Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #86

October 29, 2013


1. Please nominate "People Who Made a Difference in CyberSecurity in 2013." At the SANS Cyber Defense Initiative conference Dec 12-19th in Washington DC, SANS plans on celebrating the most dedicated and innovative people who implemented security processes or technology in 2013 that resulted in meaningful and measurable advances in security. Submissions are due by 8 November. http://www.sans.org/cyber-innovation-awards.

2. Did you register for the DHS Continuous Diagnostics and Mitigation (CDM) workshop next Wednesday? The CDM program will make over $1B available to reduce vulnerabilities and reward proactive efforts to improve government security levels. If you attend the workshop (online or live) you'll hear the key government leaders who are shaping the program as well as the auditors who are changing the way government measures cybersecurity. Vendor shootout sessions include ForeScout, IBM, McAfee, Qualys, RSA, Symantec, Tenable and others. Register to join us in person at (http://www.sans.org/event/sans-dhs-cdm-award-workshop) or via simulcast for remote attendees at (https://www.sans.org/webcasts/dhs-cdm-award-workshop-97170).

TOP OF THE NEWS

US Defense Secretary Wants DOD to Step Up Data Protection
Ploutus ATM Malware May be Spreading to US
66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills
PHP.net Breach

THE REST OF THE WEEK'S NEWS

UK Man Arrested, Charged with Breaking Into US Government and Military Computers
Dutch Police Arrest Four in Connection with Online Banking Theft
NSA Admits Snooping on World Leaders' Calls
NSA Says Site Outage Was Due to Error During Update
US Authorities Seize US $28 Million in Bitcoins in Silk Road Case
Teen Will Present Mobile Firefox OS Exploits at Conference in India Next Month
South Korean Police Warn of Malware-Infected Pirated Online Games

INTERNET STORM CENTER TECH CORNER


************************* Sponsored By Bit9 ****************************
Think you're safe from the Advanced Persistent Threat (APT)? Take this short assessment to learn how safe you really are. When you're done we'll create a customized action plan with steps you can take to better protect your organization.
Learn more http://www.sans.org/info/142090
***************************************************************************
TRAINING UPDATE


--SANS Chicago 2013 Chicago, IL October 28-November 2, 2013 7 courses. Bonus evening presentations include SANS 8 Mobile Device Security Steps; and Privileged Domain Account Protection: How to Limit Credentials Exposure.
http://www.sans.org/event/chicago-2013


--South Florida 2013 Ft. Lauderdale, FL November 4-9, 2013 5 courses. Bonus evening presentations include The Security Impact of IPv6; Evolving Threats; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/south-florida-2013


--October Singapore 2013 Singapore, Singapore October 21-November 2, 2013 5 courses. Bonus evening presentations include Pen Testing the Smart Grid; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/singapore-sos-2013


--SANS Dubai 2013 Dubai, UAE October 26 - November 7, 2013 SANS returns to Dubai with four essential courses at the Hilton Jumeirah Beach.
http://www.sans.org/event/dubai-2013


--SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.
http://www.sans.org/event/london-2013


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

US Defense Secretary Wants DOD to Step Up Data Protection (October 25 & 28, 2013)

In a memo earlier this month, US Defense Secretary Chuck Hagel ordered the Defense Department to implement measures to protect unclassified controlled data from being accessed by hackers. He has ordered DOD's Chief Information Officer and the undersecretaries of defense for acquisition, technology, and logistics; policy; and intelligence to assess unclassified DOD networks for their vulnerability to attacks and to develop a strategy to mitigate those risks. Hagel also called for DOD, the NSA, and DISA to develop means to assess the loss of technical data and the consequences of those losses; to identify critical acquisition and technology programs that need stronger protection; and to make sure they are being adequately protected.
-http://www.federaltimes.com/article/20131028/IT01/310280018/Hagel-calls-better-protection-DoD-data

-http://www.nextgov.com/cybersecurity/2013/10/hagel-wants-unclassified-sensitive-data-protected-cyber-spying/72686/?oref=ng-channeltopstory

[Editor's Note (Paller): The change that is needed was put in place at NSA soon after the Snowden affair. That change requires contractors to give up their highly distributed and profitable system administration activities and, instead, operate centralized system administration with both technical and management controls. It is absolutely essential that DoD undertakes the change as well. However, the DoD CIO lost the trust of military commanders and civilian leaders that she would need to force the change across DoD. Her staff forced the commanders to waste a ton of money on C&A and non-technical certification activities that demonstrated a lack of awareness of what matters in securing military systems.
(Murray): It seems clear that the Secretary wishes to communicate that his tolerance for risk on these systems has gone down. But, if the secretary wishes to achieve a uniform and efficient level of risk across a huge population of systems, he must do a better job of expressing it than "adequate." ]

Ploutus ATM Malware May be Spreading to US (October 28, 2013)

