SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XV - Issue #99

December 17, 2013

Celebrating the people who made a difference in cybersecurity in 2013: http://www.sans.org/cyber-innovation-awards

SANS training in New Orleans and Orlando - registration now open! New Orleans: http://www.sans.org/event/security-east-2014 Orlando: http://www.sans.org/event/sans-2014

Important changes in industrial control systems (especially power, oil & gas) security: Shell, Pacific Gas & Electric, BP, Chevron, ABB and a dozen other leaders have just changed the face of cybersecurity in control systems. You'll learn about it at the 9th Annual ICS/SCADA Security Summit & Training in Orlando. Plan to attend the ground-breaking new certification preparation course, ICS410: ICS/SCADA Security Essentials and hear from many of the best minds in ICS in Orlando. http://www.sans.org/event/north-american-ics-scada-summit-2014

---

TOP OF THE NEWS

Federal Judge Rules NSA's Phone Metadata Gathering May be Unconstitutional
White House Task Force Says Phone Metadata Should be Held by a Third Party
US Television News Magazine: NSA Defends Surveillance Programs
White House Will Keep NSA and Cyber Command Under One Director

THE REST OF THE WEEK'S NEWS

Two Laptops Stolen From Insurance Office Contained Unencrypted Patient Data
Advanced Power Botnet Uses Infected Computers to Seek Vulnerabilities
More Than 60 Percent of Internet Traffic is Bot-Generated
Phony Antivirus Program Uses Stolen Digital Certificates
New BT Customers Will Find Content Filters on by Default
FTC Wants Official Authority to Enforce Data Security
Android mToken App Steals Texts
Twenty-three People Charged in Payment Card Fraud Ring

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By AlienVault ************************
Are your network assets communicating with known malicious IPs? Find out now with a free 30-day trial of AlienVault Unified Security Management (USM). Powered by the Open Threat Exchange (OTX), the world's largest collaborative threat intelligence system, USM detects potential breaches and provides detailed remediation advice for each alert. Try it now. http://www.sans.org/info/146495
***************************************************************************
TRAINING UPDATE


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Federal Judge Rules NSA's Phone Metadata Gathering May be Unconstitutional (December 16, 2013)

A US federal judge in Washington DC has ruled that the NSA's massive collection of phone metadata may be unconstitutional. Judge Richard Leon of the US District Court for the District of Columbia wrote that the plaintiffs have "a substantial likelihood of success on the merits of their Fourth Amendment claim," in challenging the constitutionality of the NSA's surveillance program, which slurps up data on calls, including those made to and from US citizens. Judge Leon has granted a motion for a preliminary injunction that would immediately end the NSA's wholesale collection of phone call metadata, but noted that he would stay the motion pending a government appeal.
-http://www.washingtonpost.com/national/judge-nsas-collecting-of-phone-records-is
-likely-unconstitutional/2013/12/16/6e098eda-6688-11e3-a0b9-249bbb34602c_story.h
tml?hpid=z1
-http://www.wired.com/threatlevel/2013/12/bulk-telephone-metada-ruling/
-http://www.scmagazine.com/federal-judge-rules-nsa-metadata-collection-is-unconst
itutional/article/325860/
-http://usnews.nbcnews.com/_news/2013/12/16/21925625-federal-judge-says-nsa-progr
am-appears-to-violate-constitution?lite
-http://www.computerworld.com/s/article/9244833/Update_Judge_rules_NSA_spy_effort
s_may_be_unconstitutional?taxonomyId=17
-http://www.theregister.co.uk/2013/12/16/judge_puts_nsa_mobile_record_collection_
on_ice/
Judge Leon's Ruling:
-http://www.wired.com/images_blogs/threatlevel/2013/12/leonruling.pdf
[Editor's Note (Murray): Perhaps more significant than the ruling is that someone finally got a court to consider the question.
(Honan): This ruling applies only to the constitutional rights of US citizens. It does not have any effect on the privacy rights of those of us who live outside of the United States. ]

White House Task Force Says Phone Metadata Should be Held by a Third Party (December 13, 2013)

A White House task force says that the data gathered by the NSA should be held by a third party or retained by phone companies. While the panel did not say that the data-gathering program should end, it did say that there should be restrictions on the activity and stricter standards for NSA when it wants to search the data. The panel also recommended that the agency be led by a civilian when current director General Keith Alexander steps down in April 2014. (The White House has said that the NSA will be led by a member of the military who will also head up the US Cyber Command - see story below.)
-http://www.wired.com/threatlevel/2013/12/obama-panel-nsa/
-http://arstechnica.com/tech-policy/2013/12/obama-panel-says-nsa-phone-spying-rec
ords-should-be-held-by-third-party/

US Television News Magazine: NSA Defends Surveillance Programs (December 15 & 16, 2013)

