SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #44

June 03, 2014

TOP OF THE NEWS

Study Finds Major Utilities Have Fewer Security Incidents Than Other Sectors
Authorities Disrupt Gameover and CryptoLocker Command and Control Systems
Government Agencies Need to Improve Incident Response

THE REST OF THE WEEK'S NEWS

Monsanto Breach Affects 1,300 Customers and Employees
Alleged Gameover and CryptoLocker Ringleader Indicted
WordPress Extension Flaws
Pirate Bay Founder Arrested
More Companies Seeking CISOs
Google Tightening Add-on Restrictions in Chrome
TrueCrypt Shutdown Still a Mystery; Audit Will Go On
British Shoe Store Website Breached

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Bit9 *****************************
The Convergence of Security and Compliance: Do security and compliance gaps affect your organization? Learn how to provide visibility, detection, response and protection - all while automating and managing compliance! Close security gaps and ensure the security of your servers and endpoints today. Download The White Paper! http://www.sans.org/info/160665
Download the eBook: http://www.sans.org/info/160525
***************************************************************************
TRAINING UPDATE


--Digital Forensics Incident Response Summit Austin, TX June 3-10, 2014 8 courses. Bonus evening presentations include Extracting User Credentials Using Memory Forensics, and Dealing with Persistent Smartphone Forensic Challenges.
http://www.sans.org/event/dfir-summit-2014


--SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- - --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- - --Looking for training in your own community?
http://www.sans.org/community/


- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Study Finds Major Utilities Have Fewer Security Incidents Than Other Sectors (May 29, 2014)

A new study indicates that major utilities are among the more secure components of critical infrastructure. Utilities ran second to the financial industry in BitSight Technologies' security index, which examines the security performances of the financial, utility, retail, and healthcare sectors. Of the companies included in the study, 82 percent experienced a security incident between April 1, 2013 and March 31, 2014.
-http://www.darkreading.com/vulnerabilities---threats/large-electric-utilities-ea
rn-high-security-scores/d/d-id/1269299?
[Editor's Note (Assante): I like to see good news and do believe larger utilities have been making needed investments in cyber security. Those investments have included market available solutions for enterprise IT networks. But, I would not make a broad statements that utilities are 'more secure' based on an index that measures the time to remove and remediate botnet activity. The security threats utilities worry about are not the ones that set up shop and bang away noisily over the Internet. The headline here should read "utilities catch up to yesterday's unstructured - non-directed cyber threats".
(Weatherford): We need to be careful about reading too much into this without understanding the data, and we certainly don't want to declare victory, but this is welcome information. Many large electric utilities have been making significant investments in security technology and security talent. Much of this investment is the result of NERC's Critical Infrastructure Protection (CIP) standards - which aren't perfect - but have provided the necessary sense of urgency for the industry. What we really need is the SCADA/ICS vendor community to get more aggressive about security. Still a long way to go and we can't take our foot off the gas, but this is good news
(Ullrich): Given that 82% is awfully close to 100%, I suggest that the headline might better read that 18% of companies didn't have sufficient detection capability in place to detect simple, wide spread infections like Zeus, ZeroAccess and Cutwail. None of the malware mentioned in the article is particularly targeted, indicating that these companies don't have controls in place to block well known threats and are likely to be dead in the water when it comes to any kind of targeted threat. ]

Authorities Disrupt Gameover and CryptoLocker Command and Control Systems (June 2, 2014)

Authorities in the UK and the US have warned that people have about two weeks to take steps to protect their systems from a variant of Zeus known as Gameover and ransomware called Cryptolocker. The command and control systems for the malware have been temporarily disrupted thanks to law enforcement. Authorities say that it will be about two weeks before the criminals get the systems operational once again. The shut down of the command and control servers was a joint effort between the US Justice Department (DOJ), the UK's National Crime Agency, and Europol, as well as several security companies and university researchers.
-http://www.nextgov.com/cybersecurity/2014/06/feds-free-thousands-computers-hacke
rs/85639/?oref=ng-channeltopstory
-http://www.zdnet.com/gameover-zeus-botnet-seized-two-week-window-to-protect-your
self-say-authorities-7000030110/
-http://arstechnica.com/tech-policy/2014/06/governments-disrupt-botnet-gameover-z
eus-and-ransomware-cryptolocker/
-http://www.nbcnews.com/tech/security/global-police-crack-down-gameover-zeus-cybe
rcrime-botnet-n120581
-http://www.theregister.co.uk/2014/06/02/nca_gameoverzeus_cryptolocker_warning/
-http://www.computerworld.com/s/article/9248755/U.S._foreign_agents_disrupt_Gamov
er_Zeus_botnet?taxonomyId=17
-http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-
cryptolocker-scourge/
[Editor's Note (Honan): Kudos to everyone involved in this disruption. While it may be a temporary respite it does send a message to criminals that they are not untouchable. Hopefully this will be a template that can be used again for cooperation between law enforcement agencies in different countries and with private industry. For those wishing to check if their machines are infected the US CERT has links to removal tools at
-https://www.us-cert.gov/ncas/alerts/TA14-150A
There is also a free service set up by Anti-Botnet Advisory Centre established by the Association of German Internet Industry at
-https://www.botfrei.de/en/index.html]

