SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #26

April 02, 2013

TOP OF THE NEWS

Attacks on US Financial Institutions Continue
US Federal Court Hearing Stingray Case
Russian Government Blocking Websites
Ransomware References Browser History

THE REST OF THE WEEK'S NEWS

Illinois Governor Launches Cybersecurity Competition
DHS and FBI Warn of Telephony DoS Attacks on Public Safety Answering Points
Judge Says First Sale Doctrine Does Not Apply to Digital Content
Appeals Court Says Broadcast Streaming Company Can Continue to Operate
Sprint Nextel-SoftBank Merger Dependent on US Oversight of Networking Equipment
BIND DNS Vulnerability
Documentary Filmmakers' Computers Hacked While Working on Tibet Project
Forty-four Arrested in Connection with Payment Card Fraud Ring
Prison Sentence for Theft of Sensitive Military Information

---

*********************** SPONSORED BY SANS ********************************
Attend the SANS 20 Critical Security Control Briefing, Thursday, April 18, 2013 in Washington, DC at the JW Marriott. Tony Sager and John Pescatore will provide an overview of the 20 CSC, showcase the 20 CSC In Action, and also moderate a Vendor Panel. Event is free to Government attendees. For more information go to http://www.sans.org/info/128292 To register for this event via simulcast, visit http://www.sans.org/info/128297
***************************************************************************
TRAINING UPDATE

- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations. http://www.sans.org/event/cyber-guardian-2013


- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2012 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials

Plus Seoul, Bangalore, Johannesburg, and Malaysia all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Attacks on US Financial Institutions Continue (March 29 & 30, 2013)

A group claiming responsibility for a recent distributed denial-of-service (DDoS) attack against the American Express website is the same one that has been targeting US financial institutions since September 2012. While the primary focus of the group's efforts appears to be crippling the banks' websites, there is concern that the attacks could provide a cover for fraudulent transactions.
-http://arstechnica.com/security/2013/03/funded-hacktivism-or-cyber-terrorists-am
ex-attackers-have-big-bankroll/
-http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service
-hack/2030197/
[Editor's Note (Henry): Six months and counting. Those darn financial institutions must not have invested enough money in security. You have to build a bigger firewall..."higher, higher!!" (For those who can't read through my snark, these type of attacks will continue as long as the adversary wants them to...unless the attackers are stopped.) ]

US Federal Court Hearing Stingray Case (March 29, 2013)

A federal court in Arizona is hearing a case regarding the use of Stingray, a surveillance technology that simulates a cellphone tower to collect suspects' location data. The technology has raised concern among privacy advocates because it gathers information about everyone in the vicinity who is using a wireless communication device. The case involves a man accused of identity theft and tax fraud; the American Civil Liberties Union (ACLU) argued before the court that the use of Stingray violated the defendant's Fourth Amendment protections. The court is expected to make a ruling in the next several weeks, which will determine whether the evidence collected with Stingray is admissible. The lawyers for the defense are also seeking to clarify whether or not the government included information about Stingray in a warrant it used to collect the information, and if so, whether it was clear to the judge how the technology worked.
-http://www.theregister.co.uk/2013/03/29/fbi_stingray_mobile_tracking/
-http://www.wired.com/threatlevel/2013/03/gov-fights-stingray-case/
-http://www.scmagazine.com/federal-judge-to-weigh-in-on-fbis-stingray-cell-phone-
surveillance/article/286729/
[Editor's Note (Murray): The DoJ has given assurance that it has changed its policy. Going forward it will seek warrants in questionable cases. This would seem to represent a departure from the policy of the last four years, where the DoJ has insisted that warrants were not required when using novel forensic technology or techniques. ]

Russian Government Blocking Websites (April 1, 2013)

The Russian government is making good use of a law that took effect in November that allows it to block websites deemed illegal or harmful to children. The government has used the law to issue takedown requests to major social networking sites such as Facebook and Twitter.
-http://news.cnet.com/8301-1009_3-57577239-83/russian-government-selectively-bloc
ks-site-access/

Ransomware References Browser History (April 1, 2013)

