Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #2

January 08, 2013

TOP OF THE NEWS

Analysts Claim Cyberwarfare Will Go Mainstream in 2013
National Defense Authorization Act for 2013 Addresses Cyber Operations
CIA Nominee a Proponent of Federal Cybersecurity Legislation
CyberCity Simulates "Kinetic Effects" of Cyberwarfare

THE REST OF THE WEEK'S NEWS

Claims That Group Who Attacked Google in 2010 Behind Most Recent IE Attacks
Adobe Warns of Flaw in ColdFusion
Los Alamos National Lab Replaced Huawei Switches Last Fall
DHS Website Attacked Through Directory Traversal Flaw
Guilty Plea Expected in US $100 Million Software Piracy Scheme
Hospice Fined for Potential HIPAA Violations; Fewer Than 500 Patients Affected
Former South Carolina Dept. of Revenue Computer Security Admin Tells State Legislators About Agency Security Problems
USPS to Pilot Federated Identity Management Program
Systems Administrator Cyber Skills Assessment Program


****************************************************************************
TRAINING UPDATE
--SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

--North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

--SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Analysts Say Cyberwarfare Will Go Mainstream in 2013 (January 7, 2013)

Security analysts are predicting that 2013 will be the year that cyberwarfare escalates. Last year, the Iranian government was targeted in large-scale cyberattacks, and Iran is rumored to be behind recent distributed denial-of-service (DDoS) attacks launched against major US banks. Some are predicting that governments will step up their cyberwarfare spending. Others say that attacks against power grids and other elements of critical infrastructure could lead to the loss of human life. Still others say that concern is overblown.
-http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html
[Editor's Note (Assante): The primary regulating factors that have kept us from seeing more cyber initiated destruction are... 1) there is little money in destruction, especially in comparison to the risk, and 2) organizations that deal in violence are slow to change. Unfortunately the latter factor is diminishing in our hyper connected cyber world. I have never liked the term cyber war as it is misleading on many fronts. Our primary take away from these predictions is that traditional attempts at trying to analyze risk (estimating likelihood and consequences) are becoming less relevant than developing a competent and highly skilled defense team.
(McBride): I think it's important to remember that causing specific kinetic effects via cyber attack is a different sport than stealing intellectual property. Like rugby and American football, they are similar, but require different skills and techniques. Each industrial automation and control system has different logic controlling the way it operates, different safety systems intended to limit the impact of failures. The current state of cyber attacker-engineer domain competence is not to the point where kinetic effects are going "mainstream", but we are seeing an uptick in interest.]

National Defense Authorization Act for 2013 Addresses Cyber Operations (January 3 & 4, 2013)

The US National Defense Authorization Act (NDAA) for fiscal year 2013 includes requirements that the Defense Department (DOD) "acquire next-generation host-based cybersecurity tools and capabilities" and report to Congress on its cyber activity. It also provides guidelines for reporting cyberintrusions and calls for the military to adopt new testing rules for software development and licensing through the new "baseline software assurance policy," which will require checking software for problems throughout its lifetime, starting in the development phase.
-http://www.informationweek.com/government/security/new-defense-budget-aims-to-improve-cyber/240145571

-http://fcw.com/articles/2013/01/03/ndaa-provisions.aspx
-http://www.nextgov.com/cybersecurity/2013/01/defense-law-aims-preempt-software-supply-chain-attacks/60495/?oref=ng-channeltopstory

[Editor's Note (Pescatore): Any change in government procurement regs causes change sloooowly but requiring developers and software vendors to demonstrate use of automated vulnerability assessment tools is a very, very good thing. But there is one glaring need: how can such tools be specified or tested, to make sure that quality tools are in use? We need someone like NIST to maintain the "bug-ridden" software standard test database, much the way they maintain test standards in many other areas. ]

CIA Nominee a Proponent of Federal Cybersecurity Legislation (January 7, 2013)

John Brennan, recently nominated by President Obama to be the director of the US Central Intelligence Agency (CIA), has been a vocal advocate of federal cybersecurity legislation. Brennan has been Deputy National Security Advisor for Homeland Security and Counterterrorism. In August, Brennan urged US legislators to pass the Cybersecurity Act of 2012.
-http://www.computerworld.com/s/article/9235378/Obama_s_CIA_nominee_an_advocate_for_federal_cybersec_regulations?taxonomyId=17

CyberCity Simulates "Kinetic Effects" of Cyberwarfare (January 4, 2013)

