SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #97
December 10, 2013
The RICO verdict (first story) may be the start of a powerful new dimension in cyber-related prosecution.
TOP OF THE NEWS
Guilty Verdict in RICO Cybercrime Case
FBI Custom Suspect Tracking Malware Raises Fourth Amendment Concerns
THE REST OF THE WEEK'S NEWS
Google Revokes Certificates Spoofed By French Certificate Authority
London Police Pilot Anti-Piracy Program
Leading Internet Companies Call For Government Surveillance Reform
ENISA Urges EU Member States to Implement Patch Management Policies
Free Games on DARPA Site Analyze Code for Vulnerabilities
DARPA Contest Seeks Software That Can Find and Fix Vulnerabilities
Thirteen Plead Guilty in December 2010 PayPal DDoS Case
NSA Says Cellphone Location Tracking Authorized Under Presidential Order
Russian Authorities Charge 13 in Connection with Blackhole Malware Kit
No Fix for Microsoft Kernel Privilege Elevation Flaw on December 10
Electronic Health Record Vulnerability
STORM CENTER TECH CORNER
************************** Sponsored By Bit9 ****************************
New eBook from Bloor Research explains how endpoint technology is mandating a new, Holistic approach to cyber security. Learn best practices you can apply to achieve real-time situational awareness to improve security and allow for better-informed decision-making. Download Today http://www.sans.org/info/145700
--SANS Cyber Defense Initiative Washington, DC December 12-19, 2013 31 courses. Bonus evening presentations include Have No Fear - DFIR is Here!; New School Forensics: Latest Tools and Techniques in Memory Analysis; and a Special Event: NetWars Tournament of Champions.
--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
--Multi-week Live SANS training
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Muscat, San Antonio, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Guilty Verdict in RICO Cybercrime Case (December 9, 2013)
A jury in Nevada found David Ray Camez guilty of federal racketeering charges for his involvement with the Carder.su website. Camez's defense team concedes that he is a criminal - the RICO (Racketeer Influenced and Corrupt Organizations) charges were brought while he was already serving a seven-year state sentence for fraud - but the conviction sets a significant legal precedent. It marks the first conviction for RICO violations involving cybercrime, and it means that Camez can be held legally responsible for all activity that took place on the website.
[Editor's Note (Henry): I don't have all the facts related to this specific case, but this is an opportunity to raise the general merits of RICO in cybercrime investigations. Under RICO, a person who has committed at least two acts of racketeering activity (drawn from a list of 35 crimes), if such acts are related to an "enterprise," can be charged with racketeering. This law has been incredibly successful for more than 40 years in identifying, prosecuting, and dismantling organized crime groups in the physical world. Many of the cybercrime organizations I've seen in the FBI, primarily targeting the financial services and retail sectors, resemble these physical-world OC groups in their structure and actions. There are multiple co-conspirators, each actively participating in various parts of the crime over a period of time, sharing the sizable stolen proceeds. The penalties for RICO are severe, and include stiff incarceration and asset forfeiture provisions. In my opinion, these are the very type of costs necessary to help deter these prolific groups, and bring some risk to an otherwise profitable and risk-free endeavor.
(Pescatore): Over the years, RICO has enabled broad seizure of convicted criminals' assets, with tremendous impact on any who depended (often unknowingly) on those assets for legitimate business purposes. A cloud service provider that gets convicted under RICO charges could cause a lot of loss of service to users of the service. Another good reason to (a) vet your cloud service providers and (b) have business continuity, backup/recovery, and continuity of operations plans in place for all use of external services, including cloud services. ]
FBI Custom Suspect Tracking Malware Raises Fourth Amendment Concerns (December 6, 2013)
The FBI has a team of specialists that develops customized malware to be used to help identify suspects who have managed to elude traditional methods of detection. The malware can track suspects' locations and activate integrated computer cameras without making the warning light turn on. The increasing sophistication of the technology is raising concerns that it may violate constitutional limits on search and seizure. ACLU principal technologist Chris Soghoian said, "We have transitioned into a world where law enforcement is hacking into people's computers, and we have never had public debate. Judges are having to make up these powers as they go along."
