

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #2

January 07, 2014


The Snowden leaks are impacting the finances of technology companies. This week's first story provides a simple example of how buyers convert their anger into buying actions. John Pescatore's note describes steps technology companies may have to take to lessen the economic damage.

Control systems engineers and IT security people in electric power, oil & gas and manufacturing can save $600 by registering for the ICS/SCADA Security Orlando Summit by January 22. The Summit's the only place you will find a deep assessment of embedded system attack surfaces, discover what you can do, and take away first time released tools to test embedded systems! It is also where you can attend the new ICS/SCADA Security Essentials course that helps you prepare for the GICSP certification exam. GICSP certification is increasingly required by industry leaders for employment or consulting assignments in industrial control system security.
http://www.sans.org/event/north-american-ics-scada-summit-2014
Alan

TOP OF THE NEWS

UAE May Scrap Satellite Deal with France Over Backdoors in US Components
The Internet of Things Poses a Growing Threat
Both NSA Metadata Gathering Rulings Will be Appealed
NSA Metadata Gathering Program Might Not Reach Supreme Court

THE REST OF THE WEEK'S NEWS

Cyberattacks Top List of National Security Threats in Defense News Leadership Poll
Possible Common Link Found in Backdoored Wi-Fi Routers
Google Announces Alliance to Support Android-Connected Cars
AT&T Plan Shifts Burden of Data Cost to Content Providers
Newer, "Meaner" Ransomware
Yahoo Ad Hijacking
Sheriff Loses Job for Installing Keystroke Logger on Wife's Computer
World of Warcraft Accounts Hijacked

FIRST LOOK: PALO ALTO NETWORKS ACQUIRES MORTA SECURITY

STORM CENTER TECH CORNER


************************ Sponsored By Symantec **************************
Webcast: RATs - The Tools of Targeted Attacks, January 14 10AM Pacific. Sometimes referred to as "creepware", Remote Access Tools (RAT) are being used to spy on people and businesses, with the ultimate goal of gaining access and control of computers and data. Attackers can do nearly anything from a remote location as if they're sitting at the computer themselves. Join our Security, Threat and Response Expert, Kevin Haley and learn how to defend against this type of threat.
http://www.sans.org/info/148055
***************************************************************************
TRAINING UPDATE


--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


--SANS Cyber Threat Intelligence Summit February 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


--ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

UAE May Scrap Satellite Deal with France Over Backdoors in US Components (January 5, 2014)

The United Arab Emirates (UAE) inked a 3.4 billion dirham (US $926 million) deal last summer to purchase two intelligence satellites from France, but a UAE source says the country is considering scrapping the deal unless two US-made components are removed. The components reportedly contain backdoors that allow access to the data that are to be transmitted to the ground station. Officials have asked France to change out the components in question.
-http://www.defensenews.com/article/20140105/DEFREG04/301050006
[Editor's Note (Honan): I have seen similar moves by clients in their Request for Tenders where they specifically highlight data is not to be stored in US data centers or with US based cloud providers. US tech companies have a lot of reputational damage to repair for a lot of European based organizations post the revelations about NSA backdoors and spying allegations.
(Pescatore): Huawei funded a test lab in the UK so that the UK government could inspect Huawei telecoms equipment that BT wanted to use in the UK backbone network upgrade. Recently, Microsoft Chief Legal Counsel Brad Smith announced that Microsoft was "enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors." The Snowden leaks of NSA activities mean that US IT exporters will need to make investments similar to Huawei's in order to convince overseas customers that their technology has not been compromised. ]

The Internet of Things Poses a Growing Threat (January 6, 2014)

Bruce Schneier says that embedded systems pose a growing security threat because "there is no good way to patch them." He notes that two decades ago, PCs were facing a similar challenge, which has been addressed by full disclosure of vulnerabilities and automated patching. However, embedded systems are products of several different companies, none of which has particular incentive to make sure that they are secure. Schneier says that embedded systems vendors need to be pressured to create more secure products; driver software needs to be open-source; and automated update mechanisms need to be used to keep the products secure. ISPs are a likely locus to initiate this shift.
-http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/

