SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIV - Issue #88

November 02, 2012


Next Wednesday (November 7) is the last day for large savings on the big
Washington DC-based cyber security training program
(CyberDefenseInitiative Dec 7-16) with 25 immersion courses and the big
Netwars competition and the Tournament of Champions with 150 of the
world's best cyber operators.
Learn more and register: http://www.sans.org/event/cyber-defense-initiative-2012/courses/
Tournament of Champions: http://www.sans.org/special/netwars-champions

If you have ever considered employing a cyber range or cyber simulator
to develop proven hands-on cyber skills, check out Netwars. The military
and banking folks who now use it regularly tell me it is quite
extraordinary. Video at http://www.sans.org/cyber-ranges/netwars
Alan

TOP OF THE NEWS

Five Arrested in Japan in Connection with Malware Hidden in Android Apps
Researchers Find More Than a Quarter of Android Apps Pose Data Privacy Concerns
Iran Planning "Indigenous Cyber Defense"

THE REST OF THE WEEK'S NEWS

DHS Recruiting College Grads for Cybersecurity Fellowships
Cybersecurity Reserves
Fourteen Charges in Precision Cyberheist Case
Huawei Seeks Help From Critic
Government Argues Against Returning Files Stored on MegaUpload Servers
UK Police Arrest Three in Connection with Phishing Scheme
Georgian CERT Tricks Alleged Hacker
California AG Tells Mobile App Makers to Post Privacy Policies
Judge Says Police May Use Hidden Surveillance Cameras on Private Property Without a Warrant
Third-Party eMailer Epsilon Found to be Using Weak DKIM Keys
ZeroAccess Botnet Growing

CONTROL SYSTEMS SECURITY STORIES

NERC Strives to Streamline Technical Feasibility Exceptions (TFEs)


****************************************************************************
TRAINING UPDATE
- --SANS Sydney 2012 Sydney, Australia November 12-20, 2012 5 courses. Special Event evening bonus session: I've Been Geo-Stalked! Now What?
http://www.sans.org/event/sydney-2012

- --SANS San Diego 2012 San Diego, CA November 12-17, 2012 7 courses. Bonus evening presentations include Cloud Computing and the 20 Critical Security Controls; and Practical, Efficient Unix Auditing (with Scripts).
http://www.sans.org/event/san-diego-2012

- --SANS London 2012 London November 26-December 3, 2012 16 courses.
http://www.sans.org/london-2012/

- --SANS Cyber Defense Initiative 2012 Washington, DC December 7-16, 2012 27 courses. Bonus evening presentations include Gamification: Hacking Your Brain for Better Learning; Building a Portable Private Cloud; and Tactical SecOps: A Guide to precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012

- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events.
http://www.sans.org/event/north-american-scada-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Tokyo, Barcelona, and Cairo all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

TOP OF THE NEWS

Five Arrested in Japan in Connection with Malware Hidden in Android Apps (October 31 & November 1, 2012)

Police in Japan have arrested five people for their alleged involvement in a scheme that hid malware in smartphone applications. The malware was placed in a video app for Android, and allegedly allowed those behind the scheme to steal information from 90,000 infected devices. The app was distributed through Google Play. Police say that it is the largest data theft case of its type in Japan. In an unrelated incident, a Japanese online dating site executive has been arrested for allegedly distributing malware that claimed it was a battery-saving utility.
-http://www.theregister.co.uk/2012/11/01/japan_android_malware/
-http://www.zdnet.com/five-japanese-detained-for-data-theft-7000006662/

Researchers Find More Than a Quarter of Android Apps Pose Data Privacy Concerns (November 1, 2012)

Researchers say that more than a quarter of the Android apps available through the Google Play store appear to pose potential security risks to users. The researchers considered the apps to be questionable or suspicious if they had the capability to access personal information such as GPS data, phone calls and phone numbers. Users were led into allowing the apps to collect the data when they were installed; if users do not agree to the apps' requests, the apps will not run on their devices. The practice appeared to be popular among games, entertainment, and wallpaper apps, despite the fact that those apps would seem to have little or no practical use for the information. The researchers state specifically that these apps are not considered malware, simply that they pose a privacy risk to users.
-http://www.informationweek.com/security/application-security/android-apps-fail-risk-assessment-check/240012652

-http://www.computerworld.com/s/article/9233139/Security_research_labels_over_290_000_Google_Play_Android_apps_as_high_risk_?taxonomyId=17

[Editor's Note (Pescatore): The privacy and security checks app stores use definitely need to continue to improve, but accessing GPS data for mobile apps is pretty much like standard Web apps accessing browser type info. So, calling those apps privacy risks overstates things quite a bit. Also, Google has made some very strong progress in rapidly removing apps from Google Play if they show "dodgy" behavior. The biggest issue on the Android side is the ease of users installing apps that did *not* come through Google Play. ]

Iran Planning "Indigenous Cyber Defense" (October 29, 2012)

One of Iran's top military leaders is proposing that Iran develop an "indigenous cyber defense model" in light of the "special place" cyber attacks have in Iran's enemies' "hostile strategies".
-http://www.nextgov.com/defense/2012/10/iranian-commander-calls-strategy-against-cyberattacks/59107/



*************************** SPONSORED LINKS *******************************
1) SANS Webcast: Blind as a Bat? Or Eagle Vision Into Encrypted Packets? With Dave Shackleford & Tony Zirnoon. Nov 5, 2012. http://www.sans.org/info/116302
2) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/116312
3) "New in the SANS Reading Room: SANS Survey on Mobility/BYOD Security Policy and Practices" http://www.sans.org/info/116317
*****************************************************************************

THE REST OF THE WEEK'S NEWS

DHS Recruiting College Grads for Cybersecurity Fellowships (October 31 & November 1, 2012)

A new US Department of Homeland Security (DHS) fellowship program seeks to draw college graduates into cybersecurity careers. The DHS's Secretarial Honors Program will offer 50 positions across six disciplines, including IT and cybersecurity. The fellowships will last between one and two years; the selected participants will have mentorships, professional development training, and rotations through DHS component agencies. Once the fellowships are over, the participants may be able to obtain full-time employment at the department. DHS Secretary Janet Napolitano said that even though the Department has increased its cyber workforce by 600 percent, it still needs to do more to attract more talented cyber specialists.
-http://www.nextgov.com/cio-briefing/wired-workplace/2012/11/dhs-seeks-cyber-fellows/59197/?oref=ng-voicestop

-http://www.federalnewsradio.com/473/3101703/Napolitano-wants-NSA-like-hiring-authority-for-DHS-cyber-workforce

Cybersecurity Reserves (October 31, 2012)

Because the US Department of Homeland Security (DHS) is having difficulty recruiting and retaining talented cybersecurity professionals, the agency is considering establishing a cybersecurity reserves corps. The idea came from a task force that the DHS set up to help with the recruitment and retention issue. Many highly qualified cybersecurity professionals feel they can find better jobs and higher salaries in the private sector. As a result, DHS often assigns the most interesting jobs to outside contractors. The task force has recommended that DHS assign the cool jobs to government workers to help retain talented employees.
-http://www.reuters.com/article/2012/10/31/usa-cybersecurity-reserve-idUSL1E8LU4MZ20121031

Fourteen Charges in Precision Cyberheist Case (October 30, 31 & November 1, 2012)

Fourteen people have been charged in connection with a coordinated cyberheist that netted thieves more than US $1 million through cash-advance kiosks at casinos in Nevada and California. The scheme exploited a flaw in Citibank's system that is supposed to prevent checking accounts from being overdrawn and involved making a coordinated series of withdrawals from accounts in a brief window of time. Ringleader Ara Keshishyan faces up to 30 years in prison and a fine of US $1 million. The others face prison sentences of up to five years and US $250,000 fines.
-http://www.zdnet.com/fbi-catches-gone-in-60-seconds-bank-fraudsters-7000006719/
-http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604?cid=InformationWeek-Twitter

-http://arstechnica.com/security/2012/10/atm-heist-clears-1-million-exploiting-citigroup-e-payment-flaw/

-https://www.fbi.gov/sandiego/press-releases/2012/fourteen-charged-in-million-dollar-gone-in-60-seconds-bank-fraud

Huawei Seeks Help From Critic (October 31 & November 1, 2012)

Huawei is sending a team of engineers to Germany to meet with Felix Lindner, a former hacker who has criticized Huawei for vulnerabilities in its products. A U.S. House Intelligence Committee report recently recommended that US organizations not do business with Huawei or another Chinese company, ZTE, because of security concerns. Huawei cybersecurity officer John Suffolk says, "I can fix the Felix issues in a few lines of code. But I'm interested in systemic change within Huawei."
-http://www.theregister.co.uk/2012/11/01/huawei_report_security_router_hacker/
-http://www.eweek.com/security/huawei-faces-hacker-critic-to-help-clear-its-name-report/

-http://www.zdnet.com/huawei-sends-team-of-engineers-to-discuss-router-security-revelations-with-hacker-7000006682/

-http://news.cnet.com/8301-1009_3-57542809-83/huawei-looks-to-german-security-researchers-for-help/

Government Argues Against Returning Files Stored on MegaUpload Servers (October 31 & November 1, 2012)

US federal prosecutors are offering scant hope for people seeking to obtain their legitimate content stored on MegaUpload's seized servers. Kyle Goodwin, an Ohio man who runs a high school sporting event video company is trying to regain access to his legitimately stored content; his own hard drive crashed just days before the government seized MegaUpload's assets. In a court filing earlier this week, the government proposed a plan that would make it virtually impossible for people to retrieve their files. The federal prosecutors also suggested that Goodwin had uploaded pirated music to his MegaUpload account because some of his videos include soundtracks that have signatures suggesting that the music is pirated. The Electronic Frontier Foundation (EFF), which is aiding Goodwin in his case, says that the government's examination of Goodwin's files is a misuse of data that was seized for the purposes of the case against MegaUpload, not Goodwin, and that if the government was able to find and examine the files, there should also be a way to return them to their owner.
-http://www.v3.co.uk/v3-uk/news/2221523/us-government-criticised-over-handling-of-megaupload-data

-http://www.wired.com/threatlevel/2012/10/no-dice-megaupload-data
-http://arstechnica.com/tech-policy/2012/10/government-innocent-megaupload-user-uploaded-pirated-music/

UK Police Arrest Three in Connection with Phishing Scheme (October 31, 2012)

Police in Great Britain have arrested three people in connection with a phishing scheme that targeted several banks. The men were arrested for alleged money laundering and conspiracy to defraud. The men allegedly placed more than 2,000 phishing web pages on the Internet. The pages looked like legitimate online banking web pages.
-http://www.scmagazineuk.com/police-net-suspected-phishing-gang/article/266148/

Georgian CERT Tricks Alleged Hacker (October 30 & 31, 2012)

The country of Georgia's Computer Emergency Response Team (CERT) recently turned the tables on an alleged Russian hacker. The individual targeted in the scheme allegedly infected computers in Georgia and the US with malware designed to steal sensitive documents. The Georgian CERT placed a document named "Georgian-NATO Agreement" on one of its PCs. The alleged hacker took the file and opened it, which caused his computer to become infected with malware that gave the Georgian CERT control of his machine. The Georgian CERT then took pictures of the suspect with the PC's webcam.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240012665/say-cheese-georgian-nation-makes-offense-its-defense.html

-http://arstechnica.com/security/2012/10/hacker-allegedly-behind-advanced-espionage-campaign-caught-on-film/

-http://www.dailymail.co.uk/sciencetech/article-2225743/Alleged-hacker-caught-camera-cyber-security-experts-infect-HIS-OWN-virus.html?ito=feeds-newsxml

-http://www.zdnet.com/georgia-turns-the-tables-on-russian-hacker-7000006611/
-http://www.computerworld.com/s/article/9233060/Irked_by_cyberspying_Georgia_outs_Russia_based_hacker_with_photos?taxonomyId=82

-http://www.theregister.co.uk/2012/10/31/georgia_russia_counter_intelligence/
[Editor's Note (Honan): Many in the industry are hailing this move by the Georgian CERT as an example of hacking back and taking on the bad guys at their own game. Before contemplating a similar action, remember that, unlike the criminals, organisations are bound by legal, regulatory and ethical rules that criminals do not have to adhere to. ]

California AG Tells Mobile App Makers to Post Privacy Policies (October 30, 2012)

California's attorney general Kamala Harris has notified the makers of mobile applications that they will be held accountable for their handling of Californians' personal data. The first round of notices was sent to the makers of 100 apps that do not have written privacy policies describing what data the app collects and shares. The companies have 30 days to post "conspicuous" privacy policies or face fines of up to US $2,500 each time a California resident downloads the app that does not have such a policy. Harris is extending the privacy requirements imposed on personal computers to smartphones and tablets.
-http://www.latimes.com/business/technology/la-fi-tn-atty-gen-kamala-harris-puts-mobile-apps-on-notice-about-privacy-20121030,0,6774480.story

[Editor's Note (Pescatore): While the FTC has done a good job going after companies that violate consumer privacy regulations, the US still does not have a national data privacy law. There are something like 40 states that have their own data privacy and breach notification laws and they will and should apply them to mobile app developers. ]

Judge Says Police May Use Hidden Surveillance Cameras on Private Property Without a Warrant (October 30, 2012)

A federal judge in Wisconsin has ruled that law enforcement officers may, in some cases, install hidden surveillance cameras on private property without first obtaining a warrant. US District Judge William Griesbach ruled that the US Drug Enforcement Administration (DEA) acted reasonably when it entered private property without the owners' permission and without a warrant and installed several hidden surveillance cameras in an operation aimed at gathering evidence that the suspects were growing marijuana. The defendants, who could face life in prison and fines of up to US $10 million, maintain that their Fourth Amendment rights were violated because there were "No Trespassing" signs posted on the 22-acre property. Judge Griesbach adopted a recommendation by US Magistrate Judge William Callahan that said the action did not violate the defendants' Fourth Amendment rights. The trial is scheduled to begin in January 2013.
-http://news.cnet.com/8301-13578_3-57542510-38/court-oks-warrantless-use-of-hidden-surveillance-cameras/

[Editor's Comment (Northcutt): I am guessing this one will go to the Supreme Court. It is worth reading the story from the link. We posted only one link because all the other articles appear to be rehashes of the CNET article. If you find a more in-depth analysis and are willing to send it to stephen@sans.edu, I will try to build a blog post and toss the link to the community in a future NewsBites. ]

Third-Party eMailer Epsilon Found to be Using Weak DKIM Keys (October 30 & 31, 2012)

While companies may have responded to the story about weak DKIM email authentication keys by checking their own and replacing weaker ones with keys of at least 1,024 bits, most companies likely did not check with their third-party mailers about the lengths of the keys they were using to send out messages on their behalf. Epsilon, a third-party emailer, believed it had fixed the weak key problem last year, but recently found out that even though it had re-issued stronger keys, it had failed to remove the shorter, weaker keys from its DNS records, meaning that Epsilon clients were still subject to email spoofing.
-http://www.wired.com/threatlevel/2012/10/dkim-third-party-emailers/all/
-http://www.cso.com.au/article/440599/epsilon_fixing_up_hidden_email_spoofing_weakness/#closeme
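As an added example, not part of the NewsBites item or of Epsilon's own tooling: a short Python script that parses DKIM TXT records (the RFC 6376 v=/k=/p= form), reads the RSA modulus length out of the base64 SubjectPublicKeyInfo with a minimal DER reader, and reports every selector still publishing a key shorter than 1,024 bits, which is exactly the leftover the story describes. The selector names and keys are constructed sample data under example.com, not real records.

```python
import base64
import re
MIN_BITS = 1024  # the floor the story cites; anything shorter is treated as weak

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

RSA_OID_NULL = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL params

def make_dkim_record(modulus, exponent=65537):
    """Build a DKIM TXT record (RFC 6376 form) around an RSA SubjectPublicKeyInfo.
    Used only to construct sample data here; the modulus is not a real RSA key."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, _der(0x30, RSA_OID_NULL) + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _read_tlv(buf, pos):
    """Minimal DER reader: (tag, content, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dkim_key_bits(txt):
    """RSA modulus size in bits for one DKIM TXT record; None if revoked (empty p=) or not RSA.
    Whitespace inside p= (DNS splits long TXT strings) is tolerated."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa":
        return None
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return None
    _, body, _ = _read_tlv(base64.b64decode(p), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(body, 0)                    # skip AlgorithmIdentifier
    _, bitstr, _ = _read_tlv(body, pos)               # BIT STRING wrapping RSAPublicKey
    _, rsa_body, _ = _read_tlv(bitstr[1:], 0)         # drop unused-bits byte, open SEQUENCE
    _, modulus, _ = _read_tlv(rsa_body, 0)            # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

def audit_selectors(records):
    """records: selector FQDN -> TXT. Returns {selector: bits} for keys below MIN_BITS,
    i.e. the leftover weak selectors a key rotation forgot to remove from DNS."""
    weak = {}
    for selector, txt in records.items():
        bits = dkim_key_bits(txt)
        if bits is not None and bits < MIN_BITS:
            weak[selector] = bits
    return weak

# Constructed sample, not real DNS data: a fresh 2048-bit selector next to a forgotten 512-bit
# one and a revoked one. Selector names come from the s= tag of the sender's DKIM-Signature
# headers (DNS cannot be enumerated for them); fetch each TXT record and pass it in.
SAMPLE_RECORDS = {
    "s2012._domainkey.example.com": make_dkim_record((1 << 2047) | 0x10001),
    "s2011._domainkey.example.com": make_dkim_record((1 << 511) | 0x10001),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}
```

Running `audit_selectors` over the records a mailer actually publishes for each selector its signatures reference is the check the story says most companies skipped for their third-party senders.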

ZeroAccess Botnet Growing (October 30, 2012)

A botnet known as ZeroAccess has infected more than 2.2 million machines around the world. ZeroAccess operates through a peer-to-peer network and has earned its operator as much as US $100,000 a day. It has been growing and has "become the most active botnet ... measured this year," according to a malware report from Kindsight. ZeroAccess is being used primarily to conduct click-fraud.
-http://www.darkreading.com/insider-threat/167801100/security/client-security/240012561/zeroaccess-botnet-surges.html


CONTROL SYSTEMS SECURITY STORIES

NERC strives to streamline technical feasibility exceptions (TFEs)
-http://insecurity.honeywellprocess.com/index.php/2012/10/good-news-tfes/
-http://www.nerc.com/files/ROP_Summary_Appendix_4D_TFE_20121005.pdf
McBride: TFEs are Technical Feasibility Exceptions to the NERC CIP standards. This is where the asset owners say, "we can't conform to this requirement because it is technically not feasible; here's why." Having gathered and analyzed data on TFE requests, parties saw an opportunity to streamline the TFE process. Any (future?) regulatory regime that deals with ICS will want to learn from this evolution.

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and is President of STI, The Premier Skills-Based Cyber Security Graduate School, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/