SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #40

May 21, 2013

SANSFIRE is just four weeks away (Washington DC, June 14-22). With 42 courses it is the largest Washington-based cyber career development program. Also has a vendor expo of the most useful new products and services and a spectacular free evening program of briefings on the newest threats and responses by SANS faculty and Internet Storm Center handlers. Register at http://www.sans.org/event/sansfire-2013

---

TOP OF THE NEWS

Chinese Hackers Accessed Google's Surveillance Database
Chinese Hackers Resume Attacks on US Organizations
SafeNet Cyberespionage Campaign Detected

THE REST OF THE WEEK'S NEWS

Italian Police Arrest Alleged Anonymous Members
Australian Government Shuts Down 1,200 Sites in Effort to Target Just One
Vendors Want Cybersecurity Rule Freeze Until National Standards are Issued
Federal Agency Seeks Funding for Research Into Security Issues of Automated Cars and Associated Networks
Mac OS X Malware Found on Human Rights Activist's Laptop May Have Ties to Cyberespionage-for-Hire Service
Man Jailed for Role in Skimming Scheme Develops Anti-Skimming Device
Apple iOS Approved for US Military Use
Future Version of Firefox Will Block Mixed Active Content by Default
Proposed Legislation Would Require Feds to Obtain Warrant to Seize Phone Records
SSL: Another Reason Not to Ignore IPv6

---

************************** SPONSORED BY Bit9 *****************************
New eBook: Advanced Threat Watch: Looking Ahead. Hacking used to be more of a game. Now it's a business. This eBook examines recent advanced attacks and how they've targeted specific assets within a variety of industries. Learn how you can protect your organization from the advanced threat. Download Today http://www.sans.org/info/131437
***************************************************************************
TRAINING UPDATE

- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Chinese Hackers Accessed Google's Surveillance Database (May 20, 2013)

The Chinese hackers who broke into Google servers in 2009 and 2010 were able to gain access to Google's database of surveillance orders from the US government. The information was likely sought to determine which Chinese intelligence operatives in the US were under surveillance by law enforcement agencies there. A Microsoft official recently hinted that Microsoft suffered an intrusion at about the same time, and that the attackers appeared to be searching for information about accounts for which the US government legal wiretap orders.
-http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breach
ed-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-b
e34-11e2-89c9-3be8095fe767_story.html#
[Editor's Note (Ullrich): Centralized large scale surveillance systems, just like backdoors, sound like a great convenient idea until the enemy discovers them. Guest Editor's Note (Christopher Burgess): If the PRC learned that their officers or surrogates were being subjected to official US Government inquiry via review of the Google data stores, they could follow two paths: tone down and extract the individual, or light up and misdirect the US security services. A key point is that any service provider which is subject to lawful intercept inquiries by the US Government (in this case for counterintelligence purposes) has had fair warning - you are the target of nation states' CI programs. - --Christopher Burgess, President Co-Founder Prevendra, former career CIA officer and co-author of Secrets Stolen, Fortunes Lost. Full bio:
-http://www.prevendra.com/about/bio-christopher-burgess/]

Chinese Hackers Resume Attacks on US Organizations (May 20, 2013)

After reports emerged earlier this year accusing China of launching persistent cyberattacks against US companies and government agencies, activity from the People's Liberation Army against US sites grew quiet for several months. Now the attacks have resumed; the activity is at about 70 percent of the level previously reached and they attackers are using new techniques to target many of the same organizations.
-http://arstechnica.com/tech-policy/2013/05/chinese-army-hackers-return-from-vaca
tion-renew-attacks-on-us/
-http://www.v3.co.uk/v3-uk/news/2269159/chinese-military-unit-resumes-cyber-attac
ks-on-us-businesses
-http://www.bbc.co.uk/news/technology-22594140
(Please note that The New York Times requires a paid subscription.)
-http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-u
s-targets.html?ref=technology
[Editor's Note (Henry): Does anyone really believe China is going to stop their electronic espionage? The value to them is incredibly high...billions of dollars worth of IP, R&D, corporate strategies, military information...and the risk they face is virtually zero. They've been called out on this again and again, and the rote response is "We don't hack", yet the attacks continue. Yes, we need to practice better defense, but the Chinese will continue their activities unabated until the cost to them exceeds the value of what they're obtaining. That begins when governments engage in dialogue with governments, to identify unacceptable parameters and define responses to those activities that cross the line. ]

SafeNet Cyberespionage Campaign Detected (May 17 & 20, 2013)

