SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #57
July 19, 2013
SANS Network Security is in Las Vegas in September with 50 courses, but you may attend 32 of those courses in San Francisco, Boston, Virginia Beach and Washington even before Network Security. See training section below.
TOP OF THE NEWS
Cybersecurity Moved From 12th to 3rd Place on Lloyd's Risk Index List
Australian Signals Directorate Releases Guide for Implementing Top Four Strategies
Study Says Half of World's Financial Institutions Experienced Cyberattacks Last Year
THE REST OF THE WEEK'S NEWS
Hackers Hit NASDAQ Community Site
Apple and Samsung Smartphone Antitheft Technologies to be Tested
Ransomware Targets Computers Running OS X
Network Solutions Hit With DDoS Attack
US Financial Services Companies Participate in Cyberattack Drill
Pentagon Defends Decision Not to Test Mobile Security Management Products Before Signing Contract
Microsoft Asserts its Right to Disclose National Security Requests and Denies Giving NSA Unfettered Access to eMail
Apps in Google Play Store Contain Code That Exploits Master Key Vulnerability
Oracle's Quarterly Critical Patch Update
*************************** SPONSORED By Bit9 ***************************
eBook: Detecting and Stopping Advanced Attacks. Every enterprise has high-value information that is vital to its success. As cyber-attack techniques become more sophisticated your "digital gold" is increasingly vulnerable. Today's cyber threats have changed in sophistication, in focus, and in their potential impact on your business. Download this eBook to learn more http://www.sans.org/info/135487
***************************************************************************
TRAINING UPDATE
- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
- --Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc
- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013
- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013
- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013
- -- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013
- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013
- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013
- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- -- Looking for training in your own community?
http://www.sans.org/community/
- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Bangkok, Melbourne, Bangalore, and Baltimore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Cybersecurity Moved From 12th to 3rd Place on Lloyd's Risk Index List (July 2013)
Lloyd's Risk Index 2013 places cybersecurity near the top of the list of risk factors faced by businesses. Risk of cyber incidents was ranked twelfth in the 2011 Index and has moved, in three years, to third, following only high taxation and loss of customers. Cyber issues top the list of political, crime, and security risks. This may be attributable to increased politically and ideologically motivated attacks and the increased cost associated with attacks. The report questions whether organizations "are spending money on the right things" to effectively address cybersecurity, and posits that spending money on security measures and making sure that security recommendations are implemented might be a better investment than purchasing insurance policies that cover cyberattacks. An April 2013 report from the Insurance Information Institute suggests that about two-thirds of cyber incidents are due to issues within organizations' control.
-http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index
-http://www.lloyds.com/lloyds/press-centre/press-releases/2013/07/tax-at-the-top-of-global-business-concerns
-http://www.lloyds.com/~/media/Files/News%20and%20Insight/Risk%20Insight/Risk%20Index%202013/Report/Lloyds%20Risk%20Index%202013report100713.pdf
[Editor's Note (Pescatore): While the cyber risk section is already a nice advertisement for the Critical Security Controls, I think Lloyds actually underestimated the percentage of cyber incidents due to issues within organizations' control. They cite 37% of breaches as caused by malicious attack, but didn't look at how many of the breaches could have been avoided by well-known and easily implemented security controls - that would have brought the 63% easily avoidable up to between 80-90%. By the way, it is always humorous to see people pointing to insurance as the ultimate solution to security problems, when the insurance industry consistently points right back to security programs needing to get better.
(Assante): The jump is well deserved as the number of attacks grow and a few non-financial motivated incidents illuminate the potential for more severe consequences. The insurance industry will more uniformly shape how businesses think about cyber risk than "lite" Government policy. We might still be short on data, but their conclusion that organizations may not be investing in the right mix of things is hard to refute.
(Honan): I wonder how long it will be before insurance companies demand customers implement basic security controls, such as those outlined in the piece "Australian Signals Directorate Releases Guide for Implementing Top Four Strategies" before providing insurance coverage? ]
Australian Signals Directorate Releases Guide for Implementing Top Four Strategies (July 18, 2013)
As of October 2012, Australia's Protective Security Policy Framework requires all government agencies to adopt the Australian Signals Directorate's (ASD's) Top Four Strategies. Earlier this month, ASD released a technical guide that agencies can use to help deploy the strategies on their systems. ASD says that when properly employed, the strategies - application whitelisting, patching applications, patching operating systems, and minimizing administrative privileges - will "mitigate at least 85 percent of all intrusions that it sees via the Cyber Security Operations Centre."
-http://www.zdnet.com/au/asd-shows-government-how-to-do-security-right-7000018231/
Top Four Strategies Guide:
-http://www.dsd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm
[Editor's Note (Murray): Well, "Application Whitelisting," that is, a restrictive policy about what application code can run, is a very powerful control which hardly anyone employs. Moreover, most users will run almost any code that they are asked to if it appeals to greed, lust, fear, sloth, curiosity, or even humor. As MJR likes to say, "Dancing pigs trump security every time."
(Paller): Bill Murray is generally correct about the difficulty of gaining adherence using hash-based application white listing, but the U.S. NSA has pioneered location-based white listing that is catching on very fast across the Department of Defense because it is convenient as well as effective. ]
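As an added illustration of the whitelisting trade-off discussed above (this is not code from ASD's guide or from the article; all paths, file contents and digests are constructed), the small policy evaluator below contrasts a hash-based rule with a location-based rule and shows why the location rule depends on the trusted directory not being writable by ordinary users, which is where the "minimize administrative privileges" strategy comes in.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed allowlist of SHA-256 digests (hash-based rule). Every patch of an
# approved program changes its digest, so this list needs constant upkeep.
HASH_ALLOWLIST = set()

# Constructed trusted directories (location-based rule). Anything under them may
# run, but only if unprivileged users cannot write there.
TRUSTED_DIRS = []


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def world_writable(directory):
    """True if 'other' users may create files here (POSIX permission bits)."""
    return bool(directory.stat().st_mode & stat.S_IWOTH)


def allowed_by_location(path):
    """Resolve symlinks first, then require the real file to sit under a trusted
    directory; refuse the rule outright if that directory is world-writable,
    because any file dropped there would inherit the allow decision."""
    real = path.resolve()
    for trusted in TRUSTED_DIRS:
        t = trusted.resolve()
        if real == t or t in real.parents:
            return not world_writable(t)
    return False


def decide(path):
    """Policy order: exact hash match first, then location rule, else deny."""
    if sha256_of(path) in HASH_ALLOWLIST:
        return "allow:hash"
    if allowed_by_location(path):
        return "allow:location"
    return "deny"


def demo():
    """Lay out a constructed filesystem and return the decision for each case."""
    root = Path(tempfile.mkdtemp())
    prog = root / "Program Files"; prog.mkdir(); prog.chmod(0o755)    # admin-only
    public = root / "Public"; public.mkdir(); public.chmod(0o777)     # anyone may write
    home = root / "home"; home.mkdir()
    approved = prog / "approved.exe"; approved.write_bytes(b"approved v1")
    patched = prog / "patched.exe"; patched.write_bytes(b"approved v2")
    copied = home / "copy.exe"; copied.write_bytes(b"approved v1")
    unknown = home / "unknown.exe"; unknown.write_bytes(b"unknown")
    dropped = public / "dropped.exe"; dropped.write_bytes(b"unknown")
    link = prog / "link.exe"; link.symlink_to(unknown)
    HASH_ALLOWLIST.clear(); HASH_ALLOWLIST.add(sha256_of(approved))
    TRUSTED_DIRS[:] = [prog, public]
    return {
        "approved_in_program_files": decide(approved),              # allow:hash
        "same_bytes_copied_to_home": decide(copied),                # allow:hash (hash ignores location)
        "patched_in_program_files": decide(patched),                # allow:location (stale hash, trusted path)
        "unknown_in_home": decide(unknown),                         # deny
        "unknown_in_world_writable_trusted_dir": decide(dropped),   # deny (rule refused)
        "symlink_in_program_files_to_home": decide(link),           # deny (resolved target untrusted)
    }
```

The "patched" case is the convenience Paller refers to: a location rule keeps working after an update, while a hash rule must be reissued; the "dropped" case is the cost, a trusted location is only as strong as its write permissions.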
Study Says Half of World's Financial Institutions Experienced Cyberattacks Last Year (July 18, 2013)
According to a report from the World Federation of Exchanges and the International Organization of Securities Commissions, half of the world's critical financial exchanges were hit by cyberattacks in the past year. The report notes an increased focus on disrupting financial markets. The financial institutions' executives are aware of the threat, but a quarter of them say that their "current preventative and disaster recover measures may not be able to stand up against a large-scale and coordinated attack."
-http://www.theregister.co.uk/2013/07/18/half_of_all_financial_exchanges_hit_by_cyber_attacks/
-http://www.zdnet.com/as-nasdaqs-site-hit-by-hackers-report-says-half-of-worlds-exchanges-suffered-cyberattacks-7000018243/
-http://www.world-exchanges.org/files/statistics/pdf/IOSCO_WFE_Cyber-crime%20report_Final_16July.pdf
[Editor's Note (Pescatore): Only half? If it read "Half of the World's Financial Institutions Experienced Fraud Attempts Last Year" we'd all be saying "that seems low." And if the survey were about fraud, 25% would have still admitted they don't know if they could stand up to large scale and coordinated fraudulent actions.
(Honan): It is probably more accurate to say that half of the world's financial institutions detected cyberattacks last year. Time and time again we see breaches, for example TJX, that have been on-going in organisations for months. ]
*************************** Sponsored Links: ******************************
1) Jane Lute former Deputy Secretary of the DHS to keynote Critical Security Controls Summit! Register today http://www.sans.org/info/135492
2) In-depth, hands-on technical courses led by top SCADA experts. Industrial Control Systems Training in Washington DC http://www.sans.org/info/135497
3) APP SECURITY RESOURCES -- White papers and videos discussing effective security concepts and tools used in the fight against DDoS attacks. http://www.sans.org/info/135502
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Hackers Hit NASDAQ Community Site (July 18, 2013)
The US NASDAQ exchange online community forum was hacked, compromising users' account information. NASDAQ has taken the system offline while it fixes the problem. No financial information was compromised, but the account data available on the system, such as email addresses and passwords, could be used to launch other attacks. No other NASDAQ systems were breached.
-http://www.v3.co.uk/v3-uk/news/2283311/hackers-target-nasdaq-community-for-passwords-and-account-data
Apple and Samsung Smartphone Antitheft Technologies to be Tested (July 18, 2013)
The "Secure Our Smartphone" initiative asks phone makers to implement technology that will help reduce smartphone theft. This week, state and federal prosecutors in California plan to bring in experts who will try to defeat security measures on smartphones provided by Apple and Samsung. Apple's iPhone 5 will have the "Activation Lock" feature enabled, and Samsung's Galaxy S4 will come with the LoJack for Android feature. Federal prosecutors are still hopeful that the companies will eventually manufacture smartphones with kill switches.
-http://news.cnet.com/8301-1009_3-57594392-83/apple-samsungs-latest-phones-face-antitheft-stress-test/
-http://www.computerworld.com/s/article/9240894/_Kill_switch_on_smartphones_takes_a_step_forward?taxonomyId=17
Ransomware Targets Computers Running OS X (July 16 & 18, 2013)
A new ransomware scheme targets computers running Mac OS X. The attack displays a message that purports to be from the FBI, telling users that they must pay US $300 to unlock their computers, which were frozen because the users had been "viewing or distributing prohibited pornographic content." Users will need to reset Safari to get rid of the message.
-http://www.theregister.co.uk/2013/07/18/javascript_ransomware/
-http://www.scmagazine.com/fbi-ransomware-scam-finds-new-home-on-the-mac/article/303320/
[Editor's Note (Honan): Underlines that today's malware is no longer designed to compromise operating systems but rather targets the human. ]
Network Solutions Hit With DDoS Attack (July 17 & 18, 2013)
Network Solutions was the target of a distributed denial-of-service (DDoS) attack on Wednesday, July 17. That same day, it claimed to have restored services, although some customers were complaining that they were still experiencing downtime.
-http://www.v3.co.uk/v3-uk/news/2283238/hackers-knock-network-solutions-websites-offline-with-ddos-attack
-http://www.computerworld.com/s/article/9240872/Network_Solutions_restores_service_after_DDoS_attack?taxonomyId=17
[Editor's Note (Pescatore): If you are using a hosting provider, ask about their SLAs around DDoS attacks - much the way if you are renting office space you should ask about power backup systems. ]
US Financial Services Companies Participate in Cyberattack Drill (July 17 & 18, 2013)
Fifty major financial institutions, along with US government agencies, will participate in a cyberattack drill on Thursday, July 18. The exercise, known as Quantum Dawn 2, aims to test participants' incident response and information sharing capabilities. The event is being organized by the Securities Industry and Financial Markets Association (SIFMA).
-http://money.cnn.com/2013/07/18/technology/security/bank-cyberattack/index.html
-http://www.computerworld.com/s/article/9240859/Quantum_Dawn_2_will_test_Wall_Street_s_cyber_readiness
Pentagon Defends Decision Not to Test Mobile Security Management Products Before Signing Contract (July 17 & 18, 2013)
Last month, the Pentagon's Defense Information Systems Agency (DISA) signed a three-year, US $16 million contract for mobile security management services that will cover smartphones and tablets for more than 300,000 military personnel. Contract filings indicate that the process did not include demonstrations of the technology. The system is reportedly designed to make sure unclassified devices that access military networks do not infect those systems or leak data if they are lost or stolen. It will remotely install software, erase lost or stolen devices, lock down device settings, supply software that allows secure browsing and email access, and provide access to an app store so personnel can download approved apps. Pentagon officials defended the decision not to run live demonstrations before inking the contract, saying that the decision was based in part on "a need to simplify the procurement process." DISA also noted that the service required is "unique in scale and functionality."
-http://www.nextgov.com/mobile/2013/07/pentagon-buys-untested-mobile-security-system-300000-users/66854/?oref=ng-HPtopstory
-http://www.nextgov.com/mobile/2013/07/pentagon-denies-inadequately-vetting-defensewide-smartphone-security-service/66938/?oref=ng-HPriver
[Editor's Note (Pescatore): Given the speed of evolution of mobile technology, better to see DISA move quickly on mobile device management, rather than move slowly and deliver security technology only after it is largely obsolete. ]
Microsoft Asserts its Right to Disclose National Security Requests and Denies Giving NSA Unfettered Access to eMail (July 16 & 17, 2013)
Microsoft says it is within its First Amendment rights to disclose national security requests for user data. Microsoft also says that it does not provide the NSA with encryption keys to access email, despite reports that it was helping the intelligence agency bypass security measures to access web chats through Outlook and putting backdoor access in its products to aid federal investigations.
-http://www.eweek.com/security/microsoft-declares-right-to-disclose-government-requests/
-http://www.theregister.co.uk/2013/07/16/microsoft_denies_it_gives_backdoor_access_to_outlook_encryption/
-http://www.computerworld.com/s/article/9240835/Microsoft_denies_giving_NSA_direct_access_to_email?taxonomyId=17
-http://www.zdnet.com/microsoft-we-do-not-give-the-nsa-keys-to-bypass-email-encryption-7000018146/
Apps in Google Play Store Contain Code That Exploits Master Key Vulnerability (July 17, 2013)
At least two apps available in the Google Play app store have been found to take advantage of the master key vulnerability present in nearly all Android devices. The two detected apps do not appear to have malicious intent, but their presence raises questions about Google's scanning of apps offered for sale in the store. Researchers say that the apps "do not pose a threat for users." The researchers who found the problem apps have notified Google and the apps' developers. The exploit's presence could be either a coding error or the result of using a certain development toolkit. Android users who have updated their devices to run the most recent version of the operating system or who have installed security software that blocks the exploit will find that the apps do not run on their devices.
-http://www.informationweek.com/security/client/google-play-has-apps-abusing-master-key/240158446
[Editor's Note (Pescatore): I'd like to see Google and Apple be much more transparent in what they do as far as app security testing in their app stores. They are both part of an industry coalition asking NSA to be more transparent about surveillance requests - transparency should be a two way street. ]
Oracle's Quarterly Critical Patch Update (July 16 & 17, 2013)
Oracle's Critical Patch Update for July includes 89 fixes. Nearly one third of the 89 vulnerabilities are remotely exploitable. The majority of the vulnerabilities were found by third parties. Oracle's July update includes six bulletins that address issues in its database software. One of the 21 fixes addresses a flaw in the Java Virtual Machine in Fusion Middleware. Oracle has said that starting in October, it will release Java updates with its quarterly updates.
-http://www.theregister.co.uk/2013/07/17/oracle_quarterly_patch_batch/
-http://www.computerworld.com/s/article/9240843/Oracle_39_s_July_patch_release_includes_27_fixes_for_remote_exploits?taxonomyId=17
-http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/