2 Days Left to Save $200 on SANS Cyber Defense San Diego 2014

SANS NewsBites - Volume: XVI, Issue: 5


FLASH: The U.S. President announced this morning that the NSA would cease monitoring of some foreign leaders' communications and that the NSA would no longer store large amounts of information on phone and electronic communications. Instead, the president suggests that these data be stored by a third party and queried only after gaining judicial approval. Congress will make the decision on where such data will be stored - possibly at the Internet service providers.
http://www.washingtonpost.com/politics/in-speech-obama-to-call-for-restructuring
-of-nsas-surveillance-program/2014/01/17/e9d5a8ba-7f6e-11e3-95c6-0a7aa80874bc_st
ory.html


*************************************************************************
SANS NewsBites                     January 17, 2014                    Volume: XVI, Issue: 5
*************************************************************************
TOP OF THE NEWS

  Target Point-of-Sale (POS) Malware
  Security Updates from Microsoft, Adobe, and Oracle

THE REST OF THE WEEK'S NEWS

  Experts Say HealthCare.gov Still Has Numerous Security Issues
  Centers for Medicare and Medicaid Services Official Says Site is Now Secure
  Microsoft Will Extend Security Essentials for Windows XP Through July 2015
  Cisco Updates Secure Access Control System
  Microsoft Acknowledges Syrian Electronic Army Compromised Some Employee eMail Accounts
  Pending Legislation Would Require Inspection of Chinese Made IT Equipment
  NSA Using Radio Technology to Snoop on Machines Not Connected to Internet
  FISC Jurists Oppose Task Force Transparency and Oversight Recommendations
  Federal Appeals Court Invalidates Most of FCC's Net Neutrality Rules

STORM CENTER TECH CORNER

  STORM CENTER TECH CORNER


************************ Sponsored By Bit9 *****************************
This new white paper explains how a single, positive security solution facilitates the convergence of compliance and security - one agent that provides visibility, detection, response and protection and can automate and manage compliance for PCI-DSS, SOX, HIPAA, FISMA, GLBA, GPG 13, NERC CIP and other regulations. Learn More
http://www.sans.org/info/148795
***************************************************************************
TRAINING UPDATE


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- -- SANS Cyber Threat Intelligence Summit Feb. 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http//www.sans.org

*****************************************************************************

TOP OF THE NEWS

Target Point-of-Sale (POS) Malware (January 15 & 16, 2014)
More details are emerging about the malware used to steal data from payment cards used at Target over an 18-day period late last year. According to sources familiar with the ongoing investigation, the attack used memory-scraping malware in Target's point-of-sale systems. The malware "parses data stored briefly in the memory banks of specific POS devices" and can capture magnetic stripe data. The attackers appear to have used a central server in Target to store stolen data and then transmitted the data to an external FTP server.
-http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
-http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/


Security Updates from Microsoft, Adobe, and Oracle (January 14 & 15, 2014)
Microsoft and Adobe have released security updates for a variety of products. Microsoft four bulletins address a total of six flaws in Windows, Office, Microsoft Server 2003 and 2008, and Microsoft Dynamics AX. The Microsoft bulletins are all rated important. Adobe's fixes for Reader, Acrobat, and Flash, are rated critical. Earlier in the week, Oracle released an update with nearly 150 fixes for a variety of products, including 36 fixes for Java.
-http://www.theregister.co.uk/2014/01/15/january_microsoft_patch_tuesday/
-http://www.computerworld.com/s/article/9245406/Patch_Tuesday_Fairly_quiet_on_the
_Microsoft_front?taxonomyId=17

-http://krebsonsecurity.com/2014/01/security-updates-for-windows-flash-reader/
-http://arstechnica.com/security/2014/01/critical-microsoft-adobe-and-oracle-upda
tes-like-dental-floss-for-your-pc/

-http://technet.microsoft.com/en-us/security/bulletin/ms14-jan



************************** Sponsored Links: ******************************
1) Two new Whitepapers - Oracle and McAfee - in the SANS Reading Room. See these and a variety of papers by the SANS analysts at http://www.sans.org/info/148800

2) The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA will bring together practitioners and experts to give you the knowledge you need to deal with the next wave of threats. http://www.sans.org/info/148805

