From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 22 2013 - 13:18:38 CDT
Flash: A logic bomb appears to have triggered multiple outages in South
Korea simultaneously and may have had a very short fuse. This is the
union of the Saudi Aramco attack (causing large scale damage requiring
physical action to repair EACH machine) and attacks against banks, and
it is aimed at a U.S. ally, hinting (but only hinting) at the source.
SAP, the business management software from Oracle, may be an
increasingly popular target of cyber attacks. We are considering adding
an intensive course on security for SAP, but won't do it unless there
is significant demand. If you believe your organization would send
people to such a course (2 days at the front or back of a SANS training
conference), send email (no commitment needed) to SAP@SANS.org.
SANS NewsBites March 22, 2013 Vol. 15, Num. 023
TOP OF THE NEWS
Major Cyberattack Hits South Korean Banks and Broadcasters
US Government to Broaden Scope of Internet Traffic Scanning
Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015
TeamSpy Cyberespionage Campaign a Decade Old
THE REST OF THE WEEK'S NEWS
Microsoft Discloses Law Enforcement Data Requests and Number of NSLs
London Police Arrest Man in Connection with Online Banking Trojan
Matthew Keys Denies Giving Hackers Login Credentials for Tribune
Weak Password Hash Algorithm Implementation in Some Cisco Devices
Microsoft Says High-Profile Xbox Live Accounts Compromised
House Committee Passes Bill That Would Give Federal CIOs Budget
Senators Introduce Bill to Amend ECPA
Adware Trojan Targets OS X Systems
FBI Arrests Chinese National US Military Contractor as He Tries to
Miami-Dade County Department of Elections Targeted in Absentee
Ballot Request Fraud
************************** SPONSORED BY SANS *******************************
Take the New SANS Survey on the Critical Security Controls and enter to
win a new iPad! http://www.sans.org/info/127627
- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations. http://www.sans.org/event/cyber-guardian-2013
- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
- -- Critical Security Controls International Summit London, UK April 26-May 2, 2013
Including SEC566: Implementing and Auditing the 20 Critical Security
Controls led by Dr. Eric Cole.
- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Five
dedicated pen test training courses led by five SANS world-class
- -- Looking for training in your own community?
- -- Save on On-Demand training (30 full courses) - See samples at
Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in
the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--Major Cyberattack Hits South Korean Banks and Broadcasters
(March 20 & 21, 2013)
A major cyberattack hit South Korean banks and broadcasters earlier this
week. Two of the country's large banks and three broadcasters were
affected, but government systems were not targeted. The malware wiped
files from infected computers. Shortly after the attacks, there was
speculation that North Korea was responsible, but there has not been
positive attribution. James Barnett, former chief of public safety and
homeland security for the US Federal Communications Commission (FCC)
notes that, "This needs to be a wake-up call. This can happen anywhere."
Investigators think that malware may have been spread through servers
that send out automatic updates and patches. Symantec researchers say
the attack used a Trojan horse program known as Jokra, which can
overwrite computers' master boot records and all the data stored there.
[Editor's Note (Honan): There are a lot of lessons to be learnt from
this incident, not least that attribution is hard. Initial analysis had
Korean officials claiming the attacks came from an IP address in China
thus focusing the blame on that country. However, further investigation
shows "the IP address that was thought to be from China was determined
to be an internal IP address from one of the banks that was infected by
the malicious code." Given the recent rhetoric about striking back with
both cyber and kinetic weapons let's hope this demonstrates we cannot
rely on IP addresses alone for identifying and blaming an attack on
someone and more measured responses are required. More details at
(Assante): Data erasing overwrites are not new but their use never made
much sense as information had value for the attacker. The recent use
of these destructive attacks, in scale, demonstrates that cyber has
become a political means to send pointed messages and cause harm. There
are those willing to loudly assert that they can hold economies and
infrastructures at risk. Our response should be simple..."we are not
afraid", as we have the practices and technology necessary to blunt
these types of attacks.]
--US Government to Broaden Scope of Internet Traffic Scanning
(March 21, 2013)
The presidential executive order on cybersecurity issued in February
calls for increased scanning of Internet traffic. The scans will be
based on classified information provided by US intelligence agencies
about emerging and serious cyber espionage and cyber attack threats.
--Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015
(March 19 & 21, 2013)
The US Defense Department's Cyber Command plans to deploy more than 100
military cyberdefense teams by the end of 2015. Most of these teams will
focus on protecting military networks, not on attacking systems of
adversaries. General Keith Alexander, head of Cyber Command, said last
week that by September 2013, 13 cyberwarrior teams will be deployed.
These teams will focus on taking action against adversaries' networks
to prevent attacks on US critical infrastructure systems.
--TeamSpy Cyberespionage Campaign a Decade Old
(March 21, 2013)
Researchers say they have found evidence of a cyber espionage campaign
targeting Eastern Europe and the former Soviet Union, that has been
going on for 10 years. The cyberspies installed TeamViewer, a tool
usually used to control computers remotely and conduct online meetings,
on targeted computers and altered its code to create a backdoor on the
systems. Researchers have dubbed the campaign TeamSpy. The group's
targets appear to be governments, businesses, and human rights
activists. Those behind TeamSpy gathered encryption keys and secret
**************************** Sponsored Link: ******************************
1) Webcast! Meeting the need for speed (and resiliency) in Security
Management Systems, Thursday, April 18. http://www.sans.org/info/127632
THE REST OF THE WEEK'S NEWS
--Microsoft Discloses Law Enforcement Data Requests and Number of NSLs
(March 21, 2013)
Microsoft has joined Google and Twitter's move toward increased
transparency by disclosing data about law enforcement requests for user
information. In 2012, Microsoft received 75,378 requests for customer
information related to 137,424 accounts or other identifiers. In just
over two percent of the requests, Microsoft provided law enforcement
agents with content, such as email or photos. In 99 percent of those
cases, the recipients of the content were US law enforcement agencies
with warrants. In more than 56,000 cases, Microsoft provided non-content
data, including user names, email addresses, IP addresses and countries
of residence. The majority of the data were provided to law enforcement
agencies in the US, the UK, Turkey, Germany, and France. Microsoft has
also disclosed ranges of numbers of National Security Letters (NSLs) it
has received, along with a range of numbers of identifiers those NSLs
--London Police Arrest Man in Connection with Online Banking Trojan
(March 19 & 21, 2013)
Police in London, UK have arrested a man in connection with the Tilon
Trojan horse program. The malware was used to conduct bank fraud. Tilon
is man-in-the-browser malware, which intercepts information entered on
web pages in Internet Explorer, Firefox, Chrome, and possibly other
browsers as well. Tilon was designed with detection evasion in mind: it
will not install on a virtual machine.
--Matthew Keys Denies Giving Hackers Login Credentials for Tribune Servers
(March 21, 2013)
Matthew Keys, the former Tribune Company employee who was accused of
helping hackers gain access to that company's servers, has denied that
he gave anyone login credentials. Keys posted a statement to his
Facebook page that says, in part, that he "did not 'conspire' to 'cause
damage to a protected computer' ... [or] cause 'transmission of
malicious code.'" The intruders altered the headlines and byline of one
article. Keys's arraignment is scheduled for April 12.
--Weak Password Hash Algorithm Implementation in Some Cisco Devices
(March 20 & 21, 2013)
A weak implementation of a password-hashing algorithm in Cisco's IOS
operating system version 15 makes passwords significantly more
vulnerable to brute force hacking. The algorithm was supposed to have
an 80-bit salt value and use 1,000 iterations through SHA256, but
instead, the password is not salted at all and undergoes just one SHA256
iteration. The new algorithm is called Type 4 and was intended to be
stronger than the Type 5 and Type 7 algorithms.
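The two derivations this item contrasts, written as an added example for this newsletter entry rather than taken from Cisco: the flawed Type 4 (one unsalted SHA-256) beside what was described (an 80-bit salt and 1,000 SHA-256 iterations). The Cisco-style base64 alphabet and the use of PBKDF2-HMAC-SHA256 as the iterated construction are assumptions, and the audit helper shows why the missing salt matters when reviewing a config.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed for illustration: Cisco-style base64 using the crypt alphabet
# (./0-9A-Za-z) without '=' padding, so a 32-byte SHA-256 digest encodes
# to 43 characters. This is an added example, not Cisco's implementation.
_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = bytes.maketrans(_STD, _CISCO)
_FROM_CISCO = bytes.maketrans(_CISCO, _STD)


def _enc(data: bytes) -> str:
    return base64.b64encode(data).rstrip(b"=").translate(_TO_CISCO).decode()


def _dec(text: str) -> bytes:
    raw = text.encode().translate(_FROM_CISCO)
    return base64.b64decode(raw + b"=" * (-len(raw) % 4))


def flawed_type4(password: str) -> str:
    """What shipped: a single unsalted SHA-256 of the password."""
    return _enc(hashlib.sha256(password.encode()).digest())


def intended_type4(password: str, salt: Optional[bytes] = None) -> str:
    """What was described: an 80-bit random salt and 1,000 SHA-256 iterations.
    PBKDF2-HMAC-SHA256 is used for the iterations; that choice is an assumption."""
    if salt is None:
        salt = os.urandom(10)  # 10 bytes = 80 bits
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
    return f"{_enc(salt)}${_enc(dk)}"


def verify_intended(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_text, _ = stored.split("$", 1)
    return hmac.compare_digest(intended_type4(password, _dec(salt_text)), stored)


def shared_hash_accounts(accounts: dict) -> dict:
    """Audit helper: group usernames that store an identical hash. Without a
    salt, equal passwords are visible as equal strings, so one cracked hash
    covers the whole group; with per-user salts the result is empty."""
    groups: dict = {}
    for user, digest in accounts.items():
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample config: two accounts that happen to share a password.
    users = [("admin", "Spring2013"), ("backup", "Spring2013"), ("ops", "0ther!pw")]
    print(shared_hash_accounts({u: flawed_type4(p) for u, p in users}))    # admin+backup grouped
    print(shared_hash_accounts({u: intended_type4(p) for u, p in users}))  # {}
```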
--Microsoft Says High-Profile Xbox Live Accounts Compromised
(March 20, 2013)
Microsoft said that hackers used social engineering tricks to take over
high-profile Xbox Live accounts. The accounts that were taken over
belong to current and former Microsoft employees. The account hijackings
appear to be related to a recent story by security journalist Brian
Krebs about a website that sells access to credit reports, driver's
license numbers, and Social Security numbers (SSNs). The Xbox hackers
used that site to obtain information that they used in their social
engineering attacks. Krebs was recently targeted in a SWATting attack:
hackers placed an emergency call that appeared to come from Krebs's
phone and reported a dangerous situation. The individual alleged to be
behind the attack also arranged for Krebs's website to be hit with a
denial-of-service attack earlier that same day.
--House Committee Passes Bill That Would Give Federal CIOs Budget
(March 20, 2013)
In a unanimous vote, the US House Oversight and Government Reform
Committee has passed the Federal Information Technology Acquisition
Reform Act, which would give agency CIOs the authority to move funding
from one technology project to another. Currently, the Department of
Veterans Affairs is the only agency at which the CIO has such authority.
The bill also stipulates that each agency would have only one CIO, and
it would make federal agency CIOs presidential appointees. The bill now
goes before the full House for consideration.
--Senators Introduce Bill to Amend ECPA
(March 20, 2013)
Two US senators have introduced legislation to amend the 1986 Electronic
Communications Privacy Act (ECPA), which they say is outdated. The
lawmakers want to require law enforcement to obtain warrants before
examining citizens' electronic communications. ECPA allows authorities
to obtain email that is more than 180 days old with a subpoena. One of
the bill's sponsors, Senator Patrick Leahy (D-Vermont), said in a
statement, "Privacy laws written in an analog era are no longer suited
for privacy threats we face in a digital world."
[Editor's Comment (Northcutt): Outdated? It was only passed in 1986
(grin); I love what I am hearing about requiring warrants, but as it
gets closer to passing I bet we start to hear about terrorists and the
need to keep removing rights from US Citizens. But here is hoping, I
will be keeping a close eye on the EPIC and EFF websites devoted to the
--Adware Trojan Targets OS X Systems
(March 20, 2013)
The Yontoo Trojan horse program installs a plug-in that displays
fraudulent advertisements on web pages. Yontoo targets computers running
Mac OS X. It spreads by disguising itself as a media player, a video
quality enhancement tool, and a download accelerator. The installer asks
users if they want to install an app called Free Twit Tube. If users
click yes, the Trojan is downloaded onto their computers and the malware
monitors their web browsing and through a remote server, injects the ads
onto the sites they visit. Yontoo is being classified as a Trojan
because it uses trickery and disguises to become installed.
Removing Yontoo: http://news.cnet.com/8301-1009_3-57575543-83/how-to-remove-yontoo-adware-trojan-from-your-os-x-system/
[Editor's Note (Frantzen): Original source is the Russian anti-virus
company Dr. Web: http://news.drweb.com/show/?i=3389&lng=en&c=14]
-- FBI Arrests Chinese National US Military Contractor as he Tries to
(March 19, 2013)
On March 16, a Chinese national who is a military contractor was
arrested on an airplane as he tried to leave the country. Bo Jiang
worked at NASA-Langley in Virginia. An FBI affidavit says that Jiang is
being investigated for "substantive violations of the Arms Control Act."
Whistleblowers at Jiang's workplace informed the FBI that he planned to
leave the country with a one-way ticket. The affidavit also states that
Jiang is believed to have left the US previously with a laptop computer
that contained sensitive information. Federal agents boarded the
airplane that Jiang was on and questioned him about what electronic
devices he was taking with him. He did not disclose all electronic media
he was traveling with to federal agents. He has been charged with lying
to federal agents.
--Miami-Dade County Department of Elections Targeted in Absentee Ballot
(March 18, 2013)
According to a grand jury report, a hacker or hackers managed to "create
a computer program that automatically, systematically, and rapidly
submitted" online requests for absentee ballots to the Miami-Dade County
(Florida) Department of Elections. In all, the scam made more than 2,500
fraudulent requests over the course of two-and-a-half weeks. A vendor
saw the requests coming from the same group of computers and at a rate
that would be impossible for humans to enter the information required.
The requests were flagged and the ballots requested were not sent out.
The grand jury report is from December 2012 and the Miami Herald
reported the story in February. The attack did not require any
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was Vice
President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit