SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #92

November 16, 2012

FLASH: Yesterday, the U.S. Department of Justice reported that they had
indicted two BP executives for multiple counts of manslaughter because
they acted negligently in safety testing. Two critical infrastructure
cybersecurity managers sent us the article and pointed out the potential
for cybersecurity negligence charges when damage is done because people
did not focus on what mattered.
http://www.usatoday.com/story/money/business/2012/11/15/bp-near-settlement-with-
us-over-gulf-spill/1706209/
Alan

PS Three weeks until the largest cybersecurity training conference in
Washington DC until next summer. 25 world-class stories and free
evening sessions better than the best conferences.
http://www.sans.org/event/cyber-defense-initiative-2012

---

TOP OF THE NEWS

South Carolina Dept. of Revenue Security Practices Did Not Detect Breach
President Signs Secret Cybersecurity Policy Directive for US Military
Cybersecurity Bill Fails in Senate, Making Executive Order Likely
DHS Looks at Ways to Attract and Retain Talented Cybersecurity Workers

THE REST OF THE WEEK'S NEWS

DOE IG's Report Finds Out-of-Date Software on Unclassified Systems
Adobe Takes Down Video Conferencing Forum After Data Breach
Hamburg, Germany Prosecutor Says No Criminal Investigation into Google Street View
Man Indicted on Charges of Conspiracy to Commit Computer Intrusion and Extortion
Hacker Could be Mysterious Founder of Antivirus Startup
Skype Fixes Flaw in Password Reset Mechanism
NASA Orders Full-Disk Encryption on Laptops Holding Sensitive Data
Two Indicted for Allegedly Stealing Court System Records and Database Source Code
Microsoft Security Updates for November Include Fixes for Flaws in IE and Windows 8

CONTROL SYSTEMS SECURITY STORIES

SCADA Safety In Numbers

---

************************** SPONSORED BY Bit9 *****************************
Server Security - With 94% of data stolen in 2011 coming from servers, how has the evolution of advanced threats changed your approach to security? Take the 5 minute survey now and be entered to win an iPad Mini! Learn More http://www.sans.org/info/117017
****************************************************************************
TRAINING UPDATE
- --SANS London 2012 London November 26-December 3, 2012 16 courses. Bonus evening presentations include Why to Organizations Get Compromised; Dissecting Smart Meters; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Barcelona, Cairo, Anaheim, and New Delhi all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

South Carolina Dept. of Revenue Security Practices Did Not Detect Breach (November 15, 2012)

The South Carolina Department of Revenue (SCDOR) recently acknowledged a data security breach that compromised the tax records of 4.5 million people and businesses who had filed returns with the agency. The US Secret Service informed that state of the incident a month after it occurred. The contractor hired by SCDOR to attend to network security focused on SCDOR's compliance with requirements regarding entities that retain credit card information rather than stopping malware from infecting systems. While SCDOR ran an antivirus and antimalware scan periodically, it was not able to detect the breach, either. South Carolina Governor Nikki Haley has now ordered her Cabinet to use stronger computer security, including the Division of State Information Technology's computer network monitoring services, which detects anomalous uploads and downloads and suspicious programs quickly. Governor Haley has acknowledged that the state "need
[s ]
somebody in the office 24 hours a day monitoring those computers," which is what the services will provide.
-http://www.goupstate.com/article/20121114/WIRE/211151017/1088/SPORTS?Title=Secur
ity-contractor-didn-t-detect-hacker-from-SCDOR-website
[Editor's Note (Pescatore): We periodically go through cycles where the threats get ahead of the "due diligence" levels of security and active monitoring of the network is generally the first point that will detect this. The key term is "active" monitoring - detecting new threats takes active effort. On the compliance side, other than for extremely small businesses, having the Cardholder Data Environment pass a PCI assessment in no way means the overall network is sufficiently protected from today's targeted attacks.
(Honan): Unfortunately the South Carolina Dept. of Revenue Security is not alone in not detecting breaches. According to the Verizon 2012 Data Breach Investigations Report
-http://www.verizonbusiness.com/about/events/2012dbir/
92% of companies were informed of a security breach by a third party. As an industry we need to move away from compliance led security to properly focused operational security.
(Murray): The quotes attributed to the governor suggest that the state was simply indifferent to its responsibility to protect citizen privacy. Great argument for federalism. It is to be hoped that most states have a more responsible attitude and that the remainder will learn form this event.
(Paller): With this newspaper article, the general public begins to understand the fundamental failure of cybersecurity. Compliance regimes are measuring the wrong things or the consultants implementing them are doing only part of the job. ]

President Signs Secret Cybersecurity Policy Directive for US Military (November 14, 2012)

