SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #94

November 27, 2012

If you haven't seen the front page of the Washington Post this morning,
try to get a copy. The headline is "CyberCity allows government hackers
to train for attacks." Or see it online at
http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers
-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story.html
It is also the first story in Top of the News.

---

TOP OF THE NEWS

Virtual CyberCity Deployed By Military As "Cyber Flight Simulator"
DARPA Project X Aims to Develop Automated Cyber Ops
Presidential Memo to Executive Branch Heads Describes Insider Threat Mitigation Standards
Greek Police Arrest Man for Stealing Most Citizens' Personal Information

THE REST OF THE WEEK'S NEWS

Hewlett-Packard Denies Knowledge of Monitoring Products Sold to Syrian Government
TSA Renames Insider Threat Spyware RFP
Narilam Malware Modifies SQL Databases
Auernheimer Found Guilty in iPad Customer Data Hacking Case
Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag
South Carolina Governor Faults IRS Standard in State Dept. of Revenue Data Breach
Group Wants to Sell SCADA Zero-Day Flaw Information
French News Outlet Says US Behind Flame Attacks on Sarkozy Staff Computers
Firefox Updated to Version 17, Opera Updated to Version 12.11

---

************************** SPONSORED BY Bit9 ******************************
WHITEPAPER - In the wake of the numerous server data breaches reported this year, it is clear that traditional signature-based blacklisting security strategies are inadequate in addressing today's sophisticated cyber threats. Industry Analyst Frost and Sullivan examines today's advanced threat landscape and recommends that organizations adopt a new approach to server security that is based on trust. Download Whitepaper http://www.sans.org/info/118042
****************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index
***************************************************************************

---

TOP OF THE NEWS

Virtual CyberCity Deployed By Military As "Cyber Flight Simulator" (November 27, 2012)

A virtual city is helping help Air Force cybersecurity specialists practice both defending and attacking networks, assesses their skills reliably, and enhancing those skills. Air Force General Zan Vautrinot said, "We posture ourselves to move at the ever-changing speed of technology. We are able to do this successfully by providing operationally relevant ranges for operator training and operational test activities." The Air Force system, called NetWars CyberCity is modeled after the real thing, including banks, utilities and hospitals as well as 15,000 simulated residents. It cost less than one tenth of the cost of the National Cyber Test Range; nearly all other military organizations and selected private organizations are now using it, as well, because of the low cost.
-http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers
-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story.html
.

[Editor's Note (Paller): The Air Force's NetWars cyber simulator won the 2011 National Cybersecurity Innovation Award presented by Howard Schmidt, then White House cyber advisor. CyberCity is the next generation of NetWars. Low cost cybersecurity flight simulators have been the "holy grail" in advanced cybersecurity training for the military, banks and the most advanced consulting firms for more than a decade. Ed Skoudis' team and the Air Force created the first affordable cyber range. NetWars' scorecards show each cyber warrior's skill strengths and areas in need of improvement. The Air Force uses those to customize training to make its cyber warriors more effective faster, and also to build teams that reinforce each other's strengths. They also use it as a graduation requirement for their intermediate training to be sure every cyberwarrior can actually perform effectively in cyberspace. The top scorers in Netwars from around the world are coming together in Washington for the Tournament of Champions on December 12-13. If you have great cyber skills, you won't find a better place to demonstrate them and see where you stand relative to others. Winners of nearly all collegiate and other cyber competitions are playing. (
-http://www.sans.org/special/netwars-champions)
If you need information about using NetWars to test or advance the skills of a large team of cyber defenders, email netwars@sans.org. ]

DARPA Project X Aims to Develop Automated Cyber Ops (November 26, 2012)

The US Defense Department's Defense Advanced Research Projects Agency (DARPA) is establishing a "technology incubator" laboratory for Plan X, a project that aims to combine code to help automate cyber operations. The lab, called the Collaborative Research Space, will be the test ground for developing a system that can "control a cyber battlespace in real-time."
-http://www.nextgov.com/defense/2012/11/pentagon-establish-foundational-cyberwarf
are-incubator/59709/?oref=ng-HPtopstory

Presidential Memo to Executive Branch Heads Describes Insider Threat Mitigation Standards (November 26, 2012)

A new Presidential Memorandum sent to the heads of US executive departments and agencies describes the National Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. The standards aim to "provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security." The standards have not been released publicly.
-http://www.scmagazine.com/obama-issues-insider-threat-guidance-for-govt-agencies
/article/269817/
-http://www.whitehouse.gov/the-press-office/2012/11/21/presidential-memorandum-na
tional-insider-threat-policy-and-minimum-stand

Greek Police Arrest Man for Stealing Most Citizens' personal Information (November 21, 2012)

Greek police have arrested a man they say is in possession of the personally identifiable information of nine million people; some of the records are duplicated. The population of Greece is estimated to be between about 10 million people. The unnamed man had in his possession files that contain identity card data, tax numbers, home addresses, and vehicle license plate numbers. Authorities are investigating how the suspect managed to obtain the data.
-http://www.darkreading.com/security/privacy/240142515/greek-man-accused-of-steal
ing-data-on-9-million-citizens.html
-http://www.theregister.co.uk/2012/11/21/greece_mega_privacy_breach/

