SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #48
June 18, 2013
The largest Network Security training conference will be in Las Vegas in 90 days (http://www.sans.org/event/network-security-2013), but if you would like to get advanced security training sooner (in London, San Francisco, Virginia Beach, Boston or Denver) see the Training Update below.
Alan
TOP OF THE NEWS
Everybody Snoops
Everybody Snoops 2
Revising What We Know About PRISM
Companies Respond to Governments Rules for Disclosing Number of NSA FISA Requests
Snowden Took Files From NSA on a Thumb Drive
US Extradition of Snowden Will be Carefully Crafted
Microsoft Denies Reports it Shares Zero-Day Flaws with Government
THE REST OF THE WEEK'S NEWS
DHS Does Not Track Contractors' Security Training
Police Using Driver's License Photo Databases in Criminal Investigations
Swedish Court Approves Warg Extradition to Denmark
Critical Flaw in BlackBerry 10 OS
Texas Governor Signs Strict eMail Privacy Bill
Oracle to Issue Critical Patch Update to Address 40 Flaws in Java
************************** SPONSORED BY Bit9 ****************************
NEW Whitepaper: APT Confidential - Top Lessons Learned From Real Attacks. It's an unprecedented time of cyber attacks and information about attacker methods is difficult to obtain unless you are the victim, and let's face it, by then, it's too late. Learn what security analysts have to say about today's cyber attacks. http://www.sans.org/info/133232
***************************************************************************
TRAINING UPDATE
- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc
- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 42 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013
- -- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:
http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials
http://www.sans.org/event/ipv6-summit-2013
- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013
- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013
- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13 2013 SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013
- -- SANS Dubai 2013 Dubai, UAE October 26th - November 7th 2013
SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach. http://www.sans.org/event/dubai-2013
- -- Multi-week Live SANS training
http://www.sans.org/mentor/about Contact mentor@sans.org
- -- Looking for training in your own community?
http://www.sans.org/community/
- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/special Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Everybody Snoops (June 16 & 17, 2013)
According to The Guardian, the UK's Government Communications Headquarters (GCHQ) intelligence agency snooped on foreign delegates during the 2009 London G20 meetings. GCHQ allegedly intercepted email and monitored phone calls. It also allegedly set up Internet cafes at the meetings for delegate use and stole account login credentials that could be used to continue monitoring the targets after the meetings ended. The Guardian said that evidence of the snooping was included in documents leaked by Edward Snowden.
-http://www.guardian.co.uk/uk/2013/jun/16/gchq-intercepted-communications-g20-summits
-http://www.computerworld.com/s/article/9240107/U.K._spy_agency_reportedly_snooped_on_delegates_at_G20_meetings_in_09?taxonomyId=17
[Editor's Note (Murray): This is what governments do. What they can do, they must. Few citizens want to claim what is done in their name but they do not discourage it.]
Everybody Snoops 2 (June 13, 2013)
The Australian government is building a data storage facility outside Canberra, the country's capital, to allow intelligence agencies to manage a "data deluge" from the Internet and telecommunications networks. The state-of-the-art facility will support Australia's Defence Signals Directorate. Some of the information that Australian intelligence agencies receive comes from the US's PRISM data gathering program.
-http://www.canberratimes.com.au/it-pro/security-it/black-vault-for-a-deluge-of-secrets-20130612-2o48w.html
-http://www.bordermail.com.au/story/1569837/australia-gets-deluge-of-us-secret-data-prompting-a-new-data-facility/?cs=12
Revising What We Know About PRISM (June 14 & 16, 2013)
Initial reports about the NSA's PRISM surveillance program appear to have gotten the technical details of the program wrong. The stories reported that nine major US Internet companies knowingly allowed NSA access to information on their servers. While the information leak discloses the scope of the NSA's surveillance, the PRISM system described in a leaked PowerPoint presentation apparently helps automate the FBI and NSA requests for data; it does not allow those agencies unfettered access to the servers. PRISM is part of a much larger NSA data-grab, which has been known about for years, in which data are siphoned from the fiber optic cables through which they travel along the Internet's backbone. Traffic data are gathered as the traffic leaves and enters the US, and are routed to the NSA for analysis.
