Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #59

July 26, 2013


Two weeks left (August 7 deadline) to save 20% on SANS On-Demand or vLive courses (5 or 6 day). http://www.sans.org/online-security-training/specials

The coolest (and possibly most important) new cybersecurity course in America is a "cyber flight simulator" course that hones your skills with 80% hands-on labs built around the Netwars cyber simulator. Doing well in this training will give you bragging rights with peers and will demonstrate to your bosses that you are someone with rare and valuable talent. The Hands-On Security Practitioner with NetWars course, created by Ed Skoudis, debuts at Network Security 2013 September 16-21 in Las Vegas. You'll gain advanced skills in mobile infrastructures, web applications, network devices, and operating systems using real-world scenarios, with an expert instructor providing detailed coaching and underscoring vital lessons learned. http://www.sans.org/event/network-security-2013/course/skill-development-with-ne
twars


Alan

TOP OF THE NEWS

160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure To Hacking
UK Intelligence Agencies Support Security Assessment Effort for Large Companies

THE REST OF THE WEEK'S NEWS

Apple Users Getting Hit with Phishing eMails in Wake of Developer Site Hack
Maryland's Volunteer Cybersquad Bears Similarities to Estonia's Cyber Reserve
Lack of Common Lexicon Hinders Threat Information Sharing
Japanese Police Arrest Nine in Connection with Malware Scheme
US House Defeats Measure That Would Have Reined In NSA Data Collection
Apps Exploiting Android Master Key Flaw Found in Chinese Third-Party App Stores
Bill Would Expand NZ Intelligence Agency's Domestic Surveillance Authority
Hackers Gain Access to French Server Host's Systems
Privacy Practices Could be Interpreted as Violation of Computer Fraud and Abuse Act


************************ SPONSORED By Symantec *************************
On-Demand Webcast: Strategies for Moving Beyond Antivirus View this recent webcast to find out how you can move beyond antivirus and adopt a proactive approach to endpoint protection. We will cover best practices amidst a rapidly changing threat landscape and also strategies for deploying unrivaled protection for both physical and virtual systems. Register Now http://www.sans.org/info/136002">http://www.sans.org/info/136002
**************************************************************************
TRAINING UPDATE

- -- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

- --Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc">http://www.sans.org/event/ics-security-training-washington-dc

- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013">http://www.sans.org/event/san-francisco-2013

- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013">http://www.sans.org/event/boston-2013

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013">http://www.sans.org/event/virginia-beach-2013

- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013">http://www.sans.org/event/sans-capital-city-2013

- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013">http://www.sans.org/event/network-security-2013

- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013">http://www.sans.org/event/forensics-prague-2013

- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013">http://www.sans.org/event/dubai-2013

- -- Multi-week Live SANS training
http://www.sans.org/mentor/about">http://www.sans.org/mentor/about
Contact mentor@sans.org

- -- Looking for training in your own community?
http://www.sans.org/community/">http://www.sans.org/community/

- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials">http://www.sans.org/ondemand/specials
Plus Bangkok, Melbourne, Bangalore, and Baltimore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure To Hacking (July 25, 2013)

Five people have been indicted in connection with a series of major cyberattacks that compromised more than 160 million credit card accounts over a seven-year period. A separate indictment of one of the men exposed a two-year-long penetration of computers at the NASDAQ and shined a light on the vulnerability of global financial systems. The five men named in the indictment were allegedly involved with breaches for which Albert Gonzalez is currently serving a 20-year prison sentence. Between 2005 and 2012, the group allegedly breached systems at Heartland Payment Systems, Hannaford Brothers, and Dexia Bank Belgium, and a number of other organizations.
-http://dealbook.nytimes.com/2013/07/25/wall-streets-exposure-to-hacking-laid-bar
e/?_r=0

-http://www.wired.com/threatlevel/2013/07/albert-gonzalez-conspirators/
-http://www.computerworld.com/s/article/9241078/Five_indicted_in_massive_hacking_
scheme?taxonomyId=17

-http://krebsonsecurity.com/2013/07/hacker-ring-stole-160-million-credit-cards/
-http://www.bbc.co.uk/news/technology-23448639
-http://news.cnet.com/8301-1009_3-57595482-83/feds-accuse-five-men-of-largest-u.s
-hacking-scheme/

-http://www.justice.gov/opa/pr/2013/July/13-crm-842.html

UK Intelligence Agencies Support Security Assessment Effort for Large Companies (July 25, 2013)

