From: The SANS Institute (NewsBites sans.org)
Date: Fri May 10 2013 - 12:30:49 CDT
**************************************************************************
SANS NewsBites May 10, 2013 Vol. 15, Num. 037
**************************************************************************
TOP OF THE NEWS
Eight Charged in Connection with US $45 Million Cybertheft
U.S. Department of Homeland Security ICS-CERT Issues Warning of
Heightened Risk of Attack on Critical Infrastructure
Executive Order Requires US Government Agencies to Adopt Open Data
Standards
THE REST OF THE WEEK'S NEWS
Name.com Customer Data Breach Includes Encrypted Passwords and
Credit Card Info
Patch Tuesday to Include Fix for IE8 Flaw Exploited in Attack on
Dept. of Labor Site
Microsoft Issues Stopgap "Fix-it" Measure for IE8 Flaw
Critical Flaw in Adobe's ColdFusion
China's Success in Cyberespionage Does Not Indicate Technical
Superiority
2012 FBI Domestic Investigation Guide Says No Warrant Needed to
Access eMail
Judge Denies Motion to Suppress Evidence Gathered With Cell Tower
Spoofing Technology
Indian Government Launches Central Monitoring System
Senators Draft Legislation to Respond to Cyberespionage
Hacking Charges Dropped in Video Poker Case
************************* SPONSORED BY BIT9 ****************************
Today's Advanced Threats Require Next-Generation Protection. Are you
using or considering a next-generation threat protection solution? Join
this webcast and learn how you can multiply the value of your investment
by integrating network and endpoint security. Register Today
http://www.sans.org/info/130682
***************************************************************************
TRAINING UPDATE
-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013
-- SANSFIRE 2013 Washington, DC June 14-22, 2013
41 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
http://www.sans.org/event/sansfire-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
-- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Four
dedicated pen test training courses led by five SANS world-class
instructors.
http://www.sans.org/event/pentest-berlin-2013
-- SANS London Summer 2013 London, UK July 9-July 16, 2013
5 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses and the excellent 2-day
Securing The Human course.
http://www.sans.org/event/london-summer-2013
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************
TOP OF THE NEWS
--Eight Charged in Connection with US $45 Million Cybertheft
(May 9, 2013)
US Federal prosecutors have charged eight people for their alleged roles
in a pair of cybertheft schemes that stole more than US $45 million
through ATMs in more than 20 different countries. The schemes involved
breaking into computers at financial institutions that process prepaid
debit cards to steal data and eliminate the withdrawal limits on the
cards. The first attack targeted a processor that managed pre-paid card
transactions for a bank in the United Arab Emirates. The cards data were
sent to accomplices in 20 countries who used them to fraudulently
withdraw US $5 million. The second scheme involved an institution that
processed card transactions for a bank in Oman; accomplices in 24
countries withdrew US $40 million within 10 hours. The eight people
charged in New York participated in both schemes, withdrawing a total
of US $5.2 million through ATMs in New York. All eight live in Yonkers,
New York. They face charges of conspiracy to commit access device fraud,
conspiracy to launder money, and money laundering.
http://www.wired.com/threatlevel/2013/05/eight-charged-in-bank-heist/
http://www.washingtonpost.com/business/economy/atm-thieves-conducted-massive-cyberattack/2013/05/09/0c3c3a1c-b8ec-11e2-92f3-f291801936b8_story.html
http://money.cnn.com/2013/05/09/technology/security/cyber-bank-heist/index.html
http://www.justice.gov/usao/nye/pr/2013/2013may09.html#FOOT1
[Editor's Note (Honan): In 2011 a payment card processor in Florida,
FIS, was the victim of a similar attack to the tune of US $13m and RBS
Worldpay suffered a loss of US $9m in 2008. A key element in the success
of these attacks is the lack of Chip and Pin technology, which is
already in place in many European countries and makes cards more
difficult to clone.
(Paller): And while we are waiting - probably years - for the U.S.
Government to require chip and pin, there is ample evidence that the
processors know how to protect their computers against these attacks and
are not doing it. The PCI standard is so far out of date and the
verification that PCI auditors are doing is missing so much, that this
$45 million will seem small in a couple of years. The key is that the
people who write the standards (PCI and NIST in particular) are the ones
who should be held accountable for these losses because their guidance
is encouraging organizations to implement the wrong defenses.]