Criminals are spreading malware previously detected on ATMs in Mexico to the US. Symantec found an updated, English-language version of Ploutus. The malware is loaded onto the ATM through its CD-ROM drive and makes the cash machine dispense money. Ploutus works only on a specific, as-yet unidentified type of ATM.
-http://www.scmagazine.com/atm-malware-ploutus-updated-with-english-language-version/article/318336/

-http://www.computerworld.com/s/article/9243572/ATM_malware_may_spread_from_Mexico_to_English_speaking_world?taxonomyId=17

[Editor's Note (Murray): If one has the access necessary to install this software, one should not need it. This has "insider" writ large all over it. ]

66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills (October 29, 2013)

Twenty-four out of 25 UK firms report not having adequate security measures to combat cyber attacks, and two-thirds report that a lack of staff with advanced technical skills is the cause.
-http://www.telegraph.co.uk/technology/internet-security/10409330/Cyber-attacks-are-the-greatest-threats-UK-businesses-face.html

PHP.net Breach (October 24, 25 & 28, 2013)

Attackers breached the PHP.net website last week, causing the site to serve malware to some users between October 22 and 24. The situation was discovered when Google's Safe Browsing system began flagging the site as malicious. PHP administrators removed the JavaScript malware, but it is not clear how the attackers gained access to the site. The administrators say that the PHP source code repository was not affected by the breach. They acknowledged that the attackers could have accessed the site's SSL private key, so they revoked the site's certificates. They eventually moved the site to a new set of servers and a new certificate was installed.
-http://www.zdnet.com/php-project-site-hacked-served-malware-7000022513/
-http://www.computerworlduk.com/news/security/3475691/phpnet-confirms-server-breach-after-google-flags-them-for-malware/

-http://arstechnica.com/security/2013/10/hackers-compromise-official-php-website-infect-visitors-with-malware/

-http://www.theregister.co.uk/2013/10/25/phpnet_compromise_analysis/
[Editor's Comment (Northcutt): The problem here is what we call a supply chain breach. Many sites depend on PHP, so if it fails they risk being vulnerable.
-http://dspace.mit.edu/handle/1721.1/33313]


*************************** Sponsored Links: *****************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/142095

2) Ask the Expert Webcast: Enhancing Security Analytics with Endpoint Forensics - Tuesday, November 05 at 1:00 PM EST with John Pescatore and Jason Fredrickson Sr. Dir. of Enterprise Application Development at Guidance Software. http://www.sans.org/info/142100

3) PCI DSS Simplified: What You Need to Know. Friday, November 01 at 1:00 PM EDT; Sandy Hawke, VP, Product Marketing, AlienVault. http://www.sans.org/info/142105
****************************************************************************

THE REST OF THE WEEK'S NEWS

UK Man Arrested, Charged with Breaking Into US Government and Military Computers (October 28, 2013)

Authorities in the UK have arrested a man for allegedly breaking into US government and military systems. The investigation leading to Lauri Love's arrest was a cooperative effort between the FBI and the UK's National Crime Agency. Love allegedly installed backdoors on the systems. The US Attorney has charged Love with accessing a government computer without permission. Love allegedly has at least three accomplices.
-http://www.theatlanticwire.com/national/2013/10/hacker-fameball-arrested-plot-leak-stolen-government-information/71003/

-http://www.bbc.co.uk/news/technology-24712214
-http://www.v3.co.uk/v3-uk/news/2303414/uk-man-arrested-for-hacking-us-military-and-government-networks

US Attorney Press Release:
-http://www.justice.gov/usao/nj/Press/files/Love,%20Lauri%20Indictment%20News%20Release.html

Dutch Police Arrest Four in Connection with Online Banking Theft (October 28, 2013)

Police in the Netherlands have arrested four people in connection with malware used to steal US $1.5 million from bank accounts. The stolen funds were allegedly laundered by converting them to Bitcoins. The malware, known as TorRAT, receives its instructions through the Tor network.
-http://www.informationweek.com/security/attacks/dutch-banking-malware-gang-busted-bitcoi/240163193

NSA Admits Snooping on World Leaders' Calls (October 28, 2013)

The NSA has acknowledged that it snooped on phone calls of 35 world leaders, including German Chancellor Angela Merkel. According to a report in The Wall Street Journal, the White House was unaware of the program until this summer; once it learned about the snooping, it was stopped. The WSJ story says that the surveillance decision was made at NSA and did not require approval from the president. According to other sources, US intelligence officials say that the State Department and the White House both signed off on the surveillance program. While it is possible that the president was not briefed on specific NSA operations targeting foreign leaders' communications, the National Security Council and senior members of the intelligence community would be aware of the activity, according to an unnamed former US intelligence official.
-http://www.cbsnews.com/8301-250_162-57609690/obama-administration-tight-lipped-on-nsa-surveillance-of-allies/

-http://news.cnet.com/8301-1009_3-57609559-83/officials-admit-nsa-snooped-on-world-leaders-wsj/

