SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #69

August 30, 2013

TOP OF THE NEWS

New York Times Domain Hijack Due to Phishing Email
NIST Releases Cybersecurity Draft Framework
Three Men Charged with Stealing Company Code from Wall Street Firm

THE REST OF THE WEEK'S NEWS

Who is Behind the Syrian Electronic Army?
Facebook Releases First Transparency Report
NSA Allegedly Spied on UN offices and EU Embassies
Man Pleads Guilty to Hacking US Department of Energy Computer
Survey Confirms Woeful State of Application Security
Retailers Tops Concerns are Compliance and Security Vulnerabilities
Electronic Data Does Not Constitute 'Tangible Property.'

---

********************** Sponsored By WhiteHat Security ********************
ALERT: How Hackers Launch the Top Ten Web Attacks Every year the number and creativity of web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year. Learn about the latest and most insidious Web-based attacks researched and compiled from a panel of world-class web application security experts.
http://www.sans.org/info/138230
***************************************************************************
TRAINING UPDATE

- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- -- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Melbourne, Bangalore, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

New York Times Domain Hijack Due to Phishing Email (29th August)

On Wednesday evening hackers claiming to be part of the Syrian Electronic Army disrupted web services for the New York Times, as well as the Huffington Post UK and the Twitter image sharing site Twing.com. The attack appears to have originated after a user in a reseller for Australian based domain registrar Melbourne IT fell victim to a "targeted phishing attack". Melbourne IT is the domain registrar for the New York Times and the other affected domains. As a result the attackers gained access to the username and password of the reseller. The attackers were then able to alter the DNS records for the affected sites to servers under their control based in Russia. Control over the domain records were eventually returned to the rightful owners and normal services restored. Internet Storm Center:
-https://isc.sans.edu/diary/NY+Times+DNS+Compromised/16451
-http://www.theregister.co.uk/2013/08/27/twitter_ny_times_in_domain_hijack/
-http://www.net-security.org/secworld.php?id=15478
-http://www.scmagazine.com/hacker-group-takes-responsiblity-for-dns-attack-on-maj
or-media-sites/article/309132/
-http://www.theguardian.com/technology/2013/aug/28/twitter-newyorktimes-hack-syri
an-electronic-army
[Editor's Note (Ullrich): Yet another simple "give me your password" attack. It should be noted that the attack against twitter was only partially successful due to Twitter taking advantage of the Domain Lock feature for it's main twitter.com domain. ]

NIST Releases Cybersecurity Draft Framework (28th August)

The US National Institute of Standards and Technology has released a preliminary cybersecurity draft framework outlining standards and guidelines to support President Obama's "Improving Critical Infrastructure Cybersecurity" executive order issued in February of this year. The NIST document states "The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk." A spokesperson for NIST said the document is a discussion draft ahead of NIST's upcoming meeting in September where officials will meet with industry to discuss cybersecurity and help shape the forthcoming framework.
-http://fcw.com/articles/2013/08/28/nist-cybersecurity-framework.aspx
-http://www.federaltimes.com/article/20130828/IT01/308280005/NIST-seeks-feedback-
draft-cybersecurity-framework
-http://www.pcworld.com/article/2047778/nist-subjects-draft-cybersecurity-framewo
rk-to-more-public-scrutiny.html
-http://nist.gov/itl/upload/discussion-draft_preliminary-cybersecurity-framework-
082813.pdf
[Editor's Note (Paller): I am very hopeful that this framework is a first step in the right direction. The draft framework itself fails to accomplish what the Presidential Directive specified, (a Cybersecurity Framework that provides a "prioritized, flexible, repeatable, performance-based, and cost-effective approach.") The only criterion on which it excels is "flexibility" because any organization could do almost anything and claim it is following this framework. It fails most completely on prioritization and cost-effectiveness. I think the authors in the White House knew not to expect much from the team doing the initial framework and gave the subsequent job of making the framework real to DHS. If they can get the team John Streufert assembled there to demonstrate how to add the prioritization and cost-effectiveness, the Framework can be the beginning of important improvements. ]

