OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #92

November 19, 2013


FBI Says Anonymous Infiltrated US Government Agency Systems
Supreme Court Will Not Hear Case Challenging NSA Phone Data Gathering
Financial Futures and Derivatives Exchange Acknowledges Computer Intrusion


Yahoo Will Encrypt Traffic Between Data Centers
Attackers Exploit Flaw in Japanese Word Processing Software
vBulletin Acknowledges Forum Intrusion
Six More Charged in Connection With US $45 Million ATM Fraud Scheme
Coin Start-Up Stores Credit Card Information
Estonia Will Extradite Three Men to US to Face Charges in DNSChanger Scheme
Judge Gives Stratfor Hacker Ten-Year Sentence
Fokirtor Backdoor Targets Linux Systems
Attacks on Healthcare.gov Site Under Investigation



************************** Sponsored By Bit9 ****************************
Bit9 conducted its third-annual survey on server security. In the past year, the inability to detect or stop advanced attacks has remained a constant challenge for enterprises. This survey was designed to analyze these challenges from respondents who are responsible for their organization's security posture. Some of the results may surprise you! Download Today. http://www.sans.org/info/143962

- --SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.

- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.

- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.

- --SANS Sydney 2013 Sydney, Australia November 11-23, 2013 6 courses. Bonus evening presentations include Advanced Exploit Writing: Use-After-Free Vulnerabilities.

- --SANS London 2013 London, UK November 16-25, 2013 17 courses. Bonus evening presentations include Real World Risk - What Incident Responders Can Leverage From IT Operations; Information Assurance Metrics: Practical Steps to Measurement; and APT: It Is Time To Act.

- --Asia Pacific ICS Security Summit Singapore, Singapore December 2-8, 2013 3 courses. Bonus evening presentations include First Things First: The Top 4 Security Mitigation Strategies.

- --Multi-week Live SANS training
Contact mentor@sans.org

- --Looking for training in your own community?

- - --Save on On-Demand training (30 full courses) - See samples at

Plus San Diego, Muscat, San Antonio, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org



FBI Says Anonymous Infiltrated US Government Agency Systems (November 16 & 18, 2013)

The FBI has sent a memo to federal agencies alerting them to the fact that members of the Anonymous hacking collective have infiltrated government systems and have been stealing sensitive information for nearly a year. The series of attacks is believed to have begun in December 2012; most exploit vulnerabilities in Adobe ColdFusion web application development software. Affected agencies include the Army, The Department of Energy, and the Department of Health and Human Services. Most of the intrusions have not been disclosed.



Supreme Court Will Not Hear Case Challenging NSA Phone Data Gathering (November 18, 2013)

The US Supreme Court has declined to hear a challenge from the Electronic Privacy Information Center (EPIC) that sought to stop the NSA's wholesale gathering of phone metadata. EPIC filed its plea directly with the Supreme Court instead of arguing in lower courts first; the organization maintains that the Supreme Court is the only court with the jurisdiction to overturn a Foreign Intelligence Surveillance Court (FISC) order.

Financial Futures and Derivatives Exchange Acknowledges Computer Intrusion (November 15 & 17, 2013)

CME Group, the world's largest financial futures exchange and derivatives trading company, has disclosed that a July attack compromised the personal information of customers who use its CME ClearPort services. The incident has prompted a federal investigation.


************************** Sponsored Links: ******************************
1) Meet the challenges of Continuous Diagnostics & Mitigation (CDM). Get real-time discovery and assessment of all network endpoints. Download the tech note: ForeScout CounterACT Continuous Diagnostics & Mitigation. http://www.sans.org/info/143967

2) Join John Pescatore, SANS Director of Emerging Security Trends and Matt Goodrich, GSA FedRAMP Program Manager for this one hour webinar to gain guidance on how to best practices for taking advantage of the FedRAMP effort to advance secure use of cloud services in government. Wed. Nov 20 at 1:00pm EDT. http://www.sans.org/info/144117

3) Ask the Expert Webcast = Mobile Forensics: Recovering Data You May Be Missing - Friday, November 22 at 1:00 PM EST. Join Paul Henry. Includes live demo of Internet Evidence Finder http://www.sans.org/info/143972


Yahoo Will Encrypt Traffic Between Data Centers (November 18, 2013)

Yahoo CEO Marissa Mayer says that the company will encrypt traffic between its data centers by March 2014. The announcement follows revelations that the NSA has been tapping in to unencrypted connections between data centers belonging to several large tech companies. Mayer wrote, "Yahoo has never given access to our data centers to the NSA or any other government agency. Ever." Yahoo also plans to move to apply SSL to all its websites and to use SSL encryption by default on Yahoo Mail.

