SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #60

July 30, 2013

TOP OF THE NEWS

Microsoft Takedown Disrupted Most Citadel Botnets
Judge Bans Publication of Paper on Car Security System Hacking
Governments Ban Lenovo PCs From Accessing Classified Networks

THE REST OF THE WEEK'S NEWS

Hackers Target White House Employees' Personal eMail Accounts
Two Indicted in Oklahoma Gas Pump Skimming Scheme
Professor and Student Spoof Yacht's GPS
Questionable Apps in Google Play Store
Apple Developer Site Partially Restored
Terms and Conditions Documentary Examines Evolution of Internet Privacy Issues
Stanford University Urges Password Changes in Wake of Breach
Oil Field Sensors Vulnerable to Attack Through Radio Waves

---

************************ SPONSORED By Bit9 *****************************
Whitepaper: Top Lessons Learned From Real Attacks. This whitepaper details lessons learned about cyber attacks from extensive interviews with security analysts. One common thread that emerged was the difficulty of preventing the delivery of APT malware to systems and quickly detecting the attack once the malware was active.
Learn More: http://www.sans.org/info/136217
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current

Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Microsoft Takedown Disrupted Most Citadel Botnets (July 26, 2013)

Microsoft's recent takedown operation aimed at malware known as Citadel disrupted nearly 90 percent of botnets powered by that malware. The takedown was a collaborative effort between Microsoft, the FBI, and other entities in the technology and financial services sectors. The malware has been wiped from nearly 40 percent of computers identified as having been infected with Citadel. Exactly how the machines were cleaned remains unclear. In a June 21 blog post, Microsoft Digital Crimes Unit Assistant General Counsel Richard Domingues Boscovich wrote that a sinkhole the company established to replace Citadel's command-and-control servers had drawn 1.3 million unique IP addresses. Microsoft was working with the Shadowserver Foundation and other entities to identify and "mitigate botnet threats." Some researchers have complained that Microsoft's actions were overly broad; some of the domain names seized in the operation were already under the control of researchers who were monitoring the activity of Citadel botnets. That researcher was also critical of Microsoft's decision to "send configuration files to Citadel-infected computers that were connecting to its sinkhole servers ...
[because ]
this action implicitly modifies settings on those computers without their owners' consent." Boscovich said that because Citadel blocks infected computers' access to security sites, the company obtained a court order allowing it to unblock the sites when infected computers contacted the Citadel command and control system, which is hosted in the US.
-http://www.computerworld.com/s/article/9241117/FBI_Microsoft_takedown_program_bl
unts_most_Citadel_botnets?taxonomyId=17
-http://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/25/public-pri
vate-partnerships-essential-to-fighting-cybercriminals.aspx?Redirected=true

Judge Bans Publication of Paper on Car Security System Hacking (July 29, 2013)

A UK high court judge has ruled that a trio of computer scientists may not publish a paper describing how a weakness in a cryptographic algorithm used to identify automobiles' ignition keys. The injunction was sought by Volkswagen, which also owns Porsche, Audi, Bentley, and Lamborghini. The Megamos Crypto system, which is discussed in the paper, is used by a number of the luxury car brands. Volkswagen asked that the researchers publish a redacted version of the paper because they maintain the information could be used to steal cars. The researchers say that the information is available online. They also notified the manufacturer of the vulnerable chip nine months ago to give the company time to address the security issues before they planned to present the paper.
-http://arstechnica.com/tech-policy/2013/07/high-court-bans-publication-of-car-ha
cking-paper/
-http://www.bbc.co.uk/news/technology-23487928
-http://www.theregister.co.uk/2013/07/28/birmingham_uni_car_cracker_muzzled_by_lo
rds/
-http://www.v3.co.uk/v3-uk/news/2285415/volkswagen-wins-high-court-block-on-luxur
y-car-hack-codes
[Editor's Comment (Murray): It is difficult to find sufficient social value in this paper to justify putting academic freedom on the line for it. Guest Editor's Comment (Adrien de Beaupre): A court injunction against information going public does not in any way prevent it from becoming spread on the Internet, it is already public. The vendor (Volkwagen) should address the problem instead of trying to cover up. The threat exists, the vulnerability exists, and mitigation does not include going to court. ]

Governments Ban Lenovo PCs From Accessing Classified Networks (July 29, 2013)

