From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jan 04 2013 - 12:49:31 CST
OT is the new term for operational technology (in contrast to IT), the
systems that run power, oil and gas, transportation and hundreds of other
systems on which our world depends. OT is in the bull's-eye for attackers,
and a lot of good is happening. See the first two stories for a little
SANS NewsBites January 4, 2013 Vol. 15, Num. 001
TOP OF THE NEWS
ICS-CERT Report Says Cyberattacks Against Energy Sector Systems on the Rise
Mike Assante's 2013 Call to Arms for ICS and SCADA Security
Companies Revoke Trust in Unauthorized Google Digital Certificates
DHS Will Pay for Federal Civilian Agencies' Continuous Monitoring Services
THE REST OF THE WEEK'S NEWS
Five-Year Prison Sentence for Filesharer
Some Companies Scatter Phony Data in Systems to Thwart Attackers
Man Facing Prosecution for Licensing Code Used on Online Gambling
Ruby on Rails Development Team Releases Update
First Patch Tuesday of 2013 Will Comprise Seven Bulletins
Microsoft Releases Temporary Fix for IE Flaw
Two More States Say No to Employers Demanding Social Network Passwords
--SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
--North American Industrial Control Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Anaheim, Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and
Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--ICS-CERT Report Says Cyberattacks Against Energy Sector Systems on the Rise
(December 31, 2012 & January 2, 2013)
According to a report from the US Department of Homeland Security's
(DHS's) Cyber Emergency Response Team for Industrial Control Systems
(ICS-CERT) cyberattacks on systems at organizations that are part of the
US energy infrastructure are on the rise. In the 12 months ending in
September 2012, nearly 200 cyber incidents were reported to ICS-CERT.
More than 40 percent of those incidents were directed at energy sector
companies. Many industrial control systems used in elements of the
country's critical infrastructure are linked directly to the Internet.
Some of the systems became infected through USB drives.
[Editor's Note (Assante): ICS-CERT assistance and analysis is helping
the sector understand the extent of the problem. Campaigns are widening
to include a successful attack against a key supplier of energy control
systems and attempts to compromise a sector security consortium. Energy
will continue to be an attractive target. Expect to see the use of
custom malware and continued targeting of individuals, sector related
websites, and connected business partners.
(Henry): My experience with ICS CERT while in the FBI was positive; they
had an aggressive outreach program, it was well coordinated with the
Bureau and others in the intelligence community, and they were making
progress. Not sure if the increase in reported attacks is because
adversary activity has gone up, or because the ICS-CERT program is more
effective and having an impact. I'd say it's almost certainly a
combination of the two.
(McBride): What exactly is an "incident" in ICS-CERT terms? SSH
scanning, reports of Shodan search terms, common viruses inserted into
control networks via USB sticks that weren't scanned? With a couple of
significant exceptions, the incidents themselves are generally
UN-alarming. The report does however show that ICS asset owners
generally lack the ability to deal with OT (operational technology like
SCADA and supporting computers) incidents themselves and that they are
increasingly looking for assistance. To successfully combat the ICS
security challenge, we need scalable approaches that include the right
mix of government and private sector solutions.]
--Mike Assante's 2013 Call to Arms for ICS and OT Security
Given the increasing level of attacks on industrial control systems in
power and on other operational technology (OT) the power and ICS
industry has launched an important initiative to share best practices
and to jointly build and certify the talent to improve cybersecurity in
power systems and other OT. The leader of this consortium and the
initiative is Mike Assante, the most trusted person in power systems
security who served as CSO at both American Electric Power and at NERC.
His call to arms appeared this week in the NESCO blog. (If you want to
be part of the consortium developing the new initiative, register for
the Summit at http://www.sans.org/event/north-american-scada-2013 and
then email Mike at michael.assante@nbise.org.)
[Editor's Note (McBride): It would be wonderful to shift from building
awareness to properly organizing our efforts in 2013. The most salient
point to me from the "Call to Arms" is about integrating our system
protection/resilience efforts across job functions to properly deal with
deeply-understood failure conditions. This won't occur in 2013, but we'd
best get moving on it!]
--Companies Revoke Trust in Unauthorized Google Digital Certificates
(January 3, 2013)
Google, Microsoft, and Mozilla have revoked trust in two digital
certificates that were issued under a Turkish certificate authority (CA).
The certificates were issued by an intermediate certificate authority
that links back to TURKTRUST, which has acknowledged that in August
2011, it inadvertently issued two intermediate CA certificates to
organizations that should have received regular SSL certificates. The
certificates are being used in active phishing attacks.
[Editor's Note (Pescatore): The CA/Browser Forum seemed to make little
progress (and actually lost members due to intellectual property issues)
in 2012 in improving the sorry state of SSL certificate issuance. They
met in December; I hope their 2013 New Year's Resolution was a much more
aggressive approach this year.
(Shpantzer): A non-technical article about SSL trust and the Turkish CA,
including the interesting idea that the browser companies are where the
rubber meets the road:]
--DHS Will Pay for Federal Civilian Agencies' Continuous Monitoring Services
(January 3, 2013)
US Department of Homeland Security (DHS) officials say the agency will
foot the cost of providing civilian agencies with technology to conduct
near-real-time threat detection. The tab could reach US $6 billion if
all levels of government and critical infrastructure organizations
participate. The White House has called for continuous monitoring since
2010, but many agencies lacked the resources and skills to implement the
practice. The initiative, called continuous monitoring as a service
(CMaaS), will provide sensors, risk-status displays, and professional
consulting. Military, state, and local government agencies will be
encouraged to use the same companies that provide the services to the
federal government agencies, but DHS will not cover the costs for those
[Editor's Note (Henry): Continuous monitoring of networks in real-time
is crucial in identifying malicious activity on the network, rather than
merely trying to block ever-changing malware signatures. It will
require a lot of time and a lot of coordination to do this effectively;
it's a lofty goal, but doing this right is absolutely necessary to get
ahead of this threat.
(Pescatore): This "Continuous Diagnostics and Monitoring" effort is a
very good idea but many Government department heads, agency heads, CIOs,
CISOs etc. have been burned before on centrally funded services that
turn into unfunded mandates as the wacky federal budget process goes
through its yearly erratic undulations. This leads to slow uptake, which
leads to vendors not seeing revenue to cover costs, which leads to
services falling behind rapidly changing needs, repeat. Hopefully, GSA
lessons learned from past such large IDIQ vehicles can help craft
procurement and governance structure to avoid those pitfalls.
(Murray): OMB has this one right. Budget belongs where one wants the
decision-making authority. Too many security managers lack the
authority to make things happen because they fail to ask for the
necessary budget to support their initiatives.
(Paller): This is an excellent initiative - taking a program where there
is hard evidence of enormous risk reduction, and making it available
widely at much lower cost. However, I have been hearing complaints from
some federal CISOs and from lots of contractors. There is extensive
evidence that the level of the carping is inversely proportional to the
competence of the people doing the carping. If you run into someone
suggesting the DHS project isn't the right approach, ask him/her to show
you the proof that his alternative approach has radically reduced
(reliably-measured) risk at scale as the DHS approach has done - or to
"please get out of the way."]
THE REST OF THE WEEK'S NEWS
--Five-Year Prison Sentence for Filesharer for Violation of DMCA
(January 3, 2013)
A Virginia man has been given the lengthiest prison sentence ever handed
down for filesharing. Jeramiah Perkins, who was a member of a gang that
recorded movies in theaters and offered the pirated content, received a
60-month prison sentence for his role in the operation. Five members of
the gang, known as IMAGiNE, have been sentenced for their involvement.
They have all pleaded guilty to conspiracy to commit copyright
[Editor's Note (Murray): At least this is what the DMCA was intended
for, not housewives and students.]
--Some Companies Scatter Phony Data in Systems to Thwart Attackers
(January 3, 2013)
A Minnesota magazine and catalog printing company has begun placing
phony data on its servers to trick hackers intent on stealing their
valuable databases of subscriber information and online publication
content. The company tracked those who took the fake information. Other
companies are doing the same thing. The practice of digital deception
is a type of active defense against cyberespionage. Other approaches,
such as knocking servers offline or gaining access to the cyberthieves'
servers and deleting stolen data, are of questionable legality.
Disrupting another company's server could result in retaliation.
Deceptive data stays on the right side of the law as long as the
information is planted only on the company's own servers and the fake
data do not harm others' systems. The practice has been around for a
while in the form of honeypots.
[Editor's Comment (Pescatore): For most enterprises eliminating the
vulnerabilities that enable the attacks is more in the shareholders'
interests than attracting and watching attackers.
(Northcutt): Honeytokens. Interesting, but I would be nervous about
working with a direct mail that employed this technique. Direct mail is
more or less $1.00 per piece at the low end when you count printing,
sorting, mailing, and renting mailing lists. If there is a significant
amount of fake data and they do not purge it correctly, the fake mail
ends up in the landfill and you eat the cost. There are many forms of
(Shpantzer): A balanced article on the spectrum of activities that are
generating so much buzz (and FUD) these days:]
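An added illustration, not code from the article or from the printing company it describes: a honeytoken scheme for a subscriber database of the kind the story covers, with the purge step Northcutt's note calls for before a print run. The server names, the token domain and the leaked dump are constructed for the example.

```python
"""Honeytoken subscriber records: plant, purge before mailing, detect leaks."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumption: a per-deployment secret so token addresses are unguessable yet
# re-derivable; load it from a secret store in real use, never from source.
SECRET = b"constructed-demo-key-change-me"
TOKEN_DOMAIN = "example.net"  # assumption: a mail domain the defender controls


@dataclass(frozen=True)
class Subscriber:
    name: str
    email: str
    planted_on: str = ""  # server the fake record was seeded on; "" means real


def make_honeytoken(server: str, index: int) -> Subscriber:
    """Derive a fake subscriber for `server`; the address carries no readable
    hint but can be re-derived, so a later sighting attributes the leak."""
    tag = hmac.new(SECRET, f"{server}:{index}".encode(), hashlib.sha256)
    return Subscriber(name=f"Pat Doe {index}",
                      email=f"s{tag.hexdigest()[:12]}@{TOKEN_DOMAIN}",
                      planted_on=server)

def plant(records: list, server: str, count: int) -> list:
    """Return the records with `count` honeytokens for `server` mixed in."""
    return records + [make_honeytoken(server, i) for i in range(count)]

def export_for_mailing(records: list) -> list:
    """Purge every honeytoken before a print run, so no fake piece is
    printed, stamped and thrown away (the cost Northcutt's note raises)."""
    return [r for r in records if not r.planted_on]

def find_leaks(records: list, observed: str) -> dict:
    """Scan text seen outside the company (a dump offered for sale, spam
    arriving at the token domain) for planted addresses; map each hit to
    the server it was seeded on, which says where the copy came from."""
    wanted = {r.email: r.planted_on for r in records if r.planted_on}
    hits = {}
    for addr in re.findall(r"[\w.+-]+@[\w.-]+\w", observed):
        if addr in wanted:
            hits[addr] = wanted[addr]
    return hits

def demo() -> dict:
    """Constructed scenario: two real subscribers, tokens on two servers,
    and a leaked dump that contains one token from web-db-01."""
    real = [Subscriber("Ann Real", "ann@example.org"),
            Subscriber("Bob Real", "bob@example.org")]
    db = plant(plant(real, "web-db-01", 2), "backup-02", 2)
    dump = ("ann@example.org, " + make_honeytoken("web-db-01", 1).email
            + ", stranger@example.com")
    return find_leaks(db, dump)
```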
--Man Facing Prosecution for Licensing Code Used on Online Gambling
(January 3, 2013)
An Arizona man is facing prosecution for licensing software that is used
by online casinos and bookmakers in other countries. Authorities in New
York say that the program licensed by Robert Stuart and his company was
used by some for illegal gambling in that state. Stuart, his wife, and
his brother-in-law are facing felony charges of promoting gambling in
New York. Stuart says he and his company ensure when they license the
software that it is only in countries where online gambling is
permitted. The software does not place bets, but provides the
infrastructure for sites to choose which sporting events they want to
offer for betting; it also stores the bets. A hearing is scheduled for
January 8. Jennifer Granick, director of civil liberties for the Center
for Internet and Society at Stanford University says that prosecuting
Stuart would set a dangerous precedent. Stuart maintains that the
authorities have pursued him because they wanted to use him to gather
information about illegal gambling activity in New York State. He says
he was pressured into agreeing to install backdoors in his software and
then use them to collect information. Stuart changed his mind and
refused the plea deal.
Old Plea Agreement:
--Ruby on Rails Development Team Releases Update
(January 3, 2013)
Ruby on Rails developers have released an update for their open source
web application development framework to address an SQL injection
vulnerability. The problem lies with the framework's Active Record
database query interface. The flaw affects all versions of the
framework; the updated versions are 3.2.10, 3.1.9, and 3.0.18. Users are
urged to update as soon as possible. For those unable to apply the
updates right away, the Ruby on Rails development team has also issued
a workaround as well as manual patches for older versions.
--First Patch Tuesday of 2013 Will Comprise Seven Bulletins
(January 3, 2013)
On Tuesday, January 8, 2013, Microsoft plans to issue seven security
bulletins to address a total of 12 vulnerabilities. Two of the bulletins
are rated critical; the flaws they address could be exploited to allow
remote code execution. The other five are rated important; the
vulnerabilities they fix could be exploited to elevate privileges,
bypass a security feature, or create denial-of-service conditions.
Affected software includes Windows, Microsoft Office, Microsoft
Developer Tools, Microsoft Server Software, and Microsoft .NET
Framework. Notably absent from the patch lineup is the zero-day
vulnerability in Internet Explorer (IE).
--Microsoft Releases Temporary Fix for IE Flaw
(December 28, 29, & January 2, 2013)
Microsoft has released a temporary fix for a zero-day flaw in Internet
Explorer (IE) that is being actively exploited in targeted attacks. The
vulnerability affects IE 6, 7, and 8, but not newer versions of the
browser. Microsoft has issued an advisory about the issue and says it
is "working around the clock" on a patch for the flaw (but it does not
appear to be included in this month's scheduled patch release. -Ed.)
[Editor's Note (Shpantzer): If you're still using an old version of IE,
you'd better have a really good excuse (usually something to do with a
horrible backward-compatibility issue for using an application).]
--Two More States Say No to Employers Demanding Social Network Passwords
(January 2, 2013)
As of Tuesday, January 1, six US states now prohibit employers from
demanding their employees' social media account passwords. US
legislators were unable to gather enough support to pass the Password
Protection Act of 2012, so California and Illinois have joined Delaware,
Maryland, Michigan, and New Jersey by enacting laws at the state level.
Employers still may see their employees' public posts to social media
[Editor's Note (Henry): Most social networking sites' Terms of Service
will preclude a user from sharing their password or otherwise creating
a security vulnerability. Regardless, I just don't get this. You should
be obligated to provide private, personal information...not being shared
publicly...to a prospective employer? That's a very slippery slope...]
The Editorial Board of SANS NewsBites
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit