SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #68

August 27, 2013

TOP OF THE NEWS

FBI and DHS Concerned About Android Vulnerabilities
New EU Rule Requires Breach Notification Within 24 Hours
HITECH Act Compliance Deadline Four Weeks Away

THE REST OF THE WEEK'S NEWS

DDoS Attack Against China's Top-Level Domain
Amazon Cloud Problems Cause Web Services Outages
Exploit for Unpatched Java 6 Flaw in the Wild
How Did Snowden Access All That Data?
NSA Paid Millions for Tech Companies' Compliance with PRISM
PayPal Fixes Account Hijacking Flaw
Orbit Downloader Has Surreptitious DDoS Component

---

************************** Sponsored By Bit9 ****************************
How are you closing the Mac security gap in your enterprise? As Mac products grow in popularity, they are becoming increasingly attractive targets for cybercriminals. This eBook will give you an understanding of the nature of the malware that is currently exploiting Macs and how to adopt a security posture that works for your enterprise.
http://www.sans.org/info/138047
***************************************************************************
TRAINING UPDATE

- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

FBI and DHS Concerned About Android Vulnerabilities (August 26, 2013)

According to an unclassified US government document, the FBI and the Department of Homeland Security (DHS) are concerned about security flaws in the Android operating system. Specifically, the document outlines concerns about threats faced by law enforcement officers and officials who are using devices running older versions of the operating system. The document says, "Android is the world's most widely used mobile operating system and continues to be a primary target for malware attacks due to its open source architecture." It also offers mitigation advice for certain types of threats.
-http://news.cnet.com/8301-1009_3-57600105-83/android-security-holes-worry-fbi-dh
s/
-http://info.publicintelligence.net/DHS-FBI-AndroidThreats.pdf
[Editor's Note (Murray): Ironic. DHS has favored Android over iOS for exactly this reason. That the government has consistently used its buying power to favor "open" over "secure" is at least partially accountable for our current state. ]

New EU Rule Requires Breach Notification Within 24 Hours (August 22, 23, & 26, 2013)

As of August 25, telecommunications operators and Internet service providers (ISPs) in the European Union (EU) must notify authorities within 24 hours of detecting a data security breach. While notification is already required, the mandatory 24-hour window is raising concerns because organizations will not have adequate time to conduct forensics. There is also movement toward broadening the scope of the requirement to include all industries.
-http://www.scmagazine.com/stern-new-data-breach-reporting-requirement-takes-hold
-in-eu/article/308530/
-http://www.v3.co.uk/v3-uk/news/2290763/eu-24hour-breach-disclosure-laws-to-come-
into-force
-http://www.infosecurity-magazine.com/view/34102/eu-businesses-prep-for-regulatio
ns-requiring-24hour-data-breach-notification/
[Editor's Note (Honan): The requirement is that notification is given to the relevant authorities within 24 hours of detecting the breach, and not as some reports are suggesting from when the breach occurred. Sharing such information can be quite beneficial as the recent Major Incidents in 2012 Report by ENISA demonstrates
-http://www.enisa.europa.eu/media/press-releases/new-major-incidents-in-2012-repo
rt-by-eu-cyber-security-agency-enisa
. That report highlighted that 8% of the incidents reported were due to cyber-attacks with 75% being attributed to system failures. Independent and verified hard data and facts is what we need better design our systems rather than marketing reports and surveys.
(Murray): The Verizon Data Breach Incident Report and other intelligence suggest that many, not to say most, breaches are not detected for weeks to months. ]

HITECH Act Compliance Deadline Four Weeks Away (August 26, 2013)

As of September 23, 2013, U.S. organizations that handle healthcare data must be in compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. The law establishes new breach notification standards and restrictions on how personal health information is shared and/or disclosed. Previously, breach notification was required only if there was a serious risk of harm. The new law requires that notifications be made unless the organization can demonstrate that there is a low probability of such risk. Companies handling the data will also be required to make sure that their subcontractors and business associates are compliant with Health Insurance Portability and Accountability Act (HIPAA) requirements.
-http://www.computerworld.com/s/article/9241913/Sept._23_deadline_looms_for_busin
ess_compliance_with_HITECH_Act_on_patient_privacy?taxonomyId=17

---

*************************** Sponsored Links: ******************************
1) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/138052

2) AlienVault USM delivers complete security visibility in minutes. Download a Free 30-Day Trial. http://www.sans.org/info/138057

3) Satisfied with your IPS? Tell us! Take our Survey and enter to win an iPad! http://www.sans.org/info/138062
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

