SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #20

March 12, 2013

Cybersecurity debate of the week: Should companies facing targeted
attacks play offense? Shawn Henry (who was America's top cyber cop at
the FBI) and John Pescatore (who was America's top cyber security
analyst at Gartner) debate this question in two wonderfully well-written
and eye-opening counter-essays orchestrated by InformationWeek's Mathew
Schwartz.
http://www.informationweek.com/security/attacks/china-hack-attacks-play-offense-
or-defen/240150482

Another public debate is beginning. Was the published figure of $5
million per day an accurate estimate of what government agencies are
being forced to waste because of OMB's unwillingness to update its
cybersecurity rules? NIST's Adam Sedgewick says the estimate is wrong,
and although he drafted at least one of OMB's annual reports to
Congress on FISMA status and spending, has not provided a more accurate
number. His claim calls into question Senator Carper's veracity. The
Senator's statement entitled "More security; less waste" is posted at
http://www.carper.senate.gov/press/record.cfm?id=319468. Sen. Carper is
the new chair of the Senate Homeland Security and Government Affairs
Committee. To help move this debate forward. Please send us any hard
data or anecdotes that may add clarity (apaller@sans.org) to the
question.

Alan

---

TOP OF THE NEWS

US National Security Adviser Demands China Halt Cyberespionage Attacks
U.S. Department of Defense Not Ready for Cyberwar
VA Disputes IG's Finding That Some Centers Send Unencrypted Data Over Public Internet

THE REST OF THE WEEK'S NEWS

Reserve Bank of Australia Targeted in Cyberattacks
Difficulty in Defining Rules of Engagement for Cyberwarfare
Apple Fixes iOS App Store Encryption Issue
More Details Emerge About Mac Trojan
UK Cyber Security Challenge Names Winner
Harvard Administrators Searched Deans' eMail
Napolitano Says Sequestration Will Force Cuts in DHS Cybersecurity Efforts
Court Says Border Agents Need "Reasonable Suspicion" to Conduct Forensic Searches of Mobile Devices
The Internet of Things: Car Hacking
Two Arrested in Connection with Cybercrime Ring

---

************************** SPONSORED BY Symantec ***************************
The results are in. Once again, Symantec Endpoint Protection is the only security solution to receive a near perfect protection score in independent, real-world tests recently published by Dennis Technology Labs. These tests were designed to more accurately reflect what would happen if a user is actually using one of these products. Read the Report.

http://www.sans.org/info/126802
****************************************************************************
TRAINING UPDATE

-- SANS 2013 Orlando, FL March 8-March 15, 2013 47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013


-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013


-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


-- Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013


-- Critical Security Controls International Summit London, UK April 26 May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

US National Security Adviser Demands China Halt Cyberespionage Attacks (March 11, 2013)

In a speech on Monday, President Obama's national security adviser Tom Donilon demanded that China stop stealing data from US computer networks and that China agree to "acceptable norms of behavior in cyberspace."
-http://www.nytimes.com/2013/03/12/world/asia/us-demands-that-china-end-hacking-a
nd-set-cyber-rules.html?hp&_r=0
-http://www.businessweek.com/news/2013-03-11/china-cyber-attacks-harm-u-dot-s-dot
-bid-for-tighter-ties-donilon-says
-http://www.whitehouse.gov/the-press-office/2013/03/11/remarks-tom-donilon-nation
al-security-advisory-president-united-states-a
[Editor's Note (Henry): A public statement naming China, with talks to follow, is a first step. This will be a long process, which needs to move at a brisk pace and with a sense of urgency if risks are to be mitigated.
(Murray): This kind of "public" diplomacy is for domestic consumption and not likely to be helpful in changing Chinese behavior. It might even be counter-productive. The PLA is an authority unto itself, barely responsive to the party, much less the government. To the extent that this activity is independent of the state, the party, or the military, a "crackdown" on hackers is not likely to be more successful there than here. However, China has shown itself willing to punish criminal hacking much more harshly than have western nations. ]

U.S. Department of Defense Not Ready for Cyberwar (March 12, 2013)

