SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #98

December 13, 2013

A gift for the holidays:
Our tenth annual holiday hacking challenge, using themes from the classic It's a Wonderful Life holiday movie, is our most exciting and in-depth challenge ever. You'll match wits with nasty cyber attackers, analyzing their techniques in depth to help save the city and George Bailey's life! Based on the technical infrastructure of SANS CyberCity project, this fun and informative challenge will help you pick up valuable real-world skills in defending critical infrastructures.

You see, the city of Bedford Falls is under cyber attack, and on Christmas Eve no less! Dastardly villains have targeted its train switching system, water reservoir, traffic lights, and even its power grid. George Bailey, head of infosec for the town, is all that stands between Bedford Falls and disaster. Suddenly, all the lights in town go dark... And that's where you come in.

To read and participate in this FREE challenge, click here:
http://pen-testing.sans.org/holiday-challenge

---

TOP OF THE NEWS

Proposed Cybersecurity Legislation Focuses on Critical Infrastructure
NSA Director Defends Phone Data Gathering to Senate Judiciary Committee

THE REST OF THE WEEK'S NEWS

Gmail to Display Images Via Proxy Servers
Man Who Tried to Sell Access to DOE Laboratory Computers Gets 18-Months in Prison
Eighteen Years in Prison for Carder Site Co-Founder
64-Bit ZeuS
Inspector General Says US Dept. of Energy Did Not Adequately Protect Employee Data
Remote Access Trojan Found on Professional Poker Player's Laptop
Malware Pretends to be Microsoft IIS Module
Sanitizing Files to Prevent Attacks
Malware Cleanup Tools Can Miss Files
Microsoft and Adobe Issue Security Updates
Firefox 26 Blocks Java by Default
Lack of Details About October FDA Security Breach Frustrates Legislators

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Bit9 ****************************
When it comes to endpoint security, large organizations find themselves in a difficult situation. Most enterprises have host-based security software (antivirus software) installed on almost every PC and server, yet their IT assets are constantly attacked - and often compromised - by sophisticated malware and targeted attacks. Download this whitepaper to learn more.
http://www.sans.org/info/146230
***************************************************************************
TRAINING UPDATE


- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, San Antonio, Dubai, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Proposed Cybersecurity Legislation Focuses on Critical Infrastructure (December 12, 2013)

Legislation introduced in the US House of Representatives would establish measures to better protect elements of the country's critical infrastructure from cyberattacks. The National Cybersecurity and Critical Infrastructure Protection Act of 2013 is a bipartisan bill that "strengthens the cybersecurity of the nation's 16 critical infrastructure sectors ... by codifying, strengthening, and providing oversight of the cybersecurity mission of the Department of Homeland Security (DHS)." The bill also describes a way to improve real-time threat detection through the National Cybersecurity and Communications Integration center (NCCIC).
-http://www.scmagazine.com//legislation-introduced-to-curb-cyber-attacks-targetin
g-nations-critical-industries/article/325447/
[Editor's Note (Weatherford): This legislation actually clarifies quite a bit. It finally gives power to the National Cybersecurity Incident Response Plan (NCIRP) which was written three years ago but never codified. This was a collaborative document written with both government and private sector partners but has been used in an interim capacity since because it was never approved. The proposed bill also provides clarity for each critical infrastructure sector to be formally represented by an Information Sharing and Analysis Center (ISAC). The ISACs were originally proposed in PDD-63 in 1998 so it's high time to update the relationship between the sectors and DHS, which didn't even exist in 1998. It formalizes authority for the National Cybersecurity and Communication Integration Center (NCCIC) Cyber Incident Response Teams to provide technical assistance to the private sector and finally, it changes the very confusing name of the National Protection and Programs Directorate (NPPD) to the Cybersecurity and Infrastructure Protection Directorate. The proposed legislation also provides for changing the Support Anti-Terrorism By Fostering Effective Technologies Act of 2002 (SAFETY ACT) to include cybersecurity. This is potentially big because it can provide liability protection for developers of security products, which may be the necessary incentive to begin incorporating better security into products.
(Murray): The devil is in the detail, of which this bill has 56 pages. One need read no further than the definitions to realize that this is a far reaching bill with potential for unintended consequences. However, in a quick scan, one was unable to find any effort to immunize private enterprise for compromising their customers, a provision that has become a standard feature of such proposals.
(Pescatore): Not much that is meaningful in this bill, as far as I can tell. Seems to add a layer of Sector Coordinating Councils on top of the ISACs, yet another annual report to Congress, name changing of some departments in DHS - pretty much the usual legislative chaff.
(Paller): This legislation has the fingerprints of a set of government affairs employees who work for large companies - sent to Washington to make sure that the government does nothing in cybersecurity that will cost their employers money. Most of the smarter ones are a wee bit embarrassed by what they are doing, but they know of no other way to earn a salary that is 3 to 20 times the median salary in the United States. ]

