SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #91

November 13, 2012

Time to stop asking for cybersecurity legislation:
Shifting government and industry from "admiring the problem of
cybersecurity" to taking necessary actions to protect their systems and
networks does not require legislation; the long quest for legislation
has been a massive distraction. It is high time for the U.S. to get on
with necessary actions as British and Australian leaders have done.
General Alexander at NSA and John Streufert and the managers at DHS are
leading the way by agreeing on how to secure systems and networks and
on how to measure their security. Let's help them. As a nation, let's
ask the people at OMB and NIST to stop undermining and delaying the NSA
and DHS solutions, and actively help them accelerate adoption.

Alan

---

TOP OF THE NEWS

General Alexander Frustrated with Lack of Forward Momentum on US Cybersecurity
Australia Becomes First Nation To Discover Reliable Method of Stopping Targeted Attacks
Kaspersky Finds 23 Percent of Browsers in Use Are Out-of-Date

THE REST OF THE WEEK'S NEWS

Singapore Wants to Allow Pre-emptive Action Against Cyberthreats
Pirate Bay Co-Founder Warg Facing Additional Fraud Charges
Malware Attack Against Israeli Police System Helps Researchers Uncover Broader Attacks
SEC Staffers' Laptops Were Not Encrypted
Teenager Sentenced to Probation for Involvement in Cyberattacks
Ransomware Nets Cybercriminals At Least US $5 Million Annually
Michigan Man Arraigned on Charges Stemming From Sale of Pirated Software
Australia Opts for Interpol Black List Over Internet Filtering
Microsoft's Patch Tuesday to Include First Fixes for Windows 8 and Windows RT
Malware Steals Images
Ohio eVoting Machine Software Update Case Thrown Out of Court

---

************************** SPONSORED BY Symantec *************************
Unrivaled Security: Over 8 Million Users Can't Be Wrong. Join this webcast to find out how you can get unrivaled security, blazing performance and support for virtual environments. Learn about new features of Symantec Endpoint Protection 12.1.2. including VMware vShield integration, support for Windows 8 and Mac Mountain Lion.
Register Now. http://www.sans.org/info/116592
****************************************************************************
TRAINING UPDATE
- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

General Alexander Frustrated with Lack of Forward Momentum on US Cybersecurity (November 8, 2012)

NSA Director and US Cyber Command chief General Keith Alexander last week told members of government and the IT security industry attending Symantec's annual government symposium that the country is "stuck at the starting line" when it comes to cybersecurity. Alexander said the US has the capability to secure its networks, but that nothing will happen until Congress moves forward with cybersecurity legislation. He added that the country lacks understanding of how networks operate and how big a threat cyberattacks are to the critical infrastructure. "I'm concerned that attacks like
[the one that targeted Saudi Aramco in August ]
are coming, and we're spending a lot of time talking about what we should do when we should just do it."
-http://www.federalnewsradio.com/473/3110944/On-cyber-defense-US-stuck-at-the-sta
rting-line
[Editor's Note (Pescatore): I think most of the people currently actively "just doing it" and keeping their companies safe as their companies make extensive and profitable use of the Internet would agree about "let's stop talking about legislation and just get back to just doing it."
(Honan): If organisations are waiting for legislation to tell them what to do rather than secure their networks by following guidelines such as the SANS 20 Critical Controls or The Australian Defence Signals Directorate (DSD) Top 35 Mitigation Strategies then the General has a lot more to worry about.
(Paller): The organizations that are making the transition (from admiring the problem to fixing it) are doing so by shifting from the compliance era benchmarks (NIST and ISO) to the action era benchmarks (CCA 20 Critical Controls - See UK plan at
-http://www.cpni.gov.uk/advice/cyber/Critical-controls/)
and the Australian Strategy - see the next story for details on Australia) ]

Australia Becomes First Nation To Discover Reliable Method of Stopping Targeted Attacks (October 30 & 31, 2012)

The cyberthreat environment has shifted from attacks that steal information to those that do real damage to systems and the operations they control. The Australian Defence Signals Directorate (DSD) knows what to do to stop the types of attacks that are coming from nation states. The DSD has developed a list titled Top 35 Mitigation Strategies; it also found that implementing just the top four strategies can block 85 percent of targeted cyberattacks. Topping the list is whitelisting, followed by patching applications, patching operating systems, and limiting administrator rights to people who actually need that access.
-http://www.csoonline.com/article/720272/cyber-attacks-have-changed-but-australia
-is-doing-something-about-it-sans
-http://www.technologyspectator.com.au/keeping-cybergeddon-bay

