Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #94

November 26, 2013

TOP OF THE NEWS

Technology Council Report Says Government Needs to Improve its Cybersecurity (But Is Disconnected From Reality)
Thieves Steal More Than US $1 Million in Bitcoins

THE REST OF THE WEEK'S NEWS

Blackshades Remote Access Tool Use On the Rise
The Racing Post Website Acknowledges Customer Database Attack
Twitter Switches to Individual Temporary Session Keys
Google Fixes Flaws in Password Recovery System
Lavabit Files Reply Brief in Appeal
UK Bank and Building Society Computers are Sending Spam
Older Version of Stuxnet More Sophisticated and Dangerous
Judge Dismisses Charges Over Casino Gambling Machine Hacking

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


************************** Sponsored By Bit9 ****************************
Do you know what's running on your PC or if you are the target of an advanced threat? Download this Trust Assessment Tool and find out what traditional anti-virus tools are missing. Learn More http://www.sans.org/info/144872
***************************************************************************
TRAINING UPDATE


- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --Asia Pacific ICS Security Summit Singapore, Singapore December 2-8, 2013 3 courses. Bonus evening presentations include First Things First: The Top 4 Security Mitigation Strategies.
http://www.sans.org/event/asia-pacific-ics-security-summit-training


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Technology Council Report Says Government Needs to Improve its Cybersecurity (November 22, 2013)

A report from a presidential technology council says that the US government is not setting a good example in cybersecurity. According to the report from The President's Council of Advisors on Science and Technology, "the Federal Government rarely follows accepted best practices." The report's "Overarching Finding" reads: "Cybersecurity will not be achieved by a collection of static precautions ...
[but instead ]
requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses." Among the report's recommendations is that Internet service providers (ISPs) increase their real-time threat response.
-http://arstechnica.com/information-technology/2013/11/presidents-tech-council-pl
ays-sad-trombone-for-federal-cyber-security/

-http://www.scmagazine.com/advisory-group-to-obama-isps-should-step-up-real-time-
threat-response/article/322616/

Report:
-http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_cybers
ecurity_nov-2013.pdf

[Editor's Note (Pascatore): This report reads as being very disconnected from what the federal government is actually doing or has been doing, and what has worked or hasn't worked - no mention of the DHS Continuous Diagnostics and Mitigation program, just a token reference to FedRAMP. It has yet another set of recommendations for national online identities and more information sharing between industry and government. It was very obvious that the report was written mostly by folks from Universities, along with Craig Mundie of Microsoft and Eric Schmidt of Google: many recommendations for more government funding for research, government updating of operating systems and browsers and more use of cloud services.
(Shpantzer): I submit to you the Report of the Defense Science Board Task Force on Computer Security. It is a good read and you may find the, um, findings, familiar. The Chairman of the Task Force at the time of the report was Willis Ware, who died last week at the age of 93. The report is dated 1970 (!) and a representative quote is in order: "It is important to influence designers of future computers and software so that security controls can be installed before the fact and as an integral part of the system. It is also important to ascertain what can be done with equipment presently installed or owned by the government." I repeat: 1970.
-http://csrc.nist.gov/publications/history/ware70.pdf]

Thieves Steal More Than US $1 Million in Bitcoins (November 25, 2013)

Thieves have stolen more than US $1 million in Bitcoins from Danish Bitcoin exchange BIPS. The company's founder and CEO Kris Henrikson said that earlier this month, the company was targeted by a distributed denial-of-service (DDoS) attack that appears to have laid the groundwork for a subsequent attack that disabled BIPS security systems and allowed the thieves to steal the Bitcoins. Two other significant Bitcoin thefts have taken place in recent weeks: an Australian online wallet service lost US $1.4 million in Bitcoins, and a Chinese exchange lost more than US $4 million. There have also been several smaller thefts.
-http://www.scmagazine.com/more-than-a-million-dollars-in-bitcoins-stolen-by-hack
ers/article/322605/

-http://www.networkworld.com/news/2013/112513-bitcoin-robbery-276352.html?hpg1=bn


************************** Sponsored Links: ******************************
1) Webcast: Prowling Peer-to-Peer Botnets Monday, December 02 at 1:00 PM EST George Kurtz and Tillmann Werner. http://www.sans.org/info/144877

2) Webcast: Hunting Attackers with Network Audit Trails. Friday, December 06 at 1:00 PM EST with Tom Cross, Director of Research, Lancope. http://www.sans.org/info/144882

3) Layered Security: Why It Works Monday, December 09 at 1:00 PM EST with Jerry Shenk. http://www.sans.org/info/144887
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Blackshades Remote Access Tool Use On the Rise (November 25, 2013)

Malware known as Blackshades is still being sold, and its use is on the rise, according to analysis conducted by Symantec. Source code for Blackshades, which is a remote access tool (RAT), was leaked in 2010. The malware collects usernames and associated passwords for email accounts, FTP clients, and other services.
-http://www.computerworld.com/s/article/9244348/_39_Blackshades_39_malware_still_
being_sold_Symantec_says?taxonomyId=17

-http://www.scmagazine.com/surge-in-blackshades-infections-exposes-machines-world
wide-to-rat/article/322617/

The Racing Post Website Acknowledges Customer Database Attack (November 25, 2013)

The Racing Post website was targeted in an attack that compromised customer data stored on one of the company's databases. The company said that while it is possible that other information was accessed as well, customers' financial data were not affected because "betting through the site ... takes place directly with the bookmaker," and that information is not stored on Racing Post's system.
-http://www.v3.co.uk/v3-uk/news/2308953/racing-post-website-hit-by-aggressive-cyb
er-attack

