Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #91

November 15, 2013

TOP OF THE NEWS

Microsoft Does Not Encrypt Server-to-Server Traffic
Loyaltybuild Data Breach Affects More Than One Million People
US Justice Dept. Files Brief in Lavabit Appeal

THE REST OF THE WEEK'S NEWS

Google Transparency Report
Microsoft November Patch Tuesday
Adobe Releases Security Updates for Flash, AIR, and ColdFusion
Two Arrested in Connection With Theft From Online Financial Accounts
Guilty Plea in Webcam Hacking and Extortion Case
International Space Station Computers Infected with Gaming Trojan in 2008
MacRumors Attack Compromises User Passwords
Lengthy Prison Sentence Sought for Stratfor Attack

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


********************** Sponsored By Lancope ****************************
LIVE CASE STUDY WEBCAST Learn how Hewlett Packard (HP) leverages NetFlow to * improve network visibility and security across its enormously complex, global network * obtain in-depth information that enables its security teams to act more quickly and minimize potential damage * quickly detect anomalous activity, such as, DDoS, malware and network misuse.
http://www.sans.org/info/143632
***************************************************************************
TRAINING UPDATE

- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Sydney 2013 Sydney, Australia November 11-23, 2013 6 courses. Bonus evening presentations include Advanced Exploit Writing: Use-After-Free Vulnerabilities.
http://www.sans.org/event/sydney-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

Microsoft Does Not Encrypt Server-to-Server Traffic (November 14, 2013)

A Microsoft executive told members of the European Parliament that the company does not encrypt server-to-server data traffic. Dorothee Belz, Microsoft EMEA VP for Legal and Corporate Affairs said that the company is "currently reviewing
[its ]
security system." Belz appeared before a European Parliamentary committee with representatives from Google and Facebook. Earlier, she had stated that Microsoft did not allow "direct access" to its servers. The revelation about the unencrypted traffic between Microsoft servers follows close on the heels of leaked documents that indicate the NSA and GCHQ tapped into such connections between Google data centers to access data.
-http://arstechnica.com/security/2013/11/we-still-dont-encrypt-server-to-server-d
ata-admits-microsoft/

-http://www.theregister.co.uk/2013/11/14/ms_data_centre_link_uncryption/
[Editor's Note (Pescatore): There's a big difference between the difficulties doing server to server encryption and the relative ease of doing data center to data center encryption. Back in 2005 or so Microsoft trumpeted Windows IPSec capabilities for "Server and Domain Isolation" when "de-perimeterization" was being overhyped - turn on IPSec encryption on all servers and you wouldn't need a perimeter, could publish all your IP addresses externally. Things may break on your network when access to unencrypted payloads is required for management and performance functions - even Microsoft went to authenticated but not encrypted server to server communications. The 802.1ae standard support hop by hop linksec decisions that solves many of the problems but efficient implementations in network gear and adoption have been very slow.
(Ullrich): When Microsoft pushed to convince its customers to deploy IPSEC inside corporate networks for more granular access control, Microsoft's own corporate network was used as a reference implementation. But maybe what is used for Microsoft's own corporate data may not be applicable to customer's corporate data stored on various Microsoft cloud services. ]

Loyaltybuild Data Breach Affects More Than One Million People (November 13 & 14, 2013)

An attack on the computer systems of Irish company Loyaltybuild has compromised the complete credit card information of at least 376,000 people. The attacks took place in mid-October. According to a preliminary investigation by the Office of the Data Protection Commissioner, the stored data, including the card numbers and the associated Card Verification Values (CVVs), were not encrypted. In addition, the names, addresses, phone numbers, and email addresses of one million customers were stolen.
-http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/
-http://www.irishexaminer.com/analysis/glitch-in-the-system-the-loyaltybuild-data
-breach-249392.html

[Editor's Note (Honan): Loyaltybuild is a company that manages loyalty programs on behalf of other companies. While the breach impacted LoyaltyBuild it also impacted the data belonging to the companies who outsourced their loyalty programs to LoyaltyBuild. Under Irish Data Protection law those companies are still responsible for the security of the customer data they entrusted to LoyaltyBuild. While you can outsource the management and processing of the data you cannot outsource the responsibility to make sure that data is secure. On another note the drip feed of information from Loyaltybuild about this breach is a stark lesson in how not to handle communications during an incident.
(Northcutt): In some sense it feels like some of these companies are throwing cups of gasoline in the air on a hot summers day while smoking cigars - - what did you think would happen? It is not like we do not have Payment Card Industry standards:
-https://www.pcisecuritystandards.org]

US Justice Dept. Files Brief in Lavabit Appeal (November 12 & 13, 2013)

The US Justice Department has filed an appellate brief in the Lavabit case. The government maintains that Lavabit founder Ladar Levison's promise of security to his customers does not exempt him or his company from having to comply with court orders. According to the brief, DOJ wanted the metadata from a single Lavabit account. (Although the investigation's target is not specified, it is widely believed to be Edward Snowden.) The DOJ dismissed Levison's concerns that it would use the SSL key it sought to peruse accounts of other Lavabit users.
-http://www.wired.com/threatlevel/2013/11/lavabit-doj/
-http://www.computerworld.com/s/article/9244009/DOJ_says_Lavabit_cannot_prevent_s
earch_warrants_by_39_locking_its_front_gate_39_?taxonomyId=17



