SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #77

September 27, 2013

A change in NewsBites - the Internet Storm Center team has added the 7 most interesting highlights from its recent Daily Diaries and podcasts, read and/or heard by more than 14,000 threat analysts every day. Look for TECH CORNER at the end of the issue.

Alan

---

TOP OF THE NEWS

Underground Identity Theft Site Hacked Data Aggregators
Google's eMail Scanning May Violate Wiretap Law
US Food and Drug Administration to Regulate Some Medical Apps

THE REST OF THE WEEK'S NEWS

NSA Director Keith Alexander Defends Data Gathering Practices to Legislators
Proposed Legislation Would Amend FISA to Limit Data Collection and Reform Foreign Intelligence Surveillance Court
Icefog APT Group Conducts "Surgical Strikes"
Problems Surfacing with Reassigned Yahoo Accounts
Former Barclays Employee Fired, Fined for Accessing Customer Data
NY State Task Force Recommends Updating Laws to Address Cybercrime
NSA and GCHQ May be Outsourcing Cybersecurity Tasks
NSA Seeks Civil Liberties and Privacy Officer
Dutch IT Trade Organization Objects to Proposed Breach Notification Legislation

TECH CORNER

Highlights from the Internet Storm Center

---

************************ Sponsored By Symantec *************************
Full Service Hackers for Hire Join our upcoming webcast to learn about a new breed of highly organized and sophisticated professional hackers now engaged in organized targeted attacks against a broad range of industries. You will learn how this group is providing customized attacks for their clients, and how you can protect yourself and your business from these state-of-art attackers. Register now.
http://www.sans.org/info/140205
**************************************************************************
TRAINING UPDATE


- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Underground Identity Theft Site Hacked Data Aggregators (September 25, 2013)

An underground website that trades in identity theft data reportedly gathers information by breaking into computers at major US data aggregators. The site, SSNDOB, sells Social Security numbers (SSNs), birthdates, and other personal data. Network analysis showed that SSNDOB administrators were also operating a botnet that had infiltrated servers at LexisNexis, Dun & Bradstreet, and Kroll Background America.
-http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service
/s
-http://www.theregister.co.uk/2013/09/25/krebs_lexisnexis_db_and_kroll_hacked/
[Editor's Note (Paller): Brian Krebs broke another big story here - with the penetration of the big data aggregators - LexisNexis, D&B, and Kroll, the criminals now own substantial data on early every American who spends money. Other major aggregrators have also been deeply penetrated - like the companies that provide credit ratings. ]

Google's eMail Scanning May Violate Wiretap Law (September 26, 2013)

A US federal judge in California has ruled that a lawsuit brought against Google for violating US wiretap law may move forward. The lawsuit alleges that Google violates the law when it scans email messages. Google maintains that it scans all emails that pass through its servers to check for spam as well as to create user profiles and provide targeted advertising. Google was seeking to have the lawsuit dismissed under a portion of the wiretap law that allows email providers to intercept messages if the action helps the message get delivered or is incidental to the efficient functioning of service. US District Judge Lucy Koh wrote in her decision, "the statutory scheme suggests that Congress did not intend to allow electronic communication service providers unlimited leeway to engage in any interception that would benefit their business models."
-http://www.washingtonpost.com/business/technology/judge-allows-lawsuit-against-g
oogles-gmail-scans-to-move-forward/2013/09/26/3b4bedaa-26e4-11e3-b75d-5b7f663498
52_story.html
-http://www.wired.com/threatlevel/2013/09/gmail-wiretap-ruling/

US Food and Drug Administration to Regulate Some Medical Apps (September 24, 2013)

