SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #12
February 11, 2014
TOP OF THE NEWS
Cybersecurity Framework to be Released On February 13
North Carolina Law Firm Loses "All Documents" to Cryptolocker
THE REST OF THE WEEK'S NEWS
Barclays Bank Investigating Alleged Theft of Customer Data
Iowa State University National Cyber Defense Competition
Medical Device Manufacturers' Networks Breached
Twitter Publishes Transparency Report, Seeks to Disclose More Detailed Data
NSA Collects Less Than 30 Percent of Phone Call Metadata
Linkup Malware Blocks Internet Access and Mines for Bitcoins
PCI Standard Compliance Treated as Annual Hurdle, Not Consistent Practice
Phony Army Benefits Website May Have Stolen Credentials
More Debunking of Sochi Attacks
Man Sentenced for Attack on Koch Industries Subsidiary's Network
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec *************************
Gartner 2014 Magic Quadrant for Endpoint Protection Platforms - Complimentary Copy. Symantec Endpoint Protection 12.1 was, once again, positioned as a Leader in Gartner's Magic Quadrant and rated highest in the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned.
--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
-- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
-- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
--Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Bangalore, Tokyo, Canberra, and Munich all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Cybersecurity Framework to be Released On February 13 (February 8, 2014)
The US Government's Cybersecurity Framework, scheduled to be released on February 13, does not mandate security measures for companies operating portions of the country's critical infrastructure, but instead offers guidance that those companies may use to develop their information security programs. The framework is intended for voluntary, not mandated, use.
[Editor's Note (Murray): If the problem were that we do not know "what" to do, or "how" to do it, then this approach might be more useful. In fact, the problem is that we know what to do but not how "much" to do, i.e., when we have done enough. In order not to be prescriptive (or accountable), and because risk tolerance varies by enterprise, this work does not address determining, achieving, or maintaining an "acceptable level of risk."
(Paller): In other words, the federal Framework effort wasted more than a year. The federal bureaucracy, led by OMB, will now defend their paper effort, and will not take active steps to protect the critical infrastructure. ]
North Carolina Law Firm Loses "All Documents" to Cryptolocker (February 10, 2014)
A law firm in North Carolina has reported losing all of its legal documents to the Cryptolocker ransomware, even though the company tried to pay the US $300 ransom. Because the firm's IT staff first attempted to decrypt the files themselves, the three-day ransom deadline had expired by the time the decision was made to pay.
[Editor's Note (Northcutt): In Management 512, Security Leadership Essentials, we discuss this scenario, which seems to polarize people. Some say the only right course of action is to call the FBI. Others say, pay the ransom and stay in business. Most students prefer not to say anything at all. As we close out the discussion, what I tell the class is, whatever course you pick, make your choice when you are not under the pressure of a deadline. I strongly suggest that NewsBites readers open a discussion with management. While Cryptolocker is less than a year old, ransomware has been around a long time. If you find your mind telling you, "this can't happen to us", you could well be wrong. This law firm is not the only victim:
(Pescatore): The obvious lessons are Critical Security Controls 8 (Data Recovery/backup) and 5 (Malware Defenses). The business decision to pay the ransom usually does not make good business sense in the long run - there is ample evidence that paying off once increases the likelihood you are targeted again. But, it *is* a business decision - if the IT and IT security program isn't prepared to recover from incidents like this, management looks at this as "outsourcing" data recovery... of course, to the "outsourcer" that caused the problem in the first place.
(Murray): In order to use encryption to deny one the use of one's own data, an attacker has to have "write" access to the data and there must be no backup. One of the things that computers do best is make cheap, dense, portable (backup) copies of data.
(Shpantzer): Law firms have a duty to protect their clients that may be actionable by the state bar association. This is news to many law firms who operate with one 'IT guy' and no dedicated security resources, while accumulating highly sensitive personal and corporate information. ]
************************** Sponsored Links: ******************************
1) Can you keep your XP systems compliant and secure after end of life without upgrading or paying for out-of-band support? http://www.sans.org/info/151460
2) Get Free Access to the World's Largest Open Threat Exchange. Join AlienVault OTX now! http://www.sans.org/info/151465
3) Join us March 7 in NYC at a morning briefing to discuss Financial Services Cybersecurity Trends And Challenges. http://www.sans.org/info/151470 Don't live in the area? Event will be simulcast as well. Register at: http://www.sans.org/info/151475
THE REST OF THE WEEK'S NEWS
Barclays Bank Investigating Alleged Theft of Customer Data (February 9 & 10, 2014)
Barclays Bank is investigating an alleged theft of customer data from Barclays Financial Planning, a division that closed in 2011. A UK news publication was provided with a USB drive containing about 2,000 customer records, but the person providing the information said that the data leak actually affects 27,000 records. The information consists of dossiers that include passport and national insurance information, mortgage and savings information, as well as results of a psychometric test to determine each individual's attitude toward risk. The data had allegedly been sold for use in boiler room high-pressure investment scams.
[Editor's Note (Pescatore): I'd like to see the press use the term "theft" more often in these reports, vs. "hacked" or "breached." Whether it is insider theft or outsider theft, from a business perspective it is a crime against the company. The technical details of how the theft occurred are of interest to security folks but I think dilute the impact to corporate management. ]
Iowa State University National Cyber Defense Competition (February 9, 2014)
Iowa State University's National Cyber Defense Competition took place on February 8. The event is designed to simulate real-world situations to allow students the chance to defend their networks from intrusions. Professor Doug Jacobson said, "This competition is important because it gives our students an opportunity to do some things that they can't learn in the classroom."
Medical Device Manufacturers' Networks Breached (February 8, 2014)
US authorities have informed three major medical device manufacturers that their networks have been infiltrated. Medtronic, Boston Scientific, and St. Jude Medical were hit by attacks during the first half of 2013; some of the attacks may have lasted for months. Because the companies have made no disclosures, it is assumed that no patient data were compromised.
[Editor's Note (Pescatore): Since the targets were the manufacturers of medical devices, one concern is theft of their intellectual property. I think the bigger issue is compromise of their infrastructure - both the source code for the actual devices and also for the server side of any services/updates they provide. ]
Twitter Publishes Transparency Report, Seeks to Disclose More Detailed Data (February 7, 2014)
Twitter has published its first transparency report under the new guidelines that allow companies to disclose information about requests for data made with FISA court orders. However, the company is seeking to publish more specific information about the requests from the US government. According to Twitter's most recent transparency report, it received 1,410 requests for data from governments during the last six months of 2013.
NSA Collects Less Than 30 Percent of Phone Call Metadata (February 7, 2014)
US officials say that the NSA collects less than 30 percent of Americans' phone call metadata because burgeoning cell-phone use has outstripped their ability to capture and store what they need. The challenges include collecting cell phone metadata without including cell phone tower location, which they are not authorized to retain. One official said that in 2006, the NSA was able to collect nearly 100 percent of phone records from certain companies, but that number has dropped to less than 30 percent as of summer 2013. The government is attempting to bring the data collection program up to its previous levels. Princeton University computer scientist Edward Felten said the new information "calls into question whether the rationale offered for the program is consistent with the way the program has been operating." As Deputy Attorney General James Cole told legislators last summer, "If you're looking for the needle in the haystack, you have to have the entire haystack."
Linkup Malware Blocks Internet Access and Mines for Bitcoins (February 7 & 10, 2014)
Newly detected ransomware known as Linkup takes control of users' computers to mine Bitcoins. This malware's twist is that it does not lock up data on the computers, but sends messages that appear to come from The Council of Europe, telling users that they are suspected of illegal activity and that until they provide personal information and pay a tiny fine, they will not be permitted to access the Internet.
PCI Standard Compliance Treated as Annual Hurdle, Not Consistent Practice (February 7, 2014)
According to a report from Verizon, most companies that attain annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) do not maintain that compliance over the course of the following year. Verizon based its report on PCI compliance assessments it conducted on more than 500 organizations between 2011 and 2013. According to the data, just over 11 percent of organizations maintained compliance between annual assessments. The problem is that many organizations treat compliance as an annual test rather than a "continuous risk management effort."
[Editor's Note (Murray): "Compliance" alone rarely leads to security. If it diverts too much resource or management attention, it may actually detract. That said, on balance, PCI DSS is a practical standard and its effect has been salutary. However, by design, it is more about improving than achieving or maintaining. It is about improving the security of the retail payment system more than about securing any participating enterprise.
(Shpantzer): Malicious compliance should not be a surprise to auditors. It's nearly universal and applies to every walk of life, with exceptions being, umm, exceptional. Said exceptions are usually driven by top leadership decisions to make the exception a marketable differentiator. Think Volvo and car safety in the 1970s and '80s, more recently Toyota with the Prius and the branding around efficiency, and Apple with the marketing of security on OS X.
(Guest Editor Daniel Wesemann): Verizon has done very good work with their compilation and presentation of the data. The Computerworld article just contains a (somewhat lopsided) interpretation of the Verizon report. ]
Phony Army Benefits Website May Have Stolen Credentials (February 7, 2014)
A website set up to mimic a US Army benefits site may have managed to trick soldiers into providing their personal information. The site, which called itself My Army Benefits, bears a name nearly identical to a real site, myarmybenefits.us.army.mil. The fraudulent site, which included a misspelled word in its name, collected soldiers' Army Knowledge Online (AKO) access credentials.
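As an added, defender-side example (not from this issue or from any SANS tool), the Python check below flags hostnames whose labels sit within a short edit distance of a known-good site such as myarmybenefits.us.army.mil, the near-identical-name pattern in the item above; the allowlist, the two-label zone approximation and the sample hostnames are all constructed for this example.

```python
from typing import Optional

# Constructed allowlist for this example: the legitimate site named in the item.
KNOWN_GOOD_HOSTS = ["myarmybenefits.us.army.mil"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _org_zone(host: str) -> str:
    """Last two labels, e.g. 'army.mil'. This two-label approximation is an
    assumption of the example; a real deployment would consult the Public
    Suffix List to find the registrable domain."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str, known_good=KNOWN_GOOD_HOSTS,
                 max_dist: int = 2) -> Optional[str]:
    """Return the known-good host that `host` appears to imitate, or None.

    A candidate is a lookalike when it is outside the legitimate zone and any
    of its labels (hyphens removed) is within `max_dist` edits of the brand
    label of a known-good host. Distance 0 catches the same name on a foreign
    zone; 1-2 catch a single misspelling such as a dropped or swapped letter.
    """
    host = host.lower().strip(".")
    for good in known_good:
        good = good.lower()
        # Anything inside the organization's own zone is not an imitation.
        if host == good or host.endswith("." + _org_zone(good)):
            continue
        brand = good.split(".")[0]
        for label in host.split("."):
            if levenshtein(label.replace("-", ""), brand) <= max_dist:
                return good
    return None


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a proxy log.
    for h in ["myarmybenefit.com", "www.my-army-benefits.org",
              "portal.us.army.mil", "example.com"]:
        print(h, "->", lookalike_of(h))
```

Run over new-domain feeds or outbound proxy logs, a hit is a cue to block the host and to look for credential submissions to it, not proof of fraud on its own.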
More Debunking of Sochi Attacks (February 6 & 7, 2014)
Experts are debunking an NBC report about the alarming speed with which wireless devices were infected with malware upon being connected to the Internet while in Russia. The report included an anecdote about malware being downloaded onto a phone that allowed attackers to eavesdrop on conversations and access data; however, it appears that the reporter deliberately allowed the malware to download. An expert who appeared on the report with the journalist also says that "incorrect impressions may have been formed" because of the way the story was edited. All the attacks required user interaction. Similar attacks could happen anywhere with this sort of "risky behavior." The report made it sound as if the minute electronic devices were booted up in Sochi, they were barraged with attacks and malware. NBC is now saying that the report was designed to demonstrate how people with little or no technical savvy could become victims of such attacks.
Man Sentenced for Attack on Koch Industries Subsidiary's Network (February 5, 2014)
A district judge in Wisconsin has sentenced Christopher Michael Sudlik to 36 months of probation for his role in distributed denial-of-service (DDoS) attacks against servers of a Koch Industries subsidiary. Sudlik was also ordered to pay more than US $110,000 in restitution and perform 60 hours of community service.
STORM CENTER TECH CORNER
Bitcoin Stealing OS X Malware
Revised and additional bulletins include MSIE
New ISO Standards for Vulnerability Handling
Ruby on Rails "Paperclip" Vulnerability
AVM Fritzbox Security Update
LinkedIn Discontinues "Intro"
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/