SANS NewsBites - Volume: XV, Issue: 74

*************************************************************************
SANS NewsBites                     September 17, 2013                    Volume: XV, Issue: 74
*************************************************************************
TOP OF THE NEWS

  Foreign Intelligence Surveillance Court Orders Patriot Act Opinions Declassified
  Pentagon Beefing Up Cyber Defense
  US Health Agency Inspector General Chastised for Failing to Review Insurance Marketplace Website Security
  FBI Took Control of Freedom Hosting

THE REST OF THE WEEK'S NEWS

  Netflix Monitors Piracy Sites to Determine Content to Buy
  AT&T Issues Piracy Warning to Customers
  London Police Arrest 12 in Connection with Attempted Bank Cybertheft
  Argentine Police Arrest Man In Connection with Online Fraud and Theft
  Belgium Investigating Possible Cyberespionage on Belgacom Systems
  Microsoft Reissues Problematic Updates


*************************************************************************

TOP OF THE NEWS

Foreign Intelligence Surveillance Court Orders Patriot Act Opinions Declassified (September 13, 2013)
The US Foreign Intelligence Surveillance Court (FISC) says it will release some of the legal opinions justifying the government's wholesale collection of phone data. The FISC has ordered the US government to start declassifying some of its opinions regarding the Patriot Act. The documents will be revealed as a result of a lawsuit brought by the ACLU.
-http://arstechnica.com/tech-policy/2013/09/top-intelligence-court-will-reveal-some-of-its-secret-legal-opinions/

-http://www.wired.com/threatlevel/2013/09/secret-spy-court/
-http://www.computerworld.com/s/article/9242395/Surveillance_court_orders_transparency_review_of_its_NSA_opinions?taxonomyId=17

FISC Order:
-http://www.uscourts.gov/uscourts/courts/fisc/misc-13-02-order-130813.pdf


Pentagon Beefing Up Cyber Defense (September 15, 2013)
The Pentagon is taking steps to beef up its cyber defense capabilities in the light of some dire predictions about attacks on the country's power grid, financial infrastructure, and water supplies. CyberCity, a US military cyberwar simulator, came into being because defense officials wanted to sharpen troops' offensive cyber skills as well as their ability to defend against such attacks. Some point out that current threats tend to focus on denial of service, and that kinetic attacks are "incredibly difficult" and "really unlikely." But former NSA director Michael Hayden, alluding to Stuxnet, noted, "Somebody just used a new weapon. And this weapon will not be put back into the box."
-http://www.csmonitor.com/USA/Military/2013/0915/Cyber-security-The-new-arms-race-for-a-new-front-line



US Health Agency Inspector General Chastised for Failing to Review Insurance Marketplace Website Security (September 11 & 16, 2013)
In a congressional hearing last week, legislators and the former commissioner of the Social Security Administration took the US Department of Health and Human Services (HHS) inspector general (IG) to task for not testing the system's vulnerability to attacks. The IG said the office would not review security plans for the online health insurance marketplace that is scheduled to launch on October 1. The system is being designed to communicate with multiple state and federal agencies that maintain the data necessary to process insurance exchange applications. The Centers for Medicare and Medicaid Services (CMS) issued a fact sheet prior to the hearing that said the data hub will have strong security measures in place and that it will not store any personally identifiable information.
-http://www.nextgov.com/cybersecurity/2013/09/health-agency-watchdog-doesnt-have-time-vet-obamacare-cyber-designs/70352/?oref=ng-HPtopstory

-http://thehill.com/blogs/healthwatch/health-reform-implementation/321605-hhs-defends-security-of-obamacare-data-hub



FBI Took Control of Freedom Hosting (September 13 & 16, 2013)
The FBI has acknowledged that it took control of Freedom Hosting earlier this year, shortly before Tor servers were discovered to be serving malware that would identify users. In early August, all sites hosted by Freedom Hosting began serving an error message with embedded code. Upon analysis, the code was determined to exploit a vulnerability in Firefox to identify Tor Browser Bundle users. The information was sent back to a server in Northern Virginia. The information was revealed in the testimony of an FBI agent regarding the arrest of Eric Eoin Marques, who is facing extradition to the US to face charges of distributing child pornography.
-http://arstechnica.com/tech-policy/2013/09/fbi-admits-what-we-all-suspected-it-compromised-freedom-hostings-tor-servers/

-http://www.scmagazine.com/fbi-takeover-of-tor-server-leads-to-arrest/article/311880/