-http://www.zdnet.com/how-did-mainstream-media-get-the-nsa-prism-story-so-hopelessly-wrong-7000016822/
-http://bigstory.ap.org/article/secret-prism-success-even-bigger-data-seizure
Companies Respond to Government's Rules for Disclosing Number of NSA FISA Requests (June 14 & 15, 2013)
The US government has granted tech companies permission to disclose certain information about national security orders, which demand customer information. Last week, Google published an open letter to US officials asking that the company be permitted to release the information; several other companies published similar requests. The companies were granted permission to include the data in their transparency reports with certain restrictions, most notably requiring that the statistics be "aggregated with law enforcement requests from all other US local, state, and federal law enforcement agencies." Google has responded to the rules, saying that "lumping the two categories [NSLs and data requests made by the NSA under FISA] together would be a step back for users." Microsoft, Facebook, and Apple have published data.
-http://www.zdnet.com/u-s-government-loosens-gag-order-on-security-related-data-requests-7000016863/
-http://www.washingtonpost.com/business/technology/2013/06/14/61a6ff1e-d55c-11e2-a73e-826d299ff459_story.html
-http://www.computerworld.com/s/article/9240091/Apple_received_thousands_of_personal_data_requests_from_US?taxonomyId=17
Snowden Took Files From NSA on a Thumb Drive (June 13, 2013)
It appears that Edward Snowden used a thumb drive to sneak classified documents from NSA's network out of the office. The US Defense Department banned the use of flash drives in 2008 after DOD systems became infected with malware that was introduced through one of the pocket-sized devices. The ban was lifted, but another was imposed two years later, after Bradley Manning stole hundreds of thousands of government documents from classified networks with thumb drives and other removable storage devices. The December 2010 ban included removable media, but the bans are difficult to enforce. Exceptions are granted to people whose job responsibilities require their use. In his position as a system administrator, Snowden's use of a thumb drive would not have been perceived as suspicious.
-http://www.wired.com/threatlevel/2013/06/snowden-thumb-drive/
US Extradition of Snowden Will be Carefully Crafted (June 14, 2013)
US officials will pursue extradition of Edward Snowden from Hong Kong. Attorney General Eric Holder has said that Snowden's actions have damaged national security. What is making the extradition process tricky is striking the proper balance. Charges like espionage and treason carry possible sentences of life in prison or even the death penalty, considerations that could prompt Hong Kong to refuse the extradition request. But lighter charges, such as theft of government property and misuse of a government computer, carry significantly lighter penalties, which would not satisfy US authorities. Snowden's paths out of Hong Kong have recently diminished. The UK has told airlines worldwide to prevent Snowden from boarding flights to that country because he will be denied entry.
-http://www.cbsnews.com/8301-505263_162-57589330/john-miller-edward-snowden-extradition-could-take-months-years/
-http://www.v3.co.uk/v3-uk/news/2275100/prism-snowden-extradition-likely-as-us-attorney-general-vows-justice
Microsoft Denies Reports it Shares Zero-Day Flaws with Government (June 14, 2013)
Microsoft has denied claims that it shares information about vulnerabilities with the US government for use in gaining access to computers being used by terrorist organizations or military adversaries. The Bloomberg report, written by journalist Michael Riley, suggests that the government provides incentives in the form of threat information to obtain the vulnerability information. Microsoft has issued a statement clarifying several established programs through which it shares advance notice of vulnerabilities and patches. If governments are interested in obtaining zero-day vulnerabilities to exploit against adversaries, there are more effective avenues, such as companies whose business models rely on the sale of such information.
-http://www.h-online.com/security/news/item/Microsoft-denies-providing-US-government-with-vulnerabilities-1890696.html
-http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/
-http://www.nextgov.com/cybersecurity/2013/06/prism-20-new-phase-nsa-leaks/64964/?oref=ng-channelriver
Bloomberg Story:
-http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html
*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/133237
2) ALERT: How Hackers Launch the Top Ten Web Application Attacks and Best Practices for Mitigation http://www.sans.org/info/133242
3) SANS Analyst Webcast: Implementing Hardware Roots of Trust With Trusted Platform Modules http://www.sans.org/info/133247
*****************************************************************************
THE REST OF THE WEEK'S NEWS
DHS Does Not Track Contractors' Security Training (June 17, 2013)
A report from the Office of the Department of Homeland Security (DHS) inspector general says that the agency does not track the security training of contractors it hires to monitor security issues on government networks. (DHS has been responsible for computer security at all government agencies since 2010.) The findings relate specifically to contractors who support CyberScope, a system that receives data that provide information about the security posture of every federal agency's computers.
