Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #30

April 16, 2013


SANSFIRE (Washington DC's largest cybersecurity training program):
15 days left to get the biggest discounts.
http://www.sans.org/event/sansfire-2013

TOP OF THE NEWS

US Creating Cybersecurity Working Groups With Japan and China
EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism

THE REST OF THE WEEK'S NEWS

Vaillant Warns of Vulnerability in Internet-Connected Heating Systems
WordPress Blogs Under Botnet Attack
Trojan Deletes Its Own Components
Schnucks Releases More Details About Payment Card Data Breach
Oracle to Issue Update for Java
Teso Acknowledged That Aviation Hack Was Conducted on Simulator
Microsoft Tells Users to Uninstall Troublesome Windows 7 Patch
Guantanamo Bay Defense Attorneys: Computer Files are Missing and eMail was Monitored
Cell Phones Overwhelmed in Boston Bomb Aftermath


*********************** SPONSORED BY Bit9 ***************************
eBook: Detecting and Stopping Advanced Attacks. Today's cyber threat has changed in sophistication, in focus, and in its potential impact on your business. This eBook will tell you how today's advanced attacks require automatic detection and incident response. You will learn how you can most effectively protect your business. Download Today http://www.sans.org/info/129055
**********************************************************************
TRAINING UPDATE

- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS Secure Europe 2013 Amsterdam, Netherlands April 15-April 27, 2013 10 courses.
http://www.sans.org/event/secure-europe-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Bangalore, Johannesburg, Malaysia, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

US Creating Cybersecurity Working Groups With Japan and China (April 14 & 15, 2013)

US Secretary of State John Kerry says that the US is creating working groups with Japan and China to address cybersecurity related issues. Because "some of the most serious cyber threats to businesses emanate from" the Asia Pacific Region, it is important to have countries there be part of the solution to the problem.
-http://www.computerworld.com/s/article/9238385/John_Kerry_Cyberdefense_a_major_p
art_of_Asian_security?taxonomyId=17

-http://www.zdnet.com/cn/us-china-to-form-cybersecurity-working-group-7000013976/
[Editor's Note (Pescatore): There are strong parallels between the US/USSR in the Cold War and "Mutually Assured Destruction" nuclear restraint strategies, and today's international cybersecurity issues. Having *both* diplomatic and military initiatives in the cyber area is important.
(Murray): China wants to control the content. (If one is running a single-party state, Facebook is more than a mere inconvenience.) The US wants to defend its fragile infrastructure. That said, both have an interest in an orderly Internet. Before we turn the Internet into a battlefield, we should at least try diplomacy to find mutually agreed state behavior, short of "war," that serves both interests. ]

EPIC Urges NIST to Draw Distinction between Cybercrime and Cyberterrorism (April 15, 2013)

The Electronic Privacy and Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cyber crime and cyber terrorism. NIST is developing a cybersecurity platform as part of the president's executive order on cybersecurity, and asked for public comments on the development of that platform. In its comments, EPIC notes that "the overwhelming majority of cybersecurity incidents do not fall within the 'national security' designation."
-http://www.gsnmagazine.com/node/28918?c=cyber_security
[Editor's Note (Pescatore): First: the horrible attacks at the Boston Marathon once again point out the schlockiness of the term "cyberterrorism." After each bombs and blood actual terrorist attack, from Oklahoma City in 1995 through the terrorist attacks against the US in September 2011, someone says "The next terror attack will be cyber" - - no, it will not. With that out the way, EPIC is dead on here. The cyber attack public relations focus shifted from cybercrime to China because that is a great way to go after funding and government budgets. The actual volume of attacks and likelihood of damage most companies face did *not* shift. (Murray): Well, EPIC is right to take the opportunity of the NIST RFC to raise the issue. However, the problem is not limited to NIST. Most of the attacks in the Internet are motivated by things other than terror (e.g., economics). Those that are intended to terrorize represent a "national security" threat only to the extent that we react to them as the terrorists hope. Government policy that treats them all as "war" is not efficient and, at least arguably, is not effective. It is essential that we distinguish between existential threat and the human condition.
(McBride): This is a pivotal distinction that needs to be addressed. Having a set of predetermined criteria to judge between national security issues and non-national security issues would help the federal government provide appropriate support while maintaining civil liberties and conserving taxpayer resources. It would also encourage rather than discourage participation and innovation that comes from private sector cyber security firms.]


