SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #51

June 27, 2014

TOP OF THE NEWS

Havex Malware Targets SCADA Systems
German Government Will Not Renew Verizon Contract
US Supreme Court Says Warrants Required for Cell Phone Searches

THE REST OF THE WEEK'S NEWS

Hospital Networks Leaking Data
High School Student Facing Charges for Changing Grades and Attendance Records
WordPress Vulnerability
Luuuk Bank Theft Scheme Used Man-in-the-Browser Attack
Massachusetts Court Says Man Can be Compelled to Decrypt Computers
Most Servers Vulnerable to NTP Amplification Attacks Have Been Patched
Law Enforcement Using Spyware for Mobile Device Surveillance
Guilty Plea in Computer Intrusions and Data Theft
Microsoft's Interflow Aims to Facilitate Security and Threat Information Sharing
Study Shows Benefits of CISO Reporting to CEO

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************** Sponsored By Bit9 + Carbon Black ********************
Learn the shocking truth about what's running on your endpoints. Let us install Carbon Black for free - on at least 150 machines - for two weeks and we guarantee we will find something that will shock you!
http://www.sans.org/info/162557
***************************************************************************
TRAINING UPDATE


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Havex Malware Targets SCADA Systems (June 23, 24, & 26, 2014)

A report from F-Secure says that attackers intent on infiltrating industrial control systems are breaking into websites of companies that provide software to those organizations and planting a remote access Trojan known as Havex in their installation files. The organizations running the industrial control systems then download the poisoned software, which gives the attackers a foothold in their systems. The attack has been detected on the websites of three northern European companies, two of which provide remote management software.
-http://arstechnica.com/security/2014/06/attackers-poison-legitimate-apps-to-infe
ct-sensitive-industrial-control-systems/
-http://www.darkreading.com/as-stuxnet-anniversary-approaches-new-scada-attack-is
-discovered/d/d-id/1278881?
-http://www.computerworld.com/s/article/9249327/New_Havex_malware_variants_target
_industrial_control_system_SCADA_users?taxonomyId=17
-http://www.theregister.co.uk/2014/06/26/industrial_control_trojan/
-http://www.f-secure.com/weblog/archives/00002718.html
[Editor's Note (Assante): The addition of an OPC exploit module to the Havex Trojan and observed delivery tactic of watering-holes using ICS supply chain related websites, exemplifies the newest chapter in the book of ICS cyber threats. The impact of the OPC exploit is two-fold - 1) targeting OPC gives the attackers a wide swath as it is a common solution designed to exchange data between diverse control systems, and 2) it allows attackers to gather the necessary information on connected ICS devices to select appropriate payloads and perform a successful follow-on attack. This form of directed attack raises the importance of ICS defenders deploying improved defenses and gaining the necessary knowledge and skills to respond effectively.
(Murray): The issue here is "supply chain management," not SCADA.
(McBride): What is most interesting to me is that the malware essentially loads up an OPC client. As OPC is widely used to "translate" control protocols to standard (yet arguably antiquated) Microsoft technology. This is an intelligent way an adversary could ask (in their own tongue): "do I haz SCADA?" I think that it's likely that more future malware will include SCADA/ICS identification functionality as a way of classifying compromises. ]

German Government Will Not Renew Verizon Contract (June 26, 2014)

Germany's government is ending its contract with Verizon over concerns that the company could be allowing US intelligence to eavesdrop on communications. An Interior Ministry spokesperson said that Germany wants to have complete control over sensitive government networks. The Verizon contract is set to expire in 2015.
-http://www.theregister.co.uk/2014/06/26/germany_boots_verizon/
-http://www.zdnet.com/germany-ends-verizon-contract-7000030988/
[Editor's Note (Pescatore): Germany is not the only country moving in this direction, but of course we have no reason to believe Deutsche Telecom has any fewer skeletons in its closet than does Verizon. Trade wars and protectionism rarely stand the test of time, but almost always have short term negative impacts.
(Honan): We are starting to see the real world impact on technology companies resulting from the Edward Snowden allegations of mass surveillance by the US government. Verizon stated "The US Government cannot compel us to produce our customers' data stored in data centres outside the US, and if it attempts to do so, we would challenge that attempt in a court." However, Microsoft are currently appealing a court decision (
-http://www.zdnet.com/apple-cisco-back-microsoft-in-fight-against-global-email-wa
rrant-7000030562/)
compelling them to surrender data held on a server in their Dublin datacentre. The outcome of that appeal will have major implications for US tech companies and in particular cloud service providers.
(Murray): AT&T and Verizon are learning the hard way what every international enterprise should know. Except in war, its duty to the country in which it does business trumps that to the country in which it is chartered. The habit of easy cooperation with the US government, that grew up when they were a state chartered monopoly, is no longer appropriate. ]