An attack that exploits a known flaw in Microsoft Office has been detected on machines around the world. The attack has been called SafeNet by the researchers at Trend Micro who discovered it. Machines received the initial infection through a spear phishing campaign. The malware is designed to steal information. There appear to be two sets of command-and-control servers, each managing its own attack. The flaw that the malware exploits was patched in April 2012. The malware was named for references within its code and is in no way associated with the information security firm of the same name.
-http://www.theregister.co.uk/2013/05/20/safe_cyber_espionage/
-http://www.computerworld.com/s/article/9239342/Researchers_uncover_new_global_cy
berespionage_operation_dubbed_Safe?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2269242/microsoft-office-security-flaw-hits-thous
ands-in-latest-hacker-attack
Microsoft Security Bulletin With Office Patch:
-http://technet.microsoft.com/en-us/security/bulletin/ms12-027
[Editor's Note (Ullrich): This attack used a very specific user agent string, "Fantasia". The fact that it went undetected for so long shows that the people watching the networks are looking for the equivalent of an 8 oz soda bottle in an x-ray machine stuffed with bombs.
(Shpantzer): It's truly unfortunate (and surely entirely coincidental) that a security vendor calls a malware campaign by the legal trade name of another security vendor. They even capitalize the N in Net, just like the corporate SafeNet does at www.safenet-inc.com does. I wonder how Trend Micro would feel if SafeNet (the company, not the malware) found a flaw in an encryption implementation and called it... Trend Micro.]

---

*************************** Sponsored Links: ******************************
1) Did you know that ForeScout is a Gartner Magic Quadrant Leader for Network Access Control? Download the free report to find out why magic quadrant leadership and network access control are crucial for your company. http://www.sans.org/info/131442

2) Leveraging the First Four Critical Security Controls for Holistic Improvements featuring SANS Analyst James Tarala, co-author of the CSCs. Wednesday, June 12, 1 PM EDT. http://www.sans.org/info/131447

3) At the Mobile Device Security Summit experts and practitioners detail proven approaches to securing BYOD. Maximize your training and attend SEC575: Mobile Device Security & Ethical Hacking or SEC579: Virtualization and Private Cloud Security. http://www.sans.org/info/131452
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Italian Police Arrest Alleged Anonymous Members (May 17 & 19, 2013)

Italian police have arrested four people believed to be active members of the Anonymous hacking collective. The people have been placed under house arrest in four separate cities. Six other people are under investigation. The people allegedly established a "dominant cell" with Anonymous Italy and are believed to be responsible for launching attacks on government and commercial websites. A deputy police chief at the National Center for Computer Crime and the Protection of Critical Infrastructure (CNAIPIC) said the group "had taken over the brand
[of Anonymous ]
and were using it for their own personal benefit."
-http://www.theregister.co.uk/2013/05/19/anon_arrests_italy/
-http://www.computerworld.com/s/article/9239343/Police_arrest_Anonymous_suspects_
in_Italy?taxonomyId=17

Australian Government Shuts Down 1,200 Sites in Effort to Target Just One (May 17, 2013)

In an attempt to block a website believed to be associated with a financial scam, the Australian government shut down 1,200 other sites that were unrelated to the targeted site expect for the fact that they were hosted on the same IP address. Although the Australian government was not initially forthcoming with information the source of the block request, it was finally revealed that the sites had been blocked at the request of the Australian Securities and Investment Commission (ASIC), the country's financial regulator. The block was requested because the site was believed to be in violation of the Telecommunications Act 1997, which obliges service providers "to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of" Australia. All the other sites were affected because ASIC gave ISPs the IP address of the shared server on which the site was being hosted instead of the suspect site's specific domain name.
-http://arstechnica.com/tech-policy/2013/05/aussie-government-tries-to-block-two-
sites-takes-down-1200/s
-http://www.smh.com.au/technology/technology-news/government-accused-of-sneaking-
in-web-filter-20130517-2jq3p.html
[Editor's Note (Pescatore): The Australians do not seem to have used this section of the Telecomms Act of 1997 very often, so this one mistake likely points out they have work to do on the process, such as better vetting of blocking requests. Also, whether IP address blocking vs. site shut down (with better vetting) is what should be done - IP address blocking is easily evaded and error prone - as this incident shows. ]

Vendors Want Cybersecurity Rule Freeze Until National Standards are Issued (May 17, 2013)