Twitter Switches to Individual Temporary Session Keys (November 22, 2013)

Twitter has joined Google, Facebook, and other tech companies in implementing stronger security measures to make it more difficult for the NSA or other similar organizations to snoop on its customers' data. Twitter now uses temporary, individual keys for each new session instead of one single master key. Each key works for only one session for one user, so organizations that obtain a key to decrypt a particular message will not be able to use that key to read earlier messages.
-http://news.cnet.com/8301-1009_3-57613517-83/twitter-upping-security-to-thwart-g
overnment-hacking/

-http://www.nbcnews.com/technology/twitter-joins-google-facebook-forward-secrecy-
security-2D11644163

Google Fixes Flaws in Password Recovery System (November 22, 2013)

Google has fixed vulnerabilities in its password recovery system that could have been exploited to hijack user accounts. A proof-of-concept exploit tried to trick users into clicking on a link in a spear phishing email. The link in the message rerouted the request to Google's account password reset page through a maliciously crafted page that harvests data.
-http://arstechnica.com/security/2013/11/google-squashes-nasty-bugs-that-led-to-p
erfect-storm-account-hijacking/

-http://www.theregister.co.uk/2013/11/22/researcher_earns_payday_for_fixing_high_
impact_gmail_password_flaw/

[Editor's Comment (Northcutt): Good for Google. This is not a new problem and sometimes it does not matter to me; my favorite knife catalog does not store my credit card number, if someone succeeds with a reset, not much is at risk. However, as we continue to increase our dependence on online retailers and cloud services, this becomes a bigger problem, (but not a new problem, the first link below is from 2008 and is a shout out to Ben Rothke):
-http://www.csoonline.com/article/205900/how-to-do-password-resets-right
-http://www.informationweek.com/attacks/5-ways-to-solve-the-password-reset-proble
m/d/d-id/1105781
]

Lavabit Files Reply Brief in Appeal (November 22, 2013)

Lavabit's legal team has filed its reply brief in its case appealing the US government's authority to demand the company's master encryption key. The outcome of the case will decide whether an Internet company can be compelled to surrender master encryption keys when entities are seeking information about a single user. According to Lavabit's brief, "the government has no general entitlement to search through the information of an innocent business."
-http://www.wired.com/threatlevel/2013/11/lavabit-reply-brief/
[Editor's Note (Pescatore): If it has been judged legal for a court order to demand a business open a safe, hard to see why encryption should be treated differently. ]

UK Bank and Building Society Computers are Sending Spam (November 22, 2013)

Research conducted by the University of Delft in The Netherlands indicates shows that computers at many UK banks and building societies are infected with malware that makes them send spam. Delft University Professor Michel van Eeten said that the fact these computers are being used to send spam is worrisome. "If they are vulnerable to that you have to wonder what else they are vulnerable to." The research was conducted on behalf of the BBC.
-http://www.computerworld.com.my/resource/security/uk-bank-networks-hijacked-to-s
pew-botnet-spam-bbc-finds/

Older Version of Stuxnet More Sophisticated and Dangerous (November 20 & 21, 2013)

According to Ralph Langner, the Industrial Control System (ICS) and SCADA expert who first brought Stuxnet to the public's attention, there are two versions of the malware, and the older version is even more dangerous than the one that made headlines several years ago. The earlier version of Stuxnet employed a more sophisticated attack and targeted the plant's gas valves in the Natanz nuclear reactor.
-http://www.darkreading.com/attacks-breaches/stuxnets-earlier-version-much-more-p
ower/240164120

-http://www.cio-today.com/story.xhtml?story_id=11100BDJA5UI
[Editor's Note (Shpantzer): Langner's report is here:
-http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
It's a good read, not too technical, nor filled with buzzwords for their own sake. ]

Judge Dismisses Charges Over Casino Gambling Machine Hacking (November 25, 2013)

A federal judge in Las Vegas has dismissed charges against two men who had been facing possible prison sentences for hacking casino gambling machines. John Kane and Andre Nestor were accused of taking advantage of a flaw in software used in casino gambling machines to win hundreds of thousands of dollars.
-http://www.wired.com/threatlevel/2013/11/video-poker-case/
[Editor's Note (Pescatore): The video poker software allowed a key of button pushes that would tilt the odds and these guys took advantage of it - just as many take advantage when airlines mistakenly price international flights at $1.49 due to update errors. If companies don't test software well enough, they are and should be generally liable for the results. The hacking charge was dropped earlier, and the government dropped the fraud charge after realizing they had no case. ]

STORM CENTER TECH CORNER

Malformed (Crafted?) Port 0 Traffic
-https://isc.sans.edu/forums/diary/More+Bad+Port+0+Traffic/17102

Autocad Malware
-http://blog.trendmicro.com/trendlabs-security-intelligence/autocad-malware-leave
s-victims-hackable/

Covert Acoustic Mesh Networks
-http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&
id=600

Port 0 DDoS
-https://isc.sans.edu/forums/diary/Port+0+DDOS/17081

Planning for Failure
-https://isc.sans.edu/forums/diary/Planning+for+Failure/17096

Tales of Password Reuse
-https://isc.sans.edu/diary/Tales+of+Password+Reuse/17087

Missing Mountain Lion Updates
-https://isc.sans.edu/diary/Apple+not+updating+OS+X+Mountain+Lion%3F/17093

Securing OS X
-https://www.usenix.org/conference/lisa13/os-x-hardening-securing-large-global-ma
c-fleet



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/