SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #98

December 11, 2012

A Holiday present from Ed Skoudis, America's top penetration tester, teacher, and cyber simulation creator: Ed's 10th annual cyber game - appropriate for all levels of cybersecurity skills. With 10 levels, starting really easy with lots of hints, it ramps up gradually (but gets hard at the end) to teach skills in web application vulnerability assessment and pen testing of Human Machine Interfaces (HMIs) of industrial control systems (ICS). Ed's team also built CyberCity - the very real cyber simulator used by the military to teach cyber defense to military folks; they know how to build a great game. More than 500 people started this year's "The Year Without a Santa . . . Hack" within the first two days; Twitter traffic is very positive. Try it at http://pen-testing.sans.org/holiday-challenge It runs through the holiday season. There is no charge.

Bonus: This will also be a fun way to get a head start on a growing issue. Many organizations have deployed various appliances and machines that have processors and run software, often called Operational Technology (OT). These systems have vulnerabilities that have fallen prey to worms like Conficker as well as more advanced targeted attacks. A key subset of this area is called Industrial Control Systems (ICS), such as process control and SCADA systems that run critical manufacturing lines and power production and distribution systems. Since many of these systems are part of Critical Infrastructure, they are high visible targets for advanced attacks and many fall under the NERC security requirements. Many IT organizations have already been tasked to take over management and security of OT systems, which were often procured with little or no thought about security.

Mike Assante, who served as CSO at both American Electric Power and at the NERC (the North American power grid regulator) has assembled a consortium of the U.S. and Europe's top people in industrial control systems to help organizations forge and active defense strategy to get ahead of this problem. He'll be running a meeting in February for everyone who has a stake in industrial control systems and operational technology security. If you have a substantive role and want an invitation, email him at the National Board of Information Security Examiners (NBISE) at michael.assante@nbise.org.

---

TOP OF THE NEWS

Saudi Government Says Shamoon Failed to Disrupt Oil Production at Saudi Aramco
Report Says Personally Identifiable Data Theft on the Rise in Health Care
Cyber Activity Warning Accord Fails After Russia Backs Out

THE REST OF THE WEEK'S NEWS

Skynet Botnet Operates Through TOR
FTC Report Finds Kids' Apps Not Forthcoming About Data Collection and Sharing
Hackers Claim to Have Infiltrated Broad Swath of Networks
Australian Medical Center is Victim of Ransomware Attack
Apple Maps Software Endangers Travelers in Australia
Supreme Court Asked to Review Thomas-Rasset Filesharing Case
Federal Grand Jury Indicts Man in Connection with Stratfor Hack
FISA Amendments Act Will Expire if Senate Does Not Vote for Extension by End of Year
Board of UK's IPv6 Group Resigns in Protest Over Government Indifference
UK Man Convicted in Connection with DDoS Attacks on Payment Sites

---

************************* SPONSORED BY Bit9 *******************************
WHITEPAPER - In the wake of the numerous server data breaches reported this year, it is clear that traditional signature-based blacklisting security strategies are inadequate in addressing today's sophisticated cyber threats. Industry Analyst Frost and Sullivan examines today's advanced threat landscape and recommends that organizations adopt a new approach to server security that is based on trust. Download Whitepaper http://www.sans.org/info/119165
****************************************************************************
TRAINING UPDATE

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, New Delhi, Brussels, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
***************************************************************************

---

TOP OF THE NEWS

Saudi Government Says Shamoon Failed to Disrupt Oil Production at Saudi Aramco (December 10, 2012)

Saudi Aramco and Saudi government officials are speaking about the August Shamoon attack on the company's computer systems that wiped the hard drives of 30,000 PCs. The attack was aimed at disrupting oil production but was unsuccessful. Saudi Aramco supplies ten percent of the world's oil. A Saudi official said that the attack was launched by an "organized group ... from outside the kingdom," with actors on four continents, but declined to provide additional information because of the ongoing investigation.
-http://www.theregister.co.uk/2012/12/10/saudi_aramco_shamoon_inquest/
-http://www.infosecurity-magazine.com/view/29750/shamoon-was-an-external-attack-o
n-saudi-oil-production/
[Editor's Note (Assante): Shamoon was destructive in its own right with the general loss of machines in scale. Future attacks aiming to physically disrupt oil production, processing, and shipment will certainly try to develop and launch ICS specific tools to achieve their desired outcomes. Those that would attempt to disrupt global critical infrastructure have yet to demonstrate ICS know how, but we should not rest easy. ]

