SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #103

December 31, 2013

The top story at the end of 2013 could just as well have been the top story ten years ago. Federal chief information security officers continue to "admire the problem" by paying $250/hour consultants to write reports about vulnerabilities rather than paying them to fix the problem. Sadly most of the federal CISOs and more than 85% of the consultants lack sufficient technical skills to do the forensics and security engineering to find and fix the problems. Paying the wrong people to do the wrong job costs the U.S. taxpayer more than a billion dollars each year in wasted spending plus all the costs of cleaning up after the breaches. How about a 2014 New Years resolution to spend federal cybersecurity money usefully: either by ensuring all the sensitive data is encrypted (at rest and in transit) and/or the organization implements the Top 4 Controls on the way to implementing the 20 Critical Security Controls?

Alan

---

TOP OF THE NEWS

DOE Inspector General's Report Notes Lack of Patching as Contributing Factor to Breach

THE REST OF THE WEEK'S NEWS

Intruders Tried to Sell Access to Compromised BBC Server
NSA Tailored Access Operations Unit Provides Specialized Hacking Services
Companies Investigating Reports of NSA Backdoors in Their Products
Judge Rules NSA's Data Collection is Legal
NSA Data Gathering Cases Raise Question of Legal Precedent's Validity in the Digital Age
Target: PINs Were Stolen in Breach
Target Payment Processor Denies it Was Breached
Indian Authorities Arrest Three in Online Bank Account Theft
NatWest Suffers Another Cyber Attack
US Federal Election Commission Audit Finds Computer Security Issues Unaddressed

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Bit9 ******************************
When it comes to endpoint security, large organizations find themselves in a difficult situation. Most enterprises have host-based security software (antivirus software) installed on almost every PC and server, yet their IT assets are constantly attacked - and often compromised - by sophisticated malware and targeted attacks. Download this whitepaper to learn more. http://www.sans.org/info/147795

***************************************************************************
TRAINING UPDATE


--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 The nation's largest conference and training program on security of power, oil&gas and other industrial control systems. Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

DOE Inspector General's Report Notes Lack of Patching as Contributing Factor to Breach (December 27, 2013)

The US Department of Energy (DOE) system breached earlier this year was not kept current with patches. According to a report from the Office of Inspector General of DOE, "Critical security vulnerabilities in certain software supporting the management information system (MIS) application had not been patched or otherwise hardened for a number of years." Database administrators may be reluctant to apply patches because they can have the added effect of introducing "behavioral changes."
-http://www.darkreading.com/database/database-risks-increase-as-patch-frequen/240
164981
[Editor's Note (Northcutt): Well that is a new one, who would have ever guessed that failing to patch could lead to compromise:
-http://www.history.navy.mil/library/online/computerattack.htm
-http://www.sans.org/critical-security-controls/guidelines.php
-http://ist.mit.edu/security/patches]

---

************************** Sponsored Links: ******************************
1) Analyst Webcast: Smart buildings, Cars and Other Devices: New SANS Survey Reveals How Internet of Things Impacts IT Risk Management, Wednesday, January 15 at 1 PM EDT http://www.sans.org/info/147800

2) Is the Perimeter Dead (or just Redefined)? Take the SANS Survey on End Point Intelligence and enter to win an iPad! http://www.sans.org/info/147805
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Intruders Tried to Sell Access to Compromised BBC Server (December 30, 2013)

The BBC has acknowledged that an attacker gained access to one of its FTP servers. The intruder tried to sell access to the compromised server to other people. The BBC's security team has taken measures to secure the server.
-http://www.bbc.co.uk/news/technology-25547738
-http://www.theregister.co.uk/2013/12/30/bbc_ftp_server/
-http://www.reuters.com/article/2013/12/29/us-bbc-cyberattack-idUSBRE9BS06K201312
29
[Editor's Note (Murray): FTP is "historically broken" and should not be exposed to the Internet. ]

NSA Tailored Access Operations Unit Provides Specialized Hacking Services (December 29 & 30, 2013)

