

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #25

March 29, 2013


Four amazing new security courses for serious Windows-using enterprises and for people moving beyond basic web app pen testing:
SEC505: Securing Windows and Resisting Malware
FOR526: Windows Memory Forensics In-Depth
SEC642: Advanced Web App Penetration Testing and Ethical Hacking
MGT415: A Practical Introduction to Risk Assessment

Attend any of these 4 new courses (or 30 other immersion courses) in
-- San Diego in May: http://www.sans.org/event/security-west-2013; or
-- Washington at SANSFIRE in June: http://www.sans.org/event/sansfire-2013

SANSFIRE's evening sessions, free for attendees, and presented primarily by the Internet Storm Center handlers, are richer and more up to date and authoritative than sessions at most other security conferences.
Alan

TOP OF THE NEWS

Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity
Social Media World Discovers Cyber Security Competitions
Court Says Bank is Not Liable for Fraudulent US $440,000 ACH Transaction

THE REST OF THE WEEK'S NEWS

"First" Android Trojan
Five-Year Sentence in Phishing Scheme
Spamhaus Targeted in "Largest DDoS Attack Ever"
Wisconsin Man Charged in DDoS Attack
Wells Fargo Site Targeted in DDoS Attack
Three Arrested in Egypt for Trying to Cut Undersea Cable
Public/Private Partnership in UK Will Help Guard Against Cyberthreats
Feds' Use of StingRay Cell Phone Tower Simulator Concerns Privacy Advocates
Bill Would Require Breach Notification and Increase Penalties for Cybercrimes
Funding Law Places Restrictions on Federal IT Purchases from Chinese Companies


*********************** SPONSORED BY INVINCEA *****************************
Spear-phishing, watering hole attacks and drive-bys should be a primary concern. Your users are the favorite target and attacks are coming at them from every angle. Take a look at how legitimate sites such as Speedtest.net and The National Journal have recently been used to push 0days, how these attacks were spotted and stopped in the wild...and how you can fight back!
http://www.sans.org/info/128287
****************************************************************************
TRAINING UPDATE

-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013

-- SANSFIRE 2012 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013

-- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit

-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013

-- Looking for training in your own community?
http://www.sans.org/community/

-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus New Delhi, Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity (March 27, 2013)

A new report from the National Academy of Public Administration (led by Karen Evans, and Frank Reeder) provides a "framework to spur the creation of a more effective approach to cybersecurity evaluation." While some U.S. government agencies are moving forward with continuous monitoring and other practices that have a discernible effect on the security of their systems, others are stuck in a compliance model that generates reams of paper in reports but does little to improve their cybersecurity stance. The report does not call for new cybersecurity legislation, but instead offers a roadmap for transforming compliance procedures within the existing Federal Information Security Management Act (FISMA).
-http://www.federalnewsradio.com/241/3264785/Report-offers-pathway-for-cyber-reform-without-legislation
-http://fcw.com/articles/2013/03/27/cybersecurity-without-congress.aspx
-http://www.safegov.org/media/46155/measuring_what_matters_final.pdf
[Editor's Note (Paller): Progress in federal cybersecurity effectiveness depends on the federal inspectors general (IGs) measuring actual security rather than counting less-important, but easy to find, compliance artifacts. OMB action to guide that IG transformation has been desperately needed for at least 6 years; every month OMB delays puts the U.S. another month further behind in the cyber defense race. Perhaps this report will make a difference.
(Pescatore): The underlying guidance to federal Inspectors General (OMB A-130, Appendix III) hasn't been updated since 1999 and better guidance is badly needed. The NAPA paper does say: "Before implementing this approach, agencies must establish and demonstrate that they can manage a cybersecurity and data protection baseline by implementing: Critical security controls; and, Automated continuous monitoring, diagnostics and mitigation." But I'd rather see the IGs focused on auditing security process maturity than estimating risk, and that other mechanisms be required for actually testing and verifying that critical security controls are effective.
(Henry): Continuous monitoring of networks...constantly "hunting" for the adversary...is the most effective way for organizations to reduce the impact from targeted attacks. Assume they're already in. The old performance metric used to be "have you kept the adversary out of the network?"; the new measure today must be "how soon after they make access before we discover them?". That time frame can't be two weeks, two months, or two years. It needs to be two minutes, to minimize the consequences of a breach. ]

Social Media World Discovers Cyber Security Competitions (March 28, 2013)