[Editor's Note (Pescatore): Back in the 1980s, I worked for the US Secret Service, and we often tracked criminals by putting "beepers" on their cars and following them with direction finders. We were essentially "hacking" into their cars, albeit by crawling underneath them and physically attaching physical "malware." The courts back then had to wrestle with the legality of this and generally required a court-ordered warrant to do so, and even required suspect notification if we tried to use the vehicle's power, for example. Recently a US district court handed down a similar ruling for attaching GPS units to a vehicle. The legalities of placing "GPS-like" software on a suspect's PC, which obviously uses the individual's CPU power, memory, etc., will face similar legal challenges. ]
************************** Sponsored Links: ******************************
1) Do you have thousands of devices on distributed networks and need to manage security risks, enable BYOD adoption, and support IT-GRC framework specs? Get the Frost & Sullivan report. http://www.sans.org/info/145705
2) Complimentary eBook: "NetFlow Security Monitoring for Dummies". Download now -http://www.sans.org/info/145710
3) Is your network prepared for anything? Would you like a free Cyber Defense Readiness Assessment? Start now: http://www.sans.org/info/145715
THE REST OF THE WEEK'S NEWS
Google Revokes Certificates Spoofed By French Certificate Authority (December 9, 2013)
Last week, Google learned that unauthorized digital certificates were being used for several Google domains. An investigation revealed that the certificates in question had been issued by an intermediate certificate authority (CA) that links back to French CA ANSSI. ANSSI said that the fraudulent certificates were due to "human error." Microsoft, Mozilla, and Opera are taking a cue from Google, opting to revoke digital certificates issued by a subordinate certificate authority in France.
[Editor's Note (Pescatore): There now seem to be at least three certificate authority industry groups (the CA/Browser Forum, the CA Security Council and the Online Trust Alliance) talking about improving the sorry state of CA security, but progress seems elusive.
(Ullrich): It appears that the unauthorized certificates were requested by the French Ministry of Finance. One stumbling block in initiatives like "CA transparency" is that it may expose government-initiated interception. ]
London Police Pilot Anti-Piracy Program (December 9, 2013)
In a three-month pilot program, the City of London (UK) Police Intellectual Property Crime Unit (PIPCU) targeted websites that offer pirated content. Sixty-one websites were identified and asked to "correct their behavior." If the offending sites continued to display the content after repeated warnings, the information was shared with domain name registrars, which were informed that the sites were "facilitating copyright infringement under UK law." Forty websites were suspended. The program also asked businesses to stop running advertisements on the offending sites. While the three-month pilot program did result in a decrease in legitimate companies advertising on pirate sites, the number of advertisements touting explicit content or attempting to install malware increased.
Leading Internet Companies Call For Government Surveillance Reform (December 9, 2013)
Eight major Internet companies have signed an open letter to US President Barack Obama and Congress, asking them to establish limits on government surveillance. Under the aegis of the Reform Government Surveillance campaign, AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo "urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent, and subject to independent oversight." The campaign comprises five principles: limiting government's authority to collect users' information; oversight and accountability; transparency about government demands; respecting the free flow of information; and avoiding conflicts among governments.
Reform Government Surveillance:
ENISA Urges EU Member States to Implement Patch Management Policies (December 9, 2013)
European cybersecurity agency ENISA advises member states to establish patch management policies to better protect elements of critical infrastructure that run on SCADA systems. Even with strong patching practices in place, organizations running SCADA systems need to take additional steps to secure their systems, particularly because fewer than half of the 364 publicly disclosed SCADA vulnerabilities have patches available. Compensatory controls suggested include using network segmentation to create trusted zones that communicate through access controls; removing unnecessary features from SCADA systems; and application whitelisting and deep packet inspection.
[Editor's Note (Pescatore): I doubt that many, if any, member states don't have patch management *policies.* What they need are patch management *practices* that are actually in place and actually working. I think in many (not all) cases, the impact to applications of pushing patches out quickly is over-estimated - the vast majority of impact is usually only to custom business applications. Part of a strong/secure application development cycle should be to better isolate apps from OS patches. ]
Free Games on DARPA Site Analyze Code for Vulnerabilities (December 8, 2013)
The US Department of Defense's Defense Advanced Research Projects Agency (DARPA) has established a website offering five free online games; what makes these games different is that playing them helps vulnerability analysts identify pieces of code that may contain vulnerabilities. One of the games, Xylem, has players identify patterns in flowers on an imaginary island. The players' activity actually generates mathematical proofs that analyze software for vulnerabilities.
DARPA Contest Seeks Software That Can Find and Fix Vulnerabilities (December 6, 2013)
DARPA is also offering a US $2 million prize in a competition to develop software that can find and fix security flaws in new code. The deadline for initial entries is January 14, 2014.
