SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #76

September 24, 2013

Attacks and defenses in nuclear and other power sites are the focus of the top two stories this week. John Pescatore's description of the misallocation of U.S. Energy Department (DoE) cybersecurity funding illuminates a key cause of the continuing weakness - that too many people in the energy sector are beguiled by "shiny new tools" rather than knowing how to implement the low-cost security controls that stop nearly all common attacks. That news story does not mention the good news, which is DOE's groundbreaking work with the Council on Cybersecurity in cyber workforce skills, and its catalytic contribution to the most promising response to the skills challenge: the GICSP. Under the leadership of an international consortium of Shell, BP, Pacific Gas & Electric, ABB, Emerson Process Management, Schneider Electric, Invensys, Rockwell Automation and Yokogawa, the European Commission's Joint Research Centre, KPMG, and several others, a new skills certification will be required for cybersecurity professionals in companies using, building, or consulting on security for industrial control systems. Global Industrial Cyber Security Professional (GICSP) certification testing will begin in eight weeks (November 22). http://www.infosecurity-magazine.com/view/34638/industry-launches-global-certifi
cation-effort-targeting-critical-infrastructure-/

More data on GICSP: http://www.giac.org/certification/global-industrial-cyber-security-professional-
gicsp

Alan

---

TOP OF THE NEWS

Attacks on US Energy Sector Websites Bear Similarities to May Attack on Labor Dept. Site Looking For Nuclear Energy Workers
US Dept. of Energy Spending $30 Million on Critical Infrastructure Security
Unpatched IE Flaw Exploited in Attacks on Japanese Websites
US Defense Department to Consolidate Networks into Joint Information Environment

THE REST OF THE WEEK'S NEWS

Spain Approves More Stringent Anti-Piracy Law
Grace Period Ends for Updated HIPAA Rule Compliance
MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools
Some Arrested in Barclays Heist Linked to Attempted Theft from Santander Bank
20 Percent of Cybersecurity Positions at DHS Directorate Remain Unfilled
California Governor Approves Online "Eraser Button"
FBI Warns of Beta Bot Financial Data-Stealing Malware
Cyberespionage Campaign Focused on Drone Technology

---

************************ Sponsored By Bit9 *******************************
Top Lessons Learned From Real Attacks. This whitepaper details lessons learned about cyber attacks from extensive interviews with security analysts. One common thread that emerged was the difficulty of preventing the delivery of APT malware to systems and quickly detecting the attack once the malware was active. Learn More:
http://www.sans.org/info/139870
***************************************************************************
TRAINING UPDATE

- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Attacks on US Energy Sector Websites Bear Similarities to May Attack on Labor Dept. Site Looking For Nuclear Energy Workers (September 20, 2013)

A recent spate of malware infections affecting visitors to energy sector websites may have ties to a watering-hole attack on a Labor Department website earlier this year. That attack, which occurred in May, focused on a particular web page that was likely to draw visitors who are former Energy Department nuclear personnel. Both attacks used nearly identical versions of an exploit for an Internet Explorer (IE) flaw.
-http://www.nextgov.com/cybersecurity/2013/09/energy-industry-website-hacks-resem
ble-compromises-labor-site-nuclear-workers/70630/?oref=ng-HPtopstory

US Dept. of Energy Spending $30 Million on Critical Infrastructure Security (September 20 & 23, 2013)

The US Department of Energy has awarded US $30 million to 11 vendors for projects aimed at protecting the country's power grid and oil and gas infrastructure from cyberattacks. Currently, all measures to harden these networks are voluntary. A report drawn from a survey sent by US legislators to utility companies earlier this year showed that at some organizations, cyberattacks are constant or frequent. The survey garnered 112 responses, and many of the organizations evaded direct answers to questions about damages from cyberattacks or the number of attacks detected.
-http://www.computerworld.com/s/article/9242544/Energy_Department_spends_30M_to_b
olster_utility_cybersecurity_tools?taxonomyId=17
-http://www.informationweek.com/government/security/energy-dept-invests-30-millio
n-in-utilit/240161651
[Editor's Note (Pescatore): These awards, and $20M in funding the DoE announced in February 2013, seem to largely be in areas where wide choices of commercial off the shelf security products and services already exist. I think I'd rather see $50M go directly to security managers at the critical infrastructure operators to close known vulnerabilities using known proven solutions, a la the Critical Security Controls.
(Assante): Research and development projects to enhance energy control system security is encouraging, but they fall short of demonstrating workable solutions that are attractive enough to warrant investment for broad scale deployment. What are the most urgent and prioritized challenges and where do we focus our collective efforts? Answers to these questions could fuel a multi-year program from design to demonstration. ]