--U.S. Department of Homeland Security ICS-CERT Issues Warning of
Heightened Risk of Attack on Critical Infrastructure
(May 9, 2013)
The US Department of Homeland Security (DHS) issued a warning "on a
computer network accessible only to authorized industry and government
users" about an increased threat of a cyberattack against "US critical
infrastructure organizations." The intent appears to be not only theft
of intellectual property, but "to disrupt ... control processes." The
unclassified alert came from DHS's Industrial Control System Computer
Emergency Response Team (ICS-CERT). It made specific suggestions for
steps to take to protect systems from harm. Another document listed
indicators to determine if systems have been compromised.
http://www.washingtonpost.com/world/national-security/us-warns-industry-of-heightened-risk-of-cyberattack/2013/05/09/39a04852-b8df-11e2-aa9e-a02b765ff0ea_story.html
[Editor's Note (McBride): The mounting evidence of US-led cyber
operations against Iran, including some industrial control systems
there, may have been a factor in this reported "escalation".]
--Executive Order Requires US Government Agencies to Adopt Open Data
Standards
(May 9, 2013)
The White House has issued an executive order requiring that "the
default state of new and modernized Government information resources
shall be open and machine readable." Over the next six months, agencies
must compile lists of all the datasets they collect and maintain. They
must also indicate which of those lists are supposed to be available to
the public. They also must make the publicly available data easy to find
and to access and to use.
http://www.nextgov.com/big-data/2013/05/white-house-orders-agencies-follow-new-open-data-standards/63068/?oref=ng-HPtopstory
Text of Executive Order:
http://cdn.govexec.com/media/gbc/docs/pdfs_edit/050913jm1.pdf
[Editor's Note (Pescatore): The EO does contain the required privacy
directives: "It is vital that agencies not release information if doing
so would violate any law or policy, or jeopardize privacy,
confidentiality, or national security." However, it seems to be missing
any concern about the *integrity* of the data. The US CIO and CTO have
30 days to release policy and best practices - I hope they include
requirements for due diligence in web site and web application security
for government sites that will host such data.]
*************************** Sponsored Links: ******************************
1) Special Webcast Friday, 5/24: "The Intractable Problem of Software
Security". Chris Wysopal, Veracode's Co-Founder and CTO, will dive into
the data that drive the predictions detailed in the Veracode's fifth
annual State of Software Security Report.
http://www.sans.org/info/130687
2) At the Mobile Device Security Summit experts and practitioners will
detail proven approaches to securing BYOD - Attend SEC575 and SEC579.
http://www.sans.org/info/130692
3) Having trouble managing your security information? Don't miss our new
Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's
Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at
1:00 PM EDT http://www.sans.org/info/130697
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Name.com Customer Data Breach Includes Encrypted Passwords and Credit
Card Info
(May 9, 2013)
Domain name registrar Name.com has notified customers that their personal
information, including encrypted passwords and payment card data, was
compromised in a security breach. Name.com required all customers to
reset their passwords. The method used - customers were instructed to
click a link to perform the reset - has been criticized because it
resembles tactics used in phishing attacks.
http://www.scmagazine.com/hackers-hit-domain-registrar-access-credit-card-data-and-passwords/article/292696/
http://www.computerworld.com/s/article/9239050/Name.com_forces_customers_to_reset_passwords_following_security_breach?taxonomyId=17
--Patch Tuesday to Include Fix for IE8 Flaw Exploited in Attack on
Dept. of Labor Site
(May 9, 2013)
On Tuesday, May 14, Microsoft will issue 10 security bulletins to
address vulnerabilities in Windows, Internet Explorer, Office and
several other products. The company has indicated that the vulnerability
in IE8 for which it has already recommended a workaround and issued a
Fix-it measure will be patched in one of the bulletins. The bulletins
will address a variety of issues that could be exploited to allow remote
code execution, spoofing, information disclosure, or privilege
elevation, or to create denial-of-service conditions.
http://www.computerworld.com/s/article/9239064/Microsoft_rushes_IE8_zero_day_fix_into_next_week_s_Patch_Tuesday?taxonomyId=17
https://technet.microsoft.com/en-us/security/bulletin/ms13-may
[Editor's Note (Pescatore): Looks like two Critical patches coming out
in next week's Windows Vulnerability Tuesday. Last month, Microsoft had
a bit of patch quality backsliding and had to rerelease MS13-036 due to
crash problems. Seemed like an isolated incident vs. a trend, but
probably worth a bit more QAing of this month's patches.]
