SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #21

March 15, 2013

TOP OF THE NEWS

President Calls CEOs to Cybersecurity Meeting in Situation Room
US Director of National Intelligence Says Cyberattacks Top List of Security Threats to US
General Alexander Says Cyber Command is Establishing 13 Offensive Teams

THE REST OF THE WEEK'S NEWS

National Vulnerability Database Taken Offline After Malware is Found on Servers
AT&T Hacker Submits Plea Seeking Lighter Sentence
Plan Would Give US Intelligence Agencies Access to Financial Transaction Database
Google Settles Street View Privacy Case with US States for US $7 Million
Google Site Aims to Help Owners of Hacked Websites
FBI Investigating Theft of Celebrities Credit Report Data
Retail Company Suing Visa Over US $13 Million Fine
Microsoft and Adobe Issue Security Updates
Firmware Update Available for Flaw in HP LaserJet Printers

CONTROL SYSTEMS SECURITY NEWS

ICS-CERT, SCADA Patching Under The Microscope

---

********************** SPONSORED BY Palo Alto Networks ********************
Join a Palo Alto Networks threat webinar discussing findings from Mandiant's analysis of the APT1 and addressing how to use the next-generation firewall to identify and control this style of attack. In this webinar we'll also discuss the latest techniques that malware uses to hide, and tips and tricks for controlling modern malware.

Please go to: http://www.sans.org/info/127187">http://www.sans.org/info/127187
****************************************************************************
TRAINING UPDATE

- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013">http://www.sans.org/event/monterey-2013

- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013">http://www.sans.org/event/northern-virginia-2013

- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013">http://www.sans.org/event/cyber-guardian-2013

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013">http://www.sans.org/event/security-west-2013

- -- Secure Canberra 2013 Canberra, Australia March 18-March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth. Bonus evening session: Patching Your Employees' Brains.
https://www.sans.org/event/secure-canberra-2013

- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit">http://www.sans.org/event/critical-security-controls-international-summit

- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013">http://www.sans.org/event/pentest-berlin-2013

- -- Looking for training in your own community?
http://www.sans.org/community/">http://www.sans.org/community/

- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials
Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

President Calls CEOs to Cybersecurity Meeting in Situation Room (March 13 & 14, 2013)

On Wednesday, March 13, CEOs from the US financial, energy, and technology sectors met in the White House Situation Room for a presidential briefing on cybersecurity. The meeting follows close on the heels of an FBI disclosure that hackers stole personal information of celebrities from a credit report site and two US officials testifying at legislative committee hearings about the increased risk of cyberthreats. The meeting aimed to get private industry on board with the president's recent executive order on cybersecurity. Private companies have been resistant to what they see as the government stepping in and telling them how to run their organizations. The private industry CEO's requested a "light touch" from the government regarding cybersecurity legislation. Former White House cybersecurity adviser Howard Schmidt noted that "cybersecurity is much more than a tech issue. We're only going to be able to address this threat if business and government work together," and that "every leader in the c-suite needs to be focused on cybersecurity."
-http://www.usatoday.com/story/tech/2013/03/14/obama-cybersecurity-ceos-situation
-room/1987559/
-http://www.zdnet.com/ceos-ask-obama-for-soft-approach-to-cyberattacks-7000012605
/
-http://www.latimes.com/business/money/la-fi-mo-obama-summons-ceos-to-white-house
-to-talk-cyber-security-20130313,0,5341716.story
[Editor's Note (Pescatore): The President and his cybersecurity advisors need to focus on what the government could do to remove the barriers to industry increasing their security level. The current Executive Order "Yet Another Framework" approach will just bring YAF. ]

US Director of National Intelligence Says Cyberattacks Top List of Security Threats to US (March 12 & 13, 2013)

For the first time, cyberattacks top the list of security threats facing the country, according to the annual Worldwide Threat Assessment of the US Intelligence Community report. In testimony before the Senate Select Committee on Intelligence, US Director of National Intelligence James Clapper said "there is a remote chance of a major cyberattack against US critical infrastructure during the next two years that would result in long-term, wide-scale disruption." Clapper said that most attackers lack the necessary skills to launch such an attack and control systems allow for manual overrides. He added that the countries that have the necessary skills to launch such an attack do not have a motive right now. It is more likely that attacks on critical infrastructure elements would come from non-state sponsored hackers who are not as skilled. While the disruptions they might cause would probably be limited, "there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and Mistakes."
-http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warn
ing-on-cyberattacks/
-http://www.gsnmagazine.com/node/28722?c=cyber_security
-http://www.wired.com/threatlevel/2013/03/no-cyber-pearl-harbor/
-http://www.v3.co.uk/v3-uk/news/2254196/top-us-security-chief-warns-of-rising-cyb
er-threats
-http://odni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20
SSCI%2012%20Mar%202013.pdf

