SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #17

February 28, 2014

The global cyber arms race and search for cyber talent, predicted as one of the most likely results of Snowden's revelations, is accelerating. The top story today, from William Wan in this morning's Washington Post, reports on CISIL, China's new cyber organization, led by President Xi himself, with the mandate to make China a "cyber power."

Alan

---

TOP OF THE NEWS

President Xi Personally Takes Charge Of CISIL, Aiming For "Cyber Power" Status for China
FBI Director Says Online Crime is Increasingly Sophisticated?
Energy Companies Have Difficulty Obtaining Insurance Against Cyber Incidents

THE REST OF THE WEEK'S NEWS

British Man Faces More Charges Over Attack on US Federal Reserve Servers
Bloomberg Adopts Tighter Data Access Controls
Proof-of-Concept Malware Spreads Through WiFi Access Points
Millions of Stolen Web Services Account Credentials Found on Black Market
Apple Update for OS X Addresses Critical SSL Flaw
DHS Offers Managed Cybersec Services for State and Local Governments That Adopt Framework
Microsoft Releases EMET 5.0 Beta
Justice Department Subpoenas Bitcoin Exchanges in Attack Investigation
Mt. Gox Goes Offline
How Did Stuxnet Sneak Into Natanz?

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Bit9 *****************************
Now is the time to Lock-Down Point of Sale and Fixed-Function Devices! If you can't block advanced malware in real-time, control change and protect your customers from real-world threats - then you should take a Free POS Security Assessment today!
http://www.sans.org/info/153637
***************************************************************************
TRAINING UPDATE

- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, Malaysia, and London all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

President Xi Personally Takes Charge Of CISIL, Aiming For "Cyber Power" Status for China (February 28, 2014)

Xi Jinping vowed to turn China into a "cyber power," saying cyber security must be prioritized. He personally took the reins of the new Central Internet Security and Informatization Leading (CISIL) Group and, at its first meeting, told the group that cybersecurity is a major strategic issue concerning a country's security and development, and "efforts should be made to build our country into a cyber power." The deputy heads of CISIL are Premier Li Keqiang and Liu Yunshan, both members of the Communist Party's Standing Committee, China's most powerful body.
-http://www.washingtonpost.com/world/chinese-president-takes-charge-of-new-cyber-
effort/2014/02/27/a4bffaac-9fc9-11e3-b8d8-94577ff66b28_story.html
[Editor's Note (Assante): Nations working to maintain or advance their competitive position and national security are mobilizing strategic efforts around cyber. Where China may struggle is trying to control and advance cyber power to include managing thoughts and information available to their people and focusing on the militarization of cyber power. The most successful approaches will recognize freedom of information, encourage innovation, and will focus on mobilizing leadership and action from people, industry, government, and military. Leaders should set an expectation of achieving cyber power in a way that complements the interest of their nation, people, and global community. ]

FBI Director Says Online Crime is Increasingly Sophisticated? (February 27, 2014)

Speaking at the RSA security conference in San Francisco, FBI director James Comey said, "Terrorism remains the FBI's top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country." The FBI has already begun amassing malware samples in a database known as BACSS (Binary Analysis, Characterization, and Storage System). A declassified version of the database will be made available to agency security partners later this year. Comey said that they want "to make BACSS the same kind of repository that
[they ]
have long maintained for fingerprints, criminal records, and DNA."
-http://www.theregister.co.uk/2014/02/27/new_fbi_boss_pledges_cyber_crime_not_ter
rorism_will_dominate_agency_in_the_next_decade/
-http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmartin
g-terrorists-hackers-and-spies??
[Editor's Note (Pescatore): Of course, that is what the FBI was saying on September 10th, 2001. National law enforcement's focus will change as crimes change, and having the US national law enforcement agencies get back to playing a major role in cyber security is a good thing because the problem is more of a cybercrime problem than a warfare problem. That said, rather than having the FBI build more databases I'd like to see them focus on increasing human intelligence and the cyber-skills of the agent force - the traditional parts of law enforcement that tend to actually reduce crime the most.
(Murray): BACSS is comparable to the Fingerprint and DNA databases only to the extent that it is a database. Entries do not point to individuals and entries in it do not create a presumption of guilt. ]

Energy Companies Have Difficulty Obtaining Insurance Against Cyber Incidents (February 27, 2014)