************************** Sponsored Links: ******************************
1) Webcast: How Two Factor Authentication Defends Against User Targeted Attacks Thursday, November 21 at 1:00 PM EST with John Pescatore. http://www.sans.org/info/143637

2) New Analyst Paper in the Reading Roonm: Managing Threats and Compliance While Automating the CSCs: EiQ SecureVue Review. http://www.sans.org/info/143642 Author: Jerry Shenk

3) App Developers and Managers! Share Your Expertise by Taking SANS' 2nd AppSec Survey and Enter to Win an iPad! http://www.sans.org/info/143652
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Google Transparency Report (November 14, 2013)

According to Google's most recent transparency report, the US government made nearly 11,000 requests for user information from the company in the first six months of 2013. The Indian government made 2,700 requests of Google in that same period. The company makes note of the fact that the numbers represent only those requests that they are permitted by the US government to disclose.
-http://news.cnet.com/8301-1009_3-57612322-83/google-were-bombarded-by-govt-reque
sts-on-user-data/

[Editor's Note (Ullrich): I am not sure what these numbers tell us. Lately it seems the problem is the wholesale data syphoning without first making a request for information. Are the requests made legally the tip of the iceberg? What kind of evidence had to be presented? How was the data used? The report mentioned that these are only the requests they are allowed to publish. While Google complains about the large number of requests, there is an easy way out: Don't store so much data about your customers. Encrypt it in a way that renders the data inaccessible to you as a provider, and the requests will go away. ]

Microsoft November Patch Tuesday (November 13, 2013)

Microsoft's November patch Tuesday release includes a fix for a zero-day vulnerability in Internet Explorer (IE). Microsoft issued eight bulletins, three of which are rated critical. In all, 19 vulnerabilities are addressed. Along with the patches, Microsoft is urging customers to stop using the RC4 cipher and SHA-1 hashing functions. Microsoft issued an advisory that provides an update to address weaknesses in or disable RC4. Microsoft also said that it would not recognize the validity of certificates using SHA-1 after 2016.
-http://www.theregister.co.uk/2013/11/13/november_patch_tuesday/
-http://www.computerworld.com/s/article/9244026/Microsoft_Patch_Tuesday_advisorie
s_urge_ditching_old_weak_crypto_algorithms?taxonomyId=17

-http://krebsonsecurity.com/2013/11/zero-days-rule-novembers-patch-tuesday/
-http://arstechnica.com/security/2013/11/hoping-to-avert-collision-with-disaster-
microsoft-retires-sha1/

-http://www.v3.co.uk/v3-uk/news/2306713/microsoft-plugs-windows-internet-explorer
-and-outlook-vulnerabilities

-https://technet.microsoft.com/en-us/security/bulletin/ms13-nov
[Editor's Note (Ullrich): There was a bit of confusion about which of the zero-days was patched, due to a typo in the initial version of one of the bulletins. The currently exploited Microsoft Office "TIFF" vulnerability (CVE-213-3906) has not been patched. ]

Adobe Releases Security Updates for Flash, AIR, and ColdFusion (November 13, 2013)

Adobe has released security updates for Flash Player, AIR, and ColdFusion to address four vulnerabilities. The Flash update is available for Windows, Mac, and Linux. According to Adobe, the updates are not related to the recent theft of ColdFusion source code.
-http://www.computerworld.com/s/article/9244025/Adobe_patches_critical_vulnerabil
ities_in_Flash_Player_ColdFusion?taxonomyId=17

-http://www.zdnet.com/adobe-patches-flash-coldfusion-vulnerabilities-7000023110/
-http://www.scmagazine.com/adobe-plugs-holes-in-flash-player-and-coldfusion/artic
le/320842/

[Editor's Note (Pescatore): Between these and Windows Vulnerability Tuesday, it has been one of those multi-reboot weeks. I'd like to see software vendors multiply their user base by 3 minutes, and require product managers to spend that amount of time doing public service every time their product results in a patch that requires a reboot. (Ullrich): My usual reminder: Don't forget the ColdFusion patch. In particular the authentication bypass in Coldfusion 10. ]

Two Arrested in Connection With Theft From Online Financial Accounts (November 13, 2013)

US authorities have arrested two men in connection with a string of fraudulent online transactions that drained millions of dollars from US bank and brokerage accounts. Brothers Adrian and Gheorghe Baltaga were arrested on October 29. They allegedly stole account access credentials for accounts at Fidelity Investments and conducted fraudulent automated clearinghouse (ACH) transactions, transferring purloined funds onto prepaid debit cards.
-http://krebsonsecurity.com/2013/11/feds-charge-calif-brothers-in-cyberheists/
Indictment:
-http://krebsonsecurity.com/wp-content/uploads/2013/11/BaltagaIndictment.pdf
[Editor's Note (Henry): The Krebs articles suggests the possibility there may be more to this. The full extent of crimes committed in these types of cases is sometimes difficult to grasp. While an indictment is an initial charge, subsequent investigation often times uncovers a much more extensive scheme when additional evidence is uncovered, victims/witnesses are interviewed, etc. Time will tell if this is more expansive. ]