A recent report from Australia's Financial Review revealed that for the past seven years, the governments of the US, the UK, Australia, New Zealand, and Canada have banned the use of Lenovo PCs to access classified networks. Together, these countries make up the "five eyes" electronic eavesdropping alliance. The ban was prompted by concerns that the Chinese government may have installed backdoors to allow monitoring. Lenovo acquired IBM's PC division in 2005. When the US State Department purchased 16,000 Lenovo PCs in 2006, legislators' security concerns resulted in the machines being relegated to use only on unclassified networks.
-http://www.informationweek.com/security/government/intelligence-agencies-banned-
lenovo-pcs/240159087
-http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/
-http://qz.com/109356/move-over-huawei-theres-a-new-bogeyman-in-town-and-its-call
ed-lenovo/

---

*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/136222

2) ALERT: Learn the latest attacks gleamed from interviews with real hackers and how to leverage this intel http://www.sans.org/info/136237

3) Former Deputy Secretary of the DHS, Jane Holl Lute, to keynote Critical Security Controls Summit! Register today. http://www.sans.org/info/136227
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hackers Target White House Employees' Personal eMail Accounts (July 29, 2013)

Hackers have breached the Gmail accounts of three White House staffers. The compromised accounts were used to send suspect messages to other White House employees. The messages contain links that, if clicked, could harvest users' email logins and Twitter account access credentials. The malicious links purport to be to BBC or CNN articles and lead to Gmail and Twitter login screens that look genuine, but which are designed to trick users into disclosing account access information. While White House employees are mot supposed to use personal webmail accounts for official communications, not everyone abides by the restriction.
-http://www.nextgov.com/cybersecurity/2013/07/white-house-employees-personal-emai
l-hacked/67556/?oref=ng-channeltopstory

Two Indicted in Oklahoma Gas Pump Skimming Scheme (July 29, 2013)

Two men have been indicted in Oklahoma on charges related to a skimming attack that lifted payment card data from gas pumps at Wal-Mart stores. The scheme allegedly netted the pair US $400,000 before they were nabbed. The skimming devices were left in place for up to two months at a time. Once retrieved, the data they had collected were used to create counterfeit cards, which were then used to withdraw cash from ATMs. The scheme ran from April 2012 through January 2013.
-http://krebsonsecurity.com/2013/07/dont-get-sucker-pumped/
-http://www.tulsaworld.com/article.aspx/Two_men_charged_in_gas_pump_skimming_cons
piracy/20130725_11_A9_CUTLIN266292?subj=1
[Editor's Note (Murray): When BP in the UK equipped their pumps to accept EMV cards to address the vulnerability of mag-stripe and PIN, they remained vulnerable because of backward compatibility. The vulnerability is now so vast that it may be too late for EMV to fix it. It is ironic that Wal-Mart has been ready for years to accept EMV cards that the card companies have not issued. (PCI-DSS is "lipstick on a pig.")]

Professor and Student Spoof Yacht's GPS (July 29, 2013)

University of Texas Assistant Professor Todd Humphreys and his students demonstrated how easily the Global Positioning System (GPS) equipment on a luxury yacht could be spoofed. The experiment was conducted with consent of the ship's captain. GPS signals travel from satellites to earth without encryption or authentication; Humphreys and his students tricked the yacht's GPS receiver into accepting signals from their own device, which was aboard the boat. Humphreys has been warning about the possibility of such attacks for the last several years. At a conference last year, he demonstrated how a drone's GPS could be tricked into accepting false information. Humphreys has also written a paper about how to thwart such attacks.
-http://arstechnica.com/security/2013/07/professor-spoofs-80m-superyachts-gps-rec
eiver-on-the-high-seas/

Questionable Apps in Google Play Store (July 28 & 29, 2013)

Symantec says that over the last seven months, it has detected more than 1,200 suspicious or questionable apps in the Google Play store for Android. Most are removed from the store shortly after their appearance, but some remain available for several days. The objective of apps can be difficult to discern, especially when they employ several layers to obfuscate their intent.
-http://www.informationweek.com/security/mobile/scam-android-apps-plague-google-p
lay/240159084
-http://www.computerworld.com/s/article/9241173/Google_Play_store_inundated_with_
scam_apps_Symantec_says?taxonomyId=17

Apple Developer Site Partially Restored (July 27, 2013)

