From: The SANS Institute (NewsBites sans.org)
Date: Tue May 07 2013 - 12:22:03 CDT
**************************************************************************
SANS NewsBites May 7, 2013 Vol. 15, Num. 036
**************************************************************************
TOP OF THE NEWS
Pentagon Report Directly Accuses China of Cyberattacks
THE REST OF THE WEEK'S NEWS
Honeywords Would Serve As Hack Alert
Google's Facility in Sydney, Australia Running Unpatched Building
Management System
Judge Sanctions Prenda Law
Alleged SpyEye Developer and Distributor Extradited to US
Microsoft Acknowledges Zero-Day Flaw in Internet Explorer 8
Dell Resellers May Have Sold Equipment to Syria
Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices
Man Allegedly Hacked Former Employer's System
Adobe Will Fix PDF Tracking Issue Next Week
FTC to Hold Hearing on Identity Theft and Senior Citizens
Middle School Students Phish Teachers' Admin Credentials
************************* SPONSORED BY SYMANTEC **************************
New Report: Threat Landscape Key Findings
Get an overview and analysis of the year in global threat activity with
the Symantec Internet Security Threat Report 2013. This report provides
commentary on emerging trends in the dynamic threat landscape, covers
key findings and provides best practice guidelines. Download Now.
http://www.sans.org/info/130492
***************************************************************************
TRAINING UPDATE
-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013
-- SANSFIRE 2013 Washington, DC June 14-22, 2013
41 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
http://www.sans.org/event/sansfire-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
-- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Four
dedicated pen test training courses led by five SANS world-class
instructors.
http://www.sans.org/event/pentest-berlin-2013
-- SANS London Summer 2013 London, UK July 9-July 16, 2013
5 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses and the excellent 2 day
Securing The Human course.
http://www.sans.org/event/london-summer-2013
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Johannesburg, Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************
TOP OF THE NEWS
--Pentagon Report Directly Accuses China of Cyberattacks
(May 6 & 7, 2013)
For the first time, the Pentagon's Annual Report to Congress on Military
and Security Developments Involving the People's Republic of China
explicitly accuses China of conducting cyberespionage against the US.
The report states that last year, "numerous computer systems around the
world, including those owned by the US government, continued to be
targets for intrusions, some of which appear to be attributable directly
to the Chinese government and military." The report says that China
appears not only to be targeting information about industrial
technology, but also to be seeking information that could help that
country develop "a picture of US network defense network, logistics, and
related military capabilities that could be exploited during a crisis."
(Please note: The New York Times requires a paid subscription.)
http://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html?hp&_r=0
http://www.bloomberg.com/news/2013-05-06/china-s-military-ambitions-growing-pentagon-report-finds.html
[Editor's Note (Assante): The Mandiant report has served to simply open
the flood gates in an already swollen river. The direct charges will
cement cyber attacks as one of the key diplomatic issues shaping
US-Chinese relations. Unlike traditional conventional forces, a web of
cyber forces can be a less wieldy sword and may not readily obey the
hand of policy makers.]
*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is
crucial for your company. http://www.sans.org/info/130497
2) Having trouble managing your security information? Don't miss our new
Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's
Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at
1:00 PM EDT http://www.sans.org/info/130502
3) SANS Special Webcast: BYOD - Yay or Nay? Featuring Kevin Johnson.
Almost everyone has a mobile device and there is a large debate over the
decision to allow bring your own device in an organization. A lot goes
into making this decision and it is not the same for every organization.
Kevin will discuss different considerations when evaluating this
decision. Thursday, May 09, 2013 at 1:00 PM EDT
http://www.sans.org/info/130507
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Honeywords Would Serve As Hack Alert
(May 6, 2013)
Researchers have proposed a technique to thwart account hijacking by
seeding cryptographically hashed password files to include dummy
passwords, or honeywords. Admins would be alerted when the phony
passwords were used. While the technique does not prevent hackers from
using dictionary attacks to crack passwords, the attackers will not know
if they are using the correct passwords when attempting to access the
account.
http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/
[Editor's Note (Murray): Santayana scores again. We have been salting
data to detect its theft for centuries. For example, salting customer
lists with names and addresses that enable us to recognize their
compromise and use. Reading history is generally more efficient than
repeating it.
(Northcutt): For the context, large social web sites like LivingSocial,
this is probably useful. For the average enterprise network, I think
this is of marginal use. One of the biggest differences between a large
social media network and an enterprise company is the help desk. In a
large social media environment, you need to make it possible for the
user to retrieve a forgotten password and 99% of the time the key is the
email on record. In an enterprise, you set up account lockout after
three tries and the user has to contact the help desk. I have to wonder
if the Facebook concept of Trusted Contacts is going to be more useful
to bridge the gap:
http://www.facebook.com/help/119897751441086
http://nakedsecurity.sophos.com/2013/05/04/facebook-introduces-trusted-contacts/
http://www.digitaltrends.com/social-media/facebook-trusted-contacts/ ]
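The honeyword check described in this item, as an added illustration that is not code from the article or from the researchers' proposal. It assumes a design of my own choosing: each account stores k password hashes (one real, the rest decoys), a separate "honeychecker" service holds only the index of the real one, PBKDF2 stands in for the password hash, and the decoy passwords are constructed sample values supplied by the caller.

```python
"""Minimal honeyword login check: a stolen password file yields k candidate
passwords per user, but only the honeychecker knows which one is real, so an
attacker who tries a cracked decoy triggers an alert instead of a login."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # stand-in for a proper password hash (assumption)


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Honeychecker:
    """Knows only user -> index of the real password. Meant to run on a
    separate host, so one breach does not expose both the hashes and the
    index; if both are stolen together the scheme gives no protection."""

    def __init__(self):
        self._real_index = {}
        self.alerts = []  # (user, index) of every honeyword that was tried

    def register(self, user, index):
        self._real_index[user] = index

    def check(self, user, index):
        """True if index is the real password; otherwise record an alert."""
        if index == self._real_index[user]:
            return True
        self.alerts.append((user, index))
        return False


class PasswordFile:
    """user -> (salt, [k hashes]) with the real hash at a random position."""

    def __init__(self, honeychecker, k=5):
        self.k = k
        self.hc = honeychecker
        self.entries = {}

    def add_user(self, user, password, decoys):
        if len(decoys) != self.k - 1:
            raise ValueError("need exactly k-1 decoy passwords")
        salt = os.urandom(16)
        sweetwords = list(decoys)
        real_index = secrets.randbelow(self.k)  # never a fixed slot
        sweetwords.insert(real_index, password)
        self.entries[user] = (salt, [hash_pw(w, salt) for w in sweetwords])
        self.hc.register(user, real_index)

    def login(self, user, attempt):
        """Return 'ok', 'honeyword' (alert raised), or 'fail'."""
        salt, hashes = self.entries[user]
        h = hash_pw(attempt, salt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.hc.check(user, i) else "honeyword"
        return "fail"


def demo():
    hc = Honeychecker()
    pf = PasswordFile(hc, k=5)
    # Constructed sample account. Decoys must look as plausible as the real
    # password, or a cracker can tell them apart without ever logging in.
    pf.add_user("alice", "Summer2013!",
                ["Summer2012!", "Winter2013!", "summer2013", "Summer13!"])
    results = [pf.login("alice", "Summer2013!"),   # real password
               pf.login("alice", "Winter2013!"),   # cracked decoy -> alert
               pf.login("alice", "wrong")]         # ordinary failure
    return results, len(hc.alerts)


if __name__ == "__main__":
    print(demo())
```

Detection depends on the honeychecker alert being routed somewhere that is watched; a honeyword hit on a real account is a strong sign the password file has already been stolen and cracked.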
--Google's Facility in Sydney, Australia Running Unpatched Building
Management System
(May 6, 2013)
Google Australia's Sydney headquarters was discovered to be running a
building management system with known vulnerabilities. Although a patch
is available for vulnerabilities in the Tridium Niagara AX platform, it
had not yet been applied to Google's system. The people who discovered
that Google was running an unsecured system were able to obtain the
administrative password and gain access to control panels. A Google
spokesperson said that the system has been disconnected from the
Internet. A third-party integrator company set up the building system
at the Google facility.
http://www.wired.com/threatlevel/2013/05/googles-control-system-hacked/
http://www.theregister.co.uk/2013/05/06/google_building_automation_fail/
[Editor's Note (Shpantzer): The Publicly Accessible Control Systems
Working Group ( http://www.pacswg.org/ ) is an ongoing effort to
identify and alert orgs to this issue. If your dangly bits are dangling
on the internet, you too may get a virtual tap on the shoulder from
these fine folks (Yes, I'm involved).]
--Judge Sanctions Prenda Law
(May 6, 2013)
A federal judge in California sanctioned people involved in a copyright
patent trolling scheme operating under the name of Prenda Law. In
addition to the sanctions he imposed, Judge Otis D. Wright II wrote that
he will "refer the matter to the US Attorney ... [and] to the Criminal
Investigation Division of the Internal Revenue Service." Judge Wright
did not mince words, writing that the Prenda Law attorneys
"outmaneuvered the legal system," and noted that they "suffer from a
form of moral turpitude unbecoming an officer of the court." The order
is prefaced with a quote from a Star Trek movie: "The needs of the many
outweigh the needs of the few," and the references continue throughout
the document.
http://www.wired.com/threatlevel/2013/05/copyright-trolling-attorneys/
http://www.techdirt.com/articles/20130506/16340322966/judge-wright-tells-team-prenda-to-pay-80k-refers-their-activity-to-state-bars-feds-irs.shtml
http://www.wired.com/images_blogs/threatlevel/2013/05/Penda-Sanctions-Ruling.pdf
--Alleged SpyEye Developer and Distributor Extradited to US
(May 3 & 5, 2013)
Hamza Bendelladj has been extradited from Thailand to the US to face
charges for his alleged involvement with the SpyEye Trojan horse
program. Bendelladj, who is from Algeria, is believed to have helped
develop and distribute the malware, which has been used to hijack online
bank accounts. According to a recently unsealed indictment, Bendelladj
allegedly made millions of dollars by selling SpyEye and through the
information he stole with the malware's help. If convicted on all
charges, Bendelladj faces up to 30 years in prison and a fine of as much
as US $14 million. Another individual is named in the indictment but the
information has been redacted because that person has not yet been
arrested.
http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
http://arstechnica.com/tech-policy/2013/05/alleged-mastermind-behind-spyeye-botnet-tools-extradited-to-us/
http://www.wired.com/threatlevel/2013/05/spyeye-zeus-botmaster-indicted/
http://www.computerworld.com/s/article/9238913/Accused_SpyEye_virus_creator_extradited_to_the_U.S.?taxonomyId=17
http://krebsonsecurity.com/wp-content/uploads/2013/05/Bx1Indictment.pdf
--Microsoft Acknowledges Zero-Day Flaw in Internet Explorer 8
(May 3-6, 2013)
Microsoft has acknowledged a vulnerability in Internet Explorer 8 (IE8)
and says the flaw will be fixed, but did not say if the patch would be
part of the company's next scheduled security update, which is set for
Tuesday, May 14. There are reports that the flaw is being exploited to
conduct "watering hole" attacks, in which malicious code is placed on a
web page that is likely to attract certain visitors. Two such recent
incidents occurred at the US Department of Labor and the US Department
of Energy. According to Microsoft's security advisory, the flaw does not
affect Internet Explorer versions 6, 7, 9, or 10. Users still running
IE8 are advised to upgrade to IE9 or 10. If the change is not feasible,
users running IE8 should take steps described in the advisory to protect
their systems as outlined in the "Suggested Actions" section.
http://www.scmagazine.com/us-department-of-labor-website-was-serving-zero-day-internet-explorer-8-exploit/article/292147/
http://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/
http://arstechnica.com/security/2013/05/internet-explorer-0-day-attacks-on-us-nuke-workers-hit-9-other-sites/
http://www.computerworld.com/s/article/9238922/Microsoft_admits_zero_day_bug_in_IE8_pledges_patch?taxonomyId=17
http://www.zdnet.com/ie8-zero-day-flaw-targets-u-s-nuke-researchers-all-versions-of-windows-affected-7000014908/
Microsoft's Advisory:
http://technet.microsoft.com/en-us/security/advisory/2847140
[Editor's Note (Pescatore): Old versions of IE are very sticky, for some
reason. Google's Chrome Browser (and most mobile apps these days)
doesn't really have versions - just continually incrementally updated.
While there are risks to this approach, the "obsolete version hugging"
risk goes away - security improvements being tied to version upgrades
causes much higher risks.
(Cole): If there is a newer version of a product it usually means
previous versions had vulnerabilities - use the latest version of a
product.]
--Dell Resellers May Have Sold Equipment to Syria
(May 3, 2013)
Dell is looking into allegations that a reseller sold its products to a
company in Syria, a violation of US export restrictions. According to a
company spokesperson, "Dell requires its resellers to follow US trade
requirements." An April 2012 executive order prohibits US companies from
exporting IT products to Syria and Iran. This is not the first time that
US IT products have found their way into Syria. Several years ago, more
than half-a-million dollars worth of products from Hewlett-Packard were
used in the country as part of a project run by an Italian company that
purchased the products through HP resellers in Italy.
http://www.washingtonpost.com/business/dell-investigating-allegations-of-equipment-resales-to-syria/2013/05/06/efd661ce-b443-11e2-9fb1-62de9581c946_story.html
http://www.computerworld.com/s/article/9238899/Dell_investigates_report_of_its_computers_being_sold_to_Syria?taxonomyId=17
--Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices
(May 3, 2013)
The US Defense Department (DOD) has cleared Samsung Galaxy smartphones
and tablets and Research in Motion's BlackBerry 10 devices for use by
military officials and government workers. A Pentagon spokesperson
called the approvals "a significant step toward establishing a
multi-vendor environment that supports a variety of state-of-the-art
devices and operating systems." The Pentagon expects to clear Apple iOS6
devices later this month.
http://www.informationweek.com/mobility/smart-phones/blackberry-samsung-get-pentagon-nod-of-a/240154163
http://www.nbcnews.com/technology/technolog/samsung-blackberry-devices-cleared-use-us-defense-networks-6C9761382
http://www.theregister.co.uk/2013/05/03/bbos_10_approved_by_us_defense_department/
[Editor's Note (Pescatore): DoD folks using smartphones carries at worst
equal, and in most cases lower, risks than their equivalent use of the
Windows laptops they've had for years. But, this kind of device approval
approach carries a lot of overhead for Android devices - in 6 months
there will be dozens of new ones that will need to be evaluated. Not a
major problem for Apple, Blackberry where the device vendor owns both
hardware and software, or even Windows Phone devices, where Microsoft
keeps a high level of control on the hardware.]
--Man Allegedly Hacked Former Employer's System
(May 3, 2013)
A New York man has been arrested for allegedly damaging his former
employer's computer systems. Michael Meneses allegedly caused more than
US $90,000 in damage to the Spellman High Voltage Electronics
Corporation. While employed by Spellman, Meneses co-managed the
company's enterprise resources management application. In late 2011, he
was reportedly angry after he was passed over for a promotion, and he
submitted his resignation. Some former colleagues reported that Meneses
copied files from his company computer to a flash drive. The details of
what he then did are vague. He allegedly stole access credentials and
"corrupt[ed] the network." He allegedly changed the company's business
calendar. That activity was traced to a North Carolina hotel close to
Meneses's new job, and records showed that he had been staying at the
hotel at the time of the intrusions.
http://arstechnica.com/tech-policy/2013/05/sysadmin-passed-over-for-promotion-quits-then-strikes-back/
http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network?taxonomyId=17
FBI Press Release:
http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer
[Editor's Note (Shpantzer): Identity management of departing/former
employees is the consistent aspect of these types of stories for the 11
years I've been reading the NewsBites. There are no shiny-blinky
snap-in appliances that do this for you, you must have a tight HR-IT
feedback loop that enforces basic credential revocation. In the case
of admins, resetting credentials for other admins and systems may be in
order, assuming the departing/former admin has access to those as well
as the ones s/he was formally entrusted with (people share
credentials...) It's also a good idea to proactively image a departing
employee's hard drive and archive it for later. It's not that expensive
and can save time, money and legal/IR fees by spades in the case of a
'former insider' case.]
--Adobe Will Fix PDF Tracking Issue Next Week
(May 3, 2013)
Adobe says that it will fix a PDF tracking issue in its scheduled May
14 security update for Reader and Acrobat. The vulnerability is
currently being exploited by email marketers. The problem lies in the
way Adobe Reader handles some calls to the JavaScript API. The issue
itself is not considered serious, but it can be used for reconnaissance
because it exposes a user's IP address and the time the document was
opened. Until the patch is available, users are being advised to
disable JavaScript in Reader. All versions of Reader are affected.
http://www.scmagazine.com/adobe-confirms-pdf-tracking-issue-plans-to-ship-fix-soon/article/291924/
http://www.zdnet.com/adobe-confirms-leaky-pdf-flaw-fix-due-on-14-may-7000014870/
[Editor's Note (Pescatore): Oracle finally did the "everyone put down
your toys, time to clean the playroom" security push for Java that
Microsoft did years ago when Windows vulnerabilities were at their
crescendo. Would be nice to see the same thing happening at Adobe.]
--FTC to Hold Hearing on Identity Theft and Senior Citizens
(May 3, 2013)
The US Federal Trade Commission (FTC) plans to hold a hearing on
Tuesday, May 7 at which it will look into identity theft schemes
perpetrated on senior citizens, including tax and government benefit
identity theft; long term care identity theft; and medical identity
theft, which is occurring with increasing frequency. One study said that
about two million US citizens are victims of medical identity theft
every year. The incidents cost an average of US $20,000 to resolve. The
hearing will also look at ways of educating senior citizens about these
issues.
http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/
http://www.ftc.gov/bcp/workshops/senior-identity-theft/
--Middle School Students Phish Teachers' Admin Credentials
(April 30 & May 3, 2013)
Students at a middle school in Alaska managed to trick teachers into
providing their administrative access credentials and then used the
access to control classmates' computers. The students are 12 and 13
years old. At least 18 students involved in the scheme gained control
of more than 300 computers at Schoenbar Middle School in Ketchikan,
Alaska. The students manipulated the computers so that teachers thought
they were entering their access credentials to allow installation of
software updates.
http://www.bbc.co.uk/news/technology-22398484
http://www.adn.com/2013/04/30/2884902/students-at-ketchikan-middle-school.html
http://www.redorbit.com/news/technology/1112837519/alaskan-teens-hack-into-school-system-050313/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland
Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/