NSA Director Defends Phone Data Gathering to Senate Judiciary Committee (December 11 & 12, 2013)

NSA Director General Keith Alexander defended his agency's phone data collection programs to the US Senate Judiciary Committee, saying, "We can't go back to a pre-9/11 moment," and that there is no other way we know of to connect the dots." Committee Chairman Senator Patrick Leahy (D-Vermont) noted that the phone data collection program has been "uniquely valuable" in just one terrorism case since the program was authorized in 2006.
-http://www.washingtonpost.com/world/national-security/at-senate-hearing-nsa-dire
ctor-defends-spying-program/2013/12/11/a21ae186-62b1-11e3-aa81-e1dab1360323_stor
y.html
-http://www.nextgov.com/cybersecurity/2013/12/nsa-chief-protecting-americans-terr
orism-holding-hornets-nest/75415/?oref=ng-channeltopstory
[Editor's Note (Northcutt): The Wall Street Journal had an article today saying a panel appointed by President Obama recommends reorganizing the NSA and restricting the data they store and access:
-http://online.wsj.com/news/articles/SB10001424052702304202204579254652728273502]

(Honan): While the US wrestles with the pros and cons of collecting cell phone data, just yesterday the European Court of Justice has given its legal opinion that the EU Data Retention directive that requires telecoms and internet providers to store data on phone and email traffic for up to two years is a serious interference with citizens' right to privacy.
-http://www.irishtimes.com/business/sectors/technology/data-retention-interferes-
with-privacy-european-court-opinion-1.1626041
-http://euobserver.com/justice/122459]

---

************************** Sponsored Links: ******************************
1) Discover how BlueCoat's Lifecycle Defense enables you to preserve your IT budget, protect and empower your business. http://www.sans.org/info/146235

2) "Targeted Attacks - Best practices from Trend Micro for securing your organization using infrastructure and personnel adjustments" http://www.sans.org/info/146240

3) Take the SANS Second Survey on Application Security and Enter to Win an iPad! http://www.sans.org/info/146245
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Gmail to Display Images Via Proxy Servers (December 12, 2013)

Gmail now shows users embedded images in their email messages by default. Email providers stopped displaying images by default after attackers began using them to infect computers, but Google's new system displays the images via proxy servers. Senders can manipulate the feature so that they know when the messages they send have been read.
-http://news.cnet.com/8301-1009_3-57615469-83/gmail-now-shows-you-all-images-by-d
efault/
-http://www.wired.com/business/2013/12/gmail-spying-explained/
[Editor's Note (Ullrich): In line with Google's business model, this will eliminate some tracking by third parties but improve tracking done by Google.
(Honan): It is possible to set up your Gmail account to not load images automatically. Under the General tab in settings there is the "Ask before displaying external images" option. ]

Man Who Tried to Sell Access to DOE Laboratory Computers Gets 18-Months in Prison (December 12, 2013)

A man who broke into US government, corporate, and university computer networks and tried to sell access to the systems, has been sentenced to 18 months in prison. Andrew James Miller pleaded guilty to conspiracy and computer fraud charges earlier this year. Miller attempted to sell access to two supercomputers at the National Energy Research Scientific Computing Center at Lawrence Livermore National Laboratory. The intrusions occurred between 2008 and 2011.
-http://www.computerworld.com/s/article/9244755/Hacker_gets_18_months_for_peddlin
g_computer_access_to_U.S._national_security_lab?taxonomyId=17
-http://www.nextgov.com/cybersecurity/2013/12/18-months-slammer-energy-supercompu
ter-hacker/75449/?oref=ng-channelriver

Eighteen Years in Prison for Carder Site Co-Founder (December 12, 2013)

A US federal judge has sentenced Roman Vega to 18 years in prison for his role in CarderPlanet, essentially a clearinghouse for stolen credit card information. The operation was shut down in 2004. Vega has been in custody since 2003.
-http://arstechnica.com/tech-policy/2013/12/ukranian-fraudster-and-carderplanet-d
on-finally-sentenced-to-18-years/
-http://www.justice.gov/opa/pr/2013/December/13-crm-1313.html
[Editor's Note (Murray): It is likely to take a decade of such sentences to overcome the effect of two generations of under-sentencing that has taught that computer crime is low risk. ]