Kaspersky Finds 23 Percent of Browsers in Use Are Out-of-Date (November 9, 2012)

A study from Kaspersky has found that nearly a quarter of all browsers currently in use are not being kept up to date. Of the 23 percent of out-of-date browsers, 14.5 percent are using the previous version of the browser, while 8.5 are using even older versions. All major browsers have automatic update options.
-http://www.computerworld.com/s/article/9233501/Out_of_date_vulnerable_browsers_p
ut_users_at_risk?taxonomyId=17
[Editor's Note (Pescatore): I'll bet most of the out-of-date ones are enterprise browsers where there are still too many apps that were written to specific browser versions, mostly IE. Another good line item in CIO evaluations: No browser specific apps!!
(Honan): It would be interesting to see what percentage of the browsers were also running on outdated Operating Systems such as Windows XP or indeed Windows 2000. Many organisations are still on these platforms for economic reasons and are restricted as a result to the browsers they can deploy on those platforms.
(Paller): John Pescatore's note points out the connection between application standards and cybersecurity effectiveness. As long as application developers and marketers (and the CIOs who buy from them) do not have to make apps conform to security benchmarks, there will be little security people can do to make their environments defensible. ]

---

************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116597

2) Analyst Webcast: Security Intelligence in Action: LogRhythm's Advanced Analysis Features by SANS Analyst Dave Shackleford, Wed. Nov.28, at 1PM EST. http://www.sans.org/info/116602
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Singapore Wants to Allow Pre-emptive Action Against Cyberthreats (November 12, 2012)

Singapore's Ministry of Home Affairs is seeking to amend the country's Computer Misuse Act to allow the government to have more authority to stop cyberattacks against critical infrastructure before they even start. The change would work like this. When the Ministry of Home Affairs receives credible intelligence regarding the possibility of a cyberattack, the Minister would have the authority to order that certain steps be taken to "strengthen the resilience of the CII against the cyberthreat." The current law allows the Minister to order action inly after an attack has been detected. The amendment would also broaden the scope of what are deemed "essential services" to include aviation, shipping, and health services.
-http://www.zdnet.com/sg/singapore-amends-law-to-counter-cyberattacks-7000007248/
[Editor's Note (Pescatore): This is a reactive strategy trying to be painted as proactive. Why not remove the known vulnerabilities ("strengthen the resilience") on an ongoing basis - better to fix the leaks in the roof *before* the weather forecast says rain, as there are many unannounced storms.
(Assante): Credible intelligence often begins after a bang. What would be interesting is to learn if the Minster feels any of the ordered actions after an attack were useful in mitigating the consequences or preventing the next attack. ]

Pirate Bay Co-Founder Warg Facing Additional Fraud Charges (November 12, 2012)

Pirate Bay co-founder Gottfrid Svartholm Warg, who has been in custody in a Swedish detention facility on charges related to cyber intrusions at IT company Logica since September, may be facing additional charges. A public prosecutor suggested that the new charges are not linked to the Logica attack. Warg has been detained in Sweden for two months already. The new charges are aggravated fraud and attempted aggravated fraud. Sweden allows suspects to be kept in detention even before they are charged with a crime. A judge must review the case every two weeks to determine if the suspect may still be detained.
-http://arstechnica.com/tech-policy/2012/11/pirate-bay-cofounder-now-suspected-of
-attempted-aggravated-fraud/
-http://www.computerworld.com/s/article/9233504/Pirate_Bay_co_founder_suspected_o
f_serious_fraud_and_another_data_intrusion?taxonomyId=17

Malware Attack Against Israeli Police System Helps Researchers Uncover Broader Attacks (November 12, 2012)

