Get an iPad with Online Courses Now!

SANS NewsBites - Volume: XV, Issue: 90


Next month (December 12-19) Washington DC will host all 15 of SANS' highest-rated hands-on courses, plus bonus sessions: Updates on Advanced Persistent Threats, Digital Forensics Techniques, and Windows Exploratory Surgery. More information: http://www.sans.org/event/cyber-defense-initiative-2013/ P.S. If the west coast is better, many of these courses will also be presented in San Diego next week and in San Francisco in mid-December.

Alan


*************************************************************************
SANS NewsBites                     November 12, 2013                    Volume: XV, Issue: 90
*************************************************************************
TOP OF THE NEWS

  GCHQ Spoofed LinkedIn and Slashdot to Gain Access to Telecoms' Internal Networks
  Survey Suggests Majority of Breaches in US Undisclosed

THE REST OF THE WEEK'S NEWS

  Microsoft's November Patch Tuesday Includes Fix for New IE Vulnerability
  More Flaws in D-Link Routers
  Kaspersky: Stuxnet Infected Russian Nuclear Plant
  NYPD Detective Pleads Guilty to Hacking
  White House May Consider Civilian to Head NSA
  Barrett Brown's Mother Gets Probation For Helping to Hide Son's Laptops
  UK Financial Institutions' Cybersecurity Exercise
  House Committee Wants Answers From VA About Cybersecurity Practices

INTERNET STORM CENTER TECH CORNER

  INTERNET STORM CENTER TECH CORNER


**************** Sponsored By ForeScout Technologies ********************
The first phase of Continuous Diagnostics & Mitigation (CDM) contracts has been awarded. Would you like to address these new challenges?
ForeScout CounterACT(TM) assists Federal and private sector IT organizations in meeting these requirements by providing real-time discovery and assessment of all endpoints on your network, and automatically mitigating any security issues that occur. Download the latest technical note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/143262
**************************************************************************
TRAINING UPDATE


--SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2013


--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


--SANS Sydney 2013 Sydney, Australia November 11-23, 2013 6 courses. Bonus evening presentations include Advanced Exploit Writing: Use-After-Free Vulnerabilities.
http://www.sans.org/event/sydney-2013


--SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

GCHQ Spoofed LinkedIn and Slashdot to Gain Access to Telecoms' Internal Networks (November 10 & 11, 2013)
According to leaked documents, the UK's GCHQ spoofed LinkedIn and Slashdot pages to install malware on the computers of certain engineers working for global roaming exchange providers in Europe. Once the malware was on the computers, intelligence agents were able to gain access to internal networks of Belgian telecommunications company Belgacom and its subsidiaries. The method used to infect the computers is known as "Quantum Insert" and was developed by the NSA.
-http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html
-http://www.wired.com/threatlevel/2013/11/british-spies-hacked-telecom/
-http://www.computerworld.com/s/article/9243937/British_spies_reportedly_spoofed_LinkedIn_Slashdot_to_target_network_engineers?taxonomyId=17
-http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/



Survey Suggests Majority of Breaches in US Undisclosed (November 11, 2013)
According to a survey, more than half of all data breaches experienced by companies in the US remain undisclosed. The study surveyed 200 security professionals who conduct malware analysis; 57 percent said they had investigated or helped manage fallout from a data breach that was not disclosed by the targeted company.
-http://www.zdnet.com/enterprise-data-breaches-often-left-undisclosed-malware-analysts-say-7000023032/
-http://www.csoonline.com/article/742878/senior-executives-blamed-for-a-majority-of-undisclosed-security-incidents?source=CSONLE_nlt_update_2013-11-10

[Editor's Note (Skoudis): There need to be consequences for people who don't follow the rules of disclosure. Otherwise, well, we'll have more than half of data breaches not being disclosed. ]



*************************** Sponsored Links: *****************************
1) Analyst Webcast: Automation and Critical Security Controls 1-7: EIQ SecureVue Tuesday, November 12 at 1:00 PM EST Featuring Jerry Shenk and Brian Mehlman. http://www.sans.org/info/143022

