SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #75

September 20, 2013

There are very real privacy issues involved in the information being disclosed about NSA. One of the most thoughtful pieces written about those issues and what needs to be done about them came from Dr. John Hamre, president of the Center for Strategic and International Studies. Dr. Hamre distributed the note to a small group of policy makers and thought leaders in the United States and several other countries, but it deserves to be read widely; it is attached it to the end of this issue of NewsBites.

Alan

---

TOP OF THE NEWS

Britain's GCHQ Hacked Belgian Telecoms Firm
RSA Warns Customers Not to Use Cryptographic Component with NSA Backdoor
Brazil Wants to Reduce Dependence on US-Based Internet Services
NSA Deploying Security Controls to Prevent More Leaks

THE REST OF THE WEEK'S NEWS

Eight Arrested in Barclay's Heist
Report Says its Too Soon to Professionalize Cybersecurity
Iowa State University Cybersecurity Competition
MPAA Says Search Engines Should Do More to Prevent Piracy
NIST Awards Grants for Development of Trusted Identity Systems
FBI Arrests Texas Man for Attempted Hacking
Foreign Intelligence Surveillance Court Releases Rationale on Legality of Phone Metadata Collection
NSA Bought Hacking Zero-Day Exploits
Firefox 24 Addresses 17 Vulnerabilities
Microsoft Issues Stopgap Fix for Vulnerability in Internet Explorer

DR. JOHN HAMRE (CSIS) ON THE NSA DISCLOSURES

DR. JOHN HAMRE (CSIS) ON THE NSA DISCLOSURES

---

************************ Sponsored By Bit9 *******************************
Do you know what is running on the endpoints and servers in your enterprise? Do you know the trustworthiness of the files on your systems? If you do not know the answers to these questions, you may have already been targeted. Download this whitepaper to learn why everyone is a cyber attack target.
http://www.sans.org/info/139770
***************************************************************************
TRAINING UPDATE

--Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


--Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation. http://www.sans.org/event/healthcare-summit


--SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


--SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


--SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


--SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


--SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


--SANS London 2013 London, UK November 16-25, 2013 17 courses.
http://www.sans.org/event/london-2013


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Chicago, and Ft. Lauderdale all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

(September 19, 2013)

On earlier occasions I have noted the unique paradox of America. With the tragic exception of African Americans who were brought here as slaves and native Americans who were living here for centuries before the Europeans arrived, most citizens trace their lineage to individuals who shared one common characteristic-they wanted to leave their native lands. To be sure, many of them saw no economic future back home and left for a better life. But also many of them left because the deck was stacked against them socially. They didn't come from privileged circumstances and many of them were escaping from pogroms and enforced service in the military.

So Americans have a unique perspective about their government. On the one hand, they want the government to protect them. On the other hand, they want to be protected from the government. We created a government system here that is constrained by laws, procedures, and custom.

---

TOP OF THE NEWS

Britain's GCHQ Hacked Belgian Telecoms Firm (September 20, 2013)

According to slides obtained by NSA whistleblower Edward Snowden and supplied to German newspaper Der Spiegel, GCHQ planted malware in the systems of Belgacom, the largest telecommunications company in Belgium. The attack involved planting an attack technology called "Quantum Insert", which was developed by the NSA. The attack technique surreptitiously directs victims to spook-run websites where they are exposed to secondary malware infection.
-http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgia
n-telecoms-firm-a-923406.html
-http://www.theregister.co.uk/2013/09/20/gchq_belgacom_hack_link/

RSA Warns Customers Not to Use Cryptographic Component with NSA Backdoor (September 19, 2013)

RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company's products, the BSAFE toolkit and Data Protection Manager, use the specification, known as Dual EC_DRBG, by default. RSA recommends that customers using the affected products switch to a different pseudo random number generator (PRNG).
-http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-pro
duct-rsa-tells-customers/
[Editor's Note (Murray): When the RSA patents expired, the BSAFE library was RSA'S stock-in-trade. It is the basis of hundreds of implementations. ("Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin." --John von Neumann) ]