Thirteen Plead Guilty in December 2010 PayPal DDoS Case (December 8 & 9, 2013)
Thirteen people have pleaded guilty to charges of damaging a protected computer and conspiracy for their roles in a 2010 distributed denial-of-service (DDoS) attack against PayPal. The attack was launched to protest PayPal's refusal to process donations for WikiLeaks.
[Editor's Note (Murray): Pierre Omidyar, chairman of eBay, parent of PayPal, has called on the government to show leniency in the forthcoming trial (made moot by the plea) of the "PayPal 14", who are accused of DDoSing the online payment service, arguing that their action was protected by their First Amendment right to protest. A sharp contrast to PayPal founder Elon Musk, who asserted that PayPal would get the hackers or the hackers would get PayPal.
The rogue hackers were not accused of violating a law against their political motive but one against interfering with a protected system. We would all like to be judged by our motives as long as everyone else is judged by their behavior. ]
NSA Says Cellphone Location Tracking Authorized Under Presidential Order (December 6, 2013)
The US National Security Agency (NSA) said that its overseas cellphone tracking practices are authorized under a presidential order. The NSA claims that Executive Order 12333 allows the agency to collect cellphone location data, generating up to five billion records every day. Data on American citizens are inadvertently gathered as well because of the scope of the program. A government intelligence lawyer said that the data are not covered by the Fourth Amendment. US court decisions on the matter of cell-site location tracking are mixed, and the Supreme Court has not yet addressed the issue directly.
Russian Authorities Charge 13 in Connection with Blackhole Malware Kit (December 6, 2013)
The Russian Ministry of Internal Affairs has charged 13 people in connection with the development, sale, and distribution of the Blackhole malware kit. Earlier this fall, authorities in Russia were rumored to have arrested the alleged creator of Blackhole. In fact, we now know that 13 people were arrested in October. The accused allegedly used Trojan horse programs and other means to conduct "massive embezzlement of funds from accounts of individuals and legal entities." They also allegedly stole account access authentication credentials. An estimated 70 million rubles (US $2.14 million) was stolen. According to some estimates, Blackhole was behind as much as 40 percent of malware infections. The group's budget for purchasing exploits was reportedly US $450,000.
No Fix for Microsoft Kernel Privilege Elevation Flaw on December 10 (December 5, 2013)
Microsoft's December patch release will include a fix for the TIFF zero-day issue, but the privilege elevation vulnerability in the Windows kernel will not be fixed this month. Microsoft points out that the Enhanced Mitigation Experience Toolkit (EMET) has been effective against zero-day issues.
[Editor's Comment (Murray): One has to ask, if the inclusion of EMET in the operating system so improves its resistance to contamination, why is it not included by default? The answer is in Microsoft's strategy of, not to say commitment to, backward compatibility. Put simply, EMET breaks applications that do not follow good practice, i.e., separating procedure and data. It is time to switch the default. Instead of having to defend the use of EMET, one should be forced to defend the use of the applications that it breaks. ]
Electronic Health Record Vulnerability (December 4, 2013)
While conducting research for his thesis, Georgia Tech graduate student Doug Mackey found a serious security hole in VistA, a widely used electronic health record (EHR) platform. The flaw could be exploited to allow an attacker to access the system without authentication. Mackey contacted US-CERT; when they did not respond, he tried contacting the VA Office of the Inspector General. He again received no reply, and eventually turned to a group of developers familiar with VistA who confirmed his findings and alerted the VA and Indian Health Service. A patch for the flaw was released in late October.
[Editor's Note (Pescatore): At the recent SANS Securing the Internet of Things summit, Billy Rios of Cylance described his experience finding vulnerabilities in medical equipment and trying to report them. He found the best way was to contact DHS, and since this involved hardware, the ICS-CERT issued an alert. More recently, the National Health Information Sharing/Analysis Center (NH-ISAC) has initiated the National Healthcare and Public Health Cybersecurity Response System (HPH-CRS), but I haven't seen any reports of effectiveness yet. ]
STORM CENTER TECH CORNER
Microsoft Attempts to Shut Down Zero Access Botnet
MIDAS Intrusion Detection Framework for OS X
Siemens Sinamics Authentication Bypass Vulnerability
Passive Scanning for Systems and Vulnerabilities
More Details on Unauthorized Google Certificates issued by French CA
Weak or Incomplete SSL Implementations in Android Apps
FreeBSD Removes Support for Hardware Based Random Number Generators
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS IT operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/