3) Special Webcast: Leveraging the Critical Security Controls to Mitigate User and Asset-based Risk. Friday, February 07 at 1:00 PM EDT with Dr. Eric Cole and Michael Yaffe. http://www.sans.org/info/148810
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Experts Say HealthCare.gov Still Has Numerous Security Issues (January 16, 2014)
Experts testifying before congress said that the government's healthcare exchange website still contains many security problems. One of the security issues identified last year has been partially addressed, but the other 17 remain, and 20 new issues have been detected. According to a statement from the Centers for Medicare and Medicaid Services (CMS), "There have been no successful security attacks on HealthCare.gov and ...
[no one ]
has maliciously accessed personally identifiable information from the site."
-http://news.cnet.com/8301-1009_3-57617335-83/healthcare.gov-security-a-breach-wa
iting-to-happen/

-http://arstechnica.com/security/2014/01/healthcare-gov-riddled-with-flaws-that-c
ould-expose-user-data-experts-say/

-http://www.nbcnews.com/technology/hackers-healthcare-gov-still-riddled-potential
-security-issues-2D11940198

-https://www.trustedsec.com/january-2014/stand-one-change-infosec-now/
[Editor's Note (Shpantzer): I just finished watching the two hours of painful back-and-forth and found it shameful that members of the Congressional committee asked to strike Mr. Kennedy's testimony from the record (around 1:28:00) This is not how vulnerabilities get fixed, rather it is more of the same old shoot-the-messenger ridiculous commentary we've grown accustomed to hearing from people who don't like security researchers pointing out vulnerabilities.
-http://www.c-spanvideo.org/program/TSec]



Centers for Medicare and Medicaid Services Official Says Site is Now Secure (January 16, 2014)
Teresa Fryer, Department of Health and Human Services (HHS) CIO at Centers for Medicare and Medicare Services, told members of the US House Oversight and Government Reform Committee that she believes that the HealthCare.gov website meets government security standards. Fryer had expressed concerns about the site's security prior to its launch last October. But this week, she said the site passed a security control assessment in December.
-http://www.nextgov.com/health/2014/01/healthcaregov-secure-says-cms-official-who
-voiced-early-concerns/77036/?oref=ng-HPtopstory

[Editor's Note (Murray): While "compliance with requirements" is undoubtedly a good thing, it is a mistake to conclude that that means that a system is "secure." ]


Microsoft Will Extend Security Essentials for Windows XP Through July 2015 (January 16, 2014)
Microsoft now says that it will extend support for Security Essentials for Windows XP for 15 months beyond the date that it plans to stop supporting the popular operating system. One figure suggests that nearly one-third of desktop computers are still running on Windows XP.
-http://www.bbc.co.uk/news/technology-25758308
[Editor's Note (Pescatore): Good move to extend, the other desktop AV providers have left support for XP open dependent on what Microsoft does. ]


Cisco Updates Secure Access Control System (January 16, 2014)
Cisco has updated its Secure Access Control System (ACS) to fix three security flaws that could be exploited to remotely gain administrative access to vulnerable devices, which would allow the intruders to execute OS-level commands without authorization. The "ACS is a server appliance that enforces access control policies for both wireless and wired network clients."
-http://www.computerworld.com/s/article/9245476/Cisco_fixes_remote_access_flaws_i
n_its_Secure_Access_Control_System?taxonomyId=17



Microsoft Acknowledges Syrian Electronic Army Compromised Some Employee eMail Accounts (January 15 & 16, 2014)
Microsoft has admitted that a Syrian Electronic Army (SEA) attack compromised several internal email accounts, in addition to an official blog and two of the company's Twitter accounts.
-http://www.theregister.co.uk/2014/01/16/sea_microsoft_email_compromised/
-http://news.cnet.com/8301-1009_3-57617306-83/microsoft-employee-e-mail-also-hit-
by-syrian-electronic-army/



Pending Legislation Would Require Inspection of Chinese Made IT Equipment (January 15, 2014)
US legislators in both houses are expected to approve bills that would prohibit certain agencies from purchasing IT equipment manufactured in China until it is inspected by federal authorities. The provision is part of a 2014 fiscal spending package in the House of Representatives. The agencies that would be affected by the bills are the Department of Commerce, the Department of Justice, NASA, and the National Science Foundation.
-http://www.nextgov.com/cio-briefing/2014/01/congress-cracks-down-agency-purchase
s-chinese-made-it/76922/

[Editor's Note (Pescatore): This is similar to what the UK did when Huawei won a competition to provide national telecoms equipment. But, such legislation is a two-way street - I assume many Asian companies will want to do the same for US technology and cloud services. ]