Report Says Personally Identifiable Data Theft on the Rise in Health Care (December 7, 2012)

A survey of 80 healthcare organizations found that 94 percent had experienced data loss within the past two years. Forty-five percent said they had experienced five or more breaches over the past two years. Identity theft is a growing problem in the healthcare industry. Fifty-two percent of the organizations reported incidents of identity theft; many of those instances were caused by inaccuracies in patient records and in some cases affected patient care. The report is the third annual survey on health care data security from the Ponemon Institute.
-http://www.eweek.com/security/identity-theft-is-a-growing-risk-in-health-care-po
nemon-report/
-http://www.scmagazine.com/nine-out-of-10-hospitals-lost-personal-data-in-last-tw
o-years/article/271795/
[Editor's Note (Henry): Healthcare data is among our most sensitive and private information. 94% experienced data-loss. Really ?! The inability to secure this data is unacceptable, and should be the type of issue that garners a public backlash and better accountability for data holders
(Paller): The attackers' primary economic target in health care attacks has been extortion. "We have your patients' data. If you don't want it disclosed on the Internet -proving you cannot protect the confidentiality of your patient's information, pay us $250,000 (or $2 million) by Thursday." It works; it's a very fast and effective way to turn cyber attack capabilities into cash.
(Murray): A breach of personally identifiable health information does not necessarily equate to "identify theft;" the report addresses how the research identified the breaches, but is silent on identity theft. That said, the payment side of the healthcare industry (insurance companies) appears to be doing a better job of security than the clinical side. Hospitals continue to leak like sieves. The problem appears to be partly cultural. ]

Cyber Activity Warning Accord Fails After Russia Backs Out (December 7, 2012)

Attempts to craft an international accord requiring countries to warn each other about cyber activity have fallen through after Russia backed away from the deal. The transparency measures are aimed at preventing the misinterpretation of cyber activity as hostile. The Organization for Security and Cooperation in Europe (OSCE) needed to reach unanimous consensus for the pact to be approved. It would have been similar to the arrangement between Russia and the US made in the middle of the 20th century to help avoid nuclear war.
-http://www.nextgov.com/cybersecurity/2012/12/cyber-early-warning-deal-collapses-
after-russia-balks/60035/?oref=ng-channelriver
[Editor's Note (Murray): In the symmetric Cold War, Russia and the US did not have to worry much about rogue states, much less amateurs, launching swarms of rockets. However, given the "rules of engagement" that permit US forces to respond with armed force to perceived attacks on the Internet, the Russians might want to reconsider. We need to move toward an Internet with more transparency and accountability but the leadership for this is not likely to come from the nation states currently exploiting it for espionage. ]

---

THE REST OF THE WEEK'S NEWS

Skynet Botnet Operates Through TOR (December 7 & 10, 2012)

The operator of the Skynet botnet is hiding behind the TOR (the Onion Router) network. Skynet can be used to launch distributed denial-of-service (DDoS) attacks, steal online banking credentials, download and execute files, and generate Bitcoins using the processing power of infected machines.
-http://www.h-online.com/security/news/item/Botnet-hidden-in-the-Tor-network-1765
530.html
-http://www.computerworld.com/s/article/9234468/Tor_network_used_to_command_Skyne
t_botnet?taxonomyId=17

FTC Report Finds Kids' Apps Not Forthcoming About Data Collection and Sharing (December 10, 2012)

