEWS

Justice Dept. Told to Disclose More Information About "Going Dark" Program
Mozilla Introduces Enhanced Security Feature in Firefox
Research Uncovers Smart Meter Privacy Issues
Facebook Fixes Password Flaw
Exposed Apache Status Pages
Companies Conceal Major Breaches
Prison Time and Fines for Two in BitTorrent Copyright Case
US $1.5 Million Award in Film Piracy Case

---

********************** SPONSORED BY Symantec *****************************
Unrivaled Security: Over 8 Million Users Can't Be Wrong. Join this webcast to find out how you can get unrivaled security, blazing performance and support for virtual environments. Learn about new features of Symantec Endpoint Protection 12.1.2. including VMware vShield integration, support for Windows 8 and Mac Mountain Lion. Register Now. http://www.sans.org/info/116452
****************************************************************************
TRAINING UPDATE
- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses. Special Event evening bonus sessions: I've Been Geo-Stalked! Now What? And Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

Lawsuit Filed Over "Experimental" Patches Installed on Voting Machines Without Testing (November 5, 2012)

A lawsuit filed in US District Court in Ohio seeks to have Ohio Secretary of State Jon Husted remove "experimental" software patches that were installed on Election Systems and Software (ES&S) vote tabulation machines without testing or certification. The machines are being used in 39 counties in Ohio. Husted's office says that the software is intended to streamline the process of counties reporting election results to the Secretary of State's system. Internal memos at the Ohio Secretary of State's office indicate that the software patches were not tested because they are "not involved with the tabulation or communication of votes." Ohio state law prohibits the installation of untested software updates on voting machines. A Husted spokesperson has called the lawsuit "ridiculous."
-http://www.computerworld.com/s/article/9233274/Update_Lawsuit_filed_in_Ohio_over
_software_updates_to_vote_tabulation_machines?taxonomyId=17
-http://www.sfgate.com/news/article/Ohio-official-Voting-machine-lawsuit-ridiculo
us-4009994.php
[Editor's Comment (Murray): While it is possible to so manage and limit changes to software so as to be able to make statements about the extent of those changes, it is extremely rare to see such management. In its absence, any change calls into question the integrity of the entire system. All that said, it is not difficult to demonstrate the integrity of a tabulation after the fact. We call such demonstrations "recounts." While costly, and sometimes controversial, they are effective.
(Northcutt): Long time readers know my concerns about electronic voting machines, also known as computers. This is one more step to the abyss.
(Paller): Most of the people who are concerned about electronic voting machines and internet-based voting are, like Avi Rubin and Stephen Northcutt, real cybersecurity experts who recognize how vulnerable the technology is to manipulation. The reason that electronic voting is becoming common and ultimately will replace most manual systems is that the manual systems are also subject to massive fraud possibilities - fraud that has changed Presidential election outcomes. In the end decisions will be made locally and will come down to a tradeoff between multiple approaches all of which have substantial vulnerabilities and one of which is faster, less expensive, and more convenient.]

Consortium for Cybersecurity Action Aims to Help Public and Private Sector (November 5, 2012)

The newly-launched Consortium for Cybersecurity Action (CCA) updated the 20 Critical Security Controls to include recommendations to help protect systems from advanced persistent threat (APT) attacks. CCA is headed by former National Security Agency (NSA) Information Assurance Division chief operating officer Tony Sager. Sager says the 20 Critical Security Controls are "the most important defenses that every firm should put in place."
-http://www.nextgov.com/cybersecurity/2012/11/governments-and-companies-band-toge
ther-push-cyber-protections/59270/?oref=ng-channeltopstory
-http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabi
lities/240044454/ex-nsa-official-heads-new-global-consortium-issuing-attack-driv
en-security-controls.html

---

************************** SPONSORED LINKS *****************************
1) SANS Webcast: Why Deception Matters in Today's Web Attacks. With SANS Analyst John Bumgarner and Mykenos president David Koretz. Nov 8, 2012. http://www.sans.org/info/116457
2) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116462
3) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices" http://www.sans.org/info/116467
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Justice Dept. Told to Disclose More Information About "Going Dark" Program (November 2, 2012)

