SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #29
April 12, 2013
TOP OF THE NEWS
Proposed US Budget for FY 2014 Includes Increase for Cybersecurity
Oregon Company is Suing Bank for US $250,000 in Fraudulent ACH Transactions
Air Force Designates Some Cyber Tools as Weapons
THE REST OF THE WEEK'S NEWS
Researcher Presents: Hacking Aviation Communication Systems With an Android Device
Aviation Control Hack Refuted
Gaming Developers' Digital Certificates Stolen, Used in Attacks
White House, Privacy Groups Say CISPA Needs Updating
South Korea Says it Traced Attacks to North Korea
Three Plead Guilty to Charges Related to Numerous Cyber Intrusions
Hospital Can Ask ISP for Info to help Identify Alleged Cyber Intruder
IRS Allegedly Reading eMail Without Warrant in Fraud Cases
Microsoft and Adobe Issue Security Updates
NY Students Hone Real World Cybersecurity Skills at Hack Nights
TOP OF THE NEWS
Proposed US Budget for FY 2014 Includes Increase for Cybersecurity (April 11, 2013)
President Obama's proposed budget for FY 2014 includes an increase in funding for cybersecurity defense measures. Spending on Pentagon cybersecurity and weapon development will grow by 21 percent, or US $800 million, bringing the total figure to US $4.7 billion.
[Editor's Note (Pescatore): Five or more years ago the federal government spent a much lower percentage of its IT budget on security than industry, but that's not really true anymore: the government has a "spend smarter" security problem, not a "spend harder" security problem. I think the new OMB PortfolioStat review process will be able to find many places in government security spending (such as desktop security spending) where cost reductions could be made without reducing security and the savings could be used to address next-generation security needs.
(Paller): A bunch of new money is in that budget for NIST. FedNewsRadio has asked me to discuss NIST's big cyber budget increase Monday morning, and I am having trouble finding anything NIST has done that has substantially and measurably improved agencies' ability to withstand attacks or recover quickly from them. Suggestions welcome. I'll give you credit. firstname.lastname@example.org]
Oregon Company is Suing Bank for US $250,000 in Fraudulent ACH Transactions (April 11, 2013)
Oregon Hay Products is suing Community Bank for allegedly "fail[ing] to detect and prevent" fraudulent wire transfers in an attack that drained nearly US $250,000 from Oregon Hay's bank account over three days in September 2010. In all, cybercriminals conducted three transactions, each just under Oregon Hay's established daily outgoing wire transaction limit of US $75,000, transferring funds to a bank account in Ukraine. Oregon Hay's complaint alleges that Commercial Bank's security precautions were not commensurate with current threats and that the transaction orders were not accepted in good faith as established by the Uniform Commercial Code. The transactions were initiated from IP addresses that Oregon Hay had never used before. The complaint alleges that Commercial Bank had not implemented security measures recommended by the US Federal Financial Institutions Examination Council, which include using multi-factor authentication for online banking transactions. At the time of the theft, the bank was using a procedure involving cookies and a challenge/response question.
Text of Complaint:
[Editor's Note (Paller): As organizations discover there is economic liability for lax cybersecurity, and lawyers smell blood in the water, the recognition will dawn on policymakers that their reliance on high level "guidance" was a really bad idea and made government cybersecurity a terrible model for protecting the critical infrastructure and businesses. This week the Australian Attorney General established a legal requirement that all agencies implement a small number of critical security controls. No company can pretend they don't know the basic controls they must implement. The U.S. government will do that, too, but, as Winston Churchill said so long ago, "Americans will always do the right thing - after exhausting all the alternatives." You can get a head start on doing the right thing if you can get to London on May 1-2 (
or listen in on the briefing on April 18. (
Air Force Designates Some Cyber Tools as Weapons (April 8 & 9, 2013)
The US Air Force has reclassified a half-dozen cyber tools as weapons to increase the chances they will receive funding within the Pentagon's tight budget. Lt. General John Hyten, vice commander of Air Force Space Command, told attendees at a conference that the new designations "mean that the game-changing capability that cyber is, is going to get more attention and recognition than it deserves." Hyten offered no details about the newly classified cyber weapons, but did say that the Air Force is working to integrate cyber capabilities with other existing weapons.
[Editor's Note (McBride): Not that there was much doubt as to whether the United States cyber strategists (term used loosely) prefer offense to defense... but there you have it.
(Ranum): I wonder if this means that the contractors developing them will now need to fall under ITAR and whether shipping such code will now require an end-user certificate, etc. This might not be just a budget play, it could be an attempt to establish a regulatory cyberframework to prevent some cyber Basil Zaharoff from cyberselling cyberweapons to both cybersides of a cyberwar. :-)]
THE REST OF THE WEEK'S NEWS
Researcher Presents: Hacking Aviation Communication Systems With an Android Device (April 11, 2013)
At a security conference in Amsterdam this week, Hugo Teso presented research he has conducted into vulnerabilities in aviation communication technologies. Armed with nothing more than an Android mobile device and a custom app, Teso was able to hijack systems that provide navigation information to airplanes. Teso ran his tests on secondhand commercial flight system hardware and software he purchased over the Internet.
Aviation Control Hack Refuted (April 11, 2013)
The US Federal Aviation Administration (FAA) denies that the attack Teso presented could actually hack in-flight navigation systems. The attack "does not work on certified flight hardware," according to FAA spokesman Les Dorr.
