SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #1

January 04, 2013

OT is the new term for operational technology (in contrast to IT) that
runs the power and oil & gas and transportation and hundreds of other
systems on which our worlds depend. OT is in the bulls eye for attackers
and a lot of good is happening. See the first two stories for a little
insight.

---

TOP OF THE NEWS

ICS-CERT Report Says Cyberattacks Against Energy Sector Systems on the Rise
Mike Assante's 2013 Call to Arms for ICS and SCADA Security
Companies Revoke Trust in Unauthorized Google Digital Certificates
DHS Will Pay for Federal Civilian Agencies' Continuous Monitoring Services

THE REST OF THE WEEK'S NEWS

Five-Year Prison Sentence for Filesharer
Some Companies Scatter Phony Data in Systems to Thwart Attackers
Man Facing Prosecution for Licensing Code Used on Online Gambling Sites Abroad
Ruby on Rails Development Team Releases Update
First Patch Tuesday of 2013 Will Comprise Seven Bulletins
Microsoft Releases Temporary Fix for IE Flaw
Two More States Say No to Employers Demanding Social Network Passwords

---

****************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

ICS-CERT Report Says Cyberattacks Against Energy Sector Systems on the Rise (December 31, 2012 & January 2, 2013)

According to a report from the US Department of Homeland Security's (DHS's) Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT) cyberattacks on systems at organizations that are part of the US energy infrastructure are on the rise. In the 12 months ending in September 2012, nearly 200 cyber incidents were reported to ICS-CERT. More than 40 percent of those incidents were directed at energy sector companies. Many industrial control systems used in elements of the country's critical infrastructure are linked directly to the Internet. Some of the systems became infected through USB drives.
-http://blogs.wsj.com/cio/2013/01/02/report-cyber-threats-to-energy-sector-happen
ing-at-alarming-rate/
-http://www.networkworld.com/community/node/82058
-http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Oct-Dec2012.
pdf
[Editor's Note (Assante): ICS-CERT assistance and analysis is helping the sector understand the extent of the problem. Campaigns are widening to include a successful attack against a key supplier of energy control systems and attempts to compromise a sector security consortium. Energy will continue to be an attractive target. Expect to see the use of custom malware and continued targeting of individuals, sector related websites, and connected business partners.
(Henry): My experience with ICS CERT while in the FBI was positive; they had an aggressive outreach program, it was well coordinated with the Bureau and others in the intelligence community, and they were making progress. Not sure if the increase in reported attacks is because adversary activity has gone up, or because the ICS-CERT program is more effective and having an impact. I'd say it's almost certainly a combination of the two.
(McBride): What exactly is an "incident" in ICS-CERT terms? SSH scanning, reports of Shodan search terms, common viruses inserted into control networks via USB sticks that weren't scanned? With a couple of significant exceptions, the incidents themselves are generally UN-alarming. The report does however show that ICS asset owners generally lack the ability to deal with OT (operational technology like SCADA and supporting computers) incidents themselves and that they are increasingly looking for assistance. To successfully combat the ICS security challenge, we need scalable approaches that include the right mix of government and private sector solutions. ]

Mike Assante's 2013 Call to Arms for ICS and OT Security

Given the increasing level of attacks on industrial control systems in power and on other operational technology (OT) the power and ICS industry has launched an important initiative to share best practices and to jointly build and certify the talent to improve cybersecurity in power systems and other OT. The leader of this consortium and the initiative is Mike Assante, the most trusted person in power systems security who served as CSO at both American Electric Power and at NERC. His call to arms appeared this week in the NESCO blog. (If you want to be part of the consortium developing the new initiative, register for the Summit at
-http://www.sans.org/event/north-american-scada-2013
and then email Mike at michael.assante@nbise.org.)
-http://www.us-nesco.org/guest-blog/mike-assante-guest-blog-call-to-arms/
[Editor's Note (McBride): It would be wonderful to shift from building awareness to properly organizing our efforts in 2013. The most salient point to me from the "Call to Arms" is about integrating our system protection/resilience efforts across job functions to properly deal with deeply-understood failure conditions. This won't occur in 2013, but we'd best get moving on it!