General Alexander Says Cyber Command is Establishing 13 Offensive Teams (March 13, 2013)

Speaking before the US House Armed Services Committee, General Keith Alexander, Director of the National Security Agency and chief of Cyber Command, said that he is establishing 13 cyber offensive teams of programmers and other experts to launch retaliatory cyberattacks against foreign adversaries if the US is attacked. Another 27 teams will focus on training and surveillance.
-http://www.scmagazine.com/dod-creating-cyber-offensive-teams-to-strike-back-agai
nst-foreign-attackers/article/284244/
-http://arstechnica.com/security/2013/03/for-first-time-us-military-says-it-would
-use-offensive-cyberweapons/
[Editor's Note (Murray): General Alexander testified before Congress that what he needs from industry is meta-data from ISPs about attacks. However, industry reports that what it is being asked for is content about its subscribers. He also testified that he needs this data to defend national security but that he is allocating his resources to 13 offensive teams. There is still mis-communication somewhere. ]

---

*************************** Sponsored Links: ******************************
1) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. http://www.sans.org/info/127192

2) Analyst Webcast: NAC Applied to SANS Critical Security Controls Wednesday, April 03, 2013 at 1:00 PM EDT (1700 UTC/GMT) Featuring: G. Mark Hardy and Scott Gordon. http://www.sans.org/info/127197
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

National Vulnerability Database Taken Offline After Malware is Found on Servers (March 14, 2013)

The National Institute of Standards and Technology (NIST) took the National Vulnerability Database (NVD) offline on Friday, March 8, after learning that it had been hacked. Two NVD servers were found to be infected with malware. The attack was detected when a NIST firewall detected unusual activity. The decision to take the servers offline has affected several other sites as well.
-http://www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/
-http://arstechnica.com/security/2013/03/national-vulnerability-database-taken-do
wn-by-vulnerability-exploiting-hack/
-http://www.computerworld.com/s/article/9237605/U.S._NIST_s_vulnerability_databas
e_hacked?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2254958/national-vulnerability-database-falls-vic
tim-to-hackers
[Editor's Note (Pescatore): If you do maturity ratings of security programs, obviously the more mature programs have fewer security incidents - but rarely zero. NIST actually has a pretty good track record in protecting its infrastructure - the next thing we'd all like to hear is how long was the malware on the inside and how long was it active before being detected. That delta shrinking over time is another key process maturity indicator. ]

AT&T Hacker Submits Plea Seeking Lighter Sentence (March 14, 2013)

Andrew Auernheimer has submitted a plea seeking probation rather than jail time for his role in exploiting a flaw on AT&T's website that allowed him and his co-conspirator Daniel Spitler to access information about 120,000 iPad accounts in early 2011. Spitler pled guilty to charges in June 2011. Last fall, Auernheimer was found guilty of identity fraud and conspiracy to violate the Computer Fraud and Abuse Act. The memo submitted seeking a lighter sentence also mentions an internal AT&T email from investigators that says, "I do not believe there is a case here. No security was circumvented. A poorly crafted/designed feature was available and exploited." The losses AT&T cites were incurred by sending notification letters to people affected by the breach.
-http://www.scmagazine.com/att-hacker-to-submit-plea-for-lesser-sentencing/articl
e/284466/

Plan Would Give US Intelligence Agencies Access to Financial Transaction Database (March 13 & 14, 2013)

The White House is seeking to allow US intelligence agencies access to the Financial Crimes Enforcement Network (FinCEN) database, which holds information about suspicious financial transactions. The database is maintained by the Treasury Department. The hope is that the additional information will give the CIA and the NSA more data to identify and track terrorist activity. Privacy advocates are concerned that innocent people could have their information end up in the hands of the intelligence agencies.
-http://www.wired.com/threatlevel/2013/03/spy-agencies-to-get-access-to-u-s-bank-
transactions-database/
-http://www.zdnet.com/spy-agencies-to-be-granted-access-to-us-citizen-finances-70
00012612/

Google Settles Street View Privacy Case with US States for US $7 Million (March 13, 2013)

