Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #16

February 26, 2013


If you are one of the 6,000 folks at the RSA conference today in San
Francisco try to get to the two game changing sessions (this afternoon
and tomorrow morning). The first offers perhaps the most important
opportunity for immediate career growth for cybersecurity professionals
we have seen. They are described at the end of this issue.

Alan

TOP OF THE NEWS

News of Cyberattacks Emanating From China Overshadows the Real Issue
DHS Sharing Cyberattack Information with Critical Infrastructure Operators
Microsoft Victim of iOS Developer Watering Hole Attack
NBC Acknowledges Site Was Serving Up Malware

THE REST OF THE WEEK'S NEWS

Cyberespionage is Not Cyber War
Firefox 22 Will Limit Third-Party Cookies by Default
US ISPs Launching Copyright Alert System
New Java Vulnerabilities
Trojan Has Valid Digital Signature
Mozilla Tightens Requirements for Digital Certificates
Zendesk Hack Affected Twitter, Pinterest, and Tubmlr
cPanel Breach Affects Customers Who Filed Support Requests
Internet Storm Center Exclusive Reports
Game Changing Sessions at RSA 2013


*************************** SPONSORED BY Bit9 *****************************
WHITEPAPER - Advanced Protection Against Advanced Threats: Trust Is Your Best Defense. Download this white paper and learn how to use a progressive, three-step approach to build trust, monitor activity and tailor protection to your enterprise and build an adaptive application control framework. Learn More:
http://www.sans.org/info/125367
****************************************************************************
TRAINING UPDATE

- -- SANS 2013 Orlando, FL March 8-March 15, 2013 47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

- -- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013 8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

- --SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013 7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

- --SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013 9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

- --SANS Security West 2013 San Diego, CA May 7-May 16, 2013 32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013

- --SANS Secure Singapore 2013 February 25-March 2, 2013 6 courses. Bonus evening presentations include APT: It is Time to Act; and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

- --Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013 Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

- --Looking for training in your own community?
http://www.sans.org/community/

- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
***************************************************************************

TOP OF THE NEWS

News of Cyberattacks Emanating From China Overshadows the Real Issue (February 25, 2013)

The recent focus on China as the source of cyberespionage attacks against US government and industry organizations has not addressed the underlying issue - that US computer systems remain vulnerable to attacks. The focus on the Chinese-attributed attacks also neglects the "stealthier attacks coming from many nations that may take a different approach to penetrating
[sensitive ]
systems." The point is not who is launching the attacks; the point is whether or not systems are robustly protected from cyberattacks. The vast majority of attacks are launched using basic exploits. Australia's Defence Signals Directorate and the US's national Security Agency (NSA) put together a list of 35 cyber defense techniques that successfully block more than 85 percent of known attacks. In fact, just four of the measures - whitelisting; restricting PCs and serves to run only approved applications; quickly patching applications and operating systems; and minimizing the number of administrator accounts - can prevent a significant number of targeted attacks.
-http://www.informationweek.com/security/vulnerabilities/dont-blame-china-for-sec
urity-hacks-blam/240149309

[Editor's Comment (McBride): The idea that nation states are involved provides a nice excuse for the owners and operators to claim it is beyond their expertise and responsibility to defend. There is also the argument that the US actually benefits from Chinese industrial espionage: US consumers get cheaper products. Asset owners have got to start by understanding what they **must** protect, why they must protect it, and then carefully implement the "how". ]

DHS Sharing Cyberattack Information with Critical Infrastructure Operators (February 25, 2013)

President Obama's cybersecurity executive order requires government agencies to share cyberthreat intelligence with critical infrastructure operators, and asks that private companies also share information they have. The US Department of Homeland Security (DHS) has begun sharing information about the cyberattacks that affected Apple, Microsoft, Twitter, and other companies. The DHS bulletin sent out on Friday, February 22 warned organizations responsible for systems that support elements of the country's critical infrastructure of "ongoing malicious cyber activity against US government and private sector entities," and provided information about how those organizations that had been contacted could obtain confidential guidance, including malware indicators.
-http://www.nextgov.com/cybersecurity/2013/02/dhs-notifies-companies-offers-intel
-about-ongoing-hacks/61482/?oref=ng-channelriver

