3 Days left to Save $400 on SANS DFIR Summit

SANS NewsBites - Volume: XV, Issue: 55


Update: The "Internet of Things" is causing major changes in security architectures, security processes and security responsibilities - and driving major changes in security markets. SANS is bringing together the community talent and ideas to explore the new risks, develop new solutions, demonstrate security technology that already works, and provide a force multiplier for making the Internet of Things more secure. Register now for the 2013 inaugural Securing the Internet of Things Summit - a top notch Summit priced to fit your training budget: http://www.sans.org/event/internet-of-things-summit

*************************************************************************
SANS NewsBites                     July 12, 2013                    Volume: XV, Issue: 55
*************************************************************************
TOP OF THE NEWS

  Microsoft Provided NSA More Help Than Previously Disclosed
  South Korea's Financial Regulator Imposes New Security Requirements on Banks
  Indian Government Can Now Intercept Consumers' BlackBerry Communications

THE REST OF THE WEEK'S NEWS

  Pirate Bay Founder Aims to Create Spy-Proof Messaging App
  Thomas-Rasset Turns Down RIAA's Offer to Become Anti-Piracy Advocate
  Yahoo Files Request to Disclose Secret Order to Prove it Fought Directives
  HP Will Patch Backdoor in StoreVirtual Products
  DefCon Asks Feds to Stay Home; Black Hat Welcomes NSA Director
  UK's Ministry of Defence Providing Scant Information About Reports of Data Theft
  Google Releases Patch for Android Signing Flaw
  Microsoft and Adobe Release Security Updates
  US Commerce Department Agency Destroys Technology and Spends Millions to Rid Systems of Imaginary Malware


*********************** SPONSORED Trend Micro Inc. ********************
Alert: Read this report from Trend Micro Forward Threat Researcher, Kyle Wilhoit, titled, "Who's Really Attacking Your ICS Equipment?". In-depth report of ongoing research into ICS/SCADA attacks from across the globe. Learn about who's attacking, what attacks they're perpetrating, and how you can protect your critical infrastructure.
http://www.sans.org/info/134887
***************************************************************************
TRAINING UPDATE

-- Industrial Control System (ICS) Security Training: In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.


--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc


-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013


-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013


-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013


-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013


-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
http://www.sans.org/event/sans-capital-city-2013


-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
http://www.sans.org/event/network-security-2013


-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013


-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling.
http://www.sans.org/event/mumbai-2013


-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-- Looking for training in your own community?
http://www.sans.org/community/


-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Bangkok and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Microsoft Provided NSA More Help Than Previously Disclosed (July 11, 2013)
Relying on NSA documents provided by Edward Snowden, the Guardian reported that Microsoft recently worked with the FBI to help the NSA get around encryption on Microsoft services, such as online chats on Outlook.com, and to monitor conversations on the company's Skype service. The newspaper also said that Microsoft worked recently with the FBI to streamline the way the NSA can access users' files on SkyDrive, Microsoft's online document storage service, when Microsoft is required to provide that information for foreign-intelligence purposes. Microsoft said it does not provide governments with blanket or direct access to Microsoft services.
-http://blogs.wsj.com/digits/2013/07/11/guardian-says-documents-show-microsoft-help-for-nsa/?mod=WSJBlog&mod=



South Korea's Financial Regulator Imposes New Security Requirements on Banks (July 11, 2013)
In the wake of serious attacks on South Korean banks' networks, the country's Financial Services Commission (FSC) plans to require large banks to separate their networks into two sections - one for internal use and one for external use. FSC also wants to establish a center for backup storage.
-http://www.zdnet.com/s-korea-banks-to-segment-network-establish-data-backup-7000017927/

[Editor's Note (Murray): In the modern environment all large enterprises, not just banks, should be moving to end-to-end encryption terminating on the application, not the network, not the OS, for both internal and external applications. In a world in which even the NSA assumes that some of its systems are already compromised, mere network segmentation or layering is inadequate. ]


Indian Government Can Now Intercept Consumers' BlackBerry Communications (July 11, 2013)
BlackBerry has come to an arrangement with the Indian government to allow "lawful interception" of communications in real time. The system allows the Indian government to track consumers' communications sent to or from any BlackBerry device, regardless of whether the message has been delivered or read. The system does not include corporate email messages sent over BlackBerry Enterprise Server. News of the arrangement has raised questions among analysts about whether the Indian government will now turn its attention to Apple, whose iMessage and FaceTime services use end-to-end encryption.
-http://www.zdnet.com/in/indias-blackberry-monitoring-system-ready-for-use-7000017937/

-http://www.bbc.co.uk/news/technology-23265091
[Editor's Note (Pescatore): Despite periodic hand-wringing, lawful intercept by law enforcement and intelligence agencies is something that just about every society has decided is necessary. What varies is the definition of "lawful" and the controls and safeguards around such interception. Technology, like the move from analog to digital 20 years ago or more widespread use of encryption, doesn't change the societal need for well-run and truly "lawful" monitoring of communications.
(Murray): Those who would rely upon encryption to protect themselves from the state would do well to re-read Phil Zimmermann's wonderful paper, published with the first PGP, on its limitations. ]



*************************** Sponsored Links: ******************************
1) Securing Help Desks: A SANS Survey, Tuesday July 16 at 1 PM EDT http://www.sans.org/info/134892

2) Digital Forensics in Modern Times: A SANS Survey, Thursday, July 18, 1 PM EDT http://www.sans.org/info/134897
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Pirate Bay Founder Aims to Create Spy-Proof Messaging App (July 9 & 10, 2013)
Pirate Bay founder Peter Sunde is working with app developers to create a mobile messaging application that uses end-to-end encryption, which means that only the sender and the recipient will be able to read messages. Sunde says there will not be ads on the app and that it will not sell user data to advertisers. The funding will come solely from users, who will have to pay extra to use certain features, such as sending images.
-http://news.cnet.com/8301-1009_3-57592992-83/pirate-bay-founder-creating-surveillance-free-messaging-app/

-http://www.computerworld.com/s/article/9240686/Pirate_Bay_founder_working_on_spy_proof_text_messaging_app?taxonomyId=17



Thomas-Rasset Turns Down RIAA's Offer to Become Anti-Piracy Advocate (July 11, 2013)
Jammie Thomas-Rasset is not interested in offers from the Recording Industry Association of America (RIAA) that would have her making anti-piracy statements in exchange for the organization accepting less than the US $222,000 verdict. The RIAA has not specified how much it would reduce the penalty. Thomas-Rasset has been challenging the RIAA's lawsuit for more than seven years; earlier this year, the US Supreme Court let the US $222,000 verdict stand.
-http://www.wired.com/threatlevel/2013/07/riaa-asks-infamous-file-sharer/


Yahoo Files Request to Disclose Secret Order to Prove it Fought Directives (July 11, 2013)
Yahoo has filed a motion seeking the release of a 2008 secret order and associated documents that will demonstrate that the company "objected strenuously" to the government's directives. Yahoo says it objected at every stage but each time, their objections were overruled. As do other service providers, Yahoo publishes ranges of requests for user data made by the US government. During the first six months of 2013, Yahoo received between 12,000 and 13,000 such requests. Providers are not permitted to disclose what percentage of those requests was made under the Foreign Intelligence Surveillance Act (FISA).
-http://www.computerworld.com/s/article/9240710/Yahoo_says_release_of_secret_FISA_court_order_will_prove_it_resisted_directives?taxonomyId=17



HP Will Patch Backdoor in StoreVirtual Products (July 11, 2013)
Hewlett-Packard (HP) says it will release a patch for an undocumented administrative account in some of its products. The fix will be available on or before Wednesday, July 17. The backdoor has existed in HP StoreVirtual products since 2009. HP admits that "this vulnerability could be remotely exploited to gain unauthorized access to the device."
-http://www.theregister.co.uk/2013/07/11/hp_prepping_fix_for_latest_storage_vuln/


DefCon Asks Feds to Stay Home; Black Hat Welcomes NSA Director (July 11, 2013)
Last year, NSA director General Keith Alexander gave the keynote address at DefCon. This year, DefCon organizers have asked feds not to attend the conference, scheduled for the beginning of August in Las Vegas. Although feds have been welcomed at past conferences, "recent revelations have made many in the community uncomfortable about this relationship," according to a blog post from Jeff Moss. He goes on to say that the "'time-out' ... will give everybody time to think about how we got here, and what comes next." This year, General Alexander will be giving the keynote address at the Black Hat USA conference, which takes place at the same time.
-http://krebsonsecurity.com/2013/07/def-con-to-feds-stay-home-this-year/
-http://arstechnica.com/security/2013/07/for-first-time-ever-feds-asked-to-sit-out-defcon-hacker-conference/

-http://www.bbc.co.uk/news/technology-23269125
-http://arstechnica.com/security/2013/07/as-defcon-asks-feds-to-take-time-out-black-hat-welcomes-nsa-chief/



UK's Ministry of Defence Providing Scant Information About Reports of Data Theft (July 10 & 11, 2013)
The UK Ministry of Defence (MOD) is being tight-lipped about reports that it has been the victim of cyberespionage. News of the attack came in a report from the Intelligence and Security Committee as it briefed Parliament earlier this week. MOD will not say when the attack occurred, nor how much and what type of information was stolen. The report noted that hackers targeted more than 200 government email accounts in attempts to gain access to classified or confidential data. The attacks affected accounts across 30 departments.
-http://www.zdnet.com/u-k-ministry-of-defence-hit-by-cyberattack-data-stolen-7000017831/

-http://www.v3.co.uk/v3-uk/news/2280640/mod-silent-on-cyber-attack-that-stole-data-from-its-systems



Google Releases Patch for Android Signing Flaw (July 9 & 10, 2013)
Google has released a patch to protect Android devices from attacks on a flaw that affects nearly every version of the operating system. Google has released the patch to device manufacturers, who are then responsible for rolling out product-specific fixes. The patch comes just as proof-of-concept exploit code for the flaw was released. Hackers could exploit the vulnerability to alter trusted apps on Android devices so they become Trojan horse programs. The exploit involves "manipulat[ing] the files within the APK format packages without the operating system being able to detect that the APK package has been tampered with."
-http://arstechnica.com/security/2013/07/google-patches-critical-android-threat-as-working-exploit-is-unleashed/

-http://www.zdnet.com/proof-of-concept-for-android-flaw-found-patches-start-rolling-out-7000017859/

-http://www.v3.co.uk/v3-uk/news/2280406/google-plugs-master-key-security-flaw-afflicting-99-percent-of-android-users

-http://www.h-online.com/security/news/item/Exploit-for-Android-signing-hole-published-1914228.html

-http://www.computerworld.com/s/article/9240645/Proof_of_concept_exploit_available_for_Android_app_signature_check_vulnerability?taxonomyId=17

-http://www.scmagazine.com//android-flaw-allows-hijack-of-any-app-to-go-unnoticed/article/302497/

[Editor's Note (Pescatore): Nice piece by Paul Roberts pointing out how the patching of Android vulnerabilities is complicated/slowed by the fragmentation of Android versions, and the complex mix of phone manufacturers and carriers that offer different types of Android-based phones and tablets.
-http://www.itworld.com/security/364589/android-app-signing-flaw-underscores-patch-paralysis ]
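The item above quotes only the effect of the flaw. It was publicly documented at the time as an APK (which is an ordinary ZIP archive) carrying two entries with the same name, so that the component verifying the signature and the component installing the code could read different copies. The Python below is an added defensive example, not code from the newsletter, from Google or from any of the cited researchers: it builds a constructed toy APK, flags duplicate entry names in the central directory, and returns every variant of a duplicated entry so a reviewer can see that two consumers picking "the" entry by name may get different bytes. The function names, the sample contents and the entry names are my own assumptions; a real APK scanner would run this check before any signature verification.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample: a minimal "APK" with (optionally) two entries sharing
# one name. A real APK also carries META-INF/ signature files; this toy only
# needs the duplicate-name property that the check is looking for.
def build_sample_apk(duplicate: bool) -> bytes:
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" when writing a second entry with the
        # same name; that is exactly the condition we want to construct here.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", "<manifest package='example.app'/>")
            zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00REPLACED")
    return buf.getvalue()

def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once
    in the archive's central directory. A well-formed APK has none."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}

def entry_variants(apk_bytes: bytes, name: str) -> list:
    """Return the content of every entry carrying `name`, in archive order.
    If this list holds more than one distinct value, two consumers that each
    resolve `name` to a single entry can end up processing different bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]

def is_suspicious(apk_bytes: bytes) -> bool:
    """Policy used by this example: any duplicated entry name is a reject."""
    return bool(find_duplicate_entries(apk_bytes))

if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)),
                          ("duplicated", build_sample_apk(True))):
        dups = find_duplicate_entries(sample)
        print(f"{label}: duplicates={dups} suspicious={is_suspicious(sample)}")
        for name in dups:
            for i, content in enumerate(entry_variants(sample, name)):
                print(f"  {name} copy {i}: {content!r}")
```

Note that Python's own `ZipFile.read("classes.dex")` silently resolves the name to the last entry, which is the same kind of name-to-entry ambiguity that made the Android flaw possible; iterating `infolist()` is what exposes every copy.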



Microsoft and Adobe Release Security Updates (July 9 & 10, 2013)
On Tuesday, July 9, Microsoft released seven security bulletins to address a total of 34 vulnerabilities. Six of those bulletins are rated critical, an unusually high number of critical bulletins for a single month. Three of the six bulletins address a font-rendering issue in the company's software. Microsoft has also issued a fix for a flaw in the Windows kernel that has been exploited in limited, targeted attacks. In separate news, Microsoft announced that developers who sell their apps through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace will have 180 days to fix critical and important vulnerabilities in those apps. The 180-day window starts from the date the Microsoft Security Response Center notified the developer of the flaw. Apps that do not meet the deadline will be pulled from the stores. In cases where a public exploit for one of the flaws becomes available, Microsoft reserved the right to take the app down from the stores quickly. July 9 also marked Adobe's release of fixes for flaws in Flash and Shockwave. The Flash update addresses at least three critical flaws. The Shockwave update addresses at least one critical flaw.
Internet Storm Center:
-http://isc.sans.edu/diary/Adobe+July+2013+Black+Tuesday+Overview/16129
-http://isc.sans.edu/diary/Microsoft+July+2013+Black+Tuesday+Overview/16126
Microsoft Bulletins:
-https://technet.microsoft.com/en-us/security/bulletin/ms13-jul
Flash Update:
-http://www.adobe.com/support/security/bulletins/apsb13-17.html
Shockwave Update:
-http://krebsonsecurity.com/2013/07/adobe-microsoft-release-critical-updates/
-http://www.computerworld.com/s/article/9240668/Patch_Tuesday_release_handles_malicious_fonts_in_Microsoft_Windows?taxonomyId=17

-http://www.scmagazine.com//microsoft-administers-fixes-for-34-vulnerabilities-on-patch-tuesday/article/302324/

-http://www.h-online.com/security/news/item/July-s-Patch-Tuesday-fixes-Windows-privilege-system-1914459.html

-http://www.theregister.co.uk/2013/07/10/fix_everything_patch_tuesday/
-http://www.h-online.com/security/news/item/Adobe-fixes-Flash-Player-Shockwave-and-ColdFusion-1914832.html

180-Day App Patch Deadline:
-http://www.scmagazine.com//microsoft-invokes-six-month-deadline-to-replace-vulnerable-mobile-apps/article/302321/

-http://www.computerworld.com/s/article/9240670/Microsoft_gives_Windows_app_developers_180_days_to_patch_or_else?taxonomyId=17



US Commerce Department Agency Destroys Technology and Spends Millions to Rid Systems of Imaginary Malware (July 8 & 9, 2013)
In 2012, federal officials at the US Commerce Department's Economic Development Administration (EDA) isolated its systems and physically destroyed US $170,000 worth of equipment to get rid of a malware infection. However, a report from the Department of Commerce's Office of Inspector General "found neither evidence of a widespread malware infection nor support for EDA's decision to isolate its IT systems." In late 2011, the US Department of Homeland Security (DHS) notified the Commerce Department that anomalous activity had been detected in its systems. The infection appeared to be on a system in a building shared by EDA and the National Oceanic and Atmospheric Administration (NOAA). Due to miscommunication and/or an unqualified IT person, EDA spent more than US $2.5 million on an investigation, temporary infrastructure, and development of a long-term recovery plan. In contrast, NOAA addressed its malware issue within a matter of weeks.
-http://www.theverge.com/2013/7/8/4503946/commerce-department-unnecessary-cybersecurity-computer-destruction

-http://www.nextgov.com/cio-briefing/2013/07/commerce-trashes-170000-worth-tech-disinfect-imaginary-viruses/66248/?oref=ng-channelriver

-http://money.cnn.com/2013/07/09/technology/security/commerce-malware/index.html
-http://www.zdnet.com/how-a-paranoid-us-dept-took-a-2-7m-wrecking-ball-to-its-own-it-systems-7000017868/

-http://www.h-online.com/security/news/item/US-government-agency-destroys-hardware-to-clear-malware-1914296.html

IG's Audit Report:
-http://www.oig.doc.gov/OIGPublications/OIG-13-027-A.pdf
[Editor's Note (Pescatore): the OIG report shows there is a lot of blame to go around here: The Department of Commerce CIRT originally mistakenly identified 143 compromised components on EDA's network vs. what was later determined to only be 2. Then "APT Hysteria" kicked in at EDA, with simple malware being identified as "nation state" originated that could possibly embed itself in firmware. Serious mistakes in the Incident Response processes at DoC and EDA turned a simple malware incident into a self-inflicted denial of service attack that caused EDA to spend 50% of its entire IT budget on this one incident! ]


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/