SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #87

November 01, 2013

TOP OF THE NEWS

Microsoft Urging Windows XP Users to Upgrade to Windows 8
Adobe Breach Affected At Least 38 Million Users
Los Angeles's Cyber Intrusion Command Center
ICE Social Engineering Tests

THE REST OF THE WEEK'S NEWS

Finnish Security Police Investigating Malware Infection at Foreign Ministry
badBIOS Malware Jumps Airgap, Infects Multiple Platforms
Mozilla Updates Firefox to Version 25
UK ISPs Ordered to Block More Sites in Bid to Quell Piracy
MPAA Publishes List of Top Filesharing Sites Around the World
Traffic Problems in Israeli Tunnels Likely Caused by Routine Glitches
Silent Circle and Lavabit Joining Forces to Develop Open Source "Dark Mail" Project

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec **************************
New Symantec Intelligence Report This report provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.
Learn more http://www.sans.org/info/142542
***************************************************************************
TRAINING UPDATE

- --South Florida 2013 Ft. Lauderdale, IL November 4-9, 2013 5 courses. Bonus evening presentations include The Security Impact of IPv6; Evolving Threats; and Real-World Risk - What Incident Responders Can leverage from IT Operations.
http://www.sans.org/event/south-florida-2013


- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

Microsoft Urging Windows XP Users to Upgrade to Windows 8 (October 30, 2013)

Computers running Windows XP are already six times more likely to suffer malware infections than machines running Windows 8, according to Microsoft Trustworthy Computing general manager Mike Reavey. The problem is only going to get worse in April 2014, when Microsoft ends support for the 12-year-old operating system. According to one estimate, after April 8, the likelihood of machines running XP becoming infected with malware will increase by two-thirds.
-http://www.v3.co.uk/v3-uk/news/2303629/windows-xp-six-times-less-secure-than-win
dows-8-warns-microsoft
-http://www.computerworld.com/s/article/9243660/Windows_XP_infection_rate_may_jum
p_66_after_patches_end_in_April?taxonomyId=17
-http://www.scmagazine.com/microsoft-urges-users-to-upgrade-from-12-year-old-wind
ows-xp/article/318715/
-http://isc31.sans.edu/forums/diary/SIR+v15+Five+good+reasons+to+leave+Windows+XP
+behind/16922
[Editor's Note (Pescatore): If you drive on bald tires, expect flats. The biggest issues will be appliances/machinery with embedded Windows XP, though most of the manufacturers of those devices never invest in patching anyway. Just a reminder: medical machinery *should* be patched, according to the FDA, and patching does not automatically require recertification. No one should be buying embedded Windows XP machinery anymore without assurance from the vendor that the vendor will be paying for custom patch support from Microsoft. ]

Adobe Breach Affected At Least 38 Million Users (October 29, 2013)

The estimated number of registered Adobe products users affected by a recent breach of that company's systems has been increased to more than 38 million. The breach was initially disclosed at the beginning of October. At that time, Adobe said that the attackers stole encrypted credit card information of three million customers. In addition to increasing the number of affected users, Adobe also said that the breach appears to have compromised source code for Photoshop.
-http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-use
rs/

Los Angeles's Cyber Intrusion Command Center (October 30, 2013)

Los Angeles, California has a brand new Cyber Intrusion Command Center, established in an executive directive from the city's mayor, Eric Garcetti, and operated with help and guidance from the FBI and the US Secret Service. The center's mission is to provide "... a single, focused team responsible for implementing enhanced security standards across city departments and serving as a rapid reaction force to cyber-attacks."
-http://www.latimes.com/local/lanow/la-me-ln-garcetti-cyberattack-command-center-
20131030,0,6025801.story#axzz2jIcin7Iv
-http://www.nbcnews.com/technology/los-angeles-creates-cyber-intrusion-command-ce
nter-8C11500067
[Editor's Note (Murray): Any such organization requires scale in order to maintain currency. That is one reason that this function, incident response, is usually outsourced by all but the largest enterprises.
(Paller): The only reason organizations outsource this function is that they do not have trained staff and think the outsourcers do but only the top 4 or 5% of staff members at incident response outsourcing firms have extraordinary skills; and LA's new Center can easily train a talented team able to do the vast bulk of incident response more cost-effectively and, in most cases, better than the outsourcers can. ]

ICE Social Engineering Tests (October 29, 2013)