Much cybersecurity simulation training concentrates on the cyber environment, but CyberCity simulates the effects of cyberwarfare on physical infrastructure.
-http://www.theatlantic.com/technology/archive/2013/01/the-future-of-cybersecurity-could-be-sitting-in-an-office-in-new-jersey/266849/

[Editor's Note (Paller): CyberCity is the most advanced example so far of the simulators that will revolutionize cyber skills development the way flight simulators revolutionized pilot training. Already more than 1,200 "top guns" and those aspiring to develop advanced skills are using NetWars (the foundation of CyberCity) on a continuous basis to test their skills and then learn more and then test again. SANS is building a new course around NetWars to make this capability available with instructors so people can get the maximum value out of hands-on skills development. ]

************************* Sponsored Link: ********************************
1) NEW paper in the SANS reading room: SANS Survey on Application Security Policies in Enterprises http://www.sans.org/info/120622 Associated webcast featuring SANS Analyst Frank Kim:
http://www.sans.org/info/120627
****************************************************************************

THE REST OF THE WEEK'S NEWS

Claims That Group Who Attacked Google in 2010 Behind Most Recent IE Attacks (January 7, 2013)

Recent attacks exploiting a zero-day flaw in older versions of Internet Explorer (IE) appear to be the work of the same hacker group that infiltrated servers at Google and other companies in 2010. The group, dubbed the Elderwood Gang, "continues to produce new zero-day vulnerabilities for use in watering hole attacks," according to Symantec researchers.
-http://arstechnica.com/security/2013/01/latest-ie-attack-brought-by-same-gang-that-hacked-google/

[Editor's Comment (Northcutt): Most of what you read on this topic is a rehash of the Symantec blog. Here is a link to the Elderwood Blog post. Also, in the post is a link to their research paper titled The Elderwood Project which is a fascinating read:
-http://www.symantec.com/connect/blogs/elderwood-project-behind-latest-internet-explorer-zero-day-vulnerability

-http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

(McBride): Interesting combination of targets -- remembering of course that the compromised Web sites are not the actual targets, but the targeting mechanism. The parties behind the attacks have left clues that seem to demonstrate that from a certain perspective, opsec is not all that important to them. Equally important to the analytical conclusions in these write-ups is the question of *why* these Web sites were compromised. ]

Adobe Warns of Flaw in ColdFusion (January 7, 2013)

Adobe has issued a security advisory warning users that hackers are exploiting several unpatched flaws in its ColdFusion application server software. The vulnerabilities affect ColdFusion versions 10, 9.0.2, 9.0.1, and 9.0. One of the flaws can be exploited to take control of vulnerable servers; another can be exploited to access restricted directories; and the third can be exploited to allow information disclosure. Adobe says it is working on patches for the flaws and expects to have them ready for release on January 15; in the meantime, the company has offered suggestions to help users protect their machines from attacks through the flaws. Internet Storm Center:
-https://isc.sans.edu/diary/Adobe+ColdFusion+Security+Advisory/14827
-http://www.computerworld.com/s/article/9235358/Adobe_warns_of_actively_exploited_ColdFusion_flaws?taxonomyId=17

-http://www.adobe.com/support/security/advisories/apsa13-01.html

Los Alamos National Lab Replaced Huawei Switches Last Fall (January 7, 2013)

According to a document obtained by Reuters and dated November 5, 2012, the Los Alamos National Laboratory in New Mexico removed a pair of Huawei network switches from its computer systems due to concerns about the equipment's security. The lab replaced the components, which were made by H3T, a joint venture between Huawei and 3Com. The document, a letter, was sent from the lab to the Department of Energy's security directorate.
-http://www.guardian.co.uk/world/2013/jan/07/los-alamos-chinese-computer-parts
-http://www.zdnet.com/huawei-gear-discovered-removed-from-u-s-nuclear-lab-7000009476/

DHS Website Attacked Through Directory Traversal Flaw (January 7, 2013)

Hackers claim to have exploited a trivial directory traversal vulnerability to gain access to portions of a US Department of Homeland Security (DHS) website that offers advice for foreigners who are seeking to study in the US. The attackers were reportedly able to access the site's configuration file that contains a password for a database for the blogging software used by the website. The information was posted to a Pastebin page.
-http://www.theregister.co.uk/2013/01/07/nullcrew_dhs_hack/
[Editor's Note (Pescatore): Most CEOs or Agency Heads would not drive their car very far if the "Check Engine" light was pulsing an angry red color on their dashboard. There are many tools that can detect well known vulnerabilities in web code - both for doing so *before* the code goes on the web site (by far the best approach) and against live, production web sites. The lack of use of such tools should automatically trigger a "Check Engine!!" light on any meaningful web site. ]