The US Federal Trade Commission (FTC) has published a report which concluded that children's apps are not informing parents about the information they collect and how that information is being shared. Among those data are phone numbers and geolocation information. Nearly 60 percent of the apps examined in the study harvest and share information improperly. The FTC has launched investigations into a number of mobile app companies that are allegedly collecting and sharing personal information without proper authorization.
-http://www.washingtonpost.com/business/technology/ftc-probes-mobile-apps-firms-o
ver-child-privacy-concerns/2012/12/10/c54c45e6-40c0-11e2-a2d9-822f58ac9fd5_story
.html
-http://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-l
acking-in-kids-mobile-appsand-its-getting-worse/
-http://www.wired.com/threatlevel/2012/12/ftc-mobile-kid-privacy-probe/
-http://www.latimes.com/business/technology/la-fi-tn-ftc-most-mobile-kids-apps-se
cretly-collect-and-share-information-20121207,0,1679873.story
FTC Report: Mobile Apps for Kids: Disclosures Still Not Making the Grade:
-http://www.ftc.gov/os/2012/12/121210mobilekidsappreport.pdf
[Editor's Note (Shpantzer): Try this at home: Go to facebook.com with a browser. Then type in m.facebook.com (cleaner, simpler, some less functionality..) Then use the facebook mobile app. Check out the permissions the app requires vs. what can do with your browser to control leaking vs. the app's intrusiveness...]

Hackers Claim to Have Infiltrated Broad Swath of Networks (December 10, 2012)

A hacking group that calls itself Team Ghostshell claims to have broken into computer systems at the European Space Agency, the Japan Aerospace Exploration Agency, the US Department of Defense, NASA, the US Federal Reserve, the FBI and other high profile networks. On Monday, December 10, the group also released what it says are 1.6 million accounts and records stolen during its exploits.
-https://www.informationweek.com/security/attacks/team-ghostshell-hackers-claim-n
asa-inter/240144111

Australian Medical Center is Victim of Ransomware Attack (December 10 & 11, 2012)

The Miami Family Medical Centre in Australia says that hackers have encrypted its patient files and are demanding AUS $4,000 (US $4,200) to release the data. The medical center says that it has "all the antivirus stuff in place
[and that the intruders ]
got in, hijacked the server and then ran their encryption software." The backup disks have been corrupted as well. The organization is looking for someone to help decrypt the files. The attack appears to have originated in Russia.
-http://www.bbc.co.uk/news/technology-20663685
-http://news.techworld.com/security/3415635/ransom-hackers-encrypt-medical-centre
s-entire-database/
-http://www.goldcoast.com.au/article/2012/12/10/443366_gold-coast-news.html
-http://www.theregister.co.uk/2012/12/11/queensland_ransomware_attack/
[Editor's Note (Henry): Were the back-up disks collocated with the originals? A continuity of operations plan necessitates appropriate separation between originals and copies, specifically to protect against this significant risk.
(Murray): If a secondary copy of data is vulnerable to the same event or attack as the primary copy, it cannot properly be called "backup."
(Shpantzer): Help is unlikely forthcoming in the form of decrypting the files. To paraphrase Golda Meir: We don't make foreign policy on the backs of our patients... Might have to pay the money, if that's still an option.
(Honan): At IRISSCERT we have had a number of Irish small businesses report similar attacks. The criminals appear to gain access to the systems via insecure Remote Desktop Protocol configurations on the companies' servers. This may be via weak passwords or unpatched RDP vulnerabilities on the server. If you know of small businesses using RDP for remote connections ask them to ensure their RDP connections are properly secured, patched with the latest updates and are employing secure passwords. ]

Apple Maps Software Endangers Travelers in Australia (December 10, 2012)

Police in Australia are warning that issues with Apple Maps could put travelers' lives in danger. Drivers who used the software to find the town of Mildura, Victoria, instead found themselves in the middle of a national park with no access to water and high temperatures of more than 110 degrees Fahrenheit. They had to be assisted by police, who recommended that the travelers use a different mapping service until the issues with Apple's have been resolved. In September, Apple switched from Google Maps to its own program in its iOS software, which is the operating system for the company's mobile devices. Users quickly began complaining about the systems' inaccuracies and unreliability.
-http://www.bbc.co.uk/news/technology-20663447
-http://www.washingtonpost.com/business/technology/apple-maps-error-called-potent
ially-life-threatening-by-australian-police/2012/12/10/e8f769f4-42c2-11e2-8061-2
53bccfc7532_story.html
[Editor's Note (Frantzen): The data inconsistency has been corrected by Apple in the mean time.:
-http://www.cultofmac.com/205372/apple-quietly-fixes-potentially-life-threatening
-maps-glitch-in-australia/
[Editor's Note (Pescatore): Apple certainly deserves a black eye for putting out bad map data, but this is getting a bit silly. Driving into the desert with a smartphone as your only navigational aid is sort of like sailing across the ocean with a rubber ducky as your only flotation device. ]