Federal contractors are asking the US General Services Administration (GSA) to temporarily suspend cybersecurity rulemaking until the government issues national guidelines later this year. The specific regulations may be "well intentioned" but there is concern that rules created now might conflict with the standards that are expected by November.
-http://www.nextgov.com/cybersecurity/2013/05/contractors-ask-gsa-freeze-cyber-re
lated-regulations/63244/?oref=ng-channelriver
[Editor's Note (Pescatore): Oh, what a tangled web we weave when Yet Another Framework we start to conceive. First off, the proposed rule making makes no sense whatsoever - it appears to have selected a somewhat random basic set of security controls contractors have to implement. I think this is because this change to the FAR actually started in 2010 and has not kept up with other initiatives. There have been many other procurement directives that simply point to existing frameworks (of which there is no shortage) for contractors and suppliers to show they have implemented security programs of sufficient strength - - like 800-53 or ISO 27001. There is no need to wait for YAF. ]

Federal Agency Seeks Funding for Research Into Security Issues of Automated Cars and Associated Networks (May 17 & 18, 2013)

David Strickland, Administrator of the US's National Highway Traffic Safety Administration (NHTSA) told the Senate Committee on Commerce, Science, and Transportation that he intends to look carefully at what security requirements need to be in place for automated cars and proposed vehicle-to-vehicle (V2V) networks. Strickland expressed concern that advances in technology present "growing potential for remotely compromising vehicle security through software and the increased onboard communications services." NHTSA is seeking US $2 million for the research, which will aim to create "a preliminary baseline set of threats and how those threats could be addresses in the vehicle environment."
-http://www.theregister.co.uk/2013/05/17/usa_car_network_security_research/
-http://www.digitaltrends.com/mobile/warning-warning-your-vehicle-has-been-compro
mised/
[Editor's Note (Shpantzer): Some of this research has already been performed, but why ask people who know if you can ask for more money to get your own version of a new framework...]

Mac OS X Malware Found on Human Rights Activist's Laptop May Have Ties to Cyberespionage-for-Hire Service (May 16 & 17, 2013)

Malware that targets Mac OS X has been found on the laptop of an Angolan human rights activist attending the Oslo Freedom Forum. The malware, which spread through a phishing attack, is signed with a valid Apple Developer ID. It takes screenshots of the infected device and sends them to servers under the hackers' control. The malware was discovered during a conference workshop on securing hardware against government intrusion. The malware is believed to have been developed by a group behind an "aggressive" cyberespionage service that hires itself out. That service was used in an attack on Norwegian telecommunications company Telenor earlier this year. Both the Telenor attack and the Mac malware use the same command-and-control server.
-http://arstechnica.com/security/2013/05/mac-malware-signed-with-apple-id-infects
-activists-laptop/
-http://www.theregister.co.uk/2013/05/17/mac_malware_steals_screenshots/
-http://www.computerworld.com/s/article/9239328/New_Mac_spyware_found_on_Angolan_
activist_39_s_computer?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57584804-83/new-mac-spyware-found-in-the-oslo-f
reedom-forum/
-http://www.scmagazine.com/mac-spyware-discovered-on-angolan-dissidents-computer-
at-oslo-freedom-forum/article/293713/
-http://www.zdnet.com/aggressive-espionage-for-hire-operation-behind-new-mac-spyw
are-7000015613/
-http://www.computerworld.com/s/article/9239396/Telenor_cyberespionage_attack_has
_Indian_origins?taxonomyId=17
-http://www.scmagazine.com/espionage-hacking-campaign-operation-hangover-originat
es-in-india/article/294135/
[Editor's Note (Ullrich): This one is interesting as it uses a valid Apple developer certificate. But all it takes is $100 to get such a certificate. The software did not use the Apple "App Store". As of OS X "Mountain Lion", Apple added a "Gatekeeper" feature with three settings: "Only install software from the App Store", "Install Software from anywhere as long as it is signed" and "Install any software". Keep it set to the most strict, first, setting, and temporarily relax the setting to install software if you have to. (e.g. see
-http://www.youtube.com/watch?v=-wC28jTOVHI)
(Shpantzer): What's worse than a worm in your apple? Half a worm in your apple...]

Man Jailed for Role in Skimming Scheme Develops Anti-Skimming Device (May 17, 2013)

A Romanian man currently serving a five-year prison sentence for his role in an ATM skimming operation, has developed a device that he says can prevent ATMs from succumbing to skimming devices. Valentin Boanta was sentenced to prison in Romania "for supplying gadgets to an organized crime gang used to conceal ATM skimmers." His device, called the Secure revolving System (SRS) alters the way that ATMs read cards; the cards are inserted along their width, which makes reading the magnetic strip impossible for current skimming devices.
-http://arstechnica.com/information-technology/2013/05/hacker-serving-5-year-sent
ence-invents-atm-add-on-to-prevent-theft/
-http://www.theregister.co.uk/2013/05/17/romanian_hacker_atm_security/

