SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #71
September 06, 2013
TOP OF THE NEWSNSA Defeats Internet Encryption
The Internet of Things: FTC Reaches Settlement With Company Over Unsecure Webcams
Android Trojan Spreading Through Mobile Botnet
THE REST OF THE WEEK'S NEWSHesperbot Trojan
Microsoft's Patch Tuesday to Include Bulletin for All Versions of Internet Explorer
NSA Targets Internet Routers and Switches
Brainstorming Disaster Recovery With the White House
Two Sentenced in Point-of-Sale Payment Card Data Theft Scheme
Software Patching is Enormous Drain of Resources for Government
DOE Now Says July Breach Affected 53,000 People
Taiwan Releases Free Malware Database to Help Organizations Defend Against Attacks
FTC Files Complaint Against LabMD for Alleged Data Exposure
************************ Sponsored By Symantec *************************
Symantec Intelligence Report: June 2013 The monthly intelligence report, provides the latest analysis of cyber security threats, trends, and insights from the Symantec intelligence team concerning malware, spam, and other potentially harmful business risks. Learn more.
- -- SANS Capital City 2013 Washington, DC September 3-8, 2013 6 courses. Bonus evening presentations include Look Ma, No Exploits! - The Recon-ng Framework; and How the West was Pwned. Keynote address: Who's Watching the Watchers?
- -- SANS Network Security 2013 Las Vegas, NV September 14-23, 2013 50 courses. Bonus evening presentations include The Security Impact of IPv6; Unleashing the Dogs of (cyber) War; and InfoSec Vertigo: Small Medical Lab Wages War Against InfoSec Vendor, US Government, and Big DC Law Firm.
- -- SANS Seattle 2013 Seattle, WA October 7-14, 2013 8 courses. Bonus evening presentations include "So What?" The Most Important Question in Information Security; Why Our Defenses are Failing Us. One Click is All it Takes ...; and Sick Anti-Analysis Mechanisms in the Wild.
- -- SANS Baltimore 2013 Baltimore, MD October 14-19, 2013 9 courses. Bonus evening presentations include An Introduction to PowerShell for Security Assessments; The Security Impact of IPv6; and Tales from the Crypt: TrueCrypt Analysis.
- -- SANS Forensics Prague 2013 Prague, Czech Republic October 6-13, 2013 SANS' European forensics summit and dedicated forensics training event. Four of SANS' most important forensics training courses and opportunities to network with leading digital forensics experts.
- -- SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
- -- Multi-week Live SANS training
- -- Looking for training in your own community?
- -- Save on On-Demand training (30 full courses) - See samples at
Plus Bangalore, Tokyo, Chicago, and Ft. Lauderdale all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
NSA Defeats Internet Encryption (September 4 & 5, 2013)According to documents leaked by Edward Snowden, the US government has spent more than US $10 billion over four years on the Consolidated Cryptologic Program. The documents also show that the NSA has used its influence to insert encryption weaknesses in currently used standards; used a variety of techniques - including hacking - to acquire cryptographic keys from various technology companies; and in some instances, broke into targeted machines to intercept messages before they were encrypted. (Please note that the New York Times website requires a paid subscription.)
[Editor's Note (Murray): Prudence has always required that one assume that NSA can read any message that it wants to; it cannot read every message that it wants to. In any case, NSA is not the threat that most of us have to address.
(Pescatore): Eek, you mean when they stopped fighting for export and other controls on encryption, governments actually decided to try to break crypto that was in use by bad guys?? Or they used strategies similar to what was done in World War II to get to see traffic *before* it was encrypted?? This is what we expect our intelligence agencies to do - any shock from the security community over this is disingenuous.
