SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #11

February 08, 2013

The Internet Storm Center has an upcoming focus on IPv6
See: https://isc.sans.edu/diary/IPv6+Focus+Month/15049

Two corrections in the article on "A Major Shift in Cyber Security of
Industrial Control Systems." The corrected article is the first one in
THE REST OF THE WEEK'S NEWS.
Alan

---

TOP OF THE NEWS

Industrial Control System Flaw Sufficient to Let Attackers Control Critical Systems
Android Phones Often Remain Unpatched
US Federal Reserve Hacked

THE REST OF THE WEEK'S NEWS

A Major Shift in the Cyber Security of Industrial Control Systems
Iran Airs Video Allegedly From Downed US Drone
DOD Faces Hurdles in Finding 4,000 Qualified Cybersecurity Specialists
Microsoft and Symantec Take Down Bamital Botnet
Intel's Network Card Vulnerable to Packet of Death
DOD and VA Scrap New EHR Plan in Favor of Developing Interoperability of Existing Systems
Complex Identity and Card Fraud Scheme Netted Gang US $400 Million
Barracuda Offers Update and Apology
Hackers Stole Documents From Japan's Ministry of Foreign Affairs
Guilty Plea in Operation Ghost Click Case
Microsoft Patch Tuesday to Address 57 Vulnerabilities

---

************************ SPONSORED BY Symantec ***************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned.
Learn More. http://www.sans.org/info/123600
****************************************************************************
TRAINING UPDATE


- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013


- --North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013


- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013


- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013


- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013


- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials Plus Scottsdale, Brussels, Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org

---

TOP OF THE NEWS

Industrial Control System Flaw Sufficient to Let Attackers Control Critical Systems (February 6 & 7, 2013)

A critical flaw in a widely used industrial control system (ICS) could be exploited to remotely take control of electronic door locks, heating systems, elevators, and other industrial processes at facilities using the vulnerable product. The problem lies in the Tridium Niagara AX Framework. Hackers can access a file on the system that contains all the system's configuration data. Among the information available in this file are usernames and passwords to access operator workstations. A Tridium spokesperson said the company plans to release a patch for the issue by February 13.
-http://www.wired.com/threatlevel/2013/02/tridium-niagara-zero-day/
-http://arstechnica.com/security/2013/02/were-going-to-blow-up-your-boiler-critic
al-bug-threatens-hospital-systems/
[Editor's Note (McBride): The Honeywell/Tridium Niagara security story broken by these two researchers is a much-needed case-study for the convergence of IT and OT networks. If Microsoft reports a 66% patch rate after nine months, what can we expect here?
(Paller): Issuing a patch does NOT fix the problem. Vendor's should not be allowed to get away with leaving major security flaws in software used in the critical national infrastructure without ensuring that (1) each buyer knows about the risk (emails haven't changed, the right person is on the mailing list) and (2) the buyer has confirmed that he/she has the needed knowledge and support from the vendor to install the patch effectively. As an industry, we have to stop pretending that a patch release fixes a security flaw. Too often, a patch is never installed because the right person doesn't know about it or know enough about it and no automated capability is in place to ensure the patch is installed. ]

Android Phones Often Remain Unpatched (February 5 & 6, 2013)

Responsibility for distributing updates for the Android operating system has not been established. Does it lie with Google, the operating system's developer? Or with the phone's hardware manufacturer? Or with the user's wireless service carrier? Although Google responds swiftly when it learns of vulnerabilities in Android, the carriers and hardware manufacturers often do not send the update out in a timely manner. Manufacturers and carriers have to tweak the updates before sending them out. As a result, millions of Android phones remain unpatched for months at a time because carriers and hardware manufacturers do not send out the fixes as soon as they become available. In December, Ars Technica published information about how often Android phones had received updates. Most users had received two updates, even if they had had the phone for years.
-http://www.washingtonpost.com/business/technology/android-phones-vulnerable-to-h
ackers/2013/02/01/f3248922-6723-11e2-9e1b-07db1d2ccd5b_story.html
-http://www.wired.com/threatlevel/2013/02/carriers-fail-to-secure-phones/
[Editor's Note (Pescatore): Android devices have a double security whammy compared to IOS devices: (1) The Google Play App Store white list mechanism is optional, where in IOS it requires the user to actively subvert the phone; and (2) this issue of the OS and the hardware coming from separate vendors. Making the former much more mandatory can go a long way towards mitigating the risks of the latter.
(Shpantzer): Fragmentation in the Android ecosystem has gotten really ridiculous, some estimates peg the 4.x version is only 10% of the userbase. iOS gets to double digits in a matter of DAYS due to the closed nature of the ecosystem and tight HW/SW coupling. Some say (I'm stilll noodling on it) that this kind of fragmentation makes it very difficult to write a mass exploit for Android, since you'd have to properly code for the insane number of HW/SW permutations.
(Murray): It seems unlikely that there are any more implementation-induced Flaws in Android than in iOS. However, patches in iOS have to be tested on only a dozen or so devices. Those devices all look to a single source for updates. If one is interested in security, the iOS strategy has advantages. ]

