SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #36

May 07, 2013

TOP OF THE NEWS

Pentagon Report Directly Accuses China of Cyberattacks

THE REST OF THE WEEK'S NEWS

Honeywords Would Serve As Hack Alert
Google's Facility in Sydney, Australia Running Unpatched Building Management System
Judge Sanctions Prenda Law
Alleged SpyEye Developer and Distributor Extradited to US
Microsoft Acknowledges Zero-Day Flaw in Internet Explorer 8
Dell Resellers May Have Sold Equipment to Syria
Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices
Man Allegedly Hacked Former Employer's System
Adobe Will Fix PDF Tracking Issue Next Week
FTC to Hold Hearing on Identity Theft and Senior Citizens
Middle School Students Phish Teachers' Admin Credentials


************************* SPONSORED BY SYMANTEC **************************
New Report: Threat Landscape Key Findings
Get an overview and analysis of the year in global threat activity with the Symantec Internet Security Threat Report 2013. This report provides commentary on emerging trends in the dynamic threat landscape, covers key findings and provides best practice guidelines. Download Now.
http://www.sans.org/info/130492
***************************************************************************
TRAINING UPDATE

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Johannesburg, Malaysia, Canberra, Austin and Mumbai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Pentagon Report Directly Accuses China of Cyberattacks (May 6 & 7, 2013)

For the first time, the Pentagon's Annual Report to Congress on Military and Security Developments Involving the People's Republic of China explicitly accuses China of conducting cyberespionage against the US. The report states that last year, "numerous computer systems around the world, including those owned by the US government, continued to be targets for intrusions, some of which appear to be attributable directly to the Chinese government and military." The report says that China appears not only to be targeting information about industrial technology, but also to be seeking information that could help that country develop "a picture of US network defense network, logistics, and related military capabilities that could be exploited during a crisis." (Please note: The New York Times requires a paid subscription.)
-http://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html?hp&_r=0

-http://www.bloomberg.com/news/2013-05-06/china-s-military-ambitions-growing-pentagon-report-finds.html

[Editor's Note (Assante): The Mandiant report has served to simply open the flood gates in an already swollen river. The direct charges will cement cyber attacks as one of the key diplomatic issues shaping US-Chinese relations. Unlike traditional conventional forces, a web of cyber forces can be a less wieldy sword and may not readily obey the hand of policy makers. ]

*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/130497

2) Having trouble managing your security information? Don't miss our new Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at 1:00 PM EDT http://www.sans.org/info/130502

3) SANS Special Webcast: BYOD - Yay or Nay? Featuring Kevin Johnson. Almost everyone has a mobile device and there is a large debate over the decision to allow bring your own device in an organization. A lot goes into making this decision and it is not the same for every organization. Kevin will discuss different considerations when evaluating this decision. Thursday, May 09, 2013 at 1:00 PM EDT http://www.sans.org/info/130507
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Honeywords Would Serve As Hack Alert (May 6, 2013)

Researchers have proposed a technique to thwart account hijacking by seeding cryptographically hashed password files with dummy passwords, or honeywords. Admins would be alerted when one of the phony passwords was used. While the technique does not prevent hackers from using dictionary attacks to crack passwords, the attackers will not know whether they are using the correct password when attempting to access the account.
-http://arstechnica.com/security/2013/05/amid-a-barrage-of-password-breaches-honeywords-to-the-rescue/

[Editor's Note (Murray): Santayana scores again. We have been salting data to detect its theft for centuries. For example, salting customer lists with names and addresses that enable us to recognize their compromise and use. Reading history is generally more efficient than repeating it.
(Northcutt): For the context, large social web sites like LivingSocial, this is probably useful. For the average enterprise network, I think this is of marginal use. One of the biggest differences between a large social media network and an enterprise company is the help desk. In a large social media environment, you need to make it possible for the user to retrieve a forgotten password and 99% of the time the key is the email on record. In an enterprise, you set up account lockout after three tries and the user has to contact the help desk. I have to wonder if the Facebook concept of Trusted Contacts is going to be more useful to bridge the gap:
-http://www.facebook.com/help/119897751441086
-http://nakedsecurity.sophos.com/2013/05/04/facebook-introduces-trusted-contacts/
-http://www.digitaltrends.com/social-media/facebook-trusted-contacts/]