UK intelligence outfits GCHQ and MI5 are supporting an effort from the Department of Business, Skills, and Innovation, that asks the UK's largest listed companies to take part in a Cyber Governance Health Check. The process involves having the companies' chairpeople and audit committee heads complete web governance questionnaires. The companies' audit committees will have the opportunity to discuss security issues discovered, and participating organizations will be able to view anonymized information about other participating organizations.
-http://www.zdnet.com/uk/intelligence-bosses-ask-biggest-uk-firms-to-take-securit
y-health-check-7000018560/

-http://www.v3.co.uk/v3-uk/news/2284860/gchq-and-mi5-push-all-ftse-350-firms-to-h
ave-cyber-security-audit

-http://www.telegraph.co.uk/technology/internet-security/10202772/MI5-and-GCHQ-ur
ge-FTSE-350-to-step-up-cyber-defences.html

-http://www.computerworlduk.com/news/security/3460812/mi5-gchq-urge-ftse-chiefs-c
arry-out-cyber-security-health-check/

[Editor's Note (Pescatore): Benchmarking of security can be very useful but self-assessment questionnaires filled out by chairpeople and auditors will likely have minimal value. They would get more security improvement if they collect the results of web application vulnerability testing against those firms public facing web apps and anonymize it - and then make that level of benchmarking be available to board members. ]


*************************** Sponsored Links: ******************************
1) Former Deputy Secretary of the DHS, Jane Holl-Lute, to keynote Critical Security Controls Summit! Register today http://www.sans.org/info/136007

2) In-depth, hands-on technical courses led by top SCADA experts. Industrial Control Systems Training in Washington DC http://www.sans.org/info/136012

3) Retina is a web-based console that simplifies and centralizes vulnerability management and patching. With Retina, decrease time, effort, and cost of managing security risks. http://www.sans.org/info/136017
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Apple Users Getting Hit with Phishing eMails in Wake of Developer Site Hack (July 25, 2013)

Unsurprisingly, phishing emails targeting Apple users have followed close on the heels of an attack on the Apple Developer website. The messages contain obvious signs that they are phony, but "scammers often use emotional responses to a recent event to induce panic in users - which may make them less likely to double-check a domain or other details before" surrendering authentication credentials.
-http://news.cnet.com/8301-1009_3-57595511-83/phishing-scam-piggybacks-on-apple-d
ev-center-hack/

Maryland's Volunteer Cybersquad Bears Similarities to Estonia's Cyber Reserve (July 25, 2013)

Maryland's 175th Network Warfare Squadron, a part of the state's Air National Guard, is a volunteer squad that "provides operational, technical, analytical, and language support to Air Force and national efforts to identify and mitigate cyberintrusion activities on DoD networks." Estonian Ambassador Marina Kaljurand says the group resembles her country's cyber reserve, which was established after cyber attacks in 2007 left government and private industry networks unable to access the Internet for two weeks. The Estonian reserve comprises IT professionals from a variety of private businesses who want to volunteer time to help with the country's cyber defense. US legislation proposed earlier this year would establish a National Guard "Cyber and Computer Network Incident Response Team" in each state. Members of the US National Guard Association supported the measure.
-http://www.nextgov.com/cybersecurity/2013/07/maryland-and-estonian-civilians-tak
e-arms-against-hackers/67370/?oref=ng-HPriver

Lack of Common Lexicon Hinders Threat Information Sharing (July 25, 2013)

Because security companies have developed their own naming schemes for threats, companies trying to gather information about potential threats to their systems may have a difficult time correlating data and identifying threats that are described differently by different companies. For example, a certain Chinese cyberespionage group is identified as Comment Crew by one company, Comment Panda by another, and a part of the Shanghai Group by a third. Different companies focus on different aspects of the same threat.
-http://www.darkreading.com/threat-intelligence/firms-far-from-taming-the-tower-o
f-apt-b/240158923?cid=NL_DR_Daily_240158923&elq=db3174fc1754475d9aa70b84a5b4
5d77

[Editor's Note (Pescatore): The Common Malware Enumeration effort didn't stick back in 2007 and in 2011 the CAPEC and MAEC efforts started another approach. This is actually a good role for government to use its purchasing power to drive important developments - just as the US Government required SCAP support in vulnerability scanning products they would buy, require MAEC support in anti-malware products.
(Northcutt): Mitre has been working the issue of a common naming scheme for a number of security issues for over ten years, why the anti-virus companies insist on "cute" names for malware is beyond me:
-http://maec.mitre.org]

