SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #63

August 09, 2013

The case studies at next week's workshop on critical security controls in Washington provide a roadmap to the next generation of cyber security consulting. Buyers are getting much more effective in telling the difference between consultants who are guessing and those who have a clear path that has a strong foundation in threat and threat mitigation. If you are looking for opportunities to provide top quality consulting services, don't miss this workshop.

Register at http://www.sans.org/event/critical-security-controls-summit

Alan

---

TOP OF THE NEWS

Chinese Hackers Infiltrated Decoy Water Control System
California Escrow Firm Shuts its Doors After US $1.5 Million Wire Theft
White House Lists Incentives for Companies to Adopt Cyber Security Framework

THE REST OF THE WEEK'S NEWS

Most US Defense Contractors Won't be in Compliance With Counterfeit Equipment Detection Rule
Alleged Gozi Author's Extradition from Latvia Approved, Then Suspended
Microsoft's Patch Tuesday for August
Firefox 23 Includes Mixed-Content Blocking Feature
Three People Sentenced in Connection with US $5 Million Carding Scheme
Secure eMail Provider Lavabit Shuts Down
Google Defends Chrome's Password Manager
Twitter's Two-Factor Authentication
Former College Student Draws One-Year Sentence for Rigging Election

---

************************ SPONSORED By Bit9 *****************************
FREE Trust Assessment Tool: Do you know if you are the target of an advanced threat or have unauthorized software in your organization? How can you trust what's running on your systems if you don't have answers to these questions?
Download Bit9's Trust Assessment Tool to tell you exactly what is running on your system
http://www.sans.org/info/137207
**************************************************************************
TRAINING UPDATE

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
- --Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Chinese Hackers Infiltrated Decoy Water Control System (August 2, 2013)

A Chinese hacking group that has been linked to the Chinese army appears to have infiltrated a decoy water control system for a US city. The system, also known as a honeypot, was set up by a research project. The infiltration is evidence that hackers are turning their attention to industrial control systems. Between March and June of this year, a dozen honeypot industrial control systems drew 74 intentional attacks from 16 countries. Of those, 10 managed to take over the system entirely. The researcher who set up these honeypots believes that it is likely that water plants and other facilities using ICS have been successfully compromised but may not know it.
-http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-o
ver-decoy-water-plant/
[Editor's Note (Assante): The research project clearly shows size does not matter, as many cyber attackers are interested and a few are even prepared to compromise Industrial Control Systems (ICS). The researcher's selection of a water system for the decoy was a good one, as many rely upon web-based remote access for engineers and technicians. The fact that 10 of the attacks "gained control" of the system is not surprising, more worrisome is the report that four of the attacks included meddling with the industrial protocol or plant floor devices. I worry about ICS operators that don't possess the capability and necessary competencies to detect real world intrusions and unknowingly operate systems that have lost their integrity to successful compromises. This point may benefit from a quick analog, if plant engineers were pilots, would they be comfortable flying a plane that had unknown parties able to touch the controls that did not share their commitment to keep the plane safely in the air?
(McBride): I find it interesting that this supposed set of threat actors (possibly linked to Chinese military) engaged in opportunistic rather than strategic behavior. Is that because they are honing/practicing their SCADA hacking skills? Do they not have a model/practice infrastructure set up? -- or have they moved beyond that? If the threat actors believed their actions were against operational systems, were they not worried about physical outcomes to real human beings? This gets me thinking: Is there some analogy between SCADA honeypots and other "terrorist" (term used loosely) sting operations?]

