SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #52

July 02, 2013

TOP OF THE NEWS

ICS-CERT Reports Rise in Attacks Against Energy Sector
US Cyber Challenge and Virginia Tech Hosted Cybersecurity Camp and Competition

THE REST OF THE WEEK'S NEWS

Symbiotic Malware
Attack on South Korean Presidential Web Site Exposes User Data
Nasty Malware Targets South Korean Government and Media Networks
Atlassian Fixes Vulnerability in Crowd Single Sign-On Tool
US Senators Want "Public Answers" About Scope of NSA Surveillance
Security Flaws in Phone App Library
Alleged Shadowcrew Member Extradited From Paraguay
US Administrative Office of the Courts' 2012 Wiretap Report
Former Vice Chairman of Joint Chiefs of Staff is Suspect in Stuxnet Leak

---

************************* SPONSORED BY Invincea **************************
Watering hole, spear-phishing and drive-by download attacks - these attacks work because the bad guys are using zero-days and polymorphic techniques to bypass your endpoint security controls. Invincea has emerged as a zero-day killer at the endpoint. See why they were chosen by Dell to protect more than 20 million machines straight from the factory.
http://www.sans.org/info/133947
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.


--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

ICS-CERT Reports Rise in Attacks Against Energy Sector (July 1, 2013)

In the Spring 2013 ICS-CERT Monitor newsletter, the US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warns of a spike in brute force attacks against process control networks at natural gas companies. The companies targeted were mostly in the Midwest and Great Plains states; the attacks occurred between February 22 and March 8. Between October 1, 2012 and May 2013, ICS-CERT responded to more than 200 incidents involving critical infrastructure systems. Fifty-three percent of those were against energy companies.
-http://www.scmagazine.com//dhs-notes-rise-in-brute-force-attacks-against-natural
-gas-companies/article/301339/
-http://www.theregister.co.uk/2013/07/02/energy_sector_under_increasing_attack_dh
s/
-http://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013.
pdf
[Editor's Note (Assante): It is easy to lose sight of the ICS picture over time, but the number of directed attempts to identify and intrude into ICS has been steadily increasing. The effort has been organized; the incidents link together as larger campaigns with specific themes (in this case natural gas entities). The ICS-CERT has stepped up their game and has 'broken the mold' by working with the national security community to responsibly provide actionable information about threats. The challenge is now upon system owners and operators to equip themselves to act on this information and best shape their defenses. Every fly away team assist should establish new targets in both cybersecurity competency and practice for the effected entity!
(Henry): ICS-CERT is one of the programs at DHS that works well, and their partnership with the FBI creates a great synergy. The awareness ICS-CERT brings to the sector is critical, and the intelligence they're able to share is absolutely a step in the right direction for public-private partnership.
(Weatherford): While there is undoubtedly more malicious activity focusing on the oil and natural gas sector (and all those using ICS), part of this spike can be attributed to more awareness of the ICS-CERT and that they are being utilized as a private sector resource more than ever. The ICS-CERT Team has done an excellent job of outreach to critical infrastructures and accomplishes a lot with a surprisingly small number of people. They are one of the organizations in the government that works well and with the right funding, they could be vastly more valuable to the Nation.

US Cyber Challenge and Virginia Tech Hosted Cybersecurity Camp and Competition (July 1, 2013)

Virginia Tech and the US Cyber Challenge (USCC) hosted the US Cyber Challenge Eastern Regional Summer Camp in Roanoke, Virginia during the last week of June. More than 50 people selected in part because of their strong performance in Cyber Quests, an online competition help by USCC in April. The camp included four days of instruction, a career fair, and an Executive Roundtable. It concluded with a team capture-the-flag cyber competition. Members of the winning team received US $1,000 scholarships.
-http://www.prnewswire.com/news-releases/us-cyber-challenge-and-virginia-tech-hos
ted-successful-cyber-security-competition-213841741.html
[Editor's Note (Weatherford): The Nation needs more of these events and competitions and more private sector companies should be coming to the table with funding and resources. The value returned in qualified people vastly outstrips whatever small investment they make. ]

---

*************************** Sponsored Links: ******************************
1) The Call for Speakers for the SANS Securing the "Internet of Things" Summit on October 22 in San Francisco closes soon. Asheem Chandra of Greylock Partners will keynote, and Earl Perkins of Gartner will also be speaking. We seek user-presented case studies, lessons learned, forecasts and other forms of sharing knowledge and insight with the audience. For more information see
http://www.sans.org/event/internet-of-things-summit, send proposals to
trends@sans.org

2) NEW paper in the SANS Reading Room: "Implementing Hardware Roots of Trust," includes real case studies, best practices and standards on how to implement hardware security that is ubiquitous in most of today's organizations.
http://www.sans.org/info/133687
Listen to the associated webcast:
http://www.sans.org/info/133692

3) Digital Forensics Survey Results released during a July 18 webcast at 1 PM EDT. Register for the webcast and automatically sign up for a copy of the associated report. http://www.sans.org/info/133952
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Symbiotic Malware (July 1, 2013)

Researchers have discovered two pieces of malware that help each other maintain a foothold on the computers they have infected. The two different strains of malware, known as Vobfus and Beebone, download updated versions of each other. The newest versions are often unknown by malware detection programs. Vobfus spreads through malicious links on websites, over network links, or on USB drives, and is normally the first of the two to infect machines. Once installed, Vobfus downloads Beebone, which recruits the infected machine to become part of a botnet.
-http://www.bbc.co.uk/news/technology-23125422
-http://www.computerworld.com/s/article/9240470/Two_malware_programs_help_each_ot
her_stay_on_computers?taxonomyId=17

Attack on South Korean Presidential Web Site Exposes User Data (July 1, 2013)

A recent attack on the website of the South Korean presidential office compromised the personal information of 100,000 people. The exposed data include birth dates, identification numbers, and IP addresses. Users' passwords and registration numbers, which are comparable to US Social Security numbers (SSNs), were encrypted.
-http://www.zdnet.com/south-korea-govt-site-hacking-sees-massive-data-breach-7000
017507/

Nasty Malware Targets South Korean Government and Media Networks (June 28, 2013)

The recent cyberattacks against South Korean government and media networks have been found to involve malware that wipes data from hard drives and makes computers unusable. The malware, called Korhigh, permanently deletes data and overwrites hard drives' master boot records and bears similarities to malware used in attacks on South Korean websites earlier this year.
-http://arstechnica.com/security/2013/06/hard-drive-wiping-malware-part-of-new-wa
ve-of-threats-targeting-south-korea/
-http://www.scmagazine.com/research-sheds-light-on-dark-seoul-sabotage-gang/artic
le/300938/
-http://www.computerworld.com/s/article/9240440/New_disk_wiper_malware_linked_to_
attacks_in_South_Korea_researchers_say?taxonomyId=17

Atlassian Fixes Vulnerability in Crowd Single Sign-On Tool (July 1, 2013)

Atlassian has fixed a critical security issue in its Crowd single sign-on and identity management tool that could have been exploited by hackers to gain access to login credentials and sensitive data. Crowd is used by 1,000 organizations, including government agencies, banks, software companies, and telecommunication companies, in 55 countries.
-http://www.computerworld.com/s/article/9240487/Critical_vulnerabilities_found_in
_single_sign_on_enterprise_tool_Atlassian_Crowd?taxonomyId=17
-http://www.theregister.co.uk/2013/07/01/atlassian_plugs_xml_parsing_vulnerabilit
y/

US Senators Want "Public Answers" About Scope of NSA Surveillance (June 28 & July 1, 2013)

US legislators are calling for "public answers" regarding the scope of the National Security Agency's (NSA's) surveillance of people in the US. In their letter to Director of National Intelligence James R. Clapper, the group of 26 senators asks if the NSA collected personal information, such as credit card purchases, library records, and firearms sales, in addition to phone records. The senators also ask if the collected data include cell-site location data.
-http://www.computerworld.com/s/article/9240469/U.S._senators_demand_that_NSA_dis
close_extent_of_spy_program?taxonomyId=17
-http://www.washingtonpost.com/blogs/post-politics/wp/2013/06/28/26-senators-dema
nd-answers-from-clapper-on-surveillance/
Text of Letter:
-http://www.guardian.co.uk/world/interactive/2013/jun/28/senators-letter-james-cl
apper
[Editor's Note (Honan): The allegations about NSA surveillance could have far reaching consequences. Following revelations alleging the US spied on EU diplomats and embassies there are concerns that US and EU trade talks may be in jeopardy.
-http://rt.com/business/nsa-free-trade-spying-477/]