Security researchers have unearthed evidence that the malware infection found on Israeli police computers is likely party of a yearlong cyberespionage operation that targeted entities in Israel and Palestinian territories. Last month, Israeli police took down its computer network after discovering that it had been infected with a remote access Trojan (RAT) known as Xtreme RAT. The malware was delivered through an email that appeared to come from Israeli Defense Forces chief of general staff Benny Gantz. The malware was accompanied by a phony Microsoft certificate, which is what helped researchers at Norwegian company, Norman ASA, determine other attacks conducted by the same group because they used the same phony certificate. The bait documents used in the attacks contained metadata that revealed the names or aliases of some of those involved in their execution. The malware used dynamic DNS providers to change the IP addresses of the control networks. In the earlier attacks against Palestinian targets, most of the addresses were traced to a network in Gaza; when the attackers shifted their focus to Israel, the control servers shifted to the US.
-http://krebsonsecurity.com/2012/11/malware-spy-network-targeted-israelis-palesti
nians/
-http://www.computerworld.com/s/article/9233514/Researchers_identify_year_long_cy
berespionage_effort_against_Israelis_Palestinians?taxonomyId=17

SEC Staffers' Laptops Were Not Encrypted (November 9, 2012)

Employees at the US Securities and Exchange Commission's (SEC's) Trading and Markets Division were found to have failed to encrypt data on their own computers. Ironically, the Trading and Markets Division is responsible for helping financial markets protected themselves from cyberattacks. The staffers attended the Black Hat Conference earlier this year with those unencrypted computers. When the situation was discovered, the SEC hired a third-party firm at a cost of at least US $200,000 to determine whether any security breaches had taken place. Standard SEC procedure requires that data on laptops be encrypted.
-http://news.cnet.com/8301-1009_3-57547678-83/sec-staffers-leave-computers-open-t
o-cyber-attack-report-says/
-http://www.darkreading.com/insider-threat/167801100/security/encryption/24007752
9/sec-left-sensitive-data-vulnerable-report-says.html
-http://www.bbc.co.uk/news/technology-20266783
-http://www.theregister.co.uk/2012/11/09/sec_security_snafu/

Teenager Sentenced to Probation for Involvement in Cyberattacks (November 9, 2012)

A 15-year-old hacker has been sentenced in juvenile court in California. The unnamed teen, who uses the online moniker Cosmo, pleaded guilty to a string of felonies in exchange for probation. The charges stem from credit card fraud, identity theft, bomb threats, and online impersonation. Cosmo was part of a hacker group involved in taking down sites and which was vocally opposed to SOPA. He also gained access to Amazon and PayPal accounts using social engineering techniques. The terms of Cosmo's probation, which will last until his 21st birthday, dictate that he will not be permitted to use the Internet without permission from his probation officer; that he is prohibited from contacting members of hacking groups with which he has been associated; and a number of others. He faces a number of additional restrictions; if he violates the terms of his probation, he will be sent to prison for three years.
-http://www.wired.com/gadgetlab/2012/11/hacker-cosmo-the-god-sentenced-by-califor
nia-court/

Ransomware Nets Cybercriminals At Least US $5 Million Annually (November 8 & 9, 2012)

According to a report from Symantec, ransomware is earning cybercriminals at least US $5 million a year. This species of malware encrypts files and demands payment to unlock them. Although ransomware has been around for several years, only recently has it become more effective and begun to move out of Eastern Europe. Cybercriminals are using increasingly stronger encryption and have begun locking up affected PCs entirely. They have also begun switching from Eastern European targets to those in Germany and the US. Recently detected ransomware displays a message telling the user that the computer has been locked because s/he was viewing pornographic websites. The fines average US $200. Ransomware often makes its way onto computers as a drive-by download, although there have been reports that it has spread through social networks and Skype and other services. The messages displayed often include logos belonging to law enforcement agencies.
-http://www.computerworld.com/s/article/9233421/Ransomware_crooks_make_millions_f
rom_porn_shaming_scams?taxonomyId=82
-http://www.v3.co.uk/v3-uk/news/2223664/scammers-rake-in-usd33-000-a-day-through-
ransomware
-http://arstechnica.com/security/2012/11/mushrooming-growth-of-ransomware-extorts
-5-million-a-year/
Symantec Report:
-http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
pers/ransomware-a-growing-menace.pdf

Michigan Man Arraigned on Charges Stemming From Sale of Pirated Software (October 8 & 9, 2012)