This editorial in today's Washington Post, describes and discusses the findings of the Defense Science Board (DSB), probably the most prestigious collection of technical, policy, and industrial leadership the U.S. has ever asked to focus on cybersecurity and cyber warfare. The DSB report "hints that U.S. nuclear weapons, hardened to survive an atomic blast in the Cold War, may not be ready to survive a cyber-onslaught...
[and ]
called for "immediate action" to make sure the nuclear weapons would survive." The report also projected that when open conflict breaks out, potentially, "hundreds" of simultaneous, synchronized offensive and defensive cyber operations would be needed, and yet the task force found the U.S. military is not ready.
-http://www.washingtonpost.com/opinions/the-us-is-not-ready-for-a-cyberwar/2013/0
3/11/782e299a-8838-11e2-98a3-b3db6b9ac586_story.html?hpid=z3
[Editor's Note (Paller): The high probability of hundreds of simultaneous destructive attacks postulated in the DSB report is the reason the nation has to build an educational pipeline of world-class cyber experts - otherwise the first set of attacks will burn out the entire U.S. response capability. David Brown's CyberCenters, that Governor Christie is running first in New Jersey (
-http://www.nextgov.com/cybersecurity/2013/01/new-jersey-invites-vets-compete-cyb
er-residencies-key-institutions/60632/)
and that a dozen other governors will launch in the next 12 months, is the best chance the U.S. has to fill this gap quickly. ]

VA Disputes IG's Finding That Some Centers Send Unencrypted Data Over Public Internet (March 7 & 8, 2013)

The US Department of Veterans Affairs' Office of Information Technology has disputed findings by the agency's Inspector General that it has been sending unencrypted sensitive personal data over the public Internet. The IG looked into the matter following a complaint that three VA medical centers were sending personal data over unencrypted networks. The medical centers named in the complaint are part of the VA's Midwest Health Care Network. The data included Social Security numbers (SSNs), and sensitive health information of veterans and their dependents. The VA's assistant secretary for information and technology said that the VA's carrier services "provide VA with a private network and do not place traffic on the Internet."
-http://www.computerworld.com/s/article/9237456/_VA_disputes_charge_that_it_trans
mits_unencrypted_personal_data_over_public_Internet?taxonomyId=17
-http://fcw.com/articles/2013/03/07/va-unencrypted-data.aspx
[Editor's Note (Shpantzer): An illustrative quote from the original VA OIG report (
-http://www.va.gov/oig/pubs/VAOIG-12-02802-111.pdf)
"OIT management acknowledged...transmitting such data over unencrypted telecommunications carrier networks. However, OIT management formally accepted the security risks associated with the potential loss or misuse of the data... VA developed these system security waivers to delay implementing encryption controls in the near term, while acknowledging the risks associated with the lack of technical configuration controls."
(Paller) Kudos to the VA OIG. This is the first OIG report I have seen that explicitly points out a fundamental flaw in the risk management approach championed by NIST and OMB. Agencies are not required to fix their flaws -just "accept the risk." And they make those decisions almost entirely based on how much pressure they are under to get the systems approved for use with little or no understanding of what is actually at risk. The result is that the vast majority of the funds spent on certification reports do not lead to correction of the key flaws that are allowing government systems to be penetrated. If a journalist is looking for a scandal worth exposing, a few months of investigation will uncover a shocking system of waste by contractors and government agencies. Some of the people involved will provide the details - they are ashamed that they are being forced by OMB and NIST to waste the scarce funds available for improving federal cybersecurity. Journalism students who have an innovative approach to the effort of uncovering the scale and causes of this waste may be eligible for grants from SANS. ]

---

*************************** Sponsored Links: ******************************
1) WEBCAST - Best Practices to Successfully Converge Your Compliance and Security Goals. Register Today http://www.sans.org/info/126807

2) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. https://www.sans.org/webcasts/secure-configuration-action-and-apply-it-96240
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Reserve Bank of Australia Targeted in Cyberattacks (March 11, 2013)

The Reserve Bank of Australia (RBA) has acknowledged that in November 2011, hackers managed to gain access to RBA systems through targeted phishing attacks. The information has come to light through a Freedom of Information request and was disclosed in December 2012. The phishing email messages appeared to come from "a possibly legitimate external email address ... from a senior bank employee" and were accompanied by an attachment that installed a Trojan horse program on the computers of those who opened the attachment. An RBA spokesperson said that while the infection posed the threat of data theft, no information was stolen.
-http://www.theage.com.au/it-pro/security-it/hackers-breach-reserve-bank-20130311
-2fv8i.html
-http://www.bbc.co.uk/news/business-21738540
-http://www.v3.co.uk/v3-uk/news/2253724/australian-central-bank-hit-by-cyber-atta
cks
RBA Media Release:
-http://www.rba.gov.au/media-releases/2013/mr-13-05.html

Difficulty in Defining Rules of Engagement for Cyberwarfare (March 10, 2013)

A fall 2012 classified presidential directive requires that military cyber action can be taken only in the event of an imminent or ongoing threat of attack that could kill people or damage national security. However, the definition of imminent for cyberwarfare is more difficult to pin down than in physical warfare. Cyberattacks can be launched in fractions of a second. An international group of experts has published the Tallinn Manual, a cyberwarfare handbook, which says that states can take defensive action "when the attacker is clearly committed to launching an armed attack and the victim-State will lose its opportunity to effectively defend itself unless it acts." But it is difficult within the cyber arena to be sure that another country's intent is hostile.
-http://www.washingtonpost.com/world/national-security/in-cyberwarfare-rules-of-e
ngagement-still-hard-to-define/2013/03/10/0442507c-88da-11e2-9d71-f0feafdd1394_s
tory.html

Apple Fixes iOS App Store Encryption Issue (March 8, 9 & 11, 2013)

Apple has fixed a security issue in its iOS App Store that left users vulnerable to man-in-the-middle attacks. The problem existed because the App Store was not encrypting communication between customers' handsets and Apple servers. Apple has now implemented HTTPS for communications. Man-in-the-middle attacks could have been used to steal passwords, trick users into buying apps, prevent apps from being installed, and send out phony upgrades to users' devices.
-http://www.h-online.com/security/news/item/Apple-fixes-iOS-App-Store-man-in-the-
middle-http://arstechnica.com/security/2013/03/after-leaving-users-exposed-apple
-finally-https-protects-ios-app-store/hole-1820275.html
-http://www.zdnet.com/apple-left-app-store-open-to-attack-google-researcher-70000
12372/
-http://news.cnet.com/8301-1009_3-57573334-83/apple-finally-fixes-app-store-flaw-
by-turning-on-encryption/
[Editor's Note (Ullrich): Great example showing how important it is to enable SSL on all post authentication pages. The exploits demonstrated here affect the data integrity more so than the data confidentiality. ]

More Details Emerge About Mac Trojan (March 11, 2013)

Additional information has come to light regarding malware that infected Mac computers at Apple, Facebook, and Twitter. The malware is called Pintsized.A and manages to circumvent OS X's Gatekeeper feature, which lets users designate trusted sources that are permitted to install apps. Pintsized pretends to be Linux printing software. It has also been discovered that the attackers behind Pintsized compromised several different websites to use into infect certain visitors.
-http://arstechnica.com/security/2013/03/mac-malware-that-infected-facebook-bypas
sed-os-x-gatekeeper-protection/
[Editor's Note (Shpantzer): Note that the Facebook team, according to the article, detected the outbound connection to a suspicious domain, then responded to the incident, as practiced in drills. "The attack was discovered when a suspicious domain was detected in Facebook's Domain Name Service request logs." As if we needed evidence that reviewing logs is important, they are at least as much as expensive "blinky light" appliances. ]

UK Cyber Security Challenge Names Winner (March 11, 2013)

The UK Cyber Security Challenge has named Stephen Miller the 2013 winner. Millar is a chemist who has no formal training in IT; he has been participating in the competition since 2010. The competition's prizes include training courses and the opportunity for paid internships in the industry. Stephanie Daman, Cyber Security Challenge UK chief executive, points to Millar's success as "a powerful demonstration of the hidden talent that exists in people from across all types of professional backgrounds." Millar said that cybersecurity should be part of the curriculum in UK schools. (A previous winner was a postman.)
-http://www.v3.co.uk/v3-uk/news/2253847/uk-chemist-crowned-cyber-security-champio
n
-http://www.v3.co.uk/v3-uk/news/2253918/uk-cyber-security-challenge-champ-calls-f
or-greater-push-on-security-skills

Harvard Administrators Searched Deans' eMail (March 9 & 11, 2013)

