SANS NewsBites - Volume: XV, Issue: 50

*************************************************************************
SANS NewsBites                     June 25, 2013                    Volume: XV, Issue: 50
*************************************************************************
TOP OF THE NEWS

  NSA Will Adopt Measures to Prevent Data Leaks
  EU Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs
  US-CERT Issues Default Password Alert

THE REST OF THE WEEK'S NEWS

  Leaked Docs Reveal UK Intelligence Wiretaps Fiber Optic Cables, Shares Data with NSA
  NSA More Likely to Collect Encrypted and Other Secure Communications
  Google Scanning Chrome Apps and Extensions Submitted to Chrome Web Store
  Facebook Data Leak Repaired
  LulzSec Hacker Released From Detention, Faces Tech Restrictions
  Australian Government Will Not Pursue Data Retention Plan for Now
  Unsealed Court Orders Reveal Secret Warrants Used to Obtain Data on WikiLeaks Volunteer
  UK ICO Gives Google Five Weeks to Purge Any Remaining Street View Data
  Flaw in Backup Program Grants Root Access to LG Android Phones


********************** SPONSORED BY Invincea **************************
BREAKING NEWS: Invincea and Dell announced an OEM agreement today to ship Invincea's advanced malware prevention technology straight from the factory to 20 million + machines over the next 12 months.

This is a huge step forward in the fight against watering hole, spear-phishing and drive-by download attacks. Learn more about how this relationship can help your firm!

http://www.sans.org/info/133547
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.


--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Austin, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

NSA Will Adopt Measures to Prevent Data Leaks (June 24, 2013)
Following Edward Snowden's leak of information about US intelligence surveillance programs, the NSA is planning to introduce measures to lessen the likelihood of a recurrence. Snowden was employed as a contractor through Booz Allen Hamilton. He worked as a systems administrator, a position that granted him broad access to networks. NSA Director General Keith Alexander told a congressional committee that the NSA plans to implement a "two-person rule" requiring a second individual to authorize requests for sensitive data before access is granted.
-http://www.zdnet.com/nsa-instigates-security-measures-to-hamper-future-whistleblowers-7000017207/

-http://www.computerworld.com/s/article/9240151/Expanded_2_person_rule_could_help_plug_NSA_leaks

-http://www.wired.com/threatlevel/2013/06/nsa-hearing-by-the-numbers/
[Editor's Note (Pescatore): The two-person rule has long been used for highly sensitive but not so frequently occurring activities, like changing keying materials or destruction of materials. Requiring it for all sensitive actions a system or database administrator does would be like requiring all car repairs to be done by two mechanics at once - slow and expensive. The real issue is limiting privileged users' capabilities, better vetting of admins in sensitive positions and better monitoring of their actions.
(Murray): Whenever I have complained about their absence, I have been told that it is okay because "They have top-secret clearance" or have "taken an oath to the Queen." As in the rest of the government, the cultural imperative is "avoid accountability at all cost." ]


EU Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs (June 24, 2013)
The European Union has issued new regulations describing the responsibilities of telecommunications companies and Internet service providers (ISPs) when they experience data breaches. The incidents must be reported to data protection authorities within 24 hours of their discovery. The companies must report the size and nature of the breach, what data were compromised, and what steps they have taken to address the issue with customers. Businesses and consumers will be told of the breach if it "is likely to adversely affect personal data or privacy." That decision will be made by the national data protection authorities using a test to be provided by the European Commission. Notification of authorities has been required for several years, but the new regulation establishes specific details. Companies can be exempt from the requirements if they encrypt data.
-http://www.zdnet.com/data-breaches-telcos-and-isps-have-24-hours-to-come-clean-says-eu-7000017217/



US-CERT Issues Default Password Alert (June 24, 2013)
The US Computer Emergency Response Team (US-CERT) has issued an alert warning that "it is imperative to change default manufacturer passwords and restrict network access to critical and important systems." The alert notes that "critical infrastructure and other important embedded systems, appliances, and devices are of particular concern."
-http://www.darkreading.com/attacks-breaches/us-cert-warns-of-default-password-risks/240157218

-http://www.us-cert.gov/ncas/alerts/TA13-175A
[Editor's Note (Paller): US CERT issues alerts but there is no follow up. If it is critical, why isn't DHS providing a list of all the systems that have default passwords? The criminals already know. If DHS keeps the data secret, the manufacturers who put out insecure systems will keep right on doing it. Either this is critical or it is "make work" for the DHS contractors. Which is it? ]



*************************** Sponsored Links: ******************************
1) Free Gartner report on why magic quadrant leadership for NAC is crucial for your company. http://www.sans.org/info/133552

2) ALERT: 2013 Website Attack Report- Webinar: Top 10 Vulnerabilities- Data Correlated from Thousands of Websites. http://www.sans.org/info/133557
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Leaked Docs Reveal UK Intelligence Wiretaps Fiber Optic Cables, Shares Data with NSA (June 21, 2013)
Information leaked by former Booz Allen Hamilton contract employee Edward Snowden includes documents indicating that the UK's GCHQ has been tapping phone and Internet traffic traveling through fiber optic cables and has shared the collected data with the NSA. The wiretaps were allegedly conducted by placing intercepts on transatlantic undersea cables where they come to the surface in the UK. The tapping was conducted as a secret program known as Tempora. The companies that own and operate the cables cooperated with authorities. The Tempora program has been operational for at least 18 months. It allows GCHQ to store the data it siphons for up to 30 days. Analysts from both GCHQ and NSA sift through the data for relevant information.
-http://www.wired.com/threatlevel/2013/06/gchq-tapped-200-cables/
-http://arstechnica.com/tech-policy/2013/06/new-leaks-british-intels-direct-from-fiber-taps-worse-than-the-us/

-http://www.computerworld.com/s/article/9240254/British_intelligence_tapping_fiber_optic_cables_for_massive_amounts_of_data?taxonomyId=17

[Editor's Note (Pescatore): The ability of national governments to tap fiber optic cables is old news. That is almost never a threat that makes the top ten risk list for most enterprises - if it does, high speed network encryptors are a well proven solution. ]


NSA More Likely to Collect Encrypted and Other Secure Communications (June 20 & 21, 2013)
According to leaked information about US surveillance practices, people who encrypt their email, employ services like Tor, or use secure instant message services are at greater risk of having their communications collected and stored by the NSA. The documents state that surveillance must be halted once the subject is determined to be on US soil or to be a US citizen, although there are exceptions to this rule. If a subject's location cannot be determined, they are not considered to be a US citizen until evidence shows otherwise. The NSA can store "inadvertently" collected data for up to five years.
-http://www.theregister.co.uk/2013/06/21/nsa_spooks_can_pry_on_your_encrypted_emails/

-http://arstechnica.com/tech-policy/2013/06/use-of-tor-and-e-mail-crypto-could-increase-chances-that-nsa-keeps-your-data/

[Editor's Note (Shpantzer): Think of the game Hangman: You guess A, E, I, for vowels and then the popular consonants like L, N, R, S, etc. A mnemonic for the order of letter frequency is etaoin shrdlu
-http://en.wikipedia.org/wiki/Letter_frequency.
Normal unencrypted/uncompressed streams have this histogram. Encrypted histograms are basically flat. Now poke around here for a bit:
-https://www.google.com/search?q=detecting+encryption+entropy]
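Shpantzer's note above rests on the byte-frequency histogram: skewed for plaintext, flat for ciphertext. As an added illustration (not from the original newsletter), the Python below computes that histogram, the Shannon entropy and a chi-square flatness score for a constructed English sample and for a SHA-256 counter keystream standing in for ciphertext, then ranks the sample's letters to show the "etaoin shrdlu" skew.

```python
import hashlib
import math
from collections import Counter

# Constructed sample plaintext for the example; not text from the page.
SAMPLE_TEXT = (
    "The quick brown fox jumps over the lazy dog while the editors of the "
    "newsletter discuss whether encrypted traffic can be told apart from "
    "plain text by looking at nothing more than the distribution of bytes. "
    "Letters such as e, t, a, o, i and n dominate ordinary English prose, "
    "and that skew is exactly what a flat ciphertext histogram lacks."
).encode("ascii")


def sample_ciphertext(length: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter keystream.

    Hash output is close enough to uniform to reproduce the flat histogram
    the note describes without a real cipher or key (constructed input).
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def byte_histogram(data: bytes) -> list:
    """Occurrence count for each of the 256 possible byte values."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return hist


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 would be a perfectly flat distribution."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)


def chi_square_uniform(data: bytes) -> float:
    """Chi-square distance from a flat 256-bin histogram (larger = less flat).

    Uniform data scores near 255 (the degrees of freedom); text scores
    orders of magnitude higher because most bins are empty.
    """
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


def top_letters(data: bytes, n: int = 6) -> list:
    """Most frequent ASCII letters, case-folded, most common first."""
    letters = Counter(chr(b).lower() for b in data if b < 128 and chr(b).isalpha())
    return [ch for ch, _ in letters.most_common(n)]


def looks_encrypted(data: bytes, min_entropy: float = 7.5) -> bool:
    """Coarse classifier: high entropy means encrypted or compressed.

    Entropy alone cannot separate compression from encryption, so treat
    a positive as a cue to inspect the stream, not as a verdict.
    """
    return shannon_entropy(data) >= min_entropy
```

Run it on a captured flow of a few kilobytes and the two scores together give a quick sense of whether the bytes still carry the skew of natural text.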



Google Scanning Chrome Apps and Extensions Submitted to Chrome Web Store (June 24, 2013)
Google is now scanning apps and extensions submitted to the Chrome Web Store for malware. Google already performs this function in its Google Play Android Apps Store. Developers could experience short delays in uploads because of the scanning. Google calls the process "Enhanced Item Validation."
-https://plus.google.com/+GoogleChromeDevelopers/posts/3kpAu4VcP5E
-http://www.h-online.com/security/news/item/Google-to-scan-for-malicious-apps-in-Chrome-Web-Store-1895404.html

-http://www.infosecurity-magazine.com/view/33104/google-implements-chrome-app-scanning-for-g-developer-site/

[Editor's Note (Pescatore): That is a good thing. Short delays in app uploads is just like short delays in delivering email because of malware inspection - no one notices and the removal of malicious executables is a major benefit.
(Murray): Will not stop the spread of malware in the Android population but will give users a safer source and give Google some cover.
(Honan): I really wish companies would use plain language when describing security services. Hiding the fact a security check is being carried out on the app by using the term "Enhanced Item Validation" can undermine the importance of security and abstract it from the minds of developers. ]


Facebook Data Leak Repaired (June 21, 22, & 24, 2013)
A bug in Facebook's data archive exposed the email addresses and telephone numbers of six million of the social network's users. Facebook has fixed the problem. The issue lay in archives generated through the use of Facebook's Download Your Information tool. Users who had downloaded their profile data were able to view the phone numbers and email addresses of other members. Internet Storm Center:
-https://isc.sans.edu/diary/Facebook+Reports+a+Potential+Leak+of+User+Data/16043
-http://www.bbc.co.uk/news/technology-23027643
-http://arstechnica.com/security/2013/06/facebook-sqashes-bug-that-exposed-e-mail-addresses-for-6-million-users/

-http://www.cnn.com/2013/06/21/tech/social-media/facebook-contact-bug/index.html


LulzSec Hacker Released From Detention, Faces Tech Restrictions (June 24, 2013)
A 20-year-old who served detention in a "young offender" institution for activity related to his involvement with a hacker group known as LulzSec has been released but must abide by restrictions placed on his use of technology. Jake Davis served just over five weeks in detention. His original sentence was two years, but he wore an electronic monitoring device for 21 months prior to his sentencing. Davis is prohibited from being in contact with anyone associated with the Anonymous hacking group, of which LulzSec is an offshoot. He may not create encrypted files, nor may he securely wipe data or delete his Internet history.
-http://www.bbc.co.uk/news/technology-23029464


Australian Government Will Not Pursue Data Retention Plan for Now (June 24, 2013)
The Australian government has put on hold plans to establish a mandatory data retention plan for telecommunications companies. While law enforcement agencies have been pushing for the measure, the vast majority of public comments were from those opposed to the plan.
-http://www.zdnet.com/au/australian-government-shelves-data-retention-plans-7000017183/



Unsealed Court Orders Reveal Secret Warrants Used to Obtain Data on WikiLeaks Volunteer (June 21 & 22, 2013)
Recently released court records show that the US Justice Department used a secret search warrant to obtain the contents of former WikiLeaks volunteer Herbert Snorrason's entire Gmail account. Another recently revealed court order showed that the government demanded the account metadata of Smari McCarthy, who also has connections to WikiLeaks.
-http://arstechnica.com/tech-policy/2013/06/google-handed-over-years-of-e-mails-belonging-to-wikileaks-chatroom-admin/

-http://www.wired.com/threatlevel/2013/06/wikileaks-gmail/


UK ICO Gives Google Five Weeks to Purge Any Remaining Street View Data (June 21, 2013)
The UK Information Commissioner's office has given Google five weeks to delete any remaining data that were inadvertently collected while the company was gathering images for its Street View feature. If Google does not comply, criminal proceedings could be initiated for being in contempt of court. The issue was reopened in 2012 after Google acknowledged that it had "accidentally" retained some of the data it was to have destroyed in accordance with an earlier agreement. Google is also required to inform the ICO if it finds any additional personal data.
-http://www.bbc.co.uk/news/technology-23002166
-http://www.v3.co.uk/v3-uk/news/2276614/google-avoids-street-view-wifi-fine-from-ico-yet-again



Flaw in Backup Program Grants Root Access to LG Android Phones (June 25, 2013)
A security flaw in a pre-installed backup program on more than 40 LG Android phones allows root access to the devices. The vulnerability in the Sprite Backup program can be exploited by introducing a specially crafted file into backup. The problem has been reported to LG, Google, and Sprite Software. A fix is reportedly being developed.
-http://www.h-online.com/security/news/item/Backup-program-allows-root-access-to-LG-smartphones-1896506.html



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/