3 Days left to Save $400 on SANS DFIR Summit

SANS NewsBites - Volume: XV, Issue: 23


Flash: A logic bomb appears to have triggered multiple outages in South
Korea simultaneously and may have had a very short fuse. This is the
union of the Saudi Aramco attack (causing large scale damage requiring
physical action to repair EACH machine) and attacks against banks, and
it is aimed at a U.S. ally, hinting (but only hinting) at the source.
http://www.wired.com/threatlevel/2013/03/logic-bomb-south-korea-attack/

SAP, the business management software from Oracle, may be an
increasingly popular target of cyber attacks. We are considering adding
an intensive course on security for SAP, but won't do it unless there
is significant demand. If you believe your organization would send
people to such a course (2 days at the front or back of a SANS training
conference), send email (no commitment needed) to SAP@SANS.org.

Alan

*************************************************************************
SANS NewsBites                     March 22, 2013                    Volume: XV, Issue: 23
*************************************************************************
TOP OF THE NEWS

  Major Cyberattack Hits South Korean Banks and Broadcasters
  US Government to Broaden Scope of Internet Traffic Scanning
  Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015
  TeamSpy Cyberespionage Campaign a Decade Old

THE REST OF THE WEEK'S NEWS

  Microsoft Discloses Law Enforcement Data Requests and Number of NSLs Received
  London Police Arrest man in Connection with Online Banking Trojan
  Matthew Keys Denies Giving Hackers Login Credentials for Tribune Servers
  Weak Password Hash Algorithm Implementation in Some Cisco Devices
  Microsoft Says High-Profile Xbox Live Accounts Compromised
  House Committee Passes Bill That Would Give Federal CIOs Budget Authority
  Senators Introduce Bill to Amend ECPA
  Adware Trojan Targets OS X Systems
  FBI Arrests Chinese National US Military Contractor as He Tries to Leave Country
  Miami-Dade County Department of Elections Targeted in Absentee Ballot Request Fraud


************************** SPONSORED BY SANS *******************************
Take the New SANS Survey on the Critical Security Controls and enter to win a new iPad! http://www.sans.org/info/127627
****************************************************************************
TRAINING UPDATE

- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013


- -- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013


- -- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013


- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- Critical Security Controls International Summit London, UK April 26-May 2 2013 Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Major Cyberattack Hits South Korean Banks and Broadcasters (March 20 & 21, 2013)
A major cyberattack hit South Korean banks and broadcasters earlier this week. Two of the country's large banks and three broadcasters were affected, but government systems were not targeted. The malware wiped files from infected computers. Shortly after the attacks, there was speculation that North Korea was responsible, but there has not been positive attribution. James Barnett, former chief of public safety and homeland security for the US Federal Communications Commission (FCC) notes that, "This needs to be a wake-up call. This can happen anywhere." Investigators think that malware may have been spread through servers that send out automatic updates and patches. Symantec researchers say the attack used a Trojan horse program known as Jokra, which can overwrite computers' master boot records and all the data stored there.
-http://www.washingtonpost.com/business/technology/police-investigating-reports-t
hat-computers-of-south-korean-banks-media-paralyzed/2013/03/20/a7366760-9126-11e
2-9173-7f87cda73b49_story.html

-http://www.latimes.com/news/world/worldnow/la-fg-wn-south-korea-cyber-attack-201
30320,0,1356665.story

-http://www.scmagazine.com/south-korean-corporations-hit-by-widespread-attack-tha
t-wiped-data-and-shut-down-systems/article/285315/

-http://www.foreignpolicy.com/articles/2013/03/21/who_is_whois
[Editor's Note (Honan): There are a lot of lessons to be learnt from this incident, not least that attribution is hard. Initial analysis had Korean officials claiming the attacks came from an IP address in China thus focusing the blame on that country. However, further investigation shows " the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code " Given the recent rhetoric about striking back with both cyber and kinetic weapons let's hope this demonstrates we cannot rely on IP addresses alone for identifying and blaming an attack on someone and more measured responses are required. More details at
-http://edition.cnn.com/2013/03/22/world/asia/south-korea-computer-outage/index.h
tml