[Editor's Note (Assante): Bruce does a nice job of explaining the behaviors and process involved in developing and supporting embedded systems. The 'Internet of Things' label is far too limited as it does not conjure thoughts of the many legacy and new industrial controllers and field devices. Embedded systems security represents a real challenge to those relying on these devices with limited but important avenues for the owner/operator to address them. ]

Both NSA Metadata Gathering Rulings Will be Appealed (January 2 & 3, 2014)

Both recent rulings regarding the legality of the NSA's phone metadata gathering program will be appealed. On Thursday, January 2, the American Civil Liberties Union (ACLU) filed a notice of appeal in its lawsuit challenging the data collection program; Judge William Pauley III dismissed the ACLU's challenge the previous week. On Friday, January 3, the US Justice Department (DOJ) filed an appeal of a ruling from Judge Richard Leon in Klayman v. Obama, which found that the NSA's data collection likely violates the constitution.
-http://www.computerworld.com/s/article/9245154/DOJ_will_appeal_judge_39_s_ruling_against_NSA_phone_program?taxonomyId=17
-http://www.zdnet.com/u-s-appeals-unconstitutional-ruling-on-nsa-metadata-programs-7000024772/

NSA Metadata Gathering Program Might Not Reach Supreme Court (January 3, 2014)

If each of the federal judges' rulings on NSA data gathering is upheld on appeal, it is likely the Supreme Court would step in to resolve the issue. However, according to Orin Kerr, a Fourth Amendment scholar at George Washington University, it is not a sure thing. Kerr points out in a Volokh Conspiracy post that the provision of the Patriot Act (Section 215) that is being held up as license to continue the snooping expires on June 1, 2015. By that time, legislators will likely be debating the issue, and this "lessens the likelihood of the Supreme Court stepping in to the debate at that time, both because the issue may be mooted by statute and because the Court may feel that statutory regulation is preferable to constitutional regulation in this context."
-http://www.wired.com/threatlevel/2014/01/scotus-phone-snooping/
Orin Kerr's post:
-http://www.volokh.com/2014/01/02/supreme-court-take-bulk-telephony-case-circuit-courts-dont-invalidate-program/

In the meantime, the Foreign Intelligence Surveillance Court (FISC) has renewed the NSA's phone data collection program. The FISC has to renew the program every 90 days. The court makes clear that the program does not permit the NSA to collect the content of phone calls.
-http://www.scmagazine.com/fisa-court-renews-nsa-phone-data-collection/article/328120/



************************** Sponsored Links: ******************************
1) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/148060

2) Are you an IT professional working in the financial services sector with responsibility for some aspect of information security, compliance, risk management or information privacy? Win an iPad by registering and completing the SANS financial services survey: http://www.sans.org/info/148065

3) Analyst Webcast: Smart buildings, Cars and Other Devices: New SANS Survey Reveals How Internet of Things Impacts IT Risk Management, Wednesday, January 15 at 1 PM EDT http://www.sans.org/info/148070
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Cyberattacks Top List of National Security Threats in Defense News Leadership Poll (January 5 & 6, 2014)

Nearly half of the 352 people responding to the inaugural Defense News Leadership Poll said that cyberattacks top the list of national security threats. Terrorism came in second, nearly 20 percentage points behind cyberattacks. The respondents are Defense News subscribers who are senior employees in the executive and legislative branches of government as well as the military and the defense industry. More than half of those responding said that the NSA and the US Cyber Command should have separate leaders.
-http://www.defensenews.com/article/20140105/DEFREG02/301050011
-http://www.nextgov.com/defense/2014/01/defense-leaders-say-cyber-top-terror-threat/76265/?oref=ng-HPriver

[Editor's Note (Pescatore): I agree with separating NSA and Cyber Command but no way are cyber attacks the top risk to national security. On September 10th 2001 there were similar statements. ]