Guilty Plea in Webcam Hacking and Extortion Case (November 13 & 14, 2013)

A 19-year-old man has pleaded guilty to charges of extortion and unauthorized access of a computer for breaking into computers belonging to young women, taking pictures of them with their computers' webcams, and attempting to blackmail the young women. Jared James Abrahams will be sentenced in March 2014; his plea agreement is likely to draw a prison sentence of 27 to 33 months. Abrahams allegedly hacked into computers of more than 20 women.
-http://www.scmagazine.com//miss-teen-usa-hacker-pleads-guilty/article/321017/
-http://www.bbc.co.uk/news/technology-24929916
[Editor's Note (Shpantzer): One of my machines, a cheap old Asus eeePC netbook, has the best human interface to the webcam privacy issue I've seen: There's a simple metal slider that goes from right (open) to left (closed), over the webcam's lens. The rest of my machines have painter's tape... ]

International Space Station Computers Infected with Gaming Trojan in 2008 (November 12 & 13, 2013)

Recent news stories have said that International Space Station computers were infected with malware, and some have suggested that the malware may be Stuxnet. Those reports conflate two separate malware infection stories told by Eugene Kaspersky. One of the stories was about Stuxnet having infected a network at a Russian nuclear facility. The other story was about Russian astronauts telling Kaspersky, "from time to time, there
[is malware ]
on the space station." In one instance in 2008, a Trojan horse program designed to steal online gaming passwords was detected on laptops being used aboard the space station.
-http://www.theregister.co.uk/2013/11/13/space_station_malware_not_stuxnet/
-http://www.nbcnews.com/technology/no-stuxnet-did-not-infect-international-space-
station-2D11577724

MacRumors Attack Compromises User Passwords (November 12, 2013)

An attack on the MacRumors user forums has compromised the hashed passwords of all 860,000 users. The attacker managed to log in to a moderator account and elevate privileges to gain access to the user data.
-http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-passwor
d-data-for-860000-users/

[Editor's Note (Ullrich): The root cause of this attack was, yet again, shared passwords. One of the MacRumors administrator's password was leaked in another breach, and then used to log in to Macrumors and raid it's data. Over the last month, as far as I know, 2 of my own usernames and passwords were leaked in various site compromises. If you still reuse passwords, you will be compromised. If you don't use a password manager, you are reusing passwords. ]

Lengthy Prison Sentence Sought for StratFor Attack (November 12, 2013)

Federal prosecutors are seeking a 10-year prison sentence for Jeremy Hammond, who earlier this year pleaded guilty to breaking into the computer system at Strategic Forecasting, Inc. in December 2011. Hammond stole data from StratFor, including five million email messages and 60,000 credit card numbers. His sentencing is scheduled for Friday, November 15.
-http://www.wired.com/threatlevel/2013/11/hammond-sentencing-memo/
[Editor's Note (Henry): Swift and severe punishment are critical components to deterrence. Until those convicted of these types of breaches are held accountable and penalized, there is no "cost" and these types of crimes will continue unabated. ]

STORM CENTER TECH CORNER

iOS Update
-http://lists.apple.com/archives/security-announce/2013/Nov/msg00000.html

MediaWiki Update
-https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
-https://bugzilla.wikimedia.org/show_bug.cgi?id=53032

Facebook Warns Adobe Breach Victims
-http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/

Old Thunderbird S/Mime Problem re-surfaces
-https://bugzilla.mozilla.org/show_bug.cgi?id=332639

Packet Challenge: Odd Ethernet Headers
-https://isc.sans.edu/forums/diary/Packet+Challenge+for+the+Hivemind+What+s+happe
ning+with+this+Ethernet+header+/17012

Building Honeypots
-https://isc.sans.edu/forums/diary/Setting+up+Honeypots/17015

Google Drive Phishing
-https://isc.sans.edu/forums/diary/Google+Drive+Phishing/17018

Macrumors Forum Password Leak
-http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/

S/Mime X.509 Portscanning
-https://www.cynops.de/techzone/http_over_x509.html

Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/November+2013+Microsoft+Patch+Tuesday/17003

Adobe Patch Tuesday
-https://isc.sans.edu/forums/diary/Adobe+Google+and+other+Patch+Tuesday+patches/1
7006

-https://www.adobe.com/support/security/bulletins/apsb13-26.html
-https://www.adobe.com/support/security/bulletins/apsb13-27.html

Google Releases Chrome 31
-http://googlechromereleases.blogspot.com/2013/11/stable-channel-update.html

Microsoft Blog post recommends use of AES-GCM over older ciphers
-https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-rec
ommendation-to-disable-rc4.aspx?Redirected=true



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/