SANS NewsBites - Volume: XV, Issue: 78


The most promising game changer in cyber defense was launched last month when the U.S. Department of Homeland Security and GSA announced the initial funding of more than $150 million to make it essentially free for Federal agencies to implement state of the art continuous monitoring of the most critical security controls. Their first awards were not caught up in the shutdown and will be announced in a few days. Ultimately this will involve billions of dollars as state and local agencies use the same contracts. As importantly, it will transform the landscape in cybersecurity tools - as critical infrastructure and other corporations take advantage of the lessons learned on how to prioritize cybersecurity expenditures and how to stop wasting so much money on high-priced, low-impact tools. On November 6, Tony Sager who led NSA's cyber defense programs and John Pescatore who built Gartner's cybersecurity programs will provide in-depth assessment of the impact and how to take advantage of it, and will bring together the senior government officials who shaped the program. At the same program they will host panels of the most promising tools for each critical control so you can have a clearer picture of which makes sense for your organization. You may attend in person or via simulcast. Federal government employees are free. Contractors and vendors pay a fee. Register for in person attendance at (http://www.sans.org/event/sans-dhs-cdm-award-workshop) or via simulcast at (https://www.sans.org/webcasts/dhs-cdm-award-workshop-97170).

Alan

PS Once again, Tech Corner is at the end of the issue with a couple of very interesting discoveries.

*************************************************************************
SANS NewsBites                     October 01, 2013                    Volume: XV, Issue: 78
*************************************************************************
TOP OF THE NEWS

  UK's Ministry of Defence Plans to Recruit Hundreds for Joint Cyber Reserve Unit
  Long Overdue Change In Qualifications for NSA/DHS Centers of Academic Excellence
  Internet Explorer Flaw Actively Exploited

THE REST OF THE WEEK'S NEWS

  Fort Disco Malware Now Taking Aim at eMail and FTP Servers
  ZeroAccess Botnet Avoids Takedown
  Judge Says Government Must Declassify More NSA Documents
  Microsoft Releases Data on Government Requests for Information
  Copyright Attorney Suing Record Label Over Automated Takedown Notice
  French Data Protection Agency May Fine Google for Privacy Violations
  Spanish Police Arrest Cybercrime Masterminds
  UK Police Arrested Teen in Connection with Spamhaus DDoS
  Google Will Send All Searches Over SSL
  Recent Attacks on US Navy Network Blamed on Iran

STORM CENTER TECH CORNER

  Stories discussed as part of our Internet Storm Center diaries


******************** Sponsored By WhiteHat Security *********************
ALERT: Website Attack Report-Top Web Exploits Correlated from Thousands of Websites WhiteHat's Website Security Statistics Report (13th EDT) provides a unique perspective on the state of website security and the issues that organizations must address to avert attack. In addition to highlighting the Top 10 vulnerabilities and new attack vectors, this year's report correlates vulnerability data from tens of thousands of websites. Watch this on demand webinar to learn about the results from this years report http://www.sans.org/info/140250
***************************************************************************
TRAINING UPDATE


- --Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure.
http://www.sans.org/event/internet-of-things-summit


- --Health Care Cyber Security Summit (October 17-24, 2013) San Francisco, CA Meet leaders from the top health care organizations and see what really works in securing and succeeding in the new health care environment - balance security, compliance, and innovation.
http://www.sans.org/event/healthcare-summit


- --SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
http://www.sans.org/event/seattle-2013


- --SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
http://www.sans.org/event/baltimore-2013


- --SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


- --SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
http://www.sans.org/event/forensics-prague-2013


- --SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Tokyo, Ft. Lauderdale, Sydney, and San Diego all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************

TOP OF THE NEWS

UK's Ministry of Defence Plans to Recruit Hundreds for Joint Cyber Reserve Unit (September 29 & 30, 2013)
Defence Secretary Philip Hammond said that the UK's Ministry of Defence (MoD) is aiming to recruit hundreds of IT experts to serve as cyber reservists. Last year, UK cyber defense workers blocked 400,000 sophisticated cyber threats against government systems. The reservists will work along with regular IT specialists in the Joint Cyber Reserve Unit, which will have the task of protecting critical networks and data. MoD has budgeted GBP 500 million (US $810 million) for the program.
-http://news.cnet.com/8301-1009_3-57605262-83/uk-gears-up-for-cyberwarfare-offensives/

-http://www.theregister.co.uk/2013/09/30/uk_cyber_reserve_force/
-http://www.bbc.co.uk/news/uk-24321717
[Editor's Note (Henry): More and more governments are applying their personnel capabilities, both active-duty and reserves, against the national security network threat. This will ultimately result in more and better trained resources for the commercial sector. While I see this as an important and necessary application of resources...one of the government's primary roles is to protect its citizens...I'd like to see these increased resources result in a greater sharing of actionable intelligence with the private sector so they can better protect themselves. ]


Long Overdue Change In Qualifications for NSA/DHS Centers of Academic Excellence (Sept. 30, 2013)
The National Security Agency has raised the standards for acceptance into the Information Assurance Center of Academic Excellence (CAE) program, and all 200 schools that were accepted under the old standards will need to requalify. "I definitely see this as a long-overdue change," says Victor Piotrowski, who in his role at the National Science Foundation helps oversee millions of dollars in annual spending on postsecondary cybersecurity education and work-force development. "The step is in the right direction, but the big question is, is it going to be executed effectively? We will see in a couple of years how it works out." The CAE program is a marketing boon to colleges, but hiring managers in federal agencies report that few of the CAE colleges are producing graduates with the advanced technical skills needed by the nation and envisioned for the program. Graduates without those advanced technical skills face a bleak job market and are questioning the value of the large loans they took out to pay for the soft, survey- and policy-oriented courses they were given.
-http://chronicle.com/article/Federal-Agencies-Revamp/141953/


Internet Explorer Flaw Actively Exploited (September 27, 2013)
Code that exploits an unpatched vulnerability in Internet Explorer (IE) is becoming widely distributed. The flaw affects all versions of IE and has been exploited in targeted attacks on systems in Taiwan since July. Microsoft has acknowledged the issue, releasing a security advisory and a workaround to help users protect their systems until a patch is available.
-http://www.computerworld.com/s/article/9242768/IE_zero_day_vulnerability_exploited_more_widely_than_previously_thought?taxonomyId=17

-http://www.zdnet.com/ie-zero-day-actively-being-exploited-in-the-wild-rapid7-7000021249/

-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

[Editor's Note (Pescatore): These manual workarounds are hugely disruptive and expensive. It is like telling delivery truck drivers to stop every few miles and wrap their tires in duct tape until someone figures out why the tires keep leaking.
(Murray): While the vulnerability is global, attacks have been focused on targets in Japan. Risk-averse readers may want to test the work-around. However, deploying it at this time is likely to be more expensive than tolerating the risk for the window of time until a patch becomes available. ]



*************************** Sponsored Links: ******************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/140260

2) Do you know what's running on your endpoint? Join us for a live webinar "Cracking the Endpoint: Inside the Head of a Hacker." Register Today! http://www.sans.org/info/140265

3) Securing the Internet of Things Summit (October 17-22, 2013) San Francisco, CA The Internet of Things summit focuses on new solutions, demonstrates security technology that already works and provides a force multiplier to make the Internet of Things more secure. http://www.sans.org/info/140270
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Fort Disco Malware Now Taking Aim at eMail and FTP Servers (September 30, 2013)
Malware known as Fort Disco was designed to launch brute force password attacks against websites built on widely used content management systems like WordPress and Joomla. Now the malware has started to be seen in attacks on email and FTP (file transfer protocol) servers.
-http://www.computerworld.com/s/article/9242829/Fort_Disco_malware_is_now_targeting_email_and_FTP_servers?taxonomyId=17



ZeroAccess Botnet Avoids Takedown (September 30, 2013)
The ZeroAccess botnet earns its operators US $700,000 annually in fraudulent advertising revenue. At its peak, ZeroAccess had an estimated 1.9 million computers under its control, which it used to generate fraudulent advertising clicks and commandeer the machines' processing power to "mine" bitcoins. Security firm Symantec attempted a sinkhole takedown by gaining control of the botnet's command and control mechanism, but ZeroAccess uses a peer-to-peer (P2P) architecture that acts as a sort of immunization against such takedown attempts. Symantec found a weakness in the P2P updating design, but the botmasters updated ZeroAccess to address it. Symantec was able to sinkhole the machines that had not yet been updated, reducing the botnet's size by roughly 45 percent.
-http://arstechnica.com/security/2013/09/blood-sucking-botnet-narrowly-escapes-extermination-lives-to-leech-again/

[Editor's Note (Pescatore): Disrupting botnets is an area where ISPs could be playing a much larger, more proactive role. The natural market economics just don't tilt that way, however - this might be an area where government incentives, vs. more frameworks, could make a difference. ]


Judge Says Government Must Declassify More NSA Documents (September 27 & 29, 2013)
The Electronic Frontier Foundation (EFF) has announced that a federal judge has ordered the US government to declassify additional NSA-related documents by December 20, 2013. The ruling was made in a lawsuit, Jewel v. NSA, which was initiated in 2008.
-http://arstechnica.com/tech-policy/2013/09/us-government-given-december-deadline-to-unseal-more-nsa-documents/

-https://www.eff.org/deeplinks/2013/09/after-nsa-court-hearing-government-must-unseal-documents-december-20



Microsoft Releases Data on Government Requests for Information (September 27, 2013)
Microsoft's most recent Law Enforcement Requests Report details the number of requests for information it received from governments worldwide in the first half of 2013. Based on that number - 37,196 - Microsoft looks to be on track to receive roughly the same number of requests it did in 2012, when it received just over 75,000 requests. The report breaks down the requests by country, and indicates the company's response to the requests. Microsoft provided non-content user data for 77 percent of the requests, while it provided customer content for 817, or 2.2 percent, of requests. The US government made 7,014 requests affecting 18,809 accounts. The report does not provide information about US national security requests.
-http://www.computerworld.com/s/article/9242783/Microsoft_gets_37_000_requests_for_user_data_in_first_half_of_year?taxonomyId=17

-http://www.zdnet.com/microsoft-reports-on-governments-user-data-requests-7000021287/

-http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/



Copyright Attorney Suing Record Label Over Automated Takedown Notice (September 27, 2013)
Harvard Law School professor Lawrence Lessig is suing an Australian record label that attempted to sue him for copyright infringement. The matter involves a lecture given by Lessig that is available on YouTube. The lecture is in fact about the need for copyright law to be adjusted for the Internet. In the lecture, Lessig uses a clip from a song to which the Australian record label holds the rights. The company backed down after Lessig invoked the fair use legal doctrine. Lessig then sued the company for initiating a bad-faith lawsuit. Lessig filed the suit because he believes music labels should stop depending on automated systems to detect possible infringements and send takedown notices.
-http://www.npr.org/blogs/alltechconsidered/2013/09/27/226834651/record-label-picks-a-fight-over-copyright-with-the-wrong-guy



French Data Protection Agency May Fine Google for Privacy Violations (September 27, 2013)
France's data protection agency, CNIL, plans to fine Google for failing to comply with that country's privacy requirements. Google was warned of the fines in June; the company was given three months to amend its privacy policy to clarify its collection and use of user data. The issue centered on Google's decision to combine 60 services under a unified policy that allows the company to merge data from its different products, such as Gmail, YouTube, and Google+. The concern is that some users may not want their data connected in this way. Google maintains that its current privacy policy respects EU privacy laws.
-http://www.washingtonpost.com/business/technology/french-data-protection-agency-google-missed-deadline-to-change-its-privacy-policy/2013/09/27/0253ea40-2796-11e3-ad0d-b7c8d2a594b9_story.html

-http://www.computerworld.com/s/article/9242779/France_sanctions_Google_for_European_privacy_law_violations?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57605097-83/french-could-serve-up-fines-to-google-for-privacy-violation/



Spanish Police Arrest Cybercrime Masterminds (September 27, 2013)
The Spanish National Police have arrested two people believed to be the masterminds of a scheme that compromised 21,000 company servers around the world and sold remote access to those machines. The compromise allowed the attackers complete administrator privileges.
-http://www.v3.co.uk/v3-uk/news/2297369/europol-nabs-cyber-crooks-behind-21-000-strong-hacked-server-store

[Editor's Comment (Northcutt): It is not entirely clear there is a Reveton gang as it says in the article; we might need someone like Brian Krebs to weigh in, but there is certainly malware:
-http://www.v3.co.uk/v3-uk/news/2295107/darkleech-campaign-targets-java-to-spread-reveton-ransomware
]


UK Police Arrested Teen in Connection with Spamhaus DDoS (September 27, 2013)
Police in London have arrested a 16-year-old in connection with a massive distributed denial-of-service (DDoS) attack against Spamhaus in March. The teen was arrested in April, but the arrest was kept secret until recently. When authorities arrested the teenager, he "was found with his computer systems open and logged on to various virtual systems and forums. [He also] has a significant amount of money flowing through his bank account." A man was arrested in the Netherlands in connection with the attack earlier this year.
-http://www.theregister.co.uk/2013/09/27/london_schoolboy_arrested_for_biggest_ddos_attack_in_history/

-http://news.techworld.com/security/3471224/british-teen-accused-of-massive-spamhaus-ddos-attack-arrested-months-ago/

-http://www.scmagazine.com/london-teen-arrested-for-involvement-in-spamhaus-ddos-attack/article/313787/



Google Will Send All Searches Over SSL (September 27, 2013)
Google is now sending all searches over secure sockets layer (SSL). Google has been using SSL to protect Google account holders' searches since 2011. SSL encrypts connections between users' computers and Google, which means that ISPs, Wi-Fi hotspots, and Internet cafes cannot intercept searches conducted through Google. Users' search results will be protected, but their search terms and the fact that they visited Google.com may not be protected.
-http://www.scmagazine.com/google-shifts-to-ssl-for-all-searches/article/313796/
[Editor's Note (Pescatore): From an overall security perspective, a good thing. But enterprises that don't allow SSL from internal desktops will need to either change policy or deploy SSL inspection to avoid serious business disruption. ]


Recent Attacks on US Navy Network Blamed on Iran (September 27, 2013)
Hackers have broken into a US Navy network. The attackers either worked for the Iranian government or acted with its approval, according to US officials. The incident is being called "one of the most serious infiltrations" of US networks emanating from Iran. The targeted network is unclassified and is used for email and internal intranet.
-http://www.theatlanticwire.com/global/2013/09/irans-hackers-are-still-hacking-away-us-networks/69984/

-http://www.navytimes.com/article/20130927/NEWS/309270027/Report-Iranian-hackers-breach-Navy-intranet

(Please note that The Wall Street Journal requires a paid subscription.)
-http://online.wsj.com/article/SB10001424052702304526204579101602356751772.html


STORM CENTER TECH CORNER

Stories discussed as part of our Internet Storm Center diaries
-https://isc.sans.edu/diary.html
or daily podcasts
-https://isc.sans.edu/podcast.html
If you started seeing "unknown TCP Option" or similar alerts in your IDS as of a week ago, it may be because iOS 7 adds multipath TCP
-https://isc.sans.edu/forums/diary/iOS+7+Adds+Multipath+TCP/16682
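Added example (not code from the ISC diary or from this newsletter): a small TCP options walker that names each option kind and flags kind 30, the Multipath TCP option from RFC 6824, so an "unknown TCP option" IDS alert can be triaged as MPTCP rather than something hostile. The sample SYN option bytes are constructed for the example.

```python
# Walk the raw TCP options field of a segment and report each option kind.
# Kind 30 (Multipath TCP) is decoded to its subtype; anything not in the
# short table an older IDS rule set would know is reported as UNKNOWN.

KNOWN_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK_PERM",
               5: "SACK", 8: "TIMESTAMP"}
MPTCP_KIND = 30
# MPTCP subtype is the high nibble of the first byte after the length byte.
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}


def parse_tcp_options(opts: bytes) -> list:
    """Return a list of (kind, name, payload) tuples from raw TCP options."""
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            out.append((0, "EOL", b""))
            break
        if kind == 1:                       # NOP is a single byte, no length
            out.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        payload = opts[i + 2:i + length]
        if kind == MPTCP_KIND:
            subtype = payload[0] >> 4 if payload else None
            name = "MPTCP/" + MPTCP_SUBTYPES.get(subtype, "UNKNOWN")
        else:
            name = KNOWN_KINDS.get(kind, "UNKNOWN")
        out.append((kind, name, payload))
        i += length
    return out


def triage(opts: bytes) -> str:
    """Classify an options field the way an analyst would after an
    unknown-option alert: 'mptcp', truly 'unknown', or all 'known'."""
    parsed = parse_tcp_options(opts)
    if any(k == MPTCP_KIND for k, _, _ in parsed):
        return "mptcp"
    if any(n == "UNKNOWN" for _, n, _ in parsed):
        return "unknown"
    return "known"


# Constructed sample resembling an MPTCP-capable SYN: MSS 1460, NOP, window
# scale 5, NOP, NOP, timestamps, SACK permitted, then MP_CAPABLE (kind 30,
# length 12, subtype 0 / version 0, flags 0x81, 8-byte sender key).
IOS7_SYN_OPTS = (
    b"\x02\x04\x05\xb4"                           # MSS 1460
    b"\x01"                                       # NOP
    b"\x03\x03\x05"                               # window scale 5
    b"\x01\x01"                                   # NOP NOP
    b"\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00"   # timestamps
    b"\x04\x02"                                   # SACK permitted
    b"\x1e\x0c\x00\x81" + b"\x11" * 8             # MPTCP MP_CAPABLE
)

if __name__ == "__main__":
    for kind, name, payload in parse_tcp_options(IOS7_SYN_OPTS):
        print("kind %3d  %-18s %s" % (kind, name, payload.hex()))
    print("verdict:", triage(IOS7_SYN_OPTS))
```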
PANDA now allows finding SSL/TLS Master Secrets. In case you run into SSL encrypted traffic during a forensics investigation, PANDA will help you find the master secrets in memory images.
-https://github.com/moyix/panda/blob/master/docs/panda_ssltut.md
The motion/tilt sensor in your phone can be used to read keystrokes typed on nearby keyboards.
-http://www.cc.gatech.edu/~traynor/papers/traynor-ccs11.pdf
Tools for Reviewing Infected Websites
-https://isc.sans.edu/diary/Tools+for+reviewing+infected+websites/16673
iOS 7.0.2 fixes lock screen bypass
-http://support.apple.com/kb/HT5957
Google Talk Problems result in outages and messages being routed to the wrong recipient.
-https://productforums.google.com/forum/#!category-topic/chat/i-found-a-bug/uOssfrVhlzU



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/