SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #95

November 30, 2012

TOP OF THE NEWS

CyberCity (Cyber Range) Goes Live In Two Weeks in Washington DC
Think-Tank Report Deems Cyber Capabilities "Crown Jewels" in Defense Budget
Hardcoded Admin Account in Some Samsung Printers Poses Security Risk

THE REST OF THE WEEK'S NEWS

Syria Cut Off From Internet
Piracy Monitoring and Alert Plan Pushed Back Again
Judge Approves Manning's Request to Plead Guilty to Some Charges in WikiLeaks Case
Google Updates Chrome
ENISA Recommends Honeypots
Senate Committee Approves Bill Requiring Warrant for Cloud Data
Romanian Card Hacking Ring Busted
Hackers Stole eMail Addresses from IAEA Server
Cisco Tools Will Help Agencies Detect Counterfeit Products
No Extradition for TVShack Creator
Patco Fraudulent ACH Transfer Case Settles
Reports Say Free Antivirus May Be Better than Commercial Tools
Piwik Code Poisoned


************************** SPONSORED BY Invincea *************************
Inquiring minds want to know what you are dealing with in the trenches. Invincea is conducting a survey of practitioners related to current threats. Take the survey now and get a pretty rockin t-shirt in exchange. Less than 20 questions - put your voice to the current state of security. C'mon - you know you want to!
http://www.sans.org/info/118515

****************************************************************************
TRAINING UPDATE

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 Singapore, Singapore February 25-March 2, 2013 6 courses.
http://www.sans.org/event/singapore-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Barcelona, Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

CyberCity (Cyber Range) Goes Live In Two Weeks in Washington DC (November 29, 2012)

The cyber range being deployed in multiple military organizations and critical infrastructure sites for real-world cyber training will have its first test run in Washington DC in a Tournament of Champions where the people who have won every important cyber competition will come together to test their skills and win bragging rights.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240142921/cybercity-faces-its-first-attacks-next-month.html

Tournament of Champions:
-http://www.sans.org/special/netwars-champions

Think-Tank Report Deems Cyber Capabilities "Crown Jewels" in Defense Budget (November 27, 2012)

A report titled "Strategic Choices: Navigating Austerity" from the DC-based think tank Center for Strategic and Budgetary Assessments (CSBA) says that despite planned decreases in defense spending, the Pentagon should continue to invest in certain areas, including both offensive and defensive cyber capabilities. Cyber Ops were designated one of the four "crown jewels" of the country's defense program that need to be protected during budget cuts.
-http://www.defensenews.com/article/20121127/DEFREG02/311270006/Study-Keep-Investing-Spec-Ops-Cyber?odyssey=tab%7Ctopnews%7Ctext%7CFRONTPAGE

-http://www.csbaonline.org/publications/2012/11/strategic-choices-navigating-austerity/

Hardcoded Admin Account in Some Samsung Printers Poses Security Risk (November 28 & 29, 2012)

The US Computer Emergency Response Team (US-CERT) is warning consumers that firmware in some Samsung printers contains a hardcoded backdoor account that could be exploited to allow remote access to affected networks. The administrative account does not require access verification and cannot be disabled by users. The issue affects Samsung products released prior to October 31, 2012. The company plans to issue "updated firmware for all current models by November 30, with all other models receiving an update by the end of the year." The flaw could allow attackers to read print jobs. The problem can be resolved by disabling SNMP (simple network management protocol). Some Dell printers that are manufactured by Samsung are also affected.
-http://www.computerworld.com/s/article/9234118/Samsung_to_issue_firmware_fix_for_printer_security_flaw_on_Friday?taxonomyId=17

-http://www.zdnet.com/researcher-reveals-backdoor-access-in-samsung-printers-7000008013/

-http://www.informationweek.com/security/vulnerabilities/samsung-printers-have-hidden-security-ri/240142715

-http://news.cnet.com/8301-1009_3-57555820-83/some-samsung-printers-vulnerable-to-hackers/

-http://www.kb.cert.org/vuls/id/281284
[Editor's comment (Northcutt): Friends don't let friends use Samsung printers; they apparently forget to sign their printer drivers from time to time making it hard to protect systems with end-point white listing software (and please do not write me with instructions on how to sign the drivers myself, that misses the point):
-http://aaron-kelley.net/blog/2012/10/installing-the-samsung-ml-1210-printer-driver-on-windows-8/

-http://techblog.mirabito.net.au/?p=68
(Honan): Network attached devices such as printers, scanners, and photocopiers have embedded operating systems and large storage capacities installed on them which if accessed by unauthorised users could reveal a lot of sensitive information; many are also accessible via the Internet. A search on the Shodan website for keywords relating to network attached printers came back with over 30,000 hits. ]
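The item above gives two defender-side facts: the undocumented account is reached over SNMP, and the interim mitigation is to disable SNMP on the printer. Until firmware is updated, a network team can also watch for SNMP traffic reaching printers from anywhere other than the designated management hosts. The following is an added example, not code from the newsletter or from US-CERT or Samsung; the flow-record format, the printer subnet, the management host address and the sample records are all constructed for illustration.

```python
"""Flag SNMP (UDP/161) flows to printers that do not come from an approved
management host.  Added example; log format and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: the subnet holding network printers and the only hosts that
# are supposed to speak SNMP to them.  Replace with your own inventory.
PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.0.0.5")}
SNMP_PORT = 161


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <proto> <src>:<sport> <dst>:<dport>'."""
    ts, proto, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, proto.upper(), ipaddress.ip_address(s_ip), int(s_port),
                ipaddress.ip_address(d_ip), int(d_port))


def is_suspect_snmp(flow: Flow) -> bool:
    """SNMP to a printer from a host that is not on the management list."""
    return (flow.proto == "UDP" and flow.dport == SNMP_PORT
            and flow.dst in PRINTER_SUBNET and flow.src not in MANAGEMENT_HOSTS)


def find_suspect_snmp(lines):
    """Run the rule over flow records; comments and blank lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if is_suspect_snmp(f):
            alerts.append(f"{f.ts} SNMP to printer {f.dst} from unapproved host {f.src}")
    return alerts


# Constructed sample: one approved poll, one print job (TCP/9100, ignored),
# one SNMP query from an ordinary workstation, one from an external address.
SAMPLE_LOG = """\
# constructed flow records: ts proto src:sport dst:dport
2012-11-29T10:00:01Z udp 10.0.0.5:41000 10.20.30.7:161
2012-11-29T10:00:05Z tcp 10.0.0.77:51234 10.20.30.7:9100
2012-11-29T10:01:12Z udp 10.0.0.77:51235 10.20.30.7:161
2012-11-29T10:02:40Z udp 203.0.113.9:60000 10.20.30.12:161
2012-11-29T10:03:00Z udp 10.0.0.5:41001 10.20.30.12:161
"""

if __name__ == "__main__":
    for alert in find_suspect_snmp(SAMPLE_LOG.splitlines()):
        print(alert)
```

Flow records show only that a datagram was sent, not whether the printer answered, so an alert from this rule is a prompt to confirm that SNMP really is disabled (or the firmware updated) on the device named, and to ask why the source host is talking SNMP to it at all.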


************************** SPONSORED LINKS *****************************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/118520

2) Analyst Webcast: Secure Content Management in a Mobile Age Tuesday, Dec. 4, 2012 at 1:00PM EST. http://www.sans.org/info/118525

3) Supporting Packet Decryption for Security Scanning by Dave Shackleford http://www.sans.org/info/118530
************************************************************************

THE REST OF THE WEEK'S NEWS

Syria Cut Off From Internet (November 29, 2012)

Reports are indicating that Syrian computer networks have been effectively cut off from the rest of the Internet. Access was severed at 10:26 GMT on Thursday, November 29. According to Internet monitoring company Renesys, "all 84 of Syria's IP address blocks have become unreachable, effectively removing the country from the Internet." The Syrian government is blaming the outage on terrorists.
-http://www.cnn.com/2012/11/28/world/meast/syria-civil-war/index.html?hpt=te_t1
-http://www.nbcnews.com/technology/technolog/syria-drops-internet-1C7319908
-http://www.zdnet.com/syria-suffers-internet-blackout-cut-off-from-the-outside-world-7000008100/

-http://www.bbc.co.uk/news/technology-20546302

Piracy Monitoring and Alert Plan Pushed Back Again (November 29, 2012)

A plan for US Internet service providers (ISPs) to monitor users' activity for illegal filesharing has been pushed back to at least early next year. The plan was scheduled to start this month, but the Center for Copyright Information, the group overseeing the program, has announced the Copyright Alert System's second delay this year. The first delay was due to ISPs' concerns that consumers would balk at the plan because it had been scheduled to be implemented shortly after SOPA and PIPA failed in the legislature. The organization's executive director said the new delay was due to the effects of Hurricane Sandy, which "seriously affected our final testing schedules."
-http://www.wired.com/threatlevel/2012/11/file-sharing-monitoring/
-http://thehill.com/blogs/hillicon-valley/technology/270163-rollout-of-copyright-alert-system-delayed

[Editor's Note (Murray): This monitoring may be a contractual issue between ISPs and their customers. However, it establishes a bad precedent. ISPs' Terms of Service forbid all kinds of bad behavior that the carriers do not currently police. Doing so might involve significant violations of the privacy of non-offenders. ]

Judge Approves Manning's Request to Plead Guilty to Some Charges in WikiLeaks Case (November 29, 2012)

A judge has approved Bradley Manning's request to plead guilty to some but not all of the charges he is facing for his role in the leak of hundreds of thousands of classified documents to WikiLeaks. The charges to which Manning has said he is willing to plead guilty carry a maximum prison sentence of 16 years. Manning has not yet formally submitted a plea, but was seeking the court's approval for pleading guilty to some of the charges. His trial date is set for February 2013.
-http://www.wired.com/threatlevel/2012/11/manning-plea-terms-accepted/

Google Updates Chrome (November 29, 2012)

Google has issued updates for all versions of its Chrome browser. The Stable Channel of Chrome addresses seven security issues, three of which were rated high. Google has also released new Stable versions of Chrome for iOS and Android. There are new versions of Chrome in the Beta and Developer Channels as well.
-http://www.h-online.com/security/news/item/Google-updates-all-Chrome-editions-1758946.html

-http://www.chromium.org/getting-involved/dev-channel

ENISA Recommends Honeypots (November 29, 2012)

The European Network and Information Security Agency (ENISA) is recommending that companies use honeypots as a means to detect cyberthreats. ENISA has tested a variety of systems and recommends several that are easy to use. The agency also noted that honeypots could do a better job with data collection; many of the tested systems offered up the data in formats that make analysis difficult. ENISA's recommendations also include open source honeypots.
-http://www.h-online.com/security/news/item/ENISA-promotes-digital-hacker-traps-1759415.html

[Editor's Note (Murray): I am reminded of the client who wanted his network seeded with honeypots but who gave up monitoring them after two weeks. ]
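Two points in the ENISA item are worth seeing in code: a honeypot is nothing more than a listener that nobody legitimate should ever connect to, so every connection is a detection; and its value depends on emitting records in a form that is easy to analyse, the weakness ENISA noted in several tested systems. Below is an added example, not one of the tools ENISA tested and not code from the newsletter: a minimal TCP honeypot that records each connection as one flat JSON object. The listening address, the service label and the probe payload are constructed for the demonstration.

```python
"""Minimal TCP honeypot that records each connection as one structured JSON
line.  Added example; service label, address and probe payload are constructed."""
import json
import socket
import threading
import time


def record_connection(conn, addr, service):
    """Read the first bytes a client sends, close, and return a flat record
    that a SIEM or script can consume without further parsing."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(256)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "service": service,
        "src_ip": addr[0],
        "src_port": addr[1],
        "first_bytes_hex": data.hex(),   # hex keeps binary payloads JSON-safe
        "first_bytes_len": len(data),
    }


class Honeypot:
    """Listens on one port; accepts, records, and drops every connection."""

    def __init__(self, host="127.0.0.1", port=0, service="constructed-telnet"):
        self.service = service
        self.events = []        # dicts; json_lines() renders them for export
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))   # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)      # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.events.append(record_connection(conn, addr, self.service))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def json_lines(self):
        """One JSON object per line: the export format analysis tools expect."""
        return [json.dumps(e, sort_keys=True) for e in self.events]


def probe(hp, payload=b"constructed probe\r\n", timeout=3.0):
    """Constructed client: connect to the honeypot, send a payload, and wait
    until the listener has recorded the connection (or the timeout passes).
    Returns how many new events were recorded."""
    before = len(hp.events)
    with socket.create_connection(("127.0.0.1", hp.port)) as c:
        c.sendall(payload)
    deadline = time.time() + timeout
    while len(hp.events) <= before and time.time() < deadline:
        time.sleep(0.05)
    return len(hp.events) - before


if __name__ == "__main__":
    hp = Honeypot().start()
    probe(hp)
    hp.stop()
    for line in hp.json_lines():
        print(line)
```

The record is deliberately flat (no nested structures, payload as hex) so that it can be shipped to a log collector as-is and queried by field. Murray's note about the client who stopped monitoring after two weeks is the operational caveat: a honeypot only detects anything if someone, or some alerting rule, reads these lines.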

Senate Committee Approves Bill Requiring Warrant for Cloud Data (November 29, 2012)

The US Senate Judiciary Committee has approved legislation that would require the government to obtain probable cause warrants prior to accessing email and other content that users have stored in the cloud. The bill would amend the 1986 Electronic Communications Privacy Act, nullifying a provision that allows the government to obtain stored content from providers without demonstrating probable cause. The provision applies to messages that have been stored for 180 days or longer. When the legislation was originally passed, most communications were not stored on servers for long periods of time, so those that exceeded the six-month mark were considered to have been abandoned.
-http://www.wired.com/threatlevel/2012/11/ecpa-reform-approved/

Romanian Card Hacking Ring Busted (November 27, 28 & 29, 2012)

The Australian Federal Police, working with authorities in 13 other countries, have helped to shut down a Romanian cybercrime operation that had compromised the security of half a million Australian credit card accounts. About 30,000 of those accounts were used to conduct fraudulent transactions. The Australian credit card data were stolen by breaking into point-of-sale systems at small businesses across the country.
-http://www.zdnet.com/au/afp-shuts-down-crime-ring-in-its-largest-data-breach-investigation-7000008060/

-http://arstechnica.com/security/2012/11/small-business-point-of-sale-systems-hacked-subway-style-in-australia/

-http://www.smh.com.au/it-pro/security-it/australias-biggest-ever-data-theft-gang-busted-over-credit-card-crime-20121129-2agzy.html

-http://www.theregister.co.uk/2012/11/29/australian_federal_police_bust_romanian_credit_card_fraudsters/

-http://www.computerworld.com/s/article/9234057/Romanian_authorities_dismantle_cybercrime_ring_responsible_for_25M_credit_card_fraud?taxonomyId=17

[Editor's Note (Honan): Small businesses are increasingly becoming targets for online criminals as they recognise many of these companies do not have the skills to secure their systems. In Ireland and Australia small businesses have been targeted by criminals who use insecure Remote Desktop Protocol (RDP) connections to access servers, encrypt the data on those servers and then extort thousands of dollars from the affected organisation to get their data back.
-http://www.net-security.org/secworld.php?id=13969
As an industry we need to do better at raising awareness of these threats to small businesses and consumers. ]

Hackers Stole eMail Addresses from IAEA Server (November 27 & 28, 2012)

Hackers managed to gain access to a server that belongs to the International Atomic Energy Agency (IAEA) and steal email contact information for some experts who work with the agency. The data were posted to the Internet several days ago. The post included the email contacts for 167 individuals along with a statement from the hackers indicating they want IAEA to investigate nuclear activities in Israel. The data were taken from "an old server that was shut down some time ago," according to an IAEA spokesperson. The IAEA is headquartered in Vienna, Austria and reports to the UN on international nuclear cooperation matters.
-http://www.computerworld.com/s/article/9234084/Hackers_hit_International_Atomic_Energy_Agency_server?taxonomyId=17

-http://www.h-online.com/security/news/item/Hackers-break-into-UN-atomic-agency-1758272.html

-http://news.cnet.com/8301-1009_3-57555539-83/hackers-steal-and-publish-e-mails-from-u.n-nuclear-agency/

-http://www.scmagazine.com/un-nuclear-agency-israel-news-agency-hacked/article/270251/

-http://arstechnica.com/security/2012/11/pro-iranian-hackers-stole-data-from-un-atomic-agencys-server/

Cisco Tools Will Help Agencies Detect Counterfeit Products (November 28 & 29, 2012)

Cisco plans to release a tool that can detect counterfeit versions of the company's own products. The tool will be available for federal customers' systems. US government agencies have purchased counterfeit Cisco products for years without knowing they were doing so; the imitation products pose a security threat. The number of suppliers of questionable parts has increased by more than two thirds over the last 10 years.
-http://www.nextgov.com/cio-briefing/2012/11/cisco-takes-rogue-suppliers-device-id-counterfeit-parts/59782/?oref=ng-HPtopstory

-http://www.theregister.co.uk/2012/11/29/cisco_counterfeit_items_china/

No Extradition for TVShack Creator (November 28, 2012)

A UK man who created a website that allegedly violates US copyright laws will not be extradited to the US to face charges of copyright violations. Richard O'Dwyer created the TVShack website, which offers links to pirated copies of movies and television shows. The BBC says that O'Dwyer will travel to the US to pay a fine and accept the government's offer of "deferred prosecution," which means that he will not be prosecuted as long as he stays out of similar sorts of trouble.
-http://www.bbc.co.uk/news/uk-england-south-yorkshire-20525891
-http://arstechnica.com/tech-policy/2012/11/uk-tv-shack-admin-wont-face-trial-in-us-on-copyright-charges/

Patco Fraudulent ACH Transfer Case Settles (November 27, 2012)

A Maine construction company that lost US $345,000 to ACH hackers has settled with its bank over the loss. Patco Construction sued People's United Bank (formerly known as Ocean Bank) in 2009 after cybercriminals attempted to make US $590,000 in unauthorized Automated Clearing House (ACH) transfers from its account. (Nearly US $250,000 was recovered after the company became aware of the fraud.) Patco and the bank have been trying to make the other accept responsibility for the loss. Patco said that the bank should have noticed that the transactions were anomalous with their normal business and maintained that the bank did not employ adequate security measures. The bank asserted that Patco was at fault because the cyberthieves were able to obtain, through targeted attacks, the necessary credentials to initiate the transactions. The US Court of Appeals for the First Circuit agreed with Patco and suggested that the two entities come to a settlement. One of Patco's owners reportedly said that the bank has agreed to reimburse the company for its loss.
-http://www.computerworld.com/s/article/9234054/Construction_company_bank_settle_dispute_over_345_000_cyber_heist?taxonomyId=17

Reports Say Free Antivirus May Be Better than Commercial Tools (November 27, 2012)

Reports are showing that paid antivirus software may be a waste of money; some studies have found that free antivirus products outperform their paid counterparts. Organizations often purchase antivirus software because security practices dictate that they must be in compliance with established requirements. Imperva, one of the companies that have conducted studies on antivirus products, recommends that organizations be permitted to use free products and spend their budgets on more effective types of security.
-https://www.networkworld.com/news/2012/112712-antivirus-software-a-waste-of-264547.html

[Editor's Note (Honan): Careful reading of the report shows the findings do not advocate companies to not use anti-virus software. Rather it asks whether or not they should purchase commercial anti-virus products or use free anti-virus products. However, the report concentrates mainly on the detection capabilities of anti-virus software without examining the management aspect of deploying anti-virus software into an enterprise. Running free anti-virus software on a small number of PCs is a much different prospect than ensuring thousands of PCs in an enterprise environment are configured, updated and running properly.
(Honan): I prefer to get my software from reliable sources, with whom I have an enforceable contract, and in tamper-evident packaging. (Some would argue that no such terms are available for software.) ]

Piwik Code Poisoned (November 27, 2012)

Hackers have poisoned Piwik open-source analytics software with a backdoor. Users who installed Piwik 1.9.2 during an eight-hour period on Monday, November 26 could be running infected software. The malicious code causes servers to send data to a domain that has been associated with scammers in the past.
-http://arstechnica.com/security/2012/11/malicious-code-added-to-open-source-piwik-following-website-compromise/



************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/