*************************** Sponsored Links: ******************************
1) Attend the Mobile Device Security Summit where experts and practitioners will detail proven approaches to securing BYOD. http://www.sans.org/info/129060

2) Attend the SANS 20 Critical Security Control Briefing, Thursday, April 18, 2013 in Washington, DC at the JW Marriott. Tony Sager and John Pescatore will provide an overview of the 20CC, showcase the 20CC In Action, and also moderate a Vendor Panel. Event is free to Government attendees. For more information go to http://www.sans.org/info/128292 To register for this event via simulcast, visit http://www.sans.org/info/128297

3) "Data Center Virtualization from a Security Perspective," featuring Dave Shackleford and Deepak Thakkar, Wednesday, May 1, at 1 PM EDT http://www.sans.org/info/129065
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Vaillant Warns of Vulnerability in Internet-Connected Heating Systems (April 15, 2013)

Germany company Vaillant is warning customers that its ecoPower 1.0 Internet-connected heating systems contain a security flaw that could be exploited to turn off the system remotely and possibly cause damage to the system. The vulnerability could allow attackers to access not only homeowner controls, but service administrator controls as well. Vaillant recommends that customers using the affected systems disconnect them from the network until they can be fixed onsite.
-http://www.h-online.com/security/news/item/Security-hole-can-damage-heating-syst
ems-1842489.html

[Editor's Note (McBride): Unfortunately, in the dawn of the Internet of things this is likely to be the rule rather than the exception. It is not hard to envision the day when "common" malware will be designed to find and alter the systems that control our everyday physical world - inside our homes. Companies developing cyber-physical systems have to build-in security now. We cannot depend on users to install VPN devices for their air conditioner or apply firmware updates to their heating system -- even if such devices and updates are provided "free of charge to customers with a support contract".]

WordPress Blogs Under Botnet Attack (April 15, 2013)

WordPress, a major blogging platform, has been targeted in a botnet attack. The botnet is using a "brute force dictionary" attack to try to gain administrative access to WordPress sites using a list of common usernames and passwords. The attack involves compromising the sites and installing a backdoor, which allows the attackers to control the site remotely and force it to join the botnet.
-http://www.zdnet.com/wordpress-hit-by-massive-botnet-worse-to-come-experts-warn-
7000014019/

-http://www.computerworld.com/s/article/9238377/Wide_scale_attack_against_WordPre
ss_blogs_reported?taxonomyId=17

-http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
-http://www.bbc.co.uk/news/technology-22152296
[Editor's Note (Pescatore): Former US President Jimmy Carter has led an effort started in 1986 that has largely eradicated Dracunculiasis (guinea worm disease) in Africa by giving out simple sieves to filter infected watering hole water - forcing a two step process to drink water, but avoiding a very nasty disease. Moving to non-reusable passwords (a la two step authentication and other means) is following about the same timeline as the disease eradication, but attacks like these do help increase the adoption slope.
(Murray): Google Blogspot, a competitor to Wordpress, offers strong authentication to resist brute force attacks and credential replay. The key word is "offers;" the default is user chosen and managed passwords. ]

Trojan Deletes Its Own Components (April 15, 2013)

The Nemim.gen Trojan downloader evades forensic examination by deleting its own components. Nemim.gen has another unusual feature: instead of providing a means for the real payload to be delivered to compromised computers, the Trojan itself is the payload.
-http://www.darkreading.com/security/vulnerabilities/240152960/microsoft-discover
s-trojan-that-erases-evidence-of-its-existence.html

Schnucks Releases More Details About Payment Card Data Breach (April 15, 2013)

On March 14, St. Louis, Missouri-based supermarket chain Schnucks was alerted to a possible credit card data leak by its payment processing company. Five days later, Schnucks hired Mandiant to help with its internal investigation. It took two weeks to locate the source of the leak and fix it. Roughly 2.4 million payment cards used at 79 stores between December 2012 and March 29, 2013 were compromised.
-http://www.computerworld.com/s/article/9238402/Schnucks_supermarket_chain_strugg
led_to_find_breach_that_exposed_2.4M_cards?taxonomyId=17

Oracle to Issue Update for Java (April 15, 2013)

On Tuesday, April 16, Oracle plans to release an update for its Java browser plug-in to address 39 critical security issues. The update also incorporates changes to the plug-in designed to make drive-by attacks more difficult to achieve. Java 7, Update 21 will address a total of 42 security flaws.
-http://arstechnica.com/security/2013/04/new-security-protection-fixes-for-39-exp
loitable-bugs-coming-to-java/

Teso Acknowledged That Aviation Hack Was Conducted on Simulator (April 12 & 14, 2013)