NSA Director General Keith Alexander and the agency's Information Assurance Director Debora Plunkett appeared on US television news magazine 60 Minutes to defend the agency's surveillance programs. The officials said that an unnamed foreign country attempted to infect computers with BIOS malware that could have been used to destroy the infected machines and that an adversary could conceivably take down the US economy with a computer virus.
-http://www.theregister.co.uk/2013/12/16/nsa_alleges_bios_plot_to_destroy_pcs/
-http://www.forbes.com/sites/robertlenzner/2013/12/15/some-foreign-nations-have-c
yberwar-capability-to-destroy-our-financial-system-nsa-admits/
-http://www.wired.com/threatlevel/2013/12/60-minutes/

White House Will Keep NSA and Cyber Command Under One Director (December 13, 2013)

The White House says it plans to stick with the current arrangement of the NSA Director also heading up US Cyber Command. General Keith Alexander plans to step down from the positions next spring. There had been some talk of splitting the positions and putting a civilian in charge of the NSA. The administration said that having one individual wear both hats allows for "rapid response" to threats. A member of the military will hold the dual-responsibility position.
-http://www.washingtonpost.com/world/national-security/white-house-to-preserve-co
ntroversial-policy-on-nsa-cyber-command-leadership/2013/12/13/4bb56a48-6403-11e3
-a373-0f9f2d1c2b61_story.html
-http://news.cnet.com/8301-1009_3-57615582-83/white-house-sticks-with-double-duty
-for-nsa-director/

---

************************** Sponsored Links: ******************************
1) Do you have thousands of devices on distributed networks and need to manage security risks, enable BYOD adoption, and support IT-GRC framework specs? Get the Frost & Sullivan report. http://www.sans.org/info/146500

2) Analyst report advocates for integration of network and endpoint security into single, consolidated solution. Download your copy of the report to learn more http://www.sans.org/info/146505

3) Is your network prepared for anything? Would you like a free Cyber Defense Readiness Assessment? Start now: http://www.sans.org/info/146510
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Two Laptops Stolen From Insurance Office Contained Unencrypted Patient Data (December 16, 2013)

Earlier this month, a New Jersey health insurance company began notifying more than 800,000 members that their personally identifiable information was stored, unencrypted, on laptops stolen from Horizon Blue Cross Blue Shield headquarters in Newark. The data include names, addresses, dates of birth, insurance ID numbers, and clinical information.
-http://www.scmagazine.com/two-unencrypted-nj-health-insurance-laptops-stolen-mor
e-than-800k-impacted/article/325840/
[Editor's Note (Pescatore): This incident will cost them several tens of millions of dollars, on top of a similar 2008 incident Horizon BCBS NJ suffered that impacted 300,000 accounts. It appears that they were using cable locks to prevent physical theft of the laptops instead of encryption to prevent data theft - the cost of replacing the laptop hardware is less than .01% of the cost of dealing with a data disclosure incident of this scope. ]

Advanced Power Botnet Uses Infected Computers to Seek Vulnerabilities (December 16, 2013)

A botnet that its operators call Advanced Power has infected more than 12,500 systems. The botnet malware conducts SQL injection attacks on websites that infected users visit. So far, Advanced Power has detected more than 1,800 websites that are vulnerable to the attacks. The malware pretends to be a Firefox add-on. The botnet appears to have been operational since at least May 2013.
-http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web-site
s/
-http://arstechnica.com/security/2013/12/botnet-forces-infected-firefox-users-to-
hack-the-sites-they-visit/

More Than 60 Percent of Internet Traffic is Bot-Generated (December 12 & 13, 2013)

According to recent study, "bots" accounted for more than 61 percent of all Internet traffic in 2013. In 2012, that figure was just over 50 percent. About half of the bots are considered good bots, such as search engines and web performance tools. But it does mean that the majority of traffic on the Internet is not generated by humans.
-http://news.cnet.com/8301-1009_3-57615501-83/bots-now-running-the-internet-with-
61-percent-of-web-traffic/
-http://www.forbes.com/sites/timworstall/2013/12/13/over-60-of-all-website-visits
-are-bot-traffic/
-http://www.nextgov.com/cybersecurity/2013/12/615-web-traffic-not-human/75466/?or
ef=ng-channelriver
[Editor's Note (Pescatore): I guess we shouldn't be surprised - the majority of physical mail is mass produced junk mail, most calls to my landline are robot-dialed telemarketing, most TV channels seem filled with randomly generated dreck that I would hate to blame on human beings, most pages in newspapers and magazines are ads, probably the cave people complained that the cave walls were covered with graffiti. In every form of communications, filtering is required to separate the signal from the noise. ]

Phony Antivirus Program Uses Stolen Digital Certificates (December 16, 2013)