Mashable, the principal news source in the social media world, focused this week on the Cyber Aces competitions that identify "players" with the skills necessary to be leaders in the quickly evolving world of cybersecurity. The competition seeks innovative thinkers, "the hunters and the tool builders." Participants include high school and college students as well as people with PhDs and military veterans. Competition winners receive a scholarship for additional, high-level training.
-http://mashable.com/2013/03/28/cyber-aces/
USA Today's op-ed piece today on where these competitions and colleges fit in the national cybersecurity manpower development pipeline.
-http://www.usatoday.com/story/tech/2013/03/28/cyberwar-obama-executive-order-training-troops/2029309/
[Editor's Note (Murray): One expects the security of the world to be in the hands of mature professionals, not puppies, no matter how bright and shiny.
(Paller): Balderdash, Bill Murray. Under your strategy, soldiers in armies would be drawn from the ranks of senior citizens. Age doesn't define effectiveness - relevant, operational experience does - thousands of hours of hands-on experience cleaning up after today's attacks, finding and analyzing the malicious code, generating active, responsive defenses. You'll find a lot more people in their 20s with thousands of hours of relevant experience than people in their 50s and 60s. ]

Court Says Bank is Not Liable for Fraudulent US $440,000 ACH Transaction (March 26, 2013)

A court in Missouri has ruled that Choice Escrow and Title LLC, which lost US $440,000 in a single fraudulent automated clearinghouse (ACH) transaction in March 2010, cannot hold its financial institution liable for the loss. Choice filed a lawsuit against Bancorp South in November 2010, alleging that Bancorp did not employ adequate security measures and that it should have noticed that the transfer request came from outside the country, an anomaly for Choice. Bancorp countersued, saying that the wire transfer request was made using legitimate account access credentials through an IP address associated with Choice's bank account. The US District Court for the Western District of Missouri said that despite having been warned about just this sort of attack, Choice did not adhere to Bancorp's recommended security procedures to require two people to approve wire requests. Choice also declined to put a daily limit on wire transfers.
-http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/
-http://www.computerworld.com/s/article/9237919/Victim_of_440K_wire_fraud_can_t_blame_bank_for_loss_judge_rules?taxonomyId=17
-http://krebsonsecurity.com/wp-content/uploads/2013/03/Choice-Escrow-SJ-Decision-031813.pdf
[Editor's Note (Murray): I tend to agree with Krebs that, at least in the general case, dual authorization alone is not commercially reasonable. However, in this case it might well have prevented the loss. On the other hand, the question of commercially reasonable was not considered. Rather, the decision turned on the Article 4a in the UCC which governs the duties of the parties in contract when the security offered is NOT commercially reasonable. I tend to agree with Krebs that the case is not likely to be appealed. However, it is unlikely to set a dangerous precedent, one that might reduce the fundamental responsibility of banks to ensure that transactions are properly authorized.
(Paller): This decision will encourage more banks to refuse to pay for the losses of nearly all small businesses and not-for-profits that are victims of ACH fraud, and may even spill over to persuade some banks to try to make their individual customers (non-business) accountable for their losses. ]


*************************** Sponsored Links: ******************************
1) Attend the SANS 20 Critical Security Control Briefing, Thursday, April 18, 2013 in Washington, DC at the JW Marriott. Tony Sager and John Pescatore will provide an overview of the 20CC, showcase the 20CC In Action, and also moderate a Vendor Panel. Event is free to Government attendees. For more information go to http://www.sans.org/info/128292 To register for this event via simulcast, visit http://www.sans.org/info/128297

2) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad! http://www.sans.org/info/128302

3) Analyst Webcast: NAC Applied to SANS Critical Security Controls Wednesday, April 03, 2013 at 1:00 PM EDT (1700 UTC/GMT) Featuring: G. Mark Hardy and Scott Gordon. http://www.sans.org/info/128307
*****************************************************************************

THE REST OF THE WEEK'S NEWS

"First" Android Trojan (March 26 & 28, 2013)

Researchers have identified what is believed to be the first instance of in-the-wild Android malware used to launch targeted attacks. The attacks appear to have been launched by attackers who gained access to a Tibetan activist's email account and used it to send spear phishing messages to other people. The messages were accompanied by a malicious attachment.
-http://www.h-online.com/security/news/item/Tibetan-phishing-attack-now-comes-with-Android-Trojan-1832159.html
-http://www.informationweek.com/security/mobile/android-malware-infects-activists-phones/240151714

Five-Year Sentence in Phishing Scheme (March 26, 2013)

A court in Connecticut has sentenced Cristian Busca to five years in prison for his role in a phishing scheme. Busca, who is from Romania, was extradited to the US in December 2011 and pleaded guilty to conspiracy to commit access fraud in November 2012. According to US prosecutors, Busca was found in possession of more than 10,000 stolen credit card account numbers. Busca's arrest and sentence are part of a seven-year US Department of Justice investigation; charges were brought against 19 people from Romania; nine have yet to be arrested.
-http://www.computerworld.com/s/article/9237917/Romanian_citizen_sentenced_to_five_years_in_phishing_scheme?taxonomyId=17