Supreme Court Asked to Review Thomas-Rasset Filesharing Case (December 10, 2012)

Jammie Thomas-Rasset's legal team has asked the US Supreme Court to review the jury decision that she must pay the recording Industry Association of America (RIAA) US $222,000 for illegally sharing 24 songs over the Kazaa filesharing service. The Supreme Court has declined to hear two other RIAA-related filesharing cases that it has been asked to review. The petition argues that the amount of the damages is unconstitutional.
-http://www.wired.com/threatlevel/2012/12/scotus-thomas-rasset-riaa/
-http://news.cnet.com/8301-1023_3-57558368-93/jammie-thomas-asks-supreme-court-to
-take-file-sharing-case/
-http://csdisco.com/Content/Cert%20Press%20Release.pdf

Federal Grand Jury Indicts Man in Connection with Stratfor Hack (December 7, 8, & 10, 2012)

A federal grand jury in Texas has returned a 12-count indictment against Barrett Brown for possession and transmission of stolen credit card numbers connected to the intrusion into the systems of Stratfor Global Intelligence. Brown faces charges of access device fraud, aggravated identity theft, and other offenses related to the Stratfor hack. Brown was at one time a spokesperson for Anonymous, but distanced himself from the group after members started to turn away from political activism. The FBI arrested Brown in September after he posted a message on YouTube threatening a federal agent.
-http://www.wired.com/threatlevel/2012/12/fbi-charges-barrett-brown/
-http://www.informationweek.com/security/attacks/anonymous-no-longer-hacktivist-s
pokesman/240144134
-http://arstechnica.com/security/2012/12/former-anon-spokesperson-indicted-for-al
legedly-linking-to-stolen-information/
[Editor's note (Honan0: The results of this case could have a lot of far reaching implications for many security researchers and reporters. According to the Wired article Barrett Brown "posted a link to a zipped version of the documents stolen in the Stratfor hack on Christmas day 2011 - that counts as trafficking in "stolen authentication features,"" If found guilty many people will need to be more wary about posting links to dumps of compromised details on the web. ]

FISA Amendments Act Will Expire if Senate Does Not Vote for Extension by End of Year (December 8, 2012)

The FISA Amendments Act expires later this month. The measure allows the government to intercept electronic communications without a warrant. The House approved a five-year extension for the law earlier this year, but the Senate must approve an extension by year's end or FISA Amendments will expire. The law is used to access phone calls and email communications from foreigners who are overseas, but the process also collects communications of US citizens, which concerns civil liberties advocates.
-http://www.washingtonpost.com/world/national-security/sharp-debate-expected-on-e
lectronic-intercept-law/2012/12/08/c5599d4e-3fb8-11e2-a2d9-822f58ac9fd5_story.ht
ml

Board of UK's IPv6 Group Resigns in Protest Over Government Indifference (December 8, 2012)

The entire board of an organization established in the UK to help Internet service providers (ISPs) and other companies make the transition from IPv4 to IPv6 has resigned in protest because it did not have adequate support from the government. The former director of the non-profit organization that called itself 6UK said that the UK government took no steps to encourage the adoption of the new system, such as changing official procurement rules. No UK government websites have IPv6 addresses.
-http://www.bbc.co.uk/news/technology-20646710
-http://www.techweekeurope.co.uk/news/ipv6-6uk-uk-governmen-101413

UK Man Convicted in Connection with DDoS Attacks on Payment Sites (December 6 & 7, 2012)

A London, UK court has convicted Christopher Weatherhead of conspiracy for his role in a series of distributed denial-of-service (DDoS) attacks against MasterCard, Visa, and PayPal after they refused to process payments to WikiLeaks. Three other men have already entered guilty pleas in connection to these attacks. The group also launched DDoS attacks against companies in the music industry that have been vocal in their fight against digital piracy.
-http://www.h-online.com/security/news/item/Student-convicted-for-PayPal-DDoS-att
acks-1764262.html
-http://news.cnet.com/8301-1009_3-57557706-83/u.k-convicts-anonymous-member-nerdo
-for-ddos-attack/
-http://www.computerworld.com/s/article/9234434/Former_Anonymous_member_convicted
_in_attacks_against_PayPal_MasterCard_Visa?taxonomyId=17

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/