---

************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/118047
2) Analyst Webcast: Security Intelligence in Action: A Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform http://www.sans.org/info/118052
3) Why Deception Matters in Today's Web Attacks by John Bumgarner http://www.sans.org/info/118057
************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hewlett-Packard Denies Knowledge of Monitoring Products Sold to Syrian Government

(November 26, 2012) In a letter to the US Securities and Exchange Commission (SEC), Hewlett-Packard (HP) says that one of its partners sold HP products to a company that in turn sold them to entities in Syria. Neither HP nor its partner was aware of the products' destination. News reports from November 2011 said that an Italian company, Area, installed HP products in Syria to be used as a surveillance and tracking system for monitoring Syrian citizens. The letter is dated October 9, 2012, but has only recently been made public.
-http://www.computerworld.com/s/article/9233997/HP_says_its_products_sold_unknowi
ngly_to_Syria_by_partner?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2227366/hp-denies-selling-tracking-technology-to-
syrian-government
HP Letter to SEC:
-http://www.sec.gov/Archives/edgar/data/47217/000004721712000035/filename1.htm

TSA Renames Insider Threat Spyware RFP (November 20, 2012)

The US Transportation Security Administration (TSA) has reissued a request for proposals for spyware under a different title. The original RFP sought software that aimed to detect and help prevent "insider threats." The new RFP seeks "host-based monitoring and digital forensics software." The technical requirements in the two documents are identical, but contractors' feedback from the June proposal suggested that the scope was too narrow.
-http://www.nextgov.com/cybersecurity/2012/11/tsa-drops-insider-threat-label-spyw
are-buy/59654/?oref=ng-channelriver
[Editor's Note (Shpantzer): For an interesting paper relating to using system logs for insider threat detection (PDF):
-https://media.blackhat.com/bh-us-12/Briefings/Grier/BH_US_12_Grier_Catching_Insi
der_Data_Theft_WP.pdf]

Narilam Malware Modifies SQL Databases (November 22, 23, & 26, 2012)

Researchers at Symantec have detected malware that is modifying SQL databases on computer systems in the Middle East. Most of the infected computers appear to be in Iran. The malware, which is known as Narilam, spreads through network shares and removable drives. According to Iran's Computer Emergency Response Team (CERT), Narilam is two years old and the only known victim is an Iranian accounting software package. While the vast majority of Narilam infections have been detected in Iran, there are reports of some infections in the US and the UK. Narilam appears to search for certain words in the SQL databases and replaces those works with random values or, in some cases, deletes fields altogether. Rumors that Narilam is related to Stuxnet and Flame are false.
-http://www.darkreading.com/threat-intelligence/167901121/security/attacks-breach
es/240142595/data-annihilation-malware-still-alive.html
-http://www.theregister.co.uk/2012/11/26/database_thrashing_malware/
-http://www.computerworld.com/s/article/9233940/Symantec_spots_odd_malware_design
ed_to_corrupt_databases?taxonomyId=17
-http://www.h-online.com/security/news/item/Worm-manipulates-databases-in-Iran-17
56339.html
-http://www.informationweek.com/security/application-security/malware-corrupts-ir
anian-financial-datab/240142569
[Editor's Note (Shpantzer): Shamoon and now Narilam show that data destruction is back in vogue.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
240007232/the-data-annihilation-attack-is-back.html]

Auernheimer Found Guilty in iPad Customer Data Hacking Case (November 20 & 22, 2012)

A jury has found Andrew Auernheimer guilty of conspiracy to gain unauthorized access to computers and identity theft in a case involving the hacking of an AT&T website that allowed him and his accomplice to access the email addresses of 120,000 iPad users. Auernheimer plans to appeal the conviction, saying that his actions were undertaken in the public interest. Auernheimer and his accomplice, Daniel Spitler, were arrested and charged in January 2011. Spitler took a plea bargain last year and provided authorities with information about the pair's intentions to steal private information and use it to conduct phishing attacks and other fraudulent activities. The men used an automated script to exploit a flaw in the AT&T website to obtain the email addresses.
-http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/
-http://www.h-online.com/security/news/item/US-hacker-convicted-for-AT-T-data-the
ft-in-2010-1755551.html
-http://news.cnet.com/8301-1009_3-57552852-83/hacker-found-guilty-of-massive-at-t
-ipad-site-breach/
-http://arstechnica.com/tech-policy/2012/11/internet-troll-who-exploited-att-secu
rity-flaw-faces-5-years-in-jail/
-http://www.theregister.co.uk/2012/11/21/ipad_hacker_conviction/

Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag (November 21 & 23, 2012)

