SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #45

June 07, 2013


PRISM Program Gives NSA Access to Data on Servers of Major US Internet Companies
FISA Order Requires Verizon to Provide NSA With Metadata on All Calls
FBI and Microsoft take Down Citadel Botnet


Eleven People Arrested in Connection with Carder Forum
Microsoft's June Security Update to Address 23 Flaws in Windows, IE, and Office
Draft Legislation in Spain Would Allow Police to Place Spyware on Suspects' Devices
California Police Baffled by Electronic Device Used to Break Into Cars
Proposed Legislation Would Impose "Real Consequences and Punishments" on Foreign Hackers
DHS Document Defends Border Searches of Electronic Devices Without Reasonable Suspicion
Schneider Electric Releases Fixes for SCADA Vulnerability
Judge Stays Decryption Order in Feldman Case
Apple Issues Security Updates for OS X and Safari
Machine-Readable Format Helps Disseminate Essential Information in Emergencies
NetTraveler Espionage Malware

************************** SPONSORED BY Bit9 ****************************
Are you using network security solutions such as FireEye or Palo Alto Networks? Did you know you can integrate these solutions with a next-generation endpoint security solution to prioritize network alerts, speed forensic investigation and drive remediation, and automatically analyze files from endpoints and servers? Learn more about this solution and how you can benefit from an early access offer! http://www.sans.org/info/132277
***************************************************************************

TRAINING UPDATE

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Houston, TX (June 10-June 15)
--Washington, DC (August 12-August 16)

-- SANSFIRE 2013 Washington, DC June 14-22, 2013 43 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.

-- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:

-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.

-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!

-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.

-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.

-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2-day Securing The Human course.

-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13 2013 SANS's European forensics summit and dedicated forensics training event. Four of SANS's most important forensics training courses and opportunities to network with leading digital forensics experts.

-- SANS Dubai 2013 Dubai, UAE October 26th - November 7th 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.

-- Multi-week Live SANS training http://www.sans.org/mentor/about
Contact mentor@sans.org

-- Looking for training in your own community?

-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org


PRISM Program Gives NSA Access to Data on Servers of Major US Internet Companies (June 6, 2013)

It now appears that the National Security Agency's (NSA's) reach extends beyond just Verizon's call records. According to information provided to The Washington Post by a career intelligence officer, the NSA and the FBI are mining data directly from the servers of nine major US Internet companies, including Microsoft, Apple, Yahoo, Google, Facebook, Skype, and YouTube. They are accessing a wide variety of content, including audio and video chats, photographs, email, and connection logs. The program is called PRISM and focuses on foreign communications traffic. Some of the companies have said that they are not aware of PRISM. Facebook chief security officer Joe Sullivan said that they "do not provide any government organization direct access to Facebook servers" and that when the company receives a request for data, it is carefully scrutinized to make sure laws are being obeyed and then they provide only the information that is required by law. Material from an April 2013 internal briefing on PRISM said that NSA reporting uses raw information gathered through PRISM for nearly one in seven of its intelligence reports. US legislators who were aware of the program were bound by oath not to speak of it, even during a floor debate in the Senate late last year on the FISA Amendments Act.

[Editor's Note (Ullrich): The inability of government agencies to safeguard data in the past prompts the question who else has access to it, or to the backdoors and APIs to retrieve the data. ]

FISA Order Requires Verizon to Provide NSA With Metadata on All Calls (June 5 & 6, 2013)

According to a document obtained by The Guardian, the US Foreign Intelligence Surveillance Court issued an order forcing Verizon to provide the NSA metadata on all calls made through its systems over the three-month period between April 25 and July 19 2013. The data gathered includes phone numbers of both parties, IMSI numbers for mobile callers, calling card numbers used, and time and duration of calls. While the content of the calls is not recorded or gathered, in some cases the location of the parties on the call may be included through cell site data. Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) have been trying to drop hints about the extent of the surveillance program but have been bound by oath not to discuss it. The Obama administration is defending the program as a necessary tool to protect the country from terrorist attacks. James R. Clapper, Director of National Intelligence has issued a statement on this particular issue:



Court Order:

[Editor's Note (Honan): As a result of the European Union's Data Retention Directive similar data is being retained by EU countries for at least 6 months for access by law enforcement or other government agencies. Interestingly a report issued by the Danish police shows that data retention has not given them the benefits promised. ]

FBI and Microsoft take Down Citadel Botnet (June 6, 2013)

Microsoft and the FBI worked together to take down the Citadel botnet, which is believed to have been instrumental in an estimated US $500 million in thefts from online bank accounts. Approximately 70 percent of the 1,400 networks that Citadel comprised have reportedly been shut down. The takedowns also involved the efforts of police forces in 80 countries. While the actions are not likely to spell the end of Citadel, they will make a significant dent in its operations.



*************************** Sponsored Links: ******************************
1) Attend the SANS Industrial Controls Systems Security Briefing, Monday, June 10, 2013 in Houston, TX at the Westin Houston Memorial City. Featuring Mike Assante, Eric Cornelius, Lior Frenkel, Bart Pestarino and Jonathan Knudsen. This event is free to Oil & Gas constituents. For more information go to http://www.sans.org/info/131912 To register for this event via simulcast, visit http://www.sans.org/info/13191

2) Live from SANSFIRE, please attend our Simulcast - "Security Analytics: What Matters in Your Chatter?", featuring Westley McDuffie. Register at http://www.sans.org/info/132282

3) SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 by Dave Shackleford http://www.sans.org/info/132287


Eleven People Arrested in Connection with Carder Forum (June 6, 2013)

In a coordinated effort, authorities in the US, the UK, and Vietnam have shut down a carder forum known as Mattfeuter, which was the starting point for 1.1 million stolen cards and US$200 million in fraudulent payment card transactions. The theft and fraud ring has been operational since 2007. Police in Vietnam have arrested eight people, one of whom, Duy Hai Truong, is believed to be the mastermind of the operation. Police in the UK have arrested three more suspects. Truong has been charged in the US with conspiracy to commit bank fraud.




Microsoft's June Security Update to Address 23 Flaws in Windows, IE, and Office (June 6, 2013)

On Tuesday, June 11, Microsoft plans to issue five security bulletins to address a total of 23 vulnerabilities. Nineteen of those flaws will arrive in a critical update that affects all versions of Internet Explorer (IE). Another update will fix a vulnerability in Office that is being actively exploited. The IE bulletin is the only one of the five that has been given a critical rating. The other three bulletins address flaws in Windows 7, 8, and RT.


[Editor's Note (Ullrich): This looks like a light month. Note that the Office update also applies to Macs. ]

Draft Legislation in Spain Would Allow Police to Place Spyware on Suspects' Devices (June 6, 2013)

Draft legislation from Spain's ministry of justice would give police the authority to remotely install spyware on computers, storage devices, and mobile devices being used by suspected criminals. The spyware would be installed only on devices physically located in Spain, and only when suspects are allegedly involved with terrorism, organized crime, or other serious offenses that carry at least a three-year prison sentence. The legislation as currently drafted raises some serious privacy issues: the spyware would give authorities access to data as well as account passwords. It would also affect people who share the targeted device with the suspect.

California Police Baffled by Electronic Device Used to Break Into Cars (June 6, 2013)

Police in California are asking for the public's help regarding a rash of car break-ins in which the thieves used an unidentified electronic device to unlock the vehicles. Long Beach Deputy Police Chief David Hendricks said, "We are stumped and we don't know what this technology is." The Long Beach police force has released surveillance video of two of the break-ins; the thieves use a device that resembles a key fob. In both cases, the thieves gained access to the cars and searched for items but did not steal the vehicles.

[Editor's Note (Ullrich): These devices have been used frequently in Europe to steal high end cars in the last couple of years. They either brute force short encryption keys, or employ a sniffer to record the authorized user opening the car. ]
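The two attack classes named in the note above, brute-forcing a short code and replaying a sniffed unlock, both succeed against a remote that transmits a fixed code and fail (or become expensive) against one that authenticates an increasing counter. The simulation below is an added example, not code from the newsletter or from any vehicle vendor: the frame layout, the 16-bit fixed code, the acceptance window and the use of HMAC-SHA-256 in place of a vendor block cipher are all assumptions made for illustration.

```python
"""Fixed-code vs rolling-code remotes: why a recorded press replays against one but not the other.

Hypothetical simulation for illustration; no real vehicle or fob protocol is modelled.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


class FixedCodeReceiver:
    """Accepts one static code for the life of the car. One sniffed press is enough to replay."""

    def __init__(self, code: bytes) -> None:
        self._code = code

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)


def auth_tag(key: bytes, serial: bytes, counter: int) -> bytes:
    """Authenticate serial||counter under the shared key (HMAC stands in for a vendor cipher)."""
    msg = serial + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def encode_frame(key: bytes, serial: bytes, counter: int) -> bytes:
    # Assumed frame layout: serial(4) || counter(4) || tag(8)
    return serial + counter.to_bytes(4, "big") + auth_tag(key, serial, counter)


class RollingCodeFob:
    """Transmitter: every press advances a counter and sends an authenticated frame."""

    def __init__(self, key: bytes, serial: bytes) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1
        return encode_frame(self.key, self.serial, self.counter)


class RollingCodeReceiver:
    WINDOW = 16  # presses made out of range let the fob's counter run ahead of the car's

    def __init__(self, key: bytes, serial: bytes) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def unlock(self, frame: bytes) -> bool:
        serial, counter, tag = frame[:4], int.from_bytes(frame[4:8], "big"), frame[8:]
        if serial != self.serial:
            return False
        # The counter must move forward: any value <= the last accepted one is a replay.
        if not (self.counter < counter <= self.counter + self.WINDOW):
            return False
        if not hmac.compare_digest(tag, auth_tag(self.key, serial, counter)):
            return False
        self.counter = counter
        return True


def brute_force_fixed(receiver: FixedCodeReceiver, bits: int) -> Optional[bytes]:
    """Enumerate the whole keyspace; trivial when the code is short."""
    nbytes = (bits + 7) // 8
    for candidate in range(1 << bits):
        frame = candidate.to_bytes(nbytes, "big")
        if receiver.unlock(frame):
            return frame
    return None


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}

    # Fixed code (constructed, deliberately short): sniff one press, replay it, or just enumerate.
    fixed_code = os.urandom(2)
    car = FixedCodeReceiver(fixed_code)
    sniffed = fixed_code  # exactly what the thief's receiver heard when the owner pressed unlock
    results["fixed_replay_ok"] = car.unlock(sniffed)
    results["fixed_bruteforced"] = brute_force_fixed(car, 16) == fixed_code

    # Rolling code: the sniffed frame works once for the owner, then never again.
    key, serial = os.urandom(16), os.urandom(4)
    fob, car2 = RollingCodeFob(key, serial), RollingCodeReceiver(key, serial)
    sniffed2 = fob.press()
    results["rolling_first_ok"] = car2.unlock(sniffed2)    # owner's press accepted
    results["rolling_replay_ok"] = car2.unlock(sniffed2)   # same frame again: rejected
    results["rolling_next_ok"] = car2.unlock(fob.press())  # the legitimate fob still works
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The acceptance window is the usual trade-off: too small and a fob pressed in a pocket desynchronizes from the car, too large and an attacker who captures a frame the car never heard gets a longer-lived token. Neither mechanism helps if the shared key itself is short enough to enumerate, which is the first of the two weaknesses the note describes.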

Proposed Legislation Would Impose "Real Consequences and Punishments" on Foreign Hackers (June 5 & 6, 2013)

US lawmakers have introduced a bill that would punish foreign hackers who steal sensitive data. The Cyber Economic Espionage Accountability Act would deny US travel visas to hackers backed by foreign governments. If the hackers are living in the US, their assets could be frozen and they could be expelled from the country. News of the planned bill emerges days before President Obama is scheduled to meet with Chinese President Xi at a summit at which they will discuss cyberattacks and espionage. Obama will reportedly tell Xi that the US considers China responsible for cyberattacks launched from within that country.



[Editor's Note (Pescatore): First, I continue to be disappointed that our elected officials seem to have completely lost their creativity in choosing acronyms for proposed legislation - CEEAA?? Maybe it is more clever than I first thought - could it be pronounced SeeYa? Anyway, they don't seem to have grasped the concept that foreign hackers are generally, well, foreign - they don't have to actually be in the US to attack vulnerable companies and government agencies. If they actually are in the US, I'm pretty sure all the existing espionage laws apply anyway. ]

DHS Document Defends Border Searches of Electronic Devices Without Reasonable Suspicion (June 5 & 6, 2013)

The American Civil Liberties Union (ACLU) obtained DHS's December 2011 Civil Rights/Civil Liberties Impact Assessment through a Freedom of Information Act (FOIA) request. Regarding border searches of electronic devices, the redacted document says that "imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits." The document observes that DHS has "been presented with some noteworthy Customs and Border Patrol and Immigration and Customs Enforcement success stories based on hard-to-articulate intuitions or hunches based on officer experience or judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual's device without the presence of articulable factors capable of being formally defended."

Impact Assessment:

[Editor's Note (Murray): One might agree with DHS on this if the officer was functioning in his customs officer role, was looking for contraband, and trying to collect duties. In fact, he is functioning in a police role, looking for evidence of crimes not associated with smuggling or avoiding duties. ]

Schneider Electric Releases Fixes for SCADA Vulnerability (June 4 & 5, 2013)

Schneider Electric has released patches for vulnerabilities in its Quantum Ethernet Module. The flaws were initially disclosed in December 2011. At issue are hard-coded credentials in the module; they could be exploited to gain remote access and elevate privileges. The patches address the problem on some but not all devices; more fixes will be needed. The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory.

[Editor's Note (Assante): Embedded system programming has had much less scrutiny and attention than operating systems and applications. With the "Internet of Things" upon us that has to change as we recognize the number and importance of embedded systems.
(McBride): Good on Schneider for trying to address several "hard to fix" flaws. But should each ICS vendor patch really give us cause to celebrate? Also, "Patch" is probably too strong of a term. For example, the "patch" for one vulnerability appears to merely offer the user the ability to disable the vulnerable FTP server (rather than removing the hard-coded passwords). It is probably easier for affected asset owners to block access to the vulnerable service at the network level than it is to re-flash dozens of PLCs and then change the configuration to disallow FTP access. ]
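The network-level compensating control the note above recommends (block the vulnerable FTP service at the boundary rather than re-flash every PLC) needs two things from the asset owner: the rules themselves, and a way to confirm the rules are actually holding. The script below is an added example, not code from the newsletter, Schneider or ICS-CERT: the PLC subnet, the engineering workstation address, the flow-record format and the sample flows are all constructed for illustration. It derives the iptables rules from one allowlist and then runs the same allowlist over flow records to flag any FTP session to the PLC network that did not come from an approved engineering host.

```python
"""Generate a boundary allowlist for PLC FTP access and check flow records against it.

Constructed example: addresses, the flow-record format and the sample flows are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical policy: who may reach which services on the PLC network.
PLC_NETWORK = ipaddress.ip_network("10.10.5.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.1.20")}
MANAGEMENT_PORTS = {21: "ftp"}  # the service the note describes; add others the vendor exposes


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse whitespace-separated 'timestamp src dst dport proto' records (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto))
    return flows


def iptables_rules() -> List[str]:
    """Allow the engineering hosts, then drop everything else to the PLC management ports."""
    rules = []
    for port in MANAGEMENT_PORTS:
        for host in sorted(ENGINEERING_HOSTS):
            rules.append(f"iptables -A FORWARD -p tcp -s {host} -d {PLC_NETWORK} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p tcp -d {PLC_NETWORK} --dport {port} -j DROP")
    return rules


def violations(flows: Iterable[Flow]) -> List[str]:
    """Flag management-port flows into the PLC network that did not originate from an engineering host."""
    findings = []
    for f in flows:
        if f.proto != "tcp" or f.dst not in PLC_NETWORK or f.dport not in MANAGEMENT_PORTS:
            continue
        if f.src in ENGINEERING_HOSTS:
            continue
        findings.append(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({MANAGEMENT_PORTS[f.dport]}) "
                        "not from an engineering host")
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
2013-06-05T08:01:12Z 10.10.1.20    10.10.5.11 21  tcp
2013-06-05T08:03:40Z 10.10.1.20    10.10.5.11 502 tcp
2013-06-05T09:17:05Z 192.168.40.77 10.10.5.11 21  tcp
2013-06-05T09:17:06Z 192.168.40.77 10.10.5.12 21  tcp
2013-06-05T10:00:00Z 10.10.1.20    10.20.0.5  21  tcp
"""


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for finding in violations(parse_flows(SAMPLE_FLOWS.splitlines())):
        print("ALERT", finding)
```

Run against the sample, the two sessions from 192.168.40.77 are reported and the engineering workstation's own FTP session is not; a hit after the rules are deployed means either the boundary device is not in the path for that segment or the rules were not applied. Hard-coded credentials remain on the devices, so the check is a compensating control, not a replacement for the vendor fix.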

Judge Stays Decryption Order in Feldman Case (June 4 & 5, 2013)

A federal judge in Wisconsin has stayed a magistrate's order that would have forced Jeffrey Feldman to decrypt 16 devices which authorities believe contain child pornography. US District Judge Rudolph Randa's ruling came one day after US Magistrate William Callahan Jr. issued the decryption order. Callahan stepped aside and Feldman's case was reassigned to Randa after Feldman's attorney argued successfully that only District Court judges have the authority to issue decryption orders. Feldman's attorney argued that the decryption order would force her client to build the government's case against him.

Defense Filing:
Stay of Previous Order:

Apple Issues Security Updates for OS X and Safari (June 4 & 5, 2013)

Apple has issued an update for OS X that addresses 31 security issues. Apple has also issued an updated version of its Safari browser that fixes 26 flaws. The most current version of OS X is now 10.8.4, and the most current version of Safari is 6.0.5. Apple has also released a security update for older versions of OS X.




OS X Update:
[Editor's Note (Pescatore): June will be a busy patch month for both Windows and Macintosh PCs. It is interesting to note that since in most companies IT doesn't heavily manage Macs, auto update is more common on Macs - patching tends to happen rapidly, with few app compatibility problems. Yet, on PCs IT for years had to worry about app compatibility before releasing patches so patching is slower. Actually reports of app failure after Windows desktop patches for the past 2-3 years are pretty low - the QA/update window can be shortened with low risk of self-inflicted wounds. ]

Machine-Readable Format Helps Disseminate Essential Information in Emergencies (June 4, 2013)

Google and other technology companies told a panel of US lawmakers that providing emergency information in open formats will help drive it to top search results where people who need it will be most likely to find it. In the days surrounding last year's Hurricane Sandy, Google received roughly 15 million queries for information about the storm, while the Federal Emergency Management Agency's pages with Sandy information received 740,000 visitors. Government agencies often release pertinent information as PDFs and in other formats that do not make it to the top of search results, where they could do the most good for people looking for relevant information such as the projected path of a storm, shelter locations, and other emergency services.

[Editor's Note (Pescatore): That seems like an odd request, as it seems like .pdf files end up at the top of my search results from Google all the time. Good to recognize that users will go to search engines first, good to keep search engine optimization in mind to make it more likely they will find your stuff - but I think it is a bad move to make content/format decisions at the request of search engines. There are still really good business reasons why you want your content to look better than others and not just be indistinguishable from everyone else to save search engine programmer time. ]

NetTraveler Espionage Malware (June 4, 2013)

Malware known as NetTraveler has infiltrated more than 350 companies in 40 countries over the past eight years, according to researchers at Kaspersky Lab. Those behind the malware targeted a variety of organizations, including energy industry, scientific research facilities, universities, governments, military contractors, and social activists. Most recently, NetTraveler's focus has included space exploration, nanotechnology, nuclear power, and energy production. The malware harvests data, logs keystrokes, and gathers file system listings and Office and PDF documents. NetTraveler gains a foothold in targeted organizations through spear phishing campaigns and exploits a pair of known vulnerabilities in Microsoft Word; fixes for the flaws were released in 2010 and 2012. NetTraveler has been most active since 2010, but there are indications that it has been around in some form since 2004.



The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/