SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #82

October 15, 2013

Want to participate in benchmarking the top 4 Critical Security Controls? If you have more than 500 Windows computers, please answer these questions: (If you don't know the answers, ask your system management folks; they will be remarkably important to the success of your cybersecurity programs going forward.)

1. What Microsoft Systems Management platform are you running? If more than one, give approximate numbers.
_____ SMS 2003
_____ Configuration Manager 2007
_____ Configuration Manager 2012
2. Do you use the built-in functionality of this Microsoft platform to perform Operating System patching? ___ yes ___ no

3. Do you use the built in "SCUP" functionality of this platform to perform 3rd party Application patching or do you use a separate tool?
__ Use SCUP
__ Use another automated tool for application patching:
(name: __________________________________________)

4. Are you implementing "whitelisting" with the native Microsoft tools such as a Software Restriction GPO or the newer AppLocker features?
___ GPO
___ AppLocker
___ Other (name: __________________________________________)

Your organization's industry: _____________________________________________
Number of Windows computers: ______________________________________________
[Return to top4benchmark@sans.org by Friday]

Alan

---

TOP OF THE NEWS

Shortage of Cyber Security Professionals Felt Worldwide
Voluntary Executive Order Cybersecurity Standards Could Become Baseline Expectations
Brazil Plans Secure Government eMail System

THE REST OF THE WEEK'S NEWS

Yahoo Webmail Gets Default SSL Protection in January
D-Link Promises Fix for Home Router Firmware Flaw by End of the Month
Malaysian Doman Name Reseller Compromised, Google Malaysia Sites Affected
Foreign Intelligence Surveillance Court Approves NSA's Request to Renew Phone Metadata Collection
Citing "Failure of Oversight," Patriot Act Author Sponsors Reform Bill
Lavabit Founder Appealing Government's Order to Turn Over Encryption Keys
Former Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data
Three More Arrested in Barclays Theft Case

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

CYBERACES STATE LEADERBOARD (MORE THAN 10,000 REGISTERED)

CYBERACES STATE LEADERBOARD (more than 10,000 registered)

BENCHMARKING THE TOP 4 CRITICAL SECURITY CONTROLS

Benchmarking The Top 4 Critical Security Controls

---

**************** Sponsored By ForeScout Technologies *******************
The first phase of Continuous Diagnostics & Mitigation (CDM) contracts have been awarded. Would you like to address these new challenges? ForeScout CounterACT(TM) assists Federal and private sector IT organizations in meeting these requirements by providing real-time discovery and assessment of all endpoints on your network, and automatically mitigating any security issues that occur. Download the latest technical note: ForeScout CounterACT Continuous Diagnostics & Mitigation.
http://www.sans.org/info/140885
***************************************************************************
TRAINING UPDATE

--Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


--Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


--SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


--SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


--October Singapore 2013 Singapore, Singapore October 21-November 2, 2013 5 courses. Bonus evening presentations include Pen Testing the Smart Grid; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/singapore-sos-2013


--SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


--SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Shortage of Cyber Security Professionals Felt Worldwide (October 14, 2013)

Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists.
-http://www.nbcnews.com/technology/cyber-defenders-are-short-supply-hacking-wars-
escalate-8C11390053
[Editor's Note (Assante): Human talent continues to move up the list of vulnerabilities that organizations need to deal with! Managers struggle to identify the best competency mix for their organization. Commercial contracting is their primary means of tapping into deeper hard-to-find, expertise. There have been limited experiments in sharing competencies, such as the ICS-CERT fly-away team and proposals to tap into talent in National Guard cyber units. Figuring out how to get talent to the need will require a massive effort.
(Paller): The one program that has demonstrated it can find and develop the needed talent is Cyber Aces. With more than 7,500 entrants (veterans, college students, job seekers, more) from the efforts of the governors in just 5 states (See "Leaderboard" near the end of this issue), it is clear this program has found the formula for tapping the hidden national talent pool and can scale to meet more of the demand. The best of last-year's group is already enrolled in advanced training programs and demonstrating they are exactly the talent that is needed. To ensure the skills being developed meet employers' needs, an initial board of founding employer-sponsors is being formed. To be considered for membership, email Kate Straus kate@eventsinc.net. ]

