SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #83
October 18, 2013
TOP OF THE NEWS
Flaws Could be Exploited to Put Critical Infrastructure at Risk of Attack
NSA Chief to Retire Next Year
Oracle Update Includes 51 Fixes for Java
THE REST OF THE WEEK'S NEWS
isoHunt Founder Agrees to Cease Operations and Pay US $110 Million
Cisco: Suspect Crypto "Not Invoked in Our Products"
Windows 8.1 Comes with Automatic Disk Encryption
Purloined PR Newswire Database Found on Server Holding Stolen Adobe Source Code
Nemim Malware Steals eMail, Browser Data
US Government Sites Using Expired SSL Certificates
Dexter Malware Found on Point-of-Sale Terminals in South Africa
California Governor Vetoes Privacy Bill Again
Ploutus Malware Lets Thieves Manipulate ATMs to Dispense Cash
INTERNET STORM CENTER TECH CORNER
************************** Sponsored By Bit9 ***************************
Every enterprise has high-value information that is vital to its success. As cyber-attack techniques become more sophisticated your "digital gold" is increasingly vulnerable. Today's cyber threats have changed in sophistication and focus. Download this eBook to learn what cybercriminals are doing to target you and your business. http://www.sans.org/info/141260
***************************************************************************
TRAINING UPDATE
--Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit
--Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit
--SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013
--SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013
--October Singapore 2013 Singapore, Singapore October 21-November 2, 2013 5 courses. Bonus evening presentations include Pen Testing the Smart Grid; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/singapore-sos-2013
--SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013
--SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Flaws Could be Exploited to Put Critical Infrastructure at Risk of Attack (October 16, 2013)
Researchers have found vulnerabilities in industrial control systems (ICS) that manage portions of the US's critical infrastructure, such as electric substations and water systems. The vulnerabilities could be exploited to crash servers, create denial-of-service conditions, or inject code. The vulnerabilities affect devices used for serial and network communication between servers and substations; the devices could be reached physically or by breaking into the wireless radio network over which they communicate with master servers.
-http://www.wired.com/threatlevel/2013/10/ics/
[Editor's Note (Assante): Chris and Adam are applying the necessary techniques to understand existing weaknesses in the implementations of relied-upon industrial protocols. They are covering important ground in a more comprehensive manner than past efforts to identify weaknesses and educate ICS stakeholders. I am hopeful that they will bring down the myth that serial protocols and devices are not something that one needs to be concerned about. Chris and Adam will talk about their research and share their tool at the SANS ICS Summit in Orlando this March! ]
NSA Chief to Retire Next Year (October 17, 2013)
General Keith Alexander plans to retire from his position as director of the NSA (and Cyber Command Chief) in the spring of next year. An anonymous source indicated that Alexander's top civilian deputy, John "Chris" Inglis, would also retire from his position by the end of 2014.
-http://www.theatlanticwire.com/national/2013/10/report-nsa-director-keith-alexander-out-next-april/70625/
-http://arstechnica.com/tech-policy/2013/10/nsa-chief-keith-alexander-and-top-deputy-will-abdicate-in-coming-months/
-http://www.scmagazine.com/report-nsa-director-keith-alexander-plans-spring-retirement/article/316802/
-http://www.zdnet.com/nsas-keith-alexander-to-stand-down-7000022066/
[Editor's Note (Pescatore): General Alexander's tenure, the longest I can remember for a DIRNSA, spanned the transition of NSA from an intelligence collection and cryptography development/deployment agency to the addition of responsibility for offensive cyberwarfare and defensive cybersecurity after President Bush's Comprehensive National Cybersecurity Initiative and the creation of the US Cyber Command in 2007. That is an enormous span of control and the Snowden revelations seem to point out that it may be too large a span of control.
(Paller): General Alexander raised the stature of the defensive mission at NSA from a backwater to a high level of professional performance under folks like Tony Sager. By empowering the defensive mission, he built a channel allowing offense (discovery of new vulnerabilities) to inform defense and, often over the objections of the NSA offense people, he enabled vulnerabilities to be translated into defensive guidance that actually works. NSA's guidance (including, for example, the new NSA Top 10) is much more valuable than the high-level essays from other federal agencies that masqueraded as security guidance. ]
Oracle Update Includes 51 Fixes for Java (October 16 & 17, 2013)
Oracle has released fixes for more than 50 vulnerabilities in Java. Of those, a dozen could be exploited to take control of vulnerable systems remotely. Brian Krebs writes that users who must run Java should update promptly; those who do not use Java should disable it. The current version of Java is Java 7 Update 45. Apple has also released an update for Java on OS X; the current version of Java for Mac is 1.6.0_65 for OS X 10.6.8. Oracle also released fixes for 76 flaws in a number of its other products.
