SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #80

October 08, 2013

The People Who Made a Difference In Security in 2013 There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. On Monday 16 December at the SANS Cyber Defense Initiative conference in Washington DC, SANS plans on celebrating the most dedicated and innovative "People Who Made a Difference in Security in 2013."

We know some of them, but we are looking for many more nominations. Nominations are due by 8 November 2013, and will be evaluated by a team from SANS, security industry analysts and thought leaders. Send your nominations or questions to trends@sans.org, full information is available at http://blogs.sans.org/security-trends/?p=2048 Award categories and more data may be found at the end of this issue.
Alan

---

TOP OF THE NEWS

NSA Attempts to Crack Tor Are (Mostly) Unsuccessful
FBI Seized Bitcoins From Silk Road Site, But Owner's Personal Stash Remains Encrypted

THE REST OF THE WEEK'S NEWS

US Supreme Court Declines to Hear Online Threat Case
Air Gaps
Gameover Trojan
General Alexander's Scope of Influence Raises Concerns
Cyberthreat Exercise for UK Banks
Thirteen Charged in Connection with DDoS Attacks Protesting Pirate Bay Shutdown
WHMCS Releases Updates to Address Security Issue
GitHub Source Code Warehouse Recovers from DDoS Attacks

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

CYBERACES STATE LEADERBOARD

CYBERACES STATE LEADERBOARD

SANS PRESENTS: PEOPLE WHO MADE A DIFFERENCE IN SECURITY IN 2013

SANS PRESENTS: PEOPLE WHO MADE A DIFFERENCE IN SECURITY IN 2013

---

******************* Sponsored By WhiteHat Security **********************
ALERT: HTML5 Storage Vulnerabilities: The ink on the HTML5 specification isn't even dry, and yet HTML5 Storage already has its own Web Storage Specification. Researchers in the WhiteHat Security Threat Research Center (TRC) know that "where there's code, there are vulnerabilities." And JavaScript is no exception. Watch this on demand webinar to gain insights into Web Storage usage and: - - Discover why Web Storage is not secure storage - - Get examples of POC Web Storage attacks - - Find out how hackers access your sensitive data - - See how the TRC is using new research to safeguard Web Storage http://www.sans.org/info/140570
***************************************************************************
TRAINING UPDATE


- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

NSA Attempts to Crack Tor Are (Mostly) Unsuccessful (October 7, 2013)

According to leaked documents, the NSA attempted to monitor targets using Tor by exploiting vulnerabilities in Firefox. NSA and its UK counterpart, GCHQ, have been trying for some time to crack Tor. Short for The Onion Router, Tor is an online anonymization service that helps users hide their identities and their online activity by routing encrypted traffic through other computers, which are volunteered by those machines' owners. One of the attempts to break Tor involved infecting the computers of Tor users. The report indicated that the NSA has been unsuccessful in decrypting Tor communications but had managed to "de-anonymize a very small fraction of Tor users."
-http://www.bbc.co.uk/news/technology-24429332
-http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encrypt
ion
-https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
-http://arstechnica.com/security/2013/10/nsa-repeatedly-tries-to-unpeel-tor-anony
mity-and-spy-on-users-memos-show/
[Editor's Note (Ullrich): Apparently some endpoint vulnerabilities allowed tracking: particularly Firefox 17. ]

FBI Seized Bitcoins From Silk Road Site, But Owner's Personal Stash Remains Encrypted (October 4 & 7, 2013)

The FBI seized US $26 million in Bitcoins after taking down the Silk Road black market website last week. Those funds belonged to Silk Road customers, but the FBI has not yet been able to obtain the estimated US $80 million in Bitcoins believed to be held by Silk Road mastermind Ross William Ulbricht, who was arrested last week. Ulbricht's Bitcoin holdings make up roughly five percent of all bitcoins in circulation. The FBI plans to hold on to the seized Bitcoins "until the judicial process is over" and then "probably just liquidate them."
-http://www.theguardian.com/technology/2013/oct/07/fbi-bitcoin-silk-road-ross-ulb
richt
-http://www.forbes.com/sites/kashmirhill/2013/10/04/fbi-silk-road-bitcoin-seizure
/

---

*************************** Sponsored Links: ******************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/140575

2) Server Security: Take this 5-minute survey and help us understand how the evolution of advanced and targeted threats changed your approach to security. Learn More http://www.sans.org/info/140580