Government Agencies Need to Improve Incident Response (May 30 & June 2, 2014)

According to a report from the US Government Accountability Office (GAO), "twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents." The report, Information Security: Agencies Need to Improve Cyber Incident Response Practices, also noted that agencies did not have adequate evidence of what they did to respond to incidents about two-thirds of the time. Many federal agencies would like the Department of Homeland Security (DHS) to enhance the help it offers in managing cyber incidents. Agencies also said that they would like DHS to establish realistic timeframes for reporting incidents, and that incident categories need to be updated because classification attributes are not unique to each category.
-http://www.govinfosecurity.com/agencies-seek-better-dhs-incident-response-aid-a-
6896
-http://www.nextgov.com/cybersecurity/2014/05/gao-agencies-cant-always-prove-they
-respond-breaches/85537/?oref=ng-channeltopstory
-http://www.gao.gov/assets/670/662901.pdf
[Editor's Note (Northcutt): I would go directly to the GAO .pdf link above. All in all it seems well researched and well balanced. A lot of it is a rehash of NIST SP 800-61. That is not so bad, but since they do not provide detailed implementation guidance, building an actionable report to Congress from it is difficult. Metrics for measuring effectiveness begin on page 20. I will be dead and buried before everyone agrees what the right metrics are, but any reasonable metrics make it possible to measure whether progress is being made.
(Honan): Excellent report. Also have a look at the excellent resources for CERT/CSIRTs which is maintained by the European Network and Information Security Agency (ENISA) at
-http://www.enisa.europa.eu/activities/cert/support]

---

************************** Sponsored Links: ******************************
1) Complimentary eBook: "Incident Response with NetFlow for Dummies". Download now. http://www.sans.org/info/160670">http://www.sans.org/info/160670

2) Provide input to the Critical Security Controls! Tell us your wins, misses and wish lists with the CSCs in this quick survey: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9 webcast link: http://www.sans.org/info/160675">http://www.sans.org/info/160675

3) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II to learn how the early adopters in government are using CDM to increase security. August 1, 2014 in Washington, DC. http://www.sans
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Monsanto Breach Affects 1,300 Customers and Employees (May 29 & June 2, 2014)

Agricultural giant Monsanto has acknowledged a data breach that compromised the security of names, addresses, tax information and payment card details of 1,300 customers and employees. The incident occurred in March 2014 and affected the company's Precision Planting unit, which makes specialized farming equipment.
-http://www.theregister.co.uk/2014/06/02/seedy_hacker_steals_1300_monsanto_client
_and_staff_records/
-http://www.bloomberg.com/news/2014-05-29/monsanto-data-security-breached-at-prec
ision-planting.html

Alleged Gameover and CryptoLocker Ringleader Indicted (June 2, 2014)

US authorities say that Evgeniy Bogachev is the ringleader of a global malware scheme that stole more than US $100 million from business and personal bank accounts with a ZeuS variant known as Gameover. Bogachev is also believed to be responsible for ransomware known as CryptoLocker, which has infected nearly a quarter of a million computers. Bogachev has been charged with conspiracy; wire, bank, and computer fraud; and money laundering.
-http://www.scmagazine.com/intl-crackdown-on-gameover-botnet-results-in-criminal-
charges/article/349638/
-http://thehill.com/policy/technology/207923-feds-go-after-russian-ukrainian-hack
ers-that-stole-millions
-http://www.cbsnews.com/news/european-bank-hackers-stole-100-million-u-s-says/

WordPress Extension Flaws (June 2, 2014)

Security flaws in a popular WordPress extension leave unpatched websites vulnerable to attacks. There is an update available for the All in One SEO Pack that fixes the flaws; administrators are urged to upgrade to version 2.1.6. The privilege elevation flaws could be exploited to change the administrative password and place backdoor code on websites. Attackers would require only an unprivileged account on the site, such as one that allows them to post reader comments.
-http://arstechnica.com/security/2014/06/bugs-in-widely-used-wordpress-plugin-lea
ve-sites-vulnerable-to-hijacking/
-http://www.scmagazine.com/vulnerabilities-discovered-in-popular-wordpress-plugin
/article/349621/