(Assante): Data erasing overwrites are not new but their use never made much sense as information had value for the attacker. The recent use of these destructive attacks, in scale, demonstrates that cyber has become a political means to send pointed messages and cause harm. There are those willing to loudly assert that they can hold economies and infrastructures at risk. Our response should be simple..."we are not afraid", as we have the practices and technology necessary to blunt these types of attacks. ]


US Government to Broaden Scope of Internet Traffic Scanning (March 21, 2013)
The presidential executive order on cybersecurity issued in February calls for increased scanning of Internet traffic. The scans will be based on classified information provided by US intelligence agencies about emerging and serious cyber espionage and cyber attack threats.
-http://www.reuters.com/article/2013/03/21/net-us-cybersecurity-sharing-idUSBRE92
K11620130321



Cyber Command Will Deploy More than 100 Cyberdefense Teams by End of 2015 (March 19 & 21, 2013)
The US Defense Department's Cyber Command plans to deploy more than 100 military cyberdefense teams by the end of 2015. Most of these teams will focus on protecting military networks, not on attacking systems of adversaries. General Keith Alexander, head of Cyber Command, said last week that by September 2013, 13 cyberwarrior teams will be deployed. These teams will focus on taking action against adversaries' networks to prevent attacks on US critical infrastructure systems.
-http://www.nextgov.com/defense/2013/03/pentagon-plans-deploy-more-100-cyber-team
s-late-2015/61948/?oref=ng-channelriver

-http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/03/military-cyber
-strike-teams-will-soon-guard-private-networks/62010/?oref=ng-HPtopstory



TeamSpy Cyberespionage Campaign a Decade Old (March 21, 2013)
Researchers say they have found evidence of a cyber espionage campaign targeting Eastern Europe and the former Soviet Union, that has been going on for 10 years. The cyberspies installed TeamViewer, a tool usually used to control computers remotely and conduct online meetings, on targeted computers and altered its code to create a backdoor on the systems. Researchers have dubbed the campaign TeamSpy. The group's targets appear to be governments, businesses, and human rights activists. Those behind TeamSpy gathered encryption keys and secret documents.
-http://www.theregister.co.uk/2013/03/21/teamspy_cyber_espionage/
-http://www.computerworld.com/s/article/9237778/TeamViewer_based_cyberespionage_o
peration_targets_activists_researchers_say?taxonomyId=17

-http://arstechnica.com/security/2013/03/decade-old-espionage-malware-found-targe
ting-government-computers/




**************************** Sponsored Link: ******************************
1) Webcast! Meeting the need for speed (and resiliency) in Security Management Systems, Thursday, April 18. http://www.sans.org/info/127632
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft Discloses Law Enforcement Data Requests and Number of NSLs Received (March 21, 2013)
Microsoft has joined Google and Twitter's move toward increased transparency by disclosing data about law enforcement requests for user information. In 2012, Microsoft received 75,378 requests for customer information related to 137,424 accounts or other identifiers. In just over two percent of the requests, Microsoft provided law enforcement agents with content, such as email or photos. In 99 percent of those cases, the recipients of the content were US law enforcement agencies with warrants. In more than 56,000 cases, Microsoft provided non-content data, including user names, email addresses, IP addresses and countries of residence. The majority of the data were provided to law enforcement agencies in the US, the UK, Turkey, Germany, and France. Microsoft has also disclosed ranges of numbers of National Security Letters (NSLs) is has received, along with a range of numbers of identifiers those NSLs covered.
-http://www.computerworld.com/s/article/9237794/Microsoft_details_law_enforcement
_requests_in_new_report?taxonomyId=17

-http://www.wired.com/threatlevel/2013/03/microsoft-nsl-revelation/


London Police Arrest man in Connection with Online Banking Trojan (March 19 & 21, 2013)
Police in London, UK have arrested a man in connection with the Tilon Trojan horse program. The malware was used to conduct bank fraud. Tilon is man-in-the-browser malware, which intercepts information entered on web pages in Internet Explorer, Firefox, Chrome, and possibly other browsers as well. Tilon was designed with detection evasion in mind: it will not install on a virtual machine.
-http://www.theregister.co.uk/2013/03/21/tilon_banking_trojan_arrest/
-http://news.techworld.com/security/3435936/police-arrest-london-man-in-connectio
n-with-tilon-bank-trojan/