Possible Common Link Found in Backdoored Wi-Fi Routers (January 6, 2014)

The common link among several Wi-Fi routers from different vendors that have been found to contain backdoors may be Sercomm, a manufacturer of broadband and wireless networking equipment. The vulnerability affects products from Cisco, Linksys, Netgear, and several other companies.
-http://www.scmagazine.com/possible-link-discovered-that-ties-together-wi-fi-routers-with-backdoors/article/328125/

Google Announces Alliance to Support Android-Connected Cars (January 6, 2014)

Google has created an alliance of car manufacturers that are working to make their products Android-connected. The initiative is known as the Open Automotive Alliance (OAA). It is "committed to bringing the Android platform to cars starting in 2014 ... in a safe and seamless way." Google is developing an Android platform "that will enable the car itself to become a connected Android device." Questions about the alliance's plans for addressing security issues were not answered directly. Charlie Miller, a Twitter security engineer who has given presentations about cars' vulnerability to hacking, said he believes "these automotive efforts need to have security experts brought in from the beginning."
-http://www.scmagazine.com/google-joins-with-automakers-to-put-android-connected-cars-on-road/article/328124/

[Editor's Note (Northcutt): Hmmm, you would think the Toyota sticky accelerator/unintended acceleration would be enough for people to rebel against cars they cannot control; think they are up to 34 deaths at this time, some say it is more. The first link below contains Car and Driver's tips should you ever find yourself in an unintended acceleration scenario, I did not know the bit about having to hold the start/stop button for some time on keyless ignition vehicles. Had a part time job in high school refurbishing carburetors, maybe I should sell my Tacoma and pick up a truck with points, plugs and a carburetor:
-http://www.caranddriver.com/features/how-to-deal-with-unintended-acceleration
-http://www.huffingtonpost.com/2010/02/15/toyota-recall-government_n_462601.html
-http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/
-http://arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-by-hacking-its-computers-a-new-how-to/
-http://www.carscoops.com/2011/08/hacking-your-car-through-your-smart.html
-http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/

-http://www.caranddriver.com/features/can-your-car-be-hacked-feature]

AT&T Plan Shifts Burden of Data Cost to Content Providers (January 6, 2014)

AT&T has confirmed a plan that allows content providers to pay for bandwidth their customers use so that it will not count toward subscribers' monthly data caps. Some say the plan flies in the face of "the spirit of net neutrality." Companies trying to break into the market may not be able to match competitors' ability to pay the subscriber fees. While content providers would absorb the cost of data use, they will likely pass it on to their customers. AT&T pointed out that the plan does not prioritize traffic for the participating content providers, but merely shifts the burden of data limits.
-http://www.wired.com/threatlevel/2014/01/att-sponsored-data/
-http://arstechnica.com/business/2014/01/att-turns-data-caps-into-profits-with-new-fees-for-content-providers/

Newer, "Meaner" Ransomware (January 6, 2014)

Newly detected ransomware known as PrisonLocker or PowerLocker has been the subject of discussions on underground forums since late last year. It bears some similarities to CryptoLocker, the ransomware that demands payment in Bitcoins and has thus far not been cracked. The new malware could be even more of a threat than CryptoLocker because it could be sold as a malware kit for US $100, whereas CryptoLocker was crafted specially for a certain group of cyber extortionists.
-http://arstechnica.com/security/2014/01/researchers-warn-of-new-meaner-ransomware-with-unbreakable-crypto/

[Editor's Note (Murray): The potential for success for ransomware, as with other forms of extortion, is all in the pricing. The criminals appear to have found the "sweet spot."
(Honan): Ransomware has proven to be quite lucrative for criminals and we will no doubt see continual development by them in this area. What is frustrating though is the countermeasures to protect against infection by ransomware are basic measures (up to date patches, up to date AV, good backups) that most companies and individuals should have in place. As an industry we need to focus on better ways of articulating how to protect our systems rather than focusing on the cool and new sophisticated attacks that may never be used against those systems. ]