Unpatched IE Flaw Exploited in Attacks on Japanese Websites (September 23, 2013) Attackers have exploited an unpatched vulnerability

in Internet Explorer (IE) to launch watering hole attacks against visitors to popular websites in Japan. The targeted systems range from government to technology to manufacturing. "Increased evidence of exploits in the wild" prompted the Internet Storm Center to raise its threat level to "Yellow" over the weekend.
-https://isc.sans.edu/diary/Threat+Level+Yellow%3A+Protection+recommendations+reg
arding+Internet+Explorer+exploits+in+the+wild/16634
-http://www.scmagazine.com/hackers-leveraging-ie-zero-day-used-watering-hole-atta
cks-to-compromise-users/article/313075/
-http://threatpost.com/compromised-japanese-media-sites-serving-exploits-for-late
st-ie-zero-day
-http://www.computerworld.com/s/article/9242570/Security_org_raises_Internet_thre
at_level_after_seeing_expanded_IE_attacks?taxonomyId=17

US Defense Department to Consolidate Networks into Joint Information Environment (September 20, 2013)

The US Defense Department's (DOD's) plans to consolidate 15,000 networks into a single "joint information environment," or JIE. The change is expected not only to reduce costs by eliminating redundant systems, but also to improve network security, guarding against leaks like those carried out by Manning and Snowden. In addition, the consolidated network will be easier to defend against attacks.
-http://www.computerworld.com/s/article/9242542/Experts_praise_Pentagon_s_march_t
o_security_standards?taxonomyId=17
-http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?List=7c996cd7-
cbb4-4018-baf8-8825eada7aa2&ID=1267
[Editor's Note (Pescatore): Putting your eggs in fewer baskets is a good thing - as long as you *really*, *really* watch those baskets. However, networks are not easy to consolidate. The US Federal government launched the Trusted Internet Connection program back in 2007 to reduce over 4300 Internet connections from federal systems down to a goal of less than 100 connections. As of 2010 (the latest report I've seen), the number of connections was below 1800, well short of the goal after three years. ]

---

*************************** Sponsored Links: ******************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/139875

2) What Works in Advanced Threat Protection: Blocking Complex Malware Threats at Boston Financial, Featuring John Pescatore and Mike Rizzo. Wednesday, September 25 at 1:00 PM EDT. http://www.sans.org/info/139880

3) Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA. The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/info/139885
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Spain Approves More Stringent Anti-Piracy Law (September 20, 2013)

Spanish Legislators have approved new anti-piracy laws that punish even those who link to pirated content for either "direct or indirect profit." People found guilty of piracy could face up to six years in prison for aggravated circumstances.
-http://arstechnica.com/tech-policy/2013/09/spain-passes-new-anti-piracy-laws-rai
ses-maximum-penalty-to-six-years/

Grace Period Ends for Updated HIPAA Rule Compliance (September 23, 2013)

As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules' security and privacy measures, and new restrictions on covered entities' marketing and sale of personal health information.
-http://www.scmagazine.com/compliance-deadline-on-hipaa-rules-brings-expanded-res
ponsibilities-for-third-parties-handling-data/article/313079/

MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools (September 23, 2013)

The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California's elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications forms among its board members. A draft of the program suggests that using other people's works without permission is worse than copying someone's answers on a test. Those helping to develop the curriculum stress that it is still in draft form.
-http://www.wired.com/threatlevel/2013/09/mpaa-school-propaganda/

Some Arrested in Barclays Heist Linked to Attempted Theft from Santander Bank (September 20 & 23, 2013)

