SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIV - Issue #99

December 14, 2012

All 3 "top of the news" stories this week illustrate an important
security trend: Internet facing control systems are becoming much more
prevalent allowing easy exploitation of disclosed vulnerabilities for
disruption as well as back door access to other corporate systems. Many
IT security organizations are not even aware of vulnerable
implementations of building management systems, control systems
associated with facility utilities, and data center HVACs. Have a
discussion with your facilities organization about these systems and
consider connections back to your business systems and potential
consequences if they are compromised. Control system security is not
exclusive to power or heavy industry. Mike Assante, who served as CSO
at both American Electric Power and at NERC (the North American
Electric Reliability Corporation that runs the electric grid in Canada
and the U.S.) has assembled a consortium of the U.S. and Europe's top
people in industrial control systems to help organizations forge an
active defense strategy to get ahead of this problem. He'll be chairing
a workshop and training program in Orlando in February for everyone who
has a stake in industrial control systems and operational technology
security. If you have a substantive role and want an invitation, see
http://www.sans.org/event/north-american-scada-2013.

Alan

PS. SANS 2013 will also be in Orlando, but in early March. It is the
largest training program in cyber security anywhere in the world, with
more than 40 immersion courses, and also includes the NetWars
competition for attendees who want to play, a huge SANS at night
conference - at no cost to course attendees - that is equal to or better
in quality and value than any day-time security conference.
http://www.sans.org/event/sans-2013

---

TOP OF THE NEWS

New Jersey Control System Exploited Due To Lack of Due Diligence In Perimeter Security
German Power Grid Operator Hit With DDoS Attack
Web-based SCADA Gathers More Fans

THE REST OF THE WEEK'S NEWS

UK Police Arrest Three in Connection with Ransomware Scam
SMS Trojan Targets Mac Users
Four Convicted in Pump-and-Dump Spam Operation, But Spammers Not Named
Microsoft Launches Anti-Piracy Campaign in China
Japanese Police Offering Reward for Hacker's Arrest
Report From McAfee Supports RSA's Earlier Findings About Project Blitzkrieg
Federal Appeals Court Says Non-Harmful Phone Spoofing is Okay
IE Flaw Allows Cursor Tracking
Agencies Need More Mobile Technology Guidance
Microsoft and Adobe Issue Security Updates
Facebook Helps FBI Take Down Botnet
Dexter Malware Steals Payment Card Data from Point-of-Sale Computers

---

************************* SPONSORED BY Invincea ***************************
You have a spear-phishing problem - there IS a solution. GSN recently named it "Best Anti-malware Solution" and the NSA recently put it through its paces. Invincea puts your users in a bubble when they go out to the internet or open an attachment. Make this the last link you click unprotected - take a free trial! http://www.sans.org/info/119295
****************************************************************************
TRAINING UPDATE
- --SANS Security East 2013 New Orleans, LA January 16-23, 2013 11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

- --North American SCADA and Process Control Summit 2013 Lake Buena Vista, FL February 6-13, 2013 The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. The Security Summit is an action conference designed so that every attendee leaves with new tools and techniques they can put to work immediately when they return to their office. The Summit is the place to come and interact with top SCADA experts, key government personnel, researchers and asset owners at the multiple special networking events. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --SANS 2013 Orlando, FL March 8-March 15, 2013 46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Anaheim, New Delhi, Brussels, and Johannesburg all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
***************************************************************************

---

TOP OF THE NEWS

New Jersey Control System Exploited Due To Lack of Due Diligence In Perimeter Security (December 13, 2012)

Using information obtained online, hackers gained access to a New Jersey company's internal heating and air conditioning system. The attackers exploited a backdoor in an older version of the Niagara AX Framework software, which is used by many organizations, including the Pentagon, the FBI, and the Internal Revenue Service (IRS). They were able to view floor plan layouts of the office. The "Niagara control box was directly connected to the Internet with no ... firewall." The incident was revealed in an FBI memo that was recently made public. The breach occurred in February and March 2012.
-http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system
-using-backdoor-exploit/
-http://www.wired.com/threatlevel/2012/12/hackers-breach-ics/
[Editor's Note (Assante): Technology and business trends are driving more and deeper access to control systems. Community efforts like ISA-99 have developed recommended secure architectures and models that rely upon layers of segmentation. These practices may be difficult to support as newer technology enables better business. ICS supplier and asset owner security teams need to embrace component-level and application security as the need to harden the traditionally softer core is upon us. (Join us in Orlando in early February to see how this can and is being done:
-http://www.sans.org/event/north-american-scada-2013)
(Henry): We've been talking about ICS risk for a number of years, with few publicized examples of compromise; I think we'll see these types of breaches increasing in frequency in the coming year, as awareness of the vulnerabilities increase and adversaries look for new attack vectors. ]