US Federal Reserve Hacked (February 6 & 7, 2013)

On Sunday, February 3, hackers broke into internal computer systems at the US Federal Reserve's Emergency Communications System (ECS). The intruders gained access to a database that contains banking executive contact information, stole data of more than 4,000 US banking executives, and posted it to the Internet. The compromised data include names, email addresses, and login credentials. The attack was made through "a temporary vulnerability in a website vendor product," according to a Federal Reserve spokesperson. The vulnerability has since been fixed. The Federal Reserve acknowledged that the stolen data are genuine. ECS provides Federal Reserve status updates during disasters. The stolen data could be used to launch spear phishing attacks. The attack appears to be part of a campaign launched by the Anonymous hacking collective urging justice system reform.
-http://www.theregister.co.uk/2013/02/06/fed_confirms_downplays_anon_superbowl_ha
ck/
-http://www.computerworld.com/s/article/9236566/Federal_Reserve_confirms_its_syst
em_was_breached?taxonomyId=17
-http://www.zdnet.com/anger-rises-as-fed-confirms-anonymous-hack-downplays-us-ban
k-emergency-system-breach-7000010902/
-http://arstechnica.com/security/2013/02/data-siphoned-in-fed-reserve-hack-a-bona
nza-for-spear-phishers/

---

************************ Sponsored Links: *******************************
1) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/123605
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/123610
3) Java Web Security By Example - Featuring: Frank Kim and Andy Chou Tuesday, February 19, 2013 at 4:00 PM EST (2100 UTC/GMT) http://www.sans.org/info/123615
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

A Major Shift in Cyber Security of Industrial Control Systems (February 5, 2013)

Power and energy systems have long been recognized as "critical infrastructure" and everyone has felt the impact personally and to the economy overall when a power outage or a disruption in the flow of oil or gas hits. Cyber attacks have been increasingly targeting those same systems and unless the owners and operators enhance the levels of cybersecurity expertise of their staffs and the protection levels of the critical systems, cyber could be added to the causes for disruptions.
Five of the most trusted technical leaders in control system and IT cybersecurity are joining forces with eleven large companies in the power, oil & gas industries to drive immediate improvement in the ability of the operators of critical infrastructure systems to protect themselves against advanced cyber attacks. The initial focus will be to increase the security skill levels of the operations and security staffs, since they represent both the first line of cyber defense and last line to avoid/manage consequences. The group will quickly establish a consensus set of knowledge and skill needs for the operations and cyber-security positions at critical infrastructure systems, leading towards a comprehensive international security skills program. A longer term effort will be to define the highest priority security practices and controls for greatly reducing power and energy's risk of successful attack.
The leaders are Michael Assante who was CSO of American Electric Power and CSO of NERC; Tim Conway who was Director of NERC Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO); John Pescatore who was Gartner's lead security analyst for the last 13 years; Ed Skoudis who is widely acknowledged as the nation's top expert on malicious software and penetration methods and who developed the training and simulators now used to ensure the skills of cyber warriors and defenders in the U.S. military; and Tony Sager who, in his 34-year career, developed and managed the 750 top cyber vulnerability and defense experts at the National Security Agency.
The initiative will be unveiled in a workshop on February 13 where the man who led the DHS team that handled break-ins at US critical infrastructure will share pragmatic security measures that work. The workshop may be the most important meeting ever held on this topic because it marks the end of the era of "admiring the problem" and the beginning of an international consensus to fix the problem.
-http://www.sans.org/event/north-american-scada-2013

Iran Airs Video Allegedly From Downed US Drone (February 7, 2013)

