SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #37
May 10, 2013
TOP OF THE NEWS
Eight Charged in Connection with US $45 Million CybertheftU.S. Department of Homeland Security ISC-CERT Issues Warning of Heightened Risk of Attack on Critical Infrastructure
Executive Order Requires US Government Agencies to Adopt Open Data Standards
THE REST OF THE WEEK'S NEWS
Name.com Customer Data Breach Includes Encrypted Passwords and Credit Card InfoPatch Tuesday to Include Fix for IE8 Flaw Exploited in Attack on Dept. of Labor Site
Microsoft Issues Stopgap "Fix-it" Measure for IE8 Flaw
Critical Flaw in Adobe's ColdFusion
China's Success in Cyberespionage Does Not Indicate Technical Superiority
2012 FBI Domestic Investigation Guide Says No Warrant Needed to Access eMail
Judge Denies Motion to Suppress Evidence Gathered With Cell Tower Spoofing Technology
Indian Government Launches Central Monitoring System
Senators Draft Legislation to Respond to Cyberespionage
Hacking Charges Dropped in Video Poker Case
************************* SPONSORED BY BIT9 ****************************
Today's Advanced Threats Require Next-Generation Protection. Are you using or considering a next-generation threat protection solution? Join this webcast and learn how you can multiply the value of your investment by integrating network and endpoint security. Register Today http://www.sans.org/info/130682
***************************************************************************
TRAINING UPDATE
- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013
- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013
- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013
- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013
- -- Looking for training in your own community?
http://www.sans.org/community/
- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Eight Charged in Connection with US $45 Million Cybertheft (May 9, 2013)
US Federal prosecutors have charged eight people for their alleged roles in a pair of cybertheft schemes that stole more than US $45 million through ATMs in more than 20 different countries. The schemes involved breaking into computers at financial institutions that process prepaid debit cards to steal data and eliminate the withdrawal limits on the cards. The first attack targeted a processor that managed pre-paid card transactions for a bank in the United Arab Emirates. The cards data were sent to accomplices in 20 countries who used them to fraudulently withdraw US $5 million. The second scheme involved an institution that processed card transactions for a bank in Oman; accomplices in 24 countries withdrew US $40 million within 10 hours. The eight people charged in New York participated in both schemes, withdrawing a total of US $5.2 million through ATMs in New York. All eight live in Yonkers, New York. They face charges of conspiracy to commit access device fraud, conspiracy to launder money, and money laundering.-http://www.wired.com/threatlevel/2013/05/eight-charged-in-bank-heist/
-http://www.washingtonpost.com/business/economy/atm-thieves-conducted-massive-cyb
erattack/2013/05/09/0c3c3a1c-b8ec-11e2-92f3-f291801936b8_story.html
-http://money.cnn.com/2013/05/09/technology/security/cyber-bank-heist/index.html
-http://www.justice.gov/usao/nye/pr/2013/2013may09.html#FOOT1
[Editor's Note (Honan): In 2011 a payment card processor in Florida, FIS, was victim of a similar attack to the tune of US $13m and RBS Worldpay suffered a loss of US $9m in 2008. A key element in the success of these attacks is the lack of Chip and Pin technology, which is already in place in many European countries and makes cards more difficult to clone.
(Paller): And while we are waiting - probably years - for the U.S. Government to require chip and pin - there is ample evidence that the processors know how to protect their computers against these attacks and are not doing it. The PCI standard is so far out of date and the verification that PCI auditors are doing is missing so much, that this $45 million will seem small in a couple of years. The key is that the people who write the standards (PCI and NIST in particular) are the ones who should be held accountable for these losses because their guidance is encouraging organizations to implement the wrong defenses. ]
U.S. Department of Homeland Security ISC-CERT Issues Warning of Heightened Risk of Attack on Critical Infrastructure (May 9, 2013)
The US Department of Homeland Security (DHS) issued a warning "on a computer network accessible only to authorized industry and government users" about an increased threat of a cyberattack against "US critical infrastructure organizations." The intent appears to be not only theft of intellectual property, but "to disrupt ... control processes." The unclassified alert came from DHS's Industrial Control System Computer Emergency Response Team (US-CERT). It made specific suggestions for steps to take to protect systems from harm. Another document listed indicators to determine if systems have been compromised.-http://www.washingtonpost.com/world/national-security/us-warns-industry-of-heigh
tened-risk-of-cyberattack/2013/05/09/39a04852-b8df-11e2-aa9e-a02b765ff0ea_story.