Microsoft has issued an advisory about a phony antivirus program currently in circulation that uses fraudulent certificates. The program is called Antivirus Security Pro and it reportedly uses at least a dozen certificates that have been stolen from several different certificate authorities. The malware has been around since 2009 in one form or another.
-http://www.computerworld.com/s/article/9244815/Fake_antivirus_program_uses_stole
n_signing_certificates?taxonomyId=17
[Editor's Note (Pescatore): Repeating my 10 December SANS Twelve Word Tuesday tweet: SSL certificates today are to security as balsa wood is to strength.
(Northcutt): As we all know, certificates do more than prove the validity of a program, they are foundational to all commerce. And yet these continue to be stolen. A Symantec blog has a well-researched post on the how's and what's related to stolen certs that helps show the magnitude of the problem:
-http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-c
ertificates]

New BT Customers Will Find Content Filters on by Default (December 14 & 16, 2013)

New BT broadband Internet subscribers will have pornography filters activated by default. The control will affect all Internet connected devices, including smartphones and game consoles. When customers are setting up their Internet connections for the first time, they will have the option of accepting the default controls, or choosing to alter the settings. BT will contact current customers over the next 12 months to let them know about the new controls and allow them to choose to implement them. The filters are designed to protect children from unsuitable content.
-http://www.bbc.co.uk/news/technology-25400009
-http://arstechnica.com/tech-policy/2013/12/new-isp-customers-will-have-porn-filt
ers-turned-on-automatically/

FTC Wants Official Authority to Enforce Data Security (December 13, 2013)

The US Federal Trade Commission (FTC) is seeking to codify its authority to enforce data security standards. Over the past few years, the FTC has successfully imposed fines and other penalties on companies in the US that have failed to provide adequate security for customer data. The agency says it has the authority to impose the penalties through a section of the FTC Act that prohibits unfair and deceptive trade practices. Several companies have recently pushed back against what they say is the FTC's overreaching purview. Wyndham Worldwide Corp and LabMD have both mounted legal challenges to FTC-imposed penalties for data breaches. Both maintain that they are being held to standards that have never been formally established.
-http://www.computerworld.com/s/article/9244794/FTC_wants_to_be_enforcer_of_data_
security?taxonomyId=17
[Editor's Note (Pescatore): We recently gave the FTC a SANS "People Who Made a Difference in Security 2013" award. Over the past decade the FTC has managed to do a good job of keeping companies honest about lapses in protecting customer data - I would hate to see that effectiveness get screwed up by legislation.
(Murray): I think we have all taken satisfaction from FTC actions but we should admit that their enforcement has been less than uniform. ]

Android mToken App Steals Texts (December 13, 2013)

The Android mToken app has been found to intercept text messages. The malicious app targets devices that are already infected with banking malware.
-http://www.scmagazine.com/app-mtoken-intercepts-texts-spams-mobile-devices-to-fu
rther-campaign/article/325537/

Twenty-three People Charged in Payment Card Fraud Ring (December 13, 2013)

Twenty-three people have been charged in connection with a credit card theft and fraud ring that involved "computer intrusion" and carding websites. The group allegedly obtained details of more than 1,000 payment cards, which were used to make more than US $2 million in fraudulent purchases.
-http://www.scmagazine.com/23-charged-in-counterfeit-card-scam/article/325611/

---

STORM CENTER TECH CORNER

Acquiring Memory Images with Dumpit
-https://isc.sans.edu/forums/diary/Acquiring+Memory+Images+with+Dumpit/17216

E-Bay Remote Code Execution Flaw
-http://www.secalert.net/2013/12/13/ebay-remote-code-execution/

Timing Attacks to Assist in "Dirbusting" of Web Applications
-http://blog.wallarm.com/post/69598321538/timing-attacks-against-file-systems

Android 4.4.2 Update Fixes SMS DoS Vulnerability
-https://funkyandroid.com/aosp-KOT49E-KOT49H.html

xt-commerce 3 Security Patch Released
-http://www.gambio.de/security-patch-dez2013-div.html

WhatApp Malware Uses Geolocation to Create Plausible Filename
-https://isc.sans.edu/diary.html?storyid=17222

Cryptolocker Copy Cat Sighted with Weak Encryption
-http://www.theregister.co.uk/2013/12/13/locker_ransomware/

Zimbra 0-day Exploit
-http://cxsecurity.com/issue/WLB-2013120097

Analysis of Compromissed System with Litecoin Miner "Minerd"
-https://isc.sans.edu/forums/diary/The+case+of+Minerd/17225

Bitcoin Mining Hoax used to destroy Mac user's systems
-http://www.theregister.co.uk/2013/12/13/mac_bitcoin_mining_hoax/

Only about 1/3 of ZeroAccess Botnet Infrastructure Affected by MSFT Takedown
-https://blog.damballa.com/archives/2221

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/