The people arrested last week in connection with an attack on a branch of Barclays Bank allegedly used the same technique employed by a group arrested the previous week for an attempted attack on Santander bank. One of the people involved allegedly portrayed himself as an IT engineer, telling people at the branch that he was there to fix computers. When he had access to the machines, he placed a KVM switch on a router there. Some of the people arrested in connection with the Barclay's heist are also being charged in connection with the Santander case. Barclays has recovered a "significant amount" of the GBP 1.3 million (US $2.1 million) stolen as a result of the attack.
-http://www.computerworld.com.sg/resource/security/gang-exploits-both-physical-an
d-system-security-during-bank-robbery/?page=1
-http://www.v3.co.uk/v3-uk/news/2295899/met-police-cyber-unit-arrest-gang-behind-
gbp13m-hit-on-barclays-computer-system
-http://www.bloomberg.com/news/2013-09-20/barclays-cybercrime-suspects-arrested-o
ver-2-1-million-theft.html
-http://www.scmagazine.com/kvm-device-used-in-widening-plot-to-steal-from-london-
banks/article/312768/
Editor's Note (Ullrich): Great reminder to not forget about physical security to offices. Large corporations like the banks involved tend to struggle with sufficient access control to buildings (while still maintaining efficient operations.) ]

20 Percent of Cybersecurity Positions at DHS Directorate Remain Unfilled (September 20, 2013)

According to the US's Government Accountability Office (GAO), the Department of Homeland Security's (DHS's) National Protection and Programs Directorate's Office of Cybersecurity and Communications, has more than a 20 percent vacancy rate for jobs. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries, and the fact that there are not clearly defined skills sets for cybersecurity positions.
-http://www.govinfosecurity.com/dhss-huge-cybersecurity-skills-shortage-a-6080
[Editor's Note (Murray): The clearance is a "Catch 22." One cannot qualify for the job without it and cannot get it without the job. It is expensive and someone must pay. Government contractors make it their stock-in-trade. Moreover, it is an inefficient substitute for supervision.
(Shpantzer): A note on the clearance issue, from someone with experience in the matter. This is hardly a unique experience:
-http://www.washingtonpost.com/opinions/the-wrong-way-to-conduct-security-clearan
ces/2013/02/20/2d0d1e2c-7554-11e2-aa12-e6cf1d31106b_story.html]

California Governor Approves Online "Eraser Button" (September 23, 2013)

California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an "eraser button." The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites' servers.
-http://news.cnet.com/8301-1009_3-57604301-83/california-gives-teens-an-eraser-bu
tton-to-hide-online-skeletons/
[Editor's Note (Murray): However well intentioned, implementation of this law is likely to require magic.
(Pescatore): I guess there is long precedence for youthful law offenders having their convictions expunged from legal records if they have no additional offenses. But, even though the scope is limited and some terms are optional, this seems like an enormous unfunded mandate on every business judged to be "geared towards minors."
(Ullrich): This feature was by far the top request in a recent privacy study (see
-http://www.theheartlandvoice.com/wp-content/uploads/2013/06/HeartlandMonitorPoll
.pdf).
However, it goes very much against everything you learn if you are managing an information system (Backups, disaster recovery...). This will be very hard to implement in many cases. ]

FBI Warns of Beta Bot Financial Data-Stealing Malware (September 20, 2013)

The FBI's Internet Crime Complaint Center (IC3) has issued a warning about a botnet called Beta Bot that is capable of disabling antivirus software and blocking access to security websites. Beta Bot steals login credentials and financial information from financial institutions, online shopping sites and payment platforms, and social networking sites. It spreads by pretending to be a message from Microsoft Windows seeking permission to let the "Windows Command Processor" modify the users' computer settings. Beta Bot has also spread through USB drives and Skype.
-http://www.v3.co.uk/v3-uk/news/2295970/fbi-warns-of-bank-robbing-beta-bot-malwar
e-that-disables-antivirus

Cyberespionage Campaign Focused on Drone Technology (September 20, 2013)

Hackers based in China appear to have been targeting data about military drone technology for nearly two years. The hackers targeted numerous foreign defense contractors in their pursuit of information. (Please note that The New York Times requires a paid subscription.)
-http://www.nytimes.com/2013/09/21/world/asia/hacking-us-secrets-china-pushes-for
-drones.html?pagewanted=all&_r=0

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/