From: The SANS Institute (NewsBitessans.org)
Date: Tue May 14 2013 - 13:50:00 CDT
One more day to save $250 on SANSFIRE courses in Washington DC June
14-22. 40 world-class courses from deep technology updates to
management techniques to auditing, plus the best technical security
conference other than RSA - and the conference, run by the Internet
Storm Center is free for all course attendees. Information:
SANS NewsBites May 14, 2013 Vol. 15, Num. 038
TOP OF THE NEWS
US Government is the Largest Purchaser of Hacking Tools
Bloomberg Reporters Had Access to Client Account Information
iPhone Encryption Stymies Law Enforcement
THE REST OF THE WEEK'S NEWS
US State Department Demands 3D Printable Weapons Designs be Taken Down
Malicious Browser Extensions Hijack Facebook Accounts
NY Attorney General Wants Mobile Phone Companies to Help Thwart
Academic Institutions Warned About Configuration Issues That Could
be Exploited to Launch DDoS Attack
ESPN May Be Seeking Arrangement to Uncap its Wireless Traffic Limits
Proposed Legislation Would Place Privacy Onus on Mobile App Developers
Concerned About Security Risks in Telecom Equipment, India Will
Establish Testing Lab
Hackers Exploited Known Flaw in ColdFusion to Steal Data from
Washington State Court System
****************** SPONSORED BY ForeScout Technologies ******************
Did you know that ForeScout is a Gartner Magic Quadrant Leader for
Network Access Control? Download the free report to find out why magic
quadrant leadership and network access control are crucial for your
- -- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
- -- SANSFIRE 2013 Washington, DC June 14-22, 2013
41 courses. Bonus evening sessions include Avoiding Cyberterrorism
Threats Inside Hydraulic Power Generation Plants; and Automated Analysis
of Android Malware.
- -- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013
10 courses. Bonus evening sessions include OODA - The Secret to
Effective Security in Any Environment; and APT: It is Not Time to Pray,
It is Time to Act.
- -- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013
7 courses. Bonus evening sessions include Offensive Digital Forensics;
and Base64 Can Get You Pwned!
- -- SANS Boston 2013 Boston, MA August 5-10, 2013
9 courses. Bonus evening sessions include Cloud R and Forensics; and You
Can Panic Now. Host Protection is (Mostly) Dead.
- -- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Four
dedicated pen test training courses led by five SANS world-class
- -- SANS London Summer 2013 London, UK July 9-July 16, 2013
5 courses. SANS has added a new London date to the security-training
calendar, giving security professionals the opportunity to take one of
four of SANS' most popular 6-day courses and the excellent 2 day
Securing The Human course.
- -- Looking for training in your own community?
- -- Save on On-Demand training (30 full courses) - See samples at
Plus Malaysia, Canberra, Austin and Mumbai all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
TOP OF THE NEWS
--US Government is the Largest Purchaser of Hacking Tools
(May 10 & 13, 2013)
According to a report from Reuters, the US government is the single
largest buyer in the "gray market" of offensive hacking tools. While
tools that exploit unknown vulnerabilities provide a tactical advantage,
not disclosing the flaws leaves other organizations, including those in
the US, vulnerable to attacks. Former high level cybersecurity officials
have expressed concern about the situation. Former White House
cybersecurity advisor Richard Clarke said, "If the US government knows
of a vulnerability that can be exploited, under normal circumstances,
its first obligation is to tell US users." Howard Schmidt, also a former
White House cybersecurity advisor, said, "It's pretty naive to believe
that with a newly-discovered zero-day, you are the only one in the world
that's discovered it." And former NSA director Michael Hayden said that
although "there has been a traditional calculus between protecting your
offensive capability and strengthening your defense, it might be time
now to readdress that at an important policy level." Paying the
vulnerability purveyors for the malware also removes the incentive for
talented hackers to inform software makers about the flaws.
[Editor's Note (Pescatore): Governments are the largest buyers of all
offensive weapons and the US government (DoD/Intelligence plus national
law enforcement) is usually the largest of the government buyers, so
this is sort of a "drug companies are the biggest buyers of opiates"
(Assante): The main ramification of a thriving tools market is greater
investment in vulnerability discovery and the development of more
powerful tools to assemble and test exploits. 2006 is considered a
turning point as the emerging underground tool market bred
specialization and provided paths for money to cycle through the system.
Monetization of hacking gains began to feed upstream tool developers and
people willing to commit attacks became more reliant on tools that were
purchased. Super buyers will certainly influence this market place, but
they are only one category of participant - these markets are here to
--Bloomberg Reporters Had Access to Client Account Information
(May 11, 12 & 13, 2013)
Bloomberg news editor-in-chief Matthew Winkler has apologized for
employees using the company's financial data terminals to snoop on
customers. Bloomberg reporters had access to login histories,
"high-level types of user functions on an aggregated basis," and help
desk inquiries. Having access to the information may have given
Bloomberg reporters an edge over other reporters. The terminals, which
are in many financial institutions and related organizations, provide
financial industry professionals with real-time market data, news, and
a messaging service. Companies rent the machines for US $20,000 a year.
Winkler wrote, "Our reporters should not have access to any data
considered proprietary. I am sorry they did. The error is inexcusable."
The issue came to light after a Bloomberg reporter commented to a
Goldman Sachs executive that another Goldman executive had not logged
in recently. The reporters no longer have access to the customer
(Please note that the New York Times requires a paid subscription)
Matthew Winkler's Apology:
[Editor's Comment (Northcutt): One of the things I learned from Ben
Wright's course on the Law of Data Security and Investigations is how
important it is to handle incidents rapidly and transparently. I think
Bloomberg passed this test, and this will fade away.]
--iPhone Encryption Stymies Law Enforcement
(May 10 & 11, 2013)
Law enforcement agencies are growing frustrated with Apple iPhone
encryption. Because the encryption used on the devices is so strong, law
enforcement agencies are finding that they need to ask Apple to manually
override the security controls and decrypt the data on seized devices.
The demand is high enough to have created a significant backlog. Some
law enforcement officials report having been told that they would
have to wait seven weeks for Apple to help decrypt the information. Law
enforcement frustration with Apple's encryption is not new. Just a few
weeks ago, the US Drug Enforcement Agency (DEA) warned that messages
sent through Apple's Messages App are nearly impossible to wiretap. The
issue is illustrative of the balance that needs to be struck between law
enforcement's need to eavesdrop on certain communications, and people's
right to privacy.
*************************** Sponsored Links: ******************************
1) Risk vs. Cost of DDoS Protection: How to model costs and risks of
these attacks for evaluating DDoS protection.
2) At the Mobile Device Security Summit experts and practitioners will
detail proven approaches to securing BYOD.
THE REST OF THE WEEK'S NEWS
--US State Department Demands 3D Printable Weapons Designs be Taken Down
(May 9, 10, & 13, 2013)
The US State Department has sent a letter to Defense Distributed
demanding that it remove from the Internet plans for a 3D-printable gun
and nine other weapons components. The letter indicated that their
presence on the Internet and their availability to entities outside the
US could be a violation of US arms control regulations. The files are
no longer available on the company's Defcad website, but the plans for
the gun have been downloaded more than 100,000 times already, and copies
of the plans have been uploaded to filesharing sites. The State
Department's Office of Defense Trade Controls Compliance demanded that
the documents be removed until Defense Distributed founder Cody Wilson
can prove that he did not violate US laws. Kim Dotcom, who recently
launched a new file-storage service called Mega, has also ordered that
the plans be removed from the company's servers. The government had not
contacted Mega to request the content takedown.
--Malicious Browser Extensions Hijack Facebook Accounts
(May 13, 2013)
According to a warning from Microsoft's Malware Protection Center, a
Trojan horse program called JS/Febipos.A is taking control of Facebook
accounts by disguising itself as a legitimate Firefox add-on or Google
Chrome extension. The Trojan checks to see if users are logged in to
Facebook, then receives configuration instructions from a remote site
which enable it to perform most Facebook activity posing as the user.
The issue currently affects users in Brazil.
--NY Attorney General Wants Mobile Phone Companies to Help Thwart
(May 13, 2013)
New York State Attorney General Eric Schneiderman has sent letters to
the CEOs of Apple, Samsung, Google, Motorola, and Microsoft asking them
to specify what they are doing to make phones less susceptible to theft.
Schneiderman asked why the companies do not offer technology that would
make stolen phones useless, which would deter thieves.
[Editor's Note (Pescatore): Lots wrong with this idea, but it is a feel
good kinda thing. There are already a myriad of ways to quickly shut
down the phone service, and (like with cars) there is insurance for
device loss. The same idea never flew with automobiles, even though way
more of those are stolen - and the economic impact is much higher. I can
see all kinds of denial of service opportunities with the "remote device
--Academic Institutions Warned About Configuration Issues That Could
be Exploited to Launch DDoS Attack
(May 10, 2013)
The Research and Education Networking Information Sharing and Analysis
Center (REN-ISAC) is advising academic institutions to take precautions
to make sure their computer systems are not hijacked and used in
distributed denial-of-service (DDoS) attacks. The alert refers
specifically to DNS amplification or reflection attacks, which increase
the intensity of the attacks. REN-ISAC recommends that schools examine
their Domain Name System (DNS) and network configurations. "The network
configuration issue concerns the ability for a machine on your network
to send packets marked with a source IP address that doesn't belong to
you ("spoofed") to outside your network. The DNS issue concerns a
configuration that allows outsiders to exploit your DNS servers to send
high volumes of traffic at arbitrary target machines." The technical
alert provides specific actions to take to remediate the configuration
problems. REN-ISAC is a private organization with more than 350
academic institution members in the US, Canada, Australia, New Zealand,
Alert (Technical Version):
[Editor's Note (Pescatore): Another 20 Critical Security Controls
pointer here. Control 3: Secure Configurations.]
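As an added illustration (not REN-ISAC's own tooling or the alert's text), the following Python sketches the two checks the alert describes: a BCP 38 style egress rule that only lets packets leave with a source address from the institution's own prefixes, and a scan of BIND-style query-log lines for outside clients asking the resolver to recurse. The prefixes, client addresses and log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical campus prefixes (constructed for this example).
OUR_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:100::/48")]

# BIND-style query log lines, constructed for this example. In this log
# format the "+" flag means the client set the RD (recursion desired) bit,
# "-" means it did not; "E" means EDNS was used.
QUERY_LOG = """\
13-May-2013 10:00:01.101 client 203.0.113.20#40112: query: www.example.edu IN A + (203.0.113.53)
13-May-2013 10:00:01.202 client 198.51.100.9#53211: query: example.com IN ANY +E (203.0.113.53)
13-May-2013 10:00:01.203 client 198.51.100.9#53211: query: example.com IN ANY +E (203.0.113.53)
13-May-2013 10:00:01.204 client 198.51.100.9#53211: query: example.net IN ANY +E (203.0.113.53)
13-May-2013 10:00:02.310 client 192.0.2.77#5353: query: example.edu IN MX - (203.0.113.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def is_ours(ip: str) -> bool:
    """True if the address falls inside one of our own prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def egress_allowed(src_ip: str) -> bool:
    """BCP 38 style egress rule: an outbound packet may leave only if its
    source address is ours; anything else is spoofed and should be dropped."""
    return is_ours(src_ip)


def open_resolver_abuse(log: str):
    """Scan a query log for the open-resolver symptom: outside clients that
    asked us to recurse. Returns (recursive queries per outside client,
    ANY queries per outside client); ANY is the classic high-amplification
    query type, so a burst of them from one address is the signal to act on."""
    recursive_outside = Counter()
    any_outside = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, qtype, flags = m["ip"], m["qtype"], m["flags"]
        if is_ours(ip) or not flags.startswith("+"):
            continue  # our own client, or recursion was not requested
        recursive_outside[ip] += 1
        if qtype == "ANY":
            any_outside[ip] += 1
    return recursive_outside, any_outside
```

In practice the same two decisions are made by the border router's egress ACL and by the resolver's own recursion policy; the script only shows what each rule has to decide.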
--ESPN May Be Seeking Arrangement to Uncap its Wireless Traffic Limits
(May 10, 2013)
According to a report in The Wall Street Journal, sports broadcasting
network ESPN is talking with at least one wireless carrier about ways
to exempt its traffic from data caps. While it is not known which
provider ESPN is negotiating with, both Verizon and AT&T have indicated
that they would consider such arrangements. Net neutrality proponents
are not pleased, but an arrangement like the one rumored to be under
consideration would probably not violate the US Federal Communications
Commission's (FCC's) rules, which require wired broadband providers to
treat all traffic equally. Wireless providers may provide preferential
treatment if they are transparent about their practices and do not
completely block sites.
[Editor's Note (Murray): The FCC struck a bad bargain with AT&T and
Verizon when they opted for net neutrality on the wired side, where it
is not important, at the expense of the air side, where it is. This is
only one example of how the ISPs can make money by pitting the users of
one application against those of another and by under provisioning the
network and pricing scarcity.]
--Proposed Legislation Would Place Privacy Onus on Mobile App Developers
(May 10, 2013)
A US legislator has introduced the Application Privacy, Protection and
Security Act of 2013, a bill that would require mobile app developers
to take responsibility for the privacy of users' data. The legislation
would require developers to inform users which data the apps collect and
how the data are stored, and to obtain consent before the data are
gathered. The developers would also need to specify how they will use
the collected data, and whether they will be shared with other parties.
The Federal Trade Commission would bear the responsibility of enforcing
the measure should it become law.
Discussion Draft of the Bill: http://hankjohnson.house.gov/sites/hankjohnson.house.gov/files/documents/APPS_Act_Key_Provisions.pdf
[Editor's Note (Pescatore): I'm a big fan of opt-in, but
technology-focused legislation invariably ends up with a lot of
unintended consequences in the long run. Why only mobile applications?]
--Concerned About Security Risks in Telecom Equipment, India Will
Establish Testing Lab
(May 8 & 10, 2013)
India is the latest country to express concern about possible security
risks associated with using telecommunications equipment from Chinese
companies Huawei and ZTE. India's Department of Telecommunications is
reportedly setting up a laboratory to test telecom equipment made by
foreign manufacturers for security issues. The testing could also be
required for products from US companies, such as Cisco and Alcatel.
[Editor's Note (Pescatore): The UK and Australia are taking a similar
approach. This is clearly heading towards a "Common Criteria" testing
approach - which is the only feasible solution in the long run.]
--Hackers Exploited Known Flaw in ColdFusion to Steal Data from
Washington State Court System
(May 9 & 10, 2013)
A data security breach at the Washington state Administrative Office of
the Courts (AOC) has compromised 160,000 social security numbers (SSNs)
and one million driver's license numbers. The attackers exploited a
known flaw in Adobe ColdFusion to access the data. Adobe issued a fix
for the vulnerability in January 2013. The patch addressed four issues,
but an AOC spokesperson did not specify which flaw was exploited in the
attack. The incident occurred sometime between September 2012 and
February 2013. Adobe recently acknowledged another flaw in ColdFusion
and expects to release a patch for it on Tuesday, May 14. This is not
the flaw that was exploited in the attacks.
AOC Breach Information:
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years.
He became a director of the SANS Institute in 2013. He has worked in
computer and network security since 1978 including time at the NSA and
the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director
responsible for all criminal and cyber programs and investigations
worldwide, as well as international operations and the FBI's critical
incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management;
he founded the GIAC certification and was the founding President of STI,
the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center and Dean of the Faculty of the graduate school at the SANS
Ed Skoudis is co-founder of CounterHack, the nation's top producer of
cyber ranges, simulations, and competitive challenges, now used from
high schools to the Air Force. He is also author and lead instructor of
the SANS Hacker Exploits and Incident Handling course, and Penetration
Michael Assante was Vice President and Chief Security Officer at NERC,
led a key control systems group at Idaho National Labs, and was American
Electric Power's CSO. He now leads the global cyber skills development
program at SANS for power, oil & gas and other critical infrastructure
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy
Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in
Information Assurance and Associate Professor at the Naval Postgraduate
Sean McBride is Director of Analysis and co-founder of Critical
Intelligence, and, while at Idaho National Laboratory, he initiated