Japanese Police Arrest Nine in Connection with Malware Scheme (July 25, 2013)

Police in Japan have arrested nine people in connection with a malware distribution scheme. The gang allegedly distributed Android malware that stole contact information from mobile device users and used the data to populate a phony dating website. The group's alleged ringleader is Masaaki Kagawa, president of an IT company. The group allegedly earned more than US $4 million from the scheme. The malware was included in specially crafted apps that were available in third-party app stores.
-http://www.theregister.co.uk/2013/07/25/japanese_police_bust_pokerplaying_it_bos
s_for_android_malware/

-http://arstechnica.com/information-technology/2013/07/poker-player-who-won-1-5-m
illion-charged-with-running-android-malware-ring/

US House Defeats Measure That Would Have Reined In NSA Data Collection (July 23 & 24, 2013)

By a narrow margin, the US House of Representatives voted down an amendment to the DoD Appropriations Act of 2014 that would have restricted the NSA's authority for bulk collection of phone record metadata. Under the defeated amendment, the NSA would still have had the authority to collect phone records of suspects related to anti-terrorism investigations. The White House opposed the amendment, saying "this blunt approach is not the product of an informed, open, or deliberative process."
-http://www.wired.com/threatlevel/2013/07/house-nsa-repeal-vote/
-http://arstechnica.com/tech-policy/2013/07/congress-nearly-shuts-down-nsa-phone-
dragnet-in-sudden-217-205-vote/

-http://www.zdnet.com/u-s-house-rejects-proposal-to-strip-considerable-power-from
-nsa-7000018524/

-http://www.computerworld.com/s/article/9241068/House_votes_against_reining_in_NS
A_records_collection?taxonomyId=17

-http://www.theatlanticwire.com/politics/2013/07/white-house-doesnt-houses-data-m
ining-amendment/67529/

Apps Exploiting Android Master Key Flaw Found in Chinese Third-Party App Stores (July 24 & 25, 2013)

A handful of apps that exploit a known critical flaw in the Android operating system have been detected in unofficial Android marketplaces in China. The apps exploit the master key vulnerability, which allows attackers to inject code into a legitimate app without invalidating the app's digital signature. The malicious code allows hackers to control the devices remotely, steal sensitive data, send SMS messages to premium numbers, and disable certain mobile security software.
-http://www.theregister.co.uk/2013/07/25/malicious_android_master_key_apps_found_
in_china_symantec/

-http://arstechnica.com/security/2013/07/first-malicious-apps-to-exploit-critical
-android-bug-found-in-the-wild/

Bill Would Expand NZ Intelligence Agency's Domestic Surveillance Authority (July 24, 2013)

New Zealand's parliament is poised to pass legislation that gives the Government's Communications Security Bureau (GCSB) broader surveillance powers, including the authority to wiretap New Zealand citizens' communications. GCSB's domestic surveillance activity gained attention last year after it tapped communications of Megaupload founder Kim Dotcom, an action found to be illegal because Dotcom was a resident of the country. Public opposition to the bill is growing.
-http://www.theregister.co.uk/2013/07/24/kiwis_set_to_get_new_spook_law/
-http://www.stuff.co.nz/national/politics/8964434/Group-gathers-to-protest-GCSB-b
ill

-http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10903207

Hackers Gain Access to French Server Host's Systems (July 23 & 25, 2013)

French server host OVH says that hackers gained access to its systems and accessed personal information belonging to its customers. The multi-stage attack involved gaining control of a system administrator's account through which the hackers accessed a VPN account belonging to someone in the company's back office. From there, the intruders were able to access customer data, including those of a hosting company in Canada.
-http://www.theregister.co.uk/2013/07/23/top_server_host_ovh_warns_of_multistage_
hacking_attack/

-http://www.scmagazineuk.com/european-web-hosting-company-reports-breach/article/
304470/

Privacy Practices Could be Interpreted as Violation of Computer Fraud and Abuse Act (July 23, 2013)

The vague language of the US's Computer Fraud and Abuse Act (CFAA) allows it to be interpreted to criminalize measures that privacy-savvy users employ to protect their information. In particular, researchers are placed in a precarious position by the law, which prohibits "access without authorization" and "exceed
[ing ]
authorized access" to computers. However, consumers could also unwittingly fall afoul of the law's provisions for taking steps to protect their data.
-http://www.wired.com/opinion/2013/07/the-catch-22-of-internet-commerce-and-priva
cy-could-mean-youre-the-bad-guy/



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/