German Power Grid Operator Hit With DDoS Attack (December 12, 2012)

50Hertz, a German power utility grid operator, was hit with a distributed denial-of-service (DDoS) attack late last month. For a short while, the company's Internet communications systems were unusable. Those issues were addressed quickly, but it took five days to develop and implement a fix to stave off the attack altogether. The attack did not affect electricity supplies. This is the first confirmed digital attack against a European grid operator.
-http://www.h-online.com/security/news/item/Power-grid-operators-attacked-via-DDo
S-1767170.html
-http://www.euractiv.com/energy/european-renewable-power-grid-ro-news-516541
[Editor's Not (McBride): Energy companies in the USA and abroad have been named as targets of attack by DDoS-wielding groups for some time. For example, the EDF Website was reportedly taken offline for about five hours in June 2011 (
-http://www.spiegel.de/netzwelt/web/website-lahmgelegt-hacker-greifen-franzoesisc
hen-atomkonzern-an-a-766703.html).
Attacks on internet facing systems are not likely to affect energy operations, in most circumstances. ]

Web-based SCADA Gathers More Fans (December 5, 2012)

A summary of the trends that affect/afflict SCADA systems today. On one hand there is cause for concern as "common" attacks now work against these systems. On the other hand, there is a small, growing body of security professionals that at least have experience dealing with the technology.
-http://www.automationworld.com/control/web-based-scada-gathers-more-fans

---

************************* Sponsored Links: ********************************
1) Whitepaper: Enhancing Security Through a Trust-Based Approach - Advanced Threats Require Advanced Weapons. Learn More http://www.sans.org/info/119300
2) Supporting Packet Decryption for Security Scanning by Dave Shackleford http://www.sans.org/info/119305
3) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/119310
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK Police Arrest Three in Connection with Ransomware Scam (December 13, 2012)

Police in the UK have arrested three people in connection with a ransomware scheme. The group used the malware to freeze the victims' computers and display a pop-up message that appeared to be from police warning them that the action had been taken because the victims had done something illegal. The scammers told their victims that they could unfreeze their computers by paying a "fine" using pre-paid cash cards or a money transfer system
-http://www.net-security.org/secworld.php?id=14114
-http://www.computeractive.co.uk/ca/news/2231781/uk-police-operation-leads-to-arr
est-of-blackmailing-ransomware-criminals

SMS Trojan Targets Mac Users (December 11, 12, & 13, 2012)

A new variant of the SMSSend Trojan is targeting Mac users. The malware disguises itself as an app called VKMusic 4 Mac. The installer asks users to enter their cell phone numbers as part of the registration process. If users respond to the text message they receive, they will find premium charges added to their mobile phone bills. Apple has added definitions for the malware to its blacklist.
-http://arstechnica.com/security/2012/12/new-mac-trojan-tricks-users-into-paying-
pricey-cell-phone-fees/
-http://www.net-security.org/malware_news.php?id=2358
-http://news.drweb.com/show/?i=3138
-http://www.macrumors.com/2012/12/13/apple-quickly-updates-malware-definitions-to
-detect-new-sms-scam-trojan/

Four Convicted in Pump-and-Dump Spam Operation, But Spammers Not Named (December 13, 2012)

The US Justice Department (DOJ) has obtained securities fraud convictions against three men who ran a pump-and-dump stock scheme. While those who orchestrated the operation were tried and convicted, the supporting players - the botmasters and spammers who helped the group get their phony messages out to a broad audience - were not. Brian Krebs recognized the online moniker of one of the spammers and has drawn connections between that handle and other spamming operations. The spammers were paid more than US $1.4 million through eGold and money wires over the course of the operation.
-http://krebsonsecurity.com/2012/12/feds-convict-stock-scammers-overlook-spammers
/
-http://www.justice.gov/usao/nj/Press/files/Rad,%20Christopher%20Verdict%20PR.htm
l

Microsoft Launches Anti-Piracy Campaign in China (December 13, 2012)

