SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #101

December 24, 2013

Congratulations to those selected as "people who made a difference in cybersecurity in 2013" (the first story) and a very happy holidays to all NewsBites readers (214,000 when we last looked). Each of you plays an important role in improving cybersecurity; we salute you!

Alan

---

TOP OF THE NEWS

The 2013 People Who Made a Difference in Cybersecurity Awards
RSA Denies Allegations That it Accepted US $10 Million from NSA to Use Faulty PRNG
Legislators Seek Investigations of Target Breach (See especially Shawn Henry's note after the story)
2014 National Defense Authorization Act Attempts to Address Cybersecurity Issues

THE REST OF THE WEEK'S NEWS

Five Interviews Shed Light On What Is Going On Inside NSA
Card Data Stolen in Target Breach Appearing on Black Market Sites
Browser Extension Circumvents Internet Filters
CryptoLocker Gang Likely Amassing Millions
ZeroAccess Botnet Group May be Surrendering Control
Adobe Warning of Fake License Key Delivery eMail
Gaming Company Breach Affects Casinos in Four States

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******* Sponsored By SANS Cyber Threat Intelligence Summit **************
Plan to attend the SANS Cyber Threat Intelligence Summit, February 10th & 11th, in Washington DC! It will focus on Security Information & Event Management, Security Monitoring and Threat Intelligence. Choose from three related classes that take place beforehand (Feb 4th - 9th) including Security Essentials, Reverse Engineering Malware and Advanced Computer Forensics & Incident Response. http://www.sans.org/info/146740
***************************************************************************
TRAINING UPDATE

- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 The nation's largest conference and training program on security of power, oil&gas and other industrial control systems. Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

The 2013 People Who Made a Difference in Cybersecurity Awards (December 20, 2013)

Six government cybersecurity practitioners are among those who received People Who Made a Difference in Cybersecurity Awards: Erica Borggren, Director of Illinois Department of Veterans Affairs; Todd Boudreau, Regimental Chief Warrant Officer at US Army Signal Regiment; Peter Kaplan, Acting Director of the Office of Public Affairs at the Federal Trade Commission; Major TJ O'Connor of the US Military Academy at West Point; Alex Ruiz of the Immigration and Customs Enforcement; and Jonathan Trull, Chief Information Security Officer at the Colorado Governor's Office of Information Technology.
-http://www.nextgov.com/cio-briefing/wired-workplace/2013/12/awards-recognize-bes
t-government-cybersecurity/75830/?oref=ng-HPriver
Complete List of Winners:
-https://www.sans.org/press/people-who-made-difference-cybersecurity-2013.php
[Editor's Note (Pescatore): Alan Paller and I had a lot of fun going through the piles of nominations to select the winners. It really pointed out that since the same security technology and products are available to all, the difference in security between companies always comes back to the skill, creativity and teamwork of their security people. ]

RSA Denies Allegations That it Accepted US $10 Million from NSA to Use Faulty PRNG (December 20 & 23, 2013)

RSA has denied allegations that it was paid US $10 million by the NSA to use a flawed PRNG (pseudo-random number generating) algorithm in its BSafe crypto library. According to a Reuters story, RSA's use of the Dual Elliptic Curve Deterministic Random Bit Generator allowed the NSA to identify its use in government systems and push for its inclusion in the National Institute of Standards and Technology's (NIST's) Recommendation for Random Number Generation Using Deterministic Random Bit generators. In a blog post, RSA said, "we never have entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
-http://www.theregister.co.uk/2013/12/23/rsa_nsa_response/
-http://www.zdnet.com/rsa-denies-taking-10m-from-nsa-to-default-backdoored-algori
thm-7000024591/
-http://www.bbc.co.uk/news/technology-25492461
-http://arstechnica.com/security/2013/12/rsa-issues-non-denying-denial-of-nsa-dea
l-to-favor-flawed-crypto-code/
-http://arstechnica.com/security/2013/12/report-nsa-paid-rsa-to-make-flawed-crypt
o-algorithm-the-default/
RSA Post:
-http://blogs.rsa.com/news-media-2/rsa-response/
[Editor's Note (Ullrich): The Dual Elliptic Curve algorithm had some well-publicized flaws. I am not sure if it looks better for RSA to claim ignorance in this matter. Trust is lost either way.
(Pescatore): I hate to say it, but even if the Reuter's story is false, the RSA quote sounds nearly identical to Huawei's response when reports said Huawei put backdoors into its security products in response to Chinese government demands. Huawei had to invest in a product security testing center in the UK to allow the UK to determine if Huawei's products were safe to use in the UK telecoms system, NSA's activities may require US technology companies to make similar investments for overseas sales. ]

Legislators Seek Investigations of Target Breach (December 23, 2013)

