SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #95
December 03, 2013
New this issue: Pescatore First Look - John Pescatore (who built the security practice at Gartner and joined SANS last year) has been sharing his "First Looks" summarizing the importance of new products and services and of new acquisitions of security companies with a short list of CISOs at large organizations and strategists in major security companies. I asked him to summarize one for this issue of NewsBites so more people can get the benefit of his extraordinary breadth of knowledge about what matters in cybersecurity. If you like it, let us know and we'll continue.
Can you tell the difference between high and low quality graduate programs in cybersecurity? (Sorry for the long note, but this one matters to everyone who cares about the quality of cybersecurity leadership.)
At a 2012 meeting of U.S. college presidents there was much disagreement about the future of higher education, but as one of the presidents told me, "the one thing everyone agreed on is that cybersecurity is where the money is." Hundreds of colleges have quickly set up masters programs in cybersecurity; thousands of students are enrolling. Sadly, those colleges have found that they cannot find teachers with the combination of real-world, hands-on knowledge and great teaching skills to develop graduates with mastery of advanced topics in cybersecurity. As a result their graduates are finding it very hard to get the high-paying jobs that were "promised" and for which they borrowed tens of thousands of dollars in student loans. It is already hurting both students and the nation as more people enroll at hastily created university programs.
If you are considering a graduate program in cyber security or if you started one and are finding you are learning almost nothing other than theory, the recent accreditation announcement for the SANS Technology Institute may be of interest. It is a critical step in our efforts to develop the kind of technically proficient cyber leaders so desperately needed by government agencies and corporations alike. If you live in the D.C. area, join us next Thursday evening, December 12 at the Washington Hilton, D.C. to learn more from the president of the SANS Technology Institute, about how the SANS master's degree programs have already graduated some of America and Australia's most impressive cybersecurity leaders, and why SANS faculty have invested nearly a decade designing the program to augment the deep technical instruction of SANS courses and the validated knowledge of GIAC exams with additional simulations, projects and applied research that tie it all together into an integrated, master's-level experience known and respected by employers. If you're considering an advanced degree in the information security field, invest in one that has merit with a reputation that will last. This open house event includes access to SANS faculty leader Dr. Eric Cole's briefing on "Advanced Persistent Threats" commencing immediately after the master's program presentation. Please send your RSVP (required) to rsvp@sans.edu - 6PM, Thursday December 12, Washington Hilton, D.C.
TOP OF THE NEWS
European Parliament Shuts Its Public WiFi After Discovering Man-in-the-Middle Attack
Microsoft Will Encrypt Traffic Between Data Centers
Flash SMS Attack Can Crash Google Nexus Phones
THE REST OF THE WEEK'S NEWS
Bitcoin Miners Embedded in Browser Toolbars and Apps
Bitcointalk.org Forum Targeted by DNS Redirect and DDoS Attacks
A Pescatore "First Look" at the Akamai Acquisition of Prolexic
Probation for Man Who Participated in Koch Industries Cyberattack
D-Link Router Update
French Court Orders Search Engines and ISPs to Block Pirate Sites
Neverquest Banking Trojan Expanding its Repertoire
Unpatched Flaw in Windows XP and Server 2003
US Government Will Pay US $50 Million to Settle Software Piracy Case
Linux Worm Targets x86 Devices
STORM CENTER TECH CORNER
************************** Sponsored By Bit9 ****************************
Why have targeted Advanced Threats succeeded so dramatically when most organizations have architected sophisticated defense-in-depth strategies? Because most of the tools and strategies organizations possess were built for an older generation of security threats. Download this eBook to learn 5 ways first-gen security is failing you. http://www.sans.org/info/145152
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013
- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014
- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014
- --Asia Pacific ICS Security Summit Singapore, Singapore December 2-8, 2013 3 courses. Bonus evening presentations include First Things First: The Top 4 Security Mitigation Strategies.
http://www.sans.org/event/asia-pacific-ics-security-summit-training
- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Muscat, San Antonio, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
European Parliament Shuts Its Public WiFi After Discovering Man-in-the-Middle Attack (November 27 & 28, 2013)
The European Parliament turned off its public WiFi network in Strasbourg, France, following a man-in-the-middle attack that captured communications between smartphones and the WiFi network. The public WiFi network will remain shut down until IT staff have installed certificates on all devices that EP members use to access internal IT systems.
-http://www.zdnet.com/european-parliaments-network-hacked-public-wi-fi-network-shutdown-7000023733/
-http://www.v3.co.uk/v3-uk/news/2309641/european-parliament-switches-off-public-wifi-after-man-in-the-middle-attack
-http://news.techworld.com/security/3491268/european-parliament-cuts-wi-fi-after-french-researcher-breaks-into-email-accounts/
[Editor's Note (Honan): While the European Parliament's IT staff may be able to prevent man in the middle attacks by installing certificates on European Parliament members' devices, there still remains a large risk that staff may connect to other insecure networks away from the parliament. This is why it is so important to augment technical security controls with effective security awareness training.
(Murray): Would this action even be news were it taken for the same reason by any other operator of a public WiFi site? Are we surprised that any public WiFi site is subject to a "man in the middle" attack? Does the media hold the public sector to a different standard? Do they enjoy holding it up to ridicule?]
Microsoft Will Encrypt Traffic Between Data Centers (November 27, 2013)
Microsoft has joined Google and Yahoo in committing to encrypt the traffic between its data centers around the world. The step comes in response to leaked documents that suggest the NSA and GCHQ have worked together to tap into the privately leased fiber optic cables that the companies use to send traffic between data centers. In Microsoft's case, the documents suggest that the intelligence agencies used software called Monkey Puzzle to scan Hotmail, Windows Live Messenger, and Passport communications.
-http://www.zdnet.com/microsoft-to-encrypt-network-traffic-amid-nsa-datacenter-link-tapping-claims-7000023687/
-http://www.theregister.co.uk/2013/11/27/microsoft_encryption_nsa_spying/
[Editor's Comment (Skoudis): I'm quite amazed at the trust so many organizations had put in their ISPs and other ISPs, sharing such sensitive data center information across the Internet in clear text. The big service guys (Google, Yahoo, and Microsoft) are finally moving to encrypt such data, but it leaves one to wonder: how many enterprises (banks, law firms, retailers, etc.) are actually encrypting their data center to data center traffic? They definitely should be; site-to-site VPNs have been around for a loooong time.
(Northcutt): The Snowden disclosures may have set cloud computing back a couple of years; here are some supporting links:
-http://www.huffingtonpost.com/2013/11/06/nsa-revelations-cloud_n_4226695.html
-http://www.zdnet.com/nsa-spying-poisons-the-cloud-market-survey-7000022964/
-http://www.usnews.com/news/articles/2013/11/27/study-nsa-spying-may-cost-us-companies-35-billion]
Flash SMS Attack Can Crash Google Nexus Phones (November 29 & December 2, 2013)
Google Nexus phones are vulnerable to crashing following an attack using a quick succession of SMS messages. Flash messages are not automatically saved, but instead appear in a semi-transparent overlay on the screen. The users decide whether or not to save the messages. But as there are no alerts when these messages arrive, users may not be aware of receiving multiple Flash messages. When the Nexus receives 30 or more messages without having any saved or dismissed, the phone often reboots. If the SIM card requires a PIN to unlock it, the phone will not reconnect to the mobile network.
-http://www.theregister.co.uk/2013/12/02/nexus_phones_carry_sms_crash_bug_vuln/
-http://www.computerworld.com/s/article/9244430/Google_Nexus_phones_are_vulnerable_to_attack_via_Flash_SMS_messages?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57614074-83/google-nexus-phones-reportedly-susceptible-to-sms-attacks/
************************** Sponsored Links: ******************************
1) Do you have thousands of devices on distributed networks and need to manage security risks, enable BYOD adoption, and support IT-GRC framework specs? Get the Frost & Sullivan report. http://www.sans.org/info/145157
2) Dimension Data survey reveals critical gaps between the 'secure mobility' vision businesses have and the realworld implementations. http://www.sans.org/info/145162
3) Complimentary eBook: "NetFlow Security Monitoring for Dummies". Download now http://www.sans.org/info/145167
****************************************************************************
THE REST OF THE WEEK'S NEWS
Bitcoin Miners Embedded in Browser Toolbars and Apps (December 2, 2013)
Some browser toolbars that users download come with embedded Bitcoin miners, and the resulting Bitcoins are not the property of the users, but of the people who arranged to have the miners embedded. The arrangement is codified when users agree to the EULA (end-user license agreement), which describes the activity in veiled terms.
-http://www.theguardian.com/technology/2013/dec/02/bitcoin-mining-malwarebytes-app-pc
-http://www.theregister.co.uk/2013/12/01/dont_like_our_malware_tough_read_the_eula/
-http://www.v3.co.uk/v3-uk/news/2316378/bogus-apps-duping-users-into-bitcoin-mining-for-criminals
[Editor's Note (Skoudis): Looks like the bad guys are adapting all of their various technical attacks and business models to the Bitcoin world. Given the stakes for rapid money making here, we'll surely see even more creative Bitcoin related attacks in the near future.
(Shpantzer): I attended Eric Cole's SANS Security Essentials class in 2001. He said that people want your computer/network for three things, beyond just the information they could capture from you: Storage space, CPU cycles and bandwidth. Still holds true today.]
Bitcointalk.org Forum Targeted by DNS Redirect and DDoS Attacks (December 2, 2013)
Users of Bitcoin forum bitcointalk.org are being urged not to log into their accounts due to a redirect attack. A forum administrator said it is likely that the attacker managed to redirect the domain name system (DNS) to a different address. Users who did log in with passwords on December 1 and 2 may have had their information captured. Bitcointalk.org has been transferred to a different registrar, but because changes can take a while, users are cautioned not to log into their accounts just yet. The forum is also currently being targeted by a distributed denial-of-service (DDoS) attack.
-http://www.scmagazine.com//popular-bitcoin-forum-targeted-in-dns-and-ddos-attack/article/323311/
A Pescatore "First Look" at the Akamai Acquisition of Prolexic (December 2, 2013)
Akamai Technologies Inc said it will spend about $370 million to acquire Prolexic Technologies Inc, a provider of denial of service mitigation services. The move will bolster Akamai's security offerings, which already include some services for protecting websites against HTTP-based distributed denial of service (DDoS) attacks. This is a good move for Akamai, as Content Delivery Networks are already in the critical path for DDoS attacks against web sites that are using CDN services. The business model of CDNs and DDoS mitigation as a service are also very similar, in that growth in customers requires adding scrubbing center capacity - a large barrier to entry for everyone other than ISPs. Akamai's challenge will be maintaining Prolexic's quality of service, which was its major differentiator over ISP-based DDoS services.
-http://www.reuters.com/article/2013/12/02/akamai-acquisition-idUSL4N0JH2JP20131202
Probation for Man Who Participated in Koch Industries Cyberattack (December 2, 2013)
Eric J. Rosol has been sentenced to two years probation for his role in a February 2011 attack on a Koch Industries website. Rosol was also ordered to pay US $183,000 in restitution. He pleaded guilty to a misdemeanor count of accessing a protected computer. The attack knocked the website offline for about 15 minutes. Although the direct loss associated with the attack was less than US $5,000, Koch said it spent the amount specified in the restitution on a consulting company to protect its websites.
-http://www.reuters.com/article/2013/12/02/us-usa-crime-kansas-hacker-idUSBRE9B10Y920131202
-http://www.businessweek.com/ap/2013-12-02/wisconsin-trucker-sentenced-in-koch-cyberattack
D-Link Router Update (December 2, 2013)
D-Link has issued firmware updates for eight of its older router models to address a backdoor that could be exploited remotely to change settings on vulnerable devices and to steal information. The attack could be launched if the routers have enabled the remote management feature; it is disabled by default.
-http://krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/
-http://www.pcworld.com/article/2068560/dlink-issues-fixes-for-firmware-backdoor-in-routers.html
French Court Orders Search Engines and ISPs to Block Pirate Sites (November 29 & December 2, 2013)
A French court has ordered major search engines to block 16 video-streaming websites. Google, Microsoft, and Yahoo must prevent the sites from appearing in their search results. The order also applies to several Internet service providers (ISPs) used by residents of France, which will have to prevent users from accessing those sites. Some of the plaintiffs in the case told the judge that merely ordering a block on the sites would prove ineffective because the people behind the pirate sites would just re-create the sites with new names.
-http://www.bbc.co.uk/news/technology-25185819
-http://www.wired.co.uk/news/archive/2013-11/29/french-court-orders-google-microsoft-and-yahoo-to-delist-pirate-sites
Neverquest Banking Trojan Expanding its Repertoire (November 26 & 29, 2013)
A banking Trojan known as Neverquest can be used to break into "any bank in any country," according to its creators. The malware has tried to infect several thousand computers around the world. Neverquest is able to modify website contents in Internet Explorer and Firefox to inject rogue forms and steal login credentials. The malware also identifies webpages containing keywords relating to finances that are visited by users whose machines are infected, then sends the information back to attackers, so they can broaden their base of financial institutions to target.
-http://www.theregister.co.uk/2013/11/29/_meet_the_new_swiss_army_knife_of_cybercrime/
-http://www.computerworld.com/s/article/9244374/_Neverquest_trojan_threatens_online_banking_users?taxonomyId=17
Unpatched Flaw in Windows XP and Server 2003 (November 28, 2013)
Attackers are exploiting an unpatched flaw in a kernel component of Windows XP and Windows Server 2003. While the privilege elevation flaw alone is not remotely exploitable, it is being used in conjunction with a remote code execution vulnerability in Adobe Reader in limited, targeted attacks. The Reader flaw was patched in May 2013. Microsoft has released an advisory that includes a workaround for the issue.
-https://isc.sans.edu/diary.html?storyid=17117
-http://technet.microsoft.com/en-us/security/advisory/2914486
-http://www.v3.co.uk/v3-uk/news/2309770/firms-urged-to-ditch-windows-xp-after-zero-day-attack-discovered-in-the-wild
-http://www.computerworld.com/s/article/9244428/Attackers_exploit_unpatched_flaw_to_hit_Windows_XP_Server_2003?taxonomyId=17
-http://www.theregister.co.uk/2013/11/28/winxp_0day/
US Government Will Pay US $50 Million to Settle Software Piracy Case (November 28 & December 2, 2013)
The US government will pay US $50 million to a Texas-based company for installing pirated copies of its software on machines. The army has used Apptricity's logistics software since 2004, but the company recently became aware that it was installed on thousands more machines than the number for which the Army had purchased licenses.
-http://www.zdnet.com/u-s-government-settles-software-piracy-case-7000023804/
-http://www.military.com/daily-news/2013/12/02/us-army-settles-in-180m-software-piracy-case.html?comp=700001075741&rank=1
-http://www.bbc.co.uk/news/technology-25137089
Linux Worm Targets x86 Devices (November 27 & 28, 2013)
A worm named Linux.Darlloz targets x86 computers running Linux and PHP. It has the potential to infect home routers, set-top boxes, security cameras, and other devices. Darlloz spreads by exploiting a flaw in php-cgi. The worm is based on proof-of-concept code that was released earlier this year.
-http://www.theregister.co.uk/2013/11/28/researchers_warn_over_connected_device_malware/
-http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-cameras-internet-of-things-devices/
-http://www.computerworld.com/s/article/9244409/This_new_worm_targets_Linux_PCs_and_embedded_devices?taxonomyId=17
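The summary above names php-cgi as the worm's spread vector but not the flaw. What follows is an added example written for this note (not Darlloz's code and not any vendor's signature) that scans web-server access logs for the request shape that exploits php-cgi argument injection, on the assumption that this is the php-cgi flaw the summary refers to: a query string beginning with "-" that php-cgi accepts as command-line switches, typically "-d" overrides of allow_url_include and auto_prepend_file so that the POST body is executed as PHP. The log lines (documentation addresses, made-up requests), SAMPLE_LOG, REQUEST_LINE, DANGEROUS_DIRECTIVES, php_cgi_injection and scan_log are all constructed for the example; the first log entry mirrors the shape of the public exploit string rather than any captured traffic.

```ruby
require 'cgi'

# Constructed sample access-log lines (Combined Log Format). Not real traffic:
# documentation addresses and made-up requests, the first shaped like the
# public php-cgi exploit so the detector has something to find.
SAMPLE_LOG = <<~'LOG'
  203.0.113.7 - - [27/Nov/2013:10:14:02 +0000] "POST /cgi-bin/php?%2Dd+allow_url_include%3DOn+%2Dd+safe_mode%3DOff+%2Dd+suhosin.simulation%3DOn+%2Dd+disable_functions%3D%22%22+%2Dd+open_basedir%3Dnone+%2Dd+auto_prepend_file%3Dphp%3A%2F%2Finput+%2Dn HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  198.51.100.4 - - [27/Nov/2013:10:14:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  203.0.113.7 - - [27/Nov/2013:10:14:09 +0000] "POST /cgi-bin/php5?-d+auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.1" 200 300 "-" "-"
  198.51.100.9 - - [27/Nov/2013:10:15:00 +0000] "GET /search?q=-dash-in-a-value HTTP/1.1" 200 900 "-" "curl/7.33"
LOG

# Request line of a Combined Log Format entry: client, timestamp, method,
# request target and response status are all we need here.
REQUEST_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# php.ini directives that, when overridden from the query string, let the
# attacker have the request body executed as PHP. Assumption (see lead-in):
# the php-cgi flaw is the one where a query string that begins with "-" is
# handed to the php-cgi binary as command-line switches.
DANGEROUS_DIRECTIVES = %w[allow_url_include auto_prepend_file auto_append_file
                          safe_mode open_basedir disable_functions].freeze

# Returns nil for an ordinary request, or a Hash describing the injected
# switches for one whose decoded query string starts with a "-" switch.
# A "-" inside a parameter value (q=-foo) is not a switch and is ignored.
def php_cgi_injection(target)
  path, query = target.split('?', 2)
  return nil if query.nil?
  decoded = CGI.unescape(query)              # %2D -> "-", "+" -> " ", %3D -> "="
  return nil unless decoded.lstrip.start_with?('-')
  directives = decoded.scan(/-d\s*([A-Za-z_.]+)\s*=/).flatten
  { path: path, switches: decoded, directives: directives,
    dangerous: directives & DANGEROUS_DIRECTIVES }
end

# Scans a whole log and returns one Hash per suspicious request, tagged with
# the client address, method and status so an analyst can pivot on them.
def scan_log(text)
  text.each_line.map do |line|
    m = REQUEST_LINE.match(line) or next
    hit = php_cgi_injection(m[:target]) or next
    hit.merge(ip: m[:ip], method: m[:method], status: m[:status].to_i)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |h|
    puts "#{h[:ip]} #{h[:method]} #{h[:path]} status=#{h[:status]} " \
         "dangerous=#{h[:dangerous].join(',')}"
  end
end
```

A 200 on one of these requests is the interesting case: php-cgi honoured the switches. Because the worm targets embedded devices, the same check is worth running against the access logs of any appliance that exposes a php-cgi endpoint, not just conventional web servers.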
STORM CENTER TECH CORNER
Toolbar Includes Bitcoin Miner (and discloses the fact in a cryptic reference in its EULA)
-http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/
Keeping Browser Plugins Up-to-date Remains Challenging
-https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/11/27/secure-your-browser-before-shopping-online
D-Link Router Update
-http://www.dlink.com/uk/en/support/security
D-Link Router New Fixed Password Problems (telnet)
-http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html
Drupal mt_rand Vulnerability
-http://nakedsecurity.sophos.com/2013/11/29/drupal-security-update-fixes-a-laundry-list-of-problems-including-predictable-random-numbers/
Windows XP / 2003 Privilege Escalation Flaw
-https://isc.sans.edu/diary.html?storyid=17117
Exchange 2013 Backup Fix
-http://support.microsoft.com/kb/2888315
Google Colombia Issues due to local ISP proxy server intercepting requests
-https://isc.sans.edu/forums/diary/Google+having+a+hiccup+in+Colombia/17126
Google Nexus Phone SMS DoS Vulnerability
-http://www.pcworld.com/article/2067960/google-nexus-phones-vulnerable-to-denialofservice-attack-via-flash-sms-messages.html
Vodafone Iceland SMS Message Leak
-http://www.cyberwarnews.info/2013/11/30/official-vodafone-iceland-hacked-and-defaced-with-77000-accounts-leaked/
Android InMobi Adware
-http://www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html
Ruby On Rails Cookiestore Vulnerability still widely present
-http://maverickblogging.com/list-of-websites-using-ruby-on-rails-cookiestore-for-session-management/
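The CookieStore item refers, on my reading (an assumption), to the long-standing design issue with Rails' default session store: the whole session lives in a signed but, in Rails 3, unencrypted cookie, the server keeps no state and sets no expiry, so a cookie captured once keeps working after the user logs out. The following is an added example written for this note, not code from Rails or from the linked post. It models that store with Ruby's standard library (HMAC-SHA1 in the "payload--digest" layout of Rails' message verifier, with JSON standing in for Marshal) beside a server-side store that can actually revoke and expire sessions. SECRET, CookieStore, ServerSessionStore, the helper functions and the sample session values are all constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed secret for the example only (in Rails this role is played by
# secret_token / secret_key_base). Anyone who learns it can mint sessions.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# --- The CookieStore pattern: signed, unencrypted state held by the client ---
# Layout modeled on Rails' message verifier: "<base64 payload>--<hex HMAC>".
# The server keeps nothing, which is the root of the problem: it cannot tell a
# live cookie from one the user thinks is gone.
module CookieStore
  def self.sign(data)
    OpenSSL::HMAC.hexdigest('SHA1', SECRET, data)
  end

  def self.dump(session)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{sign(data)}"
  end

  def self.load(cookie)
    data, digest = cookie.split('--', 2)
    return nil unless data && digest && secure_compare(sign(data), digest)
    JSON.parse(Base64.strict_decode64(data))
  end

  # Constant-time comparison so the digest check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Weakness 1: no encryption. Whoever holds the cookie can read the payload
# without knowing SECRET.
def readable_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
end

# Weakness 2: no revocation. "Logout" only asks the browser to drop the cookie;
# a copy captured earlier still carries a valid signature and is accepted.
def cookie_store_replay_after_logout
  captured = CookieStore.dump({ 'user_id' => 42, 'admin' => false })
  # ... the user logs out; there is no server-side state to change ...
  CookieStore.load(captured)                # still returns the session
end

# What the signature does protect: editing the payload without SECRET fails.
def tampered_cookie_rejected
  cookie = CookieStore.dump({ 'user_id' => 42, 'admin' => false })
  digest = cookie.split('--', 2).last
  forged = Base64.strict_encode64(JSON.generate({ 'user_id' => 42, 'admin' => true }))
  CookieStore.load("#{forged}--#{digest}")  # nil
end

# --- Hardened pattern: opaque id in the cookie, state and expiry on the server ---
class ServerSessionStore
  Record = Struct.new(:data, :expires_at)

  def initialize(ttl: 3600, clock: -> { Time.now })
    @records = {}
    @ttl = ttl
    @clock = clock                          # injectable so expiry is testable
  end

  def create(data)
    id = SecureRandom.hex(32)               # 256-bit random id: unguessable
    @records[id] = Record.new(data, @clock.call + @ttl)
    id
  end

  def load(id)
    rec = @records[id]
    return nil if rec.nil?
    if rec.expires_at <= @clock.call        # expired: drop it and refuse
      @records.delete(id)
      return nil
    end
    rec.data
  end

  def destroy(id)                           # logout: the server forgets it
    @records.delete(id)
  end
end

def server_store_replay_after_logout
  store = ServerSessionStore.new
  id = store.create({ 'user_id' => 42 })
  captured = id.dup                         # attacker copies the cookie
  store.destroy(id)                         # user logs out
  store.load(captured)                      # nil: the replay fails
end
```

The point is not that the signature is weak (it is not, as tampered_cookie_rejected shows) but that a signature alone answers "did we issue this?" and never "is this still valid?". Only server-held state, or at minimum a signed expiry the server enforces, answers the second question.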
Newegg Loses First Round of RC4 Patent Lawsuit
-http://arstechnica.com/tech-policy/2013/11/jury-newegg-infringes-spangenberg-patent-must-pay-2-3-million/
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/