-http://www.bbc.co.uk/news/technology-24564745
-http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
-http://www.computerworld.com/s/article/9243247/Oracle_plugs_critical_security_holes_that_are_putting_systems_at_risk?taxonomyId=17
[Editor's Note (Pescatore): Reports say Larry Ellison, Oracle's CEO, spent $100M or more to have his sailboat be slightly faster than New Zealand's sailboat. Wouldn't a similar investment in making Java security a non-oxymoron feel as good?
(Shpantzer): We must abandon the term Java, instead replacing it with the term Oracle Java, or Java by Oracle. To paraphrase the old AmEx commercial: Ownership has its privileges (and responsibilities). ]
*************************** Sponsored Links: ******************************
1) Take our BYOD survey and share your influence with other thought leaders; also enter to win a new iPad! http://www.sans.org/info/141265
2) Attend the DHS Continuous Diagnostics & Mitigation (CDM) Award Workshop - November 6, 2013. http://www.sans.org/info/140520
3) John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security. http://www.sans.org/info/141270
*****************************************************************************
THE REST OF THE WEEK'S NEWS
isoHunt Founder Agrees to Cease Operations and Pay US $110 Million (October 17, 2013)
isoHunt founder Gary Fung will shutter all operations and pay US $110 million to the eight movie studios that sued the BitTorrent search engine. Fung accepted the judgment just weeks before a trial in the case was scheduled to begin. The settlement follows a federal appeals court ruling that found Fung liable for inducing copyright infringement. The Motion Picture Association of America (MPAA) brought the lawsuit on behalf of the movie studios.
-http://www.wired.com/threatlevel/2013/10/isohunt-shutters/
-http://arstechnica.com/tech-policy/2013/10/bittorrent-site-isohunt-will-shut-down-pay-mpaa-110-million/
-http://www.pcworld.com/article/2055840/isohuntcom-to-shut-down-in-settlement-with-movie-studios.html
-http://www.wired.com/images_blogs/threatlevel/2013/10/isohunt-judgement.pdf
Cisco: Suspect Crypto "Not Invoked in Our Products" (October 17, 2013)
Cisco says that although cryptographic technology that is believed to be an NSA backdoor is present in some of the company's products' code libraries, it is not used, since the company designated a different cryptographic technology as an unchangeable default. The technology in question is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG).
-http://www.computerworld.com/s/article/9243301/Cisco_says_controversial_NIST_crypto_potential_NSA_backdoor_not_invoked_in_products?taxonomyId=17s
Windows 8.1 Comes with Automatic Disk Encryption (October 17, 2013)
Microsoft Windows 8.1 ships with automatic device encryption enabled by default, but the feature's hardware requirements mean that it works only on newer systems.
-http://arstechnica.com/information-technology/2013/10/windows-8-1-includes-seamless-automatic-disk-encryption-if-your-pc-supports-it/
-http://arstechnica.com/information-technology/2013/10/review-in-windows-8-1-mail-is-finally-usable-on-tablets-and-desktops/
-http://money.cnn.com/2013/10/17/technology/enterprise/windows-8-1/
[Editor's Note (Shpantzer): Maybe it's OK to have this new version of Windows work only with newer devices. Backward compatibility is one of the consistent security disablers and at some point, we have to decide if backward compatibility is worth the tradeoff.
(Murray): A step in the right direction. Developers continue to be reluctant to choose "safe out of the box." ]
Purloined PR Newswire Database Found on Server Holding Stolen Adobe Source Code (October 16 & 17, 2013)
Press release distribution service PR Newswire has acknowledged that criminal hackers compromised a customer database containing access credentials and contact data. PR Newswire said that the database held about 10,000 records. The company is urging affected customers to change their passwords. The stolen database was discovered on the same server where stolen Adobe source code was found several weeks ago, indicating that the thefts might be connected. The same group is believed to have broken into systems at LexisNexis, Kroll Background America, and Dun and Bradstreet.
-http://krebsonsecurity.com/2013/10/breach-at-pr-newswire-tied-to-adobe-hack/
-http://www.computerworld.com/s/article/9243279/Hackers_attack_PR_Newswire_get_user_data?taxonomyId=17
-http://www.scmagazine.com/pr-newswire-alerts-customers-to-change-passwords-following-breach/article/316799/
Nemim Malware Steals eMail, Browser Data (October 16, 2013)
A variant of malware known as Nemim has been spreading since April and has compromised thousands of computers. Nemim has been around since at least 2006. This most recent variant includes infection, downloading, and data-stealing components. It spreads through phishing emails and uses stolen digital certificates.
-http://www.scmagazine.com/hackers-compromise-certs-to-spread-nemim-malware-which-hijacks-email-and-browser-data/article/316607/
US Government Sites Using Expired SSL Certificates (October 16 & 17, 2013)
More than 200 US government websites appear to be using expired SSL certificates, putting site visitors at risk of having personal information stolen through man-in-the-middle attacks. Some of the expired certificates may be due, in part, to the government shutdown. According to a study from the University of California, users are likely to click through messages warning of expired certificates.