[Editor's Note (Assante): The ability to exploit a vulnerability in a fielded system, a determination of system susceptibility at various states, is essential to understand when considering risk. With that said, it is important to address component and subsystem security weaknesses, in a prioritized manner, based on the anticipated consequences if the system's integrity or availability is lost. Exploitability can be dynamic and will differ based on a specific threat actor and scenario. Pointing out vulnerabilities in a responsible manner is valuable, but drawing conclusions with limited evidence is a risky proposition and can result in entrenching the type of thinking that enabled the vulnerabilities of concern.]
Gaming Developers' Digital Certificates Stolen, Used in Attacks (April 11, 2013)
In what is being called an advanced persistent threat on gaming companies, cyberthieves have been using malware known as Winnti to steal digital certificates from companies that develop video games. The certificates have been used in attacks against companies in the aerospace industry, the company that operates South Korea's largest social network, and political activists. It is unclear whether all the attacks were launched by the same organization that originally planted Winnti, or whether the certificates were provided to others who used them in different attacks. The thieves also appear to be mapping the network architecture of the developers' production servers and stealing source code from them.
White House, Privacy Groups Say CISPA Needs Updating (April 10 & 11, 2013)
Although the US House Intelligence Committee has approved the Cyber Intelligence Sharing and Protection Act (CISPA), privacy groups say that legislators have not made adequate changes to the bill to address concerns about government surveillance. Specifically, there are concerns that CISPA, as currently drafted, would let private companies share information with government intelligence agencies. The White House has indicated that it would not support CISPA in its current state and that more must be done to protect personal information.
South Korea Says it Traced Attacks to North Korea (April 10 & 11, 2013)
The South Korean government says it has found evidence that the recent attacks on the country's banks and broadcasting companies came from North Korea's military intelligence. The attack, which took place on March 20, involved malware that deleted master boot records of infected PCs; online banking sites and ATMs were affected as well. South Korean investigators were able to trace attacks to an IP address in North Korea. The information was exposed inadvertently while someone conducting the attacks experienced technical difficulties.
Three Plead Guilty to Charges Related to Numerous Cyber Intrusions (April 9 & 10, 2013)
Three people have pleaded guilty in a London court to charges stemming from attacks against computer systems at numerous companies and government agencies over a seven-month period in 2011. Ryan Ackroyd, Jake Davis, and Mustafa al-Bassam all entered guilty pleas to various charges. The three men are believed to be members of a hacker group known as LulzSec. The arrests were made as part of a joint investigation by the FBI and Scotland Yard.
Hospital Can Ask ISP for Info to Help Identify Alleged Cyber Intruder (April 10, 2013)
A New Jersey appellate court has ruled that St Luke's Warren Hospital may proceed with its request for a subpoena that would require Internet service provider (ISP) Verizon to turn over information that would help identify a person or persons who allegedly broke into the hospital's email server and sent offensive messages. There have been two separate incidents: in 2008, someone managed to log in to the hospital website's secure mailbox and send offensive messages to hospital employees. In October 2009, someone accessed the hospital's website and gained access to an employee's email account, which was used to send a message containing allegations of "sexual misconduct and other wrongdoings" against hospital employees. The plaintiffs filed a complaint in 2010, calling the incidents "defamatory" and seeking subpoenas from four different ISPs to find out who was behind the messages. This ruling applies to just one of the ISPs.
[Editor's Note (Henry): The private sector's ability to independently pursue these matters, particularly those which may not garner the attention of law enforcement, will add new opportunities to lawfully pursue and/or impact malicious actors. ]
IRS Allegedly Reading eMail Without Warrant in Fraud Cases (April 10, 2013)
According to documents obtained by the American Civil Liberties Union (ACLU) through a Freedom of Information Act (FOIA) request, it appears that the US Internal Revenue Service (IRS) may be looking at citizens' email messages without warrants. A 2010 ruling established that the IRS must adhere to the same requirements imposed on other law enforcement agencies while investigating tax fraud.
Microsoft and Adobe Issue Security Updates (March 9 & 10, 2013)
Microsoft has released nine security bulletins to address a number of security issues, including critical flaws in Windows and Internet Explorer (IE). One of the updates is a cumulative update for IE that fixes two security issues that affect every version of the browser. Adobe has also released security updates for its Flash and Shockwave media players.
Microsoft just issued an alert asking Windows users to roll back one of the patches, update 2823324, due to problems with it.
NY Students Hone Real World Cybersecurity Skills at Hack Nights (April 11, 2013)
Students at the Polytechnic Institute of New York University (NYU-Poly) are learning hands-on, mission-critical cybersecurity skills. The school offers a hacking club, an annual hacking competition, and weekly "Hack Nights" to hone their white hat hacking skills in protecting computers from attacks. NYU-Poly even has its own "Hacker-in-Residence" to help develop exercises that have the students dealing with real-world scenarios. Nasir Memon, NYU-Poly professor and director of the Information Systems and Internet Security laboratory there, says they teach students real-world skills while staying within the law.
[Editor's Note (Henry): The critical need for capable cybersecurity experts is well-documented. Programs such as this...exposing students to the industry in an exciting and enjoyable environment...will go a long way in filling the ranks with passionate and innovative recruits. ]
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.