With the hope of raising awareness about the risks associated with pirated software, Microsoft has started an anti-piracy campaign in China. Microsoft investigated the prevalence of counterfeit software in China by purchasing 169 PCs from a variety of stores there. All of the machines had pirated versions of Windows installed, and 91 percent were found to contain malware and security vulnerabilities as well, including browsers that had been set to send users to phishing sites. More than two-thirds of the machines had Windows Update, Windows Firewall, and user account control warnings disabled. Microsoft has notified some of the resellers in Beijing of its findings.
-http://www.computerworld.com/s/article/9234657/Microsoft_Most_PCs_running_pirate
d_Windows_in_China_have_security_issues?taxonomyId=17
[Editor's Note (Pescatore): The security person part of me agrees: "Yes, supply chain integrity is important, pirated software does have much higher incidences of malware or mal-configuration." The PC user side of me says, "The legitimate versions of Windows that come on PCs include so much bloatware and configurations set to steer the user towards advertising and other privacy-sucking sites that I'm not sure there is much difference." ]

Japanese Police Offering Reward for Hacker's Arrest (December 13, 2012)

Police in Japan are offering a reward of up to three million yen (US $36,000) for information leading to the arrest of a certain unknown hacker. Earlier this year, police arrested four people in connection with a series of threatening messages posted to public bulletin boards. It turned out that the computers of those four individuals had been hacked and used to post the messages. The reward poster lists the attacker's skills, which include the ability to code in C# to create malware known as iesys.exe and use of a "Syberian Post Office" to post messages to bulletin boards anonymously.
-http://www.computerworld.com/s/article/9234658/Japan_police_offer_first_ever_rew
ard_for_wanted_hacker?taxonomyId=17

Report From McAfee Supports RSA's Earlier Findings About Project Blitzkrieg (December 13, 2012)

According to a report from the security company McAfee, hackers have planned a major cyberattack on 30 banks in the US for the spring of 2013. The report from McAfee supports an October report released by RSA, which described a plan by cyberthieves to use a sophisticated Trojan horse program to steal huge sums of money from US bank accounts. The operation, dubbed Project Blitzkrieg, was reportedly tested on more than 300 banks.
-http://money.cnn.com/2012/12/13/technology/security/bank-cyberattack-blitzkrieg/
index.html
-http://krebsonsecurity.com/2012/12/new-findings-lend-credence-to-project-blitzkr
ieg/
[Editor's Comment (Northcutt): Bruce Schneier said it best, authenticate the transaction, not just the user:
-http://www.schneier.com/blog/archives/2012/02/the_failure_of_2.html]

Federal Appeals Court Says Non-Harmful Phone Spoofing is Okay (December 13, 2012)

A US federal appeals court has ruled that phone spoofing is okay as long as it is "non-harmful." The ruling invalidates a 2010 Mississippi law forbidding any type of phone spoofing, which is the practice of disguising a caller's identification to the person being called. The case involved two companies that provide spoofing services. One of the companies offers a card that can be used to disguise a caller's identity so that companies can test their own customer service representatives by pretending to be their customers. "Non-harmful" spoofing is defined as being conducted without "intent to defraud, cause harm, or wrongfully obtain anything of value."
-http://www.wired.com/threatlevel/2012/12/phone-spoofing/
-http://www.wired.com/images_blogs/threatlevel/2012/12/spoofphone.pdf

IE Flaw Allows Cursor Tracking (December 12, 2012)

A vulnerability in Internet Explorer (IE) lets attackers see the position of users' mouse cursors. The company that detected the problem says that several web analytics companies are using the hole to track users' cursor movements. The information can be used to help determine whether or not users are seeing advertisements on various parts of web pages. The flaw could also be exploited to steal data users enter from virtual keyboards and keypads. Microsoft has acknowledged the issue and says there are no immediate plans for a fix. The issue affects all versions of IE from 6.0 onward.
-http://www.wired.co.uk/news/archive/2012-12/12/ie-vulnerability-mouse-tracking
-http://www.zdnet.com/ie-flaw-allows-attackers-advertisers-to-track-cursor-moveme
nt-7000008652/
-http://www.h-online.com/security/news/item/Internet-Explorer-rats-out-the-mouse-
Update-1767877.html
-http://www.theregister.co.uk/2012/12/12/ie_stupidly_exposes_cursor_movements/

Agencies Need More Mobile Technology Guidance (December 12, 2012)