64-Bit ZeuS (December 12, 2013)

A 64-bit version of ZeuS malware appears to have been circulating on the Internet since June at least. Researchers expected that a 64-bit variant would one day exist, but they are surprised that it has emerged so soon. Most browsers currently in use are 32-bit. Another notable feature of this ZeuS variant is that it works via Tor.
-http://www.computerworlduk.com/news/security/3493503/zeus-malware-gets-64-bit-ma
keover/
-http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_
come_enhanced_with_Tor

Inspector General Says US Dept. of Energy Did Not Adequately Protect Employee Data (December 11, 2013)

According to auditors, The US Department of Energy (DOE) knew of and did nothing to correct suspected cybersecurity issues that could have prevented the personal information of more than 100,000 employees, dependents, and contractors from a July 2013 incident. DOE has been the target of cyberattacks three times since 2011. The report from the DOE Office of Inspector General (IG) found that DOE did not put in place "accepted standards for protecting its network and failed to ensure that its security controls were working effectively in many cases." According to the IG, DOE did not implement fixes for known security issues. The agency also allowed "direct Internet access to a highly sensitive system without adequate security controls;" and permitted systems with known critical security flaws to operate. The report also noted "unclear lines of responsibility" and "ineffective communications and coordination among responsible officials."
-http://www.washingtonpost.com/blogs/federal-eye/wp/2013/12/11/doe-was-aware-of-s
ecurity-weaknesses-that-led-to-hacking-report-says/
-http://energy.gov/sites/prod/files/2013/12/f5/IG-0900.pdf

Remote Access Trojan Found on Professional Poker Player's Laptop (December 11, 2013)

Professional poker player Jens Kyllnen's computer was infected with a remote access Trojan (RAT). Kyllnen discovered the malware after an odd experience in Barcelona during which the laptop disappeared from and then mysteriously reappeared in his hotel room. Because he suspected something was not right, Kyllnen took the computer to F-Secure, where they found the malware.
-http://www.theregister.co.uk/2013/12/11/poker_pros_call_shenanigans_over_hotel_m
alware_infections/
-http://arstechnica.com/security/2013/12/card-sharks-infect-professional-poker-pl
ayers-laptop-with-a-dirty-rat/
[Editor's Note (Pescatore): This is a very common scenario in countries like China, where international business executives are frequently targeted for compromise of their laptops, tablets and smartphones. Many global 1000 companies give their execs clean machines for traveling to those countries - a good idea. Don't usually see Spain on that list, but maybe professional poker players attract their own set of targeted attacks. ]

Malware Pretends to be Microsoft IIS Module (December 11, 2013)

Malware known as ISN pretends to be a Microsoft Internet Information Services (IIS) module. The malware is actually a malicious dynamic link library (DLL) that infects servers with the intent of stealing credit card data entered by people who visit websites.
-http://www.scmagazine.com//malicious-dll-targets-e-commerce-sites-for-customer-c
redit-card-data/article/325240/
[Editor's Note (Ullrich): Malicious modules have been seen in Apache in the past, so no big surprise that IIS is catching up here. These modules can be difficult to detect. Traditionally, system administrators suspect backdoors and bugs in the web application and will often overlook unauthorized modules. ]

Sanitizing Files to Prevent Attacks (December 11, 2013)

Historically, security companies have detected malicious code and blocked it from executing, or used whitelisting to allow only trusted applications to run. But determining when a file, script, or binary is maliciously crafted is not easy. Some security companies are starting to use technology that removes or modifies executable code in common file formats, such as Office documents and PDFs, to reduce the threat of attacks.
-http://www.darkreading.com/advanced-threats/firms-eliminate-embedded-code-to-foi
l-ta/240164687
[Editor's Note (Ullrich): This works great until you "clean" an important order form that uses Javascript to pull in data from a web service. Sadly sometimes these features are actually used.
(Murray): It is hard enough to detect such malicious code, much less remove it without breaking something. However, one can only wish them well. As computers get smarter and cheaper, this application may well be efficient. ]

Malware Cleanup Tools Can Miss Files (December 10, 2013)

