SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #66

August 20, 2013


Although Eric Cole's Security Essentials Bootcamp is the most popular course at the upcoming 2013 Network Security Conference (mid-September in Las Vegas), attendance at the very advanced courses in forensics and enterprise defense and penetration testing and legal issues and management is approaching attendance in the more basic courses. The growing sophistication of the attackers demands that organizations have defenders who have mastered the attacks and the sophisticated defenses needed to respond. That is what seems to be happening in cybersecurity training at SANS. SANS has access to the data on nearly all the sophisticated attacks and updates its courses as often as three times each year. At SANS you learn the most current techniques available, taught by the highest rated teachers on each topic, and practical skills so you can put it to work when you return to the office. If you intend to be one of the leaders in cybersecurity, and want depth of mastery in both the technology and the management of security, consider starting now on a Master of Science in Security Engineering at SANS Technology Institute (STI). The people who have earned STI MS degrees are already shaping the field in the military and electric power and other areas.

Network Security 2013: http://www.sans.org/event/network-security-2013
Master's Degree at SANS Technology Institute: http://www.sans.edu/academics/curricula/msise

Alan

TOP OF THE NEWS

Judge Says Changing IP Address and Using Proxies May Violate CFAA
Researchers Document Method of Sneaking Malicious Apps into Apple Store
Microsoft Warns About Dangers of Not Migrating From XP

THE REST OF THE WEEK'S NEWS

DOE Notifies Employees of Second Data Breach This Year
Additional Guidance for Open Data Project
Phyllis Schneck Takes on Federal Cybersecurity Post
Microsoft Reissues Problematic ADFS Patch
Flaws in IPMI Put Servers at Risk of Remote Attack
Leaked NSA Audit Shows Agency Violated US Citizens' Privacy
China to Investigate Reports that IBM, Oracle, and EMC Products Were Used to Spy on Country
Sophisticated Skimmers Used in Attacks on Sydney ATMs
Phony Flash Update Serves Spam Ads
Glitch Blamed for Prison Door Openings


***************** Sponsored By Blue Coat Systems, Inc. ******************
In this webinar find out how Big Data Security Analytics and comprehensive Advanced Threat Protection not only deliver real-time advanced threat detection and blocking, but tell you the how, what, where, when and why of advanced targeted attacks, all while delivering end-to-end visibility of data exfiltration and malware infiltration on the network.
http://www.sans.org/info/137562
***************************************************************************
TRAINING UPDATE

- -- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Judge Says Changing IP Address and Using Proxies May Violate CFAA (August 19, 2013)

A federal judge in California has ruled that changing IP (Internet protocol) addresses or using a proxy server to access a public website from which a user has been banned constitute violations of the Computer Fraud and Abuse Act (CFAA). The case involves a company that aggregated and republished advertisements from Craigslist. The company, 3taps, received a cease-and-desist letter from Craigslist, and Craigslist blocked IP addresses associated with 3taps. The company used alternate IP addresses and proxy servers to get around the blocks.
-http://arstechnica.com/tech-policy/2013/08/changing-ip-address-to-access-public-website-ruled-violation-of-us-law/

[Editor's Note (Murray): The use of proxies is integral to the Internet and most of it is, and remains, legitimate. One should not infer that every gateway, router, firewall or VPN is a "violation of CFAA." However, if one is using a bot to hide the origin of a hack, one better hope that it works. "Fraud" and "abuse" are the predicates and judges can still read. ]

Researchers Document Method of Sneaking Malicious Apps into Apple Store (August 17 & 19, 2013)

Researchers have demonstrated a method of creating malicious apps that evade detection by Apple's app review. The apps, dubbed Jekyll malware, use program paths that do not exist during the app review process.
-http://www.nbcnews.com/technology/apple-app-store-infiltrated-researchers-jekyll-malware-6C10945771

-http://www.informationweek.com/mobility/smart-phones/apple-ios-security-defeated-by-sneaky-ap/240160105

[Editor's Note (Pescatore): App stores that have strong security checking processes can be game changers. For mobile apps in particular, those app store security processes have to extend beyond the initial app review and even initial publishing of the app.
(Shpantzer): Apple's app store has processes that can be circumvented. That said, once it identifies malware, Apple has a way to universally revoke that app's permission to run on an iOS device.
-http://www.telegraph.co.uk/technology/3358134/Apples-Jobs-confirms-iPhone-kill-switch.html