2) Tool Talk Webcast: 2014 Security Predictions. Tuesday, November 19 at 1:00 PM EST featuring Bob Hansmann. Come prepared to be armed with new insights on how the threat landscape will shift in the coming year, along with ideas on how to improve your security posture and stay ahead of threats. http://www.sans.org/info/143027

3) Smart Buildings, Cars and Medical Devices! The Internet of Things Survey is Calling You To Take It - and enter to win an iPad. http://www.sans.org/info/143032
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft's November Patch Tuesday Includes Fix for New IE Vulnerability (November 11, 2013)
Two unpatched vulnerabilities in Internet Explorer (IE) are being actively exploited in watering hole attacks. The flaws affect IE7, IE8, IE9, and IE10 running on Windows XP and Windows 7. The exploits load attack code directly into the computer's memory, where it is executed; when the computer is rebooted the malware disappears, which means that attackers seeking sensitive, valuable data must work quickly in real time. Microsoft has announced that a fix for the issue is included in one of the security bulletins scheduled for release on November 12.
-http://www.computerworld.com/s/article/9243943/Researchers_reveal_IE_zero_days_after_hackers_set_watering_hole_traps?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57611860-83/microsoft-plans-to-address-zero-day-ie-bug-on-tuesday/
-http://www.computerworld.com/s/article/9243943/Update_Microsoft_to_patch_just_revealed_Windows_zero_day_tomorrow?taxonomyId=17
-https://isc.sans.edu/forums/diary/IE+Zero-Day+Vulnerability+Exploiting+msvcrt+dll/16985

[Editor's Note (Skoudis): The ephemeral focus of this attack is interesting. It's a smash-and-grab. That likely won't last, as other attackers craving persistence start using the exploit this week before orgs fully deploy the new patch. ]


More Flaws in D-Link Routers (November 11, 2013)
Vulnerabilities in some D-Link routers could be exploited through cross-site scripting (XSS) attacks. Last month, another, more serious vulnerability was found in several D-Link routers. The newest group of flaws affects the D-Link 2760N, also known as the D-Link DSL-2760U-BN.
-http://news.cnet.com/8301-1009_3-57611824-83/new-security-holes-found-in-d-link-router/
-http://seclists.org/fulldisclosure/2013/Nov/76


Kaspersky: Stuxnet Infected Russian Nuclear Plant (November 11, 2013)
According to Eugene Kaspersky, head of the eponymous Russian anti-virus company, Stuxnet has infected the internal network of a Russian nuclear plant. Kaspersky also claims that unspecified malware has infected the International Space Station through a USB stick.
-http://www.scmagazine.com//eugene-kaspersky-stuxnet-struck-russian-nuclear-plant/article/320454/
-http://www.theregister.co.uk/2013/11/11/stuxnet_hit_russia_claim/
-http://www.v3.co.uk/v3-uk/news/2306181/stuxnet-uk-and-us-nuclear-plants-at-risk-as-malware-spreads-outside-russia
-http://www.theatlanticwire.com/global/2013/11/russian-cosmonaut-accidentally-infected-iss-stuxnet/71470/

[Editor's Note (Skoudis): A few years ago, Marcus Sachs mentioned to me an intriguing idea. He said, someday, it is possible that pretty much every system will have some malware on it, just as our bodies are chock full of viruses and bacteria. But, our bodies handle it ok as long as the infection doesn't get out of hand and cause damage. The notion was that it will be impossible to be 100% clean, but you can in fact still be operational if you have good defenses (like the body's immune system). I didn't like hearing what he had to say then, as it sounded defeatist. But, stories like this remind me of that view of the future and make me wonder if we are heading there. ]


NYPD Detective Pleads Guilty to Hacking (November 11, 2013)
New York City Police Detective Edwin Vargas has pleaded guilty to conspiracy to commit computer hacking. Vargas admitted that he hired a service to steal email account passwords of his fellow officers and other individuals. He also admitted to accessing the National Crime Information Center database without authorization to obtain information about fellow officers.
-http://www.wired.com/threatlevel/2013/11/police-detective-guiltyhacking-charges/
-http://www.wired.com/images_blogs/threatlevel/2013/11/Vargas-Edwin-Plea-PR.pdf
[Editor Comment (Northcutt): This is why there has to be misuse detection. Who is watching the watchers? The majority of people involved in health care, tax collection and law are upright and careful, but there will always be a few that abuse their access. ]