Matthew Keys Denies Giving Hackers Login Credentials for Tribune Servers (March 21, 2013)
Matthew Keys, the former Tribune Company employee who was accused of helping hackers gain access to that company's servers, has denied that he gave anyone login credentials. Keys posted a statement to his Facebook page that says, in part, that he "did not 'conspire' to 'cause damage to a protected computer' ...
[or ]
cause 'transmission of malicious code.'" The intruders altered the headlines and byline of one article. Keys's arraignment is scheduled for April 12.
-http://www.computerworld.com/s/article/9237765/Former_Tribune_staffer_denies_giv
ing_hackers_log_in_credentials?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57575499-83/keys-denies-giving-tribune-log-in-c
redentials-to-anonymous/



Weak Password Hash Algorithm Implementation in Some Cisco Devices (March 20 & 21, 2013)
A weak implementation of a password-hashing algorithm in Cisco's IOS operating system version 15 makes passwords significantly more vulnerable to brute force hacking. The algorithm was supposed to have an 80-bit salt value and use 1,000 iterations through SHA256, but instead, the password is not salted at all and undergoes just one SHA256 iteration. The new algorithm is called Type 4 and was intended to be stronger that the Type 5 and Type 7 algorithms.
-http://www.computerworld.com/s/article/9237752/Cisco_inadvertently_weakens_passw
ord_encryption_in_its_IOS_operating_system?taxonomyId=17

-http://www.h-online.com/security/news/item/Weakened-password-hashing-found-in-Ci
sco-devices-1827197.html

-http://www.informationweek.com/security/vulnerabilities/cisco-password-fumble-ha
rdware-security/240151244

-http://www.theregister.co.uk/2013/03/20/cisco_introduces_weak_passwords/


Microsoft Says High-Profile Xbox Live Accounts Compromised (March 20, 2013)
Microsoft said that hackers used social engineering tricks to take over high-profile Xbox live accounts. The accounts that were taken over belong to current and former Microsoft employees. The account hijackings appear to be related to a recent story by security journalist Brian Krebs about a website that sells access to credit reports, driver's license numbers, and Social Security numbers (SSNs). The Xbox hackers used that site to obtain information that they used in their social engineering attacks. Krebs was recently targeted in a SWATting attack: hackers placed an emergency call that appeared to come from Krebs's phone and reported a dangerous situation. The individual alleged to be behind the attack also arranged for Krebs's website to be hit with a denial-of-service attack earlier that same day.
-http://www.computerworld.com/s/article/9237740/Microsoft_Hackers_obtained_high_p
rofile_Xbox_Live_accounts?taxonomyId=17

-http://arstechnica.com/security/2013/03/hackers-that-took-over-xbox-live-account
s-may-be-behind-ddos-attack-on-ars/

-http://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/


House Committee Passes Bill That Would Give Federal CIOs Budget Authority (March 20, 2013)
In a unanimous vote, the US House Oversight and Government Reform Committee has passed the Federal Information Technology Acquisition Reform Act, which would give agency CIOs the authority to move funding from one technology project to another. Currently, the Department of Veterans Affairs is the only agency at which the CIO has such authority. The bill also stipulates that each agency would have only one CIO, and it would make federal agency CIOs presidential appointees. The bill now goes before the full House for consideration.
-http://www.nextgov.com/cio-briefing/2013/03/oversight-committee-passes-it-reform
-act/61984/?oref=ng-HPtopstory



Senators Introduce Bill to Amend ECPA (March 20, 2013)
Two US senators have introduced legislation to amend the 1986 Electronic Communications Privacy Act (ECPA), which they say is outdated. The lawmakers want to require law enforcement to obtain warrants before examining citizens' electronic communications. ECPA allows authorities to obtain email that is more than 180 days old with a subpoena. One of the bill's sponsors, Senator Patrick Leahy (D-Vermont), said in a statement, "Privacy laws written in an analog era are no longer suited for privacy threats we face in a digital world."
-http://www.scmagazine.com/lawmakers-propose-change-to-outdated-email-privacy-law
/article/285290/