Voluntary Executive Order Cybersecurity Standards Could Become Baseline Expectations (October 11 & 14, 2013)

US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach. The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, "There is a major difference between being 'compliant,' and being 'secure'" and that securing data is not an endgame - it's a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014.
-http://www.computerworld.com/s/article/9243150/New_NIST_cybersecurity_standards_
could_pose_liability_risks?taxonomyId=17s
-http://www.informationweek.com/government/security/nist-security-standards-falla
cies-and-pi/240162600
[Editor's Note (Pescatore): Nothing new will come out of the NIST "Yet Another Framework" effort, given the widespread existence of many other voluntary and involuntary frameworks. The baseline expectations already exist - customers expect businesses to protect their data, and it is very, very expensive when businesses don't. ]

Brazil Plans Secure Government eMail System (October 14, 2013)

The Brazilian government has given the country's Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government's electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country's national oil company, Petrobras.
-http://www.computerworld.com/s/article/9243200/Brazil_to_fortify_government_emai
l_due_to_NSA_revelations?taxonomyId=17

---

*************************** Sponsored Links: ******************************
1) Do you have full visibility through a real-time endpoint sensor and recorder giving you actionable intelligence within your SOC? Download Forrester's report to learn more. http://www.sans.org/info/140890

2) AlienVault OTX Reputation Monitor - Sign up to get free alerts if your IPs or domains are compromised http://www.sans.org/info/140895

3) Webcast: Take Control! 7 Steps to Prioritize Your Security Program. Wednesday, October 16 at 1:00 PM EDT with John Pescatore and Matt Hathaway. http://www.sans.org/info/140790
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Yahoo Webmail Gets Default SSL Protection in January (October 14, 2013)

Yahoo has announced that starting on January 8, 2014, all Yahoo mail will be protected by SSL by default. Microsoft has offered optional SSL protection since 2010 and it has been default for Microsoft webmail since July 2012. Facebook implemented SSL for all connections several months ago; it has been an option since 2011. Twitter offered it as an option at the beginning on 2011 and made it default by August of that year. Google has had SSL on by default since 2010, an option since 2008. Yahoo began offering the option of SSL encryption earlier this year.
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/14/yahoo-to-make-ssl-e
ncryption-the-default-for-webmail-users-finally/
-http://news.cnet.com/8301-1009_3-57607486-83/yahoo-mail-finally-turns-on-ssl/
-http://www.theregister.co.uk/2013/10/15/yahoo_mail_encryption_by_default_in_2014
/
[Editor's Note (Pescatore): One of the few upsides of the hype over NSA surveillance is some acceleration of making transport security more ubiquitous. The barriers to persistent data encryption are still high, but if you can leverage the hype to get started on attacking those barriers (mostly authentication and directory issues) the value is high. ]

D-Link Promises Fix for Home Router Firmware Flaw by End of the Month (October 13 & 14, 2013)

A backdoor has been found in firmware used in several models of D-Link and Planex home routers. The flaw can easily be exploited to take control of vulnerable devices and spy on browsing activity. D-Link is aware of the issue and says a fix will be available by the end of the month. Internet Storm Center:
-https://isc.sans.edu/diary/Old+D-Link+routers+with+coded+backdoor/16802
-http://www.bbc.co.uk/news/technology-24519307
-http://www.computerworld.com/s/article/9243191/Backdoor_found_in_D_Link_router_f
irmware_code?taxonomyId=17
-http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/
[Editor's Note (Pesactore): For all software on devices that are always connected to the Internet, we have to start seeing the vendors say "The fix will be pushed out.." vs. "A fix will be available.." ]

Malaysian Doman Name Reseller Compromised, Google Malaysia Sites Affected (October 13, 2013)