Brazil Wants to Reduce Dependence on US-Based Internet Services (September 18, 2013)

As information about US intelligence data gathering continues to emerge, Brazil is considering ways it can reduce its dependence on US Internet services. Brazil does not plan to forbid citizens from using US-based services, but it does want companies to store Brazilians' data within the country.
-http://www.bbc.co.uk/news/technology-24145662
-http://world.time.com/2013/09/18/brazil-looks-to-break-from-u-s-centric-internet
/

NSA Deploying Security Controls to Prevent More Leaks (September 18, 2013)

The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to the NSA system will not do anything alone. The NSA is also limiting how employees store data on removable devices.
-http://arstechnica.com/security/2013/09/nsa-aims-to-plug-holes-that-sprang-snowd
en-leaks/

---

THE REST OF THE WEEK'S NEWS

Eight Arrested in Barclay's Heist (September 20, 2013)

London police arrested eight men in connection to a 1.3 million pound ($2.1 million) computer-aided robbery from Barclay's Swiss Cottage branch in London. The money was taken from via the bank's computer system in April
-http://www.bbc.co.uk/news/uk-england-24172305
-http://www.theregister.co.uk/2013/09/20/barclays_cyber_cops_make_arrests/

Report Says its Too Soon to Professionalize Cybersecurity (September 18, 2013)

According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce's skills.
-http://www.nextgov.com/cybersecurity/2013/09/cybersecurity-field-not-ready-be-pr
ofessionalized-study-finds/70488/?oref=ng-channeltopstory
[Editor's Note (Honan): Another reason to consider professionalization in our industry is the area of accountability. Today it is too easy for anyone to claim to be a cybersecurity expert and no real mechanism for them to be challenged on their claims or censured should they bring the industry into disrepute. ]

Iowa State University Cybersecurity Competition (September 17, 2013)

On Saturday, September 21, Iowa State University (ISU) will run its annual Cyber Defense Competition. More than 200 students are expected to participate in the event, which began in 2005. The competitions are conducted through ISEAGE, the Internet-Scale Attack and Event Generation Environment, which was developed at ISU. Teams of four to eight students from all disciplines and at all levels will defend their networks against attacks launched by a team of ISU industry partner professionals and graduate students.
-http://www.news.iastate.edu/news/2013/09/17/cyberdefense13

MPAA Says Search Engines Should Do More to Prevent Piracy (September 18, 2013)

The Motion Picture Association of America (MPAA) has released a report indicating that search engines need to make a more concerted effort to help fight piracy. The report comes just as the Commerce Department is considering ways to help private sector companies fight piracy. The MPAA's report said that Google's recent changes to its search algorithm have not had an effect on piracy.
-http://www.wired.com/threatlevel/2013/09/mpaa-google-fosters-piracy/
-http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-mpaa-piracy-study-
20130918,0,2271858.story
-http://www.politico.com/story/2013/09/google-piracy-97020.html?hp=l12
MPAA Study:
-http://www.mpaa.org/Resources/38bc8dba-fe31-4a93-a867-97955ab8a357.pdf
[Editor's Note (Pescatore): Google has led the way in search engines warning search users away from malware sites. It would be nice to see them do the same for sites featuring pirated content, even if Google could still sell advertising revenue around it. ]

NIST Awards Grants for Development of Trusted Identity Systems (September 19, 2013)

The US National Institute of Standards and Technology (NIST) has awarded more than US $7 million in grants to five organizations to develop systems for online identity protection and verification. The grants are part of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
-http://www.informationweek.com/government/security/nist-awards-grants-to-improve
-online-sec/240161535

FBI Arrests Texas Man for Attempted Hacking (September 18, 2013)

The FBI has arrested a Texas man for alleged accessing a protected computer without authorization. Fidel Salinas Jr. allegedly attempted to break into the Hidalgo County website server in January 2012. Salinas allegedly used a brute force SQL injection attack. The arrest was the result of a 21-month investigation.
-http://www.scmagazine.com/fbi-arrests-hacker-who-may-have-ties-to-anonymous/arti
cle/312259/
-http://media.scmagazine.com/documents/54/salinas_complaint_13291.pdf