US legislators are calling for investigations into the security breach of Target's in-store payment systems. Senator Richard Blumenthal (D-Connecticut) has asked the Federal Trade Commission (FTC) to launch an investigation; Blumenthal says he supports increasing the FTC's authority to impose penalties against organizations that suffer large data breaches. Senator Chuck Schumer (D-New York) has asked the US Consumer Financial Protection Bureau to investigate the breach.
-http://www.computerworld.com/s/article/9244962/Senators_call_on_FTC_to_investiga
te_Target_breach?taxonomyId=17
[Editor's Note (Henry): This is a much bigger issue, and absent completely irresponsible behavior on the part of Target, let's take a look at Congress and the larger problem. Congress has been busy drafting legislation...for more than five years. There are currently over 40 bills and resolutions with provisions relating to cyber security, yet none have been enacted. Despite the growing threat, it has been over a decade since Congress sent a major cyber bill to the President. Congress knows the risk and they love to talk about it, but they fail to act, and when yet ANOTHER company is breached they point at the victim and tell them it's their fault. Yes, let's blame the victim. If there was a neighborhood and all the homes were broken into by a street gang day after day after day, we'd all be looking at the mayor and the police, and we'd ask them what they were doing to stop it. If the mayor got on television and told the citizens "we're going to investigate YOU because you didn't do enough to stop this gang," we'd be outraged. Well, it's about time the citizens of this country were outraged.
(Pescatore): A breach of 40M customer accounts will have direct financial costs to Target on the order of $2B, which will swamp paying a few more lawyers to respond to Congressional inquiries. However, maybe the CEO of Target and its Board of Directors will elevate cybersecurity in corporate priority after having to do the "Walk of Shame" at a Congressional inquiry. ]

2014 National Defense Authorization Act Attempts to Address Cybersecurity Issues (December 20, 2013)

The newly-passed US 2014 National Defense Authorization Act increases funding for CyberCom (US military's Cyber Command) but the organization still lacks clarity about the rules of cyber engagement and is struggling with finding enough talented people. The bill also requires federal agencies to develop "intelligence, law enforcement, and financial sanctions" mechanisms to "suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense." Legislators are particularly concerned about zero-day vulnerabilities being sold on the black market. The bill also requires the administration to develop "principles for controlling the proliferation of cyberweapons that can lead to expanded cooperation and engagement with international partners." The bill does not, however, define "cyberweapon."
-http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/12/agencies-focus
-illegal-cyberweapons-trade-2014/75815/?oref=ng-HPtopstory
-http://www.politico.com/story/2013/12/pentagon-cybersecurity-role-101485.html
-http://www.politico.com/story/2013/12/senate-national-defense-authorization-act-
barack-obama-101364.html?hp=t3_3
[Editor's Note (Pescatore): Sounds like the DoD wants to give export controls yet another try, despite a nearly perfect track record of failure in the past.
(Ullrich): I am very concerned about the language restricting "trade in cyber tools..." (see above for full quote). Even with the disclaimer to allow their use for "self-defense" by the private sector, this looks like an attempt by the government to corner the market on "zero day" exploit for their own use. ]

---

************************** Sponsored Links: ******************************
1) Is the Perimeter Dead (or just Redefined)? Take the SANS Survey on End Point Intelligence and enter to win an iPad! http://www.sans.org/info/146690

2) Analyst Webcast: Smart buildings, Cars and Other Devices: New SANS Survey Reveals How Internet of Things Impacts IT Risk Management, Wednesday, January 15 at 1 PM EDT http://www.sans.org/info/146695
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Five Interviews Shed Light On What Is Going On Inside NSA (December 20, 2013)

The Lawfare Blog got access to five NSA senior officials in a project dubbed "Inside NSA: We Brought in a Recording Device So You Don't Have To." The final interview was released late last week. Each of the five interviews lasts nearly an hour. Because they are senior NSA officials, their positions are those you would expect from NSA, but they are (perhaps surprisingly) quite forthcoming in the discussions.
-http://www.lawfareblog.com/2013/12/lawfare-podcast-episode-56-inside-nsa-part-v-
an-interview-with-fran-fleisch-the-agencys-acting-deputy-director/

Card Data Stolen in Target Breach Appearing on Black Market Sites (December 20, 2013)

Payment card data stolen in the Target breach has begun appearing on black market Internet forums. The breach compromised as 40 million accounts. The attackers managed to steal the card numbers, expiration dates. Target is now saying that only magnetic strip data were compromised, which means the security codes, which are often used to authenticate online purchases, were not compromised. Data for cards issued by banks outside the US are fetching a higher price than those for US cards.
-http://krebsonsecurity.com/2013/12/non-us-cards-used-at-target-fetch-premium/
-http://news.cnet.com/8301-1009_3-57616201-83/target-data-stolen-in-hack-showing-
up-on-black-market/
-http://www.scmagazine.com/cards-pilfered-in-target-breach-for-sale-in-undergroun
d-markets/article/326793/

Browser Extension Circumvents Internet Filters (December 23, 2013)