Energy companies are finding it difficult to obtain insurance against cyber attacks. Insurance underwriters are reluctant to provide the coverage for the companies because of inadequate security controls found by risk assessors. Often, the Industrial Control Systems, or SCADA (Supervisory Control and Data Acquisition) systems that the energy companies run are not up to date on patches. The assessors look closely at what each company does to keep intruders out of its systems; how they make sure that software is kept current with patches; and how the companies oversee networks that span great distances. One underwriter noted that, "We would not want insurance to become a substitute for security."
-http://www.bbc.com/news/technology-26358042
-http://www.theregister.co.uk/2014/02/27/energy_sector_refused_cyber_insurance/
[Editor's Note (Pescatore): This has been going on in cyber-insurance for years (beyond simple laptop replacement policies). After major threat events (think Slammer/Blaster, TJX, Sony, now) hype goes up for cyber-insurance to mitigate exposure as the hype says "Security is hard, insurance is the answer," and the cyber insurance industry replies "We want to sell you cyber-insurance but only if you won't ever need to use it." Insurance is an expense that gets *added* to preventive measures, it does *not* replace *any* preventive measures - it only limits the financial exposure when those preventive measures fail. You can *not* get home owners insurance for a house made of balsa wood or auto insurance for a car to be driven by someone who has had their driver's license revoked. Think Critical Security Controls: if you have them all up and running under a mature security program, then you can add cyber insurance to limit liability - that is what the insurers are looking for. ]

---

************************** Sponsored Links: ******************************
1) Get Free Access to the World's Largest Open Threat Exchange. Join AlienVault OTX now! http://www.sans.org/info/153642

2) Join SANS in NYC at the SANS Financial Cybersecurity Trends and Challenges breakfast briefing on March 7. John Pescatore, Tony Sager and Alan Paller head this important event for the Financial Community providing critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. Earn 4 CPE/CMU credit hours. Fees waived for SANS alumni, NewsBites readers, and their co-workers. http://www.sans.org/info/153647 Not in the NYC area - attend via simulcast: http://www.sans.org/info/153672

3) Are you a DBA who needs to secure your databases? Download the free ebook: Securing Oracle Database 12c. http://www.sans.org/info/153662
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

British Man Faces More Charges Over Attack on US Federal Reserve Servers (February 27, 2014)

The US Justice Department (DOJ) has charged a British man with hacking and aggravated identity theft for allegedly breaking into the computer system of the US Federal Reserve Bank and stealing personal information of legitimate system users. Lauri Love is also facing charges in New Jersey and Virginia for attacks on other US government agencies, including NASA, the US Department of Energy, and the Army. The latest charges come from the US Attorney's Office for the Southern District of New York. Love allegedly breached Federal Reserve servers using an SQL attack and later bragged about it in an IRC chat room and posted some of the personal information he stole. Love faces up to 12 years in prison if convicted on all charges. Love was arrested in October 2013 in connection with the earlier charges, but US authorities do not know if he is in custody.
-http://money.cnn.com/2014/02/27/technology/security/federal-reserve-hack/index.h
tml
-http://www.computerworld.com/s/article/9246650/UK_man_charged_with_hacking_Feder
al_Reserve?taxonomyId=17
-http://www.bbc.com/news/world-us-canada-26376865
DOJ Press Release:
-http://www.justice.gov/usao/nys/pressreleases/February14/LauriLoveIndictmentPR.p
hp

Bloomberg Adopts Tighter Data Access Controls (February 27, 2014)

After journalists from financial data and news company Bloomberg were found to have been snooping on client activity last year, the company sought recommendations from outside advisers on strengthening access controls. The company is endeavoring to implement dozens of third-party recommended measures to tighten data access. The journalists were able to see how company terminals had been used at other firms to look for financial market data. New access controls allow Bloomberg to have granular control over who may see what information.
-http://www.computerworld.com/s/article/9246643/Bloomberg_clamps_down_with_data_a
ccess_policies_after_scandal?taxonomyId=17
Editor's Note (Pescatore): The Bloomberg issue is really the poster child for an issue that exists at Google, Amazon, Microsoft and every other online service company that provide services to customers and that monitor their customers to sell information about their activities. How are they maintaining the "internal paywall" between the privacy expectations of their service consumers and the profit motive of selling private information to advertisers? The report done by the law firm Hogan Lovells and the Promontory Financial Group makes a nice checklist to ask service providers: "How would you answer these questions about how you will use my company's private information?" ]

Proof-of-Concept Malware Spreads Through WiFi Access Points (February 26 & 27, 2014)