[Editor's Comment (McBride): When it comes to DHS information sharing, I always like to ask, where does this information come from? Is it supplied by third parties, or did the government "figure it out"? This is important because allowing the government to act as a filter/modifier may not be in the best interest of eventual recipients. ]

Microsoft Victim of iOS Developer Watering Hole Attack (February 22, 2013)

Microsoft says that it was the victim of a cyberattack like those that targeted Apple and Facebook. The company said that "a small number of computers, including some in
[its ]
Mac business unit, ... were infected by malicious software using techniques similar to those" used in the other attacks. Customer data do not appear to have been affected. The attack exploited a flaw in Oracle's Java in a "watering hole" attack through a compromised iOS developer website.
-http://www.computerworld.com/s/article/9237074/Microsoft_joins_list_of_recently_
hacked_companies?taxonomyId=17

-http://news.cnet.com/8301-1009_3-57570861-83/add-microsoft-to-list-of-hacked-com
panies/

-http://www.v3.co.uk/v3-uk/news/2250219/microsoft-also-targeted-in-apple-facebook
-hack

NBC Acknowledges Site Was Serving Up Malware (February 21 & 22, 2013)

NBC has acknowledged that its NBC<dot>com website, along with websites for several of the network's programs, was serving malware for several hours on Thursday, February 21. The malware is used to steal online banking information. NBC said that user data were not compromised. The malware that infected the computers is known as Citadel. Internet Storm Center:
-https://isc.sans.edu/diary/NBC+site+redirecting+to+Exploit+kit/15223
also see:
-https://isc.sans.edu/diary/When+web+sites+go+bad%3A+bible+.+org+compromise/15250
-http://www.h-online.com/security/news/item/NBC-com-hacked-and-served-up-malware-
1808273.html

-http://www.computerworld.com/s/article/9237044/NBC.com_hacked_to_serve_up_bankin
g_malware?taxonomyId=17

-http://www.theregister.co.uk/2013/02/22/nbc_hack/
-http://money.cnn.com/2013/02/22/technology/security/nbc-com-hacked-malware/index
.html



*************************** Sponsored Links: *****************************
1) Take the Mobile Application security Survey! Enter to Win an iPad! http://www.sans.org/info/125372

2) Analyst Webcast: Secure Configuration in Action Featuring new deployment information from the City of Oregon. http://www.sans.org/info/125377
***************************************************************************

THE REST OF THE WEEK'S NEWS

Cyberespionage is Not Cyber War (February 22, 2013)

Cryptography and security expert Bruce Schneier cautions against mistaking the cyberespionage attacks being launched on US companies for acts of war. Schneier said that Mandiant's recent report connecting a cyberespionage campaign to a certain group and location in Shanghai is accurate, but notes that the attacks like those described in the report "happen all the time, and just because the media is reporting them with greater frequency doesn't mean that they're happening with greater frequency." He warns that the attacks are espionage and to mistake them for acts of war could result in escalation of the cyber arms race. Schneier points to an important distinction between espionage and acts of cyber war: espionage is conducted over a prolonged period of time, while cyber war "is more likely to happen in milliseconds."
-http://www.v3.co.uk/v3-uk/news/2249975/chinese-hacker-attacks-risk-fuelling-cybe
r-arms-race-warns-bruce-schneier

Firefox 22 Will Limit Third-Party Cookies by Default (February 25, 2013)

Mozilla has announced that starting with Firefox 22, which is slated for release on June 25, 2013, the browser will accept cookies only from the publisher of the websites users visit. Content from a third-party website will have permission to use cookies only if it already has at least one cookie set. The goal is to prevent advertisers and networks from using cookies when users visit websites that contain their ads and widgets. Firefox users already have the option of blocking third-party cookies, but with Firefox 22, they will be blocked by default.
-http://www.theregister.co.uk/2013/02/25/firefox_cookies_policy/
-http://www.webmonkey.com/2013/02/firefox-22-to-stop-eating-third-party-cookies/
[Editor's Comment (Pescatore): I'm starting to look at these cookie/data collection battles more as safety issues than just privacy issues. The future of the advanced targeted attacks we see today is even better targeting and personal information (location, social networks, activities, etc) is the critical accelerator for more narrowly targeted advertising *and* attacks. Safe by default, opt in to danger should be the guiding philosophy.
(Northcutt): Be interesting to see how well this works. I have no third party cookies set on Safari and also use Ghostery. However, I will visit five or six news type sites and according to the Safari/Preferences/Privacy menu, I will consistently have fifty or so websites storing cookies and other data on my Mac. I have learned to leave the privacy screen up and every half hour or so when I am browsing I wipe them all out. ]

