SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #90

November 09, 2012

TOP OF THE NEWS

Stuxnet Hit Chevron in 2010
US Government is Being Sold Phony Equipment and Technology
New Jersey eMail Voting Called "Risky"

THE REST OF THE WEEK'S NEWS

RIM's BlackBerry 10 Receives FIPS Certification Ahead of Launch
Exploit for Zero-Day Flaw in Adobe Reader is Being Sold on Internet
Mastercard Unveils New Card with LCD Display and Keyboard
Chrome 23 Includes Do Not Track Option
MegaUpload Case Carries Privacy and Property Rights Implications for Cloud Storage
Manning is Willing to Take Responsibility for Leaking Documents
Company Sues for Royalties Over Use of SSL and TLS Protocols
Additional Defendants Named in South Carolina Dept. of Revenue Breach Case
Adobe Releases Updates for Flash and AIR
Stolen VMware ESX Code Posted to Internet


************************** SPONSORED BY Bit9 *****************************
WEBCAST: Today's Application Control and Whitelisting - November 13th 2pm Eastern - Join EMA Managing Research Director, Scott Crawford, and Bit9 Director of Product Marketing, Ian Lee, to learn how today's Application Control and Whitelisting solutions give organizations more than a strong answer to today's more demanding threats. Attendees will learn how today's technologies make effective security more transparent and adaptable to business requirements. REGISTER TODAY
http://www.sans.org/info/116547
****************************************************************************
TRAINING UPDATE
--SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses. Special Event evening bonus sessions: I've Been Geo-Stalked! Now What? And Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/sydney-2012

--SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

--SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

--SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

--North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Stuxnet Hit Chevron in 2010 (November 8, 2012)

The Stuxnet malware infected Chevron's network in 2010. The malware was detected shortly after it made the jump from its target in Iran to other systems. A Chevron spokesperson says that Stuxnet did not harm its IT systems. Chevron is the first US company to acknowledge that Stuxnet infected its systems; most experts believe that the majority of attacks and infections remain unreported. Other malware designed to damage computers has emerged in recent months. A natural gas company in Qatar was attacked last summer, and malware dubbed Shamoon destroyed data on 30,000 computers at the Saudi Arabian oil company Saudi Aramco in August 2012. Protecting systems from such stealthy and destructive attacks requires expert understanding of cybersecurity and of the specific systems a given organization is running. These people know what normal network traffic is supposed to look like, and the US has far too few of them.
-http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/?mod=wsjcio_hps_cioreport

[Editor's note (Murray): The fundamental problem with the use of viruses as weapons is that once deployed, one loses control of it. It is as likely to damage one's friends as one's enemies.
(Paller): Bill Murray is highlighting the difference between cyber weapons and kinetic weapons. Cyber weapons are often enhanced and then launched against their creators. That's why the shortage of advanced technical cyber skills has become an existential issue for the U.S. and several other developed nations. There are no automated defense systems that can protect power systems and other critical infrastructure resources against these advanced attacks. The only defense - admittedly imperfect - is radically improved technical skills.
(McBride): "Escaped" continues to be a puzzling term when applied to a virus that relied on numerous Microsoft 0-day vulnerabilities and propagation vectors. On the other hand, if your system was not the single underground facility in Iran that Stuxnet was intended to disrupt, the infection was benign. Such collateral damage is part of the price industry gets to pay for (what was then) two more years of Iran without a nuclear weapon. ]

US Government is Being Sold Phony Equipment and Technology (November 8, 2012)

According to one study, companies that have been identified as "high risk" have nonetheless been selling technology equipment and products to the US military and other government agencies. Some of the products have been found to be fake, leading to concerns about missiles not firing, airplane parts not working properly, and cyberespionage. The companies that have been given the high-risk identifier are known to be associated with counterfeiting operations, wire fraud, product tampering, and other illegal activity. Of more than 9,500 companies that had been "banned" and had still managed to sell equipment to the government, 10 percent of the instances were found to involve phony parts and/or equipment.
-http://money.cnn.com/2012/11/08/technology/security/counterfeit-tech/index.html
[Editor's Note (Pescatore): Most of the attention paid to "supply chain integrity" has been focused on attacks by foreign nations, while shoddy procurement processes are allowing counterfeit IT devices to routinely be included in procurements. NSA and DoE have pretty strong programs in this area - the U.S. government should enable those best practices to be understood and adopted across agency procurements.
(McBride): Even the stuff that is legit might not work right... not to mention back doors. And get this, everyone is being sold software with bugs in it too! Risk management is a matter of understanding your risks to a reasonable depth before accepting them. Inquiring minds are finally getting a little bit of traction, and press coverage, on the supply chain front.
(Murray and Paller): Does anyone know who banned the 9,500 companies and why? ]

New Jersey eMail Voting Called "Risky" (November 6 & 7, 2012)

Security experts have called the decision by New Jersey officials to allow residents affected by Hurricane Sandy to vote by email "risky." Some voters reported that the email inboxes set up to collect incoming ballots were full and that their ballots were being bounced back. Many New Jersey residents have been displaced by the storm because of flooding and the loss of utilities, and many roads are difficult to drive on because of storm damage. The state already allows residents living overseas to cast their ballots by email and extended that permission to those dislocated by Hurricane Sandy.
-http://www.nextgov.com/cybersecurity/2012/11/election-takeaway-emergencies-arent-time-experimenting/59336/?oref=ng-channeltopstory

-http://www.bbc.co.uk/news/technology-20217810
[Editor's Note (Murray): Everything one does is "risky." In this case the risk that some votes might be cast and not counted must be weighed against a far greater number not cast at all.
(Pescatore): Since most companies routinely tell their customers "we would never ask for your password or account information over email" it is not hard to say email voting is extremely risky. It appears NJ did back this up with physical paper ballots to minimize the risk but we'd be much better off if some candidate secure approaches were developed and tried out in advance in local elections, and then debugged and vetted for such emergency use in a presidential election. ]


************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116552
2) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices" http://www.sans.org/info/116557
************************************************************************

THE REST OF THE WEEK'S NEWS

RIM's BlackBerry 10 Receives FIPS Certification Ahead of Launch (November 8, 2012)

Research in Motion's (RIM's) BlackBerry 10 is the first mobile platform to receive US Federal Information Processing Standard 140-2 (FIPS 140-2) certification before its launch. FIPS 140-2 validation covers the platform's cryptographic modules and is what US federal agencies require before a device may be used to protect sensitive (though not classified) government information, so agencies can deploy BlackBerry 10 as soon as the platform is released in the first quarter of 2013. RIM has touted its security features in the past: BlackBerry 7 was designed to overwrite deleted data on memory cards instead of merely marking it as deleted. The National Institute of Standards and Technology (NIST) manages the FIPS 140-2 certification process.
-http://www.theregister.co.uk/2012/11/08/blackberry_10_fips/
-http://www.computerworld.com/s/article/9233366/BlackBerry_10_is_FIPS_certified_in_advance_of_platform_s_release?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57546812-83/blackberry-10-wins-u.s-security-clearance-ahead-of-launch/

-http://www.informationweek.com/government/mobile/rim-blackberry-10-gets-government-securi/240062640

[Editor's Note (Pescatore): RIM's delay in getting this product out has resulted in many government agencies moving to the iPhone. For some reason, the Apple iOS CoreCrypto modules have been stuck in the "Review Pending" stage of FIPS 140-2 testing for close to 2 years now. If Apple is still unable to get through that testing when the BlackBerry 10 ships, it will help RIM stem the bleeding of market share in the government sector. ]

Exploit for Zero-Day Flaw in Adobe Reader is Being Sold on Internet (November 7 & 8, 2012)

A zero-day flaw in Adobe Reader can reportedly be exploited to bypass the software's sandbox protection. Exploits are being sold on underground forums for US $30,000 and more. The exploit appears to work only against Windows versions of Reader, and it functions even when JavaScript has been disabled in Reader, so the usual mitigation of turning JavaScript off does not help. A flaw of this kind is well suited to gaining the initial foothold in targeted intrusions of the advanced persistent threat (APT) variety. The exploit reportedly does not work when the PDF is opened in Google Chrome, which renders PDFs in its own sandboxed viewer rather than in Reader. Adobe is investigating the reports.
-http://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-adobe-reader/

-http://www.theregister.co.uk/2012/11/08/adobe_reader_zero_day/
-http://www.computerworld.com/s/article/9233382/Zero_day_PDF_exploit_reportedly_defeats_Adobe_Reader_sandbox_protection?taxonomyId=17

-http://arstechnica.com/security/2012/11/zero-day-attack-reportedly-pierces-key-adobe-reader-defense/

-http://www.h-online.com/security/news/item/Alleged-0day-exploit-for-Adobe-Reader-in-circulation-1746442.html

Mastercard Unveils New Card with LCD Display and Keyboard (November 8, 2012)

Mastercard has introduced a new version of its credit card that includes an LCD screen and a keyboard. The card was unveiled in Singapore and is scheduled to be launched in January 2013. It has the ability to generate one-time passwords (OTPs). It helps eliminate the need for the security tokens that are often required of customers who conduct online banking. In the future, the card may be able to display other information, such as reward points and transaction history.
-http://www.bbc.co.uk/news/technology-20250441
-http://arstechnica.com/gadgets/2012/11/a-mastercard-with-an-lcd-display-and-touch-sensitive-buttons/

-http://www.zdnet.com/sg/mastercard-launching-banking-card-with-otp-capability-7000007094/
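The card's one-time-password capability is not described in any detail above, so the following is an added illustration, not code from MasterCard or from the articles, of how a generic OTP token works: the HMAC-based one-time password (HOTP) algorithm of RFC 4226, which the page does not say is the scheme this card uses. The point it makes is why a display card can replace a separate security token: the shared secret and the event counter live in the device, and the bank verifies the code with the same secret and a small look-ahead window, then advances its counter so the accepted code cannot be replayed. The secret is the RFC 4226 test-vector secret; the look-ahead window size is this example's own assumption.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, stored_counter: int,
                look_ahead: int = 10) -> Optional[int]:
    """Server-side check (the bank's half of the scheme).

    The device may have generated codes that were never submitted, so the
    server accepts any of the next `look_ahead` counters (assumed window size).
    On success it returns the counter the server must store next, which is
    what prevents replay of the accepted code; on failure it returns None and
    the stored counter is left unchanged."""
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):   # constant-time comparison
            return c + 1
    return None


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# card would hold a per-card secret provisioned by the issuer.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(TEST_SECRET, n))                  # 755224, 287082, 359152
    server_counter = 0
    code = hotp(TEST_SECRET, 2)                         # user pressed the button three times, submitted the third code
    server_counter = verify_hotp(TEST_SECRET, code, server_counter)
    print("accepted, next counter:", server_counter)    # 3
    print("replay of same code:", verify_hotp(TEST_SECRET, code, server_counter))   # None
```

The codes for counters 0 through 9 match the RFC 4226 Appendix D vectors (755224, 287082, 359152, ..., 520489), which is the quickest way to check any HOTP implementation. The window is the security trade-off: a larger `look_ahead` tolerates more missed presses but gives an attacker who guesses codes more valid targets per attempt, so the verifier should also rate-limit failures.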

Chrome 23 Includes Do Not Track Option (November 7 & 8, 2012)

Chrome 23 was pushed out to users this week; the newest stable version of Google's browser includes a Do Not Track (DNT) feature. Mozilla introduced DNT in Firefox in June 2011, and Microsoft has been generating controversy by shipping Internet Explorer 10 (IE 10) with DNT turned on by default. Apache and Yahoo have both said that they will ignore the DNT signal sent by IE 10 because the option should express the user's decision, not a default setting. Chrome leaves the feature turned off by default. The DNT mechanism requires the cooperation of websites; some will continue to collect browsing data regardless of the signal. Chrome 23 also includes several other improvements, including one that should improve the battery life of certain computers.
-http://arstechnica.com/tech-policy/2012/11/do-not-track-finally-arrives-with-version-23-of-chrome/

-http://www.informationweek.com/smb/mobile/google-chrome-adds-do-not-track/240062616

-http://www.h-online.com/security/news/item/Chrome-23-closes-holes-promises-longer-battery-life-1744972.html

-http://www.computerworld.com/s/article/9233354/Chrome_ships_with_Do_Not_Track_support?taxonomyId=17
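What "requires the cooperation of websites" means in practice: the browser sends a single advisory request header, DNT: 1, and everything that happens next is the site's decision. The following is an added example, not code from Google, Apache, Yahoo or the articles, of that server-side decision in Python, including the variant Apache and Yahoo announced, which discards DNT: 1 from IE 10 on the grounds that it is a vendor default rather than a user choice. The "MSIE 10.0" User-Agent marker, the constructed sample requests and the function names are this example's own assumptions.

```python
from typing import List, Mapping, Optional, Sequence

IE10_MARKER = "MSIE 10.0"   # assumed User-Agent substring identifying IE 10


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Decode the DNT request header.

    True  -> the user asks not to be tracked (DNT: 1)
    False -> the user consents to tracking   (DNT: 0)
    None  -> header absent or unrecognised: no preference expressed
    """
    raw = get_header(headers, "DNT")
    if raw is None:
        return None
    value = raw.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def may_track(headers: Mapping[str, str], ignore_ie10_default: bool = False) -> bool:
    """The site's half of the DNT bargain: decide whether to track this request.

    Nothing in the browser enforces the header. A site that honours DNT
    declines to track whenever the user asked not to be. With
    ignore_ie10_default=True the site discards DNT: 1 from IE 10 because
    IE 10 ships with the flag on, so the signal may not be a user choice.
    Caveat: that also discards the signal from IE 10 users who enabled it
    deliberately, and a site that does not honour DNT at all never calls this.
    """
    pref = dnt_preference(headers)
    if pref is True and ignore_ie10_default:
        if IE10_MARKER in (get_header(headers, "User-Agent") or ""):
            return True
    return pref is not True   # no preference, or explicit consent: tracking allowed


def apply_policy(requests: Sequence[Mapping[str, str]],
                 ignore_ie10_default: bool = False) -> List[bool]:
    """One tracking decision per request, in order."""
    return [may_track(h, ignore_ie10_default) for h in requests]


# Constructed sample requests (not captured traffic); only DNT and
# User-Agent matter here.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0.1271.64", "DNT": "1"},     # Chrome 23, user switched DNT on
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.2) Chrome/23.0.1271.64"},                 # Chrome 23 default: no header sent
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)", "DNT": "1"},  # IE 10 shipping default
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0", "dnt": "0"},            # explicit consent, lower-case name
]

if __name__ == "__main__":
    print("honour every DNT:1   ", apply_policy(SAMPLE_REQUESTS))                            # [False, True, False, True]
    print("discard IE 10 default", apply_policy(SAMPLE_REQUESTS, ignore_ie10_default=True))  # [False, True, True, True]
```

The third request is the whole controversy in one line: with the IE 10 heuristic the same DNT: 1 header is honoured from Chrome and Firefox but ignored from IE 10, and the server cannot tell an IE 10 user who chose the setting from one who never saw it.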

MegaUpload Case Carries Privacy and Property Rights Implications for Cloud Storage (November 7, 2012)

The MegaUpload case could have far-reaching implications for the privacy and property rights of data stored in the cloud. Electronic Frontier Foundation attorney Julie Samuels is representing an Ohio man in his efforts to regain access to files he stored on MegaUpload servers. Kyle Goodwin is a videographer whose only copies of his files remain on MegaUpload servers because his own hard drive crashed. The federal government has set conditions that make it virtually impossible for anyone to retrieve data from MegaUpload servers: it implies that Goodwin would need to produce several witnesses to testify that the content stored in his MegaUpload account actually belongs to him, and it maintains that the MD5 hash values of some of his files match those of pirated music, which also shows that the government has already examined Goodwin's files. Last year, the US government seized domains belonging to overseas gambling sites, but a New York federal court judge did eventually establish a process for people to file claims to get back the money in their gambling accounts. The Motion Picture Association of America says that its only concern in solving the problem of returning files to their owners is making sure that there are "safeguards to prevent retrieval of infringing materials."
-http://www.wired.com/threatlevel/2012/11/megaupload-data-what-to-do/
Federal Authorities' Brief:
-http://www.wired.com/images_blogs/threatlevel/2012/10/fedsbrief.pdf
MPAA Response:
-http://www.wired.com/images_blogs/threatlevel/2012/11/mpaadotcom.pdf

Manning is Willing to Take Responsibility for Leaking Documents (November 7, 2012)

Bradley Manning says he is willing to plead guilty to some of the charges brought against him in the WikiLeaks case in exchange for the government dropping other charges. In a plea notice submitted by his attorney, Manning indicated that he is willing to plead guilty to giving hundreds of thousands of documents to WikiLeaks, but not to charges of espionage, aiding the enemy, and exceeding authorized access on government networks. Manning has not pleaded either guilty or not guilty; he has simply indicated that he is willing to take formal responsibility for leaking the documents.
-http://www.wired.com/threatlevel/2012/11/bradley-manning-plea-notice/
-http://arstechnica.com/tech-policy/2012/11/bradley-manning-finally-fesses-up-over-wikileaks/

Company Sues for Royalties Over Use of SSL and TLS Protocols (November 7 & 8, 2012)

A Texas company is adding defendants to its long list of companies that have allegedly failed to pay royalties for using certain forms of encryption on their websites. TQP Development reportedly holds a patent titled "Encrypted data transmission system employing means for randomly altering the encryption keys". The lawsuits maintain that companies whose websites use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols owe TQP royalties. TQP has filed patent infringement complaints against Google, Apple, eBay, Expedia and other companies, and in the past month has added Yelp, MovieTickets.com, and Intel to that list. None of the cases TQP has filed has gone to trial, which suggests that at least some of the defendants have settled.
-http://arstechnica.com/security/2012/11/patent-suits-target-google-intel-hundreds-more-for-encrypting-web-traffic/

-http://www.theregister.co.uk/2012/11/08/tqp_sues_everyone/
[Editor's Note (Murray): Old News. This kind of trading in, and exploitation of, patents, taints the whole system. ]

Additional Defendants Named in South Carolina Dept. of Revenue Breach Case (November 6, 2012)

Former South Carolina state senator John Hawkins has filed a lawsuit against the state's governor, Nikki Haley, and the South Carolina Department of Revenue over a security breach that exposed information held in a department database. Earlier this week, Hawkins added the South Carolina Division of State Information Technology and the cybersecurity company Trustwave to the list of defendants. The suit alleges that the defendants acted negligently by allowing an environment in which the Department of Revenue database could be breached and by failing to disclose the incident for more than two weeks after it was detected. Hawkins has called the events "a systematic failure." The Department of Revenue had hired Trustwave to monitor the breached systems. Shortly after the breach came to light, Governor Haley said that the lack of encryption of the Social Security numbers was in line with industry practice. While it is "true that most banks don't encrypt customer data, ... [they] do a decent job of instituting strong protections around sensitive customer data," according to Gartner analyst Avivah Litan.
-http://www.postandcourier.com/article/20121106/PC16/121109507/1177/cyber-security-company-among-new-defendants-added-to-sc-hacking-lawsuit

-http://www.computerworld.com/s/article/9233074/S.C._governor_s_post_breach_data_encryption_claims_are_off_base_analysts_say

Adobe Releases Updates for Flash and AIR (November 6 & 7, 2012)

On November 6, Adobe released updates for Flash Player and Adobe AIR. The updates address seven vulnerabilities in the products and are available for Windows, Mac, Linux, and Android. The current version of Flash Player is now 11.5.502.110. Users are urged to update through the Adobe Flash Player Distribution page. Chrome users should find that their browser has been automatically updated to the most recent Chrome build of Flash, 11.5.31.2. Users who run other browsers alongside Chrome will need to update the Flash plugin for each of them, since each browser loads its own copy. Microsoft has also released a Flash update for IE 10, because Flash is embedded in that version of the browser and is patched through Windows Update rather than by Adobe's installer. Adobe says that future Flash updates will be released on the same day as Microsoft's monthly security updates.
-http://krebsonsecurity.com/2012/11/adobe-ships-election-day-security-update-for-flash/

-http://www.theregister.co.uk/2012/11/07/adobe_flash_update/
-http://www.h-online.com/security/news/item/Security-updates-for-Flash-and-Air-1744946.html

-http://www.computerworld.com/s/article/9233342/Adobe_now_married_to_Microsoft_moves_Flash_updates_to_Patch_Tuesday?taxonomyId=82

Stolen VMware ESX Code Posted to Internet (November 5 & 6, 2012)

More stolen source code for VMware ESX has been posted to the Internet. The individual claiming responsibility for the leak also posted a link to what purports to be the VMware ESX Server kernel source, dating from between 1998 and 2004. VMware has acknowledged that the code is genuine. An earlier batch of VMware source code was posted to the Internet in April 2012. In a security bulletin, VMware director of platform security Iain Mulholland recommends that customers install the most recent patches.
-http://www.informationweek.com/security/application-security/more-vmware-source-code-leaks-to-interne/240049866

-http://www.theregister.co.uk/2012/11/05/vmware_source_code_leak/


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/