html
[Editor's Note (McBride): The mounting evidence of US-led cyber operations against Iran, including some industrial control systems there may have been a factor in this reported "escalation". ]
Executive Order Requires US Government Agencies to Adopt Open Data Standards (May 9, 2013)
The White House has issued an executive order requiring that "the default state of new and modernized Government information resources shall be open and machine readable." Over the next six months, agencies must compile lists of all the datasets they collect and maintain. They must also indicate which of those lists are supposed to be available to the public. They also must make the publicly available data easy to find and to access and to use.-http://www.nextgov.com/big-data/2013/05/white-house-orders-agencies-follow-new-o
pen-data-standards/63068/?oref=ng-HPtopstory
Text of Executive Order:
-http://cdn.govexec.com/media/gbc/docs/pdfs_edit/050913jm1.pdf
[Editor's Note (Pescatore): The EO does contain the required privacy directives: "It is vital that agencies not release information if doing so would violate any law or policy, or jeopardize privacy, confidentiality, or national security." However, it seems to be missing any concern about the *integrity* of the data. The US CIO and CTO have 30 days to release policy and best practices - I hope they include requirements for due diligence in web site and web application security for government sites that will host such data. ]
*************************** Sponsored Links: ******************************
1) Special Webcast Friday, 5/24: "The Intractable Problem of Software Security". Chris Wysopal, Veracode's Co-Founder and CTO, will dive into the data that drive the predictions detailed in the Veracode's fifth annual State of Software Security Report. http://www.sans.org/info/130687
2) At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD - Attend SEC575 and SEC579. http://www.sans.org/info/130692
3) Having trouble managing your security information? Don't miss our new Analyst webcast: Advanced Intelligence in Action-SANS review of McAfee's Enterprise Security Manager by Dave Shackleford, Wednesday, May 22 at 1:00 PM EDT http://www.sans.org/info/130697
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Name.com Customer Data Breach Includes Encrypted Passwords and Credit Card Info (May 9, 2013)
Domain name register Name.com has notified customers that their personal information, including encrypted passwords and payment card data, were compromised in a security breach. Name.com required all customers to reset their passwords. The method used - customers were instructed to click a link to perform the reset - has been criticized because it resembles tactics used in phishing attacks.-http://www.scmagazine.com/hackers-hit-domain-registrar-access-credit-card-data-a
nd-passwords/article/292696/
-http://www.computerworld.com/s/article/9239050/Name.com_forces_customers_to_rese
t_passwords_following_security_breach?taxonomyId=17
Patch Tuesday to Include Fix for IE8 Flaw Exploited in Attack on Dept. of Labor Site (May 9, 2013)
On Tuesday, May 14, Microsoft will issue 10 security bulletins to address vulnerabilities in Windows, Internet Explorer, Office and several other products. The company has indicated that the vulnerability in IE8 for which it has already recommended a work around and issued a Fix-it measure, will be patched in one of the bulletins. The bulletins will address a variety of issues that could be exploited to allow remote code execution, spoofing, information disclosure, privilege elevation, or create denial-of-service conditions.-http://www.computerworld.com/s/article/9239064/Microsoft_rushes_IE8_zero_day_fix
_into_next_week_s_Patch_Tuesday?taxonomyId=17
-https://technet.microsoft.com/en-us/security/bulletin/ms13-may
[Editor's Note (Pescatore): Looks like two Critical patches coming out in next week's Windows Vulnerability Tuesday. Last month, Microsoft had a bit of patch quality backsliding and had to rerelease MS13-036 due to crash problems. Seemed like an isolated incident vs. a trend, but probably worth a bit more QAing of this month's patches. ]
Microsoft Issues Stopgap "Fix-it" Measure for IE8 Flaw (May 9, 2013)