A new variant of ransomware cites the browser history of infected computers to lend more credence to the initial message's authenticity. The message accompanying this new variant appears to be from the US Department of Justice, the Department of Homeland Security, and the FBI, and says that the target's computer has been used to download and share pornography. The malware checks the computer's browsing history against a list of websites associated with the illegal content and if a match is found, names the sites that have been visited on that computer.
-http://www.computerworld.com/s/article/9238040/Ransomware_leverages_victims_39_b
rowser_histories_for_increased_credibility?taxonomyId=17
[Editor's Note (Ullrich): Mass customized social malware. Increasingly we are seeing that malware tries to become "smart" and customizes its sales pitch by harvesting information from social networks and from the victim's computer (as in this case).
(Henry): Using the victim's browser history to gain credibility for their fraud scheme is yet another example of adversaries changing and modifying their offensive techniques. As defenses develop (more signatures added to AV, enhanced user awareness, etc.), sophisticated adversaries raise the stakes...an electronic game of cat and mouse. ]

---

*************************** Sponsored Links: ******************************
1) Webcast! Meeting the need for speed (and resiliency) in Security Management Systems, Thursday, April 18 http://www.sans.org/info/128410

2) Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad! http://www.sans.org/info/128415
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Illinois Governor Launches Cybersecurity Competition (April 1, 2013)

Illinois Governor Pat Quinn has announced the Illinois Cyber Challenge. The competition aims to identify veterans and other people with interest in and talent for cybersecurity. The top finishers will have the opportunity for additional training and cybersecurity residencies. The competition is open to everyone.
-http://www.myfoxchicago.com/story/21845436/governor-illinois-pat-quinn-launches-
cyber-security-contest

DHS and FBI Warn of Telephony DoS Attacks on Public Safety Answering Points (April 1, 2013)

The US Department of Homeland Security (DHS) and the FBI have issued a warning to public safety call centers about telephony denial-of-service (TDoS) attacks. The recent attacks are part of a scheme in which companies receive a call from someone claiming to be from a payday loan company saying that they are collecting unpaid debt. When the organizations refuse to pay, their phone systems are hit with a debilitating flood of calls, which often prevent them from receiving and placing legitimate phone calls.
-http://krebsonsecurity.com/2013/04/dhs-warns-of-tdos-extortion-attacks-on-public
-emergency-networks/
-http://krebsonsecurity.com/wp-content/uploads/2013/04/DHSEM-16-SAU-01-LEO.pdf

Judge Says First Sale Doctrine Does Not Apply to Digital Content (April 1, 2013)

A federal judge in New York has issued a summary judgment, ruling that ReDigi, who opened a marketplace for people to resell digital music files, violates US copyright law. US District Judge Richard Sullivan said in his ruling that the first sale doctrine, which allows people in legal possession of copyrighted material the right to resell that material, does not apply to digital content. The judge's reasoning is that the transaction involves making an illegal copy of the file, despite ReDigi's assertion that this is not the case. The ruling means that digital resale marketplaces will have to obtain consent from copyright holders before reselling content.
-http://www.wired.com/threatlevel/2013/04/reselling-digital-goods/
-http://arstechnica.com/tech-policy/2013/04/can-i-resell-my-mp3s-redux-federal-ju
dge-says-no/
-http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1334&context=h
istorical
[Editor's Comment (Northcutt): This is going all the up to the Supreme Court I wager; here is the DOJ take on the subject:
-http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm01854.htm]

Appeals Court Says Broadcast Streaming Company Can Continue to Operate (April 1, 2013)

A three-judge panel of a US federal appeals court has rejected broadcasters' attempt to block Aereo, a subscription service that allows streaming of broadcast television to any Internet-enabled device. At least half a dozen television networks filed the initial lawsuit against Aereo, alleging that the company did not obtain licensing from them and that Aereo's service is tantamount to copyright infringement. The case is likely to be reheard with a larger panel of judges.
-http://www.wired.com/threatlevel/2013/04/cord-cutters-rejoice/
-http://arstechnica.com/tech-policy/2013/04/appeals-court-upholds-legality-of-aer
eos-tiny-antennas-scheme/
-http://www.usatoday.com/story/tech/2013/04/01/aereo-wins-appeals-court-ruling/20
42527/

Sprint Nextel-SoftBank Merger Dependent on US Oversight of Networking Equipment (March 29 & 31, 2013)

