
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #35

May 03, 2013


The lead story in this issue highlights (again) the U.S. federal
government infecting citizens' computers with malware. President Bill
Clinton called for the government to "lead by example" in cybersecurity.
How can the government expect industry to do the right thing, he asked,
if the government doesn't protect its own systems and show the way? When
Karen Evans was at OMB as federal CIO and when Sameer Bhalotra was in
the White House as deputy cyber czar, there was real progress. Is it
reasonable to ask why we have gone backwards since they left?

On a related note, the second story highlights one of at least five
major defense contractors, directly overseen by DoD, that have been
looted for massive amounts of technical secrets paid for by the American
taxpayer. That "secret data" was supposed to give the U.S. a
technological edge. What is DoD doing?
Alan

TOP OF THE NEWS

US Government Website Serving Malware
Classified Data Looted in Three-Year Cyberespionage Campaign
Reputation.com Hit by Security Breach

THE REST OF THE WEEK'S NEWS

Foreign Intelligence Surveillance Court Approved All Requests in 2012
Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers
Java Vulnerability in IBM Notes
ICS-CERT Recommendations to Prevent Shamoon Infection
US Army Corps of Engineers' Database Breached
Mozilla Sends Cease-and-Desist Letter to Company Whose Surveillance Software Pretends to be Firefox
Does Exploiting Firmware Flaw in Video Poker Machine Violate CFAA?
Financial Regulators Consider Implications Of Social Media
Cyberthieves Steal US $1 Million from Hospital in Fraudulent ACH Transactions


*************************** SPONSORED BY Bit9 ****************************

eBook: Detecting and Stopping Advanced Attacks. Today's cyber threat has changed in sophistication, in focus, and in its potential impact on your business. This eBook will tell you how today's advanced attacks require automatic detection and incident response. You will learn how you can most effectively protect your business. Download Today http://www.sans.org/info/129860

***************************************************************************

TRAINING UPDATE


- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.

http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.

http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.

http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!

http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.

http://www.sans.org/event/boston-2013


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.

http://www.sans.org/event/pentest-berlin-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.

http://www.sans.org/event/london-summer-2013


- -- Looking for training in your own community?

http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Johannesburg, Malaysia, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

US Government Website Serving Malware To Citizens (May 1, 2013)

A US Department of Labor website was found to be serving malware to unsuspecting visitors through a drive-by download attack. Code injected into the Site Exposure Matrices (SEM) page redirected users to other pages that installed malware on their computers. Once redirected, a script attempts to exploit a known flaw in Internet Explorer to install a backdoor that lets the infected computer communicate with machines controlled by the attackers. Sadly, far too many people have not installed the patch, so their systems are being infected.
-http://www.darkreading.com/attacks-breaches/us-department-of-labor-website-discovere/240153967
-http://www.nextgov.com/cybersecurity/2013/05/labors-toxic-exposure-website-serves-spyware-energys-nuclear-workers/62930/?oref=ng-HPtopstory
-http://www.computerworld.com/s/article/9238842/U.S._Department_of_Labor_website_infected_with_malware?taxonomyId=17
-http://www.h-online.com/security/news/item/Sub-site-of-US-Department-of-Labour-hacked-1854156.html
-http://www.theregister.co.uk/2013/05/01/dol_website_hack_malware/
-http://www.v3.co.uk/v3-uk/news/2265506/chinese-hackers-hijack-us-government-website-to-spread-malware

[Editor's Note (Pescatore): A good example, and there are many, of where the US Government could best drive higher levels of security by focusing on becoming what Presidential Decision Directive 63 back in *1998* called "a model of information security" on the Internet. Instead, we have way too much federal focus on monitoring of private industry, having private industry share information and creating "yet another framework" for private industry - instead of focusing on making government systems themselves (and by extension those of contractors and suppliers) much, much more secure. ]

Classified Data Looted in Three-Year Cyberespionage Campaign (May 1 & 2, 2013)

US defense contractor Qinetiq reportedly bled classified data for three years after a cyberespionage campaign gained a foothold in the company's computer systems. The surreptitious intrusion and subsequent exfiltration of data is believed to have been conducted by Comment Crew, a hacking group with ties to China's People's Liberation Army. Terremark, one of three security firms brought in to assess the situation, reported that it found "traces of the intruders in many of [Qinetiq's] divisions and across most of their product lines." Qinetiq's projects include satellites, drones, and robotic weapons systems.
-http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
-http://www.informationweek.com/security/government/china-tied-to-3-year-hack-of-defense-con/240154064
-http://www.wired.co.uk/news/archive/2013-05/2/comment-crew-plunder-qinetiq
-http://www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/
-http://www.h-online.com/security/news/item/Cyber-espionage-Military-secrets-served-on-a-silver-platter-1854910.html

Reputation.com Hit by Security Breach (May 1, 2013)

Reputation.com, a company whose business is managing its customers' online reputations, has acknowledged that it suffered a data security breach. The company has sent email notifications to its customers. The compromised information includes names, email and physical addresses, and employment information. Some customers' hashed and salted passwords were compromised as well, and the company has reset user passwords. Experts note that users should not be reassured by companies' assertions that salted passwords are unlikely to be cracked. Cracking techniques keep improving, and while a salt stops an attacker from cracking an entire dump in one pass or from using precomputed tables, it does nothing to slow the cracking of any one particular password; if that password is valuable enough, the time spent cracking it is well spent.
-http://www.scmagazine.com/company-that-manages-users-online-rep-hit-by-breach/article/291582/
-http://www.latimes.com/business/technology/la-fi-tn-hackers-break-into-reputationcom-20130501,0,5121938.story
-http://arstechnica.com/security/2013/05/why-you-should-take-hacked-sites-password-assurances-with-a-grain-of-salt/

[Editor's Note (Pescatore): The Reputation Management industry has long had reputation problems itself. Back in Feb 2012 Bloomberg BusinessWeek said: "The bottom line: Although cleaning up search results could be a $5 billion business by 2015, reputation managers can't keep their own profiles clean."
(Murray): You guys thought I was kidding when I said that one "big data" business per week was falling over. LivingSocial and NTT DoCoMo also fell over this week. ]
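The point about salting in the Reputation.com item is easy to state and easy to misread, so here is an added, runnable illustration of it (it is not code from the NewsBites item or from any of the companies mentioned). It brute-forces a small constructed password dump two ways and counts hash computations: with no salt, one hash per guess is checked against every stored digest at once; with a per-user salt, every guess must be re-hashed under each unsolved salt. The three usernames, passwords and fixed salts are made up for the demo, and the hash is plain SHA-256 so that the counts are exact. What the counts show is that the salt raises the cost of cracking the whole dump but leaves the cost of cracking one chosen account's password unchanged.

```python
"""Added example, not part of the NewsBites item: why a salt does not
help the one user whose password an attacker specifically wants, even
though it stops a single brute-force pass from recovering every password
in a dump.  The accounts, passwords and salts are constructed for the
demo; a real store would draw salts from os.urandom()."""
import hashlib
import itertools
import string
from typing import Callable, Dict, Iterator, Optional, Tuple


def h_unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def h_salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


# Constructed dump: username -> (password the user chose, per-user salt).
PLAINTEXT = {"alice": ("cat", b"\x01" * 8),
             "bob":   ("qed", b"\x02" * 8),
             "carol": ("zzz", b"\x03" * 8)}
UNSALTED = {u: h_unsalted(pw) for u, (pw, _) in PLAINTEXT.items()}
SALTED = {u: (h_salted(pw, s), s) for u, (pw, s) in PLAINTEXT.items()}


def candidates(max_len: int = 3) -> Iterator[str]:
    """Exhaustive lowercase guesses in order: 26 + 26^2 + 26^3 = 18,278."""
    for n in range(1, max_len + 1):
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(t)


def crack_one(matches: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Brute-force a single target; returns (password, hashes computed)."""
    ops = 0
    for guess in candidates():
        ops += 1
        if matches(guess):
            return guess, ops
    return None, ops


def crack_all_unsalted(targets: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Without salts, one hash per guess is compared against every digest."""
    by_digest = {d: u for u, d in targets.items()}
    found: Dict[str, str] = {}
    ops = 0
    for guess in candidates():
        ops += 1
        user = by_digest.get(h_unsalted(guess))
        if user is not None:
            found[user] = guess
            if len(found) == len(targets):
                break
    return found, ops


def crack_all_salted(targets: Dict[str, Tuple[str, bytes]]) -> Tuple[Dict[str, str], int]:
    """With per-user salts, every guess is re-hashed under each unsolved salt."""
    found: Dict[str, str] = {}
    ops = 0
    for guess in candidates():
        for user, (digest, salt) in targets.items():
            if user in found:
                continue
            ops += 1
            if h_salted(guess, salt) == digest:
                found[user] = guess
        if len(found) == len(targets):
            break
    return found, ops


def compare() -> Dict[str, int]:
    """Hash counts for the four attacks: one account vs. the whole dump,
    with and without salts.  The two single-account counts are identical."""
    _, one_plain = crack_one(lambda g: h_unsalted(g) == UNSALTED["alice"])
    digest, salt = SALTED["alice"]
    _, one_salt = crack_one(lambda g: h_salted(g, salt) == digest)
    _, all_plain = crack_all_unsalted(UNSALTED)
    _, all_salt = crack_all_salted(SALTED)
    return {"one_unsalted": one_plain, "one_salted": one_salt,
            "all_unsalted": all_plain, "all_salted": all_salt}


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:>13}: {count:6d} hashes")
```

The salted whole-dump attack costs roughly the number of guesses times the number of unsolved accounts, which is the benefit a salt buys; the single-account attack costs exactly the same number of hashes either way. What raises that per-guess cost is a deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2 with a high work factor), which is the mitigation to ask a breached company about rather than whether the hashes were salted.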

*************************** Sponsored Links: ******************************
1) At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD. http://www.sans.org/info/130350

2) Having trouble managing your security information? Don't miss our new Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at 1:00 PM EDT http://www.sans.org/info/130355
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Foreign Intelligence Surveillance Court Approved All Requests in 2012 (May 2, 2013)

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US "for foreign intelligence purposes." There were 1,856 requests in all.
-http://www.wired.com/threatlevel/2013/05/spy-court-stats/
-http://www.wired.com/images_blogs/threatlevel/2013/05/fisacases.pdf
[Editor's Note (Cole): There are no international boundaries in cyberspace. Information sent electronically could travel through many different countries without the sender realizing it. Consider secure email as a smart business enabler that minimizes content that can be monitored. ]

Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers (May 2, 2013)

Dutch lawmakers are considering broad legislation that would give law enforcement the authority to hack into computer systems in the Netherlands and abroad for research, evidence gathering, or to block access to specific data. Specifically, the bill would let law enforcement block illegal content like child pornography; read communication between criminals; and conduct digital wiretaps. It would also allow law enforcement to activate GPS capabilities on a suspect's mobile phone for location tracking purposes. The powers would be subject to a judge's approval and there must be logs kept of investigation data. The bill is being criticized for being "rushed" and for creating "new security risks for citizens."
-http://www.computerworld.com/s/article/9238849/Dutch_bill_would_give_police_hacking_powers?taxonomyId=17

Java Vulnerability in IBM Notes (May 2, 2013)

IBM has issued a security advisory acknowledging that its Notes mail client accepts Java applet tags and JavaScript tags inside HTML emails, which could allow attackers to load applets and scripts from remote locations. An interim fix is available for Windows, and one is expected soon for Mac. IBM has also suggested a workaround to disable Java applets, JavaScript, and Java access from JavaScript.
-http://www.h-online.com/security/news/item/Huge-Java-hole-in-Lotus-Notes-1855406.html

-http://www.theregister.co.uk/2013/05/02/java_runs_in_note_email/
-http://www-01.ibm.com/support/docview.wss?uid=swg21633819
[Editor's Note (Cole): Software patching needs to be viewed as a second level of protection not primary. The best way to secure a service is to disable or uninstall it. ]
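Both the Department of Labor item above and this IBM Notes item come down to the same question: what active content is an HTML document trying to run, and from where? The following scanner is an added example (not code from NewsBites, IBM or the Department of Labor) that answers it with the standard library. For a web page it lists script, iframe, object, embed and applet elements and meta-refresh redirects, then filters for those that load from or redirect to a host other than the site's own, which is the shape of the injection that turned the SEM page into a redirector. For an HTML e-mail it simply lists every applet or script, since a mail client should render none of them. The sample page, sample mail and every hostname in them are constructed placeholders.

```python
"""Added example: inventory the active content in HTML and flag what
loads from, or redirects to, an off-site host.  Serves both the drive-by
redirect story and the Notes applet/script story.  Sample documents and
hostnames are constructed; '.invalid' is a reserved TLD, so nothing here
points at a real site."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Elements that execute or embed code; attribute order matters because the
# first present attribute wins (codebase is the remote origin of an applet).
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRS = ("src", "codebase", "data", "archive", "code", "href")

Finding = Tuple[str, Optional[str]]  # (element kind, URL or None if inline)


class ActiveContentParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            url = next((a[k] for k in URL_ATTRS if a.get(k)), None)
            self.findings.append((tag, url))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0;url=..."> is a silent redirect
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            self.findings.append(("meta-refresh", m.group(1) if m else None))
        elif any(k.lower().startswith("on") for k in a) or \
                a.get("href", "").lower().startswith("javascript:"):
            # inline event handlers and javascript: links are scripts too
            self.findings.append((tag + "[inline-js]", a.get("href") or None))


def scan(html: str) -> List[Finding]:
    p = ActiveContentParser()
    p.feed(html)
    p.close()
    return p.findings


def off_site(findings: List[Finding], site_host: str) -> List[Finding]:
    """Keep findings whose URL resolves to a host other than site_host.
    Relative URLs have no host and are treated as same-site."""
    out = []
    for kind, url in findings:
        host = urlparse(url).hostname if url else None
        if host and host != site_host:
            out.append((kind, url))
    return out


def scripts_and_applets(findings: List[Finding]) -> List[Finding]:
    """For mail: anything that would run code is a finding, on- or off-site."""
    return [(k, u) for k, u in findings if k.split("[")[0] in ("script", "applet")]


# Constructed sample: a legitimate page with two injected elements.
SITE_HOST = "www.agency.invalid"          # placeholder for the site's own host
SAMPLE_PAGE = """<html><head><title>Site Exposure Matrices</title>
<script src="/static/app.js"></script>
<meta http-equiv="refresh" content="0;URL=http://redirector.invalid/land.php">
</head><body>
<h1>Exposure data</h1>
<iframe src="http://exploit-kit.invalid/ie.html" width="1" height="1"></iframe>
<a href="/search">Search</a>
</body></html>"""

# Constructed sample: an HTML e-mail carrying an applet and an inline script.
SAMPLE_MAIL = """<html><body><p>Please review the attached invoice.</p>
<applet code="Loader.class" codebase="http://mail-attacker.invalid/"></applet>
<script>document.location='http://mail-attacker.invalid/2nd';</script>
</body></html>"""


if __name__ == "__main__":
    for kind, url in off_site(scan(SAMPLE_PAGE), SITE_HOST):
        print(f"page: off-site {kind:<12} -> {url}")
    for kind, url in scripts_and_applets(scan(SAMPLE_MAIL)):
        print(f"mail: active  {kind:<12} -> {url or '(inline)'}")
```

On the sample page the same-site script is reported but not flagged, while the meta-refresh and the one-pixel iframe are; on the sample mail both the applet and the inline script are flagged regardless of origin. The parser deliberately does not try to execute or decode anything, so obfuscated JavaScript that builds a URL at runtime will show up only as an inline script, which is still a reason to look closer.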

ICS-CERT Recommendations to Prevent Shamoon Infection (April 30 & May 1, 2013)

The US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a bulletin to operators of critical US computer networks urging them to implement measures to prevent infection by the malware known as Shamoon, which wiped data from computers at oil companies in the Middle East last summer. The bulletin includes 31 tactical and strategic mitigations organizations can employ to protect systems, including daily backups of critical systems, isolating critical networks from business systems, isolating network services through secure, multi-tenant virtual technology, and removing unused functions and applications from host systems.
-http://www.nextgov.com/cybersecurity/2013/05/feds-urge-major-industries-take-steps-deflect-data-wipe-virus/62906/?oref=ng-channeltopstory

-http://ics-cert.us-cert.gov/jsar/JSAR-12-241-01A

US Army Corps of Engineers' Database Breached (May 1 & 2, 2013)

Someone used stolen credentials to gain access to the US Army Corps of Engineers' National Inventory of Dams (NID) database. The breach reportedly began in January but was not detected until April. The intruder gained access to "sensitive fields of information not generally available to the public." Once the US Army Corps of Engineers realized that the individual was not "authorized [to have] full access to the NID," the credentials were revoked. A US Army Corps of Engineers spokesperson said the breach does not pose a public threat.
-http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/
-http://www.computerworld.com/s/article/9238863/Breached_dam_data_poses_no_threat_to_public_Army_says?taxonomyId=17
-http://www.scmagazine.com/report-army-database-housing-sensitive-data-on-major-us-dams-breached/article/291574/

-http://freebeacon.com/the-cyber-dam-breaks/
-http://geo.usace.army.mil/pgis/f?p=397:1:0
[Editor's Note (McBride): While it could be significant that this database was (targeted and) compromised, very similar information appears to be publicly available elsewhere. See
-http://npdp.stanford.edu/node/83
for example. What does this teach us about reconnaissance surface? ]

Mozilla Sends Cease-and-Desist Letter to Company Whose Surveillance Software Pretends to be Firefox (May 1, 2013)

Mozilla has sent a cease-and-desist letter to Gamma International, the company that makes surveillance software called FinFisher. FinFisher disguises itself as Mozilla Firefox on users' computers. Mozilla alleges that FinFisher is riding the coattails of Mozilla's reputation of trustworthiness. The spyware does not alter Firefox, but represents itself as the trusted browser. The letter demands that "these illegal practices stop immediately." FinFisher is reportedly active in 36 countries.
-http://www.h-online.com/security/news/item/Mozilla-sends-cease-and-desist-to-spyware-maker-1854088.html
-http://www.informationweek.com/security/privacy/fake-firefox-spyware-riles-mozilla/240154020
-http://arstechnica.com/information-technology/2013/05/spyware-used-by-governments-poses-as-firefox-and-mozilla-is-angry/
-http://www.zdnet.com/mozilla-sends-cease-and-desist-to-surveillance-software-maker-7000014765/

Does Exploiting Firmware Flaw in Video Poker Machine Violate CFAA? (May 1, 2013)

The Computer Fraud and Abuse Act (CFAA) is being tested again, this time in a case involving two men who took advantage of a bug in a video poker game to increase their winnings. John Kane and Andre Nestor were charged with hacking under the CFAA, but a federal magistrate ruled last fall that the law did not apply in the case and recommended that the hacking charges be dismissed. The case is now being argued in US District Court, and a ruling is expected later this month. The men are charged with exceeding authorized access to the machines "to obtain or alter information in the computer that the accesser is not entitled to obtain or alter." Similar charges were thrown out in a recent case, US v Nosal, in which David Nosal was charged with exceeding authorized access for convincing former colleagues to provide him information from his former employer's database.
-http://www.wired.com/threatlevel/2013/05/game-king/

[Editor's Note (Pescatore): Stealing an unlocked car with the keys in the ignition is still stealing. But, trying to use CFAA in this case only punishes one of the three guilty parties: the software vendor who sold a shoddy piece of software and the operator who bought it without making sure it wouldn't give away the farm go scot free. The seller and buyer of crappy software, not just the user, need to feel pain in order to drive less crappy software into the market. ]

Financial Regulators Consider Implications Of Social Media (May 1, 2013)

Federal financial regulators are examining ways to respond to social media, following a phony tweet from a hacked AP Twitter account that sent US markets into a brief tailspin. Commodity Futures Trading Commission (CFTC) Commissioner Bart Chilton proposed establishing stronger cybersecurity requirements for investment companies and other trading firms, and holding those companies liable for breaches if they have not taken adequate security measures. Commissioner Scott O'Malia noted that regulators should consider how to respond to social media.
-http://www.nbcnews.com/technology/technolog/us-regulators-look-dealing-social-media-6C9693063

[Editor's Note (Murray): The flash crash did not result from poor security in the financial industry but from poor security in social media, in a Big Data Business, and in journalism. The markets did exactly what they were designed to do. They responded promptly to both erroneous news and the correction. What would the regulators have had them do? Ignore the news? ]

Cyberthieves Steal US $1 Million from Hospital in Fraudulent ACH Transactions (April 30, 2013)

A hospital in Washington State was targeted by hackers who stole more than US $1 million from its bank account with the help of nearly 100 accomplices. While those behind the attack were in Russia and Ukraine, the accomplices were in the US; they were recruited when they responded to work-at-home advertisements. The attack against Chelan County Public Hospital No. 1, which is managed by Cascade Medical Center, took place on April 19. The money was transferred to 96 separate bank accounts across the US. One of the accomplices reported having just over US $9,000 deposited into his account and being told to portion it out to four other people in Russia and Ukraine through Moneygram and Western Union. The hospital has recovered about US $133,000 of the stolen funds. So far, there is no information about the security procedures the bank or the hospital had in place regarding the transfer of large sums of money.
-http://krebsonsecurity.com/2013/04/wash-hospital-hit-by-1-03-million-cyberheist/
-http://www.wenatcheeworld.com/news/2013/apr/26/cybertheft-heists-1-million-from-leavenworth/



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/