-http://www.itnews.com.au/News/360936,us-govt-left-vulnerable-by-expired-ssl-certs.aspx
-http://www.nextgov.com/cybersecurity/2013/10/security-flaw-200-government-websites-blamed-shutdown/72035/?oref=ng-HPriver
Study of Browser Security Warning Effectiveness:
-http://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf
[Editor's comment (Northcutt): And we are supposed to believe this is a new problem, or the result of the shutdown? Crypto should be managed with a life cycle mentality, keys should expire. And managers should be responsible to track and manage the expirations.
(Pescatore): The SSL certificate model is so broken, I'm not sure expired certificates make any difference in the actual level of security. But, they do cause user confusion and transaction abandonment - never a good thing. Widely used vulnerability scanners, such as Rapid7, Qualys and Tenable, will find and alert on expired certificates, while specialized tools such as Venafi provide SSL certificate discovery and management capabilities.
(Murray): I am less concerned with the failure to change keys on a timely basis than I am with the proliferation of and compromise of certification authorities. It is clear that there are more organizations that aspire to this role than are competent to fill it. I assert that our single signature PKI model is broken. We need to move PKI to emulate the multiple signatures that we use in the paper system. Think "witness," "endorsement," and "countersign." The system should not break because, merely for example, Diginotar is compromised. ]
Dexter Malware Found on Point-of-Sale Terminals in South Africa (October 15 & 16, 2013)
Malware known as Dexter has compromised point-of-sale terminals at thousands of businesses in South Africa. Dexter, which was first detected in December 2012, steals data from payment cards' magnetic strips and sends the information to the criminals who use it to conduct fraudulent transactions. The variant found on devices in South Africa has affected most banks in that country; hundreds of thousands of customers have had their payment card data compromised.
-http://www.bbc.co.uk/news/technology-24550505
-http://arstechnica.com/security/2013/10/dexter-malware-infects-south-african-restaurants-costs-banks-millions/
-http://www.scmagazine.com/dexter-malware-resurfaces-in-south-africa-costs-banks-millions/article/316387/
California Governor Vetoes Privacy Bill Again (October 15, 2013)
California Governor Jerry Brown has once again vetoed legislation that would have required law enforcement authorities to obtain warrants before searching suspects' electronic communications. Governor Brown said the bill would impede investigations and would impose requirements beyond those in existing federal laws. This is the third time he has vetoed the legislation.
-http://www.computerworld.com/s/article/9243227/Calif._governor_vetoes_email_privacy_legislation_for_third_time?taxonomyId=17
Governor Brown's Memo Explaining Veto:
-http://gov.ca.gov/docs/SB_467_2013_Veto_Message.pdf
Ploutus Malware Lets Thieves Manipulate ATMs to Dispense Cash (October 15, 2013)
Researchers have detected malware that can be used to induce ATMs to dispense cash directly to thieves, bypassing the need for a skimmer and cloned cards. The malware, known as Ploutus, has been found on machines in Mexico. The thieves picked locks to gain access to the machines and physically installed Ploutus on the ATMs.
-http://www.scmagazine.com/new-malware-enables-attackers-to-take-money-directly-from-atms/article/316409/
[Editor's Note (Shpantzer): Physical security is a critical aspect of information security. That said, getting your grubby paws on any given box shouldn't mean you can install anything you want, and it certainly shouldn't mean you can install anything you want and not trigger alarms. ]
INTERNET STORM CENTER TECH CORNER
Convincing Microsoft Phish
-https://isc.sans.edu/forums/diary/Microsoft+phish/16838
Apple iMessage Analysis
-http://blog.quarkslab.com/imessage-privacy.html
Square allows sending money via e-mail
-http://www.theregister.co.uk/2013/10/17/square_launches_payments/
Ship Navigation System Hack
-http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-discovered-in-global-vessel-tracking-systems/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+(Trendlabs+Security+Intelligence+Blog)
Honeydroid
-http://www.ieee-security.org/TC/SP2011/posters/HoneyDroid__Creating_a_Smart_Phone_Honeypot.pdf
Fake Mac Tech Support
-http://blog.malwarebytes.org/intelligence/2013/10/tech-support-scams-coming-to-a-mac-near-you/
Microsoft RADIUS Logs
-https://isc.sans.edu/forums/diary/CSAM+Microsoft+Logs+-+NPS+and+IAS+RADIUS+/16808
Oracle Critical Patch Update for October
-http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
(Java, Solaris, Oracle, MySQL) 127 security fixes including 51 Java fixes.
Rapid7/Metasploit DNS hijack not due to fake fax
-http://threatpost.com/registrar-in-metasploit-dns-hijacking-not-duped-by-fax/102588
WhatsApp Crypto Flaws
-https://blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapp-s-encryption/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org