--Microsoft Issues Stopgap "Fix-it" Measure for IE8 Flaw
(May 9, 2013)
Microsoft has issued a stopgap measure for a vulnerability in Internet
Explorer 8. The flaw first gained attention when it appeared that it had
been exploited in a watering-hole attack on a US Department of Labor
webpage. Microsoft has also provided a work-around that users can employ
until a patch is available.
http://www.h-online.com/security/news/item/Microsoft-releases-Fix-It-for-IE8-hole-1859776.html
http://www.darkreading.com/vulnerability/microsoft-issues-emergency-fix-for-ie-ze/240154536
http://www.scmagazine.com/microsoft-offers-temporary-fix-for-live-internet-explorer-exploit/article/292621/
http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx?Redirected=true
[Editor's Note (Murray): "Researchers" ("NVPs") publish exploits.
Security professionals publish "work-arounds." Can't think of a
work-around? Leave the reporting to those who can.]
--Critical Flaw in Adobe's ColdFusion
(May 8 & 9, 2013)
Adobe has issued an advisory warning users of a critical vulnerability
in its ColdFusion web application development platform. The flaw could
be exploited to gain access to files stored on vulnerable computers. The
issue affects ColdFusion 10, 9.0.2, 9.0.0, 9.0 and older versions for
Windows, Mac, and Unix. An exploit for the flaw is reportedly available.
Adobe plans to release a patch for the vulnerability on May 14.
http://www.v3.co.uk/v3-uk/news/2267159/adobe-preps-patch-for-critical-flaw-in-coldfusion
http://www.computerworld.com/s/article/9239054/Adobe_warns_of_unpatched_critical_flaw_in_ColdFusion?taxonomyId=17
http://www.h-online.com/security/news/item/Adobe-acknowledges-critical-hole-in-ColdFusion-1859798.html
http://www.adobe.com/support/security/advisories/apsa13-03.html
--China's Success in Cyberespionage Does Not Indicate Technical
Superiority
(May 8, 2013)
Experts say that China's success in gaining access to government,
military, and corporate computer systems in the US does not indicate the
country's "technical superiority" but rather its patience and
persistence in targeting systems and individuals and remaining hidden
in the network for long periods of time. John Pescatore noted that China
is "not smarter in software than [the US]. If they were, we would see
them starting up new companies" rather than conducting cyberespionage.
Rather than concern themselves with the sources of attacks, US companies
would be well advised to make sure their systems are as secure as they
can make them by addressing basic vulnerabilities and configuration
issues. What is notable about China's approach "is that they use the
least amount of force necessary to accomplish their goals," according
to Dan McWhorter, Mandiant's managing director of threat intelligence.
http://www.computerworld.com/s/article/9239015/Chinese_hackers_master_the_art_of_lying_in_wait_?taxonomyId=17
--2012 FBI Domestic Investigation Guide Says No Warrant Needed to
Access eMail
(May 8, 2013)
According to the 2012 edition of the FBI's Domestic Investigations and
Operations Guide, the FBI believes it has the authority to access
individuals' electronic communications and documents without a search
warrant. The ACLU obtained the document through a Freedom of Information
Act (FOIA) request. The guide indicates the FBI believes all that is
required to access such information is a subpoena signed by a federal
prosecutor. This policy appears to fly in the face of a 2010 ruling that
requires federal authorities to obtain warrants prior to accessing email
accounts. At a Congressional hearing earlier this year, DOJ officials
acknowledged that the interpretation of the Electronic Communications
Privacy Act (ECPA) of 1986 that allows access to opened email and to
unopened email more than six months old is no longer applicable.
