SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #61
August 02, 2013
What's really happening at the Department of Homeland Security? Today DHS announced (or will announce shortly - I am in Europe today so I am not sure of the timing) that Suzanne Spaulding will be the new Undersecretary for National Protection and Programs, the division that oversees cyber as well as physical security. For those of you who know Rand Beers already holds that job and isn't getting the next job up at DHS, don't worry about Rand. The country needs him in a more critical role than DHS. And that's really what's happening at DHS - a recognition across Congress and senior Administration officials that DHS does not have the staff in place to carry the national load for protecting cybersecurity. (continued at the end of this issue)...
TOP OF THE NEWS
US Senators Aim to Change NSA's Data Collection Practices
NSA Chief Defends Data Gathering Programs, Asks Those Who Disagree to Help
THE REST OF THE WEEK'S NEWS
Angry Cyber Criminals Target Brian Krebs, Again
Facebook Browsing Now "Secure" by Default
USDA Mobile Device Security Program Not Living Up to Expectations
Black Hat: Targeted Attack Can Extract Sensitive Data from Encrypted Pages
Most Mobile Companies Have Fixed SIM Card Flaw
Documents Show Lawmakers Knew of NSA Data Gathering
Appeals Court Says No Warrant Required for Accessing Cell Phone Location Data
Banking IP Addresses Hijacked
Hackers Hijack Reuters' Twitter Account
BlackBerry 10 eMail Client Sends Account Credentials to RIM
Browser Extensions Hijack Social Media Accounts
WHAT'S REALLY HAPPENING AT DHS
Today DHS announced (or will announce shortly - I am in Europe today so I am not sure of the timing)
************************ SPONSORED By Bit9 *****************************
NEW Whitepaper: The SANS institute discusses how endpoint visibility, coordinated with network intelligence, can help identify threats that were not discovered by other means, determine the level of threat, recognize previously unknown threats and follow up with more accurate information for regulators and investigators. Learn More
-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
-- Washington, DC (August 12-August 16)
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act.
-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
-- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
-- Multi-week Live SANS training
-- Looking for training in your own community?
-- Save on On-Demand training (30 full courses) - See samples at
Plus Bangkok, Melbourne, Bangalore, and Tokyo all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
US Senators Aim to Change NSA's Data Collection Practices (July 31, 2013)
Undeterred by a recent House vote that failed to restrict NSA's data gathering practices, a number of US senators say they plan to introduce legislation that will focus on the NSA's phone data collection practices. The legislators say they want to make the NSA's activity more transparent. Senator Al Franken (D-Minnesota) plans to introduce a bill that will require the NSA and other intelligence agencies to disclose the number of people whose information they have collected, and allow companies to disclose the numbers of surveillance requests made by government agencies. Senator Richard Blumenthal (D-Connecticut) will seek changes at the Foreign Intelligence Surveillance Court, adding the presence of public advocate lawyers. Senator Dianne Feinstein (D-California) wants the length of time that the data are held reduced from five years to two or three years.
NSA Chief Defends Data Gathering Programs, Asks Those Who Disagree to Help (July 31, 2013)
In his keynote address at the Black Hat security conference in Las Vegas, NSA chief General Keith Alexander defended the agency's data collection and surveillance practices. Alexander maintained that there have been "zero abuses of NSA PRISM," and that the data gathering is an essential part of fighting terrorism. He said that the data collection programs have been mischaracterized, and that the allegations that they are "collecting everything" are "not true." Alexander noted that queries of the collected phone call metadata are restricted. Alexander also told audience members, "If you disagree with what we're doing, you should help us [make it better]."
The General's entire keynote, defending NSA's practices, is available on YouTube at the official Black Hat channel.
*************************** Sponsored Links: ******************************
1) Live Webinar: Learn best practices for integrating next-generation network and endpoint security solutions so you can detect, prevent and respond to advanced cyberattacks. Register Today http://www.sans.org/info/136607
2) WhatWorks Webcast: WhatWorks in Detecting and Blocking Advanced Threats at a Large Research Organization. Tuesday, August 06, 2013 at 1:00 PM EDT. http://www.sans.org/info/136612
THE REST OF THE WEEK'S NEWS
Angry Cyber Criminals Target Brian Krebs, Again (July 30, 2013)
IT security journalist Brian Krebs is no stranger to being targeted by angry hackers whose "work" he has uncovered. What started several months ago as using hacked PayPal accounts to make donations in his name progressed to a SWATting attack, in which local law enforcement authorities were tricked into believing that there was a dangerous hostage situation in progress at Krebs's home. Fortunately, Krebs had notified police that he might be the target of just such an attack. The most recent effort made by cyber criminals involved having heroin sent to Krebs's home and then planning to inform police that he had the drugs in his possession. Krebs "had already established a presence on [the hacker's] forum and was able to monitor the scam in real time and alert ... local police well in advance of the delivery."
[Editor's Comment (Northcutt): I hope Brian has a solid insurance policy. The good news is these two events have probably made his identity well known with the local police. The bad news is these guys are willing to go to pretty significant lengths. (Shpantzer): The most interesting part of that article is about the transparency (if you know what you're doing) of BitCoin transactions. Hmmm.... Cryptocurrency in a literal sense alone? ]
Facebook Browsing Now "Secure" by Default (August 1, 2013)
Earlier this week, Facebook made "secure" browsing a default setting. The option to use TLS (Transport Layer Security) encryption has been available for two years. "Secure" browsing means that data sent to Facebook servers by users will be encrypted. Among the reasons it took this long for Facebook to make "secure" browsing the default setting is that the company had to wait for third-party applications to upgrade their platforms to avoid compatibility issues.
[Editor's Note (Pescatore): Well, I wouldn't say turning on SSL makes browsing "secure." It is harder to eavesdrop on, yes. But the vast majority of attacks are quite effective when carried over SSL connections. ]
USDA Mobile Device Security Program Not Living Up to Expectations (August 1, 2013)
Officials at the US Department of Agriculture (USDA) say that a mobile device security system it solicited in November 2012 is not functioning as specified in the contract. The solicitation from November 2012 specified "a fully functional 30 day pilot with vendor support ... ready to support a minimum of 3,000 mobile devices." The project is roughly a year behind schedule and parts of the project are incompatible with USDA's network security infrastructure. The vendors hired for the USDA project are the same as those with which the Pentagon's Defense Information Systems Agency (DISA) recently signed a three-year, US $16 million contract to provide security for 300,000 mobile devices. Neither DISA nor the Department of Agriculture required verification that the software being purchased is compatible with their existing software - resulting in extreme delays and significant additional costs at Agriculture and probably at DoD as well.
[Editor's Note (Pescatore): The article says the Fixmo product that is part of the solution is "incompatible with part of the department's network security infrastructure, according to Agriculture officials." That means either the procuring agency is at fault for not specifying the network security products or policies the containerization product had to work with, or DMI (the prime contractor) is at fault for proposing a solution that did not meet specifications. The Fixmo and Mobileiron products are in use successfully in many other environments. ]
Black Hat: Targeted Attack Can Extract Sensitive Data from Encrypted Pages (August 1, 2013)
A presentation scheduled for Thursday, August 1 at the Black Hat security conference will demonstrate a type of targeted attack that could be used to extract email addresses and some security credentials from encrypted pages. Attackers would need to be able to passively monitor traffic between users and websites, and to trick users into clicking malicious links, which can be done surreptitiously through iframe tags or email messages with hidden images.
Most Mobile Companies Have Fixed SIM Card Flaw (July 31 & August 1, 2013)
Nearly all mobile companies have patched a serious flaw that affected more than 500 million phones; the fixes were delivered within 10 days of notification. Karsten Nohl said that his team had found a way to remotely access and control mobile devices' SIM cards. In some cases, the SIM cards could also be cloned. Attackers could exploit the flaw to eavesdrop on communications, pilfer information from accounts, and commit identity fraud. The attack allowed hackers to obtain SIM cards' digital keys. The attack involves sending a text message to the SIM card that, in certain cases, results in the card returning data that can be decrypted to reveal the key.
Documents Show Lawmakers Knew of NSA Data Gathering (July 31, 2013)
Documents released by US intelligence officials earlier this week show that legislators were aware of the NSA's wide-reaching data collection practices, but were prohibited from discussing the issue. The intent of releasing the information is to "allay concerns that the Obama administration was overstepping its legal authority."
Appeals Court Says No Warrant Required for Accessing Cell Phone Location Data (July 30 & 31, 2013)
The US Fifth Circuit Court of Appeals in New Orleans, Louisiana, has ruled that law enforcement agents do not require warrants to track suspects' locations through cell phone records. The ruling overturns an order from a federal judge in Texas. The new ruling indicates that cell phone records are the property of the carrier and are therefore not subject to reasonable expectation of privacy under the Fourth Amendment. Instead, the information is considered a business record. A court order is still required to search the records, but the requirements for obtaining a court order are less stringent than those for obtaining a search warrant. The Louisiana court cited the Stored Communications Act in support of its ruling.
Text of Decision:
[Editor's Note (Shpantzer): It seems to me that this whole 'third party business records' thing has gotten away from us: Since the business records were not created by the government and they exist in a third party's facility... No problem! Just need a subpoena, instead of a warrant. With this ruling, in the 5th circuit's jurisdiction, it's now perfectly legal and trivially simple to obtain location records from the cellphone service providers that could completely substitute for what would require a 24/7 effort by a physical surveillance team. In the ruling on this case, the judge quotes the words of the US Supreme Court Chief Justice in US vs. Jones, which disallowed warrantless GPS tagging: "In the pre-computer age, the greatest protections of privacy were neither constitutional nor statutory, but practical. ... The surveillance at issue in the case -- constant monitoring of the location of a vehicle for four weeks -- would have required a large team of agents, multiple vehicles, and perhaps aerial assistance. Only an investigation of unusual importance could have justified such an expenditure of law enforcement resources." I'd argue that the converse is also true: That in the digital age, any trivially unimportant case can justify the conjuring up of previously inconceivable troves of evidence, with a mere subpoena. ]
Banking IP Addresses Hijacked (July 30, 2013)
On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks and other organizations suddenly were routed to somewhere else. This was due to a BGP (border gateway protocol) prefix hijack where an ISP updated their routing tables incorrectly.
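As an added defender-side illustration (not from the article or any of the organizations involved), the following check is what a network team could run over a route-collector feed to notice the two ways a mis-announced prefix diverts traffic: a foreign AS originating the exact prefix, or a more-specific prefix that wins longest-prefix match in every router that hears it. The prefixes, AS numbers and the sample feed are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed expectation table (hypothetical documentation prefixes and
# private-use AS numbers): the ranges a bank expects only its own AS to originate.
EXPECTED_ORIGINS: Dict[str, int] = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64500,
}


@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen from a route collector or looking glass."""
    prefix: str
    origin_as: int              # last AS in the AS_PATH
    as_path: Tuple[int, ...]


def classify(ann: Announcement, expected: Dict[str, int] = EXPECTED_ORIGINS) -> Tuple[str, str]:
    """Return (verdict, monitored_prefix) for one observed announcement.

    "ok"           prefix, or a more-specific of it, originated by the expected AS
    "hijack"       the exact prefix originated by a foreign AS
    "subprefix"    a more-specific prefix originated by a foreign AS; longest-prefix
                   match means routers that accept it send the traffic elsewhere
    "unmonitored"  prefix not covered by the expectation table
    """
    seen = ipaddress.ip_network(ann.prefix, strict=False)
    for monitored, origin in expected.items():
        net = ipaddress.ip_network(monitored)
        if seen.version != net.version:     # subnet_of() refuses mixed v4/v6
            continue
        if seen == net:
            return ("ok" if ann.origin_as == origin else "hijack", monitored)
        if seen.subnet_of(net):
            return ("ok" if ann.origin_as == origin else "subprefix", monitored)
    return ("unmonitored", "")


def find_hijacks(announcements: List[Announcement],
                 expected: Dict[str, int] = EXPECTED_ORIGINS) -> List[Tuple[Announcement, str, str]]:
    """Reduce a batch of announcements to the ones that divert monitored traffic."""
    alerts = []
    for ann in announcements:
        verdict, monitored = classify(ann, expected)
        if verdict in ("hijack", "subprefix"):
            alerts.append((ann, verdict, monitored))
    return alerts


# Constructed sample feed: the legitimate origin, an ISP re-originating the exact
# prefix, a more-specific leak of the second range, and an unrelated prefix.
SAMPLE_FEED = [
    Announcement("198.51.100.0/24", 64500, (64496, 64500)),
    Announcement("198.51.100.0/24", 64666, (64497, 64666)),
    Announcement("203.0.113.0/25", 64666, (64498, 64497, 64666)),
    Announcement("192.0.2.0/24", 64499, (64499,)),
]

if __name__ == "__main__":
    for ann, verdict, monitored in find_hijacks(SAMPLE_FEED):
        print(f"{verdict:9s} {ann.prefix} from AS{ann.origin_as} "
              f"(expected AS{EXPECTED_ORIGINS[monitored]} for {monitored})")
```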
Hackers Hijack Reuters' Twitter Account (July 30, 2013)
A hacking group known as the Syrian Electronic Army (SEA) managed briefly to take control of the Reuters news agency's Twitter account earlier this week. The group has hijacked other news organizations' Twitter feeds in the past. They are also believed to be responsible for a recent phishing attack aimed at taking control of White House social media staffers' personal Gmail accounts.
[Editor's Note (Pescatore): In a time where traditional news is trying to hang on and show relevance, it would be a really good idea to protect trust in their brands, as that is about all they have going for themselves. ]
BlackBerry 10 eMail Client Sends Account Credentials to RIM (July 30, 2013)
A vulnerability in Discovery Service, the email client of the latest version of BlackBerry's operating system, exposes users' email credentials. When users enter POP or IMAP email addresses into the BlackBerry 10 email client, the account credentials are sent, in plaintext, without the users' consent and without notification, to BlackBerry parent company Research in Motion. The person who detected the issue noted that an email "client should only connect to your mail server and no one else." A RIM spokesperson said there is no backdoor in the Discovery Service.
Browser Extensions Hijack Social Media Accounts (July 30, 2013)
A pair of malicious browser extensions hijack social media accounts. Attackers plant links on sites such as Facebook, Twitter, and Google+; the links encourage users to install media player updates. The update has a cryptographic signature that verifies it came from a certain developer and has not been modified. It is not yet known whether the signature was issued fraudulently, or if it was stolen. The links install browser extensions for Firefox and Chrome that appear legitimate, but which actually connect to another site to download malware that allows them to harvest account access credentials.
WHAT'S REALLY HAPPENING AT DHS
Today DHS announced (or will announce shortly - I am in Europe today so I am not sure of the timing) that Suzanne Spaulding will be the new Undersecretary for National Protection and Programs, the division that oversees cyber as well as physical security. For those of you who know Rand Beers already holds that job and isn't getting the next job up at DHS, don't worry about Rand. The country needs him in a more critical role than DHS. And that's really what's happening at DHS - a recognition across Congress and senior Administration officials that DHS does not have the staff in place to carry the national load for protecting cybersecurity. Many Democratic senators privately agree with Senator McCain on the essential truth of DHS's lack of capacity to take on the cybersecurity protection for the nation.
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/