Apple iOS Approved for US Military Use (May 17 & 19, 2013)

The US Defense Department has approved Apple iOS for use to connect to DOD networks. The approval places Apple in competition with BlackBerry 10 and Samsung, which received approval several weeks ago. The devices will not be approved for use until the Defense Information Systems Agency (DISA) establishes a mobile device management system. While iPhones and iPads can be used on military networks, they are still not approved as personal devices within the military.
-http://www.eweek.com/mobile/apple-ios-6-platform-cleared-for-use-at-department-o
f-defense/
-http://www.nextgov.com/mobile/2013/05/consumer-smartphones-okd-military-use-lack
-certain-id-protections/63275/?oref=ng-HPriver
-http://www.zdnet.com/iphones-ipads-cleared-for-u-s-military-use-dod-fortifies-cl
oud-7000015549/
-http://www.theregister.co.uk/2013/05/17/department_of_defense_approves_apple_dis
cusses_cloud/

Future Version of Firefox Will Block Mixed Active Content by Default (May 17, 2013)

A future stable version of Firefox will block mixed active content by default. Firefox 23 Aurora is scheduled for stable release in about three months. Mixed active content is described as an HTTPS secured website that loads some HTTP content, which can make the site vulnerable to a variety of attacks. Users will have the option of disabling the content blocker on a site-by-site basis.
-http://news.cnet.com/8301-1009_3-57585096-83/future-firefox-takes-tougher-stance
-on-mixed-content/
-https://developer.mozilla.org/en-US/docs/Security/MixedContent
[Editor's Note (Shpantzer): For an interesting article on the security implications of HTTP/HTTPS mixer-uppers, see
-http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html]

Proposed Legislation Would Require Feds to Obtain Warrant to Seize Phone Records (May 16, 2013)

Four US legislators have introduced a bill that would require federal agencies to obtain a court order prior to obtaining phone records. The proposed legislation follows close on the heels of the disclosure that federal investigators obtained phone records of Associated Press (AP) journalists with just a subpoena. The Telephone Records Act, as currently written, allows federal agents to obtain records from service providers with an administrative subpoena to discover basic subscriber information, such as name, address, payment card number, and phone records. The proposed legislation, The Telephone Records Protection Act, protects all Americans' phone records from being seized by federal agencies without a warrant. Federal agents would need to obtain judicial review before gaining access to those data, and they would have to provide "specific and articulable facts
[that prove the requested data are ]
relevant and material to an ongoing criminal investigation." The US Justice Department has been roundly criticized for the AP incident, in which they obtained phone records for 20 lines, some of which were the work and home numbers of AP reporters. DOJ maintained that it was following procedure when it issued a subpoena for the information.
-http://www.wired.com/threatlevel/2013/05/court-order-for-phone-records/
In a separate, related story, the US Justice Department is coming under fire for its investigation of a reporter involved in an information leak case. Stephen Jin-Woo Kim allegedly leaked sensitive information to a reporter named James Rosen. An FBI agent said in an affidavit that James Rosen, "asked, solicited, and encouraged Mr. Kim to disclose sensitive US ... intelligence information." Investigators called Rosen a co-conspirator and obtained a warrant to access his security badge records, which tracked his coming and going at the State Department, as well as his phone logs and personal emails. Ben Wizner, director of the ACLU's Speech, Privacy, and Technology Project, issued a statement saying, "Never in the history of the Espionage Act has the government accused a reporter of violating the law for urging a source to disclose information. This is a dangerous precedent that threatens to criminalize routine investigative journalism."
-http://www.washingtonpost.com/local/justice-departments-scrutiny-of-fox-news-rep
orter-james-rosen-in-leak-case-draws-fire/2013/05/20/c6289eba-c162-11e2-8bd8-278
8030e6b44_story.html
-http://www.wired.com/threatlevel/2013/05/feds-tracked-fox-news-reporter/

SSL: Another Reason Not to Ignore IPv6 (May 17, 2013)

Sites that use proxies to allow access via IPv6 may find themselves dealing with two different certificates, both of which must be valid.
-http://isc.sans.edu/diary/15833
[Editor's Note (Ullrich): Last year, federal government web sites rushed out IPv6 proxies without properly integrating them into their existing operations. As of last week, the social security.gov web site used an expired certificate if accessed via IPv6. Many common tools used to check for certificate validity will only check IPv4, ignoring IPv6. See also our IPv6 summit in June which will cover another aspect of ignoring IPv6: VPNs.
-https://www.sans.org/event/ipv6-summit-2013]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/