The US Immigration and Customs Enforcement's (ICE's) social engineering initiative has earned the agency a Government Information Security Leadership Award nomination. The initiative involves calling personnel to try to trick then into saying their passwords, and sending phishing emails to trick them into providing access credentials. ICE employees have been undergoing training since winter 2012. Before the training about 50% fell for the attacks. Of the 5,000 who have completed the training, that number has been reduced by 60% to 20 percent of employees falling prey to the social engineering attacks.
-http://www.nextgov.com/cio-briefing/2013/10/ice-hacks-employees-teach-self-defen
se-cyberspace/72800/?oref=ng-HPrivers
[Editor's Note (Paller): These test-phishing programs can be much more effective than lectures and posters in stopping inappropriate employee behavior. The Securing the Human program (now used by more than 2,500,000 people) is testing a new function assessing employees' responses to social engineering attacks and making them more responsive. Looks very good and should roll out within a few months. If your organization has not switched to Securing the Human for security awareness, this is a good time, and spear phishing exercises is a good reason (in addition to STH being less expensive than do-it-yourself, constantly updated in 25 languages, and a program that employees actually like and take seriously). www.securingthehuman.org]

---

************************ Sponsored Links: ********************************
1) Ask the Expert Webcast: Enhancing Security Analytics with Endpoint Forensics - Tuesday, November 05 at 1:00 PM EST with John Pescatore and Jason Fredrickson Sr. Dir of Enterprise Application Development at Guidance Software. http://www.sans.org/info/142547

2) Survey Results are in: Inaugural Health Care Survey -by Barbara Filkins https://www.sans.org/reading-room/analysts-program/2013-healthcare-survey It's Not Your Father's IPS: SANS Survey on Network Security Results - by Rob VandenBrink http://www.sans.org/info/142552

3) Special Webcast: "Reading the Security Tea Leaves" - The Story from 50 million Vulnerabilities: Thursday, November 07 at 12:00 PM EST. Matt Johansen, Threat Research Center Manager at WhiteHat Security Inc. & Ed Bellis, CoFounder, Risk I/O, Inc. http://www.sans.org/info/142557
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Finnish Security Police Investigating Malware Infection at Foreign Ministry (October 31, 2013)

The Finnish Foreign Ministry's computer network has been infected with malware for several years. It is believed that whoever placed the malware on the computers did so with the intent of gathering sensitive data, especially communications between Finland and the European Union.
-http://www.businessweek.com/news/2013-10-31/finland-probing-extensive-hacking-of
-foreign-ministry-network
-http://arstechnica.com/tech-policy/2013/10/finlands-foreign-ministry-gets-pwned-
by-red-october-malware/
The attacks are allegedly to have originated in Russia and China.
-http://www.reuters.com/article/2013/10/31/net-us-finland-hacking-idUSBRE99U0ZL20
131031

badBIOS Malware Jumps Airgap, Infects Multiple Platforms (October 31, 2013)

Three years ago, security consultant Dragos Ruiu noticed that his MacBook Air was behaving strangely - updating firmware that helps the machine boot; undoing configuration changes; modifying settings; and deleting data - and all with no prompting. The machines were also sending pieces of network data even when power cords and Ethernet cables were unplugged and WiFi and Bluetooth cards removed. Ruiu found that even after he wiped the machines, the infections returned. The malware was found to have infected not only OS X, but several versions of Windows and Linux as well. Ruiu theorizes that the malware infects computers through USB drives, targeting "the lowest levels of computer hardware," such as the Basic Input/Output System (BIOS) and Unified Extensible Firmware Interface (UEFI). He has also theorized that badBIOS, as he calls the malware, can use high-frequency transmissions between computer speakers and microphones to jump airgaps.
-http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-m
alware-that-jumps-airgaps/
-https://isc.sans.edu/forums/diary/Happy+Halloween+The+Ghost+Really+May+Be+In+The
+Machine/16934
[Editor's Note (Murray): Malicious software can spread by any medium. Thumbdrives are no less useful for this than floppy disks, the medium for the spread of the earliest viruses. ]

Mozilla Updates Firefox to Version 25 (October 29 & 30, 2013)