Google's Facility in Sydney, Australia Running Unpatched Building Management System (May 6, 2013)

Google Australia's Sydney headquarters was discovered to be running a building management system with known vulnerabilities. Although a patch is available for vulnerabilities in the Tridium Niagara AX platform, it had not yet been applied to Google's system. The people who discovered that Google was running an unsecured system were able to obtain the administrative password and gain access to control panels. A Google spokesperson said that the system has been disconnected from the Internet. A third-party integrator company set up the building system at the Google facility.
-http://www.wired.com/threatlevel/2013/05/googles-control-system-hacked/
-http://www.theregister.co.uk/2013/05/06/google_building_automation_fail/
[Editor's Note (Shpantzer): The Publicly Accessible Control Systems Working Group (http://www.pacswg.org/) is an ongoing effort to identify and alert orgs to this issue. If your dangly bits are dangling on the internet, you too may get a virtual tap on the shoulder from these fine folks (Yes, I'm involved). ]

Judge Sanctions Prenda Law (May 6, 2013)

A federal judge in California sanctioned people involved in a copyright patent trolling scheme operating under the name of Prenda Law. In addition to the sanctions he imposed, Judge Otis D. Wright II wrote that he will "refer the matter to the US Attorney ... [and] to the Criminal Investigation Division of the Internal Revenue Service." Judge Wright did not mince words, writing that the Prenda Law attorneys "outmaneuvered the legal system," and noted that they "suffer from a form of moral turpitude unbecoming an officer of the court." The order is prefaced with a quote from a Star Trek movie: "The needs of the many outweigh the needs of the few," and the references continue throughout the document.
-http://www.wired.com/threatlevel/2013/05/copyright-trolling-attorneys/
-http://www.techdirt.com/articles/20130506/16340322966/judge-wright-tells-team-prenda-to-pay-80k-refers-their-activity-to-state-bars-feds-irs.shtml

-http://www.wired.com/images_blogs/threatlevel/2013/05/Penda-Sanctions-Ruling.pdf

Alleged SpyEye Developer and Distributor Extradited to US (May 3 & 5, 2013)

Hamza Bendelladj has been extradited from Thailand to the US to face charges for his alleged involvement with the SpyEye Trojan horse program. Bendelladj, who is from Algeria, is believed to have helped develop and distribute the malware, which has been used to hijack online bank accounts. According to a recently unsealed indictment, Bendelladj allegedly made millions of dollars by selling SpyEye and through the information he stole with the malware's help. If convicted on all charges, Bendelladj faces up to 30 years in prison and a fine of as much as US $14 million. Another individual is named in the indictment but the information has been redacted because that person has not yet been arrested.
-http://krebsonsecurity.com/2013/05/alleged-spyeye-seller-bx1-extradited-to-u-s/
-http://arstechnica.com/tech-policy/2013/05/alleged-mastermind-behind-spyeye-botnet-tools-extradited-to-us/

-http://www.wired.com/threatlevel/2013/05/spyeye-zeus-botmaster-indicted/
-http://www.computerworld.com/s/article/9238913/Accused_SpyEye_virus_creator_extradited_to_the_U.S.?taxonomyId=17

-http://krebsonsecurity.com/wp-content/uploads/2013/05/Bx1Indictment.pdf

Microsoft Acknowledges Zero-Day Flaw in Internet Explorer 8 (May 3-6, 2013)