Researchers at the University of Liverpool have developed malware, dubbed Chameleon, that is capable of spreading undetected over WiFi networks. The ease with which the malware spreads has been likened to that of the common cold. Chameleon can spread from network to network across access points, but is blocked by secure networks. The project underscores the risks inherent in public WiFi.
-http://www.v3.co.uk/v3-uk/news/2331294/security-researchers-warn-of-airborne-wif
i-virus-that-spreads-like-a-cold
-http://www.cnet.com.au/researchers-create-a-virus-that-can-spread-via-wi-fi-3393
46763.htm
-http://www.forbes.com/sites/bridaineparnell/2014/02/26/new-virus-spreads-like-th
e-common-cold-via-wifi/
Paper:
-http://jis.eurasipjournals.com/content/2013/1/2
[Editor's Note (Murray): How clever! They have demonstrated that which is obvious by inspection. In the process they have reduced the cost of such an attack by an order of magnitude. God save us all from such "researchers." ]

Millions of Stolen Web Services Account Credentials Found on Black Market (February 26 & 27, 2014)

While studying underground data-selling forums, researchers found a stash of 360 million web services account credentials for sale. The data likely came from numerous breaches. Most of the records are email addresses and passwords, many of which are not encrypted. It has not yet been determined where the information came from.
-http://arstechnica.com/security/2014/02/360-million-recently-compromised-passwor
ds-for-sale-online/
-http://news.cnet.com/8301-1009_3-57619567-83/black-market-lights-up-with-360m-st
olen-credentials-report/
-http://www.computerworld.com/s/article/9246604/360_million_account_credentials_f
ound_in_the_wild_says_security_firm?taxonomyId=17

Apple Update for OS X Addresses Critical SSL Flaw (February 25 & 26, 2014)

Apple has issued an update for OS X Mavericks that addresses a critical SSL flaw. The same issue was fixed several days ago in iOS. Users are urged to update their systems as soon as possible as exploit code has already been released. The newest version of OS X is now 10.9.2. The update fixes 32 additional issues, including six in the QuickTime media player and four that could be exploited to circumvent the application sandbox. Apple also issued updates for Safari, bringing the browser's latest versions to 6.1.2 and 7.0.2, and for Lion (OS X 10.7.5), Mountain Lion (OS X 10.8.5) and Lion Server (10.7.5). Apple is no longer supporting Snow Leopard (OS X 10.6).
-http://www.informationweek.com/security/application-security/apple-patches-maver
icks-ssl-flaw-update-now/d/d-id/1114016?
-http://www.computerworld.com/s/article/9246593/Apple_patches_critical_gotofail_b
ug_with_Mavericks_update?taxonomyId=17
-http://arstechnica.com/apple/2014/02/apple-releases-os-x-10-9-2-patches-ssl-flaw
-and-adds-facetime-audio-support/
-http://money.cnn.com/2014/02/25/technology/apple-security-fix/index.html
-http://www.computerworlduk.com/news/security/3504076/apple-retires-snow-leopard-
from-support-leaves-1-in-5-macs-vulnerable-to-attacks/
[Editors Note (Ullrich): This patch covers a lot more then the SSL flaw, and a patch for Safari on OS X was released as well. Interestingly, Apple hasn't released a patch for Safari on Windows in a while suggesting that Apple no longer supports Safari on Windows. ]

DHS Offers Managed Cybersec Services for State and Local Governments That Adopt Framework (February 26, 2014)

The US Department of Homeland Security will pay for managed cybersecurity services for state, local, and territorial government that adopt the cybersecurity framework. The services, provided by the Multi-State Information Sharing and Analysis Center (MS-ISAC), will include intrusion detection, intrusion prevention, and monitoring for firewalls and network traffic. The governments will retain governance of their own networks.
-http://www.govinfosecurity.com/dhs-offers-incentive-to-adopt-framework-a-6567
[Editor's Note (Pescatore): This can be a very good thing for local agencies but: While St. Jerome may have considered it rude to look a gift horse in the mouth, it is very important that even subsidized managed security services be assessed using the same evaluation criteria you would use comparing doing yourself against commercial MSSPs and comparing MSSPs against each other. Don't forget to figure out how you will modify existing security processes to integrate with any managed services you do decide to use. ]

Microsoft Releases EMET 5.0 Beta (February 26, 2014)

Just days after researchers revelaed that they had developed exploit code that bypasses bypasses Microsoft's Enhanced Mitigation Experience Toolkit (EMET), Microsoft has released a new beta version of the tool, EMET 5.0, which includes a feature known as Attack Surface Reduction that security managers can use to enforce usage policies.
-http://www.theregister.co.uk/2014/02/26/ms_emet_revamp/
-http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-
preview.aspx
[Editor's Note (Ullrich): The ability of EMET 5 to turn off selective plugins in specific applications in order to reduce their attack surface looks promising. For example I never used Flash in Excel for anything but analyzing malware.
(Hoelzer): This is certainly good news, but it still doesn't solve the root of the problem: we're still writing bad code. Until we invest in teaching developers how to do things right and require that they deliver secure code, not just functional code, we're going to continue to have software compromises. In case you missed it, 2 days ago Jared DeMott's research on completely bypassing every aspect of EMET 4.1 was released:
-http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
(Murray): The problem with EMET is not its limitations (only addresses 95% of potential attacks) but that it is so sparsely used. In consideration of backwards compatibility to legacy code, it is not turned on even where there is no legacy code to consider. ]