The ZeroAccess botnet has been spreading by catching a ride onto computers during the Adobe Flash download process. The malware slides in under the radar and remains undetected by antivirus programs. The ZeroAccess infection vector is just one example of malicious files that can go undetected. Many malware cleanup tools miss files that appear to be legitimate but are in fact infected. Anti-malware programs generally do not include signatures for files malware creates once it has infected a computer.
-http://www.darkreading.com/attacks-breaches/mystery-malware-files-often-missed-i
n-cl/240164631
[Editor's Note (Ullrich): The actual news headline should read: Yes, there are still some people who expect anti-malware to find current relevant threats. ]

Microsoft and Adobe Issue Security Updates (December 10 & 11, 2013)

Microsoft has released 11 Security Bulletins to address at least two dozen flaws in its products. Five of the bulletins address critical flaws, two of which are being actively exploited. Adobe has issued security updates for its Flash and Shockwave Players. One of the vulnerabilities already has seen an exploit released. It tries to get users to open a Microsoft Word document that contains malicious Flash content. The patched Flash vulnerabilities have also been patched for Adobe AIR.
-https://isc.sans.edu/forums/diary/Microsoft+December+Patch+Tuesday/17198
-https://isc.sans.edu/forums/diary/Adobe+Updates+today+as+well+/17201
-http://krebsonsecurity.com/2013/12/zero-day-fixes-from-adobe-microsoft/
-http://www.theregister.co.uk/2013/12/10/microsoft_and_adobe_deliver_critical_fix
es_on_patch_tuesday/
-http://www.computerworld.com/s/article/9244708/Adobe_patches_critical_vulnerabil
ities_in_Flash_Player_and_Shockwave?taxonomyId=17
-http://technet.microsoft.com/en-us/security/bulletin/ms13-Dec
-http://helpx.adobe.com/security/products/shockwave/apsb13-29.html
-http://helpx.adobe.com/security/products/flash-player/apsb13-28.html
[Editor's Note (Pescatore): I'm going to end 2013 on a "glass half full" note and assume Microsoft and Adobe are pushing all these reboot-causing updates into December so that 2014 end of year vulnerability statistics will show a dramatic *decrease* over 2013's depressing statistics. ]

Firefox 26 Blocks Java by Default (December 10, 2013)

Mozilla has released Firefox 26. The newest version of the browser blocks Java by default on all websites; users will be see a dialog box asking if they would like to run Java. Users may choose to allow Java to run for the specific instances, or they can select "Allow and Remember," which will allow Java to run on the specified websites in the future without seeking permission.
-http://www.theregister.co.uk/2013/12/10/firefox_26_blocks_java/
-http://www.zdnet.com/firefox-26-bumps-up-security-by-letting-users-screen-plug-i
ns-7000024120/
-https://www.mozilla.org/en-US/firefox/26.0/releasenotes/
[Editor's Note (Pescatore): I think it is time for this. May just lead to rampant click-through, but maybe it will lead to enough added friction to nudge more web sites away from Java use, which W3Techs says is down to less than 3% of websites now, and others show even lower figures.
(Murray): Those of us who have been using No Script understand the efficiency of this idea. ]

Lack of Details About October FDA Security Breach Frustrates Legislators (December 10, 2013)

US legislators are displeased with the Food and Drug Administration's (FDA's) lack of candor about an October security breach that exposed personally identifiable information of more than 12,000 people. The breach affected the users of the FDA's Biologic Product Deviation Reporting System, the Electronic Blood Establishment Registration System, and the Human Cell and Tissue Establishment Registration System. In a letter to the FDA, members of the House Committee on Energy and Commerce have asked the agency to provide information about the nature of the information stolen, the identification of contractors and subcontractors who knew of the breach, information about corrective action the agency has taken in the wake of the breach, and other details.
-http://www.govinfosecurity.com/fda-breach-raises-lawmakers-hackles-a-6279
Text of the Letter to the FDA:
-http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files
/letters/120913%20FDA%20October%202013%20Cybersecurity%20Breach.pdf

---

STORM CENTER TECH CORNER

Facebook Phish Advertised via Direct Messages and Links to Tumblr
-https://isc.sans.edu/forums/diary/Facebook+Phishing+and+Malware+via+Tumblr+Redir
ects/17207

Browser Fingerprinting by Analyzing SSL Client Hello Messages
-https://isc.sans.edu/forums/diary/Browser+Fingerprinting+via+SSL+Client+Hello+Me
ssages/17210

HashID: Identify hashing algorithms
-https://isc.sans.edu/forums/diary/Those+Look+Just+Like+Hashes+/17195

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS Operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/