
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #64

August 13, 2013


NSA Plans to Eliminate System Administrators
DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity
Alleged NYT Hackers Re-Emerge With Updated Tools
When Windows XP Support Expires Next Spring, Flaws May Fetch High Price


City of London Bans Wi-Fi Tracking Trash Bins
Flaw in Bitcoin Android Apps
Thrift Savings Plan Gets New Contractor
The Pirate Bay Launches Browser Bundle to Circumvent Blocked Sites
German Providers Tout Secure eMail Services
One-Year Prison Sentence for Sony Pictures Hacker
Hand of Thief Banking Trojan Targets Linux Systems
President Obama Promises Review of Current Surveillance Activity
Federal CIO Council Reorganization



NSA Plans to Eliminate System Administrators (August 9, 2013)

In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that "people make mistakes. But ... no one has willfully or knowingly disobeyed the law or tried to invade ... civil liberties or privacy."



[Editor's Note (Paller): A huge revelation to executives of the Snowden affair is illuminated in this decision by NSA. System administrators are powerful - too powerful. In the mainframe era, IBM and its customers invested 15 years (1967-1982) building strong controls into computers, specifically to constrain the power of the systems programmers. System administrators are now as powerful as system programmers were in the 60s and 70s, and are unconstrained. NSA is in the vanguard of a major shift coming to every organization that cares about security. The immediate implementation of the top 4 controls in the 20 Critical Controls is a core survival task for IT security organizations. See Raising the Bar for evidence. Organizations failing to implement those quickly should anticipate an unstoppable board-level push to outsource system administration and management to the cloud providers. ]

DHS Deputy Secretary Lute Takes On Global Leadership in Cybersecurity (August 11, 2013)

Jane Holl Lute has established the Council on Cybersecurity and chartered it to provide a minimum standard of due care that will allow top executives of corporations and governments to measure their organizations' cybersecurity defenses and skills. Lute stepped down from her role as the second-highest official at the Department of Homeland Security this spring, and her name has been floated as a possible candidate to succeed Homeland Security Secretary Janet Napolitano.

[Editor's Note (Paller): Mrs. Lute has a level of mastery of cybersecurity issues and solutions rare for a top government executive and has recruited Tony Sager, who spent 34 years at NSA and managed all 600 of the NSA's top vulnerability analysts. Lute was United Nations Assistant Secretary-General for Peacebuilding prior to coming to DHS. Senior executives around the world trust Lute and Sager; their efforts are already accelerating security improvements. Sager has recruited the top technologists in security around the globe to help ensure that the Council's Critical Security Controls reflect the most effective means of blocking all active attack vectors. ]

Alleged NYT Hackers Re-Emerge With Updated Tools (August 12, 2013)

The Chinese hackers who are suspected of breaking into networks at The New York Times and other well-known organizations have begun another round of attacks with updated hacking tools. APT12, which is believed to have ties to China's People's Liberation Army, dropped off the radar after the NYT hack was revealed earlier this year. The group's new activity was first noticed in May 2013. The new target has not been identified but is described as an "organization involved in shaping economic policy." The malware updates help the hacking tools evade intrusion detection systems.


When Windows XP Support Expires Next Spring, Flaws May Fetch High Price (August 12, 2013)

In less than eight months, Microsoft will end support for Windows XP. After April 8, 2014, there will be no more security updates for regular folks, although companies and government agencies that have paid fees for custom support will continue to receive critical security updates. It is likely that because of XP's approaching expiration date, hackers who have uncovered vulnerabilities in the operating system will hold on to that information so it can be used and sold once support ceases. One of the reasons the flaws will be so valuable is the number of machines still running XP. One projection suggests that at the time support for XP ends, it will still be running on 33 percent of PCs worldwide.

[Editor's Note (Pescatore): Past experience with Windows 95 and NT going past this point showed that appliances/machines/devices with embedded versions of Win95 will be the biggest problem areas, and the hardest hit. A lot of the "Internet of Things" is running old, old versions of embedded OSs and seeing attacks all the time. ]



City of London Bans Wi-Fi Tracking Trash Bins (August 12, 2013)

The City of London Corporation has asked a company called Renew London to stop using devices embedded in trash bins to gather data from and track smartphones. The high-tech trashcans play advertisements on an integrated flat-screen. The devices in the bins log smartphones' media access control (MAC) addresses. There are presently 12 tracking devices installed in recycling bins around the city. A statement from the UK Information Commissioner's Office (ICO) reads: "Any technology that involves the processing of personal information must comply with the Data Protection Act," and noted that it "will be making enquiries to establish what action, if any, is required." Renew London has suspended trials of the tracking program.