US Supreme Court Says Warrants Required for Cell Phone Searches (June 25, 2014)

The US Supreme Court has ruled that law enforcement officers must have a warrant to search cell phones belonging to people they arrest. The ruling makes exceptions for emergencies, such as suspected bomb plots and child abductions. The ruling overturns two convictions, one in Massachusetts and one in California.
-http://www.wired.com/2014/06/supreme-court-rules-cops-cant-search-cell-phones-wi
thout-a-warrant/
-http://arstechnica.com/tech-policy/2014/06/cops-must-have-a-warrant-to-search-ce
ll-phones-rules-supreme-court/
-http://www.bbc.com/news/world-us-canada-28022785
[Editor's Note (Pescatore): This is consistent with past rulings and US societal norms. Not really that big an obstacle to legal search and seizures. ]

---

************************** Sponsored Links: ******************************
1) In case you missed it: More web traffic, more problems. How CARFAX consolidated security concerns, saved money and grew their business Thursday, June 26 at 1:00 PM EDT (17:00:00 UTC) John Pescatore, Chris Thomas and Preston Hogue. http://www.sans.org/info/162562

2) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. http://www.sans.org/info/159487

3) Provide input to the Critical Security Controls Survey and enter to win iPad! Tell us your wins, misses and wish lists with the CSCs here: http://www.sans.org/info/162567. At the end of the survey, sign up for the paper and results webcast airing on September 9: http://www.sans.org/info/162000
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Hospital Networks Leaking Data (June 25, 2014)

Researchers have found that hospital networks are leaking information to the Internet. In some instances, the leaked data include lists of all computers and devices on a hospital's internal network. In every case, the leakage problem could be traced to an Internet connected computer that was improperly configured. Attackers could potentially identify vulnerable systems because network administrators have enabled Server Message Block (SMB) in a configuration that makes the data externally accessible. These computers were often found to be running Windows XP.
-http://www.wired.com/2014/06/hospital-networks-leaking-data/
[Editor's Note (Murray): I do not see how calling it "research" or even producing useful results can make this kind of activity legal.
(Pescatore): Hospital IT admins are part of the problem. The medical application and machinery manufacturers are at least as big a factor - devices and apps are sold requiring vulnerable configurations, the vendors never patch, etc. ]

High School Student Facing Charges for Changing Grades and Attendance Records (June 26, 2014)

A New Jersey high school student has been charged with unlawful access of a computer system and altering data for allegedly gaining access to the school district's computer system and changing grades and attendance data for more than 30 students. He allegedly accessed the system with a teacher's login credentials.
-http://www.scmagazine.com/new-jersey-teen-charged-after-altering-students-grades
-and-attendance-records/article/358103/
-http://newjersey.news12.com/news/student-charged-with-hacking-computer-changing-
grades-1.8541070

WordPress Vulnerability (June 26, 2014)

A vulnerability in the WebShot feature of the TimThumb image resizing plug-in on WordPress could be exploited to execute code. The WebShot feature lets the tool take screenshots of websites. Users can protect their sites by disabling the WebShot feature of TimThumb. The plug-in is disabled by default, but can become automatically enabled by certain themes and plug-ins.
-http://www.scmagazine.com/rce-vulnerability-in-timthumbs-webshot-feature-puts-wo
rdpress-users-at-risk/article/358095/
-http://arstechnica.com/security/2014/06/running-wordpress-got-webshot-enabled-tu
rn-it-off-or-youre-toast/

Luuuk Bank Theft Scheme Used Man-in-the-Browser Attack (June 25 & 26, 2014)