Three Men Charged with Stealing Company Code from Wall Street Firm (27th August)

Three men have been charged in a scheme to steal the source code for the electronic trading software of a Wall Street based firm. Two of those charged were employees of the firm. They are accused of emailing the code from their work accounts to their personal accounts. According to the complaint one of the accused, Glen Cressman, a trader at the firm, sent emails to his personal account which included trading strategies and valuation algorithms. He is charged with two counts of unlawful duplication of computer related material and unauthorized use of secret scientific material. One of his alleged conspirators and former co-worker, Jason Vuu, faces twenty counts of the same charge. Vuu is alleged to have shared the stolen information with a former college friend with the aim to set up their own trading company.
-http://www.bloomberg.com/news/2013-08-26/three-charged-with-stealing-flow-trader
s-trading-software.html
-http://www.theregister.co.uk/2013/08/27/wall_street_secrets_stolen_via_email/

---

*************************** Sponsored Links: ******************************
1) Join John Pescatore and Tony Sager as they moderate a panel discussion on the upcoming SANS webcast titled, "Using the DHS Continuous Diagnostics and Mitigation Contract to Make Real Security Advances". Tuesday, September 10, 2013 at 10:00 AM EDT. http://www.sans.org/info/138235

2) Ask The Expert Webcast: Mobile Forensics: Recovering Data You May Be Missing. Featuring: Paul Henry, Jad Saliba and Lance MuellerFriday, September 06, 2013 at 1:00 PM EDT. http://www.sans.org/info/138240

3) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/138245
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Who is Behind the Syrian Electronic Army? (28th August)

In his latest blog post computer crime reporter Brian Krebs claims to have identified some of the individuals behind the pro-Syrian online hacktivist group the Syrian Electronic Army (SEA). According to Krebs the user database of one of the SEA's servers was compromised when the SEA was forced to move its servers to a Russian hosting provider. Using details from that compromised database, and piecing together various bits of information, Krebs claims one of the individuals alleged to be part of the SEA is a developer based in Turkey. In an interview with Venture Beat the named individual denied the claims.
-http://krebsonsecurity.com/2013/08/who-built-the-syrian-electronic-army/
-http://venturebeat.com/2013/08/28/sea-hacker-identities/

Facebook Releases First Transparency Report (28 August)

In its first ever transparency report, Facebook revealed that for the first six months of 2013 it received 25,000 requests from governments about Facebook users. Up to half of the requests came from US government agencies. Colin Stretch, Facebook's general counsel, revealed that many of the requests related to criminal cases. The information requested in most cases related to basic subscriber information, such as name and length of membership. In other cases the requests looked for additional information such as IP addresses or account content. Facebook also revealed that it did not respond to every request saying that it responded to 79% of the requests from the US government.
-http://www.computerworld.com/s/article/9241940/Facebook_got_25_000_government_re
quests_about_users_
-http://www.infosecurity-magazine.com/view/34198/facebook-report-discloses-number
-of-government-requests-for-user-data/
-http://newsroom.fb.com/News/699/Global-Government-Requests-Report
[Editor's Note (Murray): Note the numbers. Not surprisingly, Facebook is now the target of first choice. Moreover, for Facebook responding to government process servers is a significant cost of being in business. ]

NSA Allegedly Spied on UN offices and EU Embassies (27th August)

The latest revelations from Edward Snowden, which were published in the German magazine Der Spiegel, claim the NSA spied on the offices of the UN and also EU embassies. The article claims the NSA not only breached the security of the EU embassies in Washington and New York but also the VPN between them. The article also outlines that while in the networks of the EU embassies, the NSA detected attacks allegedly originating from China and were able to hack back into the Chinese systems. The revelations have caused further outrage amongst EU countries, especially in light of the recent trade negotiations between the US and the EU.
-http://www.spiegel.de/international/world/secret-nsa-documents-show-how-the-us-s
pies-on-europe-and-the-un-a-918625.html
-http://www.infosecurity-magazine.com/view/34179/nsa-revealed-spying-on-the-un-an
d-eu-embassies/