US approval of the SoftBank's pending acquisition of Sprint Nextel is being helped along by the companies' agreement to refrain from using Huawei networking equipment and allowing US national security officials to monitor equipment changes. SoftBank does not use Huawei equipment, and Sprint uses Huawei equipment in one of its subsidiaries; Sprint has said that it would replace the devices.
-http://arstechnica.com/security/2013/03/sprint-softbank-to-shun-chinese-networki
ng-equipment/
-http://www.eweek.com/mobile/huawei-network-security-becomes-issue-in-sprint-soft
bank-merger/
[Editor's Note (Ullrich): Why not include equipment made in China but sold under US brands? ]

BIND DNS Vulnerability (March 29, 2013)

A vulnerability in the BIND Domain Name System (DNS) software could be exploited to crash DNS servers. The problem lies in the way the libdns library processes regular expressions. The flaw affects BIND versions 9.7.x, 9.8.0 through 9.8.5b1, and 9.9.0 through 9.9.3b1 for Linux and UNIX systems. Windows versions are not affected. The Internet Systems Consortium, which maintains BIND, has released versions 9.9.2-P2 and 9.8.4-P2. BIND 9.7 is no longer being maintained.
-http://www.computerworld.com/s/article/9238002/Critical_denial_of_service_flaw_i
n_BIND_software_puts_DNS_servers_at_risk?taxonomyId=17
-http://www.h-online.com/security/news/item/Critical-vulnerability-in-BIND-9-regu
lar-expression-handling-1832816.html
-http://seclists.org/fulldisclosure/2013/Mar/252

Documentary Filmmakers' Computers Hacked While Working on Tibet Project (March 28, 2013)

While much attention is being paid to cyberespionage, the Chinese also appear to be using the Internet to suppress free speech. American filmmakers working on a documentary about human rights abuses in Tibet found themselves the target of cyberattacks. Before even arriving in the country, there was evidence that an unknown person was remotely controlling a crewmember's laptop. After their arrival in Tibet, a laptop was hacked, its operating system wiped, and a web site in Los Angeles associated with the filmmakers succumbed to a denial-of-service attack. The filmmakers believe that the Chinese government is behind the attacks; that country has a long history of quashing information about circumstances in Tibet.
-http://www.washingtonpost.com/world/national-security/tibet-taboo-leads-to-cyber
-assaults/2013/03/28/a6b8a0c2-8cae-11e2-b63f-f53fb9f2fcb4_story.html
[Editor's Note (Henry): I think it's important to recognize the extent to which adversaries will use cyber tools to advance many of their agendas...not necessarily just to pilfer data...and it is woven into our society and technology for as long as I can see. ]

Forty-four Arrested in Connection with Payment Card Fraud Ring (March 28 & April 1, 2013)

Law enforcement agents in Europe have arrested 44 people in connection with a payment card fraud ring. The investigation, dubbed Pandora-Storm, involved more than 400 police from 20 agencies in the US, Australia and Europe, including members of Europol and Romania's Cybercrime Unit.
-http://www.v3.co.uk/v3-uk/news/2258207/europol-smashes-romanian-credit-card-frau
d-gang
-http://www.computerworld.com/s/article/9237963/Authorities_bust_global_credit_ca
rd_fraud_network?taxonomyId=17
-http://www.esecurityplanet.com/hackers/europol-44-arrested-for-credit-card-fraud
.html
[Editor's Note (Honan): It is also great to see Europol's European Cybercrime Centre (EC3) having an impact after only being launched in January of this year. ]

Prison Sentence for Theft of Sensitive Military Information (March 25, 2013)

A Chinese citizen has been sentenced to 70 months in prison for stealing sensitive information from a US military contractor. Sixing Liu took thousands of files related to a device called a disk resonator gyroscope, which is used to help drones, missiles, and rockets find their targets without a satellite. Liu was employed as an engineer at L-3 Communications.
-http://articles.washingtonpost.com/2013-03-25/world/38006926_1_development-of-mi
litary-technologies-information-and-technologies-chinese-citizen
-http://www.dailyherald.com/article/20130326/business/703269904/?interstitial=1
-http://www.justice.gov/usao/nj/Press/files/Liu,%20Sixing%20Verdict%20News%20Rele
ase.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/