A bank theft scheme dubbed Luuuk stole 500,000 euros (US $681,000) from 190 account holders at an unnamed European bank in just one week. The thieves used a man-in-the-browser attack to steal account credentials and transferred stolen funds into accounts controlled by money mules. The thieves likely took advantage of one-time passcodes and skimmed the money at the same time that the legitimate customers were conducting online transactions. Luuuk targeted people in Italy and Turkey. The scheme was discovered in January 2014 when Kaspersky Lab found a command-and-control server for malware used to conduct man-in-the-browser attacks. Within days it had been wiped and shut down.
-http://www.darkreading.com/luuuk-stole-half-million-euros-in-one-week/d/d-id/127
8845?
-http://www.theregister.co.uk/2014/06/26/half_a_imeellioni_euros_stolen_in_weeklo
ng_bank_smash_n_grab/
-http://www.v3.co.uk/v3-uk/news/2351946/luuuk-hack-campaign-steals-eur500-000-in-
one-week-from-european-bank
-http://www.zdnet.com/luuuk-trojan-snatches-500000-from-european-bank-in-one-week
-7000030914/
-http://www.computerworld.com/s/article/9249390/_39_Luuuk_39_banking_malware_may_
have_stolen_682K_in_a_week?taxonomyId=17
-http://www.computerweekly.com/news/2240223299/Cyber-thieves-tap-over-500000-from
-European-bank
[Editor's Note (Murray): The use of one time passwords is not a "silver bullet." In order to effectively resist electronic account takeover, OTPs must be combined with out-of-band transaction confirmations and appropriate back-office controls. However, OTPs do raise the cost of attack and narrow the window of vulnerability. They are an essential control. ]

Massachusetts Court Says Man Can be Compelled to Decrypt Computers (June 25, 2014)

The Massachusetts Supreme Judicial Court has ruled that a man suspected of mortgage fraud can be ordered to decrypt computers seized from his possession. According to the court, the defendant, Leon Gelfgatt, admitted to police that he owned the computers and that he could decrypt them. The court ruled that this information means that decrypting the devices would not reveal anything new to authorities.
-http://arstechnica.com/tech-policy/2014/06/massachusetts-high-court-orders-suspe
ct-to-decrypt-his-computers/
-https://www.documentcloud.org/documents/1209519-commonwealth-vs-gelfgatt.html
[Editor's Note (Murray): One cannot be compelled to make a record. However, having made one, one may not legitimately hide it from a court. Neither mixing it with other records or encrypting it will work.
(Pescatore): This is also consistent with past rulings about suspects being required to provide the combination to a safe or the key to a lock. Not really any major loss in privacy. ]

Most Servers Vulnerable to NTP Amplification Attacks Have Been Patched (June 25, 2014)

A push to patch a vulnerability in Network Time Protocol (NTP) servers appears to have been successful; in December 2013, the number of vulnerable servers was estimated to be 432,120, and as of May 2014, the number is 17,647. The flaw can be exploited to launch amplified distributed denial-of-service (DDoS) attacks.
-http://searchsecurity.techtarget.com/news/2240223342/Enterprises-fix-NTP-amplifi
cation-but-many-DDoS-techniques-remain
-http://www.theregister.co.uk/2014/06/25/sysadmins_rejoice_patch_rampage_killing_
off_nasty_ddos_attack_vector/

Law Enforcement Agencies Using Spyware for Mobile Device Surveillance (June 24 & 25, 2014)

Researchers have uncovered a mobile spyware product known as Remote Control System (RCS), which is being sold by an Italian company to police around the world. RCS can intercept and record communications from devices running Android, iOS, Windows Mobile, Symbian, and BlackBerry operating systems. There are at least 320 command-and-control servers for RCS in more than 40 countries.
-http://www.computerworld.com/s/article/9249352/Police_turning_to_mobile_malware_
for_monitoring?taxonomyId=17
-http://www.theregister.co.uk/2014/06/24/researchers_uncover_massive_mobile_malwa
re_network_and_its_totally_legal/
-http://www.usatoday.com/story/tech/2014/06/25/police-hacking-methods/11348497/
Editor's Note (Northcutt): Hmmm, unless they have a warrant this seems to fly in the face of the unanimous Supreme Court ruling on cell phones. Having said that I know someone is going to write and tell me this is pre-arrest and the ruling is post-arrest:
-http://online.wsj.com/articles/high-court-police-usually-need-warrants-for-cell-
phone-data-1403706571
-http://www.foxnews.com/politics/2014/06/25/supreme-court-limits-cellphone-search
es-after-arrests/
(Murray): One should not draw any conclusions from this report without reading the ones on which it is based. This software is not really so powerful as one might conclude from this report. ]

Guilty Plea in Computer Intrusions and Data Theft (June 23 & 24, 2014)