A Malaysian domain name reseller was compromised, resulting in DNS redirect attacks on Google's Malaysian sites. While the Malaysia Network Information Center (MYNIC) manages .my domain names, the organization has at least 50 resellers. MYNIC did not say which reseller was compromised, but did say that it plans to improve account security at all resellers. Internet Storm Center:
-https://isc.sans.edu/diary/google.com.my+DNS+hijack/16775
-http://www.computerworld.com/s/article/9243192/Reseller_account_hack_caused_Goog
le_39_s_Malaysia_sites_to_redirect?taxonomyId=17
[Editor's Note (Honan): We are seeing more and more attackers using this vector as a way of compromising domains. While domain name resellers and registrars need to do more to secure their services, companies need to ensure they are not overlooking this critical part of their Internet infrastructure. If you have not done so already make sure you contact your DNS Registrar or reseller to ensure the appropriate security controls are in place. ]

Foreign Intelligence Surveillance Court Approves NSA's Request to Renew Phone Metadata Collection (October 11 & 12, 2013)

The US Foreign Intelligence Surveillance Court has reauthorized the NSA's phone call metadata collection program. The previous authorization order expired on October 11. News of the reauthorization was disclosed in a press release from the Office of the Director of National Intelligence.
-http://arstechnica.com/tech-policy/2013/10/fisc-approves-phone-metadata-collecti
on-yet-again/
-http://thehill.com/blogs/hillicon-valley/technology/328181-court-gives-nsa-permi
ssion-to-continue-massive-phone-data-collection
DNI Press Release:
-http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/944
-foreign-intelligence-surveillance-court-approves-government's-application-to-r
enew-telephony-metadata-program

Citing "Failure of Oversight," Patriot Act Author Sponsors Reform Bill (October 11, 2013)

US Representative James Sensenbrenner (R-Wisconsin), who authored the original Patriot Act in the days following the September 11 attacks, is displeased with how the legislation has been used to justify the NSA's data harvesting programs. Sensenbrenner is introducing legislation with co-sponsors Senator Patrick Leahy (D-Vermont) and Representative John Conyers (D-Michigan) to try to address concerns over how the law has been used. The USA Freedom Act restricts aspects of the Patriot Act's controversial section 215 so it will be used more narrowly, in line with the original intent of the law. The bill also introduces changes to the FISC, including creating the position of public advocate to appeal court decisions that appear to violate the law, and allowing companies that have been served with the orders to specify the number of FISA orders and NSLs (national security letters) they have received and complied with.
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/11/patriot-act-author-
there-has-been-a-failure-of-oversight/

Lavabit Founder Appealing Government's Order to Turn Over Encryption Keys (October 10 & 11, 2013)

Ladar Levison, owner of the now-shuttered secure email service Lavabit, is asking the Fourth Circuit Court of Appeals in Virginia to rule that the government's orders earlier this year demanding that the company surrender its private SSL keys were unlawful. Levison is hoping to reopen the business. While Edward Snowden has not been named in connection with the Lavabit case, it seems likely that it was Snowden's communications the government sought when they demanded that Levison turn over the keys. Levison eventually relented, but shut down his company immediately after surrendering the keys, saying that he would rather shut down his business than be "complicit in crimes against the American people."
-http://www.wired.com/threatlevel/2013/10/lavabit-brief/
-http://investigations.nbcnews.com/_news/2013/10/11/20924083-snowdens-email-provi
der-fights-back-appeals-governments-demand-for-access?lite

Former Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data (October 14, 2013)

Lavabit will reopen for a brief window of time to allow users retrieve their data from the company's servers. Starting at 8 PM US Eastern time on Monday, October 14, users have 72 hours to change their passwords. Following that period, users will have a short window of time to retrieve an archive of their stored messages and account data.
-http://news.cnet.com/8301-1009_3-57607490-83/lavabit-to-reopen-briefly-to-allow-
former-clients-to-retrieve-data/
-http://www.engadget.com/2013/10/14/lavabit-reopens-briefly-ssl-archive/

Three More Arrested in Barclays Theft Case (October 10 & 11, 2013)

Police in London have charged three men in connection with the theft of GBP 1.3 million (US $2.08 million) from a Barclays bank. One of the men is a former Barclays employee. Four other people were arrested last month in connection with the theft, which occurred in April 2013. The attack involved some of the thieves pretending to be IT specialists, gaining access to bank computers, and placing a KVM (keyboard, video, and mouse) switch on a computer connected to the bank's network.
-http://www.v3.co.uk/v3-uk/news/2300126/police-charge-three-men-for-gbp13m-barcla
ys-cyber-theft
-http://www.bloomberg.com/news/2013-10-10/barclays-bank-hacking-suspects-charged-
over-2-1-million-theft.html

---

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

--Google GMail XSS Vulnerability

An independent programmer and web developer found a stored XSS vulnerability in GMail iOS. Google fixed the weakness and issued a $5,000 bounty to the man in only 4 days time.