Android too:
-http://gizmodo.com/5572510/google-remotely-removes-apps-from-android-phones-for-security-reasons
]

Microsoft Warns About Dangers of Not Migrating From XP (August 16, 2013)

In a blog posting last week, Microsoft warned XP users that there would be no more updates for Windows XP Service Pack 3 after April 8, 2014. The Security Blog post from Microsoft Director of Trustworthy Computing Tim Rains warns that while XP SP3 was state of the art when it was released, the measures employed are no longer sufficient to block current attacks. Once support for XP ends, hackers will be able to reverse engineer updates for newer versions of Windows to see whether XP is vulnerable to the flaws they address; newer versions of Windows will be patched, but XP will not be, putting users at direct risk of attack.
-http://www.computerworld.com/s/article/9241683/XP_Z_Microsoft_scares_Windows_XP_users_straight_with_undead_bug_warning?taxonomyId=17

-http://www.zdnet.com/microsoft-warns-windows-xp-users-risk-zero-day-forever-7000019503/

[Editor's Note (Pescatore): Past experience with NT and Windows 95 going through this transition says appliances, machinery, kiosks, etc. using embedded versions of Windows XP will be the most problematic. ]


*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/137567

2) AlienVault USM delivers complete security visibility in minutes. Download a Free 30-Day Trial. URL with tracking. http://www.sans.org/info/137572

3) Seeking Security Pros: Join your peers to learn advancements in IR and techniques to expose the threats that evade perimeter defenses. Register now at http://www.sans.org/info/137577
*****************************************************************************

THE REST OF THE WEEK'S NEWS

DOE Notifies Employees of Second Data Breach This Year (August 19, 2013)

The US Department of Energy (DOE) is notifying 14,000 current and former employees that their personally identifiable information was compromised when someone gained unauthorized access to an agency human resources system. The specific information compromised was not disclosed. The incident, which occurred in late July, is the second reported data breach at DOE this year. In February, DOE notified a few hundred employees about a breach launched by "sophisticated attackers."
-http://www.scmagazine.com/department-of-energy-data-breach-affects-thousands/article/307752/

-http://www.darkreading.com/attacks-breaches/department-of-energy-hacked-again/240160114

Additional Guidance for Open Data Project (August 19, 2013)

The White House has released additional clarification and detailed requirements to help agencies achieve open data project objectives. An executive order in May affirmed the importance of the open data project, noting that open data are a boon to economic growth, innovation, and government efficiency. Agencies must submit open data progress reports by November 1, 2013.
-http://www.nextgov.com/cio-briefing/2013/08/white-house-expands-guidance-promoting-open-data/68918/?oref=ng-HPriver

Project Open Data Implementation Guide:
-http://project-open-data.github.io/implementation-guide/
[Editor's Note (Murray): The government default has always been "when in doubt, classify," i.e., prefer secrecy to transparency. This default has reduced trust in government to such a level as to bring its legitimacy into question. Changing that default, without compromising necessary security, will challenge our knowledge, skills, and abilities.]

Phyllis Schneck Takes on Federal Cybersecurity Post (August 19, 2013)

Phyllis Schneck, currently McAfee's chief technology officer and vice president, has been appointed Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate, which falls under the umbrella of the Department of Homeland Security (DHS). Schneck was "a key contributor on the CSOS Commission on Cybersecurity for the 44th Presidency," and "is the current Chairman of the Board of Directors of the National Cyber Forensics and Training Alliance."
-http://www.zdnet.com/mcafee-cto-headed-for-federal-cybersecurity-role-7000019589/

-http://www.dhs.gov/blog/2013/08/19/appointment-new-deputy-under-secretary-cybersecurity

Microsoft Reissues Problematic ADFS Patch (August 19, 2013)

Microsoft has reissued a patch it pulled last week after users reported problems following installation. The patch addresses a vulnerability in Active Directory Federation Services (ADFS) 2.0. The initial version of the patch, MS13-066, caused ADFS to stop working if a previous update rollup (RU) had not been installed. Microsoft also pulled a patch for Exchange Server due to problems after installation; an updated version of that patch is not yet available.
-http://www.zdnet.com/microsoft-re-releases-botched-ad-fs-patch-7000019594/
-https://technet.microsoft.com/en-us/security/bulletin/ms13-066
[Editor's Note (Pescatore): Microsoft, and most enterprise software vendors, have gotten better at preventing patch quality issues. This is important, as the ability of enterprises to patch quickly is directly related to the quality of the patches coming from the vendors. ]