US ISPs Launching Copyright Alert System (February 25, 2013)

Internet service providers (ISPs) in the US will start to roll out the Copyright Alert System (CAS), a graduated scheme designed to reduce digital content piracy. The scheme was developed by the Center for Copyright Information (CCI), and involves six stages of notification. Verizon is the only participating ISP so far to address what penalties it will impose on persistent file sharers. That company says that if there is no response to email, voice mail, and pop-up message alerts, users identified as engaging in illegal file sharing will have their Internet speeds throttled to near-dial-up speeds. Customers will be notified two weeks in advance if their Internet speeds are going to be reduced. Other ISPs, including Comcast, AT&T, and Cablevision, have not yet disclosed their CAS implementation plans.
-http://arstechnica.com/tech-policy/2013/02/six-strikes-enforcement-policy-debuts
/

-http://www.forbes.com/sites/kashmirhill/2013/02/25/copyright-alert-system/?utm_c
ampaign=techtwittersf&utm_source=twitter&utm_medium=social

[Editor's Note (Ullrich): At least the latest Hollywood movies will be safe, while our corporate intellectual property flows freely, and banks remain under the constant threat of DDoS attacks. It is always very frustrating to see how a simple DMCA request gets action while there is no real legal recourse against the people who cause actual damage. ]

New Java Vulnerabilities (February 25, 2013)

A pair of newly detected flaws in Oracle's Java could be exploited to allow attackers to bypass the browser plug-in's sandbox security feature. The vulnerabilities affect the most recent Java update, Java 7 Update 15,which was released on February 19. Java 6 is not affected. Experts are advising users to disable or even uninstall Java. There are also reports that an exploit for Java 7 Update 11 has been detected in the wild. Java 7 Update 13 was released on February 1.
-http://arstechnica.com/security/2013/02/javas-latest-security-problems-new-flaw-
identified-old-one-attacked/

-http://www.computerworld.com/s/article/9237124/Researcher_unearths_two_new_Java_
zero_day_bugs?taxonomyId=17

[Editor's Note (Pescatore): in developing the Morse code, Samuel Morse assigned the shortest code element (dit) to the most common letter (E) in the English language. Java vulnerabilities today, much like IIS and Internet Explorer vulnerabilities 10 years ago, have earned "dit" status. ]

Trojan Has Valid Digital Signature (February 22, 2013)

An online banking Trojan horse program has been detected in the wild, and it carried a valid digital signature. The DigiCert Certificate Authority issued the certificate in November 2012 to a company that was liquidated in 2011. DigiCert revoked the certificate after learning of the Trojan's existence.
-http://www.h-online.com/security/news/item/Certified-online-banking-trojan-in-th
e-wild-1808898.html

[Editor's Note (Pescatore): dit (Ullrich): Note that Digicert revoked the certificate AFTER it learned about it being used in a trojan. in other words: After the horse left the barn. ]

Mozilla Tightens Requirements for Digital Certificates (February 19, 2013)

Mozilla has updated its Certificate Authority (CA) Certificate Policy to lessen the risk of hackers getting their hands on subordinate CA certificates. Subordinate CA certificates are granted the same power as the CA, and they can be used to issue valid SSL certificates. Until now, subordinate CA certificates have not been subjected to the same scrutiny and controls as root CA certificates. The policy is being changed to reflect Mozilla's "belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates." Subordinate CA certificates issued after May 15, 2013 must comply with Mozilla's new policy; existing certificates have until May 15, 2014 to be updated to comply with the policy.
-http://www.computerworld.com/s/article/9236945/Mozilla_moves_to_limit_risk_of_su
bordinate_CA_certificate_abuse?taxonomyId=245

Zendesk Hack Affected Twitter, Pinterest, and Tubmlr (February 21 &amp; 22, 2013)

