SANS NewsBites Vol. 15 Num. 005 : Fake Java Patch; Zero Day Java Exploit; Red October Exploited Known Java Vulnerability; Iran To Be "Force" in Cyber Arena

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jan 18 2013 - 12:58:40 CST


A pattern is emerging involving increasing volume and sophistication of
cyber attack against "operational technology (OT)" ranging from SCADA
power systems to oil & gas and manufacturing (and centrifuge) industrial
control; medical technology devices; environmental control systems and
other appliances; essentially all computer-controlled technology not
owned/managed by traditional IT organizations. In many large
organizations OT systems rival IT systems in number and exceed them in
vulnerability and potential damage. Nation-state and other attackers
have been laser focused on OT both as targets and as pathways for
getting to other targets. The first chance to learn the state of the art
in protecting OT, bringing together OT technology leaders and IT
security leaders is in Orlando February 12-13 with intense courses
before and after the workshop (and you have 6 days left to save $500 if
you want to learn about this new threat vector and see how it could
affect your company and your career). Also at this meeting, the top ICS
security guy (who just left DHS) will provide insights and discussion
unlike what has been available anywhere else, and the "International
Consortium on ICS Security" will be launching its 2013 projects. (By
invitation - ask Mike Assante to invite you if you work for a major ICS
end-user or supplier and think you can contribute.)
Registration: http://www.sans.org/event/north-american-scada-2013

                              Alan

PS You also have 6 days (until January 23) to save $500 on courses at
SANS 2013 - the largest training program in cybersecurity - in early
March in Orlando. http://www.sans.org/event/sans-2013

**************************************************************************
SANS NewsBites January 18, 2013 Vol. 15, Num. 005
**************************************************************************
TOP OF THE NEWS
  Fake Java Patch Is Actually Malware; Zero Day Java Exploit Is Being Sold
  Red October Hackers Exploited Known Java Vulnerability
  Iran Will be a "Force to be Reckoned With" in Cyber Arena
THE REST OF THE WEEK'S NEWS
    Researchers Find Security Weakness in Systems That Interface with
      Medical Devices
    Foxit Updates PDF Reader to Fix Critical Flaw
    German Federal Criminal Police to Use Interim Surveillance Software
    Top Developer Found to Have Outsourced Work to Chinese Subcontractor
    Proposed Amendment to CFAA Would Remove Terms of Service Agreements
      From the Computer Fraud and Abuse Act
    Adobe Releases Fixes for ColdFusion Vulnerabilities
    US-CERT Continues to Recommend Disabling Java After Oracle Issues Patch
    Fake Java Patch Is Actually Malware
    NIST to Test Technology for Secure Health Data Sharing
CONTROL SYSTEMS SECURITY NEWS
    The SCADA Patch Problem

************************ SPONSORED BY Bit9 *******************************

LIVE WEBCAST: Trust-based Application Control 101 - 8% of enterprise
endpoints are infected with malware at any given time. And 80% of stolen
data comes from servers the enterprise thinks are secure. These alarming
statistics show why antivirus and other traditional security products
are ineffective against advanced threats and targeted attacks. Register
today for this webcast http://www.sans.org/info/121342

****************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
- --North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
- --SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID
(smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013
- --SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are
Failing Us: One Click Is All It Takes ...; Human Nature and Information
Security: Irrational and Extraneous Factors That Matter; and
Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013
- --SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013
- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra
all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

***************************************************************************

TOP OF THE NEWS
 --Fake Java Patch Is Actually Malware and Zero Day Java Exploit Is
    Being Sold
(January 17, 2013)
In a typically opportunistic move by hackers, malicious software is
masquerading as the latest patch for Java, and connecting infected
machines back to a command and control server. In addition, top ranked
security reporter Brian Krebs wrote on Wednesday that a zero-day Java
exploit for an apparently brand-new vulnerability was being advertised
for US$5,000 in an underground hacking forum. The advertisement was
posted for a short time, then disappeared, Krebs wrote.
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
http://www.computerworld.com/s/article/9235946/Malware_masquerades_as_patch_for_Java

 --Red October Hackers Exploited Known Java Vulnerability
(January 15 & 16, 2013)
Among the attack vectors employed by those behind the Red October
cyberespionage campaign was an old Java exploit. Red October, which
appears to have been operational for at least five years, targeted
diplomatic, military, and government data on computer systems and mobile
devices. Kaspersky Labs disclosed their discovery of Red October on
Monday, January 14. The research indicated that the perpetrators
exploited vulnerabilities in Excel and Word to launch their attacks. On
Tuesday, a company called Seculert said that the hackers were also
exploiting a known Java vulnerability that Oracle had patched in October
2011.
http://www.zdnet.com/red-october-hackers-also-used-java-exploit-for-spy-campaign-7000009881/
http://www.theregister.co.uk/2013/01/16/red_october_java_connection/
http://www.computerworld.com/s/article/9235859/Java_exploit_used_in_Red_October_cyberespionage_attacks_researchers_say?taxonomyId=17

 --Iran Will be a "Force to be Reckoned With" in Cyber Arena
(January 17, 2013)
The head of the US Air Force Space Command, General William Shelton,
said that in the wake of Stuxnet, Iran has taken steps to strengthen
both its offensive and its defensive cyber powers and will be a "force
to be reckoned with." Analysts say that cyberattacks emanating from Iran
are of increasingly greater sophistication. Iranian officials deny the
country's involvement with the wave of distributed denial-of-service
(DDoS) attacks on US banks.
http://www.nbcnews.com/technology/technolog/iran-beefed-cyber-capabilities-after-stuxnet-us-general-1B8024450
http://www.bloomberg.com/news/2013-01-17/iran-s-cyber-threat-potential-great-u-s-general-says.html
[Editor's Note (Murray): As the first victim of "cyber war" perpetrated
by a nation state, it is unlikely that Iran will sit quietly.
(Paller): Some might argue that Georgia or another nation was an earlier
victim of cyberwar, but that does not make Bill Murray's comment any
less cogent.]

THE REST OF THE WEEK'S NEWS
 --Researchers Find Security Weakness in Systems That Interface with
    Medical Devices
(January 17, 2013)
Vulnerability researchers have found they were able to gain access to a
medical information management system that interfaces with medical
devices. The pair of researchers was able to attain privileged user
status on the Philips XPER system due to weak remote authentication. One
of the more difficult aspects of their activity was obtaining the
equipment on which to run the tests, as sale of the system in question
is restricted to licensed buyers only. They managed to obtain one from
a reseller; when it arrived, it bore an inventory tag from an unnamed
hospital.
(Please note that Dark Reading now requires a free subscription. They
will ask for your name and email address and that you choose a
password.)
http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/240146474/security-researchers-expose-bug-in-medical-system-used-with-x-ray-machines-other-devices.html.html
www.scmagazine.com/patient-data-revealed-in-medical-device-hack/article/276568/
[Editor's Note (Murray): Vulnerability, high consequence, low threat,
low risk. Publicizing the vulnerability has not made the world better.]

 --Foxit Updates PDF Reader to Fix Critical Flaw
(January 17, 2013)
Foxit has released an updated version of its Foxit Reader PDF viewer
plug-in that fixes a critical remote code execution flaw. The
vulnerability affected the browser plug-in for Firefox, Chrome, Opera,
and Safari. Users are urged to upgrade to Foxit Reader version 5.4.5.
http://www.computerworld.com/s/article/9235925/Foxit_patches_critical_flaw_in_PDF_viewer_browser_plug_in?taxonomyId=17
http://www.foxitsoftware.com/support/security_bulletins.php#FRD-18

 --German Federal Criminal Police to Use Interim Surveillance Software
(January 17, 2013)
According to a confidential document that has been leaked to the
Internet, the German Federal Criminal Police Office, the
Bundeskriminalamt (BKA), has purchased surveillance software that will
reportedly be used until the organization's custom surveillance software
is ready for use. The software uses a Trojan horse program to record
Internet telephony conversations prior to their encryption from the
sender or after their decryption on the recipient's device.
http://www.h-online.com/security/news/item/German-Federal-Criminal-Police-acquires-interim-government-trojan-from-Gamma-1786026.html
http://qz.com/44208/german-governments-surveillance-software-unsettles-a-nation-that-prizes-privacy/

 --Top Developer Found to Have Outsourced Work to Chinese Subcontractor
(January 16 & 17, 2013)
An audit found that a software developer at an unnamed critical
infrastructure organization had outsourced his work to a subcontractor
in China and was spending his days surfing the Internet. The man's
company became suspicious when VPN (virtual private network) traffic
logs showed logins to the company's server from Shenyang, China. They
asked their service provider, Verizon, to investigate. Instead of
finding evidence of malware, they discovered that their top developer
had outsourced his work. He had even gone so far as to send his RSA
token to China by express mail. A subsequent investigation revealed that
the programmer has taken on jobs with other companies and outsourced
that work as well.
http://www.computerworld.com/s/article/9235926/_Bob_outsources_tech_job_to_China_watches_cat_videos_at_work?taxonomyId=17
http://www.bbc.co.uk/news/technology-21043693
http://www.theregister.co.uk/2013/01/16/developer_oursources_job_china/
http://www.v3.co.uk/v3-uk/it-sneak-blog/2236830/developer-outsources-own-job-to-china-but-vpn-logs-give-the-game-away
[Editor's Note (Shpantzer): Proactive review of logs (if you actually
turn logs on, that is) can be both cheap and effective and is perhaps
the most underutilized 'tool' out there. For example, successful VPN
logins from a place nobody should be coming from (as in the story above)
and the same user ID logged in from two different regions within X
hours. Easy way to find potential misuse of legitimate credentials.
Some false positives possible but you'll see the patterns fairly quickly
and know what's suspicious.]
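The two checks the note above describes, written out as an added example that is not part of the newsletter: it parses constructed VPN log lines and flags (1) successful logins from a country outside an assumed allowlist and (2) the same user ID logging in from two different regions within X hours. The log format, field names, allowlist and window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN log lines (not from any real system).
SAMPLE_LOG = """\
2013-01-14T08:02:11Z vpn login user=bob result=success src_country=US src_region=NJ
2013-01-14T08:15:42Z vpn login user=alice result=success src_country=US src_region=CA
2013-01-14T09:30:05Z vpn login user=bob result=success src_country=CN src_region=Liaoning
2013-01-14T11:47:19Z vpn login user=carol result=failure src_country=US src_region=TX
2013-01-14T15:10:33Z vpn login user=alice result=success src_country=US src_region=CA
"""

# Assumed log format; adjust the pattern to the concentrator you actually run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src_country=(?P<country>\S+) src_region=(?P<region>\S+)$"
)

# Assumption: the only country staff should be connecting from.
EXPECTED_COUNTRIES = {"US"}


def parse_log(text):
    """Return successful logins as dicts; failures and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "success":
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"),
            "country": m.group("country"),
            "region": m.group("region"),
        })
    return events


def unexpected_geo(events, allowed=EXPECTED_COUNTRIES):
    """Rule 1: successful login from a place nobody should be coming from."""
    return [e for e in events if e["country"] not in allowed]


def multi_region_logins(events, window_hours=12):
    """Rule 2: same user ID logged in from two different regions within the window."""
    hits = []
    seen = {}  # user -> earlier successful logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for prev in seen.get(e["user"], []):
            same_place = (prev["country"], prev["region"]) == (e["country"], e["region"])
            if not same_place and e["ts"] - prev["ts"] <= timedelta(hours=window_hours):
                hits.append((prev, e))
        seen.setdefault(e["user"], []).append(e)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unexpected_geo(evs):
        print(f"unexpected country: {e['user']} from {e['country']} at {e['ts']:%Y-%m-%d %H:%M}")
    for a, b in multi_region_logins(evs):
        print(f"multi-region: {a['user']} {a['country']}/{a['region']} -> "
              f"{b['country']}/{b['region']} within {b['ts'] - a['ts']}")
```

Both rules will produce some false positives (travelling staff, VPN-over-VPN), so tune the allowlist and window to the patterns you see rather than alerting on every hit.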

 --Proposed Amendment to CFAA Would Remove Terms of Service Agreements
    From the Computer Fraud and Abuse Act
(January 15, 16, & 17, 2013)
US Representative Zoe Lofgren (D-California) has introduced legislation
to amend the Computer Fraud and Abuse Act (CFAA). The CFAA currently
lets prosecutors use a broad definition of unauthorized access, so that
violating an ISP's or web site's terms of service agreement would be
grounds to bring felony charges. Lofgren's bill would remove terms of
service agreement violations from CFAA. Lofgren is calling the proposed
amendment Aaron's Law in memory of Aaron Swartz, who committed suicide
last week. Swartz was facing the possibility of more than 30 years in
prison for 13 felony counts of computer and wire fraud. Swartz wanted
to make millions of pages of academic papers available to the public.
http://www.h-online.com/security/news/item/Aaron-s-Law-hopes-to-blunt-US-computer-crime-law-1786033.html
http://www.theregister.co.uk/2013/01/16/congresswoman_petition_aaron_swartz/
http://www.computerworld.com/s/article/9235854/Swartz_suicide_shines_light_on_federal_anti_hacking_law?taxonomyId=17
http://www.computerworld.com/s/article/9235892/Congresswoman_proposes_computer_fraud_law_amendment_to_honor_Aaron_Swartz?taxonomyId=17

 --Adobe Releases Fixes for ColdFusion Vulnerabilities
(January 16, 2013)
Adobe has issued fixes for four critical flaws in its ColdFusion
application server. The vulnerabilities have been actively exploited
since the beginning of the year. Adobe released an advisory about the
flaws on January 4. On January 15, Adobe released Hotfixes for
ColdFusion versions 10, 9.0.2, 9.0.1, and 9.0. Users are urged to
upgrade as soon as possible.
http://www.computerworld.com/s/article/9235894/Adobe_patches_exploited_ColdFusion_flaws?taxonomyId=17
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

 --US-CERT Continues to Recommend Disabling Java After Oracle Issues Patch
(January 14 & 16, 2013)
Although Oracle has released a patch for a vulnerability in Java that
was being actively exploited, the US Department of Homeland Security's
(DHS's) US Computer Emergency Response Team (US-CERT) is still urging
users to disable Java in their browsers. A note from US-CERT said, "This
and previous Java vulnerabilities have been widely targeted by
attackers, and new Java vulnerabilities are likely to be discovered,"
and recommends that users disable Java "until adequate updates are
available."
http://www.nbcnews.com/technology/technolog/homeland-security-still-says-no-java-1B8000547
http://www.computerworld.com/s/article/9235898/Post_patch_US_CERT_continues_call_to_disable_Java_plug_in?taxonomyId=17
http://news.cnet.com/8301-1009_3-57563951-83/homeland-security-still-advises-disabling-java-even-after-update/

 --NIST to Test Technology for Secure Health Data Sharing
(January 15, 2013)
The US National Institute of Standards and Technology (NIST) will test
technologies that are designed to help make sure that shared health care
information remains secure. The issue is especially important for small
providers. The project "aims to come up with tools and methods to
support the secure exchange of health information, a process which may
be especially difficult for small providers who might lack the security
infrastructure or expertise of larger healthcare organizations."
http://www.healthcareitnews.com/news/nist-test-data-exchange-security
http://www.ofr.gov/OFRUpload/OFRData/2013-00724_PI.pdf
[Editor's Note (Murray): HIPAA has created such a high barrier to
electronic health records that we tolerate the paper health records that
are killing and impoverishing us. Rules are not incentives. As the
source of the HIPAA privacy rules, NIST should be a source of help.]

CONTROL SYSTEMS SECURITY STORIES
 --The SCADA Patch Problem
http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/240146355/the-scada-patch-problem.html
(McBride) This article is a positive step in coverage of ICS issues from
the popular security press. It explains things as they really are rather
than how IT security personnel are accustomed to them being.
(Assante) Know when to patch. A decision to simply patch or not can be
dangerous. System owners should evaluate both the risk of applying a
patch and consider how an unaddressed vulnerability could be exploited.
A blanket decision to forgo patching combined with a failure to consider
compensating mitigations could be considered negligent. SEC might
consider additional guidance forcing companies to disclose practices
that keep managers blind to the risks they face.

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
 
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of
STI, the premier skills-based cyber security graduate school,
www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's
computer forensic courses (computer-forensics.sans.org) and a Director
at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