Google has agreed to pay US $7 million to settle a lawsuit with 37 US states and the District of Columbia over its Street View privacy debacle. For a period of time between 2008 and March 2010, the vehicles used to gather images for Google's Street View feature also gathered packets traveling over unencrypted Wi-Fi networks. Google issued a statement in which it admitted that it didn't "get privacy right" in this instance, but noted that "the project leaders never wanted this data, and didn't use it or even look at it." The terms of the settlement call for Google to educate employees about user privacy and to destroy the data it collected with the Street View vehicles. The training program must continue for 10 years. Google blamed the surreptitious data collection on a "rogue engineer."
-http://www.theregister.co.uk/2013/03/13/google_wifi_multi_million_dollar_settlem
ent/
-http://www.h-online.com/security/news/item/Google-to-pay-7-million-fine-for-Wi-F
i-sniffing-1822460.html
-http://news.cnet.com/8301-1009_3-57573837-83/google-reaches-$7-million-settlemen
t-with-states-over-street-view-case/
-http://money.cnn.com/2013/03/12/technology/google-privacy-settlement/index.html
[Editor's Note (Pescatore): Back in 2010 when this privacy violation became public, Google hired a privacy director and a recent article in the NY Times reports that she (Alma Whitten) now has 350 employees on her team, which is about 1% of the total number of Google employees! Fully loaded, that's costing Google about $70M/year - making the $7M fine meaningless if the 350 person-strong privacy team report is true. Imagine how much money Google could have saved if privacy was a core value in the early phases of development, versus this cost of coming in late. ]

Google Site Aims to Help Owners of Hacked Websites (March 12 & 13, 2013)

Google has launched a website with information to help webmasters when their sites have been hacked. The site offers a series of articles and videos to help the website owners regain control of their sites and tighten their security.
-http://www.eweek.com/security/google-offers-help-advice-for-hacked-website-owner
s/
-http://news.cnet.com/8301-1009_3-57573986-83/google-rolls-out-initiative-to-help
-hacked-sites/
-http://www.computerworld.com/s/article/9237570/Google_launches_site_to_help_webm
asters_of_hacked_sites?taxonomyId=17
-http://www.google.com/webmasters/hacked/
(Please note that The New York Times requires a paid subscription)
-http://www.nytimes.com/2013/03/13/us/intelligence-official-warns-congress-that-c
yberattacks-pose-threat-to-us.html?_r=2&
[Editor's Note (Pescatore): I sort of feel like I'm doing "kick the puppy, pet the puppy" (OK, "kick the behemoth, pet the behemoth") but for several years, Google has quietly been doing really valuable work in warning people away from compromised web sites and notifying site owners that their sites are compromised. This is a great thing for a search engine to do - since you are investing in finding everything on the web and helping people get to good stuff, keeping them away from bad stuff is an awesome feature. Google helping to reduce the number of compromised web sites is another direct feature for Google users - fewer clicks resulting in the "big red hand" warning them away and making the click a waste of their time. A few years ago a number of Google engineers left to form a security company (Dasient) that was acquired by Twitter in 2012 - I hope we see more of that DNA spreading out, especially into web site hosters and ISPs. ]

FBI Investigating Theft of Celebrities Credit Report Data (March 12 & 13, 2013)

The FBI has launched an investigation to find out how the credit reports of a number of celebrities came to be posted to the Internet. At least some of the data came from a website that was designed specifically to make it easy for people to access their credit reports. All three major US credit reporting agencies say that someone gained unauthorized access to customer data.
-http://news.cnet.com/8301-1009_3-57573983-83/fbi-investigating-how-sensitive-cel
ebrity-data-landed-on-web/
-http://www.informationweek.com/security/privacy/hackers-appear-to-target-michell
e-obama/240150592
-http://www.bloomberg.com/news/2013-03-12/equifax-transunion-say-hackers-stole-ce
lebrity-reports.html
-http://arstechnica.com/security/2013/03/celebrity-credit-reports-posted-by-id-th
ieves-taken-from-free-website/
-http://arstechnica.com/security/2013/03/id-thieves-dox-vice-president-jay-z-mich
elle-obama-and-dozens-more/
[Editor's Note (Pescatore): I don't know about this one, but a lot of these celebrity info exposures come from simple password guessing attacks. Banks long ago figured that for high value customers they ought to push a bit harder for stronger authentication and pay more attention to those accounts. Since most of those celebrities have personal assistants, probably a business opportunity for CCCs - Celebrity Cybersecurity Concierges that would make sure their sensitive accounts are not using their dog's name as the password.
(Murray): Given the tens of thousands of people who pay for authorized access to credit reports, leaks are inevitable. ]

Retail Company Suing Visa Over US $13 Million Fine (March 12 & 13, 2013)

