SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #51

June 28, 2013

TOP OF THE NEWS

Cybersecurity Training Is Missing the Target: Needs to Focus on Critical Technical Skills
Former NSA Official Says Anti-Leak Technology Not Deployed as of Summer 2012
Google Transparency Report Now Includes Safe Browsing Data

THE REST OF THE WEEK'S NEWS

Cyberattacks Hit Government Websites in South and North Korea
HP Will Issue Fix for Hidden Admin Account
Digital Certificate Stolen From Opera Network Used to Sign Malware
FISA Court Says Google and Microsoft May Disclose Procedural Information
Citadel Variant Uses Browser Injection and Localization
Carberp Code Leaked
Organizations are Not Doing Enough to Defend Themselves from Cybercrime
US $675,000 Filesharing Verdict Upheld

---

************************* SPONSORED BY SANS ****************************
NEW paper in the SANS Reading Room: "Implementing Hardware Roots of Trust," includes real case studies, best practices and standards on how to implement hardware security that is ubiquitous in most of today's organizations. http://www.sans.org/info/133687 Listen to the associated webcast: http://www.sans.org/info/133692
*************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/specials


Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.


For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Cybersecurity Training Is Missing the Target: Needs to Focus on Critical Technical Skills (June 26, 2013)

US government agencies' efforts to train and recruit cybersecurity specialists have not produced the numbers of skilled professionals necessary to adequately protect the country's critical networks. Some programs are focusing on training students in STEM, but there also needs to be training that focuses on real-world experience instead of academics and policy issues. The US Department of Homeland Security (DHS) is introducing rigorous programs like the National Collegiate Cyber Defense Competition which culminates in a national finals round. Defense Department cybersecurity training is continuously changing to meet new technologies and the evolving cyberspace. What is critical is that those providing the training have strong technical skills that match the needs of defending the country's networks.
-http://fcw.com/articles/2013/06/26/cybersecurity-training.aspx
[Editor's Note (Assante): It is long past due for a deeper description of "technical skills", if we can't define them then we can't cultivate them through practice. There are new concepts and tools becoming available that places students into real world situations and presents the flexibility to try to defend and attack systems. We need to marry these new approaches with a stronger understanding of the skills and abilities that have more enduring impact!
(Pescatore): I think we all know the difference between the typical college education (learn how to think) and our first hands on/on the job experience (learn how to do.) You need both but in information security the bigger lack is in the latter. ]

Former NSA Official Says Anti-Leak Technology Not Deployed as of Summer 2012 (June 27, 2013)

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning's alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system's features is to monitor removable data devices, like those allegedly used by Bradley and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director General Keith Alexander's plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that "the best safeguard would be locking down the content at the source."
-http://www.nextgov.com/cybersecurity/2013/06/nsa-networks-might-have-been-missin
g-anti-leak-technology/65708/

Google Transparency Report Now Includes Safe Browsing Data (June 25, 26, & 27, 2013)

Google is adding a Safe Browsing section to its Transparency Report. The new data will include information about sites that host malware or are being used for phishing, the warnings Google issues about those sites, and information on how long it takes the sites to remove the malware. As an example, during the first week of June, Google detected 37,000 legitimate sites that had been compromised to host malware and 4,000 sites that were created specifically to host malware. Earlier this year, it took websites an average of 50 days to clear themselves of reported malware.
-http://www.darkreading.com/vulnerability/google-now-sharing-web-security-data/24
0157304
-http://www.eweek.com/security/google-adds-malware-phishing-data-to-transparency-
report/
-http://news.cnet.com/8301-1009_3-57591008-83/google-hacked-sites-far-worse-than-
attack-sites/
-http://arstechnica.com/security/2013/06/vast-majority-of-malware-attacks-spawned
-from-legit-sites/
-http://www.h-online.com/security/news/item/Google-s-Transparency-Report-shows-ma
lware-spread-1897051.html
-http://www.scmagazine.com//google-opens-up-about-the-malware-alerts-it-sends-use
rs/article/300401/
-http://www.google.com/transparencyreport/safebrowsing/
[Editor's Note (Pescatore): To make "drive by web compromise" and "watering hole" attacks harder to launch... Actually, let me change that: to move "drive by web compromise" and "watering hole" attacks from today's trivial-to-launch status to at least difficult-to-launch, the overall state of web application security has to be improved. Google's data, and some publicity to create a "hall of shame" has potential to be used to increase the overall visibility of this problem to corporate management.
(Honan): This is a welcome move from Google. As someone who engages with businesses to alert them their sites have been compromised, I know how some are apathetic about the issue as they do not see it directly impacting on them. Google warning users will soon get the attention of such site owners as their visitor traffic drops. ]