3) SANS Webcast! Securing Web Apps Made Easy: A Review of H-P WebInspect with SANS Analyst Gregory Leonard and SANS Instructor Stephen Simms Thursday, Oct. 10, 1 PM EDT. http://www.sans.org/info/140585
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Supreme Court Declines to Hear Online Threat Case (October 7, 2013)

The US Supreme Court has declined to hear a case that would decide when online speech becomes grounds for prosecution. The decision not to hear the case lets stand an 18-month prison sentence for an Iraqi war veteran who threatened, in a YouTube video, to kill a judge if he did not grant him visitation rights to his daughter.
-http://www.wired.com/threatlevel/2013/10/scotus-internet-threats/
-http://sblog.s3.amazonaws.com/wp-content/uploads/2013/06/12-1185-brief-in-opp.pd
f

Air Gaps (October 7, 2013)

Bruce Schneier explains how to create an air gap to protect computers from Internet threats. While air gaps are "conceptually simple, ... they're hard to maintain in practice," as "it's impossible to completely avoid connecting the computer to the Internet." Among Schneier's rules for maintaining an air-gapped computer are: installing the minimum software necessary; turning off auto-run features; and not connecting the computer directly to the Internet once it has been configured.
-http://www.wired.com/opinion/2013/10/149481/

Gameover Trojan (October 7, 2013)

The Gameover banking malware uses a SSL connection to evade detection. Those behind this particular attack use spam to spread a downloader known as "Upatre," which retrieves Gameover from websites. The spam spreading the downloader uses the Cutwail botnet; the messages appear to be from financial institutions and government agencies.
-http://www.scmagazine.com/gameover-trojan-hides-activity-in-encrypted-ssl-connec
tions-to-defraud-victims/article/315215/

General Alexander's Scope of Influence Raises Concerns (October 6, 2013)

NSA Director General Keith Alexander also heads the US military's Cyber Command. Some have expressed concern about Alexander's dual roles. The Brookings Institute's Peter Singer said that it "blurs the lines between a military command and a national spy agency." Alexander defends the breadth of his influence, saying, "We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who's in charge." Jason Healey director of the Atlantic Council's Cyber Statecraft Initiative said. "We're allowing the same commander to tell us how bad the problem is and propose and implement solutions to fix it."
-http://www.washingtonpost.com/world/national-security/dual-leadership-role-at-ns
a-and-cyber-command-stirs-debate/2013/10/06/ffb2ac40-2c59-11e3-97a3-ff2758228523
_story.html
[Editor's Note (Pescatore): Back in 2008 President Bush's Comprehensive National Cybersecurity Initiative (NSPD-54/HSPD-23) moved federal cybersecurity leadership from national law enforcement to the national intelligence community. The vast majority of cyber attacks are criminal in nature and trying to treat them all as cyber-warfare has not helped the cause of cybersecurity. Having the offense *inform* the defense is a very good thing. Having the offense run the defense is rarely a good thing. ]

Cyberthreat Exercise for UK Banks (October 6 & 7, 2013)

In mid-November, financial institutions in the UK will participate in a one-day cyberthreat exercise. Designed by a third-party, Operation Waking Shark 2 will be monitored by the Bank of England, the Treasury, and the Financial Conduct Authority.
-http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10359520/Banks-p
ut-to-the-test-over-cyber-security.html
-http://www.itproportal.com/2013/10/07/uk-banks-simulate-massive-cyber-attack-ope
ration-waking-shark-2/

Thirteen Charged in Connection with DDoS Attacks Protesting Pirate Bay Shutdown (October 4, 2013)

Thirteen people have been charged in connection with a series of DDoS attacks launched in retaliation for the shuttering of The Pirate Bay. The attacks ran between September 2010 and January 2011 and targeted government and company websites that were known for their hostile stance toward illegal filesharing.
-http://www.theregister.co.uk/2013/10/04/op_payback_anon_indictment/
-http://www.zdnet.com/13-anonymous-members-indicted-over-operation-payback-700002
1571/
-http://news.cnet.com/8301-1009_3-57605991-83/u.s-indicts-13-alleged-members-of-a
nonymous-in-ddos-attacks/
Indictment:
-http://ia801002.us.archive.org/0/items/gov.uscourts.vaed.299616/gov.uscourts.vae
d.299616.1.0.pdf

WHMCS Releases Updates to Address Security Issue (October 4, 2013)

