SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #88

November 05, 2013

SANS will be hosting two events of interest for US Government security professionals in November. Wednesday 6 November is the SANS Continuous Diagnostics and Mitigation workshop. If you haven't already registered, the in person event is sold out/capped, but you can sign up for the simulcast at https://www.sans.org/webcasts/dhs-cdm-award-workshop-97170. On 20 November, John Pescatore of SANS hosts a webinar providing guidance on the FedRAMP cloud services certification/accreditation program, featuring FedRAMP Program Manager Matt Goodrich. Join the webcast to get the information you will need to assure secure of cloud-based IT services by your organization. Sign up at https://www.sans.org/webcasts/fedramp-update-secure-government-cloud-services-96
045

---

TOP OF THE NEWS

NSA and Cyber Command Leadership Likely to be Separate
Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland
Firefox Beta Moves Toward Click-to-Run Default for Plug-ins

THE REST OF THE WEEK'S NEWS

Thieves Stole Data from Limousine Service Broker
Banking Trojan Modified to Look for SAP Installations
Chrome Canary Detects Suspicious Downloads
NIST Will Review Standard Development Process
Liberty Reserve Co-Founder Pleads Guilty
Results of SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

CORRECTION ON PESCATORE'S COMMENT ON MICROSOFT SUPPORT FOR XP EMBEDDED

CORRECTION ON PESCATORE'S COMMENT ON MICROSOFT SUPPORT FOR XP EMBEDDED

---

******************* Sponsored By WhiteHat Security **********************
ALERT: How a Hacker Breaks An Application with Vulnerability Daisy Chaining. With such a wide range of vulnerabilities it is easy to see how a malicious attacker can exploit seemingly "minor" vulnerabilities to create a truly devastating attack that could compromise an entire application. Learn key insights into how a hacker can daisy chain a series of web application exploits together to open the door to an application and steal real user accounts. http://www.sans.org/info/141485
***************************************************************************
TRAINING UPDATE


- --South Florida 2013 Ft. Lauderdale, IL November 4-9, 2013 5 courses. Bonus evening presentations include The Security Impact of IPv6; Evolving Threats; and Real-World Risk - What Incident Responders Can leverage from IT Operations.
http://www.sans.org/event/south-florida-2013


- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at

http://www.sans.org/ondemand/specials

Plus Sydney, San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

---

TOP OF THE NEWS

NSA and Cyber Command Leadership Likely to be Separate (November 4, 2013)

It appears likely that the next person to serve as NSA chief will not have authority over US Cyber Command, as does current NSA chief General Keith Alexander. Both military officials and legislators are leaning toward dividing the positions to prevent abuse of power and to help restore public trust in the NSA. Alexander, who was appointed head of the NSA in 2005 and acquired the leadership role at Cyber Command in 2010, plans to step down from those positions next year. He believes the two roles should be connected because agencies could end up squabbling over resources and decisions.
-http://thehill.com/blogs/hillicon-valley/technology/189036-nsa-chief-likely-to-b
e-stripped-of-cyber-war-powers
-http://news.cnet.com/8301-1009_3-57610793-83/nsa-chief-may-lose-us-cyber-command
-role/

Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland (November 3 & 4, 2013)

Swiss telecommunications company Swisscom plans to establish a "Swiss cloud" that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country's government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance.
-http://www.theregister.co.uk/2013/11/04/switzerland_to_set_up_swiss_cloud_free_o
f_nsa_snooping/
-http://www.v3.co.uk/v3-uk/news/2304738/swisscom-plans-swiss-cloud-to-hide-data-f
rom-prism-spies
-http://arstechnica.com/business/2013/11/swiss-telecos-cloud-aims-to-draw-custome
rs-who-are-fearful-of-spying/
-http://www.reuters.com/article/2013/11/03/us-swisscom-cloud-idUSBRE9A209S2013110
3
[Editor's Note (Pescatore): Just a few months ago Swisscom had to acknowledge a security breach when backup tapes containing customer and corporate sensitive information were stolen and given to a newspaper. And one year ago the Swiss Intelligence NDB admitted an insider had exported classified counter-terrorism intelligence information and they noticed this when the Swiss bank UBS notified them after UBS traced an attempt to open a new, numbered bank account to the IT technician. Seems like data and bank activity might not be risk-free in Switzerland.
(Murray): When their banks began to cooperate with the US IRS, the Swiss surrendered the historic trust on which such an offering as this might have been based. Those who want confidential communications or storage must rely on private encryption. One can no longer trust any institution for a result that one cannot verify intraday.
(Northcutt): I think the NSA thing is a bit overdone; they have been cast in the role of the Highlander, able to hear and process all of the world communications. However, cloud storage and processing does need to be taken seriously from a privacy perspective. I really like the University of Delaware policy. It is subtle, but they clearly get it:
-http://www.udel.edu/it/security/facultystaff/cloud2.html]

Firefox Beta Moves Toward Click-to-Run Default for Plug-ins (November 1, 2013)

The most recent beta version of Firefox moves closer to making "click-to-run" the default status for all plug-ins. The new feature will not automatically run plug-ins when pages are opened. Instead, users will see a box warning that the plug-ins the page requires may be vulnerable. Content will display only if users explicitly allow each plug-in. The only exception will be the most recent version of Flash. Other browsers have made exceptions for Flash as well. Google bundles Flash in its Chrome browser, making sure to push out updates when available, so that users are always running the most current version.
-http://www.theregister.co.uk/2013/11/01/firefox_plugin_blocking_enters_beta/

---

************************ Sponsored Links: ********************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/142712

2) AlienVault OTX Reputation Monitor - Sign up to get free alerts if your IPs or domains are compromised: http://www.sans.org/info/142717