Spamhaus Targeted in "Largest DDoS Attack Ever" (March 27 & 28, 2013)

Since the middle of March, anti-spam organization Spamhaus has found its systems under what is being called the largest ever distributed denial-of-service (DDoS) attack. Most DDoS attacks generate traffic volumes of between four Gbps and 10 Gbps. At its peak, the attack on Spamhaus generated traffic at 300 Gbps. The attack is believed to have slowed Internet traffic in Europe. The hackers took advantage of misconfigured Domain Name System (DNS) servers to amplify the power of the attack.
Internet Storm Center:
-http://isc.sans.edu/diary/Where+Were+You+During+the+Great+DDoS+Cybergeddon+of+2013+/15496
-http://www.scmagazine.com/alleged-fight-between-anti-spam-group-and-blacklisted-company-incites-massive-ddos/article/286348/
-http://www.h-online.com/security/news/item/Large-scale-DNS-DDoS-attack-on-Spamhaus-1831807.html
-http://www.eweek.com/security/largest-ever-ddos-campaign-demonstrates-danger-of-new-attack-method/
-http://www.zdnet.com/the-largest-ddos-attack-didnt-break-the-internet-but-it-did-try-7000013225/
-http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/240151862/misconfigured-open-dns-servers-used-in-record-breaking-ddos-attack.html
-http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/
-http://www.computerworld.com/s/article/9237951/Spamhaus_attacks_expose_huge_open_DNS_server_dangers?taxonomyId=17

[Guest Editor's Note (John Bambenek - ISC Handler): The media coverage has been highly sensationalized. For instance, the ZDNet link headline: this DDoS did not attempt to break "the internet"; it knocked one provider offline. Everyone else on the Internet was a bystander.
(Pescatore): DDoS attacks are real but there is a lot of hype. The "biggest DDoS attack ever" is about as meaningless a phrase as "the world's hottest coffee." ]

Wisconsin Man Charged in DDoS Attack (March 26, 27 & 28, 2013)

A Wisconsin man has been charged in connection with a 2011 cyberattack on Koch Industries that is believed to have been orchestrated by the Anonymous hacking collective. Eric J. Rosol allegedly participated in the Low Orbit Ion Cannon attack on a website belonging to the conglomerate. The indictment indicates that Rosol installed the Low Orbit Ion Cannon on his computer to help with the attacks.
-http://www.v3.co.uk/v3-uk/news/2258020/hacker-indicted-in-2011-koch-industries-attack
-http://arstechnica.com/tech-policy/2013/03/two-years-after-anon-kochblock-wisconsin-man-charged-with-ddos/
-http://www.justice.gov/usao/ks/PressReleases/2013/March2013/March26a.html

Wells Fargo Site Targeted in DDoS Attack (March 26 & 27, 2013)

The Wells Fargo website was hit with a distributed denial-of-service (DDoS) attack earlier this week. The attack caused intermittent problems with the site's availability to customers. The attack is likely part of an orchestrated series of deliberate attacks on US banks in protest of a YouTube video. A problem with the banks' debit cards the following day appears to be unrelated to the attack.
-http://news.investors.com/business/032713-649536-wells-fargo-headaches-cyberattack-debit-card-bug.htm
-http://www.computerworld.com/s/article/9237916/Wells_Fargo_warns_of_ongoing_DDOS_attacks?taxonomyId=17
-http://www.latimes.com/business/money/la-fi-mo-wells-fargo-cyber-attack-20130326,0,7634359.story
-http://news.cnet.com/8301-1009_3-57576523-83/wells-fargo-site-hit-by-denial-of-service-attack/
-http://www.informationweek.com/security/attacks/bank-ddos-attacks-resume-wells-fargo-con/240151825

Three Arrested in Egypt for Trying to Cut Undersea Cable (March 27 & 28, 2013)