Customer service software provider Zendesk has acknowledged that hackers managed to gain access to its system. Data belonging to three of the company's customers were compromised. The companies, Twitter, Pinterest, and Tumblr, have notified their customers about the breach. Zendesk fixed the hole shortly after learning of the breach. Zendesk said that the compromised information included the email addresses and subject lines of users who had contacted those three companies for support. Internet Storm Center:
-https://isc.sans.edu/diary/Zendesk+breach+affects+TumblrPinterestTwitter/15247
-http://www.wired.com/threatlevel/2013/02/twitter-tumblr-pinterest/
-http://www.theregister.co.uk/2013/02/22/zendesk_hack_hits_twitter_tumblr_users/
-http://news.cnet.com/8301-1009_3-57570657-83/zendesk-hack-snares-user-data-from-
twitter-tumblr-pinterest/

-http://www.computerworld.com/s/article/9237047/Zendesk_says_breach_compromised_e
mail_addresses?taxonomyId=17

Zendesk Blog Post:
-http://www.zendesk.com/blog/weve-been-hacked

cPanel Breach Affects Customers Who Filed Support Requests (February 22, 2013)

Customers of the cPanel website management application are being urged to change root and administrative passwords after a breach of a cPanel server was detected. The beach affects cPanel customers who have filed support requests within the past six months. Internet Storm Center
-https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
-http://arstechnica.com/security/2013/02/server-hack-prompts-call-for-cpanel-cust
omers-to-take-immediate-action/

Internet Storm Center Exclusive Reports

Two interesting stories from Internet Storm Center that the general press will pick up in the coming weeks:
-https://isc.sans.edu/diary/Punkspider+enumerates+web+application+vulnerabilities
/15274

-https://isc.sans.edu/diary/Trustwave+Trustkeeper+Phish/1527

Game Changing Sessions at RSA 2013 (February 26, 2013)

Two sessions that appear to be the game changers at RSA 2013 1. Tuesday February 26 at 1:10 PM in room 306 Title: A Standard of Due Care for CyberSecurity: The 20 Critical Controls For more than a decade commercial and government leaders have been seeking a consensus set of benchmarks that are reliable measures of effectiveness in blocking known attacks. With the adoption by the NSA, the DHS, the British CPNI, and U.S. power companies, the 20 Critical Controls have become that answer. Now the top cybersecurity companies (Mandiant, Symantec, and many more) have joined the 20 Critical Controls initiative because they provide an answer to a question their clients are asking: "What do we need to do first to stop these attacks form China and others?" In this session the man who led all of NSA's cyber defense initiatives (Tony Sager) will present the latest news on the 20 Critical Controls, the Chief Security Officer of Colorado (Jonathan Trull) will show how (and why) his state and most other states are implementing them, and the nation's top malware expert will answer questions about how the 20 controls work and why and lessons learned in implementation. The bottom line is that competency in cybersecurity leadership and technologists is being redefined to embrace effective implementation of the 20 Critical Controls; careers will be shaped by the way the cybersecurity professionals take advantage of this game changer.
If that session conflicts with your schedule, you can get another view of the same game changer in the keynote Wednesday at 2:50 when John Pescatore, Gartner's top cyber defense analyst for the past 14 years (who just joined SANS in January) will show you where the 20 Critical Controls fit in an effective risk management strategy.
2. Wednesday February 27 9:20 - 10:10 AM Room 134 The new shape of cyber warfare and how the attacks on critical infrastructure actually work - plus a preview of the military's new simulator: Cyber City and how simulated cyberwarfare can help develop cyber warriors for both offense and defense. This session (called: The Five Most Dangerous New Attacks and What's Coming Next) has been the highest rated and most popular session at RSA each year for the past four years and has been full every year - so if you want to get in, be there early. There were 220 people in line last year, who never got in, after the first 775 were seated. This session features both Ed Skoudis and Johannes Ullrich - explaining what new attacks they are seeing (Ed in his work with the leading edge military cyber folks and Johannes in his work leading the Internet Storm Center) and lots of Q&A. The audience is often very, very smart and makes the session even better.

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt founded the GIAC certification and is President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was Vice President and Chief Security Officer for American Electric Power.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/