Iran has broadcast video footage it says was obtained from a US surveillance drone that was captured in December 2011. Last year, Iran claimed to be building a copy of the aircraft. US officials have previously doubted Iran's ability to crack the encryption on the systems of the drone. US officials have also acknowledged that the captured drone was conducting surveillance of Iran's military and nuclear facilities.
-http://www.bbc.co.uk/news/world-middle-east-21373353
-http://www.cnn.com/2013/02/07/world/meast/iran-drone-video/index.html
-http://www.usatoday.com/story/news/world/2013/02/07/iran-cia-spy-drone-footage/1
898011/

DOD Faces Hurdles in Finding 4,000 Qualified Cybersecurity Specialists (February 6, 2013)

Experts say that the 4,000 cybersecurity experts the US Cyber Command wants to hire simply do not exist right now. The issue is three-fold. First, people need to be identified as having the potential for success in the field. Second, those people must commit to 2,000 and 5,000 hours of hands-on, "stick time" experience. And finally, the DOD will be competing with private industry for the talent; DOD will require its employees to have security clearances, and the private sector offers higher salaries. Programs aimed at training people in cybersecurity have been established, but they are not likely to generate the large number that DOD wants very quickly.
-http://www.defensenews.com/apps/pbcs.dll/article?AID=2013302060013

Microsoft and Symantec Take Down Bamital Botnet (February 7, 2013)

Microsoft and Symantec recently joined forces to take down a botnet known as Bamital, which was reportedly earning more than US $1 million a year for its operators. Earlier this week, technicians from both companies, accompanied by US federal marshals, raided data centers in Virginia and New Jersey to seize evidence. Bamital infected between 300,000 and one million computers by the time it was shut down, and it had been used to attack more than eight million computers over the past two years. It was used to hijack web searches. When users whose computers are infected with Bamital try to search the web, they will now be greeted with a page from Microsoft explaining why they have been redirected and what they should do to clean up their computers.
-http://www.h-online.com/security/news/item/Microsoft-and-Symantec-collaborate-to
-disable-click-fraud-botnet-1799528.html
-http://www.bbc.co.uk/news/technology-21366822
-http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/
-http://news.cnet.com/8301-1009_3-57568067-83/microsoft-symantec-shutter-another-
botnet/
[Editor's Note (Henry): (Henry): The private sector's involvement in identifying and dismantling adversary infrastructure is a growing phenomenon, which I expect to see increase going forward. They have visibility into the networks, and that intelligence is critical for a successful takedown. Coordination with the US Government, in this case the Marshal's Service, should be considered, and the use of authorized judicial process provides a sense of over confidence that this is done fairly and lawfully.
(Murray): Again, kudos to all those responsible for bringing down this and other botnets. That said, the existence of botnets is evidence that there are lots of weak systems connected to the Internet. Botnets have been used for spam and DDoS attacks, but they dramatically reduce the potential cost of Brute Force attacks against passwords, lock-words, and keys. ]

- Intel's Network Card Vulnerable to Packet of Death (February 8, 2013)

A specific SPI packet can "kill" an Intel Gigabit ethernet card. If a card is exposed to this traffic, the system has to be physically power cycled. A reboot will not recover the system.
-https://isc.sans.edu/diary/Intel+Network+Card+%2882574L%29+Packet+of+Death/15109
Intel's statement about the network card "packet of death":
-http://communities.intel.com/community/wired/blog/2013/02/07/intel-82574l-gigabi
t-ethernet-controller-statement

DOD and VA Scrap New EHR Plan in Favor of Developing Interoperability of Existing Systems (February 6, 2013)

The US Departments of Defense (DOD) and Veterans Affairs (VA) will not pursue development of a new electronic health records (EHR) system that would enable data sharing across the departments. Instead, the departments will seek out existing technologies to improve the interoperability of their existing systems. The shift will save money, improve service for patients and care providers, and be complete sooner than the new system would have been. The plan calls for piloting a common interface at seven joint rehabilitation centers this summer. The new system would have been operational in 2017, but the revised plan should be in place by the beginning of 2014.
-http://www.nextgov.com/health/2013/02/cut-costs-defense-and-va-scrap-plans-new-e
lectronic-health-record/61120/?oref=ng-HPtopstory
[Editor's Note (Pescatore): For the last six months my doctor's office has had a sign at the receptionist area: "Please excuse the delays. We are implementing electronic health records." EHR has been overhyped for years, and in many ways the desire to increase efficiency/interoperability has been part of the reasons why HIPAA has been largely a toothless compliance regime. However, nothing will stay "non-electronic" much longer - there is an opportunity to build better security into new systems and software built from scratch. The DoD and VA will need to make sure they pay attention to and *fix* existing vulnerabilities and weaknesses in those legacy systems before they start opening them up for sharing and interoperability.
(Shpantzer): Two places to look for information of concern to us on medical systems are HIMSS and Dartmouth ISTS
-http://www.ists.dartmouth.edu/projects/healthit_security/index.html]