Yahoo Ad Hijacking (January 5 & 6, 2014)

The ads on Yahoo that were reportedly serving malware affected mainly users in Europe; users in the US are not likely to have had their machines infected in the attack. The attackers hijacked Yahoo's ad servers and redirected users to an exploit kit that exploits Java vulnerabilities. The ultimate goal of the attack was to infect machines with banking Trojans.
Internet Storm Center:
-https://isc.sans.edu/diary/Malicious+Ads+from+Yahoo/17345
-http://www.computerworld.com/s/article/9245178/Malware_from_Yahoo_ads_did_not_affect_US_and_Mac_and_mobile_users?taxonomyId=17
-http://www.theregister.co.uk/2014/01/06/yahoo_tainted_ads_malware/
-http://arstechnica.com/security/2014/01/malware-attacks-thousands-of-yahoo-com-visitors-through-java-exploit/
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/05/worried-about-the-yahoo-malware-outbreak-if-youre-in-u-s-youre-probably-safe/

[Editor's Note (Pescatore): I would like to see The Advertising Self-Regulatory Council or one of the many other advertising industry lobbying groups push all online advertisers to take a look at the Critical Security Controls and take the basic steps to assure that malicious code does not go out in online advertising. ]

Sheriff Loses Job for Installing Keystroke Logger on Wife's Computer (January 5, 2014)

A West Virginia man has lost his job as Clay County sheriff after it was discovered that he had placed a keystroke logger on his wife's work computer. Miles J. Slack and his wife were in the process of divorcing at the time. To make matters worse, Slack's wife works for the Clay County Magistrate Court, so the keystroke logger he surreptitiously attached to her computer also slurped up sensitive personal data she entered into her computer. The device was detected several weeks after he installed it. Slack was sentenced to two years of probation and ordered to pay a fine of US $1,000.
-http://arstechnica.com/tech-policy/2014/01/the-county-sheriff-who-keylogged-his-wife/

World of Warcraft Accounts Hijacked (January 6, 2014)

Account-hijacking malware is targeting World of Warcraft (WoW) accounts. The malware disguises itself as an installer for an add-on known as Curse that helps users manage other WoW add-ons. The infected versions of the Curse client have been detected on unofficial WoW sites. The malware is capable of taking control of accounts even if users have employed two-factor authentication.
-http://arstechnica.com/security/2014/01/world-of-warcraft-users-hit-by-account-hijacking-malware-attack/


FIRST LOOK: PALO ALTO NETWORKS ACQUIRES MORTA SECURITY

Palo Alto Networks announced it was acquiring Morta Security, a small startup developing advanced threat detection technology. While Palo Alto was in front of the previous wave of Next Generation Firewall Capabilities, it has been slow to react to FireEye's on-box executable analysis capabilities and appears to be looking to this acquisition to address that shortcoming.
-http://bits.blogs.nytimes.com/2014/01/06/palo-alto-networks-acquires-morta-security-as-security-acquisitions-gain-steam/?_r=0
-http://blogs.wsj.com/venturecapital/2014/01/06/palo-alto-networks-acquires-morta-security-to-fight-sophisticated-cyber-threats/


STORM CENTER TECH CORNER

--Lessons Learned From Incident Response
-https://isc.sans.edu/forums/diary/Incident+response+and+the+false+sense+of+security/17354

--Port 32764 Backdoor Update: Many devices vulnerable
-https://github.com/elvanderb/TCP-32764

--Ubuntu LTS behind on Drupal Updates
-http://people.canonical.com/~ubuntu-security/cve/pkg/drupal7.html

--Yahoo Serves Malicious Ads
-http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/

--Using Syslog with Windows
-https://isc.sans.edu/diary.html?storyid=17342

--Django Framework Session Vulnerability Affects Pinterest/Instagram
-http://maverickblogging.com/you-cant-log-out-of-pinterest-or-instagram-django-web-framework-security-weakness/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/