-http://www.nextgov.com/cybersecurity/2013/06/ig-dhs-does-not-track-security-training-system-administrator-contractors/64976/?oref=ng-HPriver
-http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-95_Jun13.pdf
Police Using Driver's License Photo Databases in Criminal Investigations (June 16, 2013)
Over the past several years, US states began collecting searchable photo ID databases for the purpose of thwarting driver's license fraud, but the information is increasingly being used by law enforcement to identify criminal suspects, accomplices, and in some cases, just bystanders related to investigations. The databases are required to be used only for "law enforcement purposes," criteria vague enough to suggest they can be used in a variety of situations. The information is used to develop investigative leads, not to make positive identification. Using facial recognition technology, law enforcement agents have mined the databases for information and caught serious criminals. The problem is, the driver's license photo databases are not criminal databases, but are being used as if they were. The state databases are becoming increasingly interconnected, which is giving law enforcement officers a de facto national identification system. The recent Supreme Court ruling allowing the collection of DNA samples from people who are arrested could just add to the amount of information that law enforcement will have at their fingertips. Thirty-seven US states use facial recognition technology in license registries. Twenty-six of those states permit law enforcement agents at the local, state, and federal levels to search their databases to help identify people relevant to their investigations.
-http://www.washingtonpost.com/business/technology/state-photo-id-databases-become-troves-for-police/2013/06/16/6f014bd4-ced5-11e2-8845-d970ccb04497_story.html
[Editor's Note (Murray): As compared to other biometrics, facial recognition has the advantage that laymen can do it as well as machines. Until recently machines were not fast enough even for authentication, much less recognition in an arbitrary population. No longer true. Google can match a face against any image in its database in seconds.]
Swedish Court Approves Warg Extradition to Denmark (June 17, 2013)
A Swedish court has approved extradition to Denmark for Gottfrid Svartholm Warg, a co-founder of The Pirate Bay who is currently in custody in Sweden awaiting the verdict in a trial in which he was accused of hacking into the computer system of a company that does contract work with the Swedish tax authority. The Danish charges allege that Warg and an unnamed co-defendant hacked into the Danish driver's license database and several other systems.
-http://arstechnica.com/tech-policy/2013/06/pirate-bay-co-founder-can-be-extradited-to-denmark-over-new-hacking-charges/
Critical Flaw in BlackBerry 10 OS (June 17, 2013)
BlackBerry has issued an advisory warning of a critical privilege escalation vulnerability in BlackBerry 10 OS. The flaw lies in the BlackBerry Protect application, which helps users find phones if they are lost, lock or delete the devices, reset the password, and back up and restore data. The vulnerability could be exploited to gain access to the device. The issue affects only the BlackBerry Z10 running versions of the OS prior to 10.0.10.648. BlackBerry Protect is off by default; users must activate the application. For an attack to be successful, users must also be convinced to install a malicious app.
-http://www.h-online.com/security/news/item/Critical-vulnerability-in-Blackberry-10-OS-1891338.html
-http://arstechnica.com/security/2013/06/blackberry-security-advisory-details-critical-bug-on-z10-phones/
Texas Governor Signs Strict eMail Privacy Bill (June 17, 2013)
Texas Governor Rick Perry has signed House Bill 2268 into law. The measure requires that law enforcement obtain a warrant before snooping on email. The law takes effect immediately. The law makes Texas the first state to have a law that is more stringent than the federal Electronic Communications Privacy Act (ECPA), which requires a warrant only for unopened email that is less than 180 days old.
-http://arstechnica.com/tech-policy/2013/06/texas-becomes-first-state-to-require-warrant-for-e-mail-snooping/
-http://www.courthousenews.com/2013/06/17/58582.htm
[Editor's Note (Murray): The Department of Justice will likely assert that ECPA trumps any state law. The Attorney General testified before a Congressional committee that what ECPA permits, he will do unless and until Congress changes the law.]
Oracle to Issue Critical Patch Update to Address 40 Flaws in Java (June 14 & 17, 2013)
On Tuesday, June 18, Oracle plans to release a Critical Patch Update for Java SE to fix 40 security issues. The flaws affect multiple versions of Java. All but three of the vulnerabilities are remotely exploitable without authentication.
-http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
-http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
-http://www.computerworld.com/s/article/9240061/Oracle_to_ship_40_security_fixes_for_Java_SE?taxonomyId=17
-http://www.scmagazine.com/the-new-update-for-java-will-close-40-security-vulnerabilities/article/299084/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/