Complex Identity and Card Fraud Scheme Netted Gang US $200 Million (February 5 & 6, 2013)

A complaint unsealed earlier this week alleges that 18 people ran a complex payment card and bank fraud scheme for six years. The scammers used 7,000 phony identities, opened 169 bank accounts, maintained addresses for mail drops, and created businesses that served as fronts for fraudulent transactions. The group stole an estimated US $200 million. Thirteen of those named in the complaint have been arrested; the rest remain at large.
-http://redtape.nbcnews.com/_news/2013/02/06/16870609-id-theftfraud-ring-netted-2
00-million-and-counting-feds-allege?lite
-http://www.justice.gov/usao/nj/Press/files/Qureshi,%20Babar%20et%20al%20Arrests%
20News%20Release.html
[Editor's Note (Shpantzer): That's a staggering ROI for such a small group of people. Why bother trafficking in narcotics/guns/people if you can do this type of work as a criminal enterprise? ]

Barracuda Offers Update and Apology (February 6 & 7, 2013)

Barracuda Networks has issued a new update to address a vulnerability that could be exploited to access some of its appliances without authorization. The flaw allowed hackers access through backdoors intended to be used for remote support. The update removes unauthorized IP address ranges from product firewall rules. In a blog post, Barracuda CTO Zach Levow apologized for the company's choices and said that they are working on changes to address customers' concerns. Internet Storm Center:
-https://isc.sans.edu/diary/Barracuda+%22Back+Door%22/15004
-http://www.informationweek.com/security/vulnerabilities/barracuda-issues-securit
y-update-apologi/240148096
-http://www.computerworld.com/s/article/9236574/Barracuda_moves_to_shutter_backdo
or_access_to_its_network_gear?taxonomyId=17

Hackers Stole Documents From Japan's Ministry of Foreign Affairs (February 6, 2013)

Japan's Ministry of Foreign Affairs said a compromised computer there led to data theft. Japan's National Information Security Center alerted the ministry to the breach on January 28. Roughly 20 documents are believed to have been copied to an external server; none of the documents was confidential. The incident is being investigated.
-http://www.csoonline.com/article/728343/japan-foreign-ministry-says-pc-leaked-do
cs-to-external-server

Guilty Plea in Operation Ghost Click Case (February 4 & 5, 2013)

An Estonian man has pleaded guilty in US District Court in Manhattan to charges stemming from his role in the DNSChanger click fraud scheme, which earned its operators US $14 million. Valeri Aleksejev pleaded guilty to conspiracy to commit computer intrusion and conspiracy to commit wire fraud. The scheme is believed to have affected half a million computers in the US, including computers at NASA and other government agencies.
-http://www.scmagazine.com/hacker-in-14m-click-fraud-scam-pleads-guilty/article/2
79219/
-http://www.theregister.co.uk/2013/02/04/dns_changer_guilty_plea/

Microsoft Patch Tuesday to Address 57 Vulnerabilities (February 7, 2013)

On Tuesday, February 12, Microsoft will issue 12 security bulletins to address a total of 57 vulnerabilities in various products. Five of the bulletins are rated critical; the other seven are rated important. The critical bulletins address security issues in Windows, Internet Explorer, and Exchange Server.
-http://technet.microsoft.com/en-us/security/bulletin/ms13-feb
-http://www.scmagazine.com/microsoft-to-plug-57-security-holes-next-week/article/
279572/
-http://www.v3.co.uk/v3-uk/news/2242427/microsoft-plans-five-critical-fixes-for-f
ebruary
-http://www.computerworld.com.au/article/453199/microsoft_prepares_monster_securi
ty_update_next_week/

---

************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.


Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/