US District Judge Richard Seeborg "is ordering the Justice Department (DOJ) to disclose more information about" its program to extend its wiretapping capabilities to all types of electronic communications. There is not much known about what is called the "Going Dark" program. The Electronic Frontier Foundation (EFF) sought the information through a Freedom of Information Act (FOIA) request; the DOJ withheld large quantities of pertinent information. Judge Seeborg says the DOJ must disclose more information.
-http://www.wired.com/threatlevel/2012/11/fbi-wiretap-backdoors/
-http://www.wired.com/images_blogs/threatlevel/2012/11/calea.pdf

Mozilla Introduces Enhanced Security Feature in Firefox (November 2, 2012)

Mozilla has introduced a new feature in the beta of the next version of Firefox that will allow certain websites to load only when they can provide the browser a cryptographic certificate that validates the connection's security. The HTTP Strict Transport Security (HSTS) mechanism requires browsers to use secure sockets layer or transport layer security protocols. The new feature in Firefox will include a list of sites known to use HSTS and will allow those sites to connect only with valid certificates. The feature is designed to help prevent certain man-in-the-middle attacks. When browsers connect to HSTS servers for the first time, they do not know that they require secure connections, hence the whitelist of domains that use the protocol.
-http://arstechnica.com/security/2012/11/firefox-gets-strict-about-enforcement-of
-https-protection/
-http://www.computerworld.com/s/article/9233200/Firefox_to_force_secure_connectio
ns_for_selected_domains?taxonomyId=17
[Editor's Note (Honan): Using the HSTS protocol means only that the connection between the server and the client is secure; there are no guarantees that the server and/or the client themselves are secured. ]

Research Uncovers Smart Meter Privacy Issues (November 5, 2012)

A study conducted by researchers at the University of South Carolina found that some smart meters are transmitting unencrypted data. Eavesdroppers could potentially take the information and use it to determine whether or not the residents are at home. The smart readers transmit the data to make it easy for legitimate meter readers to gather the necessary information for billing from street distance. Most smart readers wait for a signal from the legitimate reading device before transmitting data, but at least one type of meter sends information every 30 seconds regardless of whether or not there is a meter reader in the vicinity. The researchers who gathered the information used about US $1,000 worth of equipment and software, as well as knowledge of what they were looking for. In a 2010 report, the National Institute of Standards and Technology's Smart Grid Interoperability Panel recommended that if the devices were to use wireless technology to transmit "energy usage information, then that data must be securely transmitted and have privacy protection."
-http://www.computerworld.com/s/article/9233265/Smart_meters_not_so_clever_about_
privacy_researchers_find?taxonomyId=203
[Editor's Note (Pescatore): There is a long history of encryption being in standards for new technologies but not be implemented (or being implemented badly) in the first wave of the new technology. As Crypto-Barbie once said "Encryption is hard..."
(McBride): AMR-equipped meters might be smarter, but are generally not considered "smart meters"; that would be AMI (Advanced Metering Infrastructure). I don't think anyone in the industry was under the impression that AMR is necessarily encrypted. Tools for reading your AMR are publicly available:
-http://www.gridinsight.com/products/amrusb-1/]

Facebook Fixes Password Flaw (November 2 & 5, 2012)

Facebook has closed a security hole that allowed some accounts to be accessed without passwords. The vulnerability lies in emails that Facebook sends users which contain links allowing them to login to their accounts directly.
-http://news.cnet.com/8301-1009_3-57544933-83/facebook-password-bypass-flaw-fixed
/
-http://www.nbcnews.com/technology/technolog/facebook-fixes-hole-could-let-hacker
s-without-password-1C6833891
-http://www.bbc.co.uk/news/technology-20180229

Exposed Apache Status Pages (November 1 & 5, 2012)

More than 2,000 websites, some belonging to Fortune 500 companies, have their Apache server status pages publicly accessible. The pages contain information that could be helpful to hackers who want to break into those networks. The HTML page provides data meant for administrators to let them know how that particular server is performing. The issue is easy to fix; server administrators should disable server-status or restrict it to the IP addresses that actually need access to the information. All Apache administrators should check to see if the situation exists on their servers. The study scanned more than 10 million websites and found 2,072 with server-status enabled.
-http://www.informationweek.com/security/vulnerabilities/apache-server-setting-mi
stakes-can-aid-h/240012731
-http://arstechnica.com/security/2012/11/misconfigured-apache-sites-expose-user-p
asswords-other-private-data/