-http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/



*************************************************************************

THE REST OF THE WEEK'S NEWS

Netflix Monitors Piracy Sites to Determine Content to Buy (September 16, 2013)
Netflix acknowledged that it tracks activity on known piracy websites to help it decide which movies and television programs to purchase for its online streaming service. Some others in the industry have noted that there can be an upside to piracy. According to the creator of "Breaking Bad," piracy helped keep the show alive. Initial broadcasts of the show garnered few viewers, but once circulated through piracy, the show gained a following. A Time Warner executive suggested that the same is true of the "Game of Thrones" series.
-http://www.bbc.co.uk/news/technology-24108673
[Editor's Note (Murray): One learned something about the quality of automobiles from the reports of those most stolen. One would hardly describe that as "an upside" to auto theft. This is not a game.
(Northcutt): This is an interesting problem every publisher faces. When people will not pay for content, yet it is still popular for free, the only choice is advertising. Not a new problem by any means. My guess is they will increase product placement (embedded advertising), during the show the protagonist drinks a Budweiser, and the camera clearly picks it up. ]


AT&T Issues Piracy Warning to Customers (September 13, 2013)
AT&T is warning its customers that if they are found to be engaging in Internet piracy, their Internet access could be severed. The warning, which came in the form of a letter, is part of the company's implementation of the so-called "six strikes" anti-piracy policy. The letter says the illegal activity "could result in mitigation measures including limitation of Internet access or even suspension or termination." Several years ago, AT&T reportedly said it would terminate users' accounts only upon receipt of a court order.
-http://arstechnica.com/tech-policy/2013/09/att-shakes-its-banhammer-at-would-be-pirates/



London Police Arrest 12 in Connection with Attempted Bank Cybertheft (September 13 & 16, 2013)
The Metropolitan Police in London (UK) have arrested a dozen people in connection with an attempted cyberheist from a London branch of Banco Santander. Four of the suspects have been charged. An individual posing as a third-party maintenance engineer attempted to attach a keyboard-video-mouse (KVM) switch to a terminal at a branch of the bank. The bank worked with the police to stop the would-be thieves before they were able to launch their attack. Had the attempt succeeded, the attackers would have been able to see everything on the targeted desktop computer and to take remote control of it.
-http://www.v3.co.uk/v3-uk/news/2294784/santander-cyber-bank-robbers-arrested-by-met-police-after-plot-to-hack-surray-quays-branch

-http://washpost.bloomberg.com/Story?docId=1376-MT23F96JIJV201-06MM9H1AOSOGNEMEBEJHMB82B2

-http://www.seacoastonline.com/articles/20130916-BIZ-309160306


Argentine Police Arrest Man In Connection with Online Fraud and Theft (September 13 & 16, 2013)
Police in Argentina have arrested a man who is believed to be responsible for stealing money from gambling and international funds transfer websites. The young man's schemes were reportedly bringing in at least US $50,000 a month. He would allegedly launch distributed denial-of-service (DDoS) attacks against his targets to distract them from the theft of funds. To prevent destruction of evidence, authorities shut off the power to the 19-year-old's neighborhood during the arrest.
-http://www.v3.co.uk/v3-uk/news/2294837/police-arrest-teenage-hacker-behind-usd50-000-per-month-cyber-ring

-http://www.telegraph.co.uk/news/worldnews/southamerica/argentina/10309027/Argentinian-super-hacker-arrested-over-online-scams.html

-http://www.bbc.co.uk/news/world-latin-america-24089050


Belgium Investigating Possible Cyberespionage on Belgacom Systems (September 16, 2013)
Belgian telecommunications company Belgacom has taken steps to secure its systems after an attempted intrusion into its networks. Belgacom has hired an outside company to conduct a security sweep of its systems. According to Belgian paper De Standaard, the attack was launched by a foreign state and had been ongoing for several years. The country's Prime Minister issued a statement in which he noted, "The goal of the intrusion wasn't sabotage, but collection of strategic data." The Belgian government is investigating.
-http://www.zdnet.com/belgacom-clears-up-after-hack-attempt-7000020726/
-http://arstechnica.com/tech-policy/2013/09/major-belgian-telco-targeted-by-a-foreign-state-brussels-says/

-http://www.reuters.com/article/2013/09/16/us-usa-security-belgium-idUSBRE98F0A320130916



Microsoft Reissues Problematic Updates (September 13, 14, & 15, 2013)
Microsoft has reissued several security updates to address a detection problem. The updates, which were part of a batch released on Tuesday, September 10, were not able to detect whether or not they had already been installed on users' computers and continued to offer themselves to install. Customers also reported that some of the updates were not offered through Windows Server Update Services or System Center Configuration Manager. Microsoft has released new versions of the affected updates to fix these problems.
-http://www.theregister.co.uk/2013/09/13/microsoft_reissues_september_patches_after_user_complaints/

-http://www.zdnet.com/microsoft-fixes-bad-patch-detection-7000020676/
-http://www.computerworld.com/s/article/9242408/Microsoft_updates_display_worrisome_decline_in_quality?taxonomyId=17



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/