Justice Department Subpoenas Bitcoin Exchanges in Attack Investigation (February 27, 2014)

The US Attorney has served Mt. Gox and several other Bitcoin with subpoenas seeking information about the way they dealt with recent attacks. Earlier in February, several Bitcoin exchanges were hit with distributed denial-of-service attacks that exploited a "transaction malleability" vulnerability in the Bitcoin transaction verification system. There are reports that Mt. Gox is facing additional scrutiny from federal law enforcement due to its financial troubles (see story below.)
-http://news.cnet.com/8301-1009_3-57619649-83/bitcoin-exchanges-reportedly-served
-with-subpoenas/
-http://www.reuters.com/article/2014/02/26/us-bitcoin-subpoena-idUSBREA1P18820140
226

Mt. Gox Goes Offline (February 24, 25, 26, & 28 2014)

Tokyo-based Bitcoin exchange Mt. Gox has gone offline, leaving customers without access to their funds. The company is also saying that as much as US $400 million worth of the virtual currency was stolen. But there is evidence that the situation is attributable, at least in part, to gross financial mismanagement. Mt. Gox ceased allowing withdrawals on February 7 when it realized that attackers were exploiting a transaction malleability vulnerability. All Bitcoin trading on Mt. Gox stopped on February 24; at that time the value of one Bitcoin on that exchange was US $130, less that one-fourth of the currency's value on other exchanges. Mt. Gox CEO Mark Karpeles has resigned from the Bitcoin Foundation board.
-http://www.reuters.com/article/2014/02/28/us-bitcoin-mtgox-insight-idUSBREA1R06C
20140228
-http://money.cnn.com/2014/02/25/technology/security/bitcoin-mtgox/index.html
-http://www.nbcnews.com/business/markets/bitcoin-exchange-mt-gox-closed-time-bein
g-n37896
-http://www.wired.com/wiredenterprise/2014/02/bitcoins-mt-gox-implodes/
-http://www.bbc.com/news/technology-26352442

How Did Stuxnet Sneak Into Natanz? (February 25, 2014)

It has never been completely clear how Stuxnet managed to gain purchase in the computer network at Iran's Natanz nuclear facility. One possible explanation posits that the sophisticated and customized malware was able to slip through a vulnerability in the plant's supply chain. Documents obtained from federal court cases suggest that US intelligence was monitoring the procurement activity of NEDA Industrial Group, an Iranian company that oversaw the computerized industrial control systems at the Natanz facility. NEDA also had expertise with the Siemens SCADA/ICS software used at Natanz. Armed with that information, the US then targeted the components of the equipment that NEDA sought. State Department cables from that time period that were more recently leaked through WikiLeaks indicated that the US had been seeking to intercept shipments of equipment headed for Iran. While the scenario is not conclusive, it offers a compelling alternative to the idea that Stuxnet arrived in the Natanz plant on a memory stick.
-http://www.csmonitor.com/World/Security-Watch/2014/0225/Exclusive-New-thesis-on-
how-Stuxnet-infiltrated-Iran-nuclear-facility
[Guest Editor's Note (Sean McBride): It is also important to recognize that as the ICS integrator for Natanz, Neda would possess the details about the plant that were required to create the ICS portion of Stuxnet. While ICS integrators are attractive targets, they are often missing from discussions on ICS security. ]

---

STORM CENTER TECH CORNER

RSA Conference Panel (with link to slides)
-http://www.rsaconference.com/events/us14/agenda/sessions/1043/the-seven-most-dan
gerous-new-attack-techniques-and

Twitter Restores "N"
-http://arstechnica.com/security/2014/02/twitter-restores-50000-n-username-to-its
-owner/

Snort 2.7.4 alpha released
-http://seclists.org/snort/2014/q1/521

700,000 bit coins missing from Mt Gox
-http://www.techrepublic.com/article/over-700000-bitcoin-missing-in-mt-gox-securi
ty-flaw/

Apple Updates for Safari, OS X, Quicktime
-http://support.apple.com/kb/HT1222

iOS 7 Background Applications May Receive Touch Events from Other Apps
-http://www.fireeye.com/blog/technical/2014/02/background-monitoring-on-non-jailb
roken-ios-7-devices-and-a-mitigation.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/