---

*************************** Sponsored Links: ******************************
1) NEW paper in the SANS Reading Room: Results of the SANS Critical Security Controls Survey, featuring John Pescatore http://www.sans.org/info/133697 Listen to the associated Webcast: http://www.sans.org/info/133702

2) Digital Forensics Survey Results released during a July 18 webcast at 1 PM EDT. Register for the webcast and automatically sign up for a copy of the associated report. http://www.sans.org/info/133707

3) Another New Paper in the SANS reading room: SANS survey on Mobile Application Security: http://www.sans.org/info/133712 Associated webcast: http://www.sans.org/info/133717
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyberattacks Hit Government Websites in South and North Korea (June 25 & 26, 2013)

Government, media, and political websites in South Korea have come under attack. The attacks coincide with the anniversary of the start of the Korean War, which began on June 25, 1950. At least some of the attacks on South Korean websites appear to have been launched by a group known as DarkSeoul, which has been conducting such attacks against South Korea and the US since 2009. The recent attacks used malware known as PinkStats. Official websites in North Korea have also come under attack over the past few days.
-http://www.dailytelegraph.com.au/news/breaking-news/south-korea-issues-cyberatta
ck-alert/story-fni0xqlk-1226669528209
-http://www.bloomberg.com/news/2013-06-25/s-korea-president-s-websites-closed-for
-review.html
-http://news.cnet.com/8301-1009_3-57590887-83/south-korean-web-sites-hit-by-hacke
rs/
-http://www.computerworld.com/s/article/9240376/Chinese_malware_attack_affected_d
ozens_of_South_Korean_organizations_researchers_say?taxonomyId=17
-http://www.computerworld.com/s/article/9240394/South_Korean_cyberattacks_linked_
to_known_gang?taxonomyId=17
-http://www.theregister.co.uk/2013/06/25/korean_war_anniversary_ddos_attacks/

HP Will Issue Fix for Hidden Admin Account (June 25 & 26, 2013)

HP says it will issue a fix for a security issue in an undisclosed, hidden administrative account on some of its StoreOnce enterprise storage systems. The issue appears not to affect StoreOnce systems running current software, which is version 3.0. The fix for the vulnerability is scheduled to be made available on July 7. Until then, users can contact HP support to get help manually disabling the backdoor.
-http://www.theregister.co.uk/2013/06/26/storeonce_hp_issues_patch/
-http://www.zdnet.com/hp-enterprise-storage-systems-suffer-secret-admin-account-f
law-7000017355/s
-http://www.crn.com/news/storage/240157434/hp-issues-storeonce-security-bulletin-
after-blogger-finds-problem.htm
-http://www.h-online.com/security/news/item/Backdoor-in-HP-backup-servers-1896120
.html
[Editor's Note (Ullrich): Until then: Good luck valued HP customers! The hash of the password has been leaked, and may easily be "broken" using l33t tools like Google. Hidden backdoor accounts are unacceptable but common. (Northcutt): Backdoors have never been a good idea.
-http://www.md5decrypter.co.uk/sha1-decrypt.aspx
-http://crackstation.net
-http://www.zdnet.com/blog/ou/putting-the-cracking-of-sha-1-in-perspective/409]

Digital Certificate Stolen From Opera Network Used to Sign Malware (June 26 & 27, 2013)

Hackers managed to gain access to the internal network at Opera Software and steal at least one digital certificate that has since been used to sign malware. The malware may have affected several thousand people who were running the Opera browser on Windows for a 26-minute period on June 19.
-http://www.zdnet.com/opera-code-signing-certificate-abused-in-failed-breach-7000
017361/
-http://www.scmagazine.com//maker-of-opera-browser-said-its-network-was-hacked-to
-steal-code-signing-certificate/article/300580/
[Editor's Note (Ullrich): The key fact to understand here is that the Opera update server was compromised and used to distribute malware signed with a genuine Opera certificate. Opera's update check runs automatically without any user interaction, so users updating during the 6 minutes the malware was pushed are unlikely to be aware that they got infected.
(Pescatore): In their blog post on this event, the bad news is that this caused a compromise of the Opera auto-update mechanism, subverting that to allow the attacker to install any malicious payload. The good news is that Opera says only impacts those who were using Opera between 01.00 and 01.36 UTC on June 19th. The really bad news is that the attack worked even though the stolen code signing certificate was expired. Opera says they depend on the operating system to check certificate validity, but "in the future it would certainly be possible to run our own checks on the certificate of downloaded autoupdates.." Please do!! And to the Certificate Authority/ Browser Forum recently formed Code Signing Working Group: please all agree to do so!! ]