President Obama has reportedly signed Presidential Policy Directive 20, a secret directive that allows the US military to take action to fend off cyber attacks against the country's critical infrastructure. The directive (which is not the executive order mentioned in the story below - - Ed.) establishes standards for dealing with cyberthreats. The directive gives the Defense Department the authority to take actions against the networks of adversaries when government or private networks are threatened. It distinguishes between network defense and cyberoperations. A senior administration official described it this way: "Network defense is what you're doing inside your own networks,
[and ]
cyber operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes." The directive, which was signed about a month ago, is a classified document. It requires that all actions taken in cyberspace comply with international rules of war. It also says that law enforcement agencies and existing information security defenses are the first line of defense.
-http://www.washingtonpost.com/world/national-security/obama-signs-secret-cyberse
curity-directive-allowing-more-aggressive-military-role/2012/11/14/7bf51512-2cde
-11e2-9ac2-1c61452669c3_story.html
-http://www.nextgov.com/defense/2012/11/obama-directive-would-allow-preemptive-cy
ber-strikes/59522/?oref=ng-channelriver
-http://news.cnet.com/8301-1009_3-57550092-83/obama-reportedly-signs-secretive-cy
bersecurity-policy-directive/
-http://www.informationweek.com/government/security/obama-secret-order-authorizes
-cybersecur/240134945

Cybersecurity Bill Fails in Senate, Making Executive Order Likely (November 14 & 15, 2012)

The US Senate has again failed to pass a cybersecurity bill; in 51-47 vote, legislators rejected a motion to move forward on the Cybersecurity Act of 2012. Earlier this year, Senate Republicans blocked the legislation, saying it placed too heavy a regulatory burden on businesses. President Obama, Defense Secretary Leon Panetta and other national security officials have urged legislators to pass a cybersecurity bill. Senator Joe Lieberman (I-Connecticut) said that if the bill did not move forward, President Obama would likely issue an executive order that would accomplish some, but not all, of the goals set forth in the legislation. Lieberman said that the president "has a responsibility to act because if we don't, we're leaving the American people extremely vulnerable to a cybersecurity attack."
-http://thehill.com/blogs/hillicon-valley/technology/268053-senate-rejects-cybers
ecurity-act-for-second-time
-http://www.computerworld.com/s/article/9233656/Cybersecurity_bill_fails_in_U.S._
Senate?taxonomyId=17
-http://www.nextgov.com/cybersecurity/2012/11/cybersecurity-bill-falls-short-sena
te-again/59538/?oref=ng-channelriver
-http://www.informationweek.com/government/security/congress-kills-cybersecurity-
bill-white/240142198

DHS Looks at Ways to Attract and Retain Talented Cybersecurity Workers (November 13, 2012)

US government agencies are competing against each other to hire talented computer professionals, especially those with cybersecurity expertise. Not only do they have to fight each other for the best employees, but government agencies also have to compete against private sector salaries which regularly outstrip those offered by the CIA, NSA or the Department of Homeland Security (DHS), which is seeking to hire 600 people to work in the cyber arena. Earlier this year, DHS Secretary Janet Napolitano formed a task force to determine how best to develop a cyber security workforce and help her agency recruit and retain talented workers. High on the list of recommendations from the task force is to reserve the "cool jobs," such as penetration testing and incident response, for government employees.
-http://www.washingtonpost.com/world/national-security/federal-agencies-private-f
irms-fiercely-compete-in-hiring-cyber-experts/2012/11/12/a1fb1806-2504-11e2-ba29
-238a6ac36a08_story.html

---

************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/117022
2) Analyst Webcast: Secure Content Management in a Mobile Age Tuesday, Dec. 4, 2012 at 1:00PM EST. http://www.sans.org/info/117027
3) Webcast: APT: It is Not Time to Pray, It is Time to Act Featuring: Dr. Eric Cole. http://www.sans.org/info/117032
************************************************************************

---

THE REST OF THE WEEK'S NEWS

DOE IG's Report Finds Out-of-Date Software on Unclassified Systems (November 15, 2012)

According to a report from the inspector general of the US Department of Energy (DOE), nearly 60 percent of desktop computers at the agency lacked critical software patches. The IG's audit examined unclassified systems at DOE. One of the possible explanations is that applying patches means that the agency would have to pause programs that are used frequently. The larger an organization, the more unwieldy patching all systems becomes. The report also found that 41 percent of DOE network servers were running versions of operating systems that are no longer supported. The report also noted weak access controls and web applications with inadequate validation procedures.
-http://www.nextgov.com/cybersecurity/2012/11/report-fifty-eight-percent-energy-c
omputers-went-months-without-bug-fixes/59559/?oref=ng-channeltopstory
-http://energy.gov/sites/prod/files/IG-0877.pdf
[Editor's Note (Murray): Patching seems to be the default strategy (some seem to think that it is mandatory) it is only one strategy. On the other hand, one is not very hopeful that this agency had an alternative strategy to make patching unnecessary. ]