Flaws in IPMI Put Servers at Risk of Remote Attack (August 16, 2013)

Certain baseboard management controllers (BMCs) embedded in motherboards of Internet-connected servers put those servers at risk for remote attacks that can be used to steal passwords and place malware on vulnerable systems. Design flaws in the BMCs' intelligent platform management interface (IPMI) mean that hackers could launch attacks "that can cascade throughout a network." A recent scan indicates that there are at least 100,000 IPMI-enabled servers running on publicly accessible addresses. Server administrators would be well advised to heed a list of recommended defenses, which includes keeping IPMI firmware updated, changing default passwords, and not running IPMI-enabled devices on public IP addresses.
-http://arstechnica.com/security/2013/08/remote-admin-tool-imperils-servers/
[Editor's Note (Ullrich): Also note that IPMI is usually "on" if the server is plugged into an outlet and network, even before the power switch is pressed. See for example
-https://isc.sans.edu/diary/IPMI%3A+Hacking+servers+that+are+turned+%22off%22/13399
]

Leaked NSA Audit Shows Agency Violated US Citizens' Privacy (August 16, 2013)

Leaked documents indicate that the US National Security Agency (NSA) has run afoul of privacy laws thousands of times since 2008. That year, Congress passed the FISA Amendments Act, which broadened the NSA's data collection authority "in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and ... reports to Congress and the surveillance court." Although NSA Director General Keith Alexander said that the agency has not abused surveillance powers and that it does not store data on US citizens, it has in fact done both. One of the leaked documents, a May 2012 NSA internal audit, listed nearly 2,800 incidents over the past year.
-http://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html

-http://www.wired.com/threatlevel/2013/08/nsa-violated-privacy-rules/
-http://www.theregister.co.uk/2013/08/16/nsa_internal_audit_privacy_violations/

China to Investigate Reports that IBM, Oracle, and EMC Products Were Used to Spy on Country (August 16, 2013)

China plans to investigate allegations made in documents leaked by Edward Snowden that the US hacked into products from IBM, Oracle, and EMC that were sold to universities in China. The investigation will reportedly be led by China's Ministry of Public Security. The agency will look into whether the companies' products are being used to spy on China.
-http://news.cnet.com/8301-1009_3-57598827-83/china-eyes-ibm-oracle-emc-over-possible-security-issues/

-http://www.theregister.co.uk/2013/08/16/ibm_emc_oracle_prism_probe

Sophisticated Skimmers Used in Attacks on Sydney ATMs (August 16, 2013)

ATMs at two major banks in Sydney, Australia, were found to have been outfitted with "virtually undetectable" skimming technology that has been used by a group of Romanian hackers to steal AUD $100,000 (US $91,260). The thieves appear to be using sophisticated skimming devices that are made using 3D printers. At least one person has been arrested and charged in connection with ATM skimming attacks in New South Wales.
-http://au.ibtimes.com/articles/499369/20130816/sydney-atms-hacked-scammed-romanian-thieves-atm.htm#.UhKUi0KinjC

-http://www.theregister.co.uk/2013/08/16/3d_printed_atm_skimmers/

Phony Flash Update Serves Spam Ads (August 16, 2013)

A phony update for Adobe's Flash Player serves spam advertisements to users who fall prey to its lure. Users are told that they must install the update to view certain videos. Some of the advertisements are pornographic, and others are capable of replacing legitimate advertisements. The phony update has been spotted on websites aimed at children. It injects ads into every page visited. Users are advised to check their browser extensions.
-http://www.scmagazine.com/fake-adobe-flash-player-update-extension-serves-salacious-spam-ads/article/307765/
-http://www.theregister.co.uk/2013/08/16/fake_flash_browser_plugin_feeds_smut_ads/

Glitch Blamed for Prison Door Openings (August 16, 2013)

Officials at a Florida prison say that a computer glitch caused all doors in its maximum security wing to open at once. However, a surveillance video shows that some of the prisoners appeared to be aware that the doors were going to open, which suggests that the doors may have been opened intentionally, perhaps by a staff member or by someone on the outside who managed to trigger the function. This is the second time this same thing has happened at the Turner Guilford Knight Correctional Center. An initial log review indicates that there was an "operator error." A facility in Maryland had a similar occurrence in April. It is not known if the prisons were using the same system.
-http://www.wired.com/threatlevel/2013/08/computer-prison-door-mishap/


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/