3) The SANS DHS CDM Award Workshop on Nov. 6th is sold out, but you can still attend remotely via simulcast at http://www.sans.org/info/142722. Register now.
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Thieves Stole Data from Limousine Service Broker (November 4, 2013)

More data have been found on the servers where malicious hackers stashed the information they stole from Adobe and from PR Newswire. The intruders appear to have gained access to systems at a company that broker services for limousine and Town Cars across the US. More than 850,000 individuals' personal and financial information is included in the purloined data.
-http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
[Editor's Note (Murray): Krebs can usually be counted on for a good read but this article is over the top. Must reading for anyone with a customer database. ]

Banking Trojan Modified to Look for SAP Installations (November 1 & 4, 2013)

A new variant of an old banking Trojan horse program appears to have been modified to look for SAP installations. At present, the malware simply checks to see if infected computers have SAP installed, but there is concern that the information gathering may be laying the groundwork for future attacks.
-http://www.darkreading.com/attacks-breaches/is-a-tsunami-of-sap-attacks-coming/2
40163543
-http://www.computerworld.com/s/article/9243727/New_malware_variant_suggests_cybe
rcriminals_targeting_SAP_users?taxonomyId=17

Chrome Canary Detects Suspicious Downloads (November 1 & 2, 2013)

The Canary build of Google's Chrome browser has been updated to include functionality that detects malware attempting to download. A warning will appear at the bottom of the browser window when Canary detects an attempted malware download. Chrome Canary build is the name given to the "bleeding edge" channel of the browser, before it reaches the channel. Most features that are added to Canary do eventually appear in Dev, and then on into Beta and Stable versions of the browser.
-http://www.computerworld.com/s/article/9243768/_Canary_Chrome_chirps_when_it_sme
lls_malware?taxonomyId=17
-http://www.theregister.co.uk/2013/11/01/google_canary_security_update/s
[Editor's Note (Pescatore): Such blocking by default is a very good thing, despite the possible false positives. It is a needed safety feature, like when cars started making you have your foot on the brake before shifting out of park. It is also time to drive legitimate application developers to force distance between their products and malware as well. ]

NIST Will Review Standard Development Process (November 1, 2013)

The National Institute of Standards and Technology (NIST) plans to review its standards development process. The organization hopes to restore the credibility that took a hit several months ago when news stories broke that the NSA may have included a backdoor in a NIST-approved encryption algorithm. NIST will open its process for public review as well as review by an as-yet unnamed third-party organization. In a November 1 statement, NIST wrote, "Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable."
-http://arstechnica.com/security/2013/11/to-restore-credibility-nist-will-audit-i
ts-standards-development-process/

Liberty Reserve Co-Founder Pleads Guilty (November 1, 2013)

An alleged co-founder of the Liberty Reserve anonymous digital currency service has pleaded guilty to charges of money laundering and operating an unlicensed money transmitting business. Liberty Reserve was shut down earlier this year; the service was popular among underground operations. Vladimir Kats and six others were indicted. According to the indictment, "virtually all of
[the transactions conducted through Liberty Reserve ]
were illegal."
-http://arstechnica.com/tech-policy/2013/11/digital-currency-service-founder-plea
ds-guilty-faces-75-years-in-prison/
-http://www.justice.gov/usao/nys/pressreleases/May13/LibertyReservePR.php
Redacted Indictment:
-http://www.justice.gov/usao/nys/pressreleases/May13/LibertyReservePR/Liberty%20R
eserve,%20et%20al.%20Indictment%20-%20Redacted.pdf
-http://www.justice.gov/opa/pr/2013/October/13-crm-1163.html

Results of SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked (November 1, 2013)

A survey from McAfee and Office Depot of more than 1,000 small and medium-sized businesses (SMBs) found that two thirds were confident of the security of their data and devices. More than three-quarters of the companies said they had not been the victims of cyber attacks. There is a significant discrepancy between those numbers and research, which shows that SMBs are often targeted by cybercriminals. Seventy-two percent of breaches investigated by Verizon's forensic analysis unit in the company's most recent Data Breach Investigations Report were of companies with fewer than 100 employees. It is likely that many SMBs are simply not aware that they have been attacked.
-http://www.infosecurity-magazine.com/view/35374/thanks-to-a-false-sense-of-secur
ity-small-businesses-are-skipping-cyberprotection/

---

INTERNET STORM CENTER TECH CORNER

Querying DNS Server Cache
-https://isc.sans.edu/diary/When+attackers+use+your+DNS+to+check+for+the+sites+yo
u+are+visiting/16955

Seed Brute Forcer Released for php mt_rand Random Number Generator
-http://www.openwall.com/lists/announce/2013/11/04/1

Ebay Germany Uses Expired Certificates
-http://www.heise.de/security/meldung/Zertifikats-Schlamperei-bei-eBay-2039268.ht
ml

Morris Worm: 25-Year Anniversary
-http://www.zdnet.com/the-morris-worm-internet-malware-turns-25-7000022740/

Secunia PSI Report
-https://isc.sans.edu/diary/Secunia%27s+PSI+Country+Report+-+Q3+2013/16943
-http://secunia.com/resources/countryreports/

Protecting Your Family PC
-https://isc.sans.edu/forums/diary/Protecting+Your+Familys+Computers/16946

More BadBIOS Analysis
-http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

---

CORRECTION ON PESCATORE'S COMMENT ON MICROSOFT SUPPORT FOR XP EMBEDDED

************************************************************************

Correction: While standard support for Windows XP Embedded will last until 2016, no one should be buying embedded Windows XP machinery anymore without assurance from the vendor that the vendor will be paying for custom patch support from Microsoft after that date.

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/