SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #49

June 21, 2013

TOP OF THE NEWS

US and Russia Will Establish Cybersecurity Hotline
Reforming the Computer Fraud and Abuse Act
Microsoft Announces Bug Bounty Programs With a Twist
Future Version of Firefox Will Block Most Tracking

THE REST OF THE WEEK'S NEWS

France Gives Google Three Months to Address User Data Privacy Concerns
US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation
Swedish Court Gives Warg Two-Year Sentence for Hacking
LinkedIn Outage Blamed on Human Error
Yahoo Plans to Recycle Dormant User IDs
India Moves To Increase Number of Government Cybersecurity Experts
Oracle Fixes 40 Vulnerabilities in Java
Google Challenges Constitutionality of Gag Orders Accompanying FISA National Security Orders

---

****************** SPONSORED BY White Hat Security **********************
ALERT: How Hackers Launch the Top Ten Web Attacks Every year the number and creativity of web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year. Learn about the latest and most insidious Web-based attacks researched and compiled from a panel of world-class web application security experts. http://www.sans.org/info/133422
***************************************************************************
TRAINING UPDATE

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.


--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 42 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:
http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials">http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials
http://www.sans.org/event/ipv6-summit-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


- -- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

US and Russia Will Establish Cybersecurity Hotline (June 17 & 20, 2013)

The US and Russia have agreed to communicate about cybersecurity issues to help reduce the risk of cyberconflict. Through real-time communication related to that used more than 25 years ago to address nuclear weapons concerns, the countries hope to avoid disasters caused by misunderstandings or lack of information. The countries plan to warn each other about cyber exercises that could be mistaken for aggressive action and to ask about cyber activity that could be perceived as threatening and that appears to emanate from the other country's cyberspace. They will also set up a hotline so that leaders can speak to each other directly if necessary.
-http://www.washingtonpost.com/world/national-security/us-and-russia-sign-pact-to
-create-communication-link-on-cyber-security/2013/06/17/ca57ea04-d788-11e2-9df4-
895344c13c30_story.html
-http://www.h-online.com/security/news/item/US-and-Russia-install-red-telephone-f
or-cyber-threats-1893196.html
-http://www.whitehouse.gov/the-press-office/2013/06/17/fact-sheet-us-russian-coop
eration-information-and-communications-technol
[Editor's Note (Pescatore): The US and Russia first discussed this back in 2011 and it is a good thing. There really are many similarities between the uneasy Cold War years with Mutually Assured Destruction as the stabilizing mechanism deterring the use of nuclear weapons by the major superpowers. But, and this is a gigantic but, governments had a monopoly on the funding and scientists needed to create nuclear weapons. That is *not* true of cyber weapons. The ways nations cooperate to fight crime, and the way businesses and people have to largely protect themselves against criminals is a much more apt analogy. ]

Reforming the Computer Fraud and Abuse Act (June 20, 2013)

US Representative Zoe Lofgren (D-California) and Senator Ron Wyden (D-Oregon) explain in detail why the country's Computer Fraud and Abuse Act (CFAA) needs to be changed and what they believe those changes should be.
-http://www.wired.com/opinion/2013/06/aarons-law-is-finally-here/
[Editor's Noyte (Pescatore): The CFAA was amended in 2008 but hasn't changed much since 1986. I think some of the proposed rewording will need work (requiring that someone "knowingly" circumvented access controls seems hard to prove) but in general the proposed changes are needed. ]

Microsoft Announces Bug Bounty Programs With a Twist (June 19, 2013)

Microsoft has joined Google and Mozilla in offering a bug bounty program. In fact, Microsoft is launching three bounty programs. The first is much like other companies' programs, but with a time constraint. For example, Microsoft plans to release Internet Explorer on June 26; the company will pay up to US $11,000, and in some cases even more, for critical flaws discovered by July 26. The second and third programs do not have established end dates. In those programs the Mitigation Bypass Bounty and the BlueHat Bonus for Defense, Microsoft will pay as much as US $100,000 for attacks that manage to get past Windows 8.1 anti-exploitation mechanisms. Microsoft will also pay US $50,000 for defense techniques for the exploit that are submitted at the same time. Mike Reavey, senior director with the Microsoft Security Response Center is hopeful that the new bug bounty programs will draw hackers away from the Pwn2Own hacking contest.
-http://www.reuters.com/article/2013/06/19/us-microsoft-bounties-idUSBRE95I1AZ201
30619
-http://arstechnica.com/security/2013/06/microsoft-will-pay-up-to-100k-for-new-wi
ndows-exploit-techniques/
-http://www.darkreading.com/vulnerability/microsoft-establishes-rewards-programs-
f/240156968

