Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #6

January 22, 2013


Tomorrow is the last day to save $500 on courses at SANS 2013 - the
largest training program in cybersecurity - in early March in Orlando.
http://www.sans.org/event/sans-2013

TOP OF THE NEWS

Australia's National Security Strategy Includes Heavy Focus on Cyber Threats
US Dept. of Health and Human Services Releases HIPAA Omnibus Rule
Critical Infrastructure Systems Seen as Vulnerable to Attack

THE REST OF THE WEEK'S NEWS

Canadian Computer Science Student Expelled Over Live Site Scan
More Details About Attacks Targeting Industrial Control System Passwords
Google Researchers' Paper Describes Encrypted Authentication Token
Indian Police Arrest Two in Connection with Online Bank Account Theft
Polish Domain Registrar Takes Over Virut Botnet Domains
Two Vulnerabilities in ESPN Mobile App
Red October Operators Appear to be Shutting Down Operations
Vulnerability in Cisco Linksys Router
AMD Files Lawsuit Against Former Employees for Alleged Theft of Intellectual Property


************************ SPONSORED BY Symantec ****************************
Symantec Endpoint Protection 12 and Critical System Protection are positioned highest in Gartner's Magic Quadrant for completeness of vision and the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned. Learn More. http://www.sans.org/info/121822
****************************************************************************
TRAINING UPDATE
--SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

--North American Industrial Controls Systems and SCADA Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

--Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

--SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

--SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

--Looking for training in your own community?
http://www.sans.org/community/

--Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/onCyberdemand/discounts.php#current Plus Cairo, New Delhi, Scottsdale, Brussels, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Australia's National Security Strategy Includes Heavy Focus on Cyber Threats (January 21, 2013)

Australian Prime Minister Julia Gillard will make a speech later this week in which she will describe the government's national security objectives for the next five years. While the document itself has not been officially released, "it is said to focus ... heavily on the threat of cyber intrusions, which has grown massively in the [last] three years," according to a press release.
-http://www.theaustralian.com.au/national-affairs/defence/cyber-war-china-key-to-security-says-julia-gillard/story-e6frg8yo-1226557811625

[Editor's Note (Paller): The Australians are doing much more than admiring the threat. They have found four specific actions that actually stop the targeted attacks doing all the damage, and they are engaged in a government-wide initiative, led by the nation's leaders, to make sure every agency has those critical controls in place. Those four controls are directly highlighted in the new 20 Critical Controls benchmark document that will be released at RSA and are the target of a U.S. national pilot program in federal, state and commercial organizations designed to measure how well they work and to determine whether any significant disruptions occur when they are implemented. ]

US Dept. of Health and Human Services Releases HIPAA Omnibus Rule (January 18 & 21, 2013)

The US Department of Health and Human Services (HHS) has released the HIPAA omnibus rule, which updates the original HIPAA (Health Insurance Portability and Accountability Act) rule, which dates back to 1996. It clarifies the responsibilities of healthcare providers and other entities that process health insurance claims. The new rule also clarifies when breaches must be reported to HHS. The new rule will take effect on March 26, 2013; entities affected by the rule will have 180 days beyond that date to become compliant.
-http://healthitsecurity.com/2013/01/18/hhs-posts-final-hipaa-omnibus-rule/
-http://www.medpagetoday.com/PracticeManagement/InformationTechnology/36940
[Editor's Note (Henry): Glad to see HHS's recognition of this issue, and the need to promulgate rules for data breach reporting. Unfortunately, in many cases of actual breach, the criteria requiring this reporting cannot be met. For example, the factor that "the protected health information (was) actually viewed or acquired", can often not be determined, even when you're aware there's been a breach. I'd like to see tougher requirements that breaches themselves are reported, regardless of the speculation around what might have occurred while the adversary was prancing around the network.
(Murray): HIPAA has already set such a high hurdle that hospitals and physicians prefer paper records to electronic. 180 days to understand and comply with 550 pages of new rules is called a very high hurdle. We need simplification and clarity. ]

Critical Infrastructure Systems Seen as Vulnerable to Attack (January 17, 2013)