Microsoft has issued a stopgap measure for a vulnerability in Internet Explorer 8. The flaw first gained attention when it appeared that it had been exploited in a watering-hole attack on a US Department of Labor webpage. Microsoft has also provided a work-around that users can employ until a patch is available.-http://www.h-online.com/security/news/item/Microsoft-releases-Fix-It-for-IE8-hol
e-1859776.html
-http://www.darkreading.com/vulnerability/microsoft-issues-emergency-fix-for-ie-z
e/240154536
-http://www.scmagazine.com/microsoft-offers-temporary-fix-for-live-internet-explo
rer-exploit/article/292621/
-http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-ava
ilable-to-mitigate-internet-explorer-8-vulnerability.aspx?Redirected=true
[Editor's Note (Murray): "Researchers" ("NVPs") publish exploits. Security professionals publish "work-arounds." Can't think of a work-around? Leave the reporting to those who can. ]
Critical Flaw in Adobe's ColdFusion (May 8 & 9, 2013)
Adobe has issued an advisory warning users of a critical vulnerability in its ColdFusion web application development platform. The flaw could be exploited to gain access to files stored on vulnerable computers. The issue affects ColdFusion 10, 9.0.2, 9.0.0, 9.0 and older versions for Windows, Mac, and Unix. An exploit for the flaw is reportedly available. Adobe plans to release a patch for the vulnerability on May 14.-http://www.v3.co.uk/v3-uk/news/2267159/adobe-preps-patch-for-critical-flaw-in-co
ldfusion
-http://www.computerworld.com/s/article/9239054/Adobe_warns_of_unpatched_critical
_flaw_in_ColdFusion?taxonomyId=17
-http://www.h-online.com/security/news/item/Adobe-acknowledges-critical-hole-in-C
oldFusion-1859798.html
-http://www.adobe.com/support/security/advisories/apsa13-03.html
China's Success in Cyberespionage Does Not Indicate Technical Superiority (May 8, 2013)
Experts say that China's success in gaining access to government, military, and corporate computer systems in the US does not indicate the country's "technical superiority" but rather its patience and persistence in targeting systems and individuals and remaining hidden in the network for long periods of time. John Pescatore noted that China is "not smarter in software than[the US ]
. If they were, we would see them starting up new companies" rather than conducting cyberespionage. Rather than concern themselves with the sources of attacks, US companies would be well advised to make sure their systems are as secure as they can make them by addressing basic vulnerabilities and configuration issues. What is notable about China's approach "is that they use the least amount of force necessary to accomplish their goals," according to Dan McWhorter, Mandiant's managing director of threat intelligence.
-http://www.computerworld.com/s/article/9239015/Chinese_hackers_master_the_art_of
_lying_in_wait_?taxonomyId=17
2012 FBI Domestic Investigation Guide Says No Warrant Needed to Access eMail (May 8, 2013)
According to the 2012 edition of FBI's Domestic Investigations and Operations Guide, the FBI believes it is has the authority to access individuals' electronic communications and documents without a search warrant. The ACLU obtained the document through a Freedom of Information Act (FOIA) request. The guide indicates the FBI believes all that is required to access such information is a subpoena signed by a federal prosecutor. This policy appears to fly in the face of a 2010 ruling that requires federal authorities to obtain warrants prior to accessing email accounts. At a Congressional hearing earlier this year, DOJ officials acknowledged that the interpretation of the Electronic Communications Privacy Act (ECPA) of 1986 that allows access to opened email and unopened email more than six months old is not longer applicable.-http://arstechnica.com/tech-policy/2013/05/fbi-claims-right-to-read-your-e-mail-
just-like-other-federal-agencies/
-http://www.zdnet.com/fbi-says-it-doesnt-need-a-warrant-to-snoop-on-private-email
-social-network-messages-7000015075/
-http://www.v3.co.uk/v3-uk/news/2266900/aclu-says-fbi-snooping-emails-without-war
rants
Judge Denies Motion to Suppress Evidence Gathered With Cell Tower Spoofing Technology (May 8, 2013)