The US Food and Drug Administration (FDA) will impose the same regulations on certain mobile medical apps as it does on medical devices. The apps affected are those that perform the same functions as medical devices, like blood pressure monitors. According to the FDA, "If a mobile app is intended for use in performing a medical device function
[such as diagnosis, cure, mitigation, treatment, or prevention ]
, it is a medical device, regardless of the platform on which it is run." Apps that log and track trends would not be subject to regulatory oversight.
-http://www.nextgov.com/mobile/2013/09/fda-will-regulate-some-mobile-medical-apps
-devices/70760/?oref=ng-HPriver
FDA Document on Mobile Medical Applications:
-http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Guidance
Documents/UCM263366.pdf
[Editor's Note (Pescatore): Remember: don't let mobile medical app vendors tell you "we can no longer patch those apps because of FDA certification." The FDA reissued guidance this year that first came out in 2005 (and was repeated in 2009) that patching vulnerabilities does not automatically necessitate recertification and that medical device/software vendors are deficient if they do not patch.
(Ullrich): If apps like these are used to make diagnostic decisions, it is important that they are proven to be as reliable as conventional diagnostic tools. In the past however, regulators had problems keeping up with new threats and flaws in medical devices and addressing the need for timely and robust patching processes.
(Shpantzer): Doctors sure love their iPads with a bunch of apps on them. Good thing they've avoided using them in clinical settings and will continue to do so until certified by the FDA. Oh, wait... ]

---

*************************** Sponsored Links: ******************************
1) SANS is pleased to offer the DHS Continuous Diagnostics & Mitigation (CDM) Award Workshop as a key opportunity to provide education on this program. The workshop will bring awareness of this important program, provide thought leadership around cybersecurity risks, showcase key solution capabilities /customer success stories and provide connections with Integrators and Solution Providers. November 6, 2013. http://www.sans.org/info/140210

2) Seeking Security Pros: Join your peers to learn advancements in IR and techniques to expose the threats that evade perimeter defenses. Free seminar in Chicago, NYC & Atlanta. http://www.sans.org/info/140215

3) Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/info/140220
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

NSA Director Keith Alexander Defends Data Gathering Practices to Legislators (September 26, 2013)

NSA Director General Keith Alexander told US legislators that the Foreign Intelligence Surveillance Court (FISC) has not placed an upper limit on the number of phone records the NSA may collect. Alexander said, "I believe it in the nation's best interest to put all the phone records into a lock box that we can search when the nation needs to do it." Alexander and several other intelligence officials along with members of the Senate Select Committee on Intelligence were speaking at a committee hearing. At the same hearing, Alexander avoided directly answering a question posed by Senator Ron Wyden (D-Oregon) about whether the agency had used cell phone data to track callers.
-http://www.computerworld.com/s/article/9242728/NSA_Surveillance_court_says_no_up
per_limit_on_phone_records_collection?taxonomyId=17
-http://www.charlotteobserver.com/2013/09/26/4343466/lawmakers-seek-to-fix-terror
ist.html#.UkTPQ0KinjA
Speaking at a cybersecurity summit earlier in the week, Alexander defended NSA data gathering. He also said he is willing to share cyberattack information with private sector organizations.
-http://www.washingtonpost.com/world/national-security/nsa-chief-defends-collecti
ng-americans-data/2013/09/25/5db2583c-25f1-11e3-b75d-5b7f66349852_story.html
-http://www.computerworld.com/s/article/9242698/NSA_chief_seeks_more_data_from_pr
ivate_sector_in_sharing_offer?taxonomyId=17

Proposed Legislation Would Amend FISA to Limit Data Collection and Reform Foreign Intelligence Surveillance Court (September 26, 2013)

US legislators have introduced the Intelligence Oversight and Surveillance Reform Act, which aims to protect people's privacy without sacrificing security. The proposed bill would amend the Foreign Intelligence Surveillance Act (FISA) by prohibiting bulk gathering of phone records and emails and prohibiting national security letters (NSLs) from being used for bulk collection of data. It would also establish the position of an independent constitutional advocate to "argue against the government when the FISC is considering significant legal and constitutional questions."
-http://arstechnica.com/tech-policy/2013/09/senators-to-introduce-comprehensive-n
sa-and-secret-court-reform-bill/
-http://news.cnet.com/8301-1009_3-57604756-83/congress-unveils-bill-to-limit-nsas
-powers/
-http://www.scmagazine.com/senators-introduce-reform-initiative-in-light-of-aggre
ssive-nsa-surveillance/article/313608/

Icefog APT Group Conducts "Surgical Strikes" (September 25 & 26, 2013)