California Escrow Firm Shuts its Doors After US $1.5 Million Wire Theft (August 7, 2013)

A California escrow company is in receivership after being targeted by US $1.5 million in fraudulent wire transactions late last year. While Efficient Services Escrow Group was able, with the help of its bank, to recover roughly US $430,000 that had been headed to Russia, the remaining US $1.1 million disappeared into accounts in northern China. The company reported the incidents to state regulators and when it was unable to come up with the missing funds within three days, the regulators shut Efficient down. The company's owners have filed a claim with an insurance company and are considering options for seeking help from the bank, First Foundation. The company owners are puzzled that the bank did not question the overseas wire orders, particularly because the company had never conducted such orders in the past. Unfortunately, few banks employ country-blocking capabilities for wire transfers, and many smaller banks use third party service providers for their online banking systems. Companies don't often ask about such measures until after a breach has already occurred.
-http://krebsonsecurity.com/2013/08/1-5-million-cyberheist-ruins-escrow-firm/
Brian Krebs's Online Banking Best Practices for Businesses:
-http://krebsonsecurity.com/online-banking-best-practices-for-businesses/

White House Lists Incentives for Companies to Adopt Cyber Security Framework (August 6 & 7, 2013)

The White House has compiled a list of incentives that it hopes will encourage private sector companies, especially those that support elements of the country's critical infrastructure, to adopt practices described in the Cybersecurity Framework. The incentive areas include cybersecurity insurance, grants, and liability limitation.
-http://www.scmagazine.com/white-house-offers-incentives-for-critical-infrastruct
ure-companies-participating-in-cyber-security-program/article/306472/
-http://news.cnet.com/8301-1009_3-57597303-83/white-house-to-offer-companies-cybe
rsecurity-incentives/
-http://www.computerworld.com/s/article/9241407/Feds_explore_cybersecurity_incent
ives_for_the_private_sector?taxonomyId=17
-http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecur
ity-framework
[Editor's Note (Pescatore): Every April 14th, at about midnight, as I feverishly pound on my tax return preparation software, I wonder if all the incentives in the US tax code for charitable deductions, home mortgages, buying jewel bearings from a supplier in North Dakota, etc. are really worth the effort I go through to prove I deserve them.
(Murray): Encouraging operators to assign their risk to insurance companies and limiting their liability for failures may induce them to participate in the program without improving security. Security, not participation, should be the goal. THE major problem in the electric power industry, the most vulnerable part of the infrastructure, is that the power companies are local and regulated by local politicians whose goal is to keep rates low in the short term.]

---

*************************** Sponsored Links: ******************************
1) Webinar: What used to keep your organization secure and PCI compliant is no longer good enough. Learn how you can protect against today's widening threat landscape http://www.sans.org/info/137212

2) August 21 Webcast! Managing Identities in the Cloud Without Sacrificing Corporate Control: A Review of McAfee's Web-Focused Identity Tools, featuring Dave Shackleford http://www.sans.org/info/137217

3) The Critical Security Controls Summit strives to bring you the most up-todate thinking on the hottest topics. Jane Lute former Deputy Secretary of the DHS to keynote! Register today http://www.sans.org/info/137222
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Most US Defense Contractors Won't be in Compliance With Counterfeit Equipment Detection Rule (August 8, 2013)

Many US Defense Department (DOD) contractors say they will not be able to comply with a rule, scheduled to take effect in March 2014, requiring that they establish a system to detect counterfeit electronic parts or forfeit payment. Part of the reason the contractors will not be in compliance by March is that DOD has not provided guidance as to what constitutes an acceptable detection system.
-http://www.nextgov.com/defense/2013/08/defense-sector-not-ready-comply-2014-anti
-counterfeit-rule/68378/?oref=ng-HPtopstory
[Editor's Note (Pescatore): Several years in the making, the language that came out is still very vague. Since guidance is unclear, where OEM parts are available, top tier suppliers will avoid liability by buying more expensive OEM parts. Where OEM parts are not available (think thousands of legacy systems) they will try to push the liability down to the smaller players, who can't take on that liability. Twenty years ago DoD used to maintain warehouses with critical components for legacy systems, they got out of that business in 1996 or so and created this problem. (Murray): This is a "hard problem." There may not be a (late) solution with a cost proportionate to the risk. It is more efficient to design (early) artifacts to be difficult to counterfeit than to detect (late) counterfeits among a large population of objects with limited anti-counterfeiting features.]