Authorities in Egypt have arrested three people for allegedly attempting to sever an undersea Internet cable. The divers, who were operating from a small, inflatable craft, were arrested just off the coast of the Egyptian port city of Alexandria; police say the three were apprehended in the midst of trying to cut the cables that belong to an Egyptian telecommunications company. Earlier reports from African Internet authority Seacom said that damage to the cable was "most probably caused by a larger vessel dragging its anchor across the seabed," but the damage now appears to have been deliberate.
-http://www.bbc.co.uk/news/world-middle-east-21963100
-http://www.v3.co.uk/v3-uk/news/2258023/egypt-arrests-trio-in-cablecutting-attempt
-http://www.theregister.co.uk/2013/03/27/egypt_cables_cut_arrest/
[Editor's Comment (Northcutt): There have been a number of cable failures in this area before, more often in the Mediterranean than the Red Sea. Sure will be nice to learn what the motive is. This is also a fairly significant problem in California; try to never run copper and fiber together outside of your buildings:
-http://en.wikipedia.org/wiki/2008_submarine_cable_disruption
-http://www.kmud.org/news-humboldt-california/safety-a-public-awareness/item/2875-felony-vandalism-fiber-optic-cables-cut-and-removed.html
-http://www.redding.com/news/2012/nov/21/vandals-cut-charter-communications-cable-crash/
-http://www.utsandiego.com/news/2012/apr/24/thieves-steal-copper-and-fiber-optic-cables-alpine/
-http://www.fiercetelecom.com/story/t-tweets-california-fiber-cut/2009-04-10 ]

Public/Private Partnership in UK Will Help Guard Against Cyberthreats (March 27 & 28, 2013)

The UK has launched a public/private partnership to help protect IT systems from cyberattacks. The Cyber Security Information Sharing Partnership will improve the speed with which cyberthreat information is shared so that preventive and defensive action can be taken.
-http://www.zdnet.com/uk/uk-launches-fusion-cell-to-head-off-cyber-attacks-7000013190/
[Editor's Note (Henry): The proof will be in the execution of this. "Public/Private Partnership" has been the catch phrase for years. If they're able to make changes that enable sharing of actionable intelligence, anonymously, at network speed, they'll do something nobody else yet has. ]

Feds' Use of StingRay Cell Phone Tower Simulator Concerns Privacy Advocates (March 27, 2013)

According to a document obtained under a Freedom of Information Act (FOIA) request, US federal investigators used a surveillance technique to gather information about suspects' whereabouts but did not provide details about the method to the judges who authorized the surveillance efforts. The device used to harvest location data is called StingRay and behaves as a de facto cellphone tower to detect mobile phones' serial numbers and their locations. StingRay also gathers information about other mobile phones in the vicinity of the suspect who is being tracked. Privacy groups are concerned that federal agents may not be fully informing the courts of their surveillance activities and that they may not be providing adequate evidence to justify the use of such an invasive tool. The US Justice Department says a warrant is unnecessary to use the cell tower simulator because they are not gathering the content of communications.
-http://www.washingtonpost.com/world/national-security/little-known-surveillance-tool-raises-concerns-by-judges-privacy-activists/2013/03/27/8b60e906-9712-11e2-97cd-3d8c1afe4f0f_story.html

Bill Would Require Breach Notification and Increase Penalties for Cybercrimes (March 26, 2013)

The US House Judiciary Committee is considering draft legislation that would require that organizations experiencing a security breach report the incident within two weeks of learning about it. A major breach would have to be disclosed within three days. The new requirements would apply to all companies that handle personal data except organizations already governed by Health Insurance Portability and Accountability Act (HIPAA) regulations, and certain financial institutions. One of the reasons for the proposed legislation is that organizations are subject to different requirements based on which industry they are a part of and which states they operate in. The bill would also increase maximum penalties for cybercrimes.
-http://www.nextgov.com/cybersecurity/2013/03/will-businesses-be-forced-say-if-theyve-been-hacked/62088/?oref=ng-channelriver
-http://www.scmagazine.com/draft-of-cyber-bill-exacerbates-flaws-of-anti-hacking-law/article/286146/
-http://thehill.com/blogs/hillicon-valley/technology/290103-draft-cybersecurity-bill-aims-to-stiffen-computer-hacking-law

Text of proposed legislation:
-http://www.scribd.com/doc/132249133/House-Judiciary-Committee-discussion-draft

Funding Law Places Restrictions on Federal IT Purchases from Chinese Companies (March 26, 27, & 28, 2013)

A US Congressional spending bill requires certain federal agencies to obtain explicit approval to purchase information technology products from companies linked to China. The law calls for authorities to look closely at all IT system purchases made by the agencies to reduce the risk of cyberespionage and sabotage.
-http://www.v3.co.uk/v3-uk/news/2258009/congressional-bill-aims-to-snuff-out-us-government-use-of-chinese-tech
-http://www.informationweek.com/government/security/congress-curtails-government-it-purchase/240151739
-http://www.computerworld.com/s/article/9237947/U.S._to_scrutinize_IT_system_purchases_with_ties_to_China?taxonomyId=17



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/