US government agencies want guidance about mobile technology, according to a report from the Federal CIO Council titled "Government Use of Mobile Technology." Without centralized guidance regarding security, policy, and other matters, agencies could waste money and place sensitive information at risk. Guidance will be especially useful for agencies seeking to develop bring-your-own-device (BYOD) policies.
-http://www.nextgov.com/cloud-computing/2012/12/agencies-seek-more-guidance-mobil
e/60121/?oref=ng-HPtopstory
-https://cio.gov/wp-content/uploads/downloads/2012/12/Government_Mobile_Technolog
y_Barriers_Opportunities_and_Gaps.pdf
[Editor's Note (Murray): Guidance from whom? With what authority? At what cost? In any case, this is not a technology problem; it is a data problem. Government wrote the book on data classification and protection. They know what to do; they just do not want to do it. They do not want guidance; they want forgiveness. ]

Microsoft and Adobe Issue Security Updates (December 12, 2012)

Microsoft and Adobe have both issued security updates for their products. On Tuesday, December 11, Microsoft issued seven security bulletins to address a total of 12 vulnerabilities, including a fix for a critical flaw in Rich Text Format processing in Microsoft Word. Another critical bulletin addresses several flaws in Internet Explorer 9 and 10. Adobe has released security updates to address critical flaws in Flash Player and the company's AIR software.
-http://www.theregister.co.uk/2012/12/12/dec_patch_tuesday/
-http://www.computerworld.com/s/article/9234598/Microsoft_quashes_critical_bugs_i
n_IE10_Windows_8_Word?taxonomyId=17
-http://krebsonsecurity.com/2012/12/critical-updates-for-flash-player-microsoft-w
indows/
-http://www.h-online.com/security/news/item/Adobe-updates-Flash-Player-and-Cold-F
usion-1767017.html
-http://www.h-online.com/security/news/item/Microsoft-s-patch-package-includes-cr
itical-Word-http://www.zdnet.com/microsoft-fixes-critical-windows-8-ie10-flaws-f
or-patch-tuesday-7000008636/fix-1766834.html
-http://technet.microsoft.com/en-us/security/bulletin/ms12-dec
[Editor's Note (Shpantzer): Adobe is to infosec as Tampa socialites are to four-star Generals. ]

Facebook Helps FBI Take Down Botnet (December 11 & 12, 2012)

Facebook helped the FBI with a botnet takedown operation that resulted in the arrests of 10 people from seven countries. This botnet, a variant of the Butterfly botnet, targeted Facebook users. It infected more than 11 million computers with the Yahos malware and caused over US $850 million in losses through stealing financial account and other personal information. Facebook helped authorities determine the source of the attacks and identifying users who had been affected by the botnet.
-http://www.computerworld.com/s/article/9234617/US_law_enforcement_busts_cybercri
me_rings_with_help_from_Facebook?taxonomyId=17
-http://www.bbc.co.uk/news/technology-20693213
-http://news.cnet.com/8301-1009_3-57558654-83/facebook-helps-fbi-take-down-$850m-
botnet-crime-ring/
-http://arstechnica.com/tech-policy/2012/12/fbi-snares-850-million-butterfly-botn
et-ring-with-help-of-facebook/
-http://www.zdnet.com/facebook-helps-fbi-smash-global-11-million-strong-botnet-70
00008671/
-http://www.gsnmagazine.com/node/28021?c=cyber_security
[Editor's Note (Henry): The FBI has successfully partnered with industry in the past to facilitate attribution and to mitigate adversary infrastructure. This collaboration is required for continued success, as the private sector owns the majority of the networks, and the critical intelligence contained therein. ]

Dexter Malware Steals Payment Card Data from Point-of-Sale Computers (December 11, 2012)

Malware, known as Dexter, steals payment card data from point-of-sale terminals. Dexter has infected devices at many well-known retailers, hotels, restaurants, and other businesses in 40 countries. It targets Window-based systems. Dexter sends the data it collects to a server in the Seychelles, where the valuable data are identified and culled. Targeting point-of-sale machines is more efficient than trying to infect thousands of individuals' computers.
-http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/
240144190/dexter-directly-attacks-point-of-sale-systems.html
-http://arstechnica.com/security/2012/12/dexter-malware-steals-credit-card-data-f
rom-point-of-sale-terminals/
-http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html

---

************************************************************************

The Editorial Board of SANS NewsBites

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/