Administrators at Harvard University reportedly searched email accounts belonging to 16 resident deans without the deans' knowledge. The search was done, say administrators, to find the source of a leak regarding a cheating scandal at the school; the deans whose messages were searched sit on the committee that is handling the cheating scandal. Just the subject lines were searched, not the content. One of the deans was told about the search shortly after it had occurred. The others were not informed. The email accounts searched were used primarily for the deans' administrative duties.
-http://www.boston.com/metrodesk/2013/03/09/harvard-university-administrators-sec
retly-searched-deans-email-accounts-hunting-for-media-leak/d5lYY8vXLyZQYWtTNGxWk
L/story.html
-http://www.computerworld.com/s/article/9237501/Harvard_scrambles_to_explain_why_
it_secretly_searched_deans_emails?taxonomyId=17

Napolitano Says Sequestration Will Force Cuts in DHS Cybersecurity Efforts (March 8, 2013)

Department of Homeland Security (DHS) Secretary Janet Napolitano told legislators that sequestration will hurt DHS cybersecurity programs. Napolitano said the budget cuts would force DHS to trim back development of cyber capabilities that could prevent malicious traffic from gaining access to federal computer networks. She also noted that the sequester will hinder DHS's planned expansion of its cybersecurity workforce.
-http://www.federaltimes.com/article/20130308/IT01/303080001/DHS-Sequester-harm-c
ybersecurity-programs?odyssey=tab%7Ctopnews%7Ctext%7CIT

Court Says Border Agents Need "Reasonable Suspicion" to Conduct Forensic Searches of Mobile Devices (March 8, 2013)

A US federal appeals court in San Francisco has ruled that US border agents cannot search travelers' mobile devices without "reasonable suspicion." An 11-judge panel of the US Court of Appeals for the 9th Circuit made the ruling in a divided decision. The ruling challenges the 2008 rules established by the George W. Bush administration, which allowed suspicion-independent electronic searches. The appeals court said that while border agents could manually inspect devices' contents, forensic examinations of devices requires "reasonable suspicion."
-http://www.wired.com/threatlevel/2013/03/gadget-border-searches/
-http://arstechnica.com/tech-policy/2013/03/appeals-court-raises-standard-for-lap
top-searches-at-us-border/
-http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf
[Editor's Note (Murray): While DHS/ICE asserts that they have not abused their authority to examine computers for contraband, I advise clients to take precautions against the possibility that computers containing business data might be held for weeks without cause or even "reasonable suspicion." ]

The Internet of Things: Car Hacking (March 8, 2013)

Although automobiles are becoming increasingly reliant on computers and connected to networks, there are presently no cyber safety regulations for cars. The National Highway Transportation Safety Administration issued a statement saying that it "is aware of the potential for hackers and other cybersecurity issues whenever technology is involved; however, the agency is not aware of any real-world cybersecurity issues in vehicles." Researchers have demonstrated that determined attackers could gain access to all aspects of automobiles' operations. Regulating automobile cybersecurity would be difficult because threats evolve more rapidly than rule-making processes. However, NHTSA's 2013 budget includes US $10 million to study cyber risks in cars. Some car manufacturers have incorporated cybersecurity measures into their assembly processes. Some say that the automobile makes should take the lead in this case instead of turning to the government for regulation. Others say federal regulations would protect drivers.
-http://www.nextgov.com/emerging-tech/2013/03/carhacking/61774/?oref=ng-HPtopstor
y
[Editor's Note (Pescator): There are a lot of different "things" in the Internet of Things. Regulations around automobiles and information security wouldn't work for medical machinery or home control systems or even aircraft. However, each industry does have its consortium or other ways of agreeing on standards - they need to be assuring their design and certification processes incorporate the security process requirements and focus on community efforts like the Critical Security Controls.
(McBride): Certain similarities exist between this advancing challenge
(vehicle cyber security) and the state of ICS security: possible physical consequences including loss of life, lack of expertise, self-regulation, long lead time required for standards, increasing reliance on new technology... Securing cyber physical systems is a fast-emerging domain that requires teams and professionals with new competencies. ]

Two Arrested in Connection with Cybercrime Ring (March 8, 2013)

In a coordinated effort among law enforcement agencies, an Asian cybercrime network has been dismantled. The group reportedly stole information of 15,000 credit cards. The group allegedly made a profit of 70,000 euros (US $91,000) through fraudulent credit card transactions in Europe. Two people have been arrested. The agencies participating in the takedown were Europol's European Cybercrime Centre (EC3) and Finnish law enforcement.
-http://www.v3.co.uk/v3-uk/news/2253543/europol-takes-down-eur70-000-cyber-gang-i
n-coordinated-sting

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/