-http://roy-castillo.blogspot.com/2013/10/google-mail-hacking-stored-xss-in-gmail
_11.html

--DNS Response Rate Limiting (RRL) can assist in DNS Spoofing

During the DNS OARC Fall Workshops conference, taking place on the 5th and 6th of October, in Phoenix, Arizona (USA), the ANSSI has presented a way to abuse some denial of service (DDoS) countermeasures to ease DNS cache poisoning attacks.

-http://www.ssi.gouv.fr/en/the-anssi/publications-109/scientific-publications/con
ference/abusing-anti-ddos-mechanisms-to-perform-dns-cache-poisoning.html

--Metasploit/Rapid7 DNS Hijack

The DNS settings for Rapid7.com and Metasploit.com were changed by a malicious third-party. It appears the domain was hijacked via a spoofed change request faxed to Register.com.

-http://news.softpedia.com/news/Metasploit-com-Hacked-by-Palestinian-Hackers-of-K
DMS-Team-390444.shtml

-https://twitter.com/hdmoore/status/388646690464358401

--vBulletin Vulnerability Opens Backdoor To Rogue Accounts

The widespread vBulletin CMS has a vulnerability that allows remote attackers to create new administrative accounts.

-http://www.theregister.co.uk/2013/10/10/vbulletin_vuln_opens_backdoor_to_rogue_a
ccounts/

More Tech Corner Links:

--Microsoft will consider Windows 8.1 a "Service Pack" for Windows 8

-http://support.microsoft.com/gp/msl-Windows-81

--Mexican ATM Machines Compromissed by Malware CDs

-http://blog.spiderlabs.com/2013/10/having-a-fiesta-with-ploutus.html

--Facebook Privacy Feature Changed (again)

-http://threatpost.com/facebook-privacy-feature-gone-for-good/102573

--Reverse Engineering D-Link Backdoor

-http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

--Microsoft record bug bounty

-http://threatpost.com/microsoft-bounty-winner-finds-payoff-outside-comfort-zone/
102559

--Google expanding its bug bounty program

-http://googleonlinesecurity.blogspot.com.au/2013/10/going-beyond-vulnerability-r
ewards.html

--Cisco Patches include important VPN SSL Certificate fix that prevents unauthorized access

-http://tools.cisco.com/security/center/publicationListing.x

--Outdated F5 load balancer firmware with old SSL Implementations hold back modern clients with better SSL options

-https://www.imperialviolet.org/2013/10/07/f5update.html

--Blackberry Update

-http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=C9F89831F6465
363099E5FD4390827D5?externalId=KB35139&sliceId=1&cmd=displayKC&docTy
pe=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewe
dDocsListHelperImpl

--Spiderlabs reporting more variations of IE "0 day" exploit

-http://threatpost.com/unexpected-ie-zero-day-used-in-banking-gaming-attacks/1025
54

---

CYBERACES STATE LEADERBOARD (MORE THAN 10,000 REGISTERED)

FINAL CYBER ACES REGISTRATION LEADERBOARD - Note registrations now exceed 10,000 Veterans, Students, Job Seekers, Active Duty Military enrolled as of October 15, 2013 at 0800 hours:

Illinois 3,181

Massachusetts 1,051

New York 1006

New Jersey 956

Virginia 816

Delaware 565
[Leader per capita ]

California 519

Minnesota 374

Maryland 275

Florida 174

Texas 158

Total: 10,438

More data: Cyberaces.org

Next report in two weeks will have data on results of the first (networking foundations of security) competition

---

BENCHMARKING THE TOP 4 CRITICAL SECURITY CONTROLS

SURVEY For Benchmarking the Top 4 Critical Security Controls (return to top4benchmark@sans.org by Friday).

If you have more than 500 Windows computers, please answer the 4 questions (at the top of NewsBite) so you can get an opportunity to test the benchmarking tool.

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/