Hugo Teso, whose presentation at a recent conference in Amsterdam described how he had used a custom app for an Android device to hack into aircraft navigation systems, acknowledged that he tested his app on a flight simulator, not a certified system. The system Teso used in his demonstration was running training software for commercial jet navigation systems. The US Federal Aviation Administration has refuted Teso's claims that he could hack into aircraft flight management systems, and the European Aviation Safety Administration (EASA) noted that "the FMS simulation software does not have the same overwriting protection and redundancies that is included in the certified flight software."
-http://www.computerworld.com/s/article/9238387/FAA_says_hijack_a_jet_app_works_o
nly_on_simulator?taxonomyId=17

-http://www.nextgov.com/cybersecurity/2013/04/no-german-hacker-probably-cant-hija
ck-airplane-software/62465/?oref=ng-channelriver

-http://www.h-online.com/security/news/item/Android-app-hacks-virtual-aeroplanes-
1840832.html

-http://www.informationweek.com/security/application-security/faa-dismisses-andro
id-app-airplane-takeo/240152838

[Editor's Note (Murray): That the vulnerability does not really exist does not make any difference; the important thing is that now everyone knows his name. ]

Microsoft Tells Users to Uninstall Troublesome Windows 7 Patch (April 12, 2013)

Microsoft is urging users to uninstall a patch it released last week after some reported that it was causing blue screen of death errors on Windows 7 computers. The bulletin in question is MS01-036, which addressed a total of four vulnerabilities. Microsoft has removed the patch, security update 28383324, from the bulletin. The update was designed to fix an issue that had been given a moderate severity rating.
-http://krebsonsecurity.com/2013/04/microsoft-hold-off-installing-ms13-036/
-http://www.zdnet.com/microsoft-pulls-patch-tuesday-security-fix-7000013942/
-http://arstechnica.com/security/2013/04/microsoft-tells-windows-7-users-to-unins
tall-faulty-security-update/

-http://www.h-online.com/security/news/item/Microsoft-pulls-security-update-for-W
indows-and-Windows-Server-1840815.html

-http://support.microsoft.com/kb/2823324

Guantanamo Bay Defense Attorneys: Computer Files are Missing and eMail was Monitored (April 11 & 12, 2013)

Defense attorneys for people detained at Guantanamo Bay Prison say that legal files have been disappearing from their computers since February. They also say there is evidence that their email communications have been monitored. The Washington Post reported that more than half a million defense email messages wound up on prosecutors' computers. Some of the messages contained attorney-client communications. After learning that the prosecution had access to the emails, chief military defense counsel Col. Karen Mayberry ordered attorneys representing people detained at Guantanamo to refrain from using Defense Department networks to send privileged or confidential information. A Pentagon spokesperson explained the email situation as being the result of "miscommunicated ... search parameters" and that when prosecutors "realized the search results included privileged material, the searches completely ceased, and ... the IT department deleted all the search results." He also explained the lost files as being the result of a "nearly catastrophic server crash."
-http://news.cnet.com/8301-1009_3-57579239-83/guantanamo-legal-files-mysteriously
-disappear-from-pcs/

-http://www.washingtonpost.com/national/guantanamo-dogged-by-new-controversy-afte
r-mishandling-of-e-mails/2013/04/11/1973bf9a-a2dd-11e2-82bc-511538ae90a4_story.h
tml

-http://www.politico.com/blogs/under-the-radar/2013/04/guantanamo-defense-lawyers
-ordered-to-stop-computer-161430.html?hp=r7

-http://www.propublica.org/article/gitmo-defense-lawyers-say-somebody-has-been-ac
cessing-their-emails

Cell Phones Overwhelmed in Boston Bomb Aftermath (April 15, 2013)

Frantic calls to determine if loved ones are OK overloaded the cell phone system in Boston near the bombing area. ATT and Verizon recommend trying text messages. And everyone affected by the disaster, our prayers and kind thoughts are with you!
-http://bostonglobe.com/business/2013/04/15/businesses-evacuate-back-bay-and-cell
phones-jam-across-boston-wake-bomb-blasts/efO6TaaT1YDNSFcmBgy6kJ/story.html

-http://publicknowledge.org/blog/right-cell-phone-policy-boston
[Editor's Comment (Northcutt): Communications are overwhelmed after most disasters and that serves to remind us all that a communications plan is one of the crown jewels of a disaster recovery, business continuity plan:
-http://www.fcc.gov/blog/fcc-and-fema-how-communicate-during-and-after-major-disa
ster

-http://www.wnd.com/2006/11/38859/


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in

Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/