
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #1

January 03, 2014


SANS 2014 is the largest cybersecurity training program in the world featuring more than 40 courses, an expo showing the most important security technologies, and many bonus evening education and networking programs. Several SANS 2014 classes filled up early last year so register in January to ensure a place and to take advantage of the early registration discount.

More data: http://www.sans.org/event/sans-2014

TOP OF THE NEWS

Judge Dismisses Challenge to Suspicionless Border Searches of Electronics
NSA Developed Backdoor for iPhones

THE REST OF THE WEEK'S NEWS

Backdoor in Certain Combination Wireless Router/DSL Modems
OpenSSL Code Library Site Defaced
CryptoLocker Variant Disguised as Photoshop and Office Activation Codes
Snapchat Data Stolen; App Will Be Updated
Ars Technica's Four Tech Legal Cases to Watch in 2014
Senators Call for Consumer Financial Data Security Hearing in Wake of Target Breach
DDoS Attacks Exploiting Vulnerability in Network Time Protocol
US Military Winnowing Down Number of Network Entry Points

FIRST LOOK: FIREEYE ACQUIRES MANDIANT


********* Sponsored By SANS Cyber Threat Intelligence Summit ************
Forward leaning organizations have the skills, technology and processes to collect and analyze threat data and turn it into action to mitigate risks and elevate security. For an update of those skills, technology and processes, plan to attend the SANS Cyber Threat Intelligence Summit, February 10th & 11th, in Washington DC! It will focus on Security Information & Event Management, Security Monitoring and Threat Intelligence. Choose from three related classes that take place beforehand (Feb 4th - 9th) including Security Essentials, Reverse Engineering Malware and Advanced Computer Forensics & Incident Response. http://www.sans.org/info/147860
***************************************************************************
TRAINING UPDATE

--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


--ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 The nation's largest conference and training program on security of power, oil & gas and other industrial control systems. Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Judge Dismisses Challenge to Suspicionless Border Searches of Electronics (December 31, 2013 & January 2, 2014)

A federal judge in New York dismissed a suit brought by the ACLU in 2010 that challenged the Customs and Border Patrol's authority to conduct searches of electronic devices at border crossings without reasonable suspicion. Judge Edward Korman said the likelihood of such a search was small and that there are procedures in place for privileged content, such as journalists' sources and attorneys' client communications. The second Bush administration established suspicionless electronics searches in 2008, adding them to the existing border search exemption that allows routine searches and seizures without a warrant or probable cause. The ACLU is appealing the ruling.
-http://www.computerworld.com/s/article/9245126/ACLU_appeals_judge_39_s_decision_to_throw_out_NSA_lawsuit?taxonomyId=17

-http://arstechnica.com/tech-policy/2013/12/judge-wont-let-student-challenge-electronics-searches-at-us-border/

-http://www.nextgov.com/defense/2013/12/judge-says-border-officials-can-search-your-laptop-and-cellphone/76130/?oref=ng-HPriver

-http://www.wired.com/threatlevel/2013/12/gadget-border-searches-2/
-http://www.computerworld.com/s/article/9245095/Judge_dismisses_challenge_to_border_laptop_searches?taxonomyId=17

Decision:
-https://www.aclu.org/sites/default/files/assets/abidor_decision.pdf
Notice of Appeal:
-https://www.aclu.org/sites/default/files/assets/notice_of_appeal_-_aclu_v_clapper.pdf

NSA Developed Backdoor for iPhones (December 31, 2013)

A news story in the German magazine Der Spiegel said that NSA spyware known as DROPOUTJEEP can give anyone using it access to nearly everything on infected iPhones. The tool harvests text messages and voicemail and is capable of switching on the device's microphone and camera remotely. Apple has denied that it worked with the NSA to put the backdoor in iPhones. In a statement to the Wall Street Journal, Apple officials said: "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products."
-http://www.nbcnews.com/technology/apple-denies-working-nsa-backdoor-iphone-2D11821229

-http://www.scmagazine.com/apple-says-it-was-never-privy-to-nsas-program-targeting-iphones/article/327736/

-http://www.zdnet.com/no-surprise-the-nsa-can-hack-iphones-7000024691/
-http://news.cnet.com/8301-1009_3-57616409-83/nsa-spyware-gives-agency-full-access-to-the-iphone-report/

-http://www.computerworld.com/s/article/9245093/The_NSA_developed_software_for_backdoor_access_to_iPhones?taxonomyId=17



************************** Sponsored Links: ******************************
1) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/147865

2) Analyst Webcast: Smart buildings, Cars and Other Devices: New SANS Survey Reveals How Internet of Things Impacts IT Risk Management, Wednesday, January 15 at 1 PM EDT http://www.sans.org/info/147870

3) Is the Perimeter Dead (or just Redefined)? Take the SANS Survey on End Point Intelligence and enter to win an iPad! http://www.sans.org/info/147875
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Backdoor in Certain Combination Wireless Router/DSL Modems (January 2, 2014)

A backdoor in some combination wireless router/DSL modems could be used to reconfigure the router and access the device's administrative control panel. The attack exploits an open port accessible over the wireless network in certain Linksys and Netgear DSL modems. This attack cannot be launched remotely; the attacker would need to be on the target's local network.
-http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

[Editor's Note (Ullrich): We are already seeing a significant increase in scans for the backdoor. (See
-https://isc.sans.edu/forums/diary/Scans+Increase+for+New+Linksys+Backdoor+32764+TCP+/17336 ). ]

OpenSSL Code Library Site Defaced (January 2, 2014)

A December 29 attack on the OpenSSL code library site did not affect code repositories, but it raises concerns because it was launched via hypervisor through the hosting provider, not through an operating system configuration vulnerability.
-http://www.scmagazine.com/openssl-website-hacked-and-defaced/article/327712/
-http://arstechnica.com/security/2014/01/openssl-site-defacement-involving-hypervisor-hack-rattles-nerves/

[Editor's Note (Honan): According to OpenSSL, the breach was not due to any software vulnerabilities in the hypervisor software but due to poor password management by admin staff at the hosting provider.
-http://www.openssl.org/news/secadv_hack.txt
(Ullrich): Important reminder to verify your hypervisor's configuration. Even if your server is configured securely, a compromised hypervisor due to a weak password provides the attacker with the equivalent of physical access to the system.
-https://isc.sans.edu/diary/OpenSSL.org+Defaced+by+Attackers+Gaining+Access+to+Hypervisor/17333
-http://blogs.vmware.com/security/2014/01/recent-openssl-website-defacement.html ]

CryptoLocker Variant Disguised as Photoshop and Office Activation Codes (January 2, 2014)

A new variant of the CryptoLocker ransomware can spread via removable drives, meaning that it can spread more easily than older variants of the malware. It is being disguised as Adobe Photoshop and Windows Office software activators on P2P sites. CryptoLocker encrypts the machine's entire hard drive and connected LAN drives and demands payment in the form of Bitcoin to unlock the data.
-http://www.theregister.co.uk/2014/01/02/cryptolocker_worm/

Snapchat Data Stolen; App Will Be Updated (January 1 & 2, 2014)

A database of 4.6 million Snapchat usernames and some associated telephone numbers with the last two digits blurred has been posted online. The site where the stolen data were posted has been taken down. The people behind the attack say they exploited recent changes made to Snapchat to access the information. A message on Twitter from Snapchat CEO Evan Spiegel says that the company is "working with law enforcement [and] will update when we can."
-http://www.cnn.com/2014/01/01/tech/social-media/snapchat-hack/index.html
-http://www.zdnet.com/predictably-snapchat-user-database-maliciously-exposed-7000024697/

-http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/02/snapchat-has-clammed-up-after-being-hit-by-hackers-thats-not-good/

-http://www.theregister.co.uk/2014/01/02/snapchat_leak/
-http://news.cnet.com/8301-1009_3-57616434-83/overexposed-snapchat-user-info-from-4.6m-accounts/

Update: Snapchat has announced that it will release an updated version of the app that will allow users "to opt out of appearing in Find Friends after they have verified their phone number." The company said that it is also implementing other changes "to address future attempts to abuse our service."
-http://www.darkreading.com/attacks-breaches/snapchat-to-update-app-in-wake-of-breach/240165103

[Editor's Note (Pescatore): I think Snapchat was notified of this vulnerability back in August. This would be a good one for the FTC to look into.
(Ullrich): Classic example of ignoring vulnerability reports. Anti-automation is difficult (we cover it in SANS' Defending Web Application class). Of course in the aftermath of all this, the people reporting and exploiting this may go to jail while Snapchat will just move on, just like in the similar AT&T iPad e-mail leak. ]

Ars Technica's Four Tech Legal Cases to Watch in 2014 (January 1, 2014)

Cyrus Farivar and Joe Mullin at Ars Technica have listed four tech legal cases to watch in 2014. Two lawsuits challenging the legality of NSA data gathering resulted in a pair of "starkly different" rulings. Both are likely to rise to appeals courts, making it likely that the issue will eventually reach the Supreme Court. The other highlighted cases are Megaupload founder Kim Dotcom's extradition hearing; the likely prosecution of The Silk Road's Ross Ulbricht; and Lavabit founder Ladar Levison's challenge to the FBI's demand that he surrender the SSL key that would allow them access to Snowden's communications.
-http://arstechnica.com/tech-policy/2014/01/the-top-4-tech-legal-cases-to-watch-in-2014/

Senators Call for Consumer Financial Data Security Hearing in Wake of Target Breach (December 30 & 31, 2013)

Three US senators have asked the Committee on Banking, Housing, and Urban Affairs to hold a hearing on the Target breach "as soon as reasonably possible." The senators want to address the questions of whether or not marketplace entities "are taking all appropriate actions to safeguard consumer data and protect against fraud, identity theft, and other harmful consequences, and whether we need stronger industry-wide cyber security standards." The senators want to discuss the possibility of accelerated adoption of EMV chip-based cards and they want to know if financial regulators "have the necessary tools, information, and authority to ensure that financial companies and service providers are doing enough to protect consumer data."
-http://www.scmagazine.com/in-light-of-target-breach-senators-push-for-hearing-on-consumer-data-security/article/327450/

-http://www.bankinfosecurity.com/target-breach-senators-seek-hearing-a-6325
Senators' Letter to the Committee:
-http://docs.ismgcorp.com/files/external/Letter_Banking_Data_Security_Hearing_Request_20131230.pdf

DDoS Attacks Exploiting Vulnerability in Network Time Protocol (December 30, 2013)

A new variety of distributed denial-of-service (DDoS) attack exploits an often-neglected network protocol known as NTP, or Network Time Protocol. Researchers noticed a spike in NTP reflection attacks last month. Network administrators tend not to update NTP after its initial configuration. The current attacks exploit a flaw in the "monlist" command of these older versions. Organizations should update NTP to version 4.2.7, which does not use the monlist command. They can also disable access to monlist in older versions of NTP. Internet Storm Center:
-https://isc.sans.edu/diary/NTP+reflection+attack/17300
-http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063
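As an added illustration of the two mitigations the item above mentions (update past 4.2.7, or shut off monlist on older builds), here is a small audit script that is not code from the newsletter or from the NTP project. The ntp.conf samples and version strings are constructed; the check assumes ntpd's documented behaviour that a plain "restrict default" line covers both address families and that the "noquery" flag refuses mode-7 queries such as monlist.

```python
"""Audit an ntp.conf for 'monlist' exposure (config check, constructed samples)."""
import re

# Constructed sample: an older-style config with no 'restrict default' line,
# so mode-7 queries such as monlist are answered for any source address.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
"""

# Constructed sample: same servers, monlist closed two ways
# (monitoring switched off, and noquery for every non-local client).
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def needs_monlist_update(version):
    """True when the ntpd version string predates 4.2.7, where monlist was dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised ntpd version: %r" % version)
    return tuple(int(x) for x in m.groups()) < (4, 2, 7)


def audit_ntp_conf(text):
    """Report which monlist mitigations the config applies and whether it is still exposed."""
    monitor_enabled = True                       # ntpd default: MRU monitoring is on
    noquery = {"ipv4": False, "ipv6": False}     # does 'restrict default' carry noquery?
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        kw = tokens[0].lower()
        if kw in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_enabled = (kw == "enable")   # last directive wins, file is read top down
        elif kw == "restrict":
            args = tokens[1:]
            families = ("ipv4", "ipv6")          # plain 'default' covers both families
            if args and args[0] == "-4":
                families, args = ("ipv4",), args[1:]
            elif args and args[0] == "-6":
                families, args = ("ipv6",), args[1:]
            if args and args[0] == "default":
                for fam in families:
                    noquery[fam] = "noquery" in args[1:]
    exposed = monitor_enabled and not (noquery["ipv4"] and noquery["ipv6"])
    return {"monitor_enabled": monitor_enabled,
            "default_noquery": noquery,
            "monlist_exposed": exposed}
```

Either mitigation alone closes the exposure; a "restrict -4 default noquery" line on its own still leaves the IPv6 default entry answering.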

US Military Winnowing Down Number of Network Entry Points (December 30, 2013)

US military agencies are reducing the number of entry points into their networks to protect them from attacks. Officials managing cyber security in the military have noted that the jumble of the military's overall information grid presents serious security concerns. The Air Force's cyber command center has reduced 120 network entry points to just 16 gateways and expects to be "fully consolidated by the spring ... [into] a single enterprise network with consistent standards." The agencies are also being encouraged to treat information systems as though they were weapons rather than innocuous technology.
-http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1367
[Editor's Note (Northcutt): This is wonderful news! I think the DoD has been talking about this for over 15 years. You want to keep enough connection points to reduce the risk of denial of service, and here is hoping they will keep a few unknown/unused connections in their back pocket, in case it really breaks bad some day. In the meantime, the security architecture principle in play is called reduce attack surface. I learned about this from my first SANS Instructor with Dr. Matt Bishop where he taught me to disable all unneeded services on Unix computers:
-http://www.sans.edu/research/security-laboratory/article/did-attack-surface
(Pescatore): "Put all your eggs in a small number of baskets and really, really watch those baskets" has been standard security dogma for a long time, and the US civilian Trusted Internet Connect program started back in 2007 to reduce civilian government Internet access points. Starting this late, it will take the DoD longer than they project. ]

FIRST LOOK: FIREEYE ACQUIRES MANDIANT

Advanced threat detection appliance vendor FireEye acquired forensics and incident response services firm Mandiant for just over $1B in cash and stock. The acquisition gives FireEye a needed services business along with strong threat research and analysis capabilities. Mandiant had moved to productize its endpoint forensics software, and very high-end enterprises who were using the Mandiant software and the FireEye appliances may see improved integration. However, there is rarely, if ever, long term gain from trying to use the same vendor for endpoint security and for network security. Enterprises looking at endpoint forensics software should weigh e-discovery and other endpoint-centric capabilities and integration with multiple network appliance vendors more highly than buying both endpoint and network security products from a single source.

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/