SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #46
June 11, 2013
TOP OF THE NEWS
US Presidential Directive Orders List of Potential Cyberattack Targets
Sophisticated Trojan Targets Android Devices
THE REST OF THE WEEK'S NEWS
Microsoft's Citadel Takedown Affects Researchers' Sinkhole Servers
First Lawsuit Filed Over NSA's Surveillance of Verizon Data
ACLU Asks FISA Court to Disclose Opinion On Constitutionality of Section 215 of Patriot Act
NSA Whistleblower Edward Snowden
Verizon and PRISM Defended
Internet Company Executives Deny Participation in PRISM
Israel is Doing a Great Job of Training Cybersecurity Experts
Warg Faces Hacking Charges in Denmark
****************** SPONSORED BY Blue Coat Systems, Inc. *****************
IDC Security Infographic sponsored by Blue Coat If it's your job to protect your company and its workforce from security threats, you know this better than anyone: the risks are real. But there's a new side of security emerging. Security isn't only about prevention. It's also about empowerment.
View the IDC Infographic here: http://www.sans.org/info/132477
***************************************************************************
TRAINING UPDATE
-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Houston, TX (June 10-June 15)
http://www.sans.org/event/scada-training-houston-2013
--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc
-- SANSFIRE 2013 Washington, DC June 14-22, 2013 43 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013
-- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:
http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials
http://www.sans.org/event/ipv6-summit-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013
-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2-day Securing The Human course.
http://www.sans.org/event/london-summer-2013
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13 2013 SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013
-- SANS Dubai 2013 Dubai, UAE October 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013
-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/discounts.php#current
Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
US Presidential Directive Orders List of Potential Cyberattack Targets (June 7, 2013)
According to a secret US government document obtained by UK newspaper The Guardian, President Obama ordered national security officials to compile a list of potential cyberattack targets. The order was made in Presidential Policy Directive 20, which is dated October 2012 but was never published.
-http://news.cnet.com/8301-1009_3-57588291-83/revealed-u.s-compiled-secret-cybertargets-list/
-http://www.wired.com/threatlevel/2013/06/presidential-cyber-targets/
-http://www.theatlanticwire.com/politics/2013/06/obamas-cyberwar-target-list-china-xi/66022/
[Editor's Note (McBride): Targeting is not often understood by the organizations that possess, own, and operate high value assets. Taking time to walk through state-sponsored targeting processes might help organizations understand why standard security approaches have not been effective against sophisticated threat actors. ]
Sophisticated Trojan Targets Android Devices (June 7 & 10, 2013)
Researchers have discovered a sophisticated Trojan horse program that targets Android devices. The Trojan, known as Obad, exploits two previously unknown flaws in the Android mobile platform and a third vulnerability in other software. Obad sends text messages to premium-rate numbers, racking up charges on phone owners' bills, and it downloads additional malware onto infected phones. The two Android vulnerabilities help Obad evade detection and resist removal from infected phones. Obad uses Bluetooth and Wi-Fi to infect other devices.
-http://www.scmagazine.com/researchers-claim-theyve-discovered-the-most-advanced-android-trojan-yet/article/296703/
-http://www.h-online.com/security/news/item/Sophisticated-Android-Trojan-identified-1885824.html
-http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/
-http://www.theregister.co.uk/2013/06/07/android_obad_trojan/
*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/132482
2) ALERT: 2013 Website Attack Report- Webinar: Top 10 Vulnerabilities- Data Correlated from Thousands of Websites. http://www.sans.org/info/132487
3) Take the SANS survey on Security Intelligence and Analytics and enter to win an iPad! http://www.sans.org/info/132492
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft's Citadel Takedown Affects Researchers' Sinkhole Servers (June 10, 2013)
When Microsoft seized thousands of domain names associated with the Citadel botnet, it also took down some domains that had already been sinkholed by researchers. Those researchers were gathering information about the malware so they could figure out the best way to tackle the botnet. The information was also used to inform the owners of compromised computers and help them clear their machines of the infection. This is not the first time that a Microsoft botnet takedown has disrupted researchers' efforts. During a ZeuS takedown effort, several hundred domain names that researchers had sinkholed were also seized. Microsoft has said that it is difficult to distinguish between domains under the control of criminals and those under the control of researchers.
-http://www.networkworld.com/news/2013/061013-microsoft-researcher-citadel-botnet-270657.html
-http://www.theregister.co.uk/2013/06/10/citadel_botnet_takedown_own_goal_by_microsoft/
[Editor's Note (Henry): Deterring illegal adversary activity through dismantlement of their infrastructure is another way to mitigate the threat. The effort described here appears to be an operation with benevolent intentions that had some minor collateral damage. We often talk about the need for good communication and actionable-intelligence sharing between the government and the private sector. This demonstrates the need for similar communication private sector-to-private sector, so efforts are coordinated for maximum impact. A consortium of like-minded experts focused on a specific threat - botnets, in this case - would help to ease unintended consequences. ]
First Lawsuit Filed Over NSA's Surveillance of Verizon Data (June 10, 2013)
A lawsuit has been filed against Verizon, the NSA, President Barack Obama, Attorney General Eric Holder and others over the constitutionality of the NSA's wide surveillance program, which was disclosed late last week. The lawsuit alleges that the surveillance program violates the US Constitution as well as a number of federal laws.
-http://www.wired.com/threatlevel/2013/06/nsa-phone-lawsuit/
ACLU Asks FISA Court to Disclose Opinion On Constitutionality of Section 215 of Patriot Act (June 10, 2013)
The American Civil Liberties Union (ACLU) has filed a motion asking that the Foreign Intelligence Surveillance (FISA) Court "unseal its opinions evaluating the meaning, scope, and constitutionality of Section 215 of the Patriot Act." That section allows the court to issue national security letters (NSLs) at the request of the government, which has to demonstrate only that the information sought is relevant to an "authorized investigation." Senators Mark Udall (D-Colorado) and Ron Wyden (D-Oregon) last year wrote to Attorney General Holder requesting the declassification of the secret court ruling allowing the broader surveillance powers.