A browser extension for Google Chrome help users get around the pornography-blocking filters that UK Internet service providers (ISPs) have been ordered to put in place. Last week, ISP BT announced that new customers will have the filters implemented by default, and that over the course of the next year, existing customers will be contacted and notified and given the option of activating the filters. The plan aims at protecting children from inappropriate content. However, the filters have already proven faulty, as they are allowing some pornography through while blocking websites that contain information about sex education and organizations that help abused women.
-http://www.wired.co.uk/news/archive/2013-12/23/go-away-cameron

CryptoLocker Gang Likely Amassing Millions (December 23, 2013)

The group responsible for the CryptoLocker ransomware is believed to have obtained nearly US $1 million in Bitcoins in just one day. CryptoLocker has infected an estimated 250,000 machines, and victims are being asked to pay an average of US $300.
-http://www.zdnet.com/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bi
tcoin-7000024579/
-http://www.techcentral.ie/cryptolocker-ransom-trojan-infected-250000-pcs-dell-se
cureworks-estimates/
-http://www.v3.co.uk/v3-uk/news/2320477/dell-catches-cryptolocker-ransomware-stea
ling-nearly-usd1m-in-bitcoins

ZeroAccess Botnet Group May be Surrendering Control (December 22, 2013)

Microsoft's Digital Crime Unit believes that the group behind the ZeroAccess botnet may be calling it quits on that particular endeavor. Earlier this month, Microsoft and its industry partners and law enforcement agencies in the US and Europe took control of several servers integral to ZeroAccess's operation. While the effort did not completely eradicate the botnet, it did disrupt the operation. An initial message sent to machines still infected with the malware after the takedown provided an update, but a more recent communication contained the string "WHITE FLAG," indicating that the group may have decided that resurrecting ZeroAccess might not be worth the effort.
-http://www.eweek.com/security/zeroaccess-crew-throws-up-white-flag-after-botnet-
takedown.html
[Editor's Note (Henry): If this is true, it highlights the value in making things more costly for the adversary. Disruption and dismantlement by Law Enforcement agencies can have an impact when lawfully and successfully executed. Though it may be short-term, this would be a reason for cautious optimism. ]

Adobe Warning of Fake License Key Delivery eMail (December 21, 2013)

Adobe has issued a warning about email messages claiming to be delivering license keys for a number of the company's products. The messages are not a phishing attack, but instead have ZIP file attachments that contain a Trojan horse program that can download additional malware from the Internet. Internet Storm Center:
-https://isc.sans.edu/diary/Adobe+phishing+underway/17261
-http://www.zdnet.com/adobe-warns-of-license-key-email-scam-7000024576/
-https://www.net-security.org/malware_news.php?id=2662
-http://blogs.adobe.com/psirt/2013/12/20/alert-adobe-license-key-email-scam/

Gaming Company Breach Affects Casinos in Four States (December 20, 2013)

Affinity Gaming, a Las Vegas-based casino company, said that a breach of its computer systems has compromised payment card information of customers at 11 casinos in four states. The breach affects people who used their cards at any of the affected facilities between March 14 and October 16, 2013. The affected casinos are in Nevada, Colorado, Iowa, and Missouri.
-http://abcnews.go.com/Technology/wireStory/affinity-casino-company-warns-data-br
eaches-21293510
-http://www.thedenverchannel.com/news/local-news/credit-card-cyberattack-hits-300
k-customers-in-central-city
[Editor's Note (Pescatore): Gambling revenue is enormous, and there were recent reports of a professional poker player having his laptop physically compromised in his hotel room at a poker tournament in Barcelona. Since so many casino games are now basically software driven, those games are prime targets for compromise, by developers, operators and external attackers. The state gaming agencies that certify the equipment will need to step up their testing rigor. ]

---

STORM CENTER TECH CORNER

DNS Amplification Attacks
-https://isc.sans.edu/forums/diary/Strange+DNS+Queries+-+Request+for+Packets/1726
4

OpenSSL Bug Prevented Use of Dual Elliptic Curve PRNG
-http://marc.info/?l=openssl-announce&m=138747119822324&w=2

Java Whitelisting Using AD Group Policies
-https://isc.sans.edu/forums/diary/How-To+s+for+the+Holidays+-+Java+Whitelisting+
using+AD+Group+Policy/17267

Passive Vulnerability Scanning with p0f and PVS
-https://isc.sans.edu/diary.html?storyid=17246

"Left over" authorized_keys Files Used to Gain Access to Removed Accounts
-https://isc.sans.edu/forums/diary/authorized+key+lime+pie/17255

Stolen Developer Keys More Frequently Used to Sign Malware
-http://blogs.technet.com/b/mmpc/archive/2013/12/15/be-a-real-security-pro-keep-y
our-private-keys-private.aspx

OpenX Ad Server SQL Injection 0-day Vulnerability Actively Exploited
-http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-s
ource-2-8-11-and-revive-adserver-3-0-1/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/