White House May Consider Civilian to Head NSA (November 9, 2013)
When NSA chief General Keith Alexander steps down from his post next year, the White House may nominate a civilian candidate to fill the position. The NSA has drawn its leaders from within the military since the agency's inception in 1952. Alexander currently also heads the US Cyber Command, so a civilian NSA director would be considered only if the White House decides to split the two positions after Alexander steps down. A civilian nominee would likely have to face Senate confirmation hearings. A qualified civilian candidate may be difficult to find, as the job requires a depth of technical knowledge and "familiarity with intelligence gathering." Jim Lewis, senior fellow at the Center for Strategic and International Studies, notes that a civilian NSA director may encounter difficulty providing intelligence for military operations.
-http://thehill.com/blogs/hillicon-valley/technology/189773-white-house-considers-civilian-for-nsa-chief



Barrett Brown's Mother Gets Probation For Helping to Hide Son's Laptops (November 8, 2013)
Barrett Brown's mother has been given six months' probation and fined US $1,000 for helping him hide laptops from authorities. Barrett Brown has been indicted on charges of trafficking stolen authentication features, access device fraud, and aggravated identity theft. Brown, who claimed he was a spokesperson for Anonymous, was arrested in September 2012. He was also charged with concealment of evidence.
-http://arstechnica.com/tech-policy/2013/11/mom-helped-hide-laptops-from-fbi-in-dishwasher-gets-6-months-probation/
-http://rt.com/usa/barrett-brown-mother-probation-461/


UK Financial Institutions' Cybersecurity Exercise (November 7, 2013)
Financial institutions in London, UK, will participate in a cybersecurity exercise on November 12. The exercise will simulate a cyberattack on systems critical to the UK's financial system. The exercise will test organizations' preparedness for cyberattacks, including how they communicate and coordinate action with each other and with authorities.
-http://www.computerweekly.com/news/2240208779/Security-experts-welcome-UK-banking-cyber-attack-test
-http://www.theregister.co.uk/2013/11/11/uk_cyber_stress_test/
-http://uk.reuters.com/article/2013/11/07/uk-britain-cybercrime-test-idUKBRE9A614U20131107

[Editor's Note (Honan): It is refreshing to see more and more organisations running these types of exercises. It's better to find flaws in your incident response plans in an exercise than in the heat of a security breach. ]


House Committee Wants Answers From VA About Cybersecurity Practices (November 4, 2013)
The US Department of Veterans Affairs (VA) is coming under scrutiny from a congressional committee after offering inconsistent explanations for several data breaches since 2010. The state-sponsored cyberattacks have compromised personal information of more than 20 million veterans and their family members. In the past three weeks, the House Veterans Affairs Committee has made six formal inquiries to the VA's Office of Information and Technology regarding the agency's IT security practices and compliance with federally mandated standards. The agency has a backlog of unanswered inquiries dating back to June 2012. The most recent round of inquiries arose after it became clear that VA networks were compromised multiple times since March 2010, but officials have been unable to determine what data were compromised.
-http://fcw.com/articles/2013/11/04/congress-investigates-va-data-breaches.aspx


INTERNET STORM CENTER TECH CORNER

FireEye Releases more details about waterhole attack
-http://www.scmagazine.com//security-forum-website-targeted-in-drive-by-attack-leveraging-ie-zero-day/article/320459/



More Internet Explorer Vulnerabilities
-https://isc.sans.edu/forums/diary/IE+Zero-Day+Vulnerability+Exploiting+msvcrt+dll/16985



OpenSSH Vulnerability
-http://www.openssh.com/txt/gcmrekey.adv


Unmasking Spoofed WiFi MAC Addresses
-http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html


Sidechannel Attacks against Mobile Device PINs
-http://threatpost.com/stealing-pin-codes-with-a-wink-and-a-nod/102881


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978, including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/