DDoS Attack Against China's Top-Level Domain (August 26, 2013)

A Sunday morning distributed denial-of-service (DDoS) attack against the domain servers for the country's top-level domain, .cn, is reportedly the largest ever attack against that domain. The first wave of the attack occurred at midnight Beijing time on Sunday, August 25. A second wave was launched four hours later. Service to the affected websites was largely restored by 10 a.m. on Sunday. Because of the country's regulation and censorship practices, not many details about the attacks have been released.
-http://money.cnn.com/2013/08/26/technology/china-cyberattacks/index.html
-http://www.zdnet.com/china-suffers-largest-cyberattack-scope-motives-unclear-700
0019850/
-http://www.computerworld.com/s/article/9241899/Major_DDoS_attacks_.cn_domain_dis
rupts_Internet_in_China?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57600083-83/chinas-internet-hit-by-ddos-attack-
sites-taken-down-for-hours/
-http://www.theatlanticwire.com/technology/2013/08/who-hacked-chinas-internet-yes
terday/68712/
[Editor Comment (Northcutt): This is not a new problem and will repeat. Here is some interesting research on countermeasures:
-http://www.cs.ucla.edu/~lixia/papers/07DSN_TTL.pdf]

Amazon Cloud Problems Cause Web Services Outages (August 25 & 26, 2013)

A packet loss issue at an Amazon cloud services data center caused outages for several high profile web services including Instagram, Netflix, and Vine. The issue has been resolved. Amazon says the problems were caused by "partial failure of a networking device."
-http://www.bbc.co.uk/news/technology-23839901
-http://www.cio.com/article/738737/Packet_Loss_Problem_in_Amazon_39_s_Cloud_Wobbl
es_Airbnb_Vine

Exploit for Unpatched Java 6 Flaw in the Wild (August 26, 2013)

An exploit targeting an unpatched vulnerability in Java 6 has been found in the wild. The flaw was disclosed earlier this year when Oracle released Java 7 Update 25. Java 6 was not patched because Oracle has discontinued support for that version.
-http://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-wi
th-security-expl/240160443

How Did Snowden Access All That Data? (August 24 & 26, 2013)

The US government is having difficulty figuring out exactly what data Edward Snowden took while working as a contractor at the NSA because Snowden was careful to hide his digital footprints by deleting or bypassing electronic logs. The incident illustrates problems inherent in the structure of the data systems if they were so easily defeated. It also appears to refute assurances from the government that NSA surveillance programs are not subject to abuse because they are so tightly protected.
-http://www.nbcnews.com/technology/snowden-suspected-bypassing-electronic-logs-8C
10995684
-http://www.zdnet.com/how-snowden-got-the-nsa-documents-7000019860/
[Editor's Note (Murray): If the user can cause or prevent entries in a log or journal, then it is not reliable. Admittedly, the process-to-process isolation problem was difficult when we tried to solve it with software in expensive hardware. Perhaps their contractors have not told the NSA that hardware is now cheap.]

NSA Paid Millions for Tech Companies' Compliance with PRISM (August 23, 2013)

Although major US technology companies have denied their knowing participation in the NSA's surveillance program known as PRISM, recently disclosed documents show that the NSA footed the bill for the companies' compliance to the tune of millions of dollars.
-http://www.zdnet.com/nsa-said-to-have-paid-millions-to-cover-costs-for-tech-gian
ts-in-prism-program-7000019807/

PayPal Fixes Account Hijacking Flaw (August 23, 2013)

PayPal has fixed a vulnerability that could have been exploited to delete accounts and replace them with a new one in the same name, but with a different email address. Attackers could add email addresses to targeted PayPal accounts, which then allowed them to delete the account.
-http://www.theregister.co.uk/2013/08/23/paypal_fixes_critical_account_switcheroo
_bug_after_researcher_tipoff/

Orbit Downloader Has Surreptitious DDoS Component (August 22 & 26, 2013)

Versions of Orbit Downloader released in December 2012 and later have the capability to turn computers into bots to be used in distributed denial-of-service (DDoS) attacks. The issue affects Orbit Downloader versions 4.1.1.14 and newer. The software surreptitiously downloads a DLL (dynamic link library) component.
-http://www.scmagazine.com/orbit-downloader-found-capable-of-malicious-activity/a
rticle/308672/
-http://www.computerworld.com/s/article/9241823/Popular_download_management_progr
am_has_hidden_DDoS_component_researchers_say?taxonomyId=17

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/