Microsoft has acknowledged a vulnerability in Internet Explorer 8 (IE8) and says the flaw will be fixed, but did not say if the patch would be part of the company's next scheduled security update, which is set for Tuesday, May 14. There are reports that the flaw is being exploited to conduct "watering hole" attacks, in which malicious code is placed on a web page that is likely to attract certain visitors. Two such recent incidents occurred at the US Department of Labor and the US Department of Energy. According to Microsoft's security advisory, the flaw does not affect Internet Explorer versions 6, 7, 9, or 10. Users still running IE8 are advised to upgrade to IE9 or 10. If the change is not feasible, users running IE8 should take steps described in the advisory to protect their systems as outlined in the "Suggested Actions" section.
-http://www.scmagazine.com/us-department-of-labor-website-was-serving-zero-day-internet-explorer-8-exploit/article/292147/

-http://krebsonsecurity.com/2013/05/zero-day-exploit-published-for-ie8/
-http://arstechnica.com/security/2013/05/internet-explorer-0-day-attacks-on-us-nuke-workers-hit-9-other-sites/

-http://www.computerworld.com/s/article/9238922/Microsoft_admits_zero_day_bug_in_IE8_pledges_patch?taxonomyId=17

-http://www.zdnet.com/ie8-zero-day-flaw-targets-u-s-nuke-researchers-all-versions-of-windows-affected-7000014908/

Microsoft's Advisory:
-http://technet.microsoft.com/en-us/security/advisory/2847140
[Editor's Note (Pescatore): Old versions of IE are very sticky, for some reason. Google's Chrome Browser (and most mobile apps these days) doesn't really have versions - just continually incrementally updated. While there are risks to this approach, the "obsolete version hugging" risk goes away - security improvements being tied to version upgrades causes much higher risks.
(Cole): If there is a newer version of a product it usually means previous versions had vulnerabilities - use the latest version of a product. ]

Dell Resellers May Have Sold Equipment to Syria (May 3, 2013)

Dell is looking into allegations that a reseller sold its products to a company in Syria, a violation of US export restrictions. According to a company spokesperson, "Dell requires its resellers to follow US trade requirements." An April 2012 executive order prohibits US companies from exporting IT products to Syria and Iran. This is not the first time that US IT products have found their way into Syria. Several years ago, more than half-a-million dollars worth of products from Hewlett-Packard were used in the country as part of a project run by an Italian company that purchased the products through HP resellers in Italy.
-http://www.washingtonpost.com/business/dell-investigating-allegations-of-equipment-resales-to-syria/2013/05/06/efd661ce-b443-11e2-9fb1-62de9581c946_story.html

-http://www.computerworld.com/s/article/9238899/Dell_investigates_report_of_its_computers_being_sold_to_Syria?taxonomyId=17

Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices (May 3, 2013)

The US Defense Department (DOD) has cleared Samsung Galaxy smartphones and tablets and Research in Motion's BlackBerry 10 devices for use by military officials and government workers. A Pentagon spokesperson called the approvals "a significant step toward establishing a multi-vendor environment that supports a variety of state-of-the-art devices and operating systems." The Pentagon expects to clear Apple iOS6 devices later this month.
-http://www.informationweek.com/mobility/smart-phones/blackberry-samsung-get-pentagon-nod-of-a/240154163

-http://www.nbcnews.com/technology/technolog/samsung-blackberry-devices-cleared-use-us-defense-networks-6C9761382

-http://www.theregister.co.uk/2013/05/03/bbos_10_approved_by_us_defense_department/

[Editor's Note (Pescatore): DoD folks using smartphones carries at worst equal, and in most cases lower, risks than their equivalent use of the Windows laptops they've had for years. But, this kind of device approval approach carries a lot of overhead for Android devices - in 6 months there will be dozens of new ones that will need to be evaluated. Not a major problem for Apple and BlackBerry, where the device vendor owns both hardware and software, or even Windows Phone devices, where Microsoft keeps a high level of control on the hardware. ]

Man Allegedly Hacked Former Employer's System (May 3, 2013)