http://arstechnica.com/tech-policy/2013/05/fbi-claims-right-to-read-your-e-mail-just-like-other-federal-agencies/
http://www.zdnet.com/fbi-says-it-doesnt-need-a-warrant-to-snoop-on-private-email-social-network-messages-7000015075/
http://www.v3.co.uk/v3-uk/news/2266900/aclu-says-fbi-snooping-emails-without-warrants
--Judge Denies Motion to Suppress Evidence Gathered With Cell Tower
Spoofing Technology
(May 8, 2013)
A judge in Arizona will allow evidence collected by federal
investigators through the use of technology known as stingray, which
mimics a cell phone tower. The defense had filed a motion to suppress
the evidence, claiming that the use of stingray violated Daniel
Rigmaiden's Fourth Amendment rights because there was no warrant for the
search of his apartment. The judge determined that Rigmaiden did not
have a reasonable expectation of privacy because he had obtained all of
those things fraudulently - using others' identities. Rigmaiden
allegedly filed hundreds of phony tax returns using the names of people
who had died. He is the alleged mastermind in a scheme that stole US $4
million from the IRS through fraudulent tax returns. The judge also said
that the government did not act improperly by failing to inform the
magistrate judge who authorized the tracking activities that it planned
to use a stingray to track the suspect or explain how the technology
worked.
http://www.wired.com/threatlevel/2013/05/rigmaiden-cell-tower-evidence/
http://arstechnica.com/tech-policy/2013/05/federal-judge-denies-motion-to-throw-out-evidence-gathered-via-fake-cell-tower/
Judge's order denying motion to suppress evidence:
https://www.aclunc.org/docs/technology/order_denying_motion_to_suppress,_usa_v._rigmaiden.pdf
--Indian Government Launches Central Monitoring System
(May 7 & 8, 2013)
According to a report in the Times of India, the Indian government has
introduced its Central Monitoring System that allows interception of
phone calls and Internet communications. The system will be used not
only by law enforcement, but by tax authorities as well. India's
Information Technology Act of 2000 gives the government the authority
to "intercept, monitor, or decrypt [data] generated, transmitted,
received, or stored in any computer resource" if there is a credible
threat to security and public safety. Activists are concerned because
privacy laws in India may not be adequate to protect individuals.
http://timesofindia.indiatimes.com/tech/tech-news/internet/Government-can-now-snoop-on-your-SMSs-online-chats/articleshow/19932484.cms
http://www.theregister.co.uk/2013/05/08/india_privacy_woes_central_monitoring_system/
--Senators Draft Legislation to Respond to Cyberespionage
(May 7 & 8, 2013)
Following the release of a report that accuses China of conducting
cyberespionage on US government, military, and corporate networks, a
group of senators proposed legislation aimed at fighting the activity.
Called the Deter Cyber Theft Act, the bill would require an annual
report from the director of national intelligence that names countries
that have engaged in cyberespionage against the US, noting which have
been the most "egregious" offenders. The report would also describe what
sorts of data are being stolen. The information could be used to support
decisions to block imports of products that contain technology stolen
from the US.
http://news.cnet.com/8301-1009_3-57583379-83/senators-propose-law-to-go-after-foreign-cybercriminals/
http://www.scmagazine.com/senators-introduce-bill-that-would-flag-countries-products-that-benefit-from-espionage/article/292523/
http://www.computerworld.com/s/article/9239004/Proposed_U.S._law_aims_to_counter_cybertheft_with_import_bans?taxonomyId=17
Text of draft legislation:
http://media.scmagazine.com/documents/46/cybertheftlegislation050713_11307.pdf
[Editor's Note (Pescatore): Fish gotta swim, birds gotta fly, senators
gotta legislate. There is already an annual Report to Congress of the
US-China Economic and Security Review Commission. I have the latest
version, dated November 2012, right here at my desk. It weighs in at 491
pages, and has a 23-page section on China's cyber activities. I wonder
how many of the sponsors of this bill (or even their aides) actually
read that? The bill title sounds good, though - except that the best way
to deter cyber theft is to reduce your own vulnerabilities, vs. focus
on which country actually exploited your lack of security.]
--Hacking Charges Dropped in Video Poker Case
(May 7, 2013)
Federal prosecutors have dropped hacking charges in a case against two
men who took advantage of a bug in a video poker game to win hundreds
of thousands of dollars. The dismissal of the charges in the indictment
removes the question of the applicability of the Computer Fraud and
Abuse Act (CFAA) in this case. John Kane and Andre Nestor now each face
one charge of conspiracy to commit wire fraud.
http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
Motion to Dismiss Counts of Indictment and Order Granting Dismissal:
http://www.wired.com/images_blogs/threatlevel/2013/05/Government-motion-to-dismiss-us-v-Kane.pdf
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course and the Penetration
Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
School.
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
application security.
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/