
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #79

October 07, 2013

TOP OF THE NEWS

FBI Seizes Silk Road Underground Black Market Website
Bitcoin Value Drops After Silk Road Seizure
Proposed Legislation Would Reform Foreign Intelligence Surveillance Court
NSA Admits to Cellphone Location Data Gathering Pilot

THE REST OF THE WEEK'S NEWS

LinkedIn Fixes Issues that Allowed Cross-Site Scripting
Chrome Updated to Version 30
Microsoft's Patch Tuesday Will Include Fix for Actively Exploited IE Flaw
Attackers Steal Adobe Product Source Code and Access Customer Data
German Man Arrested for Attack on State Website
US Justice Dept. Asks FISC Not to Allow Tech Companies to Divulge Data Request Details
Huffington Post Highlights Cyber Talent
US Government Demanded Lavabit Encryption Keys, According to Unsealed Documents
DHS to Expand Community College Cybersecurity Internship Program

STORM CENTER TECH CORNER

CYBER ACES SCOREBOARD


************************* Sponsored By Bit9 *****************************
Research Report: Do you have full visibility through a real-time endpoint sensor and recorder giving you actionable intelligence within your SOC? Download this free Forrester report to unravel the challenges presented in the SOC, and how a new-gen endpoint and server security strategy can help deliver maximum visibility, detection, response and protection within it.
http://www.sans.org/info/140505 **************************************************************************
TRAINING UPDATE


- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

FBI Seizes Silk Road Underground Black Market Website (October 2 & 3, 2013)

US law enforcement officials have taken down Silk Road, an underground black market forum known for distributing illegal drugs and offering hacking services for hire and hacking products for sale. Silk Road, which was reachable only through the Tor network, conducted transactions exclusively in Bitcoins. The operation included the arrest of Silk Road's operator Ross William Ulbricht. Ulbricht is being charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy.
-http://www.scmagazine.com/fbi-brings-down-silk-road-underground-market/article/314691/

-http://krebsonsecurity.com/2013/10/feds-take-down-online-fraud-bazaar-silk-road-arrest-alleged-mastermind/

-http://www.wired.com/threatlevel/2013/10/silk-road-raided/
Text of Complaint:
-http://media.scmagazine.com/documents/54/ulbrichtcriminalcomplaint_13437.pdf

Bitcoin Value Drops After Silk Road Seizure (October 3, 2013)

The value of Bitcoin has dropped in the wake of the FBI's seizure of the Silk Road website, which included US $3.6 million in bitcoins. One possible explanation is investors were shying away from the virtual currency because of its association with the underground site known for its shady dealings. The FBI was able to seize the bitcoins by obtaining their encryption keys from confiscated computer equipment.
-http://www.bbc.co.uk/news/technology-24381847
-http://www.washingtonpost.com/business/economy/bitcoin-industry-reeling-as-authorities-shut-down-silk-road-online-marketplace/2013/10/02/961b105a-2ba1-11e3-97a3-ff2758228523_story.html

Proposed Legislation Would Reform Foreign Intelligence Surveillance Court (October 1, 2013)

Two US legislators are sponsoring a bill that would reform the Foreign Intelligence Surveillance Court (FISC). The proposed legislation is a companion bill to one introduced in the Senate earlier this year. Among its provisions are the creation of an Office of the Constitutional Advocate to argue for civil liberties during court proceedings and a requirement that the Attorney General declassify or summarize certain FISC decisions.
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/01/the-house-is-divided-over-almost-everything-but-fisa-court-reform-might-be-able-to-unite-it/

NSA Admits to Cellphone Location Data Gathering Pilot (October 2 & 3, 2013)

The NSA has acknowledged that in 2010, it initiated a test project to collect wholesale cellphone location data on regular citizens, but ended the program in 2011 because it did not provide "operational value." NSA director General Keith Alexander said on Wednesday, October 2, that sample cellphone location data were collected "to test the ability of [the NSA's] systems to handle the data format, but that data was not used for any other purpose." Alexander had evaded answering a question about the subject last week in a hearing. Senator Ron Wyden (D-Oregon) suggested that there is still "significant information" that has not been disclosed.
-http://www.washingtonpost.com/world/national-security/nsa-had-test-project-to-collect-data-on-americans-cellphone-locations-director-says/2013/10/02/65076278-2b71-11e3-8ade-a1f23cda135e_story.html

-http://www.theregister.co.uk/2013/10/03/nsa_admits_tracking_us_cellphones/


*************************** Sponsored Links: ******************************
1) Take our BYOD survey and share your influence with other thought leaders; also enter to win a new iPad! http://www.sans.org/info/140510

2) Looking for 20 Critical Security Controls or Security Leadership Essentials Training in San Francisco? Register today http://www.sans.org/info/140515

3) Attend the DHS Continuous Diagnostics & Mitigation (CDM) Award Workshop - November 6, 2013. http://www.sans.org/info/140520
*****************************************************************************

THE REST OF THE WEEK'S NEWS

LinkedIn Fixes Issues that Allowed Cross-Site Scripting (October 1, 2013)

LinkedIn has fixed four cross-site scripting (XSS) issues that could have allowed attackers to steal users' credentials. The XSS-exploitable flaws were found in the "shared an update," "groups you may like," and "create a group" functions.
-http://www.infosecurity-us.com/view/34787/linkedin-shuts-down-four-xss-flaws/
[Editor's Note (Pescatore): I think we've really reached the point where these types of disclosures need to include info on "why was this vulnerability there?" and "Here is why it won't happen again." When a fast food outlet discloses that rat parts were found in a customer's burger, what you really want to hear is why it won't be in *your* burger if you ever decide to go there again. ]

Chrome Updated to Version 30 (October 3, 2013)

Google has updated its Chrome browser to version 30, addressing 50 security issues for which it paid outside researchers US $27,000 in bounties. Disclosing the number of flaws patched in Chrome updates is a relatively new development for Google.
-http://www.computerworld.com/s/article/9242942/Google_adds_pix_search_to_Chrome_squashes_50_bugs?taxonomyId=17

-http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html
[Editor's Note (Pescatore): Google gives us information on how much they paid the folks who found the rat parts in the burger (please see my comment on the LinkedIn story if you don't get the rat reference), but nothing on why we won't see more of the same in the future. There seem to be a lot of "use after free" rat parts being reported in Chrome, IE and lots of other software. ]

Microsoft's Patch Tuesday Will Include Fix for Actively Exploited IE Flaw (October 3, 2013)

Microsoft plans to issue eight security bulletins on Tuesday, October 8. One of the bulletins will provide a fix for a vulnerability in Internet Explorer (IE) that is being actively exploited. Four of the eight bulletins address issues rated critical. The other fixes address flaws in Windows, Office, Silverlight, Microsoft Server Software, and Microsoft .NET Framework.
-http://www.zdnet.com/8-microsoft-patches-coming-including-ie-zero-day-7000021538/

-http://www.computerworld.com/s/article/9242950/Microsoft_to_patch_zero_day_IE_bug_now_under_attack?taxonomyId=17

-https://technet.microsoft.com/en-us/security/bulletin/ms13-oct
Internet Storm Center:
-https://isc.sans.edu/forums/diary/October+Patch+Tuesday+Preview+CVE-2013-3893+patch+coming+/16721

[Editor's Note (Pescatore): See previous rat parts in burgers comments. ]

Attackers Steal Adobe Product Source Code and Access Customer Data (October 3, 2013)

Hackers broke into Adobe's network where they stole source code for a number of products, including Acrobat, ColdFusion, and ColdFusion Builder. They also accessed customer data, including account login credentials and nearly three million payment card records. The stolen data were stored on the same server used by the criminals who stole data from LexisNexis, Kroll, and Dun & Bradstreet. Adobe believes the attackers accessed the source code repository in mid-August.
-http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

-http://news.cnet.com/8301-1009_3-57605962-83/adobe-hacked-3-million-accounts-compromised/

-http://arstechnica.com/security/2013/10/adobe-source-code-and-customer-data-stolen-in-sustained-network-hack/

-http://www.bankinfosecurity.com/adobe-breach-affects-29-million-a-6122
Adobe Announcements: Illegal Access to Adobe Source Code:
-http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html
Customer Security Announcement:
-http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html

Internet Storm Center:
-https://isc.sans.edu/forums/diary/The+Adobe+Breach+FAQ/16727
[Editor's Note (Pescatore): Continuing my "rat parts in burgers" theme, this is like thieves breaking into a rat-burger company and stealing the recipe for rat-burgers *and* stealing the personal information of people who had been buying the rat-burgers. ]

German Man Arrested for Attack on State Website (September 30 and October 3, 2013)

An 18-year-old man from Hamburg, Germany, was arrested in connection with a distributed denial-of-service (DDoS) attack on the website of the State of Saxony-Anhalt. The young man has admitted his responsibility for the attack. Authorities searched the man's apartment and seized evidence, including copies of data taken from the site. Another young man was arrested in London in April in connection with a different DDoS attack, but news of his arrest was not made public until recently.
-http://www.net-security.org/secworld.php?id=15674
-http://www.esecurityplanet.com/hackers/german-teen-arrested-for-ddos-attack-on-government-web-site.html

US Justice Dept. Asks FISC Not to Allow Tech Companies to Divulge Data Request Details (October 2, 2013)

The US Justice Department (DoJ) has asked the FISC to deny a request from major technology companies, such as Google, Microsoft and Facebook, to publish additional details about requests for information they have received from the government. According to a September 30 DoJ filing, divulging the specific numbers of requests, and in some instances the nature of the requests, would "be invaluable to our adversaries." The companies expressed their disappointment, with a Yahoo spokesperson noting that the decision "ultimately breeds distrust and suspicion - both of the United States and of companies that must comply with [their] directives."
-http://www.washingtonpost.com/business/technology/justice-department-urges-court-not-to-approve-tech-firms-request-to-release-more-data/2013/10/02/7e38b9dc-2ba2-11e3-8ade-a1f23cda135e_story.html

Huffington Post Highlights Cyber Talent (October 2, 2013)

College freshman Arlan Jaska took first place at last spring's Cyber Aces Virginia Governor's Cup. While in high school, Jaska started a computer security club, but he and his classmates realized that the best way to learn to secure systems was by understanding how they can be attacked. Experimenting with offensive techniques on their own would have been illegal, but they found cybersecurity competitions outside of school that allowed them to develop real-world skills.
-http://www.huffingtonpost.com/arlan-jaska-/computer-security-club_b_4029601.html?utm_hp_ref=teen

US Government Demanded Lavabit Encryption Keys, According to Unsealed Documents (October 2 & 3, 2013)

Recently unsealed documents in a court case regarding secure email provider Lavabit's appeal of a US government demand for information show that the government had ordered Lavabit to provide it with its SSL keys. The order reads, in part, "The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation." Lavabit's owner, Ladar Levison, says he suggested logging Snowden's communications, decrypting them and uploading them to a government server on a daily basis. But the government wanted the private SSL key used to encrypt all Lavabit traffic. He initially provided the encryption keys in hardcopy format, printed out as strings of numbers. When he was found to be in contempt of court for this action and fined US $5,000 a day, he eventually relented and provided the government with the electronic keys, but then immediately shut down his business.
-http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/

-http://www.computerworld.com/s/article/9242930/US_demanded_access_to_encryption_keys_of_email_provider_Lavabit?taxonomyId=17

-http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/
-http://www.zdnet.com/unsealed-docs-show-what-really-happened-with-lavabit-7000021489/

-http://www.theregister.co.uk/2013/10/03/lavabit_snowden_investigation_details/
Pleadings Exhibits (Redacted):
-https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html

DHS to Expand Community College Cybersecurity Internship Program (September 30, 2013)

The US Department of Homeland Security (DHS) plans to expand its cybersecurity internship program for community college students. Over the summer, 23 students had unpaid internships at US Immigration and Customs Enforcement (ICE). The summer internships varied in length from four to 12 weeks. They worked with forensic investigators, examining devices confiscated by ICE agents. In the first round, 300 students applied, 200 were interviewed, and 23 selected for the program. DHS plans to increase the number of students participating in the program and to include another agency in the next round of internships. The announcement for the new round will be published by early November, and the 12-week internships are expected to begin in February or March 2014.
-http://www.communitycollegetimes.com/Pages/Technology/DHS-will-expand-cybersecurity-intern-program.aspx


STORM CENTER TECH CORNER

WHMCS Vulnerability

WHMCS is a billing and support software package that is frequently used by web hosting and software companies. The code appears to be missing basic SQL injection countermeasures: in this case, neither proper encoding, input validation, nor prepared statements were used. Given this fact, I wouldn't be surprised to find more similar vulnerabilities.
-http://localhost.re/p/whmcs-527-vulnerability
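The countermeasure named above, parameterized (prepared) statements, is easiest to appreciate next to the pattern it replaces. The following Python snippet is an added illustration written for this newsletter, not WHMCS code and not taken from the linked advisory; it uses the standard-library sqlite3 module, a constructed in-memory "clients" table, and constructed sample emails. It runs the same lookup two ways, once by splicing the caller's value into the SQL text and once by passing it as a bound parameter, and reports what each returns for an ordinary address, an address containing an apostrophe, and a string that ends the quoted literal early.

```python
import sqlite3

# Constructed sample rows standing in for a billing system's client table.
SAMPLE_CLIENTS = [
    ("alice@example.test", "basic"),
    ("bob@example.test", "premium"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)"
    )
    conn.executemany("INSERT INTO clients (email, plan) VALUES (?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text.
    A quote in the input terminates the string literal, and whatever follows is
    parsed as part of the statement instead of as data."""
    sql = "SELECT email FROM clients WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Countermeasure: a parameterized statement. The query text is fixed and the
    value travels separately as a bound parameter, so no input can change the
    statement's structure; it is only ever compared against the email column."""
    sql = "SELECT email FROM clients WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and report what each returned.
    A database error raised by the unsafe path is reported as the exception name,
    which is also the kind of error a web application log would show when
    malformed input reaches an unparameterized query."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, email)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return {"unsafe": unsafe, "safe": lookup_safe(conn, email)}


if __name__ == "__main__":
    for probe in ("alice@example.test", "o'neil@example.test", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

For the ordinary address both paths return the single matching row. For the address with an apostrophe, the unsafe path fails with a syntax error (a symptom worth watching for in application logs), while the safe path simply finds no match. For the last input, the unsafe path returns every row because the tail of the input became a condition in the statement, whereas the safe path again returns nothing; that difference is the whole reason prepared statements are the baseline defense rather than ad-hoc escaping.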

Healthcare/Govt. Shutdown Spam

As with any large news event, scams are springing up, in particular around the launch of the healthcare marketplaces. Be on the lookout for fake marketplaces.
-https://isc.sans.edu/forums/diary/Obamacare+related+domain+registration+spike+Government+shutdown+domain+registration+beginning/16709

Support Calls Now Install Ransomware

We have heard about fake tech support calls for a while. In this new version, the tech support person will lock your system and ask for money to unlock it.
-https://isc.sans.edu/forums/diary/+microsoft+support+calls+-+now+with+ransomware/16703

To report fake support calls, please use:
-https://isc.sans.edu/reportfakecall.html

Multipath TCP

iOS 7 started using an interesting extension to the TCP protocol, Multipath TCP. Right now, it appears to be used only for Siri. But once it catches on, it poses new challenges for firewalls and intrusion detection systems.
-https://isc.sans.edu/forums/diary/iOS+7+Adds+Multipath+TCP/16682
(Please don't read this article if you like to wait until after a breach to figure out what went wrong)

PANDA Now Allows Finding SSL/TLS Master Secrets

Forensic analysts have a new tool available to extract SSL master keys from memory images. These keys can then be used to decrypt SSL traffic. This technique may also be helpful to analyze malicious traffic without having to reverse engineer the complete software.
-https://github.com/moyix/panda/blob/master/docs/panda_ssltut.md


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/