Alleged Gozi Author's Extradition from Latvia Approved, Then Suspended (August 8, 2013)

Just one day after Latvian ministers voted to approve the extradition of Deniss Calovskis, who is accused of creating and helping distribute malware known as Gozi, the European Court of Human Rights (ECHR) has suspended his extradition to the US. Calovskis's legal team had appealed to the ECHR after the extradition was approved.
-http://www.scmagazine.com/extradition-suspended-for-gozi-virus-co-conspirator/ar
ticle/306628/
Decision to Extradite:
-http://arstechnica.com/tech-policy/2013/08/latvia-agrees-to-extradite-man-accuse
d-of-helping-gozi-virus-creation/

Microsoft's Patch Tuesday for August (August 8, 2013)

Microsoft plans to issue eight security bulletins on Tuesday, August 13 to address critical flaws in Internet Explorer and Exchange Server, and less severe issues in all supported versions of Windows.
-http://www.computerworld.com/s/article/9241485/Microsoft_to_clean_up_after_Oracl
e_s_patch_mess_again_next_week?taxonomyId=17
-http://www.eweek.com/blogs/security-watch/microsoft-set-to-update-ie-again-for-a
ugust-patch-tuesday.html/
-http://technet.microsoft.com/en-us/security/bulletin/ms13-aug

Firefox 23 Includes Mixed-Content Blocking Feature (August 8, 2013)

Mozilla has released Firefox 23, which fixes five critical vulnerabilities, including a pair of memory safety issues that could be exploited to allow arbitrary code execution or create denial-of-service conditions resulting in memory corruption or application crash. The newest version of the browser also includes a mixed content blocking feature, which is aimed at blocking man-in-the-middle attacks and HTTPS eavesdropping. The feature is on by default; users may disable it on a page-by-page basis. Internet Explorer and Chrome already offer mixed content blocking.
-http://www.scmagazine.com/firefox-23-patches-five-critical-bugs-adds-feature-to-
block-mitm-attacks/article/306537/
[Editor's Note (Ullrich): This is an interesting feature in that it distinguishes active from passive content. Images delivered via http will still be visible on https sites, but javascript will not run if an https site includes scripts via http. We setup a brief test page here:
-https://isc.sans.edu/mixed.html]

Three People Sentenced in Connection with US $5 Million Carding Scheme (August 8, 2013)

Three people have received state prison sentences for their roles in a US $5 million carding scheme. Egor Shevelev is believed to have operated a carding ring between 2004 and 2007; he was sentenced to between 14 and 40 years. Accomplices Anna Ciano and Douglas Latta received sentences of 20 to 47 years and 22 to 44 years, respectively. The variability in the sentences is due to the fact that "state sentences, unlike federal, offer parole, and the parole board would determine the exact sentence once each case comes up for review."
-http://www.wired.com/threatlevel/2013/08/carder-eskalibur-sentenced/
-http://arstechnica.com/tech-policy/2013/08/brooklyn-connection-in-worldwide-cred
it-card-ring-gets-22-years-in-prison/

Secure eMail Provider Lavabit Shuts Down (August 8, 2013)

Lavabit, the secure email server that Edward Snowden had been using, has shut down. The company's owner, Ladar Levison, wrote that he had to decide between "becom
[ing ]
complicit in crimes against the American people or walk
[ing ]
away from nearly ten years of hard work." Levison wrote that although he would like to be able to tell users what prompted his decision, he is not at liberty to disclose that information, leading to speculation that the company received a National Security Letter or a search or eavesdropping warrant. Another encrypted communications service, Silent Circle, has shut down its Silent Mail service, noting, "We see the writing
[on ]
the wall, and we have decided that it is best for us to shut down Silent Mail now."
-http://www.wired.com/threatlevel/2013/08/lavabit-snowden/
-http://www.theregister.co.uk/2013/08/08/lavabit_shuts_down/
-http://arstechnica.com/tech-policy/2013/08/ed-snowdens-encrypted-e-mail-service-
shuts-down-leaving-cryptic-message/
[Editor's Note (Pescatore): There really has been low demand for encrypted messaging services by the general public, even with all the recent hype over NSA surveillance. If there was demand, there would be profit and services such as this would invest some of that profit to vet their customers to avoid any criminal liability. The same has proven true for telephone encryptors over the past 30 years.
(Honan): It says a lot when companies operating in a democratic society fear for the privacy and safety of their customers resulting from government surveillance.
(Murray): If one wants secure e-mail, one cannot rely upon a third party.]