Future Version of Firefox Will Block Most Tracking (June 19, 2013)

Mozilla developers are moving ahead with plans to block tracking in future versions of Firefox. Advertisers are opposed to the changes because they say that tracking lets them deliver targeted advertisements that bring revenue to websites. Cookies would still be permitted if users give explicit permission for the website or when users visit a site regularly. The companies that will feel the change the most are those that track users' activity without their knowledge.
-http://www.washingtonpost.com/business/technology/firefox-browser-to-move-ahead-
with-do-not-track/2013/06/19/b0ad618c-d8f6-11e2-a9f2-42ee3912ae0e_story.html

---

*************************** Sponsored Links: ******************************
1) Analyst Webcast: Getting Hitched: Converging Endpoint and Network Data Analysis for Improved Visibility and Control, Featuring Jerry Shenk, Wednesday, July 10, 2013 at 1:00 PM EDT. http://www.sans.org/info/133427

2) Take the SANS survey on Security Intelligence and Analytics and enter to win an iPad! http://www.sans.org/info/133432

3) Analyst Webcast: Critical Security Controls Survey. Tuesday, June 25, 2013 at 1:00 PM EDT. http://www.sans.org/info/133437
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

France Gives Google Three Months to Address User Data Privacy Concerns (June 20, 2013)

French data privacy body, Commission Nationale de l'Informatique et des Libertes (CNIL), has given Google three months to implement changes to the way it collects and manages customer data. The commission found Google to be in violation of the French Data Protection Act. CNIL's June 10 decision lists the changes it expects from Google, including explaining to users how the data they collect will be used, and not retaining data beyond the time necessary for the purpose for which they were collected. If Google does not comply with the order, the company could face sanctions. Google is facing enforcement action over privacy practices in several other EU countries, including Spain and Germany.
-http://news.cnet.com/8301-1009_3-57590216-83/france-orders-google-to-change-its-
privacy-policies/
-http://www.theregister.co.uk/2013/06/20/cnil_gives_google_3_months_to_comply_wit
h_french_data_protection_act/
-http://www.computerworld.com/s/article/9240207/French_privacy_authority_gives_Go
ogle_3_months_to_change_its_ways?taxonomyId=17
[Editor's Note (Pescatore): 90 days is a long time! Google recently shortened to 7 days the time it will give software vendors before it discloses vulnerabilities in their products, so I'm sure that within a week Google will clear up these privacy violations... ]

US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation (June 20, 2013)

"Operation In Our Sites," an ongoing effort by US authorities to thwart intellectual property fraud, has seized more than 1,700 websites in the past three years. The offending sites offered illegally streamed sporting events; sold bogus apparel, accessories and counterfeit drugs; and allowed illegal downloads of music and movies. US authorities were able to seize the sites because the domains - .net, .com, and .org - are controlled by US entities.
-http://www.wired.com/threatlevel/2013/06/domains-seized/

Swedish Court Gives Warg Two-Year Sentence for Hacking (June 20, 2013)

A Swedish court has sentenced Gottfrid Svartholm Warg to two years in prison for hacking into computer systems at Logica, an IT company that provides tax services to the Swedish government, and Scandinavian bank Nordea, from which he made a fraudulent funds transfer. Warg was found guilty of data intrusions, attempted aggravated fraud, and aggravated fraud. An unnamed accomplice was found guilty as well. The court was unconvinced by arguments that someone else was remotely controlling the defendants' computers. Warg could be extradited to Denmark to face hacking charges there.
-http://www.theregister.co.uk/2013/06/20/pirate_bay_founder_warg_jailed_for_two_y
ears_for_hacking_and_fraud/
-http://www.computerworld.com/s/article/9240210/Pirate_Bay_co_founder_sentenced_t
o_two_years_in_prison_for_hacking?taxonomyId=17

LinkedIn Outage Blamed on Human Error (June 20 & 21, 2013)

More than half of LinkedIn users were unable to access their accounts for a number of hours late Wednesday evening and into early Thursday morning US Eastern time. People attempting to access the site were redirected to the wrong site. The company said that the issue resulted from "a problematic response to a DDOS incident by service provider Network Solutions." Earlier reports suggested that the outage was due to DNS hijacking.
-http://www.crn.com.au/News/347508,linkedin-denies-system-hack-confirms-ddos-inci
dent.aspx
-http://www.computerworld.com/s/article/9240212/LinkedIn_outage_prompts_security_
concerns?taxonomyId=17
-http://stats.pingdom.com/2o5z286xb2wl/19213/2013/06

