SANS NewsBites - Volume: XV, Issue: 85


Policy makers considering the impact of the NIST Framework released this week might find John Pescatore's assessment illuminating (first story). More to come on this.

Alan


*************************************************************************
SANS NewsBites                     October 25, 2013                    Volume: XV, Issue: 85
*************************************************************************
TOP OF THE NEWS

   NIST Releases Preliminary Cybersecurity Framework
   July DOE Intrusion Affected More People Than Previously Thought

THE REST OF THE WEEK'S NEWS

  US Attorney Charges Seven in Connection with Fraudulent Internet Transactions
  Cisco Issues Software Fixes for Networking and Communications Products
  Flash Now Sandboxed in Safari on OS X 10.9
  Don't Call Yourself a Hacker
  Malware Found on International Atomic Energy Agency Computers
  Netgear Equipment Vulnerabilities
  Rental Company Settles Charges Over Webcam Spying
  Federal Appeals Court Says Warrant Required for GPS Tracking

INTERNET STORM CENTER TECH CORNER


********************* Sponsored By Symantec *************************
Last year, Mac malware increased by 66% with a single high-profile attack infecting over 600,000 machines. However, most Mac users are unaware of the risk of infection, leaving organizations vulnerable. Join our Security, Threat and Response Expert, Kevin Haley, for a closer look at Macs, Malware and Security Myths on November 5th.
http://www.sans.org/info/141775
***************************************************************************
TRAINING UPDATE

--SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


--SANS South Florida 2013 Ft. Lauderdale, FL November 4-9, 2013 5 courses. Bonus evening presentations include The Security Impact of IPv6; Evolving Threats; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/south-florida-2013


--SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


--October Singapore 2013 Singapore, Singapore October 21-November 2, 2013 5 courses. Bonus evening presentations include Pen Testing the Smart Grid; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/singapore-sos-2013


--SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


--SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, San Diego, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************


TOP OF THE NEWS

NIST Releases Preliminary Cybersecurity Framework (October 22 & 23, 2013)
The US National Institute of Standards and Technology (NIST) has released its preliminary cybersecurity framework. The practices described in the document are voluntary. Some are critical of voluntary standards because they in turn become the de facto industry standards, which means companies that suffer breaches could be found liable if they have not implemented the practices. Private companies operate most elements of the country's critical infrastructure. The final version of the document is scheduled to be released in February 2014.
-http://www.govinfosecurity.com/nist-issues-preliminary-cyber-framework-a-6165
-http://www.scmagazine.com/nist-debuts-preliminary-framework-for-securing-critical-infrastructure/article/317635/

-http://news.cnet.com/8301-1009_3-57608834-83/us-government-releases-draft-cybersecurity-framework/

-http://www.bloomberg.com/news/2013-10-22/banks-to-utilities-given-u-s-standards-to-fight-hackers.html

Draft Framework:
-http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
[Editor's Note (Pescatore): The draft framework provides a mapping of its security controls to the many other existing frameworks. There are *no* requirements that do not already exist in one or more frameworks, with ISO 27001 being directly mapped to more than 61% of the NIST controls. The controls that don't directly map to ISO 27001 are generally either refinements (specifying detected events must be "analyzed") of controls that are found in ISO 27001 or requirements to update controls - there is very little value add over just pointing to ISO 27001 or NIST 800-53, for that matter. There is no prioritization of the controls in the framework, but the mapping does include mapping to the Critical Security Controls. ]


July DOE Intrusion Affected More People Than Previously Thought (October 22, 2013)
The US Department of Energy (DOE) has revised the details of a July 2013 data security breach. DOE now says that the personal information of more than 104,000 current and former employees, their dependents, and contractors was compromised in the intrusion. DOE initially informed employees of the breach in mid-August, saying that at least 14,000 individuals were affected. By the end of that month, the official figure had nearly quadrupled to 53,000. Now that number has nearly doubled.
-http://www.informationweek.com/security/attacks/dept-of-energy-breach-bigger-than-we-rea/240162952

Updated DOE Cyber Incident Information:
-http://energy.gov/cio/cyber-incident-information/july-2013-cyber-incident



*************************** Sponsored Links: ******************************
1) Analyst Webcast: Not your Father's IPS: SANS Survey on Network Security Results, featuring Rob Vandenbrink, Tuesday October 29 at 1 PM EDT http://www.sans.org/info/141780

2) Analyst Webcast: Finding Hidden Threats by Decrypting SSL Traffic featuring J. Michael Butler Friday, Nov. 8 at 1 PM EDT. http://www.sans.org/info/141785

3) John Pescatore Analyst Webcast - Actionable Tools for Convincing Management to Fund Application Security. http://www.sans.org/info/141790
*****************************************************************************

THE REST OF THE WEEK'S NEWS

US Attorney Charges Seven in Connection with Fraudulent Internet Transactions (October 24, 2013)
Seven people have been indicted in connection with a scheme that sold nonexistent luxury items on eBay and other sites. The indictment was filed by the US Attorney's Office for the Eastern District of New York. The defendants, who are from Romania and Albania, allegedly netted more than US $3 million in the scheme and remain at large. Interpol is asking for assistance in apprehending the suspects.
-http://investigations.nbcnews.com/_news/2013/10/24/21118879-romanian-ring-that-preyed-on-online-car-buyers-in-us-broken-up-8-fugitives-sought

-http://www.wired.com/threatlevel/2013/10/romanians-indicted-cyber-fraud/
-http://www.wired.com/images_blogs/threatlevel/2013/10/press.release.Popescu.indict.pdf



Cisco Issues Software Fixes for Networking and Communications Products (October 24, 2013)
Cisco Systems has released security updates for several of its products to address denial-of-service and arbitrary command execution vulnerabilities. The updates cover Cisco IOS XR Software, Cisco Identity Services Engine, and Cisco products that bundle the Apache Struts development framework.
-http://www.computerworld.com/s/article/9243502/Cisco_fixes_serious_security_flaws_in_networking_communications_products?taxonomyId=17



Flash Now Sandboxed in Safari on OS X 10.9 (October 23 & 24, 2013)
Adobe Flash Player is now sandboxed in Apple's Safari browser. Adobe has already released sandboxed versions of Flash for Firefox, Chrome, and Internet Explorer. When a plug-in is sandboxed, the operating system confines the process to a restricted set of privileges: the Flash process can be denied the ability to write files outside a designated area, open its own network connections, or read and modify the memory of other processes. An attacker who exploits a bug in Flash therefore also has to escape the sandbox before the rest of the system is at risk. The sandboxed version of Flash for Safari is for machines running OS X 10.9 Mavericks.
-http://www.zdnet.com/adobe-flash-player-now-sandboxed-on-os-x-safari-7000022368/
-http://news.cnet.com/8301-1009_3-57609053-83/safari-matches-rivals-with-sandboxed-flash-for-better-security/

[Editor's Note (Northcutt): Adobe has been working on virtualization for their product suite for a while now. There are two things to keep in mind. One is the definition of sandbox: do we mean reduced privileges, the ability to keep the browser from changing the underlying file/operating system, or the ability to protect one tab from another? Second, it is good to see them continue to strengthen their products. ]
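To make the "limited privileges" idea concrete, below is an illustrative sandbox profile written in SBPL, the Scheme-based policy language behind OS X's sandbox (the same mechanism Safari uses to confine plug-ins). This is an added example for this issue, not the profile Apple or Adobe actually ships for Flash, and the scratch-directory path and file name are assumptions. A real profile would begin by importing one of Apple's base profiles (such as the bsd.sb shipped under /usr/share/sandbox) so the process can start at all; that is omitted here to keep the policy readable. The point it shows is the deny-by-default structure: reads of system libraries are allowed, writes are confined to one directory, and the network is closed, so a compromised plug-in has little to work with.

```scheme
;; flash-demo.sb -- illustrative SBPL profile (example only, not Safari's real Flash policy)
(version 1)

;; Deny everything that is not explicitly allowed below.
(deny default)

;; Log every denied operation to the system log so the policy can be tuned.
(debug deny)

;; The plug-in may read the system frameworks and libraries it needs to load,
;; plus the few device nodes a typical process opens.
(allow file-read*
       (subpath "/System/Library")
       (subpath "/usr/lib")
       (subpath "/usr/share")
       (subpath "/bin")
       (subpath "/private/var/db/dyld")
       (literal "/dev/null")
       (literal "/dev/urandom"))

;; ...but may write only inside a single scratch directory (assumed path).
(allow file-write*
       (subpath "/private/tmp/flash-scratch"))

;; No inbound or outbound network from inside the sandbox; in a real browser the
;; host process brokers network access on the plug-in's behalf.
(deny network*)

;; Needed for the sandboxed binary itself to start; most processes also need this.
(allow process-exec)
(allow sysctl-read)

;; Try it (hypothetical paths, run as a normal user on OS X):
;;   mkdir -p /private/tmp/flash-scratch
;;   sandbox-exec -f flash-demo.sb /bin/sh -c \
;;     'echo ok > /private/tmp/flash-scratch/t; echo nope > /private/tmp/elsewhere'
;; The first write succeeds; the second is denied and logged, because
;; /private/tmp/elsewhere is outside the only writable subpath.
```

Reading the profile top to bottom answers Northcutt's definitional question for this mechanism: it is reduced privileges enforced by the kernel on the plug-in process (file, network and exec operations), not isolation between browser tabs, which has to come from the browser's own process model.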


Don't Call Yourself a Hacker (October 23, 2013)
A US federal court in Idaho recently stripped Corey Thuen of his Fourth Amendment rights because he called himself a "hacker" on his website. Judge Lynn Winmill ruled that the software developer's computer could be seized and its contents copied without prior notice because he referred to himself as a "hacker." The judge wrote, "The tipping point for the Court comes from evidence that the defendants - in their own words - are hackers." The case involves Thuen and his former employer, Battelle Energy Alliance. After helping to develop a security tool called Sophia at Battelle, Thuen left the company and established his own company, Southfork Security. He initially bid to help commercialize the tool, but then withdrew that bid and shortly afterward released a tool called Visdom, which bears striking similarities to Sophia. Battelle sought a temporary restraining order (TRO) to prevent Southfork from marketing Visdom and asked that the order be issued without prior warning because Battelle was concerned that Thuen would release Visdom as open source.
-http://www.computerworld.com/s/article/9243472/Update_Judge_orders_self_described_hacker_s_computer_seized_without_warning?taxonomyId=17

-http://www.theregister.co.uk/2013/10/23/hacker_loses_4th_amendment_rights_case/
Ruling:
-http://docs.justia.com/cases/federal/district-courts/idaho/iddce/4:2013cv00442/32488/8/0.pdf

[Editor's Note (Murray): The issuance of a restraining order does not amount to "stripping" of "Fourth Amendment rights." Indeed, Thuen got exactly what the Amendment guarantees, "due process." In their request, Battelle made a number of claims to convince the court that there existed "probable cause." In retrospect, I think we may find that Battelle overreacted and overreached, but that is what courts are for. We are guaranteed due process, but not necessarily a just outcome. ]


Malware Found on International Atomic Energy Agency Computers (October 23, 2013)
Some computers at the International Atomic Energy Agency (IAEA) are infected with malware. IAEA says the machines have been infected for several months, adding that sensitive information about nuclear inspections was not compromised. Late last year, IAEA suffered a computer security breach at the hands of a politically motivated hacking group calling itself Parastoo.
-http://www.infosecurity-magazine.com/view/35214/un-nuclear-agency-computers-infected-with-malware/

[Editor's Note (Murray): Since malware is so pervasive and since one cannot demonstrate its absence, enterprise security must assume its presence and manage with the following steps: air gap your intellectual assets, segment your internal network, employ end-to-end crypto, terminate VPNs on applications rather than on the perimeter or on operating systems, reduce administrative privileges, increase supervision of privileged users, increase use of two-person controls and strong authentication, etc. ]


Netgear Equipment Vulnerabilities (October 23, 2013)
Security flaws in some Netgear wireless routers and network-attached storage products could be exploited to take control of the devices. The vulnerabilities lie in the management interfaces of the products.
-http://www.computerworld.com/s/article/9243462/Vulnerabilities_in_some_Netgear_router_and_NAS_products_open_door_to_remote_attacks?taxonomyId=17



Rental Company Settles Charges Over Webcam Spying (October 22 & 23, 2013)
Atlanta-based rent-to-own chain Aaron's has agreed to stop spying on customers who rent its computers. Aaron's used software called Detective Mode to monitor customer activity through keystroke logging, screenshots, and images taken from webcams. The complaint, filed by the US Federal Trade Commission (FTC), noted that the practice violated customers' privacy and put them at risk of identity fraud because some screenshots contained financial data. Under the settlement, Aaron's may not use technology that captures keystrokes, screenshots, images, or sounds on the devices it rents, and may only use location-tracking technology with the consent of the renter. Consumers had also filed a lawsuit against Aaron's prior to the FTC's complaint.
-http://money.cnn.com/2013/10/23/technology/aarons-ftc-computer/index.html
-http://news.cnet.com/8301-1009_3-57608838-83/aarons-computer-rental-chain-settles-ftc-spying-charges/

FTC Complaint:
-http://www.ftc.gov/os/caselist/1223264/131022aaronscmpt.pdf
Consumer lawsuit:
-http://www.applieddiscovery.com/ws_display.asp?filter=Case%20Summaries%20Detail&item_id={EFBF0C34-EE83-4E27-8313-8057ED21BD5B}



Federal Appeals Court Says Warrant Required for GPS Tracking (October 22, 2013)
The Third US Circuit Court of Appeals has ruled that law enforcement officers must obtain a probable cause warrant before affixing a GPS tracker to a suspect's vehicle. This is the first appeals court ruling since the January 2012 US Supreme Court decision in United States v. Jones, which held that affixing a GPS device to a suspect's vehicle constitutes a search under the Fourth Amendment. The justices in Jones did not rule on whether that search was unreasonable and thus required a warrant. This recent case, United States v. Katzin, involved a GPS device attached to the vehicle of a suspect in a series of pharmacy robberies.
-http://www.computerworld.com/s/article/9243444/Warrant_required_for_GPS_tracking_of_vehicles_court_rules?taxonomyId=17

-http://www.wired.com/threatlevel/2013/10/warrant-required-gps-trackers/


INTERNET STORM CENTER TECH CORNER

php.net site compromised and used to spread malware
-https://isc.sans.edu/forums/diary/False+Positive+phpnet+Malware+Alert/16892
-http://php.net/archive/2013.php#id2013-10-24-1


We are looking for experiences from small businesses who were the victim of a DoS attack
-https://isc.sans.edu/forums/diary/Are+you+a+small+business+that+experienced+a+DoS+attack+/16895



Yet more WHMCS Vulnerabilities
-http://localhost.re/p/whmcs-v5210-vulnerability


Netgear Router Authentication Bypass
-http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html?m=1



Certified pre-pw0ned Smartphones
-http://www.heise.de/security/meldung/E-Plus-verschickt-Base-Smartphones-mit-Virus-1984119.html

(sorry, German only)

Google and Arbor publish real time DDoS attack Map
-http://www.digitalattackmap.com


Using Nexus 1000v Switch and Netflow in VMWare
-https://isc.sans.edu/forums/diary/Netflow+on+Nexus+1000v/16865


Cryptolocker Update
-https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871


Apple Updates
-http://support.apple.com/kb/HT1222
(new updates should be added sometime today/tomorrow)

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/