[Editor's Note (Pescatore): I'll repeat my comment last week about similar news from Google: Yahoo didn't do much of a risk analysis here. There has always been a risk of governments tapping into fiber optic networks. After the terrorist attacks of 2001, many businesses moved their backup data center's further away from the main data center and looked at the risk of compromise of the fiber runs between the data center. Government interception (by US, China, others) was a known risk as early as 2000, with much public validation by 2003, and I believe that in around 2005 SANS published a white paper on how much easier it had become. Businesses that decided they did not want to risk any eavesdropping on fiber put high speed encryptors on those links, which appears to be what Google and Yahoo have now belatedly decided to do. ]

Attackers Exploit Flaw in Japanese Word Processing Software (November 18, 2013)

Attackers appear to be exploiting an unpatched vulnerability in Japanese word processing software Ichitaro. The remote code execution flaw affects several versions of the popular software. The attacks detected in the wild use a backdoor that was also used in attacks that exploited a memory corruption vulnerability in Microsoft Internet Explorer (IE).

vBulletin Acknowledges Forum Intrusion (November 18, 2013)

vBulletin disclosed that attackers have exploited an unpatched vulnerability to gain access to the vBulletin and MacRumors forums. The former software maker is urging users to change their passwords. The attackers claim to have exploited a vulnerability in versions 4.x and 5.x of vBulletin software.


Six More Charged in Connection With US $45 Million ATM Fraud Scheme (November 18, 2013)

Federal authorities in the US have charged six more people in connection with a well-orchestrated cyberheist campaign that stole more than US $45 million from ATMs around the world. In all, 14 people have been charged in connection with this scheme.

Coin Start-Up Stores Credit Card Information (November 17 & 18, 2013)

Digital payment startup Coin is offering a technology that allows phones to be used to arrange payments. It stores information from users' credit cards. Users swipe their cards through the Coin device, then take pictures of the front and back of the card. The Coin device locks if it's away from users' phones for more than 10 minutes, or if the phone has run out of power. The company has not yet obtained approval from credit card companies.

[Editor's Note (Murray): The enabling technology for this device is Bluetooth Low Energy (designed for extended use with "watch" batteries) that is used for its setup and security. The perhaps not so obvious problem with it is that it lowers the cost and increases the mobility of "skimming" and counterfeiting mag-stripe cards; it is a skimmer/replicator. Since many applications no longer require us to surrender our cards, this may be less of a problem than it used to be. However, one would not want one's "waiter" (or one's Christmas hire at Bloomingdale's) to have one of these. ]

Estonia Will Extradite Three Men to US to Face Charges in DNSChanger Scheme (November 15 & 17, 2013)

The Estonian government has agreed to extradite three citizens to the US to face charges stemming from a malware scheme known as "Operation Ghost Click." A fourth individual was extradited last year. The scheme made use of the DNSChanger botnet to redirect users to legitimate advertisers' sites; the people allegedly made more than US $14 million through the traffic they redirected to those sites. As many as four million computers are believed to have been infected.


Judge Gives Stratfor Hacker Ten-Year Sentence (November 15, 2013)

A federal judge has sentenced Jeremy Hammond to 10 years in prison for breaking into servers at Strategic Forecasting, Inc. (Stratfor) and stealing email messages and customer credit card information. Earlier this year, Hammond pleaded guilty to conspiracy to engage in computer hacking, a violation of the Computer Fraud and Abuse Act. The stolen credit card data were used to make US $700,000 in fraudulent charitable donations. Hammond's sentence also carries a three-year probation following his release during which time his computer use will be severely restricted.


[Editor's note (Northcutt): The computer use restriction sounds good, but I doubt it will be possible. We are quickly moving forward to a time where everything is computer controlled or assisted. Some of you will remember Mitnick's solution to a similar same court order using John Draper (which many in computer security know better as Captain Crunch). They are both legendary figures, and while they did some misguided things, they helped shape security. After his release from prison, and being restricted from using a computer, Mitnick spoke the commands and Crunch typed them in (or so history claims):

Fokirtor Backdoor Targets Linux Systems (November 15, 2013)

During an investigation of a security breach at an Internet hosting provider earlier this year, Symantec researchers discovered a backdoor known as Fokirtor on the network. The malware is capable of monitoring traffic, and stealing login credentials from secure shell (SSH) connections. Fokirtor targets the Linux operating system. It evades detection by injecting its communications into legitimate traffic.

[Editor's Note (Pescatore): This looks like yet another example of where server-side whitelisting would have prevented malware installation without impacting business operations at all. ]

Attacks on Healthcare.gov Site Under Investigation (November 14, 2013)

The US government's Affordable Care Act website, healthcare.gov, was attacked more than a dozen times over a three-day period earlier this month, according to Roberta Stempfley, acting assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security. None of the attacks was successful; they are being investigated. Stempfley, who spoke at a House Homeland Security Committee meeting, also described a recently discovered tool that was designed to launch denial-of-service attacks against the website.



HTTP Caching Headers

Sagan Log Normalisation Tool

Fokirtor SSH Backdoor

HTTP/2 is making progress, and is likely going to require TLS

Logging Sinkhole Traffic

vBulletin.com Hacked, possible vBulletin 0-day

Update to DumpDNS

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/