SANS NewsBites Vol. 15 Num. 035 : Government Website Serving Malware; Classified Data Looted in Three-Year Cyberespionage Campaign; Reputation.com Hit by Security Breach

From: The SANS Institute (NewsBites@sans.org)
Date: Fri May 03 2013 - 12:37:08 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The lead story in this issue highlights (again) the U.S. federal
government infecting citizens' computers with malware. President Bill
Clinton called for the government to "lead by example" in cybersecurity.
How can the government expect industry to do the right thing, he asked,
if the government doesn't protect its own systems and show the way? When
Karen Evans was at OMB as federal CIO and when Sameer Bhalotra was in
the White House as deputy cyber czar, there was real progress. Is it
reasonable to ask why we have gone backwards since they left?

On a related note, the second story highlights one of at least five
major defense contractors, directly overseen by DoD, that have been
looted for massive amounts of technical secrets paid for by the American
taxpayer. That "secret data" was supposed to give the U.S. a
technological edge. What is DoD doing?
                                        Alan

**************************************************************************
SANS NewsBites May 3, 2013 Vol. 15, Num. 035
**************************************************************************
TOP OF THE NEWS
  US Government Website Serving Malware
  Classified Data Looted in Three-Year Cyberespionage Campaign
  Reputation.com Hit by Security Breach
THE REST OF THE WEEK'S NEWS
    Foreign Intelligence Surveillance Court Approved All Requests in 2012
    Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers
    Java Vulnerability in IBM Notes
    ICS-CERT Recommendations to Prevent Shamoon Infection
    US Army Corps of Engineers' Database Breached
    Mozilla Sends Cease-and-Desist Letter to Company Whose Surveillance
      Software Pretends to be Firefox
    Does Exploiting Firmware Flaw in Video Poker Machine Violate CFAA?
    Financial Regulators Consider Implications Of Social Media
    Cyberthieves Steal US $1 Million from Hospital in Fraudulent ACH
      Transactions

*************************** SPONSORED BY Bit9 ****************************

eBook: Detecting and Stopping Advanced Attacks. Today's cyber threat
has changed in sophistication, in focus, and in its potential impact on
your business. This eBook will tell you how today's advanced attacks
require automatic detection and incident response. You will learn how
you can most effectively protect your business. Download Today
http://www.sans.org/info/129860

***************************************************************************

TRAINING UPDATE
- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013

- -- SANSFIRE 2013 Washington, DC June 14-22, 2013
41 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
http://www.sans.org/event/sansfire-2013

- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013

- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013

- -- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013

- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Four
dedicated pen test training courses led by five SANS world-class
instructors.
http://www.sans.org/event/pentest-berlin-2013

- -- SANS London Summer 2013 London, UK July 9-July 16, 2013
5 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses and the excellent 2 day
Securing The Human course.
http://www.sans.org/event/london-summer-2013

- -- Looking for training in your own community?
http://www.sans.org/community/

- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Malaysia, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org

*****************************************************************************

TOP OF THE NEWS
 --US Government Website Serving Malware to Citizens
(May 1, 2013)
A US Department of Labor website was found to be serving malware to
unsuspecting citizens through a drive-by download attack. Code embedded
in the Site Exposure Matrices (SEM) page redirected visitors to other
pages that installed malware on their computers. Once redirected, a
script attempted to exploit a known flaw in Internet Explorer to install
a backdoor that facilitates communication between the infected computer
and machines controlled by the attackers. Sadly, far too many people have
not installed the patch, so their systems are being infected.
http://www.darkreading.com/attacks-breaches/us-department-of-labor-website-discovere/240153967
http://www.nextgov.com/cybersecurity/2013/05/labors-toxic-exposure-website-serves-spyware-energys-nuclear-workers/62930/?oref=ng-HPtopstory
http://www.computerworld.com/s/article/9238842/U.S._Department_of_Labor_website_infected_with_malware?taxonomyId=17
http://www.h-online.com/security/news/item/Sub-site-of-US-Department-of-Labour-hacked-1854156.html
http://www.theregister.co.uk/2013/05/01/dol_website_hack_malware/
http://www.v3.co.uk/v3-uk/news/2265506/chinese-hackers-hijack-us-government-website-to-spread-malware
[Editor's Note (Pescatore): A good example, and there are many, of where
the US Government could best drive higher levels of security by focusing
on becoming what Presidential Decision Directive 63 back in *1998*
called "a model of information security" on the Internet. Instead, we
have way too much federal focus on monitoring of private industry,
having private industry share information and creating "yet another
framework" for private industry - instead of focusing on making
government systems themselves (and by extension those of contractors and
suppliers) much, much more secure.]

 -- Classified Data Looted in Three-Year Cyberespionage Campaign
(May 1 & 2, 2013)
US Defense contractor Qinetiq reportedly bled classified data for three
years after a cyberespionage campaign gained purchase within the
company's computer systems. The surreptitious intrusion and subsequent
exfiltration of data is believed to have been conducted by Comment Crew,
a hacking group with ties to China's People's Liberation Army. One of
three security firms brought in to assess the situation, Terremark,
reported that it found "traces of the intruders in many of [Qinetiq's]
divisions and across most of their product lines." Qinetiq's projects
include satellites, drones, and robotic weapons systems.
http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064
http://www.wired.co.uk/news/archive/2013-05/2/comment-crew-plunder-qinetiq
http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/
http://www.h-online.com/security/news/item/Cyber-espionage-Military-secrets-served-on-a-silver-platter-1854910.html

 --Reputation.com Hit by Security Breach
(May 1, 2013)
Reputation.com, a company whose business it is to manage its customers'
online reputations, has acknowledged that it suffered a data security
breach. The company has sent email notifications to its customers. The
compromised information includes names, email and physical addresses,
and employment information. Some customers' encrypted user passwords
were compromised as well. The company reset user passwords. Experts note
that users should not be reassured by companies' assertions that salted
passwords are unlikely to be cracked. Cracking techniques keep improving,
and salting does nothing to slow the cracking of a single targeted
password; for a particularly valuable password, an attacker will consider
the time spent cracking it well spent.
http://www.scmagazine.com/company-that-manages-users-online-rep-hit-by-breach/article/291582/
http://www.latimes.com/business/technology/la-fi-tn-hackers-break-into-reputationcom-20130501,0,5121938.story
http://arstechnica.com/security/2013/05/why-you-should-take-hacked-sites-password-assurances-with-a-grain-of-salt/
[Editor's Note (Pescatore): The Reputation Management industry has long
had reputation problems itself. Back in Feb 2012 Bloomberg BusinessWeek
said: "The bottom line: Although cleaning up search results could be a
$5 billion business by 2015, reputation managers can't keep their own
profiles clean."
(Murray): You guys thought I was kidding when I said that one "big data"
business per week was falling over. LivingSocial and NTT DoCoMo also
fell over this week.]
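The salting point in the Reputation.com item above is easy to state and easy to misread, so here is an added example (not from the newsletter or from any of the cited articles) that runs a tiny wordlist against constructed unsalted and salted password stores and counts hash operations. It goes one step beyond the text: it also shows that the iteration count of the hash, not the salt, is what raises the cost of each guess. The users, passwords, wordlist and the choice of PBKDF2-HMAC-SHA1 are all assumptions made for the example.

```python
"""What a salt does and does not buy you. Constructed example: the users,
passwords and wordlist below are made up, not data from any breach."""
import hashlib
import os
from collections import defaultdict

# Constructed wordlist. The shared weak password is third, so a guesser
# walking the list in order finds it on guess 3, salt or no salt.
WORDLIST = ["letmein", "qwerty", "password1", "hunter2", "dragon"]
USERS = {"alice": "password1", "bob": "password1", "carol": "hunter2"}


def unsalted_hash(password: str) -> bytes:
    return hashlib.sha1(password.encode()).digest()


def salted_hash(password: str, salt: bytes, iterations: int = 1) -> bytes:
    """PBKDF2-HMAC-SHA1 (assumed scheme). iterations=1 behaves like a plain
    salted hash; a large count is what actually makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict, iterations: int = 1) -> dict:
    """Per-user random salt stored beside the hash, as a real system would."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(password, salt, iterations))
    return store


def guesses_for_one(target: bytes, wordlist, salt=None, iterations=1):
    """Number of guesses needed to recover one stored hash, or None.
    The salt is not secret (it sits next to the hash), so it costs the
    guesser nothing extra: one hash per guess either way."""
    for n, guess in enumerate(wordlist, start=1):
        h = unsalted_hash(guess) if salt is None else salted_hash(guess, salt, iterations)
        if h == target:
            return n
    return None


def batch_unsalted(store: dict, wordlist):
    """Without salts, one hash per guess is checked against every user at once,
    and users with identical passwords fall together.
    Returns (cracked, hash_operations)."""
    by_hash = defaultdict(list)
    for user, h in store.items():
        by_hash[h].append(user)
    cracked, ops = {}, 0
    for guess in wordlist:
        ops += 1
        for user in by_hash.get(unsalted_hash(guess), []):
            cracked[user] = guess
        if len(cracked) == len(store):
            break
    return cracked, ops


def batch_salted(store: dict, wordlist, iterations=1):
    """With salts every user needs a separate pass over the wordlist; the
    salt buys this, and only this, for the whole user base."""
    cracked, ops = {}, 0
    for user, (salt, target) in store.items():
        for guess in wordlist:
            ops += 1
            if salted_hash(guess, salt, iterations) == target:
                cracked[user] = guess
                break
    return cracked, ops


if __name__ == "__main__":
    plain, salted = store_unsalted(USERS), store_salted(USERS)
    print("alice == bob unsalted:", plain["alice"] == plain["bob"])
    print("alice == bob salted:  ", salted["alice"][1] == salted["bob"][1])
    print("guesses for bob, unsalted:", guesses_for_one(plain["bob"], WORDLIST))
    print("guesses for bob, salted:  ",
          guesses_for_one(salted["bob"][1], WORDLIST, salted["bob"][0]))
    print("batch unsalted (cracked, ops):", batch_unsalted(plain, WORDLIST))
    print("batch salted   (cracked, ops):", batch_salted(salted, WORDLIST))
```

The two batch functions make the trade visible: the salted store costs the guesser 10 hash operations where the unsalted one costs 4, but bob's hash alone falls on guess 3 in both stores. Raising `iterations` leaves that guess count at 3 and instead makes every one of those guesses slower, which is the property a password store is actually relying on.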
        

*************************** Sponsored Links: ******************************

1) At the Mobile Device Security Summit experts and practitioners will
detail proven approaches to securing BYOD.
http://www.sans.org/info/130350

2) Having trouble managing your security information? Don't miss our new
Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's
Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at
1:00 PM EDT http://www.sans.org/info/130355

*****************************************************************************

THE REST OF THE WEEK'S NEWS
 --Foreign Intelligence Surveillance Court Approved All Requests in 2012
(May 2, 2013)
The US Justice Department sent a report to Senate Majority Leader Harry
Reid (D-Nevada) detailing certain activity of the Foreign Intelligence
Surveillance Court. In 2012, the court approved every request it
received to authorize physical searches or surveillance of people within
the US "for foreign intelligence purposes." There were 1,856 requests
in all.
http://www.wired.com/threatlevel/2013/05/spy-court-stats/
http://www.wired.com/images_blogs/threatlevel/2013/05/fisacases.pdf
[Editor's Note (Cole): There are no international boundaries in
cyberspace. Information sent electronically could travel through many
different countries without the sender realizing it. Consider secure
email as a smart business enabler that minimizes content that can be
monitored.]

 --Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers
(May 2, 2013)
Dutch lawmakers are considering broad legislation that would give law
enforcement the authority to hack into computer systems in the
Netherlands and abroad for research, evidence gathering, or to block
access to specific data. Specifically, the bill would let law
enforcement block illegal content like child pornography; read
communication between criminals; and conduct digital wiretaps. It would
also allow law enforcement to activate GPS capabilities on a suspect's
mobile phone for location tracking purposes. The powers would be subject
to a judge's approval and there must be logs kept of investigation data.
The bill is being criticized for being "rushed" and for creating "new
security risks for citizens."
http://www.computerworld.com/s/article/9238849/Dutch_bill_would_give_police_hacking_powers?taxonomyId=17

 --Java Vulnerability in IBM Notes
(May 2, 2013)
IBM has issued a security advisory acknowledging that its Notes mail
client accepts Java applet tags and JavaScript tags inside HTML emails,
which could allow attackers to load applets and scripts from remote
locations. An interim fix is available for Windows, and one is expected
soon for Mac. IBM has also suggested a workaround to disable Java
applets, JavaScript, and Java access from JavaScript.
http://www.h-online.com/security/news/item/Huge-Java-hole-in-Lotus-Notes-1855406.html
http://www.theregister.co.uk/2013/05/02/java_runs_in_note_email/
http://www-01.ibm.com/support/docview.wss?uid=swg21633819
[Editor's Note (Cole): Software patching needs to be viewed as a second
level of protection, not the primary one. The best way to secure a
service is to disable or uninstall it.]
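IBM's workaround is to turn the features off in the client; a mail gateway can also refuse to pass such messages through. Below is an added example (not IBM's code and not taken from the advisory) of a small scanner that flags applet and script tags in an HTML mail body, lists the remote hosts they reference, and, as a generalization beyond the advisory, also flags inline on* event handlers, which are another way JavaScript rides inside HTML. The attribute table per tag and the sample message are constructed for the example.

```python
"""Flag Java applets, script tags and inline event handlers in an HTML mail
body before it reaches a client that would execute them. Constructed
example; the sample message and its hostnames are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in executable content. "applet" and "script" are the two
# the Notes advisory concerns; the attributes listed for each are the ones
# that name where the code is fetched from (assumed from the HTML spec).
ACTIVE_TAGS = {"applet": ("codebase", "code", "archive"), "script": ("src",)}


class ActiveContentScanner(HTMLParser):
    """Records each active-content finding as a dict while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <APPLET> and
        # <Script SRC=...> are caught too; values may be None for bare attrs.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            ref = next((attrs[a] for a in ACTIVE_TAGS[tag] if attrs.get(a)), "")
            self.findings.append({"kind": tag, "tag": tag, "ref": ref})
        for name in attrs:
            if name.startswith("on"):          # onload=, onclick=, ... inline JS
                self.findings.append({"kind": "event-handler", "tag": tag, "ref": name})


def scan_html_email(body: str) -> list:
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def remote_hosts(findings) -> set:
    """Hosts an applet or script would be fetched from: useful to log, or to
    block at the web proxy while the client-side fix is being rolled out."""
    hosts = set()
    for f in findings:
        if f["kind"] in ACTIVE_TAGS:
            url = urlparse(f["ref"])
            if url.scheme in ("http", "https") and url.hostname:
                hosts.add(url.hostname)
    return hosts


def should_quarantine(body: str) -> bool:
    """Gateway policy for this example: any active content means hold the mail."""
    return bool(scan_html_email(body))


# Constructed sample message: a pixel-sized applet, a remote script and an
# inline handler, none of which a mail client should execute.
SAMPLE_MAIL = """<html><body>
<p>Quarterly report attached.</p>
<APPLET code="Report.class" codebase="http://mail-assets.example.invalid/j/" width=1 height=1></APPLET>
<script src="http://mail-assets.example.invalid/t.js"></script>
<img src="cid:logo" onload="window.open('http://tracker.example.invalid/')">
</body></html>"""

if __name__ == "__main__":
    found = scan_html_email(SAMPLE_MAIL)
    for f in found:
        print(f)
    print("remote hosts:", remote_hosts(found))
    print("quarantine:", should_quarantine(SAMPLE_MAIL))
```

The scanner is deliberately an allow-nothing check: it does not try to decide whether a given applet is benign, because the point of the advisory is that the client should never be asked to run it. Stripping the offending tags instead of quarantining is a one-line change in policy, but quarantining keeps the original message available to the responder who has to work out where it came from.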

 --ICS-CERT Recommendations to Prevent Shamoon Infection
(April 30 & May 1, 2013)
The US Department of Homeland Security's (DHS) Industrial Control
System Cyber Emergency Response Team (ICS-CERT) has issued a bulletin
to operators of critical US computer networks urging them to implement
measures to prevent infection from malware known as Shamoon, which wiped
data from computers at oil companies in the Middle East last summer. The
bulletin includes 31 tactical and strategic mitigations organizations
can employ to protect systems, including daily backups of critical
systems, isolating critical networks from business systems, isolating
network services through secure, multi-tenant virtual technology, and
removing unused functions and applications from host systems.
http://www.nextgov.com/cybersecurity/2013/05/feds-urge-major-industries-take-steps-deflect-data-wipe-virus/62906/?oref=ng-channeltopstory
http://ics-cert.us-cert.gov/jsar/JSAR-12-241-01A

 --US Army Corps of Engineers' Database Breached
(May 1 & 2, 2013)
Someone used stolen credentials to gain access to the US Army Corps of
Engineers' National Inventory of Dams (NID) database. The breach
reportedly began in January but was not detected until April. The
intruder gained access to "sensitive fields of information not generally
available to the public." Once the US Army Corps of Engineers realized
that the individual was not "authorized [to have] full access to the
NID," the credentials were revoked. A US Army Corps of Engineers
spokesperson said the breach does not pose a public threat.
http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/
http://www.computerworld.com/s/article/9238863/Breached_dam_data_poses_no_threat_to_public_Army_says?taxonomyId=17
http://www.scmagazine.com/report-army-database-housing-sensitive-data-on-major-us-dams-breached/article/291574/
http://freebeacon.com/the-cyber-dam-breaks/
http://geo.usace.army.mil/pgis/f?p=397:1:0
[Editor's Note (McBride): While it could be significant that this
database was (targeted and) compromised, very similar information
appears to be publicly available elsewhere. See
http://npdp.stanford.edu/node/83 for example. What does this teach us
about reconnaissance surface?]

 --Mozilla Sends Cease-and-Desist Letter to Company Whose Surveillance
    Software Pretends to be Firefox
(May 1, 2013)
Mozilla has sent a cease-and-desist letter to Gamma International, the
company that makes surveillance software called FinFisher. FinFisher
disguises itself as Mozilla Firefox on users' computers. Mozilla alleges
that FinFisher is riding the coattails of Mozilla's reputation of
trustworthiness. The spyware does not alter Firefox, but represents
itself as the trusted browser. The letter demands that "these illegal
practices stop immediately." FinFisher is reportedly active in 36
countries.
http://www.h-online.com/security/news/item/Mozilla-sends-cease-and-desist-to-spyware-maker-1854088.html
http://www.informationweek.com/security/privacy/fake-firefox-spyware-riles-mozilla/240154020
http://arstechnica.com/information-technology/2013/05/spyware-used-by-governments-poses-as-firefox-and-mozilla-is-angry/
http://www.zdnet.com/mozilla-sends-cease-and-desist-to-surveillance-software-maker-7000014765/

 --Does Exploiting Firmware Flaw in Video Poker Machine Violate CFAA?
(May 1, 2013)
The Computer Fraud and Abuse Act (CFAA) is being tested again, this time
in a case involving two men who took advantage of a bug in a video poker
game to increase their winnings. John Kane and Andre Nestor were charged
with hacking under the Computer Fraud and Abuse Act (CFAA), but a
federal magistrate ruled last fall that the law did not apply in the
case and recommended that the hacking charges be dismissed. The case is
now being argued in US District Court and a ruling is expected later
this month. The men are being charged with exceeding authorized access
to the machines "to obtain or alter information in the computer that the
accesser is not entitled to obtain or alter." Similar charges were
thrown out in a recent case, US v Nosal, in which David Nosal was
charged with exceeding authorized access for convincing former
colleagues to provide him information from his former employer's
database.
http://www.wired.com/threatlevel/2013/05/game-king/
[Editor's Note (Pescatore): Stealing an unlocked car with the keys in
the ignition is still stealing. But, trying to use CFAA in this case
only punishes one of the three guilty parties: the software vendor who
sold a shoddy piece of software and the operator who bought it without
making sure it wouldn't give away the farm go scot free. The seller and
buyer of crappy software, not just the user, need to feel pain in order
to drive less crappy software into the market.]

 --Financial Regulators Consider Implications Of Social Media
(May 1, 2013)
Federal financial regulators are examining ways to respond to social
media, following a phony tweet from a hacked AP Twitter account that
sent US markets into a brief tailspin. Commodity Futures Trading
Commission (CFTC) Commissioner Bart Chilton proposed establishing
stronger cybersecurity requirements for investment companies and other
trading firms, and holding those companies liable for breaches if they
have not taken adequate security measures. Commissioner Scott O'Malia
noted that regulators should consider how to respond to social media.
http://www.nbcnews.com/technology/technolog/us-regulators-look-dealing-social-media-6C9693063
[Editor's Note (Murray): The flash crash did not result from poor
security in the financial industry but from poor security in social
media, in a Big Data Business, and in journalism. The markets did
exactly what they were designed to do. They responded promptly to both
erroneous news and the correction. What would the regulators have had
them do? Ignore the news?]

 --Cyberthieves Steal US $1 Million from Hospital in Fraudulent ACH
    Transactions
(April 30, 2013)
A hospital in Washington State was targeted by hackers who stole more
than US $1 million from its bank account with the help of nearly 100
accomplices. While those behind the attack were in Russia and Ukraine,
the accomplices were in the US. They were recruited when they responded
to work-at-home advertisements. The attack against Chelan County Public
Hospital No. 1, which is managed by Cascade Medical Center, took place
on April 19. The money was transferred to 96 separate bank accounts
across the US. One of the accomplices reported having just over US
$9,000 deposited into his account and being told to portion it out to
four other people in Russia and Ukraine through Moneygram and Western
Union. The hospital has recovered about US $133,000 of the stolen funds.
So far, there is no information about the security procedures the bank
or the hospital had in place regarding the transfer of large sums of
money.
http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/
http://www.wenatcheeworld.com/news/2013/apr/26/cybertheft-heists-1-million-from-leavenworth/

************************************************************************
The Editorial Board of SANS NewsBites
 
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.

Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for
Inguardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
 
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
 
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.
 
Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
 
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlGD8fgACgkQ+LUG5KFpTkYUfgCgmrvTUCt0G7sYja2XTwBze9LK
MUMAnjFbTYMzLL2ZgqaRVqmcNPsM1V2m
=BUbP
-----END PGP SIGNATURE-----