More than a week after Apple's developer website was taken offline, certain portions of the site have been restored. Among the sections that have been restored are iOS, Mac, and Safari Dev Centers as well as Software Downloads, digital certificates, and the company's bug-reporting system. Developer-to-developer discussion forums remained offline as of late last week. The developer site was taken offline on July 18, but it was not until four days later, on July 22, that the company acknowledged that "an intruder attempted to secure personal information of our registered developers" from the site. While registered users' personal data were encrypted, the company could not rule out the possibility that some users' names, email addresses, and mailing addresses may have been compromised. Apple has specified on the Developer System Status Page the order in which it plans to restore sections of the website.
-http://www.computerworld.com/s/article/9241148/Apple_restores_key_parts_of_dev_s
ite_after_attack?taxonomyId=17
-http://www.zdnet.com/apple-developer-center-comes-back-online-partially-after-ma
ssive-outage-7000018618/

Terms and Conditions Documentary Examines Evolution of Internet Privacy Issues (July 27, 2013)

Terms and Conditions is a recently released documentary that examines the evolution of Internet privacy policies over the last 15 years. A dozen Internet privacy bills were introduced prior to September 11, 2001, but all were abandoned in the wake of the attacks. Instead, the PATRIOT Act was put in place, which led to the NSA's wide-reaching data gathering practices. Assurances of anonymity have disappeared. The film compares Google's privacy policy from December 2000 with that from December 2001. In short, the earlier policy clearly states that users' identities are not traceable through cookies, but the one from a year later indicates that cookies might be able to be used to identify a particular user. That later policy says, in part, "Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute or court order." The film also addresses Facebook's data retention practice. When users delete or remove content from their profiles, it merely gets flagged as deleted, but it still remains in the Facebook data banks and is accessible to Facebook or government agencies.
-http://arstechnica.com/tech-policy/2013/07/terms-and-conditions-a-movie-about-pr
ivacy-policies-youll-actually-want-to-watch/

Stanford University Urges Password Changes in Wake of Breach (July 26, 2013)

Users of Stanford University's computer network are being asked to reset their passwords in the wake of a cyberattack. The university has not been forthcoming with details about the incident, which is presumed to be part of a series of attacks on systems of organizations in the US. Stanford University VP for business affairs Randy Livingston sent an email warning users of an "apparent breach" last week. The message recommended that users change their passwords "as a precautionary measure." The school is not aware that sensitive data, such as health and financial information or Social Security numbers (SSNs) have been compromised and Livingston noted that "Stanford does not conduct classified research." The attack is also believed to have been confined to the Stanford University campus.
-http://www.v3.co.uk/v3-uk/news/2284971/stanford-university-warns-of-threats-from
-user-hacks
-http://www.informationweek.com/education/security/stanford-university-network-ha
cked/240158977

Oil Field Sensors Vulnerable to Attack Through Radio Waves (July 25, 2013)

Researchers at computer security company IOActive say that certain sensors used in oil fields that are vulnerable to attacks with radio transmitters from as far away as 40 miles from the site. The sensors are used in the field to monitor temperature, pipeline pressure, and other measurements. The researchers plan to present their findings at the Black Hat security conference this week in Las Vegas. Attacks on these devices are particularly alarming because they have the potential to cause physical harm to people. The researchers looked at sensors from three manufacturers. The security issues discovered on the sensors include weak cryptographic keys for communication authentication, configuration problems, and other software vulnerabilities. Certain groups of sensors were found to have shipped with identical cryptographic keys. Using the type of radio antennae the sensors use to communicate with their "home networks," the researchers found that they could alter sensor readings or even disable them from as far as 40 miles away. And because the attacks are conducted over radio waves and not the Internet, they are virtually impossible to trace. Fixing the vulnerabilities requires firmware updates, which in turn require physical connection with the devices. The vendors have not been identified, but the researchers have provided their findings to the US Computer Emergency Response Team (US-CERT), which will notify the vendors.
-http://www.computerworld.com/s/article/9241109/Oil_gas_field_sensors_vulnerable_
to_attack_via_radio_waves?taxonomyId=17
[Editor's Note (Assante): Field communication vulnerabilities are too common. It would be nice if Smart Grid security lessons were more broadly digested by vendors developing field solutions. Weak encryption implementation, poor key management, and the inherent constraints of addressing problems in firmware-based systems leave asset owners with difficult decisions. ]

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/