SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #70
September 03, 2013
On the first story this week, about disclosure of offensive cyber operations, the respected analyst, John Pescatore, offers a thoughtful perspective: "*All* governments spy on *all* other countries using *all* available technologies. No country has the high ground here, and claiming espionage is ***not*** done for economic reasons changes *nothing*."
The most promising game changer in cyber defense was launched last month when the U.S. Department of Homeland Security and GSA announced the initial funding of more than $150 million to make it essentially free for Federal agencies to implement state of the art continuous monitoring of the most critical security controls. Ultimately this will involve billions of dollars as state and local agencies use the same contracts. As importantly, it will transform the landscape in cybersecurity tools - - as critical infrastructure and other corporations take advantage of the lessons learned on how to prioritize cybersecurity expenditures and how to stop wasting so much money on high-priced, low-impact tools. On September 10, Tony Sager who led NSA's cyber defense programs and John Pescatore who built Gartner's cybersecurity programs will host a webcast explaining exactly what this means and they will be joined by the one person in the best position to explain how it works and how you can take advantage of it. Sign up by Friday to guarantee a line - there is no cost - this is a SANS service to the community. http://www.sans.org/info/138235
TOP OF THE NEWSDocuments Reveal U.S. Government Launched 231 Offensive Cyber Operations in 2011
Indian Government Considers Ban on Gmail for Official Use
THE REST OF THE WEEK'S NEWSTalks on Surveillance Transparency Break Down
UK Government to Test Banks' Cyber Crime Defences
Five Men Arrested for Alleged Cyber Attacks on UK Tax Systems
Aberdeen City Council Fined GBP100,000 For Employee Data Breach
U.S. Army Will Not Fix Security Flaw
UK Launches New Degree-Level Cyber Security Apprenticeships
Citi Fined US $55,000 For Data Breach
ATM and Card Not Present Fraud Increasing in Germany
******************** Sponsored By Trend Micro Inc. **********************
Alert: Trend Micro Forward Threat Researcher, Kyle Wilhoit, has updated his ICS Honeypot report, now titled, "The SCADA That Didn't Cry Wolf; Who's Really Attacking Your ICS Equipment? (Part 2)". This report covers more SCADA honeypots, in more regions around the world, and details out who's attacking, and how they are attacking.
-- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
-- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
-- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
-- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
-- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
-- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
-- Multi-week Live SANS training
-- Looking for training in your own community?
-- Save on On-Demand training (30 full courses) - See samples at
Plus Melbourne, Bangalore, and Tokyo all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Documents Reveal U.S. Government Launched 231 Offensive Cyber Operations in 2011 (31st August)Classified budget documents released by Edward Snowden to the Washington Post reveal that the U.S. government launched 231 offensive cyber operations in 2011. The documents provide details of a budget aimed at breaking into foreign networks so that they can be put under the control of the U.S. The top countries targeted are China, Russia, Iran and North Korea. The documents outline that the NSA develops most of its software, but that it has devoted US$25.2 million for the "additional covert purchases of software vulnerabilities" from private research companies. According to an emailed statement from the NSA to the Washington Post "The Department of Defense does engage" in computer network exploitation but "The department does ***not*** engage in economic espionage in any domain, including cyber."
Indian Government Considers Ban on Gmail for Official Use (30th August)In what appears to be a reaction to the alleged Internet snooping by U.S. government agencies on users of U.S. based email services, the Indian government is said to be planning a ban on the use of U.S. based email services for official government use. The ban will force government workers to use only official Indian government email servers for official use. Many workers, including some government ministers, use hosted email accounts as they are easier to use and have better features than official email systems. India's IT minister, Kapil Sibal, said there is no evidence of the U.S. accessing any Internet data from India
*************************** Sponsored Links: ******************************
1) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/138470
2) Satisfied with your IPS? Tell us! Take our Survey and enter to win an iPad! http://www.sans.org/info/138475
3) Join John Pescatore and Tony Sager as they moderate a webcast on, "Using the DHS Continuous Diagnostics and Mitigation Contract to Make Important Security Advances". Tuesday, September 10, 2013 at 10:00 AM EDT. http://www.sans.org/info/138235
THE REST OF THE WEEK'S NEWS
Talks on Surveillance Transparency Break Down (30th August)In June of this year both Microsoft and Google filed lawsuits against the U.S. government to allow them to publish more details about the surveillance requests they receive from U.S. government agencies. However, negotiations between the two companies and U.S. government representatives broke down leading to Microsoft and Google moving forward with their lawsuits. In a blog post on Microsoft's website, Microsoft's General Counsel Brad Smith said "We both remain concerned with the Government's continued unwillingness to permit us to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders. We believe we have a clear right under the U.S. Constitution to share more information with the public."
UK Government to Test Banks' Cyber Crime Defences (2nd September)The Bank of England and the UK government's Treasury Department is to run a series of "cyber stress tests" against the IT systems of banks within the United Kingdom. The tests are designed to assess the banks' abilities to withstand attempts to steal customer data or funds. The tests will also include determining the banks' capabilities to withstand Distributed Denial of Service Attacks. In March of this year the Bank of England said that "Cyber security needs to be an integral part of corporate governance and risk management processes."