Flaw in Bitcoin Android Apps (August 12 & 13, 2013)

A flaw in Android's pseudo-random number generator (PRNG) is causing problems with Android-generated Bitcoin wallets. The vulnerability leaves the private keys generated on Android devices vulnerable to cracking, which in turn makes users' Bitcoin wallets open to theft.



Thrift Savings Plan Gets New Contractor (August 12, 2013)

The Federal Retirement Thrift Investment Board (FRTIB) has passed over incumbent contractor, Serco, and chosen Science Applications International Corporation (SAIC) to manage technology and record keeping for the Thrift Savings Plan. Both companies experienced security breaches in 2011. A July 2011 cyberattack compromised the records of as many as 123,000 TSP participants and TSP payment recipients. The company was unaware of the breach until the FBI notified Serco in April 2012. The new contract specified more stringent security requirements. FRTIB did not indicate whether or not the breach was a factor in its decision. SAIC and the US Defense Department are facing a series of lawsuits seeking nearly US $5 billion in damages over backup tapes that were stolen from an employee's car in September 2011. That breach affected 4.9 million individuals who were beneficiaries of TRICARE.

The Pirate Bay Launches Browser Bundle to Circumvent Blocked Sites (August 11 & 12, 2013)

The Pirate Bay has introduced The PirateBrowser, which helps users circumvent blocks put in place by Internet service providers (ISPs). Although the browser bundle contains a Tor client, it does not anonymize web surfing.




[Editor's Comment (Northcutt): I am not a big fan of Pirate Bay, but for anonymous browsing consider www.startpage.com ]

German Providers Tout Secure eMail Services (August 9, 10, & 12, 2013)

Just days after two US-based secure email providers shuttered operations in the face of government demands for data, German email providers have begun offering their own secure email services, in which SSL will be on by default. The providers, Deutsche Telekom's T-Online and United Internet's GMX and Web.de services, say they will send mail within the country through domestic servers only. However, the companies' plans provide security only for messages in transit; they do not provide secure data storage. Despite Germany's strong data protection laws, there are exceptions for security agency demands, and SSL can be intercepted and decrypted fairly easily. The technology media say the secure email tagline is nothing more than marketing.



[Editor's Note (Pescatore): Since both Deutsche Telekom and United Internet will say yes to legal requests from the German government to expose communications, this may make it harder for German-German emails to be intercepted by NSA, but not by the German equivalent. Of course, we don't know what vulnerabilities are introduced in whatever software or configurations they are using to have that email be processed differently than email going out of country...
(Honan): While many commentators rightly point out that these German providers will have to comply with German law enforcement requests they tend to forget one vital thing for those of us based outside the United States. That is transparency and accountability. As a non-US citizen I have little or no recourse should the US government monitor my usage of any US based services. If I use non-US based service providers that are located in the EU, then as an EU citizen I can have legal recourse through my own country's legal system or that of the EU courts. The issue for many is not one of whether or not your communications can be monitored but that you can have legal recourse and accountability should that happen. ]

One-Year Prison Sentence for Sony Pictures Hacker (August 9 & 12, 2013)

A federal judge in Arizona has sentenced Raynaldo Rivera to a year and a day in prison for his involvement with attacks on Sony Pictures' network in September 2011 as part of the LulzSec hacker group. US District Judge John Kronstadt also ordered Rivera to serve 13 months of house arrest following his release; perform 1,000 hours of community service; and pay more than US $600,000 in restitution.


Hand of Thief Banking Trojan Targets Linux Systems (August 9, 2013)

The Hand of Thief Trojan horse program is capable of infecting devices running Linux. While the malware is currently equipped with basic form grabbers and backdoor infection vectors, it is expected to be outfitted with web injection capabilities in the near future. Some have noted that because Linux has a smaller user base and is patched more quickly than most other operating systems, it is surprising that malware targeting the OS would be crafted.


President Obama Promises Review of Current Surveillance Activity (August 9 & 12, 2013)

US President Barack Obama has acknowledged that there needs to be more transparency around government surveillance activity. He has asked Director of National Intelligence James Clapper to establish a special commission to look into the government's management of privacy and security while conducting surveillance. President Obama initially called for a review of government surveillance programs in April, before information leaked by Edward Snowden was published. At a press conference on Friday, August 9, Obama described four areas for reform, including determining what changes need to be made to the Patriot Act and reviewing Foreign Intelligence Surveillance Court (FISC) procedures so that judges consider privacy and civil liberties alongside security issues.


Federal CIO Council Reorganization (August 9, 2013)

The US Federal CIO Council is being reorganized to better meet the government's IT needs. As currently configured, the CIO Council comprises six committees and 29 subcommittees. The structure has made the locus of accountability unclear and has hindered communication with the Executive Committee and Management and Operations. The new configuration plan calls for three committees focused on portfolio management; information security and identity management; and innovation. Each of those three committees will report directly to the executive committee.


The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