Security Flaws in Phone App Library (June 30 & July 1, 2013)

Vulnerabilities in the GNU ZRTPCPP open-source security library used by some secure mobile phone apps could be exploited to allow arbitrary code execution and crash applications. The flaws include a remote heap overflow, several stack overflows, and information leakage.
-http://www.computerworld.com/s/article/9240473/Vulnerabilities_found_in_code_lib
rary_used_by_encrypted_phone_call_apps?taxonomyId=17
-http://www.theregister.co.uk/2013/06/30/secure_phone_app_library_vulnerable/

Alleged Shadowcrew Member Extradited From Paraguay (July 1, 2013)

Aleksi Kolarov, who has been held in Paraguay since 2011, has been extradited to the US to face charges related to the Shadowcrew carding forum. In 2004, the US charged Kolarov with conspiracy, transferring false identification documents, and offering access devices without authorization.
-http://www.darkreading.com/attacks-breaches/bulgarian-national-charged-in-larges
t-id/240157611
-http://www.wired.com/threatlevel/2013/07/bulgarian-shadowcrew-arrest/
-http://www.justice.gov/usao/nj/Press/files/Kolarov,%20Aleksi%20Extradition%20PR.
html
Indictment:
-http://www.justice.gov/usao/nj/Press/files/pdffiles/2013/Kolarov,%20Aleksi%20Ind
ictment.pdf
[Editor's Note (Henry): Two key points in this piece say a lot about where law enforcement is headed in cybersecurity. First, coordination and collaboration with foreign partners is absolutely critical to successfully track and prosecute adversaries. Secondly, government agencies and prosecutors are taking these crimes seriously; continuing to "hunt" for the adversary for more than seven years demonstrates a commitment to mitigate these threats, and sends a signal to those who believe they are outside the long arm of the law. ]

US Administrative Office of the Courts' 2012 Wiretap Report (June 28, 2013)

The US Administrative Office of the Courts 2012 Wiretap Report notes that 15 wiretaps last year encountered encrypted communications. In previous years, there have been a total of seven other instances. In four of the cases, officials were not able to decrypt the messages. This is the first time that officials have reported being thwarted by encryption "since the AO began collecting encryption data in 2001." According to the report, there were 3,395 authorized wiretaps from state or federal judges in 2012. The numbers do not include "interceptions regulated by the Foreign Intelligence Surveillance Act of 1978."
-http://www.wired.com/threatlevel/2013/06/encryption-foiled-wiretaps/
-http://www.uscourts.gov/Statistics/WiretapReports/wiretap-report-2012.aspx#sa5
[Editor's Note (Pescatore): Encryption foiling .1% of wiretaps shows that strong encryption is hard to do. Which, of course, is also why the penetration of persistent encryption of data is so low - it is hard to do right. Harder than it should be, but many of the same barriers that have resulted in reusable passwords continuing to dominate need to be overcome in order for persistent encryption to break out. ]

Former Vice Chairman of Joint Chiefs of Staff is Suspect in Stuxnet Leak (June 27 & 28, 2013)

Retired US Marine General James Cartwright is being investigated as the possible source of the Stuxnet leak. In June 2012, The New York Times published a detailed story about Stuxnet, but sources were not identified. General Cartwright has also been credited as the person who presented the idea of Stuxnet to the George W. Bush administration. General Cartwright served as vice chairman of the Joint Chiefs of Staff from 2007-2011.
-http://news.cnet.com/8301-1009_3-57591453-83/feds-target-former-high-ranking-gen
eral-in-stuxnet-leak-probe/
-http://www.scmagazine.com/us-marine-general-may-have-been-the-source-of-the-stux
net-leak/article/300939/
-http://www.theatlanticwire.com/national/2013/06/stuxnet-leaker-might-be-general-
credited-getting-it-started/66673/
-http://www.theregister.co.uk/2013/06/28/stuxnet_general_arrested/
[Editor's Note (Pescatore): Two great cartoon captions recently in New Yorker magazine about leaking, in both cases a manager is handing a document across big desk to underling: (1) "Leak this against my wishes." and (2) "Leak to the press that my Administration won't stand for any more leaks." ]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/