A man has been arraigned in US District Court in Michigan on charges of mail fraud and criminal copyright infringement. Bruce Alan Edward allegedly bought pirated software from sellers in China and Singapore and resold it on eBay. He allegedly earned more than US $140,000 between May 2008 and September 2010. The software he resold had a retail value of more than US $1.2 million. If convicted on all charges, Edward could face up to 45 years in prison and US $1.5 million in fines. He could also be ordered to forfeit the money he allegedly made in the scheme as well as any remaining counterfeit software and equipment used to conduct the scheme.
-http://www.theregister.co.uk/2012/11/09/ebay_counterfeit_ms_software_prosecution
/
-http://www.computerworld.com/s/article/9233417/Michigan_man_charged_with_selling
_counterfeit_Microsoft_software?taxonomyId=17
-http://www.justice.gov/opa/pr/2012/November/12-crm-1335.html

Australia Opts for Interpol Black List Over Internet Filtering (November 8, 2012)

Australia has decided not to filter its domestic Internet, instead opting for a black list of websites put together by Interpol. The "list will help keep children safe from abuse, ... and fulfills the government's commitment to preventing Australian Internet users from accessing child abuse material online."
-http://arstechnica.com/tech-policy/2012/11/australia-comes-to-its-senses-abandon
s-national-internet-filtering-regime/

Microsoft's Patch Tuesday to Include First Fixes for Windows 8 and Windows RT (November 8 & 9, 2012)

On Tuesday, November 13, Microsoft plans to issue six security bulletins to address a total of 19 vulnerabilities in various products. The updates include the first fixes for Windows 8 and Windows RT. Four of the security bulletins are rated critical; these four bulletins address 13 flaws and affect Windows Server 2012, Windows 8, and Windows RT, which is the operating system that supports Microsoft's Surface tablet. One of the critical updates will fix at least one vulnerability in Internet Explorer 9. All the critical updates, as well as one important update, will address remote code execution flaws; an update labeled moderate will address an information disclosure vulnerability in Windows.
-http://www.theregister.co.uk/2012/11/09/nov_patch_tuesday_pre_alert/
-http://www.computerworld.com/s/article/9233393/Microsoft_slates_first_Windows_8_
RT_patches_since_launch?taxonomyId=17
-http://www.scmagazine.com/microsoft-to-patch-19-vulnerabilities-on-tuesday/artic
le/267587/
-http://news.cnet.com/8301-1009_3-57547619-83/windows-8-rt-to-get-first-critical-
security-patches-next-tuesday/
-http://technet.microsoft.com/en-us/security/bulletin/ms12-nov

Malware Steals Images (November 7, 2012)

Researchers have discovered malware designed to steal images from infected devices. The malware, which Sophos named PixSteal-A, targets Windows PCs and searches for JPEG and DMP files. It then connects to a remote server through FTP and uploads the images. The server collecting the images is hosted in Iraq, but the person controlling the operation could be anywhere in the world. One possible solution is to disable FTP connections at the firewall level.
-http://www.v3.co.uk/v3-uk/news/2222922/researchers-warn-of-imagestealing-malware
-http://blog.trendmicro.com/trendlabs-security-intelligence/malware-steals-image-
files-from-systems/
[Editor's Note (Murray): Before acting on this "warning;" one might like to know what the attack vector is and how pervasive the code. Without regard to this malware, the continued presence of FTP is an unnecessary risk. On the other hand, it ships with Windows by default; anyone can use it but one must have administrative privileges to erase or rename it. Hardly seems likely we will get rid of it. ]

Ohio eVoting Machine Software Update Case Thrown Out of Court (November 6, 2012)

A federal judge in Ohio will not hear a case about "experimental" software patches that were applied to certain evoting machines in Ohio just days prior to last week's presidential election. The suit alleged that the untested patches posed a threat to the integrity of the vote count. But Judge Gregory Frost, US District Court for the Southern District of Ohio, said that the plaintiff provided no evidence that the software was capable of altering election results and threw out the lawsuit. Judge Frost wrote that the plaintiff's "alleged harm is purely speculative." The lawsuit alleged that Ohio Secretary of State John Husted violated both state and federal laws by allowing the software patches to be applied to the Election Systems & Software (ES&S) vote tabulation machines. Husted's office said that the patches were designed to reformat the results that had been counted. Husted's office maintained that because the software is not considered part of the certified voting system, it was not subject to the testing and certification requirements.
-http://www.computerworld.com/s/article/9233316/Judge_throws_out_Ohio_lawsuit_ove
r_software_on_vote_tabulation_machines?taxonomyId=208
-http://www.minnpost.com/christian-science-monitor/2012/11/ohio-voting-software-v
ulnerable-fraud-court-hear-election-day-case

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/