Foreign Intelligence Surveillance Court Releases Rationale on Legality of Phone Metadata Collection (September 17, 2013)

The Foreign Intelligence Surveillance Court (FISC) has declassified its rationale that the collection of phone call metadata under the Patriot Act is legitimate. The FISC also noted that no US telecommunication company has ever challenged court orders requiring them to provide bulk telephony metadata.
-http://www.wired.com/threatlevel/2013/09/telcos-metada-orders/
FISC Opinion:
-http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf
FISC Rationale on Legality of Metadata Demands:
-http://www.uscourts.gov/uscourts/courts/fisc/br13-09-130917.pdf

NSA Bought Hacking Zero-Day Exploits (September 17 & 18, 2013)

According to documents obtained through the Freedom on Information Act (FOIA), the NSA purchased zero-day exploits from Vupen, which is known for selling such products. A 12-month contract between the NSA and the French company specified a subscription for "binary analysis and exploits service." Vupen's CEO noted that "there is no real news here since we have always been transparent about the fact that we work with major government agencies to help them defend their infrastructures and citizens." There is no way to know whether the NSA used the information for offensive or defensive purposes.
-http://www.scmagazine.com/nsa-sought-services-of-french-security-firm-zero-day-s
eller-vupen/article/312266/
-http://www.theregister.co.uk/2013/09/17/nsa_vupen/
-http://www.zdnet.com/nsa-purchased-zero-day-exploits-from-french-security-firm-v
upen-7000020825/

Firefox 24 Addresses 17 Vulnerabilities (September 18, 2013)

On Tuesday, September 17, Mozilla released Firefox 24. The newest incarnation of the company's flagship browser addresses a total of 17 flaws, seven of which are rated critical. Mozilla has also released an updated version of its Thunderbird email client.
-http://www.eweek.com/security/mozilla-updates-firefox-24-with-17-security-adviso
ries.html
-http://www.theregister.co.uk/2013/09/18/firefox_24_update/
-http://www.zdnet.com/firefox-24-fixes-many-serious-vulnerabilities-7000020808/

Microsoft Issues Stopgap Fix for Vulnerability in Internet Explorer (September 17 & 18, 2013)

Microsoft has issued a Fix It tool for a critical vulnerability in Internet Explorer (IE). The flaw is being actively exploited in IE 8 and 9. The flaw reportedly affects all currently supported versions of the browser and can be exploited through drive-by downloads. Microsoft is working on a patch for the flaw but has not yet said when it will be available.
-http://www.darkreading.com/attacks-breaches/microsoft-issues-emergency-fix-it-fo
r-ie/240161502
-http://krebsonsecurity.com/2013/09/microsoft-ie-zero-day-flaw-affects-all-versio
ns/
-http://www.informationweek.com/security/vulnerabilities/microsoft-beware-ie-zero
-day-attacks/240161451
-http://www.computerworld.com/s/article/9242469/Hackers_exploit_critical_IE_bug_M
icrosoft_promises_patch?taxonomyId=17
-http://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-security-a
dvisory-2887505.aspx
Microsoft Security Advisory:
-http://technet.microsoft.com/en-us/security/advisory/2887505
[Editor's Note (Pescatore): Net Applications says IE leads in browser share by users, Stat Counter says Chrome leads in page views. So, not clear which browser is really the most heavily used, but IE seems to clearly be the most frequently exploited. ]

---

DR. JOHN HAMRE (CSIS) ON THE NSA DISCLOSURES

(September 19, 2013)

On earlier occasions I have noted the unique paradox of America. With the tragic exception of African Americans who were brought here as slaves and native Americans who were living here for centuries before the Europeans arrived, most citizens trace their lineage to individuals who shared one common characteristic-they wanted to leave their native lands. To be sure, many of them saw no economic future back home and left for a better life. But also many of them left because the deck was stacked against them socially. They didn't come from privileged circumstances and many of them were escaping from pogroms and enforced service in the military.