A Texas high school student has been suspended for refusing to wear an RFID badge. The Northside Independent School District's John Jay High School's Science and Engineering Academy in San Antonio implemented the RFID program to increase state funding. Schools in Texas receive funding based on student attendance; the tags can be used to determine that students are present at the school even if they are not in class. A Texas judge has issued a temporary injunction blocking the girl's suspension pending a hearing scheduled for this week. Student Andrea Hernandez and her parents say that requiring her to wear the tag is a violation of her First Amendment rights.
-http://www.wired.com/threatlevel/2012/11/student-suspension/
-http://arstechnica.com/tech-policy/2012/11/texas-school-districts-rfid-tracking-
of-students-goes-to-court/
-http://www.theregister.co.uk/2012/11/21/schoolgirl_expelled_rfid_chip/
-http://www.bbc.co.uk/news/technology-20461752
In apparent protest, individuals claiming association with the Anonymous hacking collective have taken down the school's website.
-http://www.theregister.co.uk/2012/11/27/annymous_takes_down_northside_independen
t_school_district_as_revenge_for_rfid_tracking/

South Carolina Governor Faults IRS Standard in State Dept. of Revenue Data Breach (November 21 & 26, 2012)

South Carolina Governor Nikki Haley said that an old Internal Revenue Service (IRS) standard is partly to blame for huge data security breach that hit her state's Department of Revenue (SCDOR). Intruders managed to steal the Social Security numbers (SSNs) of 3.8 million entities who filed electronic returns with SCDOR; some credit card and bank account information was compromised as well. IRS rules do not require SSNs to be encrypted. The system became infected initially through a spear phishing email. Analysis conducted by Mandiant found that the initial infection was made through a phishing attack; the attackers were then able to harvest a user's login credentials.
-http://www.computerworld.com/s/article/9233918/South_Carolina_faults_IRS_standar
d_in_massive_data_breach?taxonomyId=17
-http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spo
t-hack-a/240142543
[Editor's Note (Shpantzer): This is the analysis available to the public. Plain English, good for executive awareness.
-http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20-%20Departmen
t%20of%20Revenue%20-%2011%2020%202012.pdf]

Group Wants to Sell SCADA Zero-Day Flaw Information (November 21 & 22, 2012)

A group calling itself ReVuln claims to have a stash of nine vulnerabilities in industrial control systems - also known as Supervisory Control and Data Acquisition (SCADA) systems - but says it does not plan to disclose the flaws to the affected vendors. Instead, the group wants to sell the information to governments and other entities willing to pay. The vulnerabilities affect products from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton, and Siemens. ReVuln, which is based in Malta, did not identify which products are affected.
-http://www.h-online.com/security/news/item/ReVuln-claims-0day-vulnerabilities-fo
r-SCADA-systems-1755037.html
-http://www.computerworld.com/s/article/9233916/Security_firm_finds_SCADA_softwar
e_flaws_won_t_report_them_to_vendors?taxonomyId=17

French News Outlet Says US Behind Flame Attacks on Sarkozy Staff Computers (November 20 & 21, 2012)

A report in French news outlet L'Express is pointing the finger at the US for a cyberattack launched against the team of Former French president Nicolas Sarkozy. The report said the attackers used the Flame malware. It claims that the attackers identified people close to Sarkozy through Facebook and sent them phishing emails that sent them to a webpage where the attackers could steal their Elysee Palace login credentials. The attackers reportedly obtained a number of documents, including strategic plans and "secret notes." The US has denied its participation in the attack, which occurred in May 2012, days before the second round of the French election.
-http://news.cnet.com/8301-1009_3-57553153-83/u.s-accused-of-cyberattack-on-frenc
h-government/
-http://arstechnica.com/security/2012/11/french-fried-us-allegedly-hacked-sarkozy
s-office-with-flame/
-http://www.theregister.co.uk/2012/11/21/us_flame_attack_elysee_palace_sarkozy/
-http://thehill.com/blogs/global-affairs/europe/268995-us-accused-of-hacking-into
-french-presidential-computers

Firefox Updated to Version 17, Opera Updated to Version 12.11 (November 21 & 22, 2012)

Mozilla has released Firefox 17, which fixes 29 security issues and is the first version that allows developers to integrate social networks into the browser. The Social API (application programing interface) has so far produced Facebook Messenger for Firefox, which displays a sidebar with active information from the social networking site. Firefox 17 also automatically blocks older versions of widely used browser plug-ins, including Adobe Flash and Reader, and Oracle's Java, from executing content. The feature is called "Click-to-Play," and users may override it if they choose. The Opera browser has also been updated; Opera 12.11 addresses a critical buffer overflow vulnerability as well as an issue that caused problems loading Gmail.
-http://www.computerworld.com/s/article/9233922/Mozilla_bakes_Facebook_features_i
nto_Firefox_17?taxonomyId=17
-http://www.theregister.co.uk/2012/11/22/firefox_opera_browser_updates/
-http://www.washingtonpost.com/world/europe/greek-police-arrest-man-on-suspicion-
of-theft-of-9-million-personal-data-files-on-greeks/2012/11/20/72dc5c64-331a-11e
2-92f0-496af208bf23_story.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/