Spear phishing is the starting point for many attacks against the computers run by power companies. A recent test of the resiliency of power systems to social engineering showed 26 percent of employees who work closely with industrial control systems fell victim to the social engineering attack. Among their job titles were: a control room supervisor, a pipeline controller, an automation technician, a process controls engineer and a senior vice president for operations and maintenance.
-http://bits.blogs.nytimes.com/2013/01/17/critical-infrastructure-systems-seen-as-vulnerable-to-attack/?src=rechp

[Editor's Note (McBride): Interesting piece of research here. It seems that we so often focus on technological post-attack remedies (FW, AV, IDS) that we ignore targeting altogether. Klingler and associates showed that this is a serious fallacy, especially for firms that operate critical infrastructure ICS.
(Assante): Engineers and operators need tailored awareness/behavior changing programs to reduce the attack surface and understand how cyber realities impact their decisions and work. ]

************************ Sponsored Links: *******************************
1) The recent Java 7 and IE 0days have shaken the industry. Many pundits and even US-CERT advise to uninstall Java or move away from IE - but this is ridiculous advice given how many of your internal apps rely on both...how about a real solution? Kill 0-days in their tracks. See how Invincea stops these 0days WITHOUT signatures - http://www.sans.org/info/121827
2) Take the SANS Survey on Help Desk Security! Enter to win an iPad 4! http://www.sans.org/info/121832
3) SANS Survey on SCADA Security results revealed by SCADA expert, Matt Luallen, Wed, Feb. 20. 1PM EDT. http://www.sans.org/info/121837
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Canadian Computer Science Student Expelled Over Live Site Scan (January 21, 2013)

Dawson College in Quebec has expelled a computer science student for a "serious professional conduct issue." Ahmed Al-Khabaz and another student found a security problem in a mobile application used by the school to manage and allow access to student information. When Al-Khabaz initially informed Dawson of the issue, he was told that the problem would be fixed. The incident escalated when, several days later, Al-Khabaz decided to see if the vulnerability still existed by using a website security scanning tool. The tool is designed to be used with off-line copies of web applications, not on live sites. Dawson deemed Al-Khabaz's actions an attack and expelled him.
-http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/

More Details About Attacks Targeting Industrial Control System Passwords (January 18, 2013)

The US Department of Homeland Security (DHS) is warning companies that operate elements of the country's critical infrastructure of an attack on industrial control systems that guesses passwords. The attack focuses on Siemens S7 programmable logic controllers. DHS is advising the affected companies to ensure that their industrial control systems are not connected to the Internet and to partition those systems from their business networks.
-http://www.nextgov.com/cybersecurity/2013/01/dhs-warns-password-cracker-targeting-industrial-networks/60767/?oref=ng-channeltopstory

Google Paper Describes Encrypted Authentication Token (January 18, 2013)

A paper from Google VP of Security Eric Grosse and Engineer Mayank Upadhyay describes the need to develop technologies to take the place of most passwords. They write that "passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe." The paper also proposes the use of an encrypted device that would be used to allow people to log in to online accounts that are normally protected with passwords. The paper suggests integrating the authentication token into something people already carry, such as a smartphone or jewelry. The paper will be published later this month in the IEEE Security & Privacy Magazine.
-http://www.computerworld.com/s/article/9235971/Google_sees_one_password_ring_to_rule_them_all?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57564788-83/googles-password-proposal-one-ring-to-rule-them-all/
-http://www.wired.com/wiredenterprise/2013/01/google-password/?cid=5394044

Indian Police Arrest Two in Connection with Online Bank Account Theft (January 18 & 21, 2013)

Police in India have arrested two men in connection with theft from online banking accounts. The men allegedly managed to find a way around the bank's two-factor authentication system. They allegedly bought information about the accounts they targeted and used social engineering tactics to convince mobile phone companies to supply the replacement SIM cards that they then used in the scheme.
-http://www.theregister.co.uk/2013/01/21/indian_sms_bank_fraud_arrests/
-http://www.financialexpress.com/news/duo-arrested-for-internet-banking-fraud/1061205/1

Polish Domain Registrar Takes Over Virut Botnet Domains (January 18 & 21, 2013)