FISA Court Says Google and Microsoft May Disclose Procedural Information (June 26 & 27, 2013)

The US Foreign Intelligence Surveillance Court has granted Microsoft and Google the right to disclose "procedural information" related to their legal challenges of gag orders that accompany national security requests. These orders prohibit the companies from disclosing details about the data they provide to the government. The companies want to clear their names of allegations that they gave the NSA unfettered access to their servers. Both companies say they provide data only when they receive a legal request supported by a court order.
-http://www.theregister.co.uk/2013/06/27/google_microsoft_fisa/
-http://www.politico.com/story/2013/06/microsoft-fisa-petition-nsa-prism-93475.ht
ml?hp=l9
-http://news.cnet.com/8301-13578_3-57591258-38/secret-court-lifts-veil-slightly-o
n-google-microsoft-lawsuits/

Citadel Variant Uses Browser Injection and Localization (June 27, 2013)

A recently detected variant of Citadel malware can modify or replace web pages visited by users whose computers are infected. The malware displays a message telling the users that their accounts have been blocked because of suspicious activity. Users are then promoted to enter access credentials and credit card information to confirm that they are the legitimate account holders. The URL that appears in the browser bar is that of the real website. This variant of Citadel is targeting users in France, Spain, Italy, and Germany.
-http://www.computerworld.com/s/article/9240407/Citadel_malware_targets_localized
_brands_and_users?taxonomyId=17

Carberp Code Leaked (June 26 & 27, 2013)

The leak of the code for Carberp, a kit that helps create botnets, raises concerns that new variants will start to spread. Carberp has been used in online banking theft schemes that have cost banks US $250 million. While the code's availability to potential cybercriminals is worrisome, it also gives security specialists insight into its operations.
-http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears/
-http://www.darkreading.com/endpoint/carberp-source-code-leak-likely-to-spawn/240
157400

Organizations are Not Doing Enough to Defend Themselves from Cybercrime (June 26, 2013)

According to the 2013 State of Cybercrime Survey from PwC, "Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective." Current defenses against cyberattacks are not effective because executives either do not understand the scope and import of the threats, or they have stopped paying attention. Many leaders are unaware of who in their organizations is responsible for cybersecurity. They also "underestimate the capabilities of their attackers and the damage they can cause." The leaders also appear not to understand that, while using smart cloud services and other technological advances may help productivity, they introduce their own vulnerabilities.
-http://www.csoonline.com/article/735511/why-business-is-losing-the-war-against-c
ybercrime?source=CSONLE_nlt_update_2013-06-27
-http://www.pwc.com/us/en/press-releases/2013/cybercrime-threats-continue.jhtml
[Editor's Note (Pescatore): I know we would all like to believe that they are "misjudging the severity of risks they face from a financial, reputational, and regulatory perspective" and certainly many are. But the vast majority actually really do weigh those risks, and find the costs of dealing with those risks from a business disruption and budget point of view are actually higher than their anticipated cost of the incident costs they see from *not* funding and deploying mitigation - and they are quite often right. Risk management is *not* making sure you have no cyber risks!! Risk management done right will often take risks when the alternative is worse than avoiding the risk - that is why many battles are won and many new business initiatives succeed, even though many fail. The real leaps forward are not made by convincing management about threat risk, they are made by showing them solutions to the risks that are less disruptive and less expensive to the business than enduring the breach. ]

US $675,000 Filesharing Verdict Upheld (June 26, 2013)

The US Court of Appeals for the First Circuit has ruled that a US $675,000 verdict against Joel Tenenbaum for filesharing is justified. In the ruling, the court wrote that although Sony was suing him for just 30 songs, Tenenbaum appears to have made many more songs than that available for sharing. In addition, "During discovery, Tenenbaum lied about his activities ... . Only at trial did
[he ]
admit that he had distributed as many as five thousand songs."
-http://arstechnica.com/tech-policy/2013/06/appeals-court-upholds-675000-verdict-
for-song-downloads/
-https://www.documentcloud.org/documents/717553-12-2146p-01a.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/