
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #65

August 16, 2013


One more comment on the story in the last issue, "NSA Plans to Eliminate System Administrators." (http://www.nbcnews.com/technology/nsa-cut-system-administrators-90-percent-limit-data-access-6C10884390).
NewsBites editor John Pescatore, who was Gartner's top security analyst for nearly 15 years, offered a strong reaction, which I somehow missed. Here it is:

"To put it kindly, this is odd logic when it comes to preventing information leaks. Having an individual admin action impact 1000% more servers because there are 90% fewer admins means fewer small mistakes/malicious internal actions but more very, very large mistakes/malicious actions. Rogue traders costing financial services companies many billions of dollars in unauthorized huge commands to automated trading systems have shown this for years. If you don't vet the admins better, if you don't improve the training, if you don't improve the processes, if you don't improve the security controls, you don't improve by concentrating the risk into fewer people."

TOP OF THE NEWS

Hackers Target Washington Post, CNN, and Time Websites
The Internet of Things: Baby Monitor Hacked
Android Malware Spreading Through Mobile Ad Networks

THE REST OF THE WEEK'S NEWS

Northrop Grumman Data Breach
GitHub Repository Hit by DDoS Attack
Feds Decrypt Two Drives, Arrest Man in Child Pornography Case
NYT Outage Blamed on Faulty Firewall Configuration Following Maintenance
Hackers Exploiting Flaws in Apache Struts
Google Releases Patches for Android Java Cryptography Architecture Flaw
Microsoft Releases Security Updates for Windows, Exchange, and IE
Microsoft Pulls Faulty Updates


************************ SPONSORED By Bit9 *****************************
Is Java keeping you up at night? Java's ubiquity and vulnerabilities have made it the technology most frequently exploited by cyber attackers. Download this latest report and learn how Java has become the most targeted endpoint technology and how to remediate vulnerabilities in your environment.
http://www.sans.org/info/137442
***************************************************************************
TRAINING UPDATE

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Hackers Target Washington Post, CNN, and Time Websites (August 15, 2013)

Attackers have targeted the websites of major US media companies The Washington Post, CNN, and Time. Some links on the affected sites redirected users to the Syrian Electronic Army's (SEA's) website. The SEA claims to have launched the attack through Outbrain, a third-party link recommendation service that all three sites use. The Washington Post has released a statement indicating that the attack was the result of "a sophisticated phishing attack to gain password information."
-http://www.washingtonpost.com/lifestyle/style/syrian-group-hacks-washington-post-web-site/2013/08/15/4e60d952-05bd-11e3-88d6-d5795fab4637_story.html
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/15/heres-how-the-syrian-electronic-armys-hack-worked/
-http://money.cnn.com/2013/08/15/technology/security/outbrain-hack/
-http://www.bbc.co.uk/news/technology-23712007
-http://www.zdnet.com/washington-post-confirms-it-was-hacked-by-syrian-electronic-army-7000019459/
-http://krebsonsecurity.com/2013/08/washington-post-site-hacked-after-successful-phishing-campaign/

[Editor's Comment (Northcutt): Long time readers of NewsBites know I question the accuracy of the cybersecurity media, but it is great to have a "smoking gun". Make sure you store this one.]

The Internet of Things: Baby Monitor Hacked (August 14, 2013)

A Texas family heard noises coming from their toddler's bedroom through their video baby monitor. A man was yelling obscenities at their child, and when the parents entered the room, he yelled obscenities at them as well. The family had taken security precautions, including enabling a firewall and establishing passwords for their router and the baby monitor camera, which connects to their Wi-Fi network.
-http://www.bbc.co.uk/news/technology-23693460
-http://news.cnet.com/8301-1009_3-57598499-83/attention-parents-baby-monitor-hacked-default-password-to-blame/
-http://www.nbcnews.com/technology/hacker-attempts-harass-toddler-through-baby-monitor-6C10916536

[Editor's Note (Pescatore): Security should be on by default in many of the Internet-connected "things" that are exploding in consumer and business use. There is absolutely no reason to repeat all the security mistakes we made when PCs and servers were the "things" being designed 20 years ago. SANS is holding a "Securing the Internet of Things" summit to explore these issues, on October 22nd in San Francisco - see
-http://www.sans.org/event/internet-of-things-summit]

Android Malware Spreading Through Mobile Ad Networks (August 13, 2013)

Malware targeting Android devices has been found to be spreading through mobile advertisement networks. Many developers include advertising frameworks in their apps to help boost profits. Advertisements in mobile apps are served by code that is part of the app itself. An attack scheme in Asia involved a rogue ad network pushing code onto devices. When users download and install legitimate apps, the malware prompts users to approve its installation, appearing to be part of the process for the app they have just downloaded.
-http://www.computerworld.com/s/article/9241596/New_Android_malware_is_being_distributed_through_mobile_ad_networks?taxonomyId=17

[Editor's Note (Murray): To John's point (on the previous story) about the Internet of Things, the Androids are too young to have learned anything from the choices we made with the PC. They did not consider the implications of their success.]


*************************** Sponsored Links: ******************************
1) Tool Talk Webcast: Essential Tools for Testing and Securing a Mobile Applications Portfolio. Thursday, August 22, 2013 at 1:00 PM EDT. http://www.sans.org/info/137447

2) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/137452

3) Seeking Security Pros: Join your peers to learn advancements in IR and techniques to expose the threats that evade perimeter defenses. http://www.sans.org/info/137457
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Northrop Grumman Data Breach (August 15, 2013)

Employees of and applicants to Northrop Grumman's linguist program have been notified that their personal data were compromised in a security breach. More than 70,000 people were affected. The incident: unauthorized database access sometime between November 2012 and May 2013.
-http://www.scmagazine.com/us-defense-contractor-sustains-data-breach/article/307498/

GitHub Repository Hit by DDoS Attack (August 15, 2013)

Online code repository GitHub experienced a service outage on Thursday, August 15, the result of a "very large DDoS (distributed denial-of-service) attack." This is the fourth DDoS attack on GitHub in the last month.
-http://www.theregister.co.uk/2013/08/15/github_ddos/

Feds Decrypt Two Drives, Arrest Man in Child Pornography Case (August 14 & 15, 2013)

Federal authorities in Wisconsin have arrested Jeffrey Feldman after they managed to break the encryption on two drives seized from his residence earlier this year and found that they contained images of child pornography. An FBI agent said that there are seven additional drives that have not been decrypted. Prosecutors expect that Feldman will decrypt the drives, but his attorney said, "We do not intend to decrypt."
-http://www.wired.com/threatlevel/2013/08/feds-crack-encrypted-drives/
-http://www.wired.com/threatlevel/2013/08/kid-porn-decryption-flap/
[Editor's Note (Murray): Court opinion is converging on this. Courts will not compel decryption without probable cause. Said another way, police cannot compel decryption to conduct a fishing expedition, but criminals cannot use encryption to conceal evidence. In this case, I think a judge will find probable cause to believe that these drives contain evidence. The accused and his lawyers will have to decide whether the penalties for contempt trump those for the crimes that the crypto conceals.]

NYT Outage Blamed on Faulty Firewall Configuration Following Maintenance (August 14 & 15, 2013)

The website of The New York Times was unavailable for several hours on Wednesday, August 14. Although there was initially speculation that the site had been attacked by SEA, the Times said that the outage was due to problems with "a scheduled maintenance update." The issue is believed to have been a bad change to the firewall configuration that blocked all incoming traffic.
-http://www.wired.com/threatlevel/2013/08/nyt-maintenance-update/
-http://www.zdnet.com/what-happened-to-the-new-york-times-website-7000019453/
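A change like the one described above can be caught before it is loaded. The snippet below is an added example (not from the original newsletter or from the Times) that statically walks the INPUT chain of an iptables-save style ruleset, in first-match order, and reports required services that no inbound packet could reach, so a maintenance script can refuse to apply the file. The two rulesets and the port-to-service map are constructed assumptions about what such a host must keep serving.

```python
# Added example: lockout check for an iptables-save style ruleset before it is applied.
# REQUIRED_PORTS is an assumption about the services this host must keep reachable.
import shlex

REQUIRED_PORTS = {22: "ssh", 80: "http", 443: "https"}

# Constructed rulesets: the first drops everything inbound except loopback, the second
# keeps the same DROP policy but explicitly admits the services the host exists to serve.
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

def parse_input_chain(ruleset):
    """Return (default policy, list of tokenised -A INPUT rules) for the filter table."""
    policy, rules = None, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            rules.append(shlex.split(line))
    return policy, rules

def rule_target(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None

def rule_ports(tokens):
    """Destination ports named by --dport/--dports; ranges such as 8000:8100 are expanded."""
    ports = set()
    for i, tok in enumerate(tokens):
        if tok in ("--dport", "--dports") and i + 1 < len(tokens):
            for part in tokens[i + 1].split(","):
                lo, _, hi = part.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def is_catch_all(tokens):
    """True for a rule with no match criteria at all, e.g. '-A INPUT -j DROP'."""
    return [t for t in tokens if t not in ("-A", "INPUT")] == ["-j", rule_target(tokens)]

def lint_input_chain(ruleset, required=REQUIRED_PORTS):
    """Report required ports that the chain would never let an inbound packet reach.
    Rules are evaluated in order, first match wins, as the kernel does."""
    policy, rules = parse_input_chain(ruleset)
    wanted = set(required)
    accepted, dropped = set(), set()
    blocked_by_default = policy in ("DROP", "REJECT")
    for tokens in rules:
        target = rule_target(tokens)
        if target == "ACCEPT":
            ports = wanted if is_catch_all(tokens) else rule_ports(tokens) & wanted
            accepted |= ports - dropped          # an earlier explicit drop still wins
        elif target in ("DROP", "REJECT"):
            if is_catch_all(tokens):
                blocked_by_default = True
                break                            # nothing below an unconditional drop runs
            dropped |= rule_ports(tokens) & wanted - accepted
    unreachable = set(dropped)
    if blocked_by_default:
        unreachable |= wanted - accepted
    return [f"port {p} ({required[p]}) unreachable: "
            + ("explicitly dropped" if p in dropped else "no ACCEPT rule matches it and INPUT drops by default")
            for p in sorted(unreachable)]

if __name__ == "__main__":
    for name, rs in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, lint_input_chain(rs) or "OK")
```

This complements `iptables-restore --test`, which only checks that the file parses; the lint above reasons about what the rules mean for the services that have to stay up. It is deliberately narrow: it models the default policy, unconditional drops, and explicit port drops, not interface or source-address matches, so a rule such as `-i eth1 -j ACCEPT` is treated as admitting nothing for the listed ports.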

Hackers Exploiting Flaws in Apache Struts (August 14 & 15, 2013)

Hackers are now exploiting vulnerabilities in the Apache Struts framework for Java. Fixes for the flaws were released in July, but there are many applications that are still running on older, flawed versions of Struts. The hackers are using automated tools to install backdoors on vulnerable systems.
-http://www.computerworld.com/s/article/9241639/Hackers_target_servers_running_Apache_Struts_apps?taxonomyId=17

-http://www.theregister.co.uk/2013/08/15/java_struts_automated_exploit_tool/

Google Releases Patches for Android Java Cryptography Architecture Flaw (August 14 & 15, 2013)

Google has acknowledged a cryptographic flaw in the Android operating system that left Bitcoin wallets vulnerable to theft. The issue lies in applications that use the Java Cryptography Architecture (JCA) for key generation, signing, and random number generation. Because the problem resides in the operating system, all Bitcoin wallets generated with Android apps are vulnerable. The flaw has already been exploited to steal more than US $5,700 worth of Bitcoins. Google is distributing patches for the flaw to members of the Open Handset Alliance.
-http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/
-http://news.cnet.com/8301-1009_3-57598603-83/google-confirms-android-flaw-that-led-to-bitcoin-theft/
-http://www.computerworld.com/s/article/9241647/Google_patches_Android_after_Bitcoin_wallet_issue?taxonomyId=17
-http://www.zdnet.com/google-confirms-bitcoin-theft-vulnerability-in-android-7000019431/
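Published analyses of this incident traced it to Android's SecureRandom handing back repeated values, so that wallet apps signed different transactions with the same ECDSA nonce k; a reused k produces the same r value in both signatures, which is what the Bitcoin community scanned the block chain for. The following added example (not from the original newsletter, from Google, or from any wallet project) shows that effect on a textbook toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5,1) of order 19) and implements the defensive audit: group a set of signatures by r and flag any r that appears more than once. The private key, message digests and nonce values are constructed for the demonstration.

```python
# Added example: toy ECDSA over a textbook curve, small enough to check by hand, plus an
# audit that detects nonce reuse through repeated r values. Nothing here is a real key
# or a real curve; the digests and nonces are constructed values.
from collections import defaultdict

P, A, B = 17, 2, 2          # field prime and curve coefficients of y^2 = x^3 + A x + B
G = (5, 1)                  # base point
N = 19                      # prime order of G

def inv(x, m):
    """Modular inverse (Python 3.8+ pow with a negative exponent)."""
    return pow(x, -1, m)

def add(p, q):
    """Point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def sign(d, h, k):
    """ECDSA signature of digest h (already reduced mod N) under private key d with nonce k.
    The nonce is an explicit parameter so the effect of an RNG repeating itself is visible."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (h + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another nonce")
    return (r, s)

def verify(q, h, sig):
    """Standard ECDSA verification against public key q = d*G."""
    r, s = sig
    w = inv(s, N)
    u1, u2 = h * w % N, r * w % N
    pt = add(mul(u1, G), mul(u2, q))
    return pt is not None and pt[0] % N == r

def find_repeated_r(signatures):
    """Defensive audit: map r -> signature ids and return only the r values shared by
    more than one signature. A shared r means the nonce was reused, the condition that
    exposed the Android wallets."""
    by_r = defaultdict(list)
    for sig_id, (r, _s) in signatures.items():
        by_r[r].append(sig_id)
    return {r: ids for r, ids in by_r.items() if len(ids) > 1}

def demo():
    d = 7                    # constructed private key
    q = mul(d, G)            # public key
    # tx1 and tx2 were signed with the same nonce (the RNG failure), tx3 with a fresh one.
    digests = {"tx1": 11, "tx2": 4, "tx3": 4}
    sigs = {
        "tx1": sign(d, digests["tx1"], k=3),
        "tx2": sign(d, digests["tx2"], k=3),
        "tx3": sign(d, digests["tx3"], k=5),
    }
    # All three verify: reuse is invisible to the verifier and only shows up on audit.
    assert all(verify(q, digests[i], sigs[i]) for i in sigs)
    return sigs, find_repeated_r(sigs)

if __name__ == "__main__":
    sigs, dupes = demo()
    print("signatures:", sigs)
    print("nonce reuse detected:", dupes)
```

The audit needs only the public signatures, not the keys, which is why it could be run over a public ledger; on a real deployment it belongs in the place signatures are already being collected or logged. The fix on the generating side is a properly seeded CSPRNG or a deterministic nonce derived from the key and the message, so that no two different messages can ever share a k.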

Microsoft Releases Security Updates for Windows, Exchange, and IE (August 14, 2013)

Microsoft's security update for August comprises eight bulletins that address at least 23 vulnerabilities in Windows, Internet Explorer, and Microsoft Exchange Server. Three of the bulletins are rated critical; the other five are rated important. Along with the regular bulletins, Microsoft released two optional updates that will block digital certificates using the MD5 hashing algorithm.
-http://krebsonsecurity.com/2013/08/microsoft-patches-plug-23-security-holes/
-http://news.cnet.com/8301-1009_3-57598363-83/critical-security-fixes-issued-for-windows-ie-exchange/
-http://www.computerworld.com/s/article/9241622/Microsoft_moves_to_block_MD5_certificates_and_improve_RDP_authentication?taxonomyId=17

-http://technet.microsoft.com/en-us/security/bulletin/ms13-aug
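Before enabling an update that restricts MD5-signed certificates, an administrator would want to know which of their own certificates it would affect. The following added example (not from the original newsletter or from Microsoft) reads the signatureAlgorithm field of a DER-encoded X.509 certificate with a minimal ASN.1 walker and flags the MD5-based OID. The certificates it checks are constructed stand-ins with the real outer layout and a placeholder body so the script runs offline; for a real certificate, feed it the DER bytes (for example from `openssl x509 -in cert.pem -outform DER`).

```python
# Added example: flag X.509 certificates whose signature algorithm is MD5-based.
# Operates on DER bytes; the sample certificates at the bottom are constructed stand-ins.

KNOWN_SIG_ALGS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4"}

# --- minimal DER reading ---------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element at pos; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs, first byte packs two)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the first element and read the OID inside the second."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)                 # tbsCertificate, skipped
    tag, alg, _ = read_tlv(cert, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)

def check_certificate(cert_der):
    """Return (oid, human name or 'unknown', True if the signature algorithm is MD5-based)."""
    oid = signature_algorithm_oid(cert_der)
    return oid, KNOWN_SIG_ALGS.get(oid, "unknown"), oid in MD5_SIG_OIDS

# --- constructed sample certificates ---------------------------------------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def sample_certificate(sig_oid):
    """Stand-in with the real outer layout: a placeholder tbsCertificate made long enough
    to exercise long-form lengths, the AlgorithmIdentifier under test, and a dummy BIT STRING."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"\x00" * 200))
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")      # parameters NULL
    sig = tlv(0x03, b"\x00" + b"\xAA" * 16)
    return tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(check_certificate(sample_certificate(oid)))
```

Run it over every certificate in a chain, not only the leaf: a weak signature anywhere between the end-entity and the trust anchor is what a stricter validator will reject. The walker reads the outer signatureAlgorithm, which in a well-formed certificate must equal the signature field inside tbsCertificate.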

Microsoft Pulls Faulty Updates (August 14, 2013)

Microsoft has pulled the patch for Exchange Server released earlier this week after users reported problems after installation. The three issues affect Exchange 2013; Exchange 2007 and 2010 are not affected.
-http://www.scmagazine.com/microsoft-removes-exchange-2013-patch-after-customers-report-snafus/article/307429/



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/