Guilty Plea Expected in US $100 Million Software Piracy Scheme (January 7, 2013)

On Monday, January 7, 2013, a Chinese national was expected to plead guilty to federal charges for his involvement with a US $100 million software piracy ring. US authorities have called the scheme "one of the most significant copyright infringement cases ever uncovered." The April 2012 indictment alleged that Xiang Li broke access controls on high-end software and that he and a co-conspirator sold the pirated software for a fraction of its retail value. Li and his unnamed accomplice netted US $60,000 from the sale of software that, had it been legitimate, would have been worth more than US $100 million. The products that Li and his associate sold were used for defense, engineering, manufacturing, space exploration, and other purposes.
-http://www.wired.com/threatlevel/2013/01/piracy-scheme/
-http://www.wired.com/images_blogs/threatlevel/2013/01/xingindictment1.pdf

Hospice Fined for Potential HIPAA Violations; Fewer Than 500 Patients Affected (January 2 & 7, 2013)

The Hospice of North Idaho (HONI) is the first entity to be fined for a potential Health Insurance Portability and Accountability Act (HIPAA) Security Rule breach affecting fewer than 500 people. HONI will pay the US Department of Health and Human Services US $50,000. In June 2010, an unencrypted laptop was stolen from an employee's vehicle. The computer contained personally identifiable information, including names, Social Security numbers (SSNs), diagnoses, and other treatment information of 411 HONI patients. HONI was found to have failed to "conduct an accurate and thorough risk analysis to the confidentiality of ePHI (electronic protected health information) as part of its security management process from 2005 through January 2012."
-http://www.scmagazine.com/feds-step-up-hipaa-enforcement-with-hospice-settlement/article/274916/

-http://www.hhs.gov/news/press/2013pres/01/20130102a.html

Former South Carolina Dept. of Revenue Computer Security Admin Tells State Legislators About Agency Security Problems (January 4, 2013)

In testimony before a special state House committee investigating a significant data security breach at the South Carolina state Department of Revenue (SCDOR), Scott Shealy, a former computer security administrator at the agency, said that the SCDOR computer chief did not heed warnings about cybersecurity problems there. Shealy left his job at SCDOR in September, 2011, because he was frustrated with the situation there. His position remained unfilled for nearly a year and Shealy's responsibilities were farmed out to other, "overtaxed" employees. Shealy also spoke about "a lack of oversight in the day-to-day operations that potentially could have spotted [the attack] and stopped it." Shealy said that his former boss did not act on suggestions to encrypt data or require multiple passwords to access data in SCDOR computers. The attack resulted in the compromise of information belonging to 6.4 million consumers and businesses.
-http://www.thestate.com/2013/01/04/2576982/hacked-sc-agency-failed-to-heed.html#.UOshgkKVhmC

[Editor's Note (Honan): These are interesting claims as they highlight two challenges we face in infosec. The first is ensuring we know how best to raise our concerns with senior management so they take appropriate action. The second is making sure infosec reports into an appropriate function, too often the focus of infosec is more on Confidentiality and Integrity while for the CIO the focus is on Availability. If these challenges cannot be met then your choice can be either stay and live with the situation, try and escalate it to other senior management outside of IT or to simply change jobs. ]

USPS to Pilot Federated Identity Management Program (January 4, 2013)

The US Postal Service (USPS) will pilot the Federal Cloud Credentialing Exchange, a cloud-based federated identity management program. The scheme would allow US citizens to register for online services at government agencies without having to obtain passwords and usernames for each agency.
-http://www.nextgov.com/cloud-computing/2013/01/postal-service-host-cloud-based-public-private-id-protection-network/60468/?oref=ng-HPriver

-http://www.informationweek.com/government/security/postal-service-pilots-next-gen-authentic/240145559

[Editor's Note (Pescatore): Back in the mid-1990s, back in the hype around PKI, the USPS first tried to get this moving. Since Post Offices play a key role in registering citizens for physical passports, makes sense - but when you think about all the other infrastructure in place to support the physical passport issuance, maintenance, etc the problem is still really, really complex. Focusing on a single agency near term win with digital IDs would be a good way to go, vs. trying to attack the "federation" monster right away. ]

Call for participation: If you are part of the SANS Hacker Guard University Consortium
-https://www.sans.org/newsletters/newsbites/newsbites.php?vol=14&issue=83
and would like to participate in the new GIAC system administrator security skills assessment program, please send a note to swell@sans.org requesting to participate. Many universities are considering administering a skills assessment program prior to allowing an individual to serve as a system administrator or "privileged user".

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/