According to a story published in German magazine Der Spiegel, a special NSA unit has a "catalog" of hacking tools that can be used to infiltrate systems and individual computers, steal data, plant backdoors, impersonate GSM base stations to intercept mobile phone calls, and perform a multitude of other high-end cyberespionage tasks. The unit, known as the Office of Tailored Access Operations (TAO), also reportedly hijacks Microsoft's crash reporting system to help gain access to targeted machines.
-http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effor
t-to-spy-on-global-networks-a-940969.html
-http://www.wired.com/threatlevel/2013/12/nsa-hacking-catalogue/
-http://www.csmonitor.com/Innovation/Latest-News-Wires/2013/1229/Elite-team-of-NS
A-hackers-said-to-get-the-ungettable-with-Bond-style-tactics
-http://www.darkreading.com/privacy/nsa-elite-hacking-team-operations-expose/2401
65056
-http://www.computerworld.com/s/article/9245064/The_NSA_intercepts_computer_deliv
eries_to_plant_spyware?taxonomyId=17

Companies Investigating Reports of NSA Backdoors in Their Products (December 30, 2013)

Some technology companies whose products were named in the Der Spiegel article have denied allegations that they were complicit in the NSA's activity and are launching investigations. A spokesperson for Juniper Networks said that the company "is not aware of any so-called 'BIOS implants' in
[their ]
products and has not assisted any organization or individual in the creation of such implants."
-http://www.scmagazine.com/tech-companies-investigate-reports-of-nsa-backdoors-in
-products/article/327367/
[Editor's Note (Murray): While it is possible to design and build products in such a way that one can detect malicious additions, few are so designed and built. Demonstrating that there are no such malicious changes in products not designed and built for it will be expensive and less than satisfying. ]

Judge Rules NSA's Data Collection is Legal (December 27, 2013)

A federal judge in New York has ruled that the NSA's wholesale collection of phone call metadata is legal. US District Judge William Pauley said the data collection is allowed under Section 215 of the Patriot Act, because telecommunications companies collect the data. The ruling comes in a lawsuit brought by the American Civil Liberties Union (ACLU), which challenged the NSA's data collection program. In contrast, a ruling from another district judge earlier this month described the program as "likely unconstitutional."
-http://news.cnet.com/8301-1009_3-57616313-83/judge-nsa-phone-surveillance-is-leg
al-and-a-vital-tool/
-http://arstechnica.com/tech-policy/2013/12/ny-district-judge-rules-that-nsa-phon
e-surveillance-is-legal/
-http://www.theregister.co.uk/2013/12/27/slurp_away_nsa_mass_phone_data_collectio
n_is_legal_rules_federal_judge/
Ruling:
-https://www.aclu.org/sites/default/files/assets/order_granting_governments_motio
n_to_dismiss_and_denying_aclu_motion_for_preliminary_injunction.pdf

NSA Data Gathering Cases Raise Question of Legal Precedent's Validity in the Digital Age (December 27, 2013)

The two diametrically opposed opinions on the legality of the NSA's telephony metadata collection raise the question of whether a 34-year-old US Supreme Court ruling applies in the case. In 1979's Smith v. Maryland, US Supreme Court found that people do not have a "reasonable expectation of privacy" for information that they have voluntarily disclosed to a third party. Last week, US District Judge William Pauley ruled that the precedent does apply and that the NSA's data collection program is legal. However, several weeks ago, US District Judge Richard Leon wrote, "When do present-day circumstances ... become so thoroughly unlike those considered by the Supreme Court thirty-four years ago that a precedent like Smith does not apply? The answer ... is now."
-http://www.theatlantic.com/technology/archive/2013/12/when-does-technology-chang
e-enough-that-the-law-should-too/282683/

Target: PINs Were Stolen in Breach (December 27, 2013)