Mozilla has released security updates for several of its products, including Firefox for desktop and mobile, Thunderbird, and Seamonkey. Firefox 25, the newest version of the browser, includes fixes for five security issued deemed critical.
-http://www.computerworld.com/s/article/9243654/Mozilla_releases_10_patches_five_
critical_for_Firefox?taxonomyId=17
-http://www.eweek.com/cloud/firefox-25-welcomes-mobile-guests.html/
-http://www.scmagazine.com/firefox-25-includes-patches-for-critical-memory-bugs/a
rticle/318709/

UK ISPs Ordered to Block More Sites in Bid to Quell Piracy (October 29, 2013)

A UK court has ordered Internet service providers (ISPs) there to block 21 additional websites suspected of encouraging illegal music filesharing. The blocks must be in place by Wednesday, October 30. Earlier orders have called on UK ISPs to block eight other sites, including The Pirate Bay.
-http://www.bbc.co.uk/news/technology-24726078
[Editor's Note (Pescatore): This type of whack-a-mole blocking is rarely effective, but the UK seems to be pretty pro-active on protecting music industry revenue streams. How about pushing ISPs to filter known malware and/or block known malware delivery sites? ]

MPAA Publishes List of Top Filesharing Sites Around the World (October 28, 2013)

The Motion Picture Association of America (MPAA) has released a report that lists major illegal filesharing sites around the world. Ironically, the MPAA has criticized Google for returning high numbers of filesharing sites in its search results, but now MPAA has provided an organized list of many of those sites. The MPAA report was created to provide the US Trade Representative with the names of "potential Internet and physical notorious markets that exist outside the US."
-http://www.wired.com/threatlevel/2013/10/mpaa-illicit-torrents/
MPAA's Report critical of Google:
-http://www.mpaa.org/Resources/38bc8dba-fe31-4a93-a867-97955ab8a357.pdf
MPAA's Report on Filesharing Sites:
-http://www.mpaa.org/Resources/007146fe-31b7-4bd5-9a01-b5d636067251.pdf

Traffic Problems in Israeli Tunnels Likely Caused by Routine Glitches (October 28, 29, & 30, 2013)

Although an Associated Press report said that traffic problems on an underground highway in Israel were caused by a Trojan horse program, the company that operates the Carmel Tunnels maintained that the problems were caused by control system flaws. On September 8, traffic was halted for 20 minutes; the following day, the highway was shut down for eight hours.
-http://www.tomsguide.com/us/israel-tunnels-attack,news-17781.html
-http://technews.tmcnet.com/news/2013/10/29/7505838.htm
-http://www.cio-today.com/story.xhtml?story_id=13000DBMVM74
[Editor's Note (Pescatore): Lots of shameless hype early on this incident: first Cyberwar!!, then Cyberterrorism!! But, as most of these overhyped events end up, just another Cyberoops. ]

Silent Circle and Lavabit Joining Forces to Develop Open Source "Dark Mail" Project (October 31, 2013)

Lavabit and Silent Circle, which formerly provided secure email services, are joining forces to develop the Dark Mail encrypted mail project. Both companies chose to shut down their operations rather than face demands from the government for their private SSL keys. Dark Mail would protect email content and email metadata. The Dark Mail Alliance will provide open source protocol and architecture "to address privacy concerns against surveillance."
-http://www.computerworld.com/s/article/9243692/Silent_Circle_Lavabit_unite_for_3
9_Dark_Mail_39_encrypted_email_project?taxonomyId=17
-http://darkmail.info
[Editor's Note (Pescatore): The business model for these types of services doesn't exist, despite periodic surges when government surveillance fears rise. There are something like one billion people using free mail services like Google mail where they sign agreements to allow complete surveillance of every word they type, every attachment they send. ]

---

INTERNET STORM CENTER TECH CORNER

HTTP Request Hijacking in Mobile Applications
-http://www.skycure.com/blog/http-request-hijacking/

Kitchen Appliances With Spambots
-http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_b
e_a_spambot/

Retrieving Android App Client Certificates via Debugging the Applications
-http://gursevkalra.blogspot.com/2013/10/debugging-out-client-certificate-from.ht
ml

TP-Link Router CSRF
-http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-serv
er-configuration-of-tp-link-routers-2/

Firefox/Thunderbird Patch
-https://www.mozilla.org/security/known-vulnerabilities

US CERT Warns of New Joomla Vulnerability
-http://www.kb.cert.org/vuls/id/639620

Google Webmaster Tools Improve Malware Diagnosis
-http://googlewebmastercentral.blogspot.de/2013/10/easier-recovery-for-hacked-sit
es.html

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/