Polish domain registrar NASK has taken over 23 domains that were being used to control the Virut botnet network. Traffic to those domains has been rerouted to a domain under control of CERT Polska, which is run by NASK. Virut has been used to distribute the ZeuS malware and more recently to distribute Waledac malware. Virut has also been using Russian (.ru) and Austrian (.at) domains. The Russian domains have also been shut down and the .at domain registry and Austrian CERT have been notified of the issue.
-http://www.computerworld.com/s/article/9235991/Security_researchers_cripple_Virut_botnet?taxonomyId=17

-http://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/
-http://www.theregister.co.uk/2013/01/21/virut_botnet_take_down/
[Editor's Note (Henry): I expect we'll see more government/private sector organizations collaborate to take action against adversary infrastructure...a movement towards focusing on the threat actor rather than merely reducing vulnerabilities. ]

Two Vulnerabilities in ESPN Mobile App (January 18, 2013)

A popular ESPN app appears to be affected by two security issues. A cross-site scripting (XSS) flaw in the ESPN ScoreCenter app could be exploited to circumvent access controls to gain access to user data. The app is also reportedly vulnerable to an attack that could expose account usernames and passwords, which could be problematic for people who use the same usernames and passwords across multiple accounts. ScoreCenter is a free app that is available for Android, iPhone, and Windows phone platforms. The flaws affect version 3.0 of the app. An ESPN spokesperson says that the problems have "been resolved."
-http://www.scmagazine.com/xss-password-flaws-found-in-popular-espn-app/article/276723/

[Editor's Note (Murray): Incomplete parameter checking remains the most persistent coding error in "modern" systems. Perhaps we might ostracize programmers after the second offense. ]

Red October Operators Appear to be Shutting Down Operations (January 18 & 21, 2013)

In the week since news of the Red October cyberespionage operation broke, elements of the scheme's infrastructure have been shut down, presumably by the scheme's operators. Red October appears to have been created to steal data from computers and connected mobile devices of embassies, governments, and scientific research facilities around the world. The shutdown is occurring as Kaspersky Lab publishes additional information about Red October and its technical details.
-http://www.h-online.com/security/news/item/Red-October-closes-as-Kaspersky-publishes-more-details-1787774.html
-http://arstechnica.com/security/2013/01/red-october-espionage-platform-unplugged-hours-after-its-discovery/

[Editor's Note (Shpantzer): For some analysis, including the openIOC file, go here:
-http://labs.alienvault.com/labs/index.php/2013/red-october-indicators-of-compromise-and-mitigation-data/ ]

Vulnerability in Cisco Linksys Router (January 17, 2013)

Cisco has acknowledged that there is a vulnerability in a Linksys router that could be exploited to gain complete control of the device, which is used for wireless home networks. Cisco says that despite earlier reports suggesting that the flaw affects multiple models, it actually occurs only in the Linksys WRT54GL model. Cisco has developed a patch for the issue and is currently testing it. Until the fix is made available users are urged to ensure that they have configured their networks securely and that strangers and other untrusted individuals do not connect to the router with an Ethernet cable.
-http://www.csoonline.com/article/727005/cisco-confirms-linksys-firmware-flaw-says-only-one-router?source=CSONLE_nlt_newswatch_2013-01-18

[Editor's Note (Murray): We worry about home router vulnerabilities that can be exploited from the Internet, where most of the attacks come from, even ones that can be exploited from the air side. Less about those that require physical access to the device. ]

AMD Files Lawsuit Against Former Employees for Alleged Theft of Intellectual Property (January 16, 2013)

AMD has filed a lawsuit in Massachusetts district court, alleging that four former managers stole intellectual property from the company before leaving to work for rival Nvidia. The lawsuit calls the events "an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation." AMD's lawsuit alleges that former AMD manager Robert Feldstein used external hard drives to download licensing agreements and strategic plans from his work computer and that Feldstein recruited three other employees to move to Nvidia and bring proprietary information with them.
-http://www.theregister.co.uk/2013/01/16/amd_nvidia_spying_lawsuit/
[Editor's Note (Shpantzer): From the November 13, 2002 NewsBites: "Some organizations make it a policy to forensically image the computers of departing employees, whether they quit or were fired. This allows them to come back later to a properly archived image and analyze it for potential evidence." I think this comment still holds true, over a decade later.
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=4&issue=46]


************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978, including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/