Companies Revoke Trust in Unauthorized Google Digital Certificates (January 3, 2013)

Google, Microsoft, and Mozilla have revoked (trust) for two digital certificates that were released by a Turkish certificate authority (CA). The certificates were issued by an intermediate certificate authority that links back to TURKTRUST, which has acknowledged that in August 2011, it inadvertently issued two intermediate CA certificates to organizations that should have received regular SSL certificates. The certificates are being used in active phishing attacks.
-http://www.computerworld.com/s/article/9235218/Google_finds_unauthorized_google.
com_domain_certificate_scrambles_to_fix?taxonomyId=17
-http://krebsonsecurity.com/2013/01/turkish-registrar-enabled-phishers-to-spoof-g
oogle/
-http://www.darkreading.com/authentication/167901072/security/attacks-breaches/24
0145512/phony-google-digital-certificate-blocked-by-browser-vendors.html
[Editor's Note (Pescatore): The CA/Browser Forum seemed to make little progress (and actually lost members due to intellectual property issues) in 2012 in improving the sorry state of SSL certificate issuance. They met in December; I hope their 2013 New Year's Resolution was a much more aggressive approach this year.
(Shpantzer): A non-technical article about SSL trust and the Turkish CA, including the interesting idea that the browser companies are where the rubber meets the road:
-http://erratasec.blogspot.com/2013/01/notes-on-turktrust-fiasco.html]

DHS Will Pay for Federal Civilian Agencies' Continuous Monitoring Services (January 3, 2013)

US Department of Homeland Security (DHS) officials say the agency will foot the cost of providing civilian agencies with technology to conduct near-real-time threat detection. Th stab could reach US $6 billion if all levels of government and critical infrastructure organizations participate. The White House has called for continuous monitoring since 2010, but many agencies lacked the resources and skills to implement the practice. The initiative, called continuous monitoring as a service (CMaaS), will provide sensors, risk-status displays, and professional consulting. Military, state, and local government agencies will be encouraged to use the same companies that provide the services to the federal government agencies, but DHS will not cover the costs for those entities.
-http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-survei
llance-systems-every-department/60445/?oref=ng-channeltopstory
[Editor's Note (Henry): Continuous monitoring of networks in real-time is crucial in identifying malicious activity on the network, rather than merely trying to block ever-changing malware signatures. It will require a lot of time and a lot of coordination to do this effectively; it's a lofty goal, but doing this right is absolutely necessary to get ahead of this threat.
(Pescatore): This "Continuous Diagnostics and Monitoring" effort is a very good idea but many Government department heads, agency heads, CIOs, CISOs etc. have been burned before on centrally funded services that turn into unfunded mandates as the wacky federal budget process goes through its yearly erratic undulations. This leads to slow uptake, which leads to vendors not seeing revenue to cover costs, which leads to services falling behind rapidly changing needs, repeat. Hopefully, GSA lessons learned from past such large IDIQ vehicles can help craft procurement and governance structure to avoid those pitfalls.
(Murray): OMB has this one right. Budget belongs where one wants the decision-making authority. Too many security managers lack the authority to make things happen because they fail to ask for the necessary budget to support their initiatives.
(Paller): This is an excellent initiative - taking a program where there is hard evidence of enormous risk reduction, and making it available widely at much lower cost. However, I have been hearing complaints from some federal CISOs and from lots of contractors. There is extensive evidence that the level of the carping is inversely proportional to the competence of the people doing the carping. If you run into someone suggesting the DHS project isn't the right approach, ask him/her to show you the proof that his alternative approach has radically reduced (reliably-measured) risk at scale as the DHS approach has done - or to "please get out of the way." ]