Pirate Bay Founder Arrested (May 31 & June 2, 2014)

Peter Sunde, one of the founders of The Pirate Bay, has been arrested in Sweden. He was sentenced to eight months in prison for violations of copyright laws. Sunde was convicted in 2009 and was supposed to begin his sentence in 2012, but he never showed up at the facility.
-http://www.bbc.com/news/technology-27663839
-http://arstechnica.com/tech-policy/2014/05/pirate-bay-co-founder-peter-sunde-arr
ested-in-sweden/

More Companies Seeking CISOs (May 30, 2014)

Following the recent eBay and target breaches, major US companies are seeking chief information security officers (CISOs); some are offering substantial salaries for the position. In most companies, the CISO reports to the CIO, but some organizations appear to be considering making the CISO a position on equal footing with the CIO. A recent survey of executives found that just 28 percent of the 500 who responded said their organizations had a CISO or chief security officer. Following the Target breach, the company fired its CEO and the CIO resigned. Target is currently seeking a CISO.
-http://www.v3.co.uk/v3-uk/news/2347566/enterprise-firms-rushing-to-recruit-cisos
-to-avoid-becoming-the-next-ebay
-http://www.reuters.com/article/2014/05/30/us-usa-companies-cybersecurity-exclusi
ve-idUSKBN0EA0BX20140530
[Editor's Note (Ullrich): All enterprises are at their core "data driven". Without the ability to protect customer data, and protect the data they rely on to make business decisions, they don't have a business. Information security can effortlessly align with business needs once this is understood. It looks like companies finally understand this and see information security as an important enabler to move forward. The next challenge they will face is finding the right people to fill these vacancies.
(Murray): One of the qualifications for the job is being just wise enough not to take it. This is often a job without authority commensurate with the accountability, a formula for failure. ]

Google Tightening Add-on Restrictions in Chrome (May 30, 2014)

Google is cracking down on security for its Chrome browser, disabling the majority of add-ons that did not come from its app store, and banning plug-ins based on the outdated NPAPI standard. The changes affect only Windows versions of Chrome.
-http://www.computerworld.com/s/article/9248712/Google_pulls_trigger_cripples_som
e_Chrome_add_ons?taxonomyId=17

TrueCrypt Shutdown Still a Mystery; Audit Will Go On (May 29 & 30, 2014)

When the TrueCrypt open source encryption project shut down last week, possible reasons for its demise made the rounds. The first release of the software made its appearance in February 2004, and since then, has been downloaded about 30 million times. A planned third-party audit of the tool will continue. And in case you're wondering what the experts are doing, Bruce Schneier told The Register that he's switched to PGPDisk.
-http://www.darkreading.com/endpoint/the-mystery-of-the-truecrypt-encryption-soft
ware-shutdown-/d/d-id/1269323?
-http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/
-http://arstechnica.com/security/2014/05/truecrypt-security-audit-presses-on-desp
ite-developers-jumping-ship/

British Shoe Store Website Breached (May 29 & 30, 2014)

UK shoe retailer Office says that intruders breached one of its website's servers and compromised customer names, addresses, emails, and passwords. The company says that no payment card, PayPal, or bank data were affected, and the breach does not affect accounts created after August 2013. Customers are urged to change their account passwords.
-http://www.theregister.co.uk/2014/05/30/office_shoes_breach_passwords_stolen/
-http://www.theguardian.com/technology/2014/may/29/office-shoes-website-hack-pass
words-personal-data
[Editor's Note (Murray): One can understand why a merchant would want to accept multiple forms of payment. One fails to understand when one of those forms is not PayPal. There are now a sufficient number of online merchants that do accept PayPal that it is possible to do business with only those that do. It is ironic that eBay, that owns PayPal, did not recommend it as part of the remedy for its historic fail. PayPal is a remedy for "card not present" fraud for the card brands and issuers and for increasingly frequent merchant breaches for the consumer. ]

---

STORM CENTER TECH CORNER

Gameover Zeus Botnet Takedown
-http://www.justice.gov/opa/gameover-zeus.html

Finding Potential DDoS reflectors inside your network
-https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+DDOS+reflectors/18193

Huawei E303 USB Modem allows attackers to send SMS via CSRF vulnerability
-http://b.fl7.de/2014/05/huawei-e303-sms-vulnerability-CVE-2014-2946.html

Heartbleed over EAP
-http://www.sysvalue.com/en/heartbleed-cupid-wireless/

Comcast Cable Modems
-https://isc.sans.edu/forums/diary/When+was+the+last+time+you+checked+your+Comcas
t+cable+modem+settings+/18189
-http://www.peterlewis.com/2014/05/30/comcastic/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/