A group of hackers called Icefog hire themselves out to make quick forays into targeted organizations to steal data and then disappear. According to Kaspersky Lab, the group, which numbers between six and 10 members, uses stealthy malware to infiltrate Windows and Mac systems. The attacks are categorized as advanced persistent threats (APT) and are very sharply focused on specific content.
-http://www.computerworld.com.au/article/527546/_icefog_spying_operation_targeted
_japan_south_korea/
-http://www.theregister.co.uk/2013/09/26/icefog_hit_and_run_apt_japan_south_korea
/
-http://www.forbes.com/sites/kenrapoza/2013/09/25/kaspersky-lab-uncovers-new-cybe
r-hit-n-run-op-called-icefog/
-http://arstechnica.com/security/2013/09/for-hire-elite-cyber-mercenaries-adept-a
t-infecting-windows-and-macs/
-http://www.darkreading.com/attacks-breaches/rise-of-the-hit-and-run-apt/24016187
0

Problems Surfacing with Reassigned Yahoo Accounts (September 24 & 26, 2013)

Some people who obtained reassigned Yahoo email addresses are receiving personal messages meant for the prior account holder. Some of the messages contain sensitive personal information, such as data about other accounts, emailed receipts, and appointment and travel confirmations. Earlier this year, Yahoo said it would begin reassigning email addresses and Yahoo IDs that had been inactive for more than a year. A company representative said that before reassigning the identifiers, they attempted to contact the account owners in several ways. Yahoo said they would unsubscribe the dormant accounts from newsletters and alerts and notify "merchants, ecommerce sites, financial institutions, social networks, email providers, and other online properties" that the account no longer exists before reassigning the name.
-http://www.bbc.co.uk/news/technology-24283179
-http://news.cnet.com/8301-1009_3-57604441-83/yahoo-recycled-id-users-warn-of-sec
urity-risk/
-http://www.informationweek.com/security/vulnerabilities/yahoo-recycled-emails-us
ers-find-securit/240161646
[Editor's Note (Pescatore): I'm not sure this is really that big of a deal, since the same thing has happened with phone numbers, home addresses, PO boxes, etc. for years. When you move, someone else gets your old home address and often someone else gets your old phone number. The major difference is where email addresses are used as user names on websites, which has always been a bad idea. ]

Former Barclays Employee Fired, Fined for Accessing Customer Data (September 26, 2013)

A former Barclays Bank employee has been fined GBP 3,360 (US $5,400) for accessing a customer's data without permission. Jennifer Addo was found to have accessed the customer's data 22 times between May and August 2011. The incident came to light when the customer noticed that a friend of Addo's knew things about him that could only be found out by looking at information in the bank's possession. Barclays terminated Addo's employment shortly after the customer registered a complaint.
-http://www.v3.co.uk/v3-uk/news/2296863/barclays-employee-fined-gbp3-360-for-ille
gally-accessing-customer-data
-http://www.information-age.com/technology/security/123457372/ex-barclays-worker-
fined---3-360-for-accessing-customer-s-data
-http://www.credittoday.co.uk/article/15970/online-news/ex-barclays-worker-fined-
for-accessing-customers-details

NY State Task Force Recommends Updating Laws to Address Cybercrime (September 25, 2013)

A task force has made recommendations to update New York State's white-collar crime laws to make them applicable to cybercrime. Criminal law in the state of New York has not been comprehensively revised since 1965 and has not had any significant changes made since 1986. "The intervening years have brought an evolution of crimes and factual scenarios." The task force comprises five committees, one of which is Cybercrime and Identity Theft.
-http://www.scmagazine.com/task-force-seeks-to-update-new-york-state-cyber-crime-
laws/article/313442/
Report of the New York State White Collar Crime Task Force:
-http://www.manhattanda.org/sites/default/files/WCTF%20Report.pdf.pdf
[Editor's Ote (Pescatore): I think anything that increases the attention to cybercrime and helps increase a law enforcement focus on cyber attacks (vs. a national Intelligence focus) is badly needed. In 2012 37% of felony complaints in NY involved identity theft or cybercrime and most statistics show the vast majority of damaging cyber attacks are criminal attacks aimed at financial gain. ]

NSA and GCHQ May be Outsourcing Cybersecurity Tasks (September 24, 2013)

