SANS NewsBites - Volume: XV, Issue: 38


One more day to save $250 on SANSFIRE courses in Washington DC June 14-22. 40 world-class courses from deep technology updates to management techniques to auditing, plus the best technical security conference other than RSA - and the conference, run by the Internet Storm Center is free for all course attendees. Information: http://www.sans.org/event/sansfire-2013/

*************************************************************************
SANS NewsBites                     May 14, 2013                    Volume: XV, Issue: 38
*************************************************************************
TOP OF THE NEWS

  US Government is the Largest Purchaser of Hacking Tools
  Bloomberg Reporters Had Access to Client Account Information
  iPhone Encryption Stymies Law Enforcement

THE REST OF THE WEEK'S NEWS

  US State Department Demands 3D Printable Weapons Designs be Taken Down
  Malicious Browser Extensions Hijack Facebook Accounts
  NY Attorney General Wants Mobile Phone Companies to Help Thwart Device Theft
  Academic Institutions Warned About Configuration Issues That Could be Exploited to Launch DDoS Attack
  ESPN May Be Seeking Arrangement to Uncap its Wireless Traffic Limits
  Proposed Legislation Would Place Privacy Onus on Mobile App Developers
  Concerned About Security Risks in Telecom Equipment, India Will Establish Testing Lab
  Hackers Exploited Known Flaw in ColdFusion to Steal Data from Washington State Court System


****************** SPONSORED BY ForeScout Technologies ******************
Did you know that ForeScout is a Gartner Magic Quadrant Leader for Network Access Control? Download the free report to find out why magic quadrant leadership and network access control are crucial for your company. http://www.sans.org/info/130817
***************************************************************************

TRAINING UPDATE

- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013


- -- SANSFIRE 2013 Washington, DC June 14-22, 2013 41 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013


- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


- -- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013


- -- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


- -- Looking for training in your own community?
http://www.sans.org/community/


- -- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials

Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

US Government is the Largest Purchaser of Hacking Tools (May 10 & 13, 2013)
According to a report from Reuters, the US government is the single largest buyer in the "gray market" of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, "If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users." Howard Schmidt, also a former White House cybersecurity advisor, said, "It's pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that's discovered it." And former NSA director Michael Hayden said that although "there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level." Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws.
-http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUS
BRE9490EL20130510

-http://www.zdnet.com/u-s-government-becomes-biggest-buyer-of-malware-7000015242/
[Editor's Note (Pescatore): Governments are the largest buyers of all offensive weapons and the US government (DoD/Intelligence plus national law enforcement) is usually the largest of the government buyers, so this is sort of a "drug companies are the biggest buyers of opiates" story.
(Assante): The main ramification of a thriving tools market is greater investment in vulnerability discovery and the development of more powerful tools to assemble and test exploits. 2006 is considered a turning point as the emerging underground tool market breed specialization and provided paths for money to cycle through the system. Monetization of hacking gains began to feed upstream tool developers and people willing to commit attacks became more reliant on tools that were purchased. Super buyers will certainly influence this market place, but they are only one category of participant - these markets are here to stay. ]


Bloomberg Reporters Had Access to Client Account Information (May 11, 12 & 13, 2013)
Bloomberg news editor-in-chief Matthew Winkler has apologized for employees using the company's financial data terminals to snoop on customers. Bloomberg reporters had access to login histories, "high-level types of user functions on an aggregated basis," and help desk inquiries. Having access to the information may have given Bloomberg reporters an edge over other reporters. The terminals, which are in many financial institutions and related organizations, provide financial industry professionals with real-time market data, news, and a messaging service. Companies rent the machines for US $20,000 a year. Winkler wrote, "Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable." The issue came to light after a Bloomberg reporter commented to a Goldman Sachs executive that another Goldman executive had not logged in recently. The reporters no longer have access to the customer information.
-http://money.cnn.com/2013/05/13/news/companies/bloomberg-terminal-spy/
-http://news.cnet.com/8301-1009_3-57584159-83/bloomberg-yes-reporters-had-access-
to-client-data/

-http://www.washingtonpost.com/lifestyle/style/after-bloomberg-news-disclosure-fe
d-and-treasury-assess-possibility-of-privacy-breach/2013/05/11/6037d7c4-ba78-11e
2-b94c-b684dda07add_story.html

(Please note that the New York Times requires a paid subscription)
-http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-da
ta-terminals.html