(Honan): These revelations should be no surprise to many in the security industry. The world has not changed. Criminals, terrorists, and spies still continue to do what they do. The Internet simply allows them to scale their operations, in the very same way the many business can scale theirs. We need to accept more responsibility for securing our online lives, business transactions and protecting our privacy, while also demanding better transparency from our governments and suppliers. ]
The Internet of Things: FTC Reaches Settlement With Company Over Unsecure Webcams (September 4 & 5, 2013)The US Federal Trade Commission (FTC) has reached a settlement with a company whose webcams lack adequate security. Trendnet cameras contain vulnerabilities that allow anyone online to view the devices' feeds. Under the terms of the settlement, Trendnet may not refer to the cameras as "secure" in marketing materials. Trendnet must notify customers of the security issue, provide help to make the devices more secure, and undergo third-party security audits every two years through 2033. (The incident reported last month in which a stranger hurled obscenities at a Texas couple and their toddler through the webcam they were using as a child monitor involves a device from a different company.)
[Editor's Note (Pescatore): Consumer grade "things" will be easy pickings for cyber criminals if the device industry doesn't learn from what the consumer WiFi industry went through, and build security in from the start. Earlier this year, several consumer electronics manufacturers formed the Internet of Things Consortium that had security as one of its goals, but I have heard nothing out of them.
(Shpantzer): Third party security audits every two years until 2033... That's 10 audit cycles, call it $50k each, rough order of magnitude, for the audit $500k ]
Android Trojan Spreading Through Mobile Botnet (September 5, 2013)An Android Trojan known as Obad.a is spreading through mobile botnets. At present, Obad is targeting Russian users with spam text messages containing malicious links. Those links install an Android Trojan known as Opfake. Once that piece of malware is installed, its command-and-control server tells Opfake to spam the device's contact list, which in turn points them to Obad.
[Editor's Note (Pescatore): Obad seems to be targeting Ukraine, Russia and Belarus, where Android versions and configurations that allow side loading must be common, and the patch that closes the vulnerability exploited must not have patched. Turn on the Google Play App Store mechanism, or auto update, and the bar is raised significantly against all malware exploits, which is why so few succeed in the iPhone/iPad ecosystem. ]
*************************** Sponsored Links: ******************************
1) Why have targeted Advanced Threats succeeded so dramatically when most organizations have architected sophisticated defense-in-depth strategies? Find out why in this new interactive whitepaper http://www.sans.org/info/138615
2) Wanted: Healthcare InfoSec Professionals to Take our Survey & Enter to Win an iPad!! http://www.sans.org/info/138620
3) Satisfied with your IPS? Tell us! Take our Survey and enter to win an iPad! http://www.sans.org/info/138625
THE REST OF THE WEEK'S NEWS
Hesperbot Trojan (September 5, 2013)The Hesperbot Trojan horse program spreads through emails that appear to be legitimate package-tracking documents or messages from Internet service providers and other companies. The messages attempt to get the recipients to download an attachment with a .pdf.exe file extension. Hesperbot has the capability to log keystrokes, take screenshots, record from installed video cameras, intercept traffic, and send all the information back to the command-and-control server. It also establishes a remote proxy on infected machines. Hesperbot has infected computers in Turkey, Portugal, the Czech Republic, and the UK.
Microsoft's Patch Tuesday to Include Bulletin for All Versions of Internet Explorer (September 5, 2013)Microsoft plans to issue 14 security bulletins next week to address vulnerabilities in Internet Explorer (IE), Windows, Office, and SharePoint. The IE update will apply to all currently supported versions of the browser. Four of the bulletins have been rated critical; the other 10 are rated important.
[Editor's Note (Pescatore): The critical ones are all remote code execution vulnerabilities, which is always worrisome. I recently blogged about how Steve Ballmer stepping down as CEO of Microsoft will impact security of Microsoft products. It would be nice to see the new CEO come in re-invigorating Bill Gates' 2002 "security should be top priority at Microsoft" memo. ]
NSA Targets Internet Routers and Switches (September 4, 2013)According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because "people are ... horrible about updating their network gear because it is too critical, and usually they don't have redundancy to be able to do it properly," according to Beyond Trust CTO Marc Maiffret.