Genesco, the parent company of numerous sporting wear retail stores, is suing Visa for US $13 million for imposing hefty financial penalties after hackers victimized the stores. The company is seeking to recoup funds that were withdrawn from its merchant bank accounts by two acquiring banks that were fined over a breach of the Genesco payment system for non-compliance with Payment Card Industry (PCI) standards. Genesco's lawsuit maintains that Visa's rules are enforceable only if there was a breach because of failure to comply with PCI; that fines apply only if more than 10,000 cards are compromised; and that there needs to be demonstrable damage from fraud or counterfeiting. The lawsuit says that none of these criteria were met.
-http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/
-http://www.computerworld.com/s/article/9237588/Retailer_hauls_Visa_to_court_over
_13.3M_fine_for_payment_card_data_breach?taxonomyId=17
-http://www.zdnet.com/hacked-retailers-up-in-arms-over-13-million-fine-visa-lands
-up-in-court-7000012468/
-http://www.scmagazine.com/retailer-fights-pci-fines-for-noncompliance-after-brea
ch-sues-visa/article/284088/
-http://www.wired.com/images_blogs/threatlevel/2013/03/Genesco-Complaint.pdf
[Editor's Note (Pescatore): I don't know the chances of this lawsuit succeeding, but the card brands and the PCI enforcement process do need a shakeup. While the merchants do and should always bear the brunt of the costs when they are at fault for an exposure incident, the enforcement process seems to almost invariably shield the card brands and the acquiring banks from any of the PCI compliance enforcement pain.
(Murray): This is a PCI contract dispute. The courts exist in part to resolve such disputes. However, this particular dispute arises in part because the payment processors deduct their "fines" from the revenue they collect for the merchant. The merchant has to sue the payment processor to get his money back rather than the processor having to sue the merchant to collect the fine. There is a presumption in favor of the payment processor built into the system. ]

Microsoft and Adobe Issue Security Updates (March 12, 2013)

Microsoft and Adobe both released critical security updates on Tuesday, March 12. Microsoft issued seven security bulletins to address 20 vulnerabilities. Four of the bulletins are rated critical; they include fixes for flaws in Windows, Internet Explorer, Microsoft Silverlight, Microsoft Office, and Microsoft SharePoint. Adobe released yet another update for its Flash Player as well as an update for Adobe AIR.
-http://krebsonsecurity.com/2013/03/critical-updates-for-windows-adobe-flash-air/
-http://www.theregister.co.uk/2013/03/13/march_black_tuesday_update/
-http://www.h-online.com/security/news/item/Adobe-closes-more-critical-holes-in-F
lash-Player-1821723.html
-http://technet.microsoft.com/en-us/security/bulletin/ms13-mar
-http://blogs.adobe.com/psirt/2013/03/security-updates-available-for-adobe-flash-
player-apsb13-09.html

Firmware Update Available for Flaw in HP LaserJet Printers (March 12, 2013)

A security issue in certain HP LaserJet printers could be exploited to read data without authentication. The flaw lies in a telnet debug shell and can be exploited through the network. The vulnerability affects ten models of the LaserJet Pro series of printers. HP has released updated firmware for the printers that can be downloaded from their support site. US-CERT has issued an advisory about the issue.
-http://www.h-online.com/security/news/item/US-CERT-warns-of-HP-LaserJet-printer-
backdoor-1821334.html
-http://www.kb.cert.org/vuls/id/782451
-http://www8.hp.com/us/en/support-drivers.html

---

CONTROL SYSTEMS SECURITY NEWS

ICS-CERT, SCADA Patching Under The Microscope

Some experts say that the ICS-CERT's vulnerability reporting is not addressing the underlying issue - "that the most serious vulnerabilities in control systems are deliberate design features, not bugs."
-http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabi
lities/240150763/ics-cert-scada-patching-under-the-microscope.html
[Editor's Note (McBride): Let me put the problem another way. If you are on an ICS network, and can access a vulnerable PLC Web server (that's used to configure the device), you can probably already talk directly to/with the PLC! Who cares if a vulnerability allows an attacker do directory traversal and get log-in credentials? The attacker can already interact with the PLC at will (tell it how to manipulate the physical process)! It's not a matter of whether the ICS-CERT is fulfilling some part of its mission, it's a matter of whether that part of the mission makes much sense in the first place.
(Assante): These architectural weaknesses are the reason ICS systems must remain behind defenses and should not rely upon the simple security features of any single component or device. Addressing vulnerabilities will continue to be important, but these systems require holistic defenses and informed engineering decision to compensate for the inherent machine-to-machine trust in the legacy designs. (Pescatore): The same is true across much of Operational Technology, such as medical machinery, kiosks/ATM machines and the like. If the front door doesn't even have a lock, reporting that the hinges can be removed is not all that valuable. Need to get the manufacturers to take responsibility for bad designs and fix them. ]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/