Matthew Winkler's Apology:
-http://www.bloomberg.com/news/2013-05-13/holding-ourselves-accountable.html
[Editor's Comment (Northcutt): One of the things I learned from Ben Wright's course on the Law of Data Security and Investigations is how important it is to handle incidents rapidly and transparently. I think Bloomberg passed this test, and this will fade away. ]


iPhone Encryption Stymies Law Enforcement (May 10 & 11, 2013)
Law enforcement agencies are growing frustrated with Apple iPhone encryption. Because the encryption used on the devices is so strong, law enforcement agencies are finding that they need to ask Apple to manually override the security controls and decrypt the data on seized devices. The demand is high enough to have created a significant backlog. Some law enforcement officials report having been been told that they would have to wait seven weeks for Apple to help decrypt the information. Law enforcement frustration with Apple's encryption is not new. Just a few weeks ago, the US Drug Enforcement Agency (DEA) warned that messages sent through Apple's Messages App are nearly impossible to wiretap. The issue is illustrative of the balance that needs to be struck between law enforcement's need to eavesdrop on certain communications, and people's right to privacy.
-http://www.v3.co.uk/v3-uk/the-frontline-blog/2267468/apple-iphone-encryption-cau
sing-police-backlog

-http://arstechnica.com/apple/2013/05/apple-will-reportedly-unlock-your-iphone-fo
r-police-but-theres-a-wait-list/




*************************** Sponsored Links: ******************************
1) Risk vs. Cost of DDoS Protection: How to model costs and risks of these attacks for evaluating DDoS protection. http://www.sans.org/info/130822

2) At the Mobile Device Security Summit experts and practitioners will detail proven approaches to securing BYOD. http://www.sans.org/info/130827
*****************************************************************************

THE REST OF THE WEEK'S NEWS

US State Department Demands 3D Printable Weapons Designs be Taken Down (May 9, 10, & 13, 2013)
The US State Department has sent a letter to Defense Distributed demanding that it remove from the Internet plans for a 3D-printable gun and nine other weapons components. The letter indicated that their presence on the Internet and their availability to entities outside the US could be a violation of US arms control regulations. The files are no longer available on the company's Defcad website, but the plans for the gun have been downloaded more than 100,000 times already, and copies of the plans have been uploaded to filesharing sites. The State Department's Office of Defense Trade Controls Compliance demanded that the documents be removed until Defense Distributed founder Cody Wilson can prove that he did not violate US laws. Kim Dotcom, who recently launched a new file-storage service called Mega, has also ordered that the plans be removed from the company's servers. The government had not contacted Mega to request the content takedown.
-http://www.bbc.co.uk/news/technology-22478310
-http://arstechnica.com/tech-policy/2013/05/pistol-plans-hit-p2p-after-creator-pu
lls-design-offline/

-http://www.forbes.com/sites/andygreenberg/2013/05/09/state-department-demands-ta
kedown-of-3d-printable-gun-for-possible-export-control-violation/

-http://www.computerworld.com/s/article/9239133/In_legal_fog_Kim_Dotcom_removes_3
D_gun_design?taxonomyId=17



Malicious Browser Extensions Hijack Facebook Accounts (May 13, 2013)
According to a warning from Microsoft's Malware Protection Center, a Trojan horse program called JS/Febipos.A is taking control of Facebook accounts by disguising itself as a legitimate Firefox add-on or Google Chrome extension. The Trojan checks to see if users are logged in to Facebook, then receives configuration instructions from a remote site which enable it to perform most Facebook activity posing as the user. The issue currently affects users in Brazil.
-http://news.cnet.com/8301-1009_3-57584111-83/microsoft-warns-of-new-trojan-hijac
king-facebook-accounts/

-http://www.h-online.com/security/news/item/Microsoft-warns-of-Facebook-hijacking
-extensions-1861398.html

Microsoft's Warning:
-http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-fac
ebook-profiles.aspx



NY Attorney General Wants Mobile Phone Companies to Help Thwart Device Theft (May 13, 2013)
New York State Attorney General Eric Schneiderman has sent letters to the CEOs of Apple, Samsung, Google, Motorola, and Microsoft asking them to specify what they are doing to make phones less susceptible to theft. Schneiderman asked why the companies do not offer technology that would make stolen phones useless, which would deter thieves.
-http://news.cnet.com/8301-1009_3-57584195-83/apple-samsung-others-urged-to-help-
thwart-mobile-phone-thefts/

[Editor's Note (Pescatore): Lots wrong with this idea, but it is a feel good kinda thing. There are already a myriad of ways to quickly shut down the phone service, and (like with cars) there is insurance for device loss. The same idea never flew with automobiles, even though way more of those are stolen - and the economic impact is much higher. I can see all kinds of denial of service opportunities with the "remote device disable" capability. ]


Academic Institutions Warned About Configuration Issues That Could be Exploited to Launch DDoS Attack (May 10, 2013)
The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is advising academic institutions to take precautions to make sure their computer systems are not hijacked and used in distributed denial-of-service (DDoS) attacks. The alert refers specifically to DNS amplification or reflection attacks, which increase the intensity of the attacks. REN-ISAC recommends that schools examine their Domain Name System (DNS) and network configurations. "The network configuration issue concerns the ability for a machine on your network to send packets marked with a source IP address that doesn't belong to you ("spoofed") to outside your network. The DNS issue concerns a configuration that allows outsiders to exploit your DNS servers to send high volumes of traffic at arbitrary target machines." The technical alert provides specific actions to take to remediate the configuration problems. REN-ISAC is a private organization with more than 350 academic institution members in the US, Canada, Australia, New Zealand, and Sweden.
-http://www.computerworld.com/s/article/9239092/Academic_institutions_urged_to_ta
ke_steps_to_prevent_DNS_amplification_attacks?taxonomyId=17