Adobe Takes Down Video Conferencing Forum After Data Breach (November 14 & 15, 2012)

Adobe has taken down its Connectusers forum after a hacker leaked stolen information about the forum's users online. The forum is associated with Adobe Connect, a video conferencing service. The leaked data include account login credentials. Adobe plans to reset users' passwords. The hacker claiming responsibility for the attack says he used an SQL injection attack to steal the user data. The hacker says he took the action not to ruin Adobe's business, but to demonstrate that Adobe drags its feet when notified of vulnerabilities. He said that Yahoo would be his text target.
-http://www.darkreading.com/database-security/167901020/security/attacks-breaches
/240134996/adobe-hacker-says-he-used-sql-injection-to-grab-database-of-150-000-u
ser-accounts.html
-http://arstechnica.com/security/2012/11/adobe-breach-reportedly-spills-easy-to-c
rack-password-hashes/
-http://news.cnet.com/8301-1009_3-57550136-83/adobe-suffers-database-leak-user-fo
rum-taken-offline/
-http://www.zdnet.com/adobe-suspends-connect-user-forum-after-apparent-hack-70000
07440/
-http://www.eweek.com/security/adobe-connect-security-breach-exposes-personal-dat
a-of-150k-users/
-http://www.theregister.co.uk/2012/11/15/adobe_forum_breach/

Hamburg, Germany Prosecutor Says No Criminal Investigation into Google Street View (November 15, 2012)

The public prosecutor in Hamburg, Germany will not initiate a criminal investigation into Google Street View's inadvertent gathering of data from unprotected WiFi networks in Germany. Google has acknowledged that its Street View cars collected unencrypted data from open WiFi connections as they cruised along streets taking photographs for the Street View feature. The prosecutor said that German telecommunications law does not prohibit the interception of MAC addresses and SSIDs.
-http://www.computerworld.com/s/article/9233698/Google_will_not_be_prosecuted_for
_Street_View_Wi_Fi_sniffing_in_Germany?taxonomyId=17
[Editor's Note (Murray): The default is that if one broadcasts something, listening is not a crime. This is the reason that Wi-Fi has security features. While these features are not on by default and require some user setup, it is difficult to set up an access point without being aware of them and how to use them. ]

Man Indicted on Charges of Conspiracy to Commit Computer Intrusion and Extortion (November 15, 2012)

A US federal grand just has indicted a Dutch man for allegedly hacking into the computer network of a New Hampshire-based game company, altering sensitive data, and stealing source code that he used to start a competing online game. Anil Kheda allegedly began his intrusions and code theft five years ago after one of his accounts on Outwar, an online role-playing game from Rampid Interactive, was deleted. Kheda allegedly developed his own online game and made about US $10,000 from it. He continued to hack into Rampid's servers and agreed to stop only if Rampid paid him. He claimed that he had discovered vulnerabilities in the Rampid network and source code that he exploited to gain administrator access to the Outwar. His activity allegedly caused Outwar to go down a number of times, costing Rampid more than US $100,000 in lost revenue and other related expenses.
-http://arstechnica.com/security/2012/11/stolen-code-9-month-hacking-spree-lead-t
o-criminal-charges/
-http://www.sfgate.com/news/article/Dutch-gamer-accused-of-hacking-disabling-NH-g
ame-4040861.php
-http://www.justice.gov/opa/pr/2012/November/12-crm-1365.html

Hacker Could be Mysterious Founder of Antivirus Startup (November 14, 2012)

After receiving misleading and evasive answers about the location and founder of antivirus startup Anvisoft, journalist Brian Krebs delved into website registration records and the WHOIS database in an attempt to find out more. What he discovered led to the possibility that Anvisoft may have been started by Tan Dailin, a Chinese hacker who used the online handle "Withered Rose." Krebs acknowledges that there is no conclusive evidence linking Tan Dailin to Anvisoft, and notes that until the company is more forthcoming with information about its founder, it may have trouble establishing itself in the antivirus world.
-http://krebsonsecurity.com/2012/11/infamous-hacker-heading-chinese-antivirus-fir
m/

Skype Fixes Flaw in Password Reset Mechanism (November 14, 2012)

Skype says it has fixed a flaw in its password reset mechanism; the vulnerability has been known for at least two months, but was not addressed until this week. The flaw allowed anyone who knew a Skype user's email address to reset that person's account password. Prior to fixing the problem, Skype disabled the password reset feature.
-http://arstechnica.com/security/2012/11/microsoft-suspends-skype-password-resets
-after-account-hijacking-report/
-http://www.scmagazine.com/skype-dispatches-swift-fix-for-password-reset-flaw/art
icle/268238/
-http://www.informationweek.com/security/vulnerabilities/skype-deals-with-account
-hijacking-explo/240134937
-http://www.h-online.com/security/news/item/Skype-investigating-account-theft-vul
nerability-Update-2-1749720.html
-http://www.computerworld.com/s/article/9233614/Skype_blocks_password_resets_afte
r_account_hijacking_flaw_made_public?taxonomyId=208