[Editor's Note (Pescatore): Bad guys know this, too - please see Critical Security Control 10, Secure Configurations for Network Devices. ]
[Counterpoint from Donald Smith: No evidence is provided to support this so I call ... FUD even the Cisco root kit they refer to in this article, Da IOS rootkit, has never been published/reviewed. ]
Brainstorming Disaster Recovery With the White House (September 4, 2013)The White House has asked more than 80 private sector organizations to help improve the government's disaster response and recovery efforts. Participants included Zappos, Marriott International, The Weather Channel, Twitter, and Google. Among the suggestions is a communications platform that will allow people relying on electrically powered medical devices to communicate their situations to emergency response networks.
Two Sentenced in Point-of-Sale Payment Card Data Theft Scheme (September 4 & 5, 2013)A US federal judge in New Hampshire has sentenced two men to prison for their roles in a point-of-sale credit card theft scheme. Adrian-Tiberiu Oprea received a 15-year sentence, and Iulian Dolan received a seven-year sentence. The men broke into point-of-sale systems at hundreds of businesses to steal the data. In all, payment cards belonging to more than 100,000 people were compromised, and losses incurred exceeded US $17.5 million.
Software Patching is Enormous Drain of Resources for Government (September 3, 2013)US Marine Corps CIO Robert Jack says that patching systems in his organization requires a significant amount of work. Of 300,000 people in his organization, roughly one third have "day-to-day access to the enterprise network." There are also "over 450 registered systems that are regresses to 10 significant versions. When we get a patch from a vendor, we have to go out and test that against all that." Jack is concerned that the companies are making compromises on security in an effort to push their software into production. Jack does not think that legislation will address the issue, but he does want "corporate citizenry to step up to the plate and take responsibility for what they put into their software."
[Editor's Note (Pescatore): When the Romans first started using software, they quickly came up with the term "caveat emptor" which translates to "let the buyer beware." Just as I'm sure the Marines wouldn't use Ford Mustang convertibles to carry troops into battle or Cessna Pipers to fly critical missions, using off the shelf software without investing in hardening should never even be part of the discussion.
(Murray): Patching is a drain on the whole economy. We are far too tolerant of shoddy software. ]
DOE Now Says July Breach Affected 53,000 People (September 3, 2013)The US Department of Energy (DOE) has updated information about a July data breach that compromised employees' personally identifiable information. DOE now says that the breach affects 53,000 current and former employees, contractors, and dependents. The information compromised includes names, Social Security numbers (SSNs) and birth dates. The attacker or attackers exploited a known vulnerability in an unpatched ColdFusion system called DOEInfo. The department's investigation indicates that the theft of the personal information "might have been the primary purpose of the attack." DOE will notify all affected individuals within the next two weeks.
DOE Cyber Incident Information:
Taiwan Releases Free Malware Database to Help Organizations Defend Against Attacks (September 2 & 3, 2013)Taiwan's National Centre for High-Performance Computing (NCHC) has created the Malware Knowledge Base, a free database of malware that is designed to help organizations and researchers identify and protect their systems from attacks. The database contains at least 200,000 malware samples. The database is a joint project between NCHC and 20 universities. It also contains information on removing more than 3,000 known viruses and a list of 6,000 decoy IP addresses that are being continuously monitored for new attacks.
FTC Files Complaint Against LabMD for Alleged Data Exposure (August 29 & September 3, 2013)The US Federal Trade Commission (FTC) has filed a complaint against a medical testing laboratory for allegedly exposing the data of more than 9,000 individuals. The complaint alleges that LabMD put the data at risk of theft in two separate incidents. In 2009, patient data were reportedly available on peer-to-peer (P2P) file sharing networks. In 2012, California police found identity thieves had documents from LabMD that contained personal information of more at least 500 patients.
FTC Press Release:
FTC Complaint Links:
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/