Target now admits that PINs were stolen during a security breach of its in-store payment systems that affected 40 million accounts, but says that the data are encrypted. The PINs are reportedly encrypted at the keypads with Triple DES encryption; Target does not store or even have access to the key necessary to decrypt the data.
-http://www.darkreading.com/attacks-breaches/pins-stolen-in-target-breach/2401650
38
-http://www.computerworld.com/s/article/9245053/Target_confirms_customer_PINs_wer
e_taken_in_breach_maintains_data_is_safe?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57616314-83/target-encrypted-pins-stolen-but-no
t-encryption-key/
-http://money.cnn.com/2013/12/27/technology/target-pin/index.html
-http://www.govinfosecurity.com/target-confirms-encrypted-pins-stolen-a-6323
[Editor's Note (Hoelzer): While normally proving that an attacker could never have had access to the key is adequate, a much more interesting question from the PCI/DSS front should be, 'Why were you storing the PIN data in the first place.' PIN data is among the few pieces of information that a merchant may never store under that standard.
(Murray): The cost of this breach to Target and the industry is estimated to be in the hundreds of millions. That would have gone a long way toward migrating to EMV. Ironically Target can process EMV and, with other large retailers, has been pushing the issuers to move to EMV. As long as the merchants bear the cost of PCI DSS and most of the cost of these breaches, this is not likely to happen. In the absence of legislation, the issuers will continue to drag their feet. ]

Target Payment Processor Denies it Was Breached (December 30, 2013)

First Data Corporation, a company that processes payments for Target, says that they "have no indication that
[their ]
systems were involved in any of the incidents reported by Target." Target has not provided details about the breach that affected payment cards used in its stores over an eighteen-day period in late November through mid-December.
-http://www.scmagazine.com/targets-payment-processor-denies-being-impacted-in-40m
-card-breach/article/327365/

Indian Authorities Arrest Three in Online Bank Account Theft (December 30, 2013)

Authorities in India have arrested three people for allegedly breaking into an online banking account and stealing funds from Hospitality Essentials, an event-management company. The thieves allegedly obtained account access credentials of one of the company's partners. They then allegedly used the information to steal Rs 10 lakh (US $16,181) from the account, transferring it to two accounts they had established elsewhere. By the time the company realized the money was gone, the stolen funds had been withdrawn from the other accounts. A fourth person believed to be the mastermind of the scheme is still at large.
-http://timesofindia.indiatimes.com/city/bhopal/Three-hackers-in-police-net-for-s
iphoning-Rs-10-lakh/articleshow/28137680.cms

NatWest Suffers Another Cyber Attack (December 28, 2013)

NatWest Bank in the UK was the target of a distributed denial-of-service (DDoS) attack that prevented customers from accessing their accounts online on Friday, December 27. The bank says the attack posed no risk to customers. NatWest has faced a series of technical problems this year. A similar attack earlier in December and a hardware problem in March 2013 also prevented customers from being able to access their accounts. A technical error in June lost payments, deposits, and cancelled transactions.
-http://www.mirror.co.uk/news/uk-news/natwest-online-banking-failure-cyber-attack
-2965486
-http://www.ibtimes.co.uk/natwest-bank-targeted-cyber-attack-1430405

US Federal Election Commission Audit Finds Computer Security Issues Unaddressed (December 30, 2013)

An audit report from the Office of Inspector General of the Federal Election Commission (FEC) says the agency has not taken steps to improve computer security. An intrusion in 2012 compromised a Commissioner's user account so that the attackers could use it to access confidential information. FEC has suffered two additional intrusions since August 2013. The audit report notes, "Failure to develop a strong IT security program places FEC at high risk of continued network intrusions."
-http://blogs.rollcall.com/moneyline/inspector-general-issues-harsh-report-on-fec
-computer-security/
Report:
-http://www.fec.gov/fecig/documents/FY2013FinancialStatementAuditReport.pdf

---

STORM CENTER TECH CORNER

OpenSSL Defaced
-http://www.openssl.org

Reflective DoS Attacks Using NTP
-https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

Hacking MicroSD Cards
-http://www.bunniestudios.com/blog/?p=3554

Feedburner Subdomain used to spread Malware
-http://research.zscaler.com/2013/12/infection-found-on-feedburnercom.html

Crontab Edits to Maintain Access to Compromised Linux Systems
-https://isc.sans.edu/diary/Unfriendly+crontab+additions/17282

Spam installs Malware Sending More Spam
-https://isc.sans.edu/diary/Mr+Jones+wants+you+to+appear+in+court%21/17279

Detecting Unprotected MSSQL Servers Using nmap
-https://isc.sans.edu/diary/Default+configuration+check+for+Microsoft+SQL+Server+
-+Taking+advantage+of+quiet+days+in+holidays/17288

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/