NASA Orders Full-Disk Encryption on Laptops Holding Sensitive Data (November 14 & 15, 2012)

After learning that an unencrypted laptop belonging to a NASA employee was stolen, the agency has begun making sure that full-disk encryption is installed on all of its laptops. The stolen machine contains personal information of at least 10,000 NASA contractors, employees, and other people. The laptop was protected by a password but not by encryption. A similar incident occurred in March of this year. This second incident has prompted NASA to order that full disk encryption be installed as soon as possible on all agency laptops that contain sensitive information. Until all laptops have the encryption installed, no laptops containing sensitive data may leave NASA facilities. Employees have also been ordered not to store sensitive data on mobile phones, tablets, and other portable electronic devices.
-http://www.computerworld.com/s/article/9233645/NASA_scrambles_to_encrypt_laptops
_after_major_breach?taxonomyId=17
-http://www.nbcnews.com/technology/technolog/laptop-nasa-workers-personal-data-st
olen-1C7079170
-http://www.bbc.co.uk/news/technology-20343745
-http://www.v3.co.uk/v3-uk/news/2225129/nasa-laptop-containing-sensitive-data-sto
len
-http://www.computerworld.com/s/article/9233701/NASA_breach_update_Stolen_laptop_
had_data_on_10_000_users?taxonomyId=17
[Editor's Comment (Pescatore): You could see this one coming a mile away. In March 2012 OMB issued a report "Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002." It included an assessment of Government agency progress on laptop encryption deployment (among other things). It ranked agencies by % of portable devices with encryption and NASA came in *dead last* with only 41% coverage.
(Northcutt): Good move, according to the Ponemon Institute there is positive ROI in FDE:
-http://it.slashdot.org/story/12/09/03/0321205/calculating-the-cost-of-full-disk-
encryption

(Honan): Given that many modern operating systems have encryption facilities built into them and the myriad of third party solutions available it is astounding that NASA has not encrypted all its laptops. ]

Two Indicted for Allegedly Stealing Court System Records and Database Source Code (November 14, 2012)

The US Department of Justice has indicted two former Alabama state court system employees for allegedly stealing source code of a court records database. Michael David Carroll and Jill Hawthorne allegedly stole the code and gave it to an Orlando, Florida company. The two are also accused of stealing thousands of court records from Jefferson County, Alabama. Carroll and Hawthorne worked at Alabama's Administrative Office of the Courts, Carroll as director of information systems and Hawthorne as database administrator. The charges against the pair include stealing property with a value of US $5,000 or more by an employee of a state or local government agency that receives US $10,000 or more in federal assistance.
-http://www.computerworld.com/s/article/9233678/Two_indicted_in_alleged_theft_of_
court_database_source_code?taxonomyId=17
-http://www.justice.gov/opa/pr/2012/November/12-crm-1357.html

Microsoft Security Updates for November Include Fixes for Flaws in IE and Windows 8 (November 13, 2012)

On Tuesday, November 13, Microsoft issued six security bulletins to address a total of 19 vulnerabilities. Four of the bulletins are rated critical. The bulletins include a cumulative update for Internet Explorer (IE) and fixes for four vulnerabilities in Windows 8 and Windows RT.
-http://technet.microsoft.com/en-us/security/bulletin/ms12-nov
-http://www.computerworld.com/s/article/9233585/Microsoft_patches_critical_flaws_
in_Windows_8_Windows_RT?taxonomyId=17
-http://krebsonsecurity.com/2012/11/microsoft-patches-19-security-holes/
-http://www.h-online.com/security/news/item/Important-security-updates-arrive-for
-all-Windows-users-1749542.html
-http://www.scmagazine.com/microsoft-drops-ie-windows-fixes-on-patch-tuesday/arti
cle/268158/
-http://www.theregister.co.uk/2012/11/14/nov_patch_tuesday/

---

CONTROL SYSTEMS SECURITY STORIES

SCADA Safety In Numbers http://www.ptsecurity.com/download/SCADA_analytics_english.pdf

McBride: Nice to see a Russian firm trying to quantify the problem space somewhat. The numbers don't quite jive with previous analysis (see for example:
-http://vimeopro.com/s42012/s4-2012/video/35801119)
but the idea that security bug-finders are looking at SCADA more in the wake of Stuxnet is clear. Assante: Simply playing catchup to IT security vulnerability management is not going to protect our critical infrastructures. ICS Suppliers need to keep making progress by empowering and resourcing their product security officers and place security higher on the design requirements list.

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/