Yahoo Plans to Recycle Dormant User IDs (June 19 & 20, 2013)

Yahoo plans to recycle Yahoo user IDs that have been inactive for a year or more. The company is aware of concerns about the old IDs falling into hands of people with malicious intents, but says it is going to "extraordinary lengths to ensure that nothing bad happens to our users." One concern that has been voiced is that is someone acquiring a Yahoo ID that is linked with someone's Gmail account could request a password reset for the Gmail account and take control of it. The same thing could potentially be done with social media and financial accounts. Yahoo released a statement noting that "any personal data and private content associated with these accounts will be deleted and will not be accessible to the account holder."
-http://news.cnet.com/8301-1009_3-57590202-83/yahoo-dont-fret-about-hack-attacks-
on-recycled-user-ids/
-http://www.wired.com/threatlevel/2013/06/yahoos-very-bad-idea/
[Editor's Note (Shpantzer): "Own the email, own the person," indeed:
-http://threatpost.com/own-email-own-person-082012/]

India Moves To Increase Number of Government Cybersecurity Experts (June 19, 2013)

Although India is a recognized "information technology superpower," the number of cybersecurity experts working in the country's government is a fraction of the number working in China, the US, and Russia. India has just 556 experts total in all government departments, a "grossly inadequate" figure. The US has more than 91,000 and China 125,000. India intends to increase the number of cybersecurity experts in government to 5,000.
-http://www.thehindu.com/todays-paper/an-it-superpower-india-has-just-556-cyber-s
ecurity-experts/article4828521.eces
-http://www.thehindu.com/todays-paper/tp-national/india-to-step-up-cyber-security
/article4828682.ece
[Editor's Note (Pescatore): Well, more cybersecurity expertise is better than less but I'm not sure where they got their numbers. For example, they say "Similarly, the U.S. has 91,080 experts in its cyber security workforce, of whom 88,169 are in the Department of Defense alone." That implies that there are only 3,000 cyber security experts in private industry in the US, which makes no sense.
(Paller): The DoD numbers are close to correct - approximately 100,000 people in DoD and the major defense contractors call themselves cybersecurity professionals. The military services and Cyber Command have discovered that very few of those professionals have the mission-critical, hands-on skills needed to protect the nation. They don't know how to do network traffic analysis or reverse engineering or deep forensics or counter-intelligence based script development or advanced penetration testing and exploitation. That's why you heard about U.S. Cyber Command's new technical skills recruiting program seeking 4,000 people. India is starting out on the right track with a national "train the trainer" program focused on developing hands-on cybersecurity skills. The first program is in Mumbai at the end of July (
-https://www.sans.org/event/mumbai-2013).
Those who do best in that training program and the associated certification exams can qualify to advance into a national teacher development program. ]

Oracle Fixes 40 Vulnerabilities in Java (June 18 & 19, 2013)

On Tuesday, June 18, Oracle issued a Critical Patch Update for Java 7 for Mac and for Windows. The update fixes 40 security issues and enables online certificate revocation checking by default. On the same day, Apple issued an updated version of Java 6 for OS X Snow Leopard, Lion, and Mountain Lion. Snow Leopard users cannot upgrade to Java 7.
-http://krebsonsecurity.com/2013/06/critical-update-plugs-40-security-holes-in-ja
va/
-http://www.scmagazine.com//oracle-releases-java-update-to-close-37-high-risk-vul
nerabilities/article/299264/
-http://www.computerworld.com/s/article/9240173/Java_7_Update_fixes_40_security_i
ssues_turns_on_certificate_revocation_check?taxonomyId=17
-http://www.computerworld.com/s/article/9240171/Apple_pours_OS_X_Snow_Leopard_ano
ther_Java_fix?taxonomyId=17

Google Challenges Constitutionality of Gag Orders Accompanying FISA National Security Orders (June 18, 2013)

Google has filed legal documents with the Foreign Intelligence Surveillance Court challenging the constitutionality of the gag orders that accompany FISA court orders. The legal challenge asserts that the orders tread on the Google's First Amendment rights. Google is asking to publish the number of requests for data it receives from the government as discrete categories. Google was the first company to publish data about National Security letters (NSLs) in its transparency reports. The government has granted permission for the number to be aggregated with the number of NSLs, but Google wants to list them separately.
-http://www.wired.com/threatlevel/2013/06/google-fisa-gag-orders/
-http://www.politico.com/story/2013/06/google-fisa-court-data-requests-92996.html
-http://www.pcworld.com/article/2042125/facebook-microsoft-disclose-fisa-requests
-sort-of.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/