
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #42

May 28, 2013


Call for Papers on Operational Technology - the next frontier in cyberspace. The Workshop is called Securing the Internet of Things and features great folks from Cisco and Gartner and other top folks. The only way to guarantee a seat is to get a presentation accepted. John Pescatore is leading the national effort to raise the bar on securing operational technology and will chair the workshop planned for late October in San Francisco. If you are interested in presenting or participating on a panel submit your information to trends@sans.org by July 1, 2013 with the subject "SANS Securing the Internet of Things CFP". Submission guidelines are posted at http://www.sans.org/event/internet-of-things-summit/bonus-sessions/2787/#bonus-box

TOP OF THE NEWS

NSA/CyberCom To Get Green Light Response to Cyber Attack
Iranian Hackers Are Targeting US Energy Companies' Industrial Control Systems
Confidential Report Says Chinese Hackers Accessed US Weapons Systems Designs

THE REST OF THE WEEK'S NEWS

Australian Official Will Not Confirm Reports of Cyberespionage
Clearwire Will Shed Huawei Hardware
Western Australian Police Charge Teen
Syrian Electronic Army Hacked Sky's Twitter and Android Apps
Liberty Reserve Digital Currency Founder Arrested
GSA Seeks Comments on Cybersecurity Standards and Purchasing
Google Will Upgrade SSL Encryption Keys
Malware Targets Tibetan Activists


************************* SPONSORED BY Invincea ************************
Watering hole, spear-phishing and drive-by download attacks - these attacks work because the bad-guys are using zero-days and polymorphic techniques to bypass your endpoint security controls. Invincea has emerged as a zero-day killer at the endpoint. See how they detected and killed a watering hole attack using a Dept. of Labor website to push an IE-8 zero day - http://www.sans.org/info/131697
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization. --Houston, TX (June 10-June 15)
http://www.sans.org/event/scada-training-houston-2013 --Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

NSA/CyberCom To Get Green Light Response to Cyber Attack (May 27, 2013)

DoD is on the verge of approving new standing rules of engagement, rules that will for the first time authorize a U.S. response to cyber attacks. It's part of a general push to move more cyber warfare into the traditional military strategy and away from the often contentious realm of National Security Council debate. The new rules will empower commanders to counter direct cyberattacks with offensive efforts of their own - without White House approval.
-http://www.defensenews.com/article/20130527/DEFREG02/305270014/Slowed-by-Debate-Uncertainty-New-Rules-Green-Light-Response-Cyber-Attacks

Iranian Hackers Are Targeting US Energy Companies' Industrial Control Systems (May 27, 2013)

US officials say that hackers operating on behalf of the Iranian government are targeting industrial control systems at US energy companies in an attempt to damage the country's critical infrastructure. Thus far, the attacks have focused on gathering intelligence about how the systems operate. Some US officials have posited that Stuxnet, the sophisticated malware attack that targeted centrifuges at an Iranian nuclear facility in 2010, pushed Iran to develop stronger cyberattack capabilities and to retaliate.
-http://www.theregister.co.uk/2013/05/27/iran_payback_stuxnet_ics_attacks/
-http://www.eweek.com/security/iranian-hackers-launching-cyber-attacks-on-us-energy-firms-report/

Confidential Report Says Chinese Hackers Accessed US Weapons Systems Designs (May 27, 2013)

According to a confidential report from the Defense Science Board, Chinese hackers gained access to designs for advanced US weapons systems. The confidential report, which was prepared for the Pentagon, did not specify whether the data were accessed through government networks or through contractor networks. According to the report, DOD "is not prepared to defend against this threat. With present capabilities and technology, it is not possible to defend with confidence against the most sophisticated cyber attacks." An unnamed senior military official told the Washington Post that "in many cases, they don't know they've been hacked until the FBI comes knocking on their door."
-http://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designs-compromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html

-http://uk.reuters.com/article/2013/05/28/uk-usa-china-hacking-idUKBRE94R02H20130528

-http://news.cnet.com/8301-1009_3-57586355-83/chinese-hackers-reportedly-accessed-u.s-weapons-designs/

Report:
-http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf


*************************** Sponsored Links: ******************************
1) StillSecure - Providing visibility, enforcement, quarantine, and remediation, Safe Access NAC provides network control. http://www.sans.org/info/131702

2) Attend the SANS Industrial Controls Systems Security Briefing, Monday, June 10, 2013 in Houston, TX at the Westin Houston Memorial City. Featuring Mike Assante, Eric Cornelius, Lior Frenkel, Bart Pestarino and Jonathan Knudsen. This event is free to Oil & Gas constituents. For more information go to http://www.sans.org/info/131707 To register for this event via simulcast, visit http://www.sans.org/info/131712

3) SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 http://www.sans.org/info/131717
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Australian Official Will Not Confirm Reports of Cyberespionage (May 27 & 28, 2013)

A report on the Australian investigative journalism television program Four Corners said that Chinese hackers stole sensitive documents detailing the layout of the Australian Security Intelligence Organisation's new headquarters. The report said that hackers have targeted other organizations as well, including a company that provides clandestine communications equipment to military organizations around the world and several government departments. The companies and the government are remaining mum on the subject. The companies are concerned about their reputations, and the government doesn't "want to share with the world and potential aggressors what [it] knows about what [the hackers] might be doing, and how they might be doing it." Australian Foreign Minister Bob Carr has refused to confirm the reports of hacking, saying only that the allegations would not affect Australia's "areas of cooperation with China."
-http://www.bbc.co.uk/news/world-asia-22685332
-http://www.zdnet.com/carr-refuses-to-confirm-china-hack-claims-7000015924/
-http://www.abc.net.au/4corners/stories/2013/05/27/3766576.htm

Clearwire Will Shed Huawei Hardware (May 23 & 27, 2013)

Clearwire says it will remove Huawei products from its network. The move comes in response to US concern that the company has ties to the Chinese government. Clearwire parent company Sprint Nextel is negotiating an offer to be acquired by Japan's SoftBank. SoftBank has agreed to allow the US government veto power over the company's choice of the person who will oversee national security issues for Sprint.
-http://www.theregister.co.uk/2013/05/27/clearwire_to_pull_huawei_from_network/
-http://arstechnica.com/tech-policy/2013/05/sprint-to-give-us-government-say-on-board-remove-chinese-hardware/

Western Australian Police Charge Teen (May 27, 2013)

Police in Western Australia have charged a 17-year-old with computer-related offenses, but have not said what the charges involve. Earlier this year, Dylan Wheeler claimed to have broken into Sony and Microsoft developer networks; the charges are not related to those incidents.
-http://www.computerworld.com/s/article/9239543/Western_Australia_police_silent_on_charges_for_17_year_old_hacker?taxonomyId=17

Syrian Electronic Army Hacked Sky's Twitter and Android Apps (May 26 & 27, 2013)

The same group of hackers that has targeted social media accounts belonging to The Onion, the Associated Press, and the BBC in recent weeks has struck Sky, taking over the UK satellite broadcaster's Android apps and Twitter account. Sky has removed the apps, which include Sky Go, Sky News, and Sky Sports News, from the Google Play Store. This appears to be the first time that the Syrian Electronic Army has targeted apps.
-http://news.cnet.com/8301-1009_3-57586245-83/skys-android-apps-twitter-account-hacked/

-http://www.bbc.co.uk/news/technology-22679099

Liberty Reserve Digital Currency Founder Arrested (May 25 & 27, 2013)

Spanish authorities have arrested the founder of the digital currency Liberty Reserve for alleged money laundering. Late last week, domain registration records for Liberty Reserve and several other digital currency sites were altered to point to Shadowserver, a volunteer organization known for fighting cybercrime. Arthur Budovsky was arrested in Spain as part of an investigation conducted jointly by authorities in the US and Costa Rica. Budovsky is a citizen of Costa Rica. Liberty Reserve has become a widely used form of payment in the computer underground because it requires very little personal information from its customers. Over the weekend, Liberty Reserve competitor Perfect Money posted a message on its own site saying that it would no longer accept registrations from individuals or companies based in the US, including US citizens living overseas.
-http://krebsonsecurity.com/2013/05/u-s-government-seizes-libertyreserve-com/
-http://www.bbc.co.uk/news/technology-22680297
Budovsky and six other people have been indicted in connection with what some are calling the largest money laundering prosecution in history -- US $6 billion over the past seven years. Liberty Reserve was used to launder some of the funds stolen in a US $45 million ATM fraud scheme.
-http://www.mercurynews.com/breaking-news/ci_23335928/ny-indictment-filed-6b-money-laundering-case

(Please note: The New York Times requires a paid subscription.)
-http://www.nytimes.com/2013/05/29/nyregion/liberty-reserve-operators-accused-of-money-laundering.html?hp&_r=0

[Editor's Note (Pescatore): Seems that there is very little demand for these alternative currencies, outside of money laundering. Like digital wallets, they pop up and get a lot of press coverage as the next great thing but there is not a legitimate business model around them. ]

GSA Seeks Comments on Cybersecurity Standards and Purchasing (May 26, 2013)

The US General Services Administration (GSA) and the Pentagon have issued a request for information seeking input from industry on how best to incorporate cybersecurity standards into government purchasing requirements. Some ideas GSA and DOD are considering include establishing an accreditation program and allowing certain acquisitions to be exempt from cybersecurity standards. The goal is to protect government systems while not impeding market entry for potential new contractors. Comments will be accepted through June 12.
-http://www.washingtonpost.com/business/on-it/gsa-seeking-industry-feedback-on-cybersecurity/2013/05/24/e3baf740-c183-11e2-8bd8-2788030e6b44_story.html

-https://www.federalregister.gov/articles/2013/05/13/2013-11239/joint-working-group-on-improving-cybersecurity-and-resilience-through-acquisition

Google Will Upgrade SSL Encryption Keys (May 24, 2013)

By the end of 2013, Google plans to upgrade all of its SSL certificates to 2048-bit keys. The change is scheduled to begin in August. Google plans to upgrade its root certificate as well. Certain client software embedded in devices like phones, gaming consoles, and cameras could run into problems with the upgrade; Google has offered advice to help mitigate those issues.
-http://arstechnica.com/security/2013/05/google-builds-bigger-crypto-keys-to-make-site-forgeries-harder/

-http://www.h-online.com/security/news/item/Google-to-replace-SSL-certificates-1869281.html

-http://www.zdnet.com/google-upgrading-all-ssl-certificates-to-2048-bit-keys-by-end-of-2013-7000015863/

-http://www.computerworld.com/s/article/9239518/Google_to_lengthen_SSL_encryption_keys_in_August?taxonomyId=17

[Editor's Note (Pescatore): I think the CA Browser Forum is requiring all CAs to do this by YE2013. Growth in processing power over time, combined with advances in crypto attacks that shorten brute force attacks, means crypto strengths will always have to increase over time. SSL in practice needs more than longer keys - the switchover to longer lengths will drive client/server side software upgrades that need to address various validity checking and revocation issues. But, the security of CAs needs to be addressed in a big way, too. ]
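The practical check behind this item is finding the keys in one's own estate that are still shorter than 2048 bits. The PowerShell below is an added example, not code from Google or from any of the articles above: it walks the local machine's certificate stores, reports every RSA certificate under the threshold, and can pull a remote server's leaf certificate for the same check. It assumes Windows PowerShell 5.1 or later on a .NET that provides RSACertificateExtensions (Framework 4.6+ or .NET Core); the store list is an assumption to extend for your own hosts.

```powershell
# Added example: audit certificate stores for RSA keys shorter than 2048 bits,
# the length Google is moving to. Not code from Google or the articles above.

$minimumBits = 2048

# Stores to audit. Assumption: add user stores (Cert:\CurrentUser\...) or
# remote hosts as your environment requires.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey (.NET 4.6+) returns $null for non-RSA keys such as ECDSA,
    # which this check leaves alone: key length is only comparable within RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

function Get-WeakRsaCertificates {
    param([string[]]$StorePaths, [int]$MinimumBits)
    foreach ($store in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $bits = Get-RsaKeySize -Cert $cert
            if ($null -ne $bits -and $bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Get-RemoteRsaKeySize {
    # Fetches the leaf certificate a TLS server presents and reports its RSA
    # size. The validation callback accepts any chain on purpose, so that a
    # certificate your client would reject can still be inspected; never reuse
    # that callback in code that relies on the connection.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return Get-RsaKeySize -Cert $leaf
    } finally {
        $tcp.Close()
    }
}

Get-WeakRsaCertificates -StorePaths $stores -MinimumBits $minimumBits |
    Sort-Object KeyBits, NotAfter |
    Format-Table -AutoSize

# Remote check against a host name of your choosing, e.g.:
# Get-RemoteRsaKeySize -HostName 'www.google.com'
```

Short keys in the Root or CA stores matter more than short leaf certificates: a 1024-bit root trusted on a host is an attack surface for everything that chains to it, and it is also the kind of embedded trust anchor the item warns will need updating when Google swaps its root.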

Malware Targets Tibetan Activists (May 24, 2013)

Antivirus company ESET has detected espionage malware that targets Tibetan activists. Known as Win32/Syndicasec.A, the malware bypasses the User Account Control (UAC) feature in Windows by exploiting a flaw in the UAC whitelist function that has been known since 2009. The malware then registers JavaScript code in the Windows Management Instrumentation (WMI) subsystem, which means that "malicious code [is not] stored as a regular file on disk."
-http://www.computerworld.com/s/article/9239522/Researchers_find_unusual_malware_targeting_Tibetan_users_in_cyberespionage_operation?taxonomyId=17

[Editor's Note (Henry): Recent media reports, like the ones highlighted in today's NewsBites, have raised awareness about the PRC using computer networks for electronic espionage from western corporations and governments. Not as well known is the way technology is used to target dissidents, including the Falun Gong, Uyghurs, and Tibetan activists. It's not JUST about gaining a competitive edge in the marketplace; it's about stifling those who disagree with the regime. ]
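The persistence the ESET write-up describes, script stored in the WMI repository and fired by an event filter, leaves nothing for a file-based scanner to find, but it does leave a binding in the root\subscription namespace. The PowerShell below is an added example, not code from ESET or from the article: it joins every __FilterToConsumerBinding to its filter and consumer, surfaces the script or command line the consumer would run, and flags anything not on a small allow-list. The single allow-list entry is the binding present on a default Windows install and is an assumption to extend for your own build; run it from an elevated prompt on PowerShell 3.0 or later.

```powershell
# Added example: hunt for WMI permanent event subscriptions, the "fileless"
# persistence described in the item above. Not code from ESET or the article.

$ns = 'root\subscription'

# Consumer bound on a default Windows install (the Service Control Manager
# event log consumer). Assumption: extend this allow-list to match your gold image.
$baseline = @('SCM Event Log Consumer')

function Get-RefName {
    # Binding references arrive as CIM instances (Get-CimInstance) or as
    # object paths such as __EventFilter.Name="X" (Get-WmiObject); accept both.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

# Index filters and consumers by name so each binding can be resolved.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# Enumerating the base class returns every consumer subclass
# (ActiveScriptEventConsumer, CommandLineEventConsumer, NTEventLog..., ...).
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    ForEach-Object { $consumers[$_.Name] = $_ }

$findings = foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters[$fName]
    $c = $consumers[$cName]

    $type    = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
    $trigger = if ($f) { $f.Query } else { 'missing' }

    # What runs when the filter's WQL query matches. The body of an
    # ActiveScriptEventConsumer lives only in the WMI repository, which is
    # why the article's sample never touches disk as a regular file.
    $payload = $null
    switch ($type) {
        'ActiveScriptEventConsumer' {
            $body = if ($c.ScriptText) { $c.ScriptText } else { "file: $($c.ScriptFileName)" }
            $payload = "[$($c.ScriptingEngine)] $body"
        }
        'CommandLineEventConsumer' { $payload = $c.CommandLineTemplate }
    }

    [pscustomobject]@{
        Consumer     = $cName
        ConsumerType = $type
        Trigger      = $trigger
        Payload      = $payload
        # Any binding outside the baseline deserves review; script and
        # command-line consumers most of all.
        Suspicious   = ($cName -notin $baseline)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List
```

The Trigger column is worth reading as carefully as the payload: a filter that fires on a timer (__TimerEvent) or on process or logon activity is how a repository-resident script gets re-executed after reboot without any Run key or scheduled task. Diff the output against a known-good host of the same build before deciding what to remove.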


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/