US and UK intelligence agencies are reportedly outsourcing some cybersecurity tasks. The information was uncovered by F-Secure's Mikko Hypponen, who has been researching "where
[the agencies ]
get their expertise from."
-http://www.v3.co.uk/v3-uk/news/2296504/gchq-and-nsa-outsourcing-cyber-security-t
asks-to-third-party-vendors
[Editor's Note (Shpantzer): Who makes the US Air Force's B-2 stealth bomber? What about US Navy nuclear submarines and aircraft carriers? What about the pistols and rifles American soldiers carry? Just saying... ]

NSA Seeks Civil Liberties and Privacy Officer (September 24, 2013)

The NSA is seeking a Civil Liberties and Privacy Officer to be selected from within the agency's ranks. The new position will bring together "the separate responsibilities of NSA's existing Civil Liberties and Privacy (CL/P) protection programs under a single official." The officer will help NSA "ensure that CL/P protections continue to be baked into NSA's future operations, technologies, tradecraft, and policies."
-http://www.theregister.co.uk/2013/09/24/nsa_privacy_officer/

Dutch IT Trade Organization Objects to Proposed Breach Notification Legislation (September 24, 2013)

A trade organization representing IT companies in the Netherlands is objecting a proposed law in that country requiring technology companies to report security breaches. Nederland ICT says that Dutch companies are already required to report breaches to several organizations and that the new legislation would just create more administrative work. The draft legislation affects select industries that are part of the country's critical infrastructure and aims to clarify notification requirements for those companies that experience breaches. The government says the bill intends that only severe breaches must be reported, but Nederland ICT says that if the bill becomes law, companies are likely to start reporting all breaches.
-http://www.zdnet.com/dutch-it-companies-rebel-against-security-breach-notificati
on-law-7000021089/
[Editor's Note (Pescatore): The European Commission has also put forth a proposed directive that will require incident disclosure. So, the Dutch lobbyists do seem to have a point about an increasing number of government agencies they must inform - but I haven't seen anything in all of this that actually makes the breach information public. Reporting to government doesn't change business behavior as much as having to report to the public and the press does. ]

---

TECH CORNER

Highlights from the Internet Storm Center

iMessage Application for Android plays "man in the middle" and puts user data at risk:

-https://plus.google.com/u/0/116098411511850876544/posts/UkgaXa1oa6M
Chrome outlines improved requirements for Certificate Authorities

-https://cabforum.org/pipermail/public/2013-September/002233.html

-http://www.certificate-transparency.org
Twitter publishes Bittorent files by mistake. Not a serious problem, but confusing to users. And it also shows how a frequently shunned protocol like bit torrent can have some great uses in managing large scale distributed architectures.

-http://www.businessinsider.com/a-weird-twitter-bug-is-screwing-up-the-internet-2
013-9
Java Struts released a critical update. The vulnerabilities fixed here put numerous web applications at risk.

-http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
(s2-018 and s2-019 apply) Schneider Electric Ethernet Module Patch. Took them two years to remove hard coded "backdoor" passwords

-http://threatpost.com/ics-vendor-fixes-hard-coded-credential-bugs-nearly-two-yea
rs-after-advisory/102391
TLS usually adds a MAC to the data before they are encrypted. As a result, a recipient doesn't know if the data are valid until they are encrypted, which has long been considered a weakness in the protocol. This new proposal fixes this issue, but with all the recent news about government agencies affecting crypto standards, this proposal is receiving a lot of scrutiny.

-http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-03
How to create decent random strings for passwords/pre-shared-keys quickly.

-https://isc.sans.edu/diary/How+do+you+spell+%22PSK%22%3F/16643
For cyber security awareness month, which starts in October, the Internet Storm Center wants your "most interesting log". Send us a single line, or a couple lines, from any log that you consider interesting. We will publish a few of them during October and hope to get these logs to tell us an interesting story. If you submit a log, and include your mailing address, you will receive an Internet Storm Center sticker if your log is published. If you can't find an interesting log entry: You are just not looking hard enough! Send us your entry: handlers@isc.sans.edu

-https://isc.sans.edu/contact.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/