-http://www.csoonline.com/article/730506/senate-bill-would-require-warrant-to-obt
ain-emails-from-internet-companies

[Editor's Comment (Northcutt): Outdated? It was only passed in 1986 (grin); I love what I am hearing about requiring warrants, but as it gets closer to passing I bet we start to hear about terrorists and the need to keep removing rights from US Citizens. But here is hoping, I will be keeping a close eye on the EPIC and EFF websites devoted to the topic:
-http://epic.org/privacy/ecpa/
-https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communicatio
ns-privacy-act
]


Adware Trojan Targets OS X Systems (March 20, 2013)
The Yontoo Trojan horse program installs a plug-in that displays fraudulent advertisements on web pages. Yontoo targets computers running Mac OS X. It spreads by disguising itself as a media player, a video quality enhancement tool, and a download accelerator. The installer asks users if they want to install an app called Free Twit Tube. If users click yes, the Trojan is downloaded onto their computers and the malware monitors their web browsing and through a remote server, injects the ads onto the sites they visit. Yontoo is being classified as a Trojan because it uses trickery and disguises to become installed.
-http://arstechnica.com/apple/2013/03/ad-injecting-trojan-targets-mac-users-on-sa
fari-firefox-and-chrome/

-http://news.cnet.com/8301-1009_3-57575503-83/new-adware-trojan-circulating-that-
targets-mac-os-x-systems/

-http://www.zdnet.com/is-the-new-mac-trojan-hitting-os-x-browsers-really-a-trojan
-7000012937/

Removing Yontoo:
-http://news.cnet.com/8301-1009_3-57575543-83/how-to-remove-yontoo-adware-trojan-
from-your-os-x-system/

[Editor's Note (Frantzen): Original source is the Russian anti-virus company Dr. Web:
-http://news.drweb.com/show/?i=3389&lng=en&c=14]



FBI Arrests Chinese National US Military Contractor as he Tries to Leave Country (March 19, 2013)
On March 16, a Chinese national who is a military contractor was arrested on an airplane as he tried to leave the country. Bo Jiang worked at NASA-Langley in Virginia. An FBI affidavit says that Jiang is being investigated for "substantive violations of the Arms Control Act." Whistleblowers at Jiang's workplace informed the FBI that he planned to leave the country with a one-way ticket. The affidavit also states that Jiang is believed to have left the US previously with a laptop computer that contained sensitive information. Federal agents boarded the airplane that Jiang was on and questioned him about what electronic devices he was taking with him. He did not disclose all electronic media he was traveling with to federal agents. He has been charged with lying to federal agents.
-http://www.federalnewsradio.com/490/3255952/FBI-arrests-NASA-contractor-about-to
-leave-US-for-China

-http://www.scienceworldreport.com/articles/5673/20130320/fbi-arrests-nasa-contra
ctor-employee-fleeing-to-china.htm



Miami-Dade County Department of Elections Targeted in Absentee Ballot Request Fraud (March 18, 2013)
According to a grand jury report, a hacker or hackers managed to "create a computer program that automatically, systematically, and rapidly submitted" online requests for absentee ballots to the Miami-Dade County (Florida) Department of Elections. In all, the scam made more than 2,500 fraudulent requests over the course of two-and-a-half weeks. A vendor saw the requests coming from the same group of computers and at a rate that would be impossible for humans to enter the information required. The requests were flagged and the ballots requested were not sent out. The grand jury report is from December 2012 and the Miami herald reported the story in February. The attack did not require any sophisticated skills.
-http://www.nextgov.com/cybersecurity/2013/03/miamis-voter-fraud-only-beginning-e
lection-hacking/61944/?oref=ng-channelriver

-http://www.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html
-http://www.miamiherald.com/2013/02/23/v-fullstory/3250726/the-case-of-the-phanto
m-ballots.html

-http://www.miamisao.com/publications/grand_jury/2000s/gj2012s.pdf


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/