SANS NewsBites - Volume: XV, Issue: 41

*************************************************************************
SANS NewsBites                     May 24, 2013                    Volume: XV, Issue: 41
*************************************************************************
TOP OF THE NEWS

  US Electric Grid Under Continuous Attack
  Commission Recommends Stronger Action be Taken to Protect Intellectual Property
  North Carolina Company Loses US $800,000 to ACH Fraud

THE REST OF THE WEEK'S NEWS

  ICS-CERT Warns of Hard-Coded User Accounts in TURCK Programmable Gateways
  Apple Issues Security Update for QuickTime for Windows
  NYPD Detective Arrested for Allegedly Hacking eMail Accounts
  Twitter Launches Two-Factor Authentication
  Citadel Variant Targets Payza Users
  Google Updates Chrome to Version 27
  UK ISPs Block Two More Sites Accused of Enabling Piracy
  Reporters Who Discovered Unprotected Personal Data Are Accused of Being Hackers


********************** SPONSORED BY Tripwire, Inc. **********************
Analyst Webcast: Why Defense, Why Now? Thursday, May 30, 2013 at 1:00pm EDT. High profile breaches capture our attention, and worse, the total number of breaches, especially at small and medium size organizations, has increased significantly over the past 12 months. Eric Cole discusses why all these glum trends provide a great opportunity for security professionals right now to renew focus on cyber defense. Dr. Cole will show how SANS Cyber Security Foundation curriculum will teach you the essential skills required to detect and defend your organization against cyber attacks, improve its overall security posture, and improve your career opportunities. http://www.sans.org/info/131602
***************************************************************************
TRAINING UPDATE


-- Industrial Control System (ICS) Security Training: in-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Houston, TX (June 10-June 15)
http://www.sans.org/event/scada-training-houston-2013
--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

US Electric Grid Under Continuous Attack (May 22, 2013)
Computer systems at utility companies that make up the US electric grid are under attack daily, according to a Congressional report. Two legislators sent questionnaires to more than 150 companies and received 112 responses. Just 53 of those actually answered the questions, while the rest provided partial responses or information that did not directly answer the questions. More than a dozen of the responses said their systems were under "daily," "constant," or "frequent" attacks. One company reported it experienced 10,000 attempted attacks a month. None of the companies noted that the attacks had damaged their systems. The report, "Electric Grid Vulnerability: Industry Responses Reveal Security Gaps," looks at threats from both hackers and from natural occurrences. The report strongly urges Congress "to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms."
-http://arstechnica.com/information-technology/2013/05/power-company-targeted-by-10000-cyber-attacks-per-month/

-http://news.cnet.com/8301-1009_3-57585618-83/power-utilities-claim-daily-and-constant-cyberattacks-says-report/

-http://www.computerworld.com/s/article/9239442/U.S._power_companies_under_frequent_cyberattack?taxonomyId=17

Report:
-http://markey.house.gov/sites/markey.house.gov/files/documents/Markey%20Grid%20Report_05.21.13.pdf

[Editor's Note (Pescatore): Maybe we should let polling companies write laws, since legislators seem to be increasingly creating surveys. Every IP address everywhere is under constant attack, so the top result is pretty similar to what they would have gotten if they asked "do your wires ever get hit by radiation from solar flares?" which of course happens all the time. Oops, turns out they asked about that, too - the Congressmen seem to feel spare transformers are needed there. Oddly, they cited the 2003 northeast US cascading blackout (which was bigger than most realistic cyber-induced scenarios) and the fact that nearness to untrimmed trees and computer error were the causes - but never asked the utility companies about what they have done there to eliminate recurrence.
(McBride): The type of questions asked of the utilities really does show some initiative by the Congressmen and their staff. The disappointing response rate (and the disappointing responses) could have been expected. The industry is clearly driven by compliance concerns.
(Assante): The issue of authorities is a tricky one as the law under Section 215 provides for risk management through standard setting, but does not provide for emergency authorities. Existing federal powers may be used during a crisis, but clarity to deal with an actual event or series of events may be necessary. The debate is an important one.]


Commission Recommends Stronger Action be Taken to Protect Intellectual Property (May 23, 2013)
The Commission on the Theft of American Intellectual Property, a private organization, has issued a report arguing that US companies should be permitted to act aggressively to prevent hackers from stealing their intellectual property. The report notes that "hundreds of billions of dollars" worth of US intellectual property (IP) is stolen each year, and estimates that China is responsible for 50 to 80 percent of international intellectual property theft. In addition, "the slow pace of legal remedies for IP infringement does not meet the needs of companies whose products have rapid product life and profit cycles." The paper also makes a case for creating disincentives to IP theft by making it unprofitable. The report calls for laws to allow intellectual property owners to retrieve or "render inoperable" stolen IP. The process would be helped through increased "meta-tagging," "beaconing," and "watermarking," technology that essentially has a phone-home effect, letting IP holders know when information has been stolen.
-http://www.computerworld.com/s/article/9239503/U.S._urged_to_let_companies_hack_back_at_IP_cyber_thieves?taxonomyId=17

-http://www.scmagazine.com//commission-offers-suggestions-for-stemming-online-spy-threat-from-china/article/294494/

-http://www.zdnet.com/us-urged-to-permit-self-defense-retaliation-on-hackers-7000015731/

-http://www.forbes.com/sites/emmawoollacott/2013/05/23/us-should-get-tough-on-chinese-ip-theft-committee-warns/

Text of Report:
-http://www.ipcommission.org/report/IP_Commission_Report_052213.pdf
Speakers at the Future in Review conference in California this week raised similar issues. Former Director of Global Cyber Security Management for DHS Richard Marshall said that "there are technologies that can be used to protect our intellectual property," and that "We should be the aggressor in protecting our IP."
-http://news.cnet.com/8301-1009_3-57585907-83/is-protecting-intellectual-property-from-cyberthieves-futile/

[Editor's Note (Pescatore): I'm all for aggressively reducing the rampant vulnerabilities that are enabling these attacks to succeed, and the report recommends that - essentially a "Critical Security Controls" approach. But the report veers into "threat-based deterrence" where enterprises attack thieves before the criminals launch their attacks, which is pure silliness. Imagine that in the physical world of crime and insider information theft, which is vastly larger than the cyber equivalent - it would make for a great Tom Cruise movie, but really bad business or security strategy.
(Murray): Stronger security for the protection of intellectual property is clearly indicated. Watermarking is cheap. However, it operates late, after much of the damage is irremediable. Strong authentication, restrictive access control policy, end-to-end encryption terminating on the application, and yes, even locked-down dedicated hardware are also cheap and they operate to resist the loss in the first place. Let's keep our priorities straight.]


North Carolina Company Loses US $800,000 to ACH Fraud (May 23, 2013)
Thieves stole more than US $800,000 from a North Carolina company in numerous small, fraudulent automated clearinghouse (ACH) transactions. J.T. Alexander & Son Inc., a fuel distributor, and its bank, Peoples Bancorp of North Carolina Inc., did not notice the anomalous transactions for five days. The money was taken from the company's payroll account. J.T. Alexander's 15 employees are normally paid from that account every two weeks, and the usual total amount of payroll is US $30,000. The company does hold an insurance policy that covers losses from cyberfraud, but the coverage does not match the company's losses. According to a J.T. Alexander employee, the bank had recently changed its security procedures so that instead of allowing access to account transactions only from a certain computer at the company along with a login ID, password, and a passcode from the bank, anyone in possession of the login information could access the account from any location.
-http://krebsonsecurity.com/2013/05/nc-fuel-distributor-hit-by-800000-cyberheist/
[Editor's Note (Pescatore): Trying to restrict access to a specific PC is almost inevitably a losing strategy. Business demands invariably include mobility, and if you rely on reusable passwords for access, attackers can compromise the dedicated PC and get the access anyway. Access to high value business services like ACH (Automated Clearing House), or other ecommerce services that put immediate movement of funds at risk, require stronger authentication. Heck, see the Twitter story below - tweets will be more strongly authenticated than ACH transfers. Does that make sense?
(Murray): Hardware is cheap. Is it too much to ask that one not do e-mail and surfing on the same box that one does banking? If Google, Twitter, Dropbox, PayPal and my tiny community bank can offer strong authentication, is it too much to ask that the FFIEC require it for commercial banking? Yes, I understand their reluctance to be prescriptive, but this is ridiculous.]
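The story turns on the fact that a burst of fraudulent debits against a payroll account went unnoticed for five days even though the account's normal pattern is extremely regular: one run every two weeks, 15 payees, about US $30,000. The example below is added here as an illustration of the kind of per-account baseline check a bank or a business could run over its own ACH debit log; it is not code from the story, from the bank or from Krebs on Security. All transaction data, payee names, dates and the rules (off-cycle day, debit count, daily total, never-seen payee) are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Debit:
    day: date
    payee: str
    amount: float


def biweekly_payroll(first_payday: date, periods: int) -> list[Debit]:
    """Constructed history: 15 employees x $2,000 = $30,000 every 14 days."""
    return [Debit(first_payday + timedelta(days=14 * p), f"employee-{n:02d}", 2000.0)
            for p in range(periods) for n in range(15)]


def fraud_burst(first_day: date, days: int, per_day: int, amount: float) -> list[Debit]:
    """Constructed attack window: many small debits to never-before-seen payees."""
    return [Debit(first_day + timedelta(days=d), f"mule-{d:02d}-{i:03d}", amount)
            for d in range(days) for i in range(per_day)]


class PayrollBaseline:
    """Profile of one account learned from its past debits (hypothetical helper)."""

    def __init__(self, history: list[Debit]):
        self.known_payees = {d.payee for d in history}
        count: dict[date, int] = defaultdict(int)
        total: dict[date, float] = defaultdict(float)
        for d in history:
            count[d.day] += 1
            total[d.day] += d.amount
        active = sorted(count)
        self.max_daily_count = max(count.values())
        self.max_daily_total = max(total.values())
        self.anchor = active[0]
        # Cadence = smallest gap between two active days (14 for a biweekly payroll).
        self.cadence = min((b - a).days for a, b in zip(active, active[1:]))

    def on_cycle(self, day: date) -> bool:
        return (day - self.anchor).days % self.cadence == 0


def daily_alerts(baseline: PayrollBaseline, debits: list[Debit]) -> dict[date, list[str]]:
    """Return {day: [reasons]} for every day whose debits break the baseline."""
    by_day: dict[date, list[Debit]] = defaultdict(list)
    for d in debits:
        by_day[d.day].append(d)
    alerts: dict[date, list[str]] = {}
    for day, items in sorted(by_day.items()):
        reasons = []
        if not baseline.on_cycle(day):
            reasons.append("off-cycle")
        if len(items) > baseline.max_daily_count:
            reasons.append("count")
        if sum(i.amount for i in items) > baseline.max_daily_total:
            reasons.append("total")
        if any(i.payee not in baseline.known_payees for i in items):
            reasons.append("new-payee")
        if reasons:
            alerts[day] = reasons
    return alerts


# Constructed scenario with the same shape as the story: 8 normal paydays, then
# 5 consecutive off-cycle days of 80 x $2,000 debits (= $800,000) to new payees.
FIRST_PAYDAY = date(2013, 1, 4)
HISTORY = biweekly_payroll(FIRST_PAYDAY, periods=8)
LAST_PAYDAY = FIRST_PAYDAY + timedelta(days=14 * 7)
BURST = fraud_burst(LAST_PAYDAY + timedelta(days=3), days=5, per_day=80, amount=2000.0)
NEXT_PAYDAY = biweekly_payroll(LAST_PAYDAY + timedelta(days=14), periods=1)


def run_demo() -> tuple[dict[date, list[str]], dict[date, list[str]]]:
    """Alerts for the fraud window and for the next legitimate payday."""
    baseline = PayrollBaseline(HISTORY)
    return daily_alerts(baseline, BURST), daily_alerts(baseline, NEXT_PAYDAY)


if __name__ == "__main__":
    burst_alerts, payday_alerts = run_demo()
    for day, reasons in burst_alerts.items():
        print(day, ", ".join(reasons))
    print("next normal payday alerts:", payday_alerts)
```

Every day of the constructed burst trips all four rules on its first day of activity, while the following legitimate payday produces no alert; the point is that a day-one signal existed in the account's own history, independent of how the login was authenticated.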



**************************** Sponsored Links: ******************************
1) StillSecure - Providing visibility, enforcement, quarantine, and remediation. Safe Access NAC provides network control. http://www.sans.org/info/131607

2) Leveraging the First Four Critical Security Controls for Holistic Improvements featuring SANS Analyst James Tarala, co-author of the CSCs. Wednesday, June 12, 1:00 PM EDT http://www.sans.org/info/131612

3) Attend the SANS Industrial Controls Systems Security Briefing, Monday, June 10, 2013 in Houston, TX at the Westin Houston Memorial City. Featuring Mike Assante, Eric Cornelius, Lior Frenkel, Bart Pestarino and Jonathan Knudsen. This event is free to Oil & Gas constituents participating or evaluating participation in the global consensus on minimum standards for cyber skills for ICS. For more information go to http://www.sans.org/info/131627.
*****************************************************************************

THE REST OF THE WEEK'S NEWS

ICS-CERT Warns of Hard-Coded User Accounts in TURCK Programmable Gateways (May 23, 2013)
The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about a vulnerability in two TURCK programmable gateways. BL20 and BL67 both contain hard-coded login credentials. Attackers could log into vulnerable devices through a file transfer protocol (FTP) service and obtain remote administrative access. TURCK has released updated firmware for the devices to address the vulnerability.
-http://www.scmagazine.com//critical-vulnerablilty-discovered-in-industrial-control-product/article/294670/

-http://ics-cert.us-cert.gov/advisories/ICSA-13-136-01
[Editor's Note (McBride): At this point you should probably be expecting hard-coded credentials at the PLC level! The next questions should be "Do you care?"; and "What are you going to do about it?" We contacted TURCK to find out what the "latest firmware version" of the affected products was. Tech support responded "There are so many different types of BL20's and BL67's that there isn't a single firmware identifier; we don't have any way to tell you". Conclusion: Hard-coded credentials are only a symptom...]


Apple Issues Security Update for QuickTime for Windows (May 23, 2013)
Apple has issued an update for QuickTime for Windows to address critical vulnerabilities in the multimedia framework. The flaws, which affect QuickTime for Windows 7, Vista, and XP SP2 and later, can be exploited to allow arbitrary code execution and to crash applications. Users are urged to update QuickTime to version 7.7.4.
-http://www.h-online.com/security/news/item/Apple-closes-QuickTime-vulnerabilities-on-Windows-1868186.html

-http://www.v3.co.uk/v3-uk/news/2270004/apple-posts-security-update-for-quicktime-for-windows



NYPD Detective Arrested for Allegedly Hacking eMail Accounts (May 22 & 23, 2013)
US federal law enforcement agents have arrested a New York City Police Department (NYPD) detective for allegedly hiring a hacking service to break into more than 40 email accounts belonging to NYPD employees and other people. Edwin Vargas also allegedly paid the same group for gaining access to cell phone records. According to evidence gathered from a digital forensic review of Vargas's hard drive, he had obtained access to three months of cellphone records for at least one individual. Vargas also accessed the National Crime Information Center (NCIC) database, which he was authorized to use as a law enforcement officer, but he allegedly accessed information outside the realm of his duties.
-http://www.theregister.co.uk/2013/05/23/nypd_black_hat/
-http://www.informationweek.com/security/attacks/fbi-arrests-nypd-detective-on-hacking-ch/240155332

-http://www.fbi.gov/newyork/press-releases/2013/manhattan-u.s.-attorney-and-fbi-assistant-director-in-charge-announce-arrest-of-new-york-police-department-detective-for-computer-hacking



Twitter Launches Two-Factor Authentication (May 22 & 23, 2013)
Twitter has introduced two-factor authentication for account access. Users who opt in to the feature provide Twitter with a mobile phone number, and whenever they want to log in to their accounts, they will be required to provide their regular passwords along with a verification code which will be sent to the specified phone. The introduction of this feature comes just weeks after several high-profile Twitter accounts were compromised and misused.
-http://arstechnica.com/security/2013/05/twitter-launches-two-factor-authentication-too-late-to-save-the-onion/

-http://www.scmagazine.com//twitter-begins-rollout-of-two-factor-authentication-to-limit-account-takeovers/article/294495/

-http://www.h-online.com/security/news/item/Twitter-implements-two-factor-authentication-1868050.html

[Editor's Note (Ullrich): Good move by Twitter to offer this feature. Now the problem will be if the companies using Twitter will be able to take advantage of this feature.
(Pescatore): It is amazing to see consumer-grade, advertising-supported services leading the way in getting everyday users to adopt strong authentication, while we continue to see traditional enterprises and government services making very little progress moving their users away from reusable passwords. Another example of the consumerization of IT.]
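The story describes the flow only at the level of "password plus a verification code sent to the enrolled phone". The example below is added here to show the server-side properties such a code needs before it adds real strength: generated from a CSPRNG, issued only after the password check succeeds, time-limited, attempt-limited, single-use, and compared in constant time. It is not Twitter's code and makes no claim about how Twitter implements the feature; the class name, the two-minute lifetime, the three-attempt limit, the PBKDF2 password store and the stubbed SMS sender are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed policy: a code is valid for two minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses invalidate the code


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class TwoStepLogin:
    """Hypothetical service: password check, then a one-time code sent to the phone.
    send_sms and now are injected so the example runs offline and is testable."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms                                # callable(phone, text)
        self.now = now                                          # clock, for expiry tests
        self.users: dict[str, tuple[bytes, bytes, str]] = {}    # user -> (salt, hash, phone)
        self.pending: dict[str, Challenge] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt), phone)

    def begin_login(self, user: str, password: str) -> bool:
        """First factor. A code is generated and sent only after the password checks out."""
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored, phone = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"                # CSPRNG, zero-padded
        self.pending[user] = Challenge(code, self.now())        # replaces any older code
        self.send_sms(phone, f"Your verification code is {code}")
        return True

    def finish_login(self, user: str, submitted: str) -> bool:
        """Second factor: single-use, time-limited, attempt-limited, constant-time compare."""
        ch = self.pending.get(user)
        if ch is None or ch.used:
            return False
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]                              # expired: require a new code
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.pending[user]                              # guessed too often: discard
            return False
        if submitted.isascii() and hmac.compare_digest(ch.code, submitted):
            ch.used = True                                      # a code never verifies twice
            return True
        return False


def demo() -> dict[str, bool]:
    """Walk the cases a reviewer would check; returns each outcome by name."""
    outbox: list[tuple[str, str]] = []                         # stands in for the SMS gateway
    clock = [1_000_000.0]
    svc = TwoStepLogin(send_sms=lambda phone, text: outbox.append((phone, text)),
                       now=lambda: clock[0])
    svc.register("alice", "correct horse battery staple", "+1-555-0100")  # constructed user
    last_code = lambda: outbox[-1][1].split()[-1]
    wrong = lambda: "000000" if last_code() != "000000" else "111111"
    out: dict[str, bool] = {}
    out["wrong_password_accepted"] = svc.begin_login("alice", "nope")
    out["sms_sent_before_password_ok"] = bool(outbox)
    svc.begin_login("alice", "correct horse battery staple")
    out["wrong_code"] = svc.finish_login("alice", wrong())
    out["correct_code"] = svc.finish_login("alice", last_code())
    out["replayed_code"] = svc.finish_login("alice", last_code())
    svc.begin_login("alice", "correct horse battery staple")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_code"] = svc.finish_login("alice", last_code())
    svc.begin_login("alice", "correct horse battery staple")
    for _ in range(MAX_ATTEMPTS):
        svc.finish_login("alice", wrong())
    out["correct_code_after_lockout"] = svc.finish_login("alice", last_code())
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the fresh, correct code within its lifetime and attempt budget is accepted; the attempt limit matters because a six-digit code without one is just a slower password.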


Citadel Variant Targets Payza Users (May 22, 2013)
A new variant of the malware known as Citadel targets users of the Payza online payment service with a man-in-the-browser attack. The attack involves altering the login page with space for the user's personal identification number (PIN). The PIN, when combined with the other information provided on the form, gives attackers control of users' accounts. Citadel is a Trojan horse program that is used primarily to grab online banking credentials. It has also been used to spread ransomware known as Reveton.
-http://www.computerworld.com/s/article/9239448/New_Citadel_malware_variant_targets_Payza_online_payment_platform?taxonomyId=17



Google Updates Chrome to Version 27 (May 21, 22 & 23, 2013)
Google has released the newest stable version of its Chrome browser, 27.0.1453.93, for Windows, Mac OS X, Linux, and Chrome Frame for Internet Explorer. This version of Chrome addresses 17 security issues and includes a new scheduler among the performance improvements. That feature should help pages render more quickly. Google has updated Chrome for Android as well.
-http://www.h-online.com/security/news/item/Chrome-27-comes-with-better-load-speeds-and-security-fixes-1867731.html

-http://arstechnica.com/gadgets/2013/05/chrome-for-android-also-gets-bumped-up-to-version-27/

-http://news.cnet.com/8301-1001_3-57585598-92/chrome-gets-a-touch-faster/


UK ISPs Block Two More Sites Accused of Enabling Piracy (May 21, 2013)
To comply with a court order obtained by the Motion Picture Association (MPA), major UK ISPs have begun blocking two websites that have been accused of allowing downloads of pirated movies. There are now six sites for which industry groups have obtained court orders requiring blocks. The British Phonographic Industry (BPI) has named 25 sites it would like to see be blocked for aiding illegal downloads of popular music.
-http://www.bbc.co.uk/news/technology-22607298
-http://crave.cnet.co.uk/software/pirate-movie-sites-blocked-by-uk-isps-following-court-order-50011284/



Reporters Who Discovered Unprotected Personal Data Are Accused of Being Hackers (May 20 & 21, 2013)
Two telecommunications companies are accusing reporters of hacking after the reporters uncovered a cache of personal data on a publicly accessible server. The Scripps reporters say they found the data, which include Social Security numbers (SSNs) and other personally identifiable information, through a Google search, but the companies maintain that the reporters accessed the data and in doing so, violated the Computer Fraud and Abuse Act. The reporters deny those allegations. The data, which were gathered by a third party company on behalf of the two telecommunications firms, were collected as supporting documentation for families seeking to qualify for the US Federal Communications Commission's (FCC's) Lifeline program, which helps low-income Americans obtain phone service. The program allows the telecoms to request the information but specifically says that it may not be retained.
-http://arstechnica.com/security/2013/05/reporters-use-google-find-breach-get-branded-as-hackers/

-http://www.sacbee.com/2013/05/20/5433104/scripps-news-investigation-finds.html
-http://www.npr.org/2013/05/21/185788193/my-social-security-number-is-posted-where

[Editor's Note (Honan): So let me get this straight: the telecoms companies retained information they should not have, then compounded this by leaving it on an internet-connected system accessible to anybody including search engines, and then claim a security breach? Just because you don't like the message you should not shoot the messenger.
(Henry): The Computer Fraud and Abuse Act precludes exceeding your authorized access. If the personally identifiable information was posted on a publicly available website, as the journalists suggest, I think there would be little chance of charges being brought against them under Title 18, Section 1030 (CFAA) merely based on the tools used to download them. Calling those who came across information that wasn't sufficiently protected "hackers" appears to be a way to deflect attention from the real issue.]


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/