-http://www.wired.com/threatlevel/2013/06/nsa-dragnet-legalities/
-http://www.aclu.org/files/assets/fisc_unsealing_motion.pdf
NSA Whistleblower Edward Snowden (June 8, 9 & 10, 2013)
Edward Snowden, who leaked the information about the NSA's data gathering practices, is currently in Hong Kong. Snowden is a former CIA technical assistant and more recently worked as a contractor for the NSA through Booz Allen Hamilton. One of the Guardian journalists who originally reported the story said that Snowden is hoping to obtain asylum in Iceland because of the way that country dealt with WikiLeaks. Icelandic law requires that asylum applications be made from within the country. Snowden told The Guardian that "the government has granted itself power it is not entitled to. There is no public oversight." He also said that he "do[es] not expect to see home again."
-http://www.cnn.com/2013/06/10/politics/nsa-leak/index.html?hpt=te_r1
-http://arstechnica.com/tech-policy/2013/06/whistleblower-who-exposed-nsa-mass-surveillance-revealed-by-the-guardian/
-http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
Interview with Snowden:
-http://www.guardian.co.uk/world/2013/jun/09/nsa-whistleblower-edward-snowden-why
Verizon and PRISM Defended (June 8 & 10, 2013)
President Obama said that the program gathering data from Verizon is legal and that "nobody is listening to your telephone calls." As for PRISM, President Obama said that the Internet and email information gathered "does not apply to people living in the United States." Director of National Intelligence James R. Clapper said that "the information acquired [through the Verizon order] does not include the content of any communications or the identity of any subscriber." Clapper also noted that the programs were reviewed by a court and were found to be legal. While some US lawmakers have decried the broad information gathering conducted by the government on its own citizens, many others appear reluctant to make changes to the current laws that allow the harvesting of information from Verizon and nine Internet companies. Legislators from both parties noted the benefits of the program.
-http://www.nextgov.com/defense/2013/06/administration-declassifies-information-defend-citizen-spying-programs/64448/?oref=ng-HPtopstory
-http://www.csoonline.com/article/734593/u.s.-intelligence-chief-defends-surveillance-programs?source=CSONLE_nlt_newswatch_2013-06-07
-http://www.nextgov.com/big-data/2013/06/governments-data-grabs-are-unlikely-prompt-legislative-action/64544/?oref=ng-HPtopstory
-http://www.informationweek.com/security/privacy/obama-defends-nsa-prism-google-denies-ba/240156275
-http://www.zdnet.com/nsa-problem-is-the-secrecy-not-the-program-7000016609/
[Editor's Note (Honan): While PRISM "does not apply to people living in the United States," it does apply to those living outside the United States. In Europe this has raised great concerns regarding the threat to the privacy of European citizens. Viviane Reding, the justice commissioner of the European Commission, will be raising these concerns at a meeting with the US Attorney General, Eric Holder, this week in Dublin.
-http://www.guardian.co.uk/world/2013/jun/10/prism-european-commissions-privacy-guarantees?CMP=twt_gu]
Internet Company Executives Deny Participation in PRISM (June 7, 2013)
Executives at Google, Facebook, and seven other companies identified as participating in an NSA surveillance program known as PRISM have denied that they allow intelligence officials direct access to their servers and user data. The companies have denied knowledge of PRISM, although it is likely that the program would have been referred to differently in that circle. There is speculation that the companies' statements have been carefully scripted; many use similar language, including a denial that the government has "direct access" to the data.
-http://www.washingtonpost.com/business/technology/silicon-valley-firms-deny-giving-government-broad-access-to-data/2013/06/07/7e924a18-cf9c-11e2-9f1a-1a7cdee20287_story.html
-http://www.theatlanticwire.com/politics/2013/06/washington-post-nsa-backtrack-denials/65998/
-http://www.wired.com/threatlevel/2013/06/prism-google-facebook/
-http://www.computerworld.com/s/article/9239922/Larry_Page_US_government_has_no_access_to_information_on_Google_servers?taxonomyId=17
Israel is Doing a Great Job of Training Cybersecurity Experts (June 9, 2013)
Israel has had great success in developing a corps of cybersecurity experts who can write and modify code, identify vulnerabilities, and infiltrate and navigate within others' networks without being detected. The skill level per capita is the highest in the world. Israel's efforts to identify and train people with talent in the cybersecurity arena have been successful because they have focused on honing people's technical skills. The country has increased its focus on math and science in schools and has held cybersecurity competitions. Israel has also worked to integrate academia, the IT industry, and the military to focus on cybersecurity. Organizations that are part of Israel's critical infrastructure are required to protect their systems from cyber attacks.
-http://www.csmonitor.com/World/Middle-East/2013/0609/Israel-accelerates-cybersecurity-know-how-as-early-as-10th-grade
Warg Faces Hacking Charges in Denmark (June 7, 2013)
Gottfrid Svartholm Warg has been accused of working with a Danish individual to hack into several databases containing sensitive information, including a database of European missing people and wanted criminal suspects. Warg, a co-founder of The Pirate Bay, is awaiting the outcome of a trial in Sweden in which he was accused of hacking into a database belonging to IT Logica and trying to conduct fraudulent funds transfers from accounts at Nordea Bank.
-http://www.theregister.co.uk/2013/06/07/pirate_bay_founder_named_as_suspect_in_paneuropean_police_database_hack/
-http://www.bbc.co.uk/news/technology-22812394
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/