Google Defends Chrome's Password Manager (August 7 & 8, 2013)

A software developer was surprised to find that Google Chrome lets anyone with access to a computer see in plaintext passwords the browser has stored. Google has acknowledged this characteristic of the browser from the beginning and maintains that it is not a security flaw. Google explains that security "boundaries within the OS user account just aren't reliable," and the company "doesn't want to provide users with a false sense of security" by supporting a security scheme, such as a master password, that doesn't work. "When you grant someone access to your OS user account, they can get at everything."
-http://www.wired.com/threatlevel/2013/08/chrome-password-manager/
-http://www.scmagazine.com/chrome-saved-passwords-in-plain-text-not-a-flaw-accord
ing-to-google/article/306470/
-http://www.v3.co.uk/v3-uk/news/2287735/google-and-security-community-come-to-blo
ws-on-chrome-password-strategy
-http://news.cnet.com/8301-1009_3-57597364-83/chrome-password-security-issue-stir
s-debate/
Developer's Blog:
-http://blog.elliottkember.com/chromes-insane-password-security-strategy
Google's Response:
-https://news.ycombinator.com/item?id=6166731
[Editor's Note (Murray): While I agree with the essence of Google's defense, asking for re-authentication is cheap, would make user's "feel" better, and might add marginally to the cost of re-covering the passwords to someone who compromises the device.

Twitter's Two-Factor Authentication (August 6 & 7, 2013)

Twitter has made changes to the two-factor authentication system it introduced in May, which used text messaging. The new login verification system for its mobile app uses the app itself to authorize account access instead of communicating through text messaging, which can be less than trustworthy. Users who want to update to the new authentication system need only update their mobile twitter apps. Attempted logins will provide rough locations and information about the browser being used. Twitter acknowledges that two-factor authentication is a work-in-progress and says it will continue to improve the process.
-http://www.zdnet.com/twitter-right-to-think-2-factor-authentication-a-journey-no
t-a-destination-7000019128/
-http://arstechnica.com/security/2013/08/twitter-rolls-out-two-factor-authenticat
ion-thats-simpler-more-secure/
-http://www.wired.com/threatlevel/2013/08/twitter-new-two-facto/
-http://www.nbcnews.com/technology/twitters-new-security-measure-ditches-texts-ap
p-alerts-6C10863141
[Editor's Note (Pescatore): I'm a big fan of two factor authentication and we all are familiar with choosing two of the first three forms: what you know, what you have, what you are. The fourth form "where you are" is more problematic. Advertisers love to know where you are, and so do burglars - I'm not wild about that information going out to every advertising network Twitter and others participate in.
(Ullrich): Twitter's biggest problem are high profile accounts that are managed by multiple people / PR departments. I think they need to re-think how users are authenticated for these accounts. Two factor doesn't seem to be the best solution here as long as login credentials are shared. Probably some system that allows multiple users to authenticate using their own credentials to manage a particular account would be appropriate, or better integration with existing social media platforms.
(Murray): Twitter is solving the wrong problem. The problem is not with the implementation of authentication but with the sharing of user IDs. The right solution is to implement multiple user IDs per Twitter account. Sharing of a single ID will inevitably lead to an embarrassing tweet that cannot be unambiguously attributed. Out of band solutions are always preferable to in band. That said, both Google and my community bank permit me to register multiple phone numbers and choose the one I want to use at authentication time. ]

Former College Student Draws One-Year Sentence for Rigging Election (August 6, 2013)

A former California State University San Marcos student has received a one-year sentence for trying to rig the school's election for student body president. Matthew Weaver used keystroke loggers to harvest other students' passwords, then used the stolen access credentials to cast more than 600 fraudulent votes for himself and for his friends.
-http://www.scmagazine.com/student-attempting-to-rig-election-wins-one-year-in-ja
il/article/306314/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/