So Americans have a unique perspective about their government. On the one hand, they want the government to protect them. On the other hand, they want to be protected from the government. We created a government system here that is constrained by laws, procedures, and custom.

All of this is now coming to a head on the question of cyber surveillance. A young man named Snowden betrayed his country by stealing vast quantities of classified information and fled the country, masquerading as a whistleblower patriot. (Okay, I got that out of my system.) These disclosures in the press have triggered a major cyclical change in America. After 9/11, the overwhelming demand by citizens was for the government to protect them from terrorism. Now it appears that the cycle has shifted and many Americans fear intrusion by the government in their private lives.

The Right and the Left are joining forces on this. The Left is always skeptical about American police powers. The Right is energized by the allegation that the Internal Revenue Service was targeting conservative organizations that sought tax-exempt status. They blame the Obama Administration for using the IRS to pursue political agendas. And the rising "tea party" caucus in Republican ranks shares the Left's skepticism of police powers more generally. So both Left and Right are energized on the domestic intelligence surveillance issue and are targeting the National Security Agency as a rogue operation violating the rights of ordinary citizens.

I used to serve on as a member of the Advisory Committee to the National Security Agency. So some people will obviously consider me biased. But honestly, these wild claims against NSA are simply untrue. Amazon, Facebook, VISA, American Express and Wal-Mart know a hell of a lot more about me and you than NSA does. These organizations (and business in general) collect vast quantities of information to try to understand their customers. Their knowledge is deep and intimate in its details. NSA isn't allowed to pursue any of this without a court order, and that is granted only after independent judges have determined there is tangible evidence that a citizen is connected to criminal or terrorist activities.

This is ironic, but it is also understandable. Amazon can give me a discount, but they can't put me in jail. The Government can, so we do want serious constraints on our government.

But we also want our Government to protect us. NSA has been the indispensable element of our overall system to detect and stop terrorist incidents, either here in the US or overseas. We shouldn't damage our most essential tool because we are running scared by staged press leaks by a traitor.

I know a lot about NSA's procedures and systems. I am personally confident that they are VERY careful to protect the privacy of citizens. But we do have a crisis.

Democracies, by definition, must conduct their most fundamental public debates in the open. But governments do have matters that they must undertake in secret. How do we reconcile this inherent tension?

Thirty-five years ago we faced a similar crisis and developed a good system. We established the FISA Court system, a special judicial process mandated by the Foreign Intelligence Surveillance Act (FISA) in 1978. If NSA wants to listen in on the conversations of American citizens (or anyone living in America, even if they are not a citizen, or an American citizen living overseas), they must get authorization from this independent court.

There is a fundamental flaw in the design of FISA, however. When the Supreme Court renders an opinion, it explains its reasoning in a public document. That process of public explanation of its decisions fundamentally establishes the legitimacy of the Court. The FISA court system does not publish the reasoning for its decisions. (Recently one judge did release a fine summary of her thinking in a case. This is a first.)

As a substitute, we rely on the respective intelligence committees of the House of Representatives and the Senate. These Committees represent you and me in a process of oversight of the intelligence community and the FISA court. They are the essential link that ties the democratic need for public debate to the government's legitimate need for secrecy.

Sadly, these committees descended into partisan skirmishing through the Bush Administration and into the first term of the Obama Administration, badly damaging their authority and focus. We need these institutions to return to their historic norm of thoughtful, bipartisan cooperation. The current committee leaders are strong and attuned to the need for bipartisan cooperation. The question is whether the rank and file representatives and senators will let the committees function honorably and collaboratively on a bipartisan basis.

Ultimately the crisis facing us with NSA is a crisis of legitimacy of the institutions we picked to oversee the intelligence community. NSA is doing important and honorable work, but it needs oversight scrutiny, and we need to strengthen the two sets of institutions that do that for all of us average citizens. It is the only way to insure our government is effective in protecting us, and that we are protected from abuse by the government.

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/