-http://www.washingtonpost.com/politics/obama-didnt-know-about-surveillance-of-us-allied-world-leaders-until-summer-officials-say/2013/10/28/0cbacefa-4009-11e3-a751-f032898f2dbc_story.html

-http://www.latimes.com/world/la-fg-spying-phones-20131029,0,3235295.story#axzz2j4kLcEqa

NSA Says Site Outage Was Due to Error During Update (October 25, 26, & 28, 2013)

The US National Security Agency's (NSA's) website was unavailable for 11 hours late last week. The site, NSA.gov, went down on Friday, October 25 and was available once again the following day. The NSA denied reports that the outage was due to a DDoS, instead maintaining that it was caused by an "error ... during a scheduled update."
-http://www.theregister.co.uk/2013/10/28/nsagov_goes_down_after_error_during_scheduled_update/

-http://www.theatlanticwire.com/technology/2013/10/no-one-knows-why-nsas-website-was-down-11-hours/70967/

-http://www.nbcnews.com/technology/nsa-gov-down-denial-service-attack-rumored-8C11469380

-http://www.cio-today.com/story.xhtml?story_id=12100ESH7J08

US Authorities Seize US $28 Million in Bitcoins in Silk Road Case (October 25 & 26, 2013)

US authorities have reportedly seized 144,000 Bitcoins (US $28.3 million) that allegedly belonged to Silk Road underground marketplace owner Ross Ulbricht. Until the site was taken down earlier this month, it served as a marketplace for people seeking to buy drugs, malware, and other illegal goods and services. Following the takedown and Ulbricht's arrest, law enforcement agents seized more than 26,000 Bitcoins (US $5.1 million).
-http://www.ibtimes.com/silk-road-shutdown-ny-us-attorney-seizes-28-million-bitcoins-belonging-ross-ulbricht-1442640

-http://arstechnica.com/tech-policy/2013/10/fbi-seizes-over-27-million-in-bitcoins-likely-from-silk-road-suspect/

Teen Will Present Mobile Firefox OS Exploits at Conference In India Next Month (October 25, 2013)

A teenager who has discovered a way to infect Mozilla's Firefox OS mobile operating system with malware says he will remain silent about the exploit until a November summit in New Delhi, India. Shantanu Gawde developed malware that allows attackers to gain remote access to devices' SD cards, transfer contacts, track locations, control radio functions, and upload and download pictures, music, and video.
-http://www.scmagazine.com/mozilla-addresses-teenagers-purported-mobile-firefox-os-malware/article/318056/

[Editor's Note (Murray): This is a speculative report about potential vulnerabilities in a novel and sparsely used OS. If it rises to the level of "news," it is only because of the word "teenager." We continue to be mesmerized by the ability of the young to excel at things that interest them but which we do not consider important enough to teach them in school. ]

South Korean Police Warn of Malware-Infected Pirated Online Games (October 25, 2013)

Police in South Korea are warning people not to download unofficial versions of online games as some have been found to be seeded with malware that harvests location data and IP addresses from infected machines and sends them to servers in another country. Once infected, machines can be used to launch distributed denial-of-service (DDoS) attacks.
-http://www.theregister.co.uk/2013/10/25/norks_malware_ddos_south_korea/

INTERNET STORM CENTER TECH CORNER

Single Compromise Uses 3 Different Recent Vulnerabilities
-https://isc.sans.edu/forums/diary/Exploit+cocktail+Struts+Java+Windows+going+after+3-month+old+vulnerabilities/16913

Barack Obama URL Shortener Hacked
-http://mashable.com/2013/10/28/syrian-electronic-army-obama/

IBM Storwize Unauthorized Admin Access
-http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004481

Linked In Intro Controversy
-http://jordan-wright.github.io/blog/2013/10/26/phishing-with-linkedins-intro/

PHP Update: Signing Code
-https://isc.sans.edu/forums/diary/PHPnet+compromise+aftermath+Why+Code+Signing+Beats+Hashes/16901

Perl Bot
-https://isc.sans.edu/diary/Active+Perl+Shellbot+Trojan/16907

Kaspersky Flags TCPIP.SYS as malware
-https://isc.sans.edu/diary/Kaspersky+flags+TCPIP.SYS+as+Malware/16904

Buffer Compromised
-http://open.bufferapp.com/buffer-has-been-hacked-here-is-whats-going-on/

php.net compromise
-https://isc.sans.edu/forums/diary/False+Positive+phpnet+Malware+Alert/16892
-http://php.net/archive/2013.php#id2013-10-24-1

Small business DDoS attacks (feedback wanted)
-https://isc.sans.edu/forums/diary/Are+you+a+small+business+that+experienced+a+DoS+attack+/16895

WHMCS Authentication Bypass
-http://localhost.re/p/whmcs-v5210-vulnerability


************************************************************************
The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder of Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/