WHMCS has released updated versions of its software to address a vulnerability that could be exploited through SQL injection attacks. WHMCS offers a client management, billing, and support application for web hosting providers. WHMCS has updated its products to versions 5.2.8 and 5.1.10. The company has also released patches for older versions for users who are not able to upgrade.
-http://www.computerworld.com/s/article/9242979/Web_hosting_firms_at_risk_from_cr
itical_flaw_in_WHMCS_billing_and_support_system?taxonomyId=17
-http://blog.whmcs.com/?t=79427
[Editor's Note (Ullrich): This is a very sad, and for the most part un-necessary vulnerability. The developer neither validated input, nor properly encoded the data for use in a SQL query. He/she also failed to use prepared statements (probably the biggest oversight here). Yet more indications of "dark matter" developers who are invisible to the security community at large writing code for critical systems.
(Paller): The reason SANS provides secure coding courses is to avoid just these errors. One of the few proactive things security people can do to avoid such problems is ensure that the programmers can pass the GIAC secure coding certification exams. ]

GitHub Source Code Warehouse Recovers from DDoS Attacks (October 3 & 4, 2013)

GitHub, a San Francisco-based source code warehouse, has recovered from a string of distributed denial-of-service (DDoS) attacks. The first round of attacks began on October 1 and was quelled by the following day, but a new round began on Thursday, October 3. As of Friday, October 4, GitHub was back online.
-http://www.theregister.co.uk/2013/10/04/github_ddos/
-http://www.techweekeurope.co.uk/news/github-ddos-attacks-128704

---

STORM CENTER TECH CORNER

Even an old vulnerability can come with a new twist. This PHP detect not only uses an interesting PHP feature to bypass some signatures, but also came highly fragmented. (for all of those who think fragmentation attacks are no longer "current")
-https://isc.sans.edu/forums/diary/CSAM+-+RFI+with+a+small+twist/16748

- --Patching network equipment like routers is often overlooked. Just to reinforce the need to do so, one vulnerability in certain ASUS routers that is trivially exploited.
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3610

- --Tor provides pretty good anonymity, but may still be breached due to endpoint vulnerabilities.
-http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encrypt
ion

- --One of the important new security features of iOS 7 was activation lock. But sadly, the implementation could be a bit better. This video shows how activation lock can be bypassed.
-http://www.youtube.com/watch?v=LXZ6yUsn0v8

- --Important: Microsoft will release a patch for the IE 0-day vulnerability today!
-http://technet.microsoft.com/en-us/security/bulletin/ms13-oct

---

CYBERACES STATE LEADERBOARD

Veterans, Students, Job Seekers, Active Duty Military enrolled as of October 8, 2013 at 0800 hours (last Friday's numbers in parentheses):

Illinois 3,061 (2,971)

Massachusetts 901 (826)

New Jersey 803 (705)

New York 763 (665)

Virginia 684 (618)

California 496 (478)

Delaware 442 (322)
[Leader per capita ]

Minnesota 347 (293)

Maryland 247 (231)

Florida 163 (135)

Texas 141 (130)

Total: 9,438 (8,898)

More data: Cyberaces.org

---

SANS PRESENTS: PEOPLE WHO MADE A DIFFERENCE IN SECURITY IN 2013

There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because they have found ways to meet business and mission needs while protecting customer and business data from attackers. There are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security.

On Monday 16 December at the SANS Cyber Defense Initiative conference in Washington DC, SANS plans on celebrating the most dedicated and innovative "People Who Made a Difference in Security in 2013."

We are soliciting nominations from the SANS community for names of individuals, teams and groups who implemented security processes or technology in 2013 that resulted in meaningful and measurable advances in security. The criteria for nomination are:

1. Must have led the implementation and deployment of security processes or controls in 2013 that either (a) made measurable increases in cybersecurity or (b) enabled new business initiatives (such as use of BYOD, cloud, Smart Grid, Digital Government, etc) while maintaining required security levels.

2. The deployed solutions must show advances or innovation over common levels of practice.

3. Must be willing, and have management approval, to be publicly acknowledged. Company or agency names can be kept anonymous if necessary.

Awards will be made in several categories, including but not limited to:

1. Enhancing the Security Workforce

2. Implementing the Critical Security Controls

3. Meaningful Security Metrics 4. Mitigating Advanced Threats

5. Securing the Human

6. Vertical Industry Difference Makers: ICS, Healthcare, Government, etc.

Submissions are due by 8 November 2013, and will be evaluated by a team from SANS, security industry analysts and thought leaders. Send your nominations or questions to trends@sans.org, full information is available at
-http://blogs.sans.org/security-trends/?p=2048

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/