A judge in Arizona will allow evidence collected by federal investigators through the use of technology known as stingray, which mimics a cell phone tower. The defense had filed a motion to suppress the evidence, claiming that the use of stingray violated Daniel Rigmaiden's Fourth Amendment rights because there was no warrant for the search of his apartment. The judge determined that Rigmaiden did not have a reasonable expectation of privacy because he had obtained all of those things fraudulently - using others' identities. Rigmaiden allegedly filed hundreds of phony tax returns using the names of people who had died. He is the alleged mastermind in a scheme that stole US $4 million from the IRS through fraudulent tax returns. The judge also said that the government did not act improperly by failing to inform the magistrate judge who authorized the tracking activities that it planned to use a stingray to track the suspect or explain how the technology worked.-http://www.wired.com/threatlevel/2013/05/rigmaiden-cell-tower-evidence/
-http://arstechnica.com/tech-policy/2013/05/federal-judge-denies-motion-to-throw-
out-evidence-gathered-via-fake-cell-tower/
Judger's order denying motion to suppress evidence:
-https://www.aclunc.org/docs/technology/order_denying_motion_to_suppress,_usa_v._
rigmaiden.pdf
Indian Government Launches Central Monitoring System (May 7 & 8, 2013)
According to a report in the Times of India, the Indian government has introduced its Central Monitoring System that allows interception of phone calls and Internet communications. The system will be used not only by law enforcement, but by tax authorities as well. India's Information Technology Act of 2000 gives the government the authority to "intercept, monitor, or decrypt[data ]
generated, transmitted, received, or stored in any computer resource" if there is a credible threat to security and public safety. Activists are concerned because privacy laws in India may not be adequate to protect individuals.
-http://timesofindia.indiatimes.com/tech/tech-news/internet/Government-can-now-sn
oop-on-your-SMSs-online-chats/articleshow/19932484.cms
-http://www.theregister.co.uk/2013/05/08/india_privacy_woes_central_monitoring_sy
stem/
Senators Draft Legislation to Respond to Cyberespionage (May 7 & 8, 2013)
Following the release of a report that accuses China of conducting cyberespionage on US government, military, and corporate networks, a group of senators proposed legislation aimed at fighting the activity. Called the Deter Cyber Theft Act, the bill would require an annual report from the director of national intelligence that names countries that have engaged in cyberespionage against the US, noting which have been the most "egregious" offenders. The report would also describe what sorts of data are being stolen. The information could be used to support decisions to block imports of products that contain technology stolen from the US.-http://news.cnet.com/8301-1009_3-57583379-83/senators-propose-law-to-go-after-fo
reign-cybercriminals/
-http://www.scmagazine.com/senators-introduce-bill-that-would-flag-countries-prod
ucts-that-benefit-from-espionage/article/292523/
-http://www.computerworld.com/s/article/9239004/Proposed_U.S._law_aims_to_counter
_cybertheft_with_import_bans?taxonomyId=17
Text of draft legislation:
-http://media.scmagazine.com/documents/46/cybertheftlegislation050713_11307.pdf
[Editor's Note (Pescatore): Fish gotta swim, birds gotta fly, senators gotta legislate. There is already an annual Report to Congress of the US-China Economic and Security Review Commission. I have the latest version, dated November 2012, right here at my desk. It weighs in at 491 pages, and has a 23-page section on China's cyber activities. I wonder how many of the sponsors of this bill (or even their aides) actually read that? The bill title sounds good, though - except that the best way to deter cyber theft is to reduce your own vulnerabilities, vs. focus on which country actually exploited your lack of security. ]
Hacking Charges Dropped in Video Poker Case (May 7, 2013)
Federal prosecutors have dropped hacking charges in a case against two men who took advantage of a bug in a video poker game to win hundreds of thousands of dollars. The dismissal of the charges in the indictment removes the question of the applicability of the Computer Fraud and Abuse Act (CFAA) in this case. John Kane and Andre Nestor now each face one charge of conspiracy to commit wire fraud.-http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
Motion to Dismiss Counts of Indictment and Order Granting Dismissal:
-http://www.wired.com/images_blogs/threatlevel/2013/05/Government-motion-to-dismi
ss-us-v-Kane.pdf
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