NSA Using Radio Technology to Snoop on Machines Not Connected to Internet (January 14 & 15, 2014)
The NSA has put malware on 100,000 computers that allow it to conduct surveillance, even when the machines are not connected to the Internet. The NSA has been using the technology since 2008. The technology involves the use of small transceivers and in some cases, small circuit boards placed inside targeted machines.
-http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connect
ed-to-internet.html?hp&_r=0

-http://www.computerworld.com/s/article/9245443/Spy_agencies_around_the_world_use
_radio_signals_to_tap_data_from_targeted_systems?taxonomyId=17

-http://www.nbcnews.com/technology/report-nsa-maps-pathway-computers-2D11931591
-http://arstechnica.com/security/2014/01/nsa-uses-covert-radio-transmissions-to-m
onitor-100000-bugged-computers/

-http://www.scmagazine.com//leaks-detail-nsas-arsenal-for-targeting-disconnected-
computers/article/329528/

-http://www.bbc.co.uk/news/technology-25743074
[Editor's Note (Pescatore): I worked for the US Secret Service back in the early 1980's when the Russians did this to IBM electric typewriters used in the US embassy in Moscow. This is what we expect intelligence agencies to do, that is their job. By the way, NSA has the declassified report on that old embassy typewriter incident - you can read it from the nsa.gov website.
(Murray): While not always sufficient, physical security is always a necessary and efficient measure. (Stephen Colbert had a report on this NSA activity last night and should be available here
-http://www.colbertnation.com/the-colbert-report-videos/
shortly.) ]


FISC Jurists Oppose Task Force Transparency and Oversight Recommendations (January 14 & 15, 2014)
Current and former Foreign Intelligence Surveillance Court judges says that White House task force recommendations for change to court procedures would place a greater burden on the court and hinder its ability to do its job. The letter, written by former FISC Chief Judge John D. Bates, expresses the jurists' opposition to appointing an independent privacy advocate to represent public interest; requiring the FISC judges' approval for national security letters; broadening the selection process of FISC judges; and the cessation of the NSA's phone call metadata collection program.
-http://www.washingtonpost.com/world/national-security/surveillance-court-judges-
oppose-white-house-groups-nsa-proposals/2014/01/14/3c41e1e2-7d60-11e3-93c1-0e888
170b723_story.html

-http://www.latimes.com/nation/la-na-nsa-reform-20140115,0,5995749.story#axzz2qd1
nSeGa

-http://www.computerworld.com/s/article/9245432/FISA_judges_oppose_plan_for_priva
cy_advocate?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57617240-83/judge-cautions-against-some-propose
d-reforms-to-nsa/



Federal Appeals Court Invalidates Most of FCC's Net Neutrality Rules (January 14 & 16, 2014)
The US Court of Appeals for the District of Columbia has struck down major portions of the Federal Communications Commission's (FCC's) net neutrality rules. The FCC ran into problems because several years ago, it classified Internet service providers (ISPs) as information services rather than telecommunications services, which means that the commission's authority in regulating ISPs was on shaky legal ground.
-http://www.wired.com/threatlevel/2014/01/court-kills-net-neutrality/
-http://arstechnica.com/tech-policy/2014/01/how-the-fcc-screwed-up-its-chance-to-
make-isp-blocking-illegal/



STORM CENTER TECH CORNER

Microsoft releases details about twitter/blog compromise
-http://www.theregister.co.uk/2014/01/13/microsoft_twitter_blog_sea_compromised/


More Target Breach Details
-http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/


Exposed Network Printers
-http://shodanio.wordpress.com/2014/01/14/i-know-you-need-new-toner/


Google Updates Chrome, Adds Caching for Mobile Browser
-http://techcrunch.com/2014/01/15/google-adds-optional-data-compression-feature-t
o-chrome-for-mobile-reducing-your-data-usage-by-up-to-50/

-http://googlechromereleases.blogspot.de/2014/01/stable-channel-update.html


Microsoft Updates
-http://technet.microsoft.com/en-us/security/bulletin/ms14-Jan


Adobe Patches
-http://helpx.adobe.com/security/products/flash-player/apsb14-01.html
-http://helpx.adobe.com/security/products/flash-player/apsb14-02.html


Oracle Critical Patch Update
-http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html


SEA Website Defaced by Turkish Hackers
-http://thehackernews.com/2014/01/syrian-electronic-armys-own-website-got.html


Aidra Botnet Client with Backdoor on port 4028
-https://isc.sans.edu/forums/diary/Port+4028+-+Interesting+Activity/17444


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/