Alert (Technical Version):
-http://www.ren-isac.net/alerts/dns_amp_ddos_tech_201305.html
[Editor's Note (Pescatore): Another 20 Critical Security Controls pointer here. Control 3: Secure Configurations. ]


ESPN May Be Seeking Arrangement to Uncap its Wireless Traffic Limits (May 10, 2013)
According to a report in The Wall Street Journal, sports broadcasting network ESPN is talking with at least one wireless carrier about ways to exempt its traffic from data caps. While it is not known which provider ESPN is negotiating with, both Verizon and AT&T have indicated that they would consider such arrangements. Net neutrality proponents are not pleased, but an arrangement like the one rumored to be under consideration would probably not violate the US Federal Communication Commission's (FCC's) rules, which require wired broadband providers to treat all traffic equally. Wireless providers may provide preferential treatment if they are transparent about their practices and do not completely block sites.
-http://arstechnica.com/tech-policy/2013/05/report-espn-may-pay-to-exempt-its-con
tent-from-wireless-data-caps/

[Editor's Note (Murray): The FCC struck a bad bargain with AT&T and Verizon when they opted for net neutrality on the wired side, where it is not important, at the expense of the air side, where it is. This is only one example of how the ISPs can make money by pitting the users of one application against those of another and by under provisioning the network and pricing scarcity. ]


Proposed Legislation Would Place Privacy Onus on Mobile App Developers (May 10, 2013)
A US legislator has introduced the Application Privacy, Protection and Security Act of 2013, a bill that would require mobile app developers to take responsibility for the privacy of users' data. The legislation would require developers to inform users which data the apps collect and how the data are stored, and to obtain consent before the data are gathered. The developers would also need to specify how they will use the collected data, and whether they will be shared with other parties. The Federal Trade Commission would bear the responsibility of enforcing the measure should it become law.
-http://www.computerworld.com/s/article/9239076/Bill_would_put_mobile_app_vendors
_on_the_hook_for_privacy?taxonomyId=17

-http://www.scmagazine.com/privacy-bolstering-apps-act-introduced-in-house/articl
e/292925/

Discussion Draft of the Bill:
-http://hankjohnson.house.gov/sites/hankjohnson.house.gov/files/documents/APPS_Ac
t_Key_Provisions.pdf

[Editor's Note (Pescatore): I'm a big fan of opt-in, but technology-focused legislation invariably ends up with a lot of unintended consequences in the long run. Why only mobile applications? ]


Concerned About Security Risks in Telecom Equipment, India Will Establish Testing Lab (May 8 & 10, 2013)
India is the latest country to express concern about possible security risks associated with using telecommunications equipment from Chinese companies Huawei and ZTE. India's Department of Telecommunications is reportedly setting up a laboratory to test telecom equipment made by foreign manufacturers for security issues. The testing could also be required for products from US companies, such as Cisco and Alcatel.
-http://www.theregister.co.uk/2013/05/10/india_to_test_huawei_and_zte_kit/
-http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/
-http://www.hindustantimes.com/News-Feed/Chunk-HT-UI-BusinessSectionPage-Infotech
/Huawei-ZTE-under-scanner/Article1-1057038.aspx

[Editor's Note (Pescatore): The UK and Australia are taking a similar approach. This is clearly heading towards a "Common Criteria" testing approach - which is the only feasible solution in the long run. ]


Hackers Exploited Known Flaw in ColdFusion to Steal Data from Washington State Court System (May 9 & 10, 2013)
A data security breach at the Washington state Administrative Office of the Courts (AOC) has compromised 160,000 social security numbers (SSNs) and one million driver's license numbers. The attackers exploited a known flaw in Adobe ColdFusion to access the data. Adobe issued a fix for the vulnerability in January 2013. The patch addressed four issues, but an AOC spokesperson did not specify which flaw was exploited in the attack. The incident occurred sometime between September 2012 and February 2013. Adobe recently acknowledged another flaw in ColdFusion and expects to release a patch for it on Tuesday, May 14. This is not the flaw that was exploited in the attacks.
-http://www.scmagazine.com/weakness-in-adobe-coldfusion-allowed-court-hackers-acc
ess-to-160k-ssns/article/292906/

-http://www.zdnet.com/hackers-breached-washington-state-court-with-adobe-coldfusi
on-flaw-7000015199/

-http://www.nbcnews.com/technology/160-000-social-security-numbers-exposed-washin
gton-state-court-hack-1C9864740

AOC Breach Information:
-http://www.courts.wa.gov/newsinfo/?fa=newsinfo.displayContent&theFile=dataBr
each/home



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/