Cameron Lacroix has pleaded guilty to breaking into computer networks of several law enforcement agencies and a college. Lacroix stole data from law enforcement agencies and changed information in academic records.
-http://www.scmagazine.com/massachusetts-man-pleads-guilty-to-computer-hacking-pa
yment-card-theft/article/357649/
-http://www.fbi.gov/boston/press-releases/2014/massachusetts-man-pleads-guilty-to
-computer-hacking-and-credit-card-theft

Microsoft's Interflow Aims to Facilitate Security and Threat Information Sharing (June 23 & 24, 2014)

Microsoft plans to release a platform that will help analysts and researchers share information about security and threats. Known as Interflow, the Azure-based platform "uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industry and groups in near real-time." The distributed system will allow users to form communities, and decide what information to bring to that community and with whom that information will be shared.
-http://www.theregister.co.uk/2014/06/24/microsoft_brings_own_security_info_excha
nge_to_the_world/
-http://www.darkreading.com/analytics/threat-intelligence/microsoft-unveils-new-i
ntelligence-sharing-platform/d/d-id/1278781

Study Shows Benefits of CISO Reporting to CEO (June 20, 2014)

CSO Online Publisher Bob Bragdon cites findings of the 2014 Global State of Information Security Survey that support the idea that the CISO should report directly to the CEO. Organizations in which the CISO reported to the CIO had 14 percent more downtime than those in which the CISO reported to the CEO. Companies in which the CISO reported to the CIO had higher financial losses. "In fact, having the CISO report to almost any other position in senior management other than the CIO reduced losses from cyber incidents." The study gathered information from more than 9,000 respondents.
-http://www.csoonline.com/article/2365827/security-leadership/maybe-it-really-doe
s-matter-who-the-ciso-reports-to.html
[In the June 17 Newsbites, we ran a story about concerns that Target's new CISO reports to the company's CIO rather than its CEO. The story generated lively discussion among Newsbites editors.
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=16&issue=48]


[Editor's Note (Pescatore): When I downloaded that report from the PwC website, I saw no numbers such as those quoted. In fact, that survey had CEO's listed as one of the highest rated *obstacles* to improving security, while CIOs were the *lowest* rated obstacle! The survey did show better results from what it called "security leaders" who *did* have the CISO report to other than the CIO, but who *also* "Have an overall information security strategy; Have measured and reviewed the effectiveness of security within the past year; Understand exactly what type of security events have occurred in the past year" - in my experience, those three factors are way more important than the reporting. If CSO Magazine or PwC would like to forward me the entire report with showing the data cut by where the CISO reports, I will gladly take a look and comment here or on my SANS blog at
-http://www.sans.org/security-trends]

---

STORM CENTER TECH CORNER

Looking for packet from 116.177.0.0/16
-https://isc.sans.edu/forums/diary/Call+for+packets+-+Traffic+from+116+177+0+0+16
/18311

Windows Releases Patch for Windows Update
-http://support.microsoft.com/kb/2887535

German Court Convicts 5 Individuals over DDoS Extortion Scheme
-http://www.heise.de/security/meldung/Bewaehrungsstrafen-wegen-Erpressung-von-Onl
ine-Shops-2240348.html

Future Android Security Patches May be Available via Google Play
-http://www.androidheadlines.com/2014/06/google-focuses-security-android-l-releas
e-updated-google-play-services.html

Mobile Paypal Apps can be Tricked to Ignore 2FA
-http://threatpost.com/flaw-lets-attackers-bypass-paypal-two-factor-authenticatio
n/106852

Soccer World Cup Security Team Publishes WiFi Password by Mistake
-http://www.theregister.co.uk/2014/06/25/brace_yourselves_brazil_dill_in_world_cu
p_wifi_spill/

NYC Taxi Commission releases insufficiently anonymized trip data
-https://medium.com/@vijayp/f6bc289679a1

McAfee Threat Report Shows Diminishing Returns on Bitcoin Mining Bots
-http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014.pdf

Barclays Bank Rolling Out Voice Recognition
-https://wealth.barclays.com/en_gb/internationalwealth/manage-your-money/banking-
on-the-power-of-speech.html

Kapsersky Analyzes Government Malware
-http://usa.kaspersky.com/about-us/press-center/press-releases/kaspersky-lab-disc
overs-new-android-and-ios-mobile-malware-maps

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/