[Editor's Note (Henry): We've spoken about public/private partnerships in the US for many years. What we need to share is "actionable intelligence," not just "information." Governments have an abundance of valuable intelligence that is typically not shared with the private sector, in order to protect "sources and methods." It's encouraging to see the UK taking that leap, and working directly with its banking system to address this threat (called "the greatest threat to their businesses" by four of the five largest banks in the UK.) Could it be the UK government is focusing on those risks with the greatest potential impact to their country? Hmmmm....maybe they've got something there...! ]
Five Men Arrested for Alleged Cyber Attacks on UK Tax Systems (30th August)Five people have been arrested in the United Kingdom on suspicion of being involved in a number of attempts to defraud Her Majesty's Revenue and Customs (HMRC). The five men are accused of using "illegally obtained personal data from third parties" to set up fake accounts in the HMRC online tax system with the goal to "steal large sums of false tax rebates" up to the value of GBP500,000 (US$775,000). One man was arrested in London's Stansted Airport after arriving on a flight from Italy and was charged with "cheating the Revenue". Italian authorities assisted the UK authorities in identifying the suspect. Andrew Sackey, assistant director of criminal investigation at HMRC, said. "These arrests clearly demonstrate that we can, and will, apprehend those suspected of attempting to cheat UK taxpayers by defrauding HMRC, with international assistance if necessary."
Aberdeen City Council Fined GBP100,000 For Employee Data BreachThe United Kingdom's Information Commissioner's Office (ICO) has fined the Aberdeen City Council the sum of GBP100,000 (US$150,000) resulting from the leaking online of sensitive data relating to vulnerable children. The data was accessed on an employee's home PC from where a file sharing program installed on the PC uploaded the information and shared it online. The information was first leaked on the 14th November 2011 and was detected by another member of staff on the 15th February 2012. Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said "As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure."
[Editor's Note (Murray): Given that it is so often the case that end points are compromised and people a weak link, we should design our applications to be more secure in spite of these things. Think more automatic feedback and out-of-band confirmations. ]
U.S. Army Will Not Fix Security Flaw (30th August)The U.S. Army has confirmed the existence of a vulnerability in the way users are logged out of the system. The flaw, apparently first reported in 2011, exists on PCs that are shared amongst different users. Each individual uses a Common Access Code (CAC) military ID to log onto a shared PC. When the card is removed the PC should automatically log off the user. However, this does not happen every time enabling someone else to take advantage of a session which has not closed properly. The army confirmed the vulnerability exists and that it will not be patched. Instead, the issue will be addressed by raising awareness of the matter and encouraging users to ensure they are properly logged off when using a shared computer. United States Army's Deputy of Cybersecurity Roy Lundgren said "Often software and/or hardware solutions are not available, supportable, or necessary. In the case of many risks, they are managed via other mitigations such as modifying policy, procedures, or training."
[Editor's Note (Pescatore): The CAC card as implemented is a tremendously expensive form of strong authentication. If it does not actually provide non-refutable authentication because of allowing "tailgating" it is just a tremendously expensive form of authentication.
(Murray): Not much sense in requiring token-based authentication if the authentication survives the removal of the token. This is an implementation-induced vulnerability and should be fixed. One suspects that the reason for not fixing the problem is that it is not localized, that is, it is pervasive. ]
UK Launches New Degree-Level Cyber Security Apprenticeships (31st August)In response to the increasing demand for individuals with cyber security skills, the UK has launched a new Cyber Academy. The Cyber Academy will see employers, government, and academic institutions work together to provide young people with a route into a career in cyber security. A recent survey showed that just 7% of the UK's cyber security workforce is under 29 years of age. Speaking at the launch of the academy the UK's Minister of State for Universities and science David Willetts said "The Cyber Academy will help develop the expertise the nation needs to tackle this important issue, and keep the UK ahead in the global race. In particular, we are excited to see the development of cyber security apprenticeships."
[Editor's Note (Henry): An academy focused solely on cyber security skills is a great concept; building it collaboratively between the government and the private sector is brilliant. One of the success measures for this program will be how the skills developed are utilized to protect commerce and critical infrastructure. Cheers to the UK. ]
Citi Fined US$55,000 For Data Breach (2nd September)The state of Connecticut has fined Citi US$55,000 as a result of a security flaw which led to a data breach exposing the personal details of 360,000 customers and the subsequent theft of US$ 2.7 million. The account details were accessed in May 2011 when a flaw in Citi's Account Online Web-based service allowed criminals to log into the system, and by simply changing a few characters in the URL they were able to access other accounts. According to Connecticut's Attorney General George Jepsen, Citi were aware of the vulnerability and that it could have existed for three years before the attack. Not only will Citi pay a fine of US$55,000, it has agreed to engage a third party to conduct a security audit of the Account Online system and will offer two years of free credit monitoring for any affected customers from the state.
[Editor's Note (Pescatore): As usual, the actual fine is the least of the costs after a data breach. But even so - a $55K fine, or about 1.5 cents per account exposed, seems minuscule. ]
ATM and Card Not Present Fraud Increasing in Germany (2nd September)According to the latest figures overall credit card fraud in Germany increased by 140% from 2006 to 2012. Card Not Present fraud accounted for 70% of all fraudulent transactions on German credit cards in 2012. The figures also show ATM fraud accounted for a third of all cross border Card Present fraud. The level of ATM fraud could be due to issues with ATM traffic flows within some banks' legacy systems.
[Editor's Note (Pescatore): Card not present fraud went up in almost all EU countries, except for Spain, Poland and the Netherlands. What did those three countries do right/better?
(Murray): EMV is effective in reducing ATM fraud; EMV cards are more resistant to counterfeiting than mag-stripe cards. It is not as effective in reducing "card not present" fraud. The solution is to pass only one-time virtual tokens rather than re-playable credit card numbers. EMV is too little too late. Think PayPal (with strong authentication). ]
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/