A New York man has been arrested for allegedly damaging his former employer's computer systems. Michael Meneses allegedly caused more than US $90,000 in damage to the Spellman High Voltage Electronics Corporation. While employed by Spellman, Meneses co-managed the company's enterprise resources management application. In late 2011, he was reportedly angry after he was passed over for a promotion, and he submitted his resignation. Some former colleagues reported that Meneses copied files from his company computer to a flash drive. The details of what he then did are vague. He allegedly stole access credentials and "corrupt[ed] the network." He allegedly changed the company's business calendar. That activity was traced to a North Carolina hotel close to Meneses's new job, and records showed that he had been staying at the hotel at the time of the intrusions.
-http://arstechnica.com/tech-policy/2013/05/sysadmin-passed-over-for-promotion-quits-then-strikes-back/

-http://www.computerworld.com/s/article/9238874/Systems_manager_arrested_for_hacking_former_employer_39_s_network?taxonomyId=17

FBI Press Release:
-http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer

[Editor's Note (Shpantzer): Identity management of departing/former employees is the consistent aspect of these types of stories for the 11 years I've been reading the NewsBites. There are no shiny-blinky snap-in appliances that do this for you; you must have a tight HR-IT feedback loop that enforces basic credential revocation. In the case of admins, resetting credentials for other admins and systems may be in order, assuming the departing/former admin has access to those as well as the ones s/he was formally entrusted with (people share credentials...). It's also a good idea to proactively image a departing employee's hard drive and archive it for later. It's not that expensive and can save time, money and legal/IR fees by spades in the case of a 'former insider' case. ]

Adobe Will Fix PDF Tracking Issue Next Week (May 3, 2013)

Adobe says that it will fix a PDF tracking issue in its scheduled May 14 security update for Reader and Acrobat. The vulnerability is currently being exploited by email marketers. The problem lies in the way Adobe Reader handles some calls to the JavaScript API. The issue itself is not considered serious, but it could be exploited as a reconnaissance tool as it can be exploited to expose a user's IP address and timestamp. Until the patch is available, users are being advised to disable JavaScript in Reader. All versions of Reader are affected.
-http://www.scmagazine.com/adobe-confirms-pdf-tracking-issue-plans-to-ship-fix-soon/article/291924/

-http://www.zdnet.com/adobe-confirms-leaky-pdf-flaw-fix-due-on-14-may-7000014870/
[Editor's Note (Pescatore): Oracle finally did the "everyone put down your toys, time to clean the playroom" security push for Java that Microsoft did years ago when Windows vulnerabilities were at their crescendo. Would be nice to see the same thing happening at Adobe. ]

FTC to Hold Hearing on Identity Theft and Senior Citizens (May 3, 2013)

The US Federal Trade Commission (FTC) plans to hold a hearing on Tuesday, May 7 at which it will look into identity theft schemes perpetrated on senior citizens, including tax and government benefit identity theft; long term care identity theft; and medical identity theft, which is occurring with increasing frequency. One study said that about two million US citizens are victims of medical identity theft every year. The incidents cost an average of US $20,000 to resolve. The hearing will also look at ways of educating senior citizens about these issues.
-http://www.scmagazine.com/medical-identity-theft-to-be-explored-at-ftc-hearing/article/291780/

-http://www.ftc.gov/bcp/workshops/senior-identity-theft/

Middle School Students Phish Teachers' Admin Credentials (April 30 & May 3, 2013)

Students at a middle school in Alaska managed to trick teachers into providing their administrative access credentials and then used the access to control classmates' computers. The students are 12 and 13 years old. At least 18 students involved in the scheme gained control of more than 300 computers at Schoenbar Middle School in Ketchikan, Alaska. The students manipulated the computers so that teachers thought they were entering their access credentials to allow installation of software updates.
-http://www.bbc.co.uk/news/technology-22398484
-http://www.adn.com/2013/04/30/2884902/students-at-ketchikan-middle-school.html
-http://www.redorbit.com/news/technology/1112837519/alaskan-teens-hack-into-school-system-050313/



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/