Man Pleads Guilty to Hacking US Department of Energy Computer (28th August)

Andrew James Milner, a 23 year old man from Pennsylvania, pleaded guilty in a US District Court to two counts of computer intrusion and one count of conspiracy. Between 2008 and 2011 Milner broke into various computer systems, including computers belonging to the US Department of Energy. Milner installed backdoors onto the systems he compromised and stole user login credentials, which he and his conspirators sold to others. One of the parties to whom Milner tried to sell login credentials were undercover FBI agents posing as buyers. Sentencing has been postponed until November 19 where Milner could face up to five years in prison on the conspiracy count, five years on one count of computer intrusion and 10 years for the other computer intrusion count which also involves causing intentional damage to a protected computer.
-http://www.theregister.co.uk/2013/08/28/hacker_plea_deal/
-http://www.net-security.org/secworld.php?id=15479

Survey Confirms Woeful State of Application Security (28th August)

In its "Current State of Application Security Report" the Ponemon Institute confirms most organizations surveyed have very lax application security. The survey reveals that 90% of all security vulnerabilities are at that application layer yet only 20% of IT security spending is at this level. The bulk of the security budget, the remaining 80%, focuses on networks and endpoint systems. The survey also reveals a serious disconnect between what senior management believes to be in place in relation to application security and what technical staff say is actually in place. Of the senior executives interviewed for the report, 71% believed that application security training is available and up to date. When asked the same question only 20% of technical staff agreed. Speaking about the results Larry Ponemon, founder of the Ponemon Institute, said "Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations' overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications".
-http://www.infosecurity-magazine.com/view/34222/most-organizations-are-woefully-
behind-in-application-security
-http://www.net-security.org/secworld.php?id=15476

Retailers Tops Concerns are Compliance and Security Vulnerabilities (28th August)

A report assessing computer security for retailers and retail processing systems has identified compliance with PCI DSS is a major concern. Many of those surveyed stated the amount and variety of store systems they employ makes it increasingly difficult to manage vulnerabilities across all those platforms. While many of those surveyed showed a clear understanding of PCI compliance, they highlighted the challenge is ensuring all these systems comply with PCI. On average only 22% of those surveyed said they trusted the manufacturers of these systems to provide security.
-http://finance.yahoo.com/news/mcafee-report-examines-challenges-retailers-120000
062.html
-http://www.net-security.org/secworld.php?id=15475
[Editor's Note (Murray): PCI DSS has transferred too much of the cost and risk to the merchant. We are now at the limits of what we can reasonably expect of the merchants. The card issuers have claimed that they have not issued EMV cards because the merchants refused to upgrade. Walmart, Target, McDonalds, CVS, Scheetz, and other national chains upgraded months ago. Today Metro-North Railroad announced EMV ticket vending machines. Where are the cards? Visa promised a push in 2012; we are three-fourths of the way through 2013. No progress. Merchants are wising up.]

Electronic Data Does Not Constitute 'Tangible Property.' (28th August)

Insurance company Liberty Mutual has filed a lawsuit against the supermarket chain Schnucks seeking release from liability in relation to a computer security breach Schnucks suffered earlier this year. Between December 2012 and March of this year 2.4 million credit and debit cards used at 79 of Schnucks' stores were compromised. As a result eight lawsuits have been filed against Schnucks by customers whose cards were hacked. Liberty Mutual is refusing to meet those claims stating that its coverage only applies to property damage and bodily injury and that electronic data does not constitute 'tangible property.'
-http://fox2now.com/2013/08/28/schnucks-sued-by-their-insurance-company-for-data-
breach/
-http://supermarketnews.com/retail-amp-financial/insurer-sues-schnucks-over-data-
breach
-http://news.softpedia.com/news/Insurance-Company-Files-Lawsuit-Against-Schnucks-
for-Data-Breach-378850.shtml

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/