Companies Conceal Major Breaches (November 4, 2012)

In March 2009, the FBI informed the Coca-Cola company that hackers had infiltrated its computer systems and stolen files related to the Coca-Cola's attempted takeover of a Chinese beverage company. The hackers appear to have gained purchase in Coca-Cola's systems by sending targeted malicious email messages. The deal fell apart just days later, and Coca-Cola has never publicly acknowledged the attack. Other companies in the US and abroad have also kept silent about major data security breaches. The organizations are concerned that going public with news of breaches could damage their reputations and the value of their stock. Despite guidance from the US Securities and Exchange Commission (SEC) last year recommending that companies disclose material losses from cyberattacks in their reports, no company has yet done so. UK energy company BG Group suffered a large data breach in 2011; the incident was kept secret even within the company.
-http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html
-http://www.bbc.co.uk/news/technology-20204671
-http://www.theregister.co.uk/2012/11/05/coca_cola_breach_china_hackers/
[Editor's Note (Pescatore): It is not true that no company has reported security breaches that resulted in material impact to their revenue/profit. In 2011, both Sony and RSA reported the direct costs of their breaches, and this year Global Payments disclosed costs of $84M. Companies do not have to report every incident of industrial espionage, either - there is no good reason why industrial espionage using computers should be treated differently.
(Honan): Other disclosures:
-http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120
202
and
-http://www.networkworld.com/news/2012/020312-verisign-faq-255697.html
(Murray): These cases always put me in mind of Franklin National Bank that survived a large loss from unauthorized trading but failed when it became public. Sometimes publicity is the most costly consequence of a breach.]

Prison Time and Fines for Two in BitTorrent Copyright Case (November 2 & 3, 2012)

Willie O. Lambert and Sean M. Lovelady have been given prison terms for copyright infringement. The men are part of a larger group that until September 2011 recorded movies in theaters with camcorders and uploaded them to BitTorrent. Last spring, Lambert, Lovelady, and two others - Jeramiah E. Perkins and Gregory A. Cherwonik - were charged with conspiracy, criminal copyright infringement, and distribution of a work prepared for commercial distribution. Lambert was sentenced to 30 months in prison and to pay nearly US $450,000 in restitution. Lovelady was sentenced to 23 months and ordered to pay US $7,500 in restitution. The other two men are scheduled to be sentenced soon.
-http://arstechnica.com/tech-policy/2012/11/two-men-from-indicted-bittorrent-grou
p-imprisoned-for-movie-piracy/
-http://www.wired.com/threatlevel/2012/11/camcording-pirates-prison/
-http://news.cnet.com/8301-1023_3-57544669-93/two-members-of-piracy-group-imagine
-get-prison-terms/
Lovelady Plea Agreement:
-http://www.wired.com/images_blogs/threatlevel/2012/05/loveladypleaagreement.pdf
April 2012 Indictment:
-http://www.wired.com/images_blogs/threatlevel/2012/05/lovelady.pdf

US $1.5 Million Award in Film Piracy Case (November 2 & 5, 2012)

A US federal court in Illinois has ordered two men to pay US $1.5 million for pirating 10 pornographic films and uploading them to a filesharing site. The pirated films were tagged with digital watermarking technology so that the filmmaker could identify the individual who originally purchased the content. The film company said that the 10 films were "infringed or downloaded at least 3,449 times." Because the defendants, Kywan Fisher and Cormelian Brown, failed to appear in court, the judge awarded a default judgment.
-http://www.bbc.co.uk/news/technology-20178171
-http://www.wired.com/threatlevel/2012/11/gay-porn-infringement/
-http://www.wired.com/images_blogs/threatlevel/2012/11/flava.pdf
-http://www.wired.com/images_blogs/threatlevel/2012/11/brownjudgement.pdf

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/