---

************************* Sponsored Links: ********************************
NEW paper in the SANS reading room: SANS Survey on Application Security Policies in Enterprises http://www.sans.org/info/120395 Associated webcast featuring SANS Analyst Frank Kim:
http://www.sans.org/info/120400
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Five-Year Prison Sentence for Filesharer for Violation of DMCA (January 3, 2013)

A Virginia man has been given the lengthiest prison sentence ever handed down for filesharing. Jeramiah Perkins, who was a member of a gang that recorded movies in theaters and offered the pirated content, received a 60-month prison sentence for his role in the operation. Five members of the gang, known as IMAGiNE, have been sentenced for their involvement. They have all pleaded guilty to conspiracy to commit copyright infringement.
-http://www.wired.com/threatlevel/2013/01/record-filing-sharing-term/
-http://www.wired.com/images_blogs/threatlevel/2012/05/lovelady.pdf
[Editor's Note (Murray): At least this is what the DMCA was intended for, not housewives and students.]

Some Companies Scatter Phony Data in Systems to Thwart Attackers (January 3, 2013)

A Minnesota magazine and catalog printing company has begun placing phony data on its servers to trick hackers intent on stealing their valuable databases of subscriber information and online publication content. The company tracked those who took the fake information. Other companies are doing the same thing. The practice of digital deception is a type of active defense against cyberespionage. Other approaches, such as knocking servers offline or gaining access to the cyberthieves' servers and deleting stolen data, are of questionable legality. Disrupting another company's server could result in retaliation. Deceptive data remains on the right side of the law while the information is planted only in the company's own servers and the fake data do not harm other's systems. The practice has been around for a while in the form of honeypots.
-http://www.washingtonpost.com/world/national-security/to-thwart-hackers-firms-sa
lting-their-servers-with-fake-data/2013/01/02/3ce00712-4afa-11e2-9a42-d1ce6d0ed2
78_story.html
[Editor's Comment (Pescatore): For most enterprises eliminating the vulnerabilities that enable the attacks is more in the shareholders' interests than attracting and watching attackers.
(Northcutt): Honeytokens. Interesting, but I would be nervous about working with a direct mail that employed this technique. Direct mail is more or less $1.00 per piece at the low end when you count printing, sorting, mailing, and renting mailing lists. If there is a significant amount of fake data and they do not purge it correctly, the fake mail ends up in the landfill and you eat the cost. There are many forms of honey tokens:
-http://software-security.sans.org/blog/2009/06/04/my-top-6-honeytokens/
(Shpantzer): A balanced article on the spectrum of activities that are generating so much buzz (and FUD) these days:
-https://securosis.com/blog/thoughts-on-active-defense-intrusion-deception-and-co
unter-strikes.]

Man Facing Prosecution for Licensing Code Used on Online Gambling Sites Abroad (January 3, 2013)

An Arizona man is facing prosecution for licensing software that is used by online casinos and bookmakers in other countries. Authorities in New York say that the program licensed by Robert Stuart and his company was used by some for illegal gambling in that state. Stuart, his wife, and his brother-in-law are facing felony charges of promoting gambling in New York. Stuart says he and his company ensure when they license the software that it is only in countries where online gambling is permitted. The software does not place bets, but provides the infrastructure for sites to choose which sporting events they want to offer for betting; it also stores the bets. A hearing is scheduled for January 8. Jennifer Granick, director of civil liberties for the Center for Internet and Society at Stanford University says that prosecuting Stuart would set a dangerous precedent. Stuart maintains that the authorities have pursued him because they wanted to use him to gather information about illegal gambling activity in New York State. He says he was pressured into agreeing to install backdoors in his software and then use them to collect information. Stuart changed his mind and refused the plea deal.
-http://www.wired.com/threatlevel/2013/01/coder-charged-for-gambling-software/all
/
Old Plea Agreement:
-http://www.wired.com/images_blogs/threatlevel/2012/12/Robert-Stuart_Plea-Agreeme
nt.pdf

Ruby on Rails Development Team Releases Update (January 3, 2013)

Ruby on Rails developers have released an update for their open source web application development framework to address an SQL injection vulnerability. The problem lies with the framework's Active Record database query interface. The flaw affects all versions of the framework; the updated versions are 3.2.10, 3.1.9, and 3.0.18. Users are urged to update as soon as possible. For those unable to apply the updates right away, the Ruby on Rails development team has also issued a workaround as well as manual patches for older versions.
-http://www.computerworld.com/s/article/9235208/Ruby_on_Rails_updates_address_SQL
_injection_flaw?taxonomyId=17
-http://www.h-online.com/security/news/item/SQL-injection-vulnerability-hits-all-
Ruby-on-Rails-versions-1776203.html
-http://www.theregister.co.uk/2013/01/03/ruby_on_rails_sql_injection_vuln/
-http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been
-released/

First Patch Tuesday of 2013 Will Comprise Seven Bulletins (January 3, 2013)

On Tuesday, January 8, 2013, Microsoft plans to issue seven security bulletins to address a total of 12 vulnerabilities. Two of the bulletins are rated critical; the flaws they address could be exploited to allow remote code execution. The other five are rated important; the vulnerabilities they fix could be exploited to elevate privileges, bypass a security feature, or create denial-of-service conditions. Affected software includes Windows, Microsoft Office, Microsoft Developer Tools, Microsoft Server Software, and Microsoft .NET Framework. Notably absent from the patch lineup is the zero-day vulnerability in Internet Explorer (IE).
-http://technet.microsoft.com/en-us/security/bulletin/ms13-jan
-http://news.idg.no/cw/art.cfm?id=17AA537F-C768-35E8-C76ACA61E852FDBF
-http://threatpost.com/en_us/blogs/patch-ie-zero-day-wont-be-among-microsoft-secu
rity-updates-next-week-010313

Microsoft Releases Temporary Fix for IE Flaw (December 28, 29, & January 2, 2013)

Microsoft has released a temporary fix for a zero-day flaw in Internet Explorer (IE) that is being actively exploited in targeted attacks. The vulnerability affects IE 6,7, and 8, but not newer versions of the browser. Microsoft has issued an advisory about the issue and says it is "working around the clock" on a patch for the flaw (but it does not appear to be included in this month's scheduled patch release. -Ed.)
-http://technet.microsoft.com/en-us/security/advisory/2794220
-http://www.theregister.co.uk/2013/01/02/ie_0_day_patch/
-http://www.computerworld.com/s/article/9235137/Microsoft_issues_39_fix_it_39_for
_IE_vulnerability?taxonomyId=17
-http://www.computerworld.com/s/article/9235097/Microsoft_confirms_zero_day_bug_i
n_IE6_Ihttp://arstechnica.com/security/2012/12/microsoft-says-ie-6-7-and-8-vulne
rable-to-remote-code-execution/E7_and_IE8?taxonomyId=17
-http://www.h-online.com/security/news/item/Critical-zero-day-hole-in-Internet-Ex
plorer-Update-2-1775071.html
-http://krebsonsecurity.com/2012/12/attackers-target-internet-explorer-zero-day-f
law/
[Editor's Note (Shpantzer): If you're still using an old version of IE, you'd better have a really good excuse (usually something to do with a horrible backward-compatibility issue for using an application).

Two More States Say No to Employers Demanding Social Network Passwords (January 2, 2013)

As of Tuesday, January 1, six US states now prohibit employers from demanding their employees' social media account passwords. US legislators were unable to gather enough support to pass the Password Protection Act of 2012, so California and Illinois have joined Delaware, Maryland, Michigan, and New Jersey by enacting laws at the state level. Employers still may see their employees' public posts to social media sites.
-http://www.wired.com/threatlevel/2013/01/password-protected-states/
[Editor's Note (Henry): Most social networking sites' Terms of Service will preclude a user from sharing their password or otherwise creating a security vulnerability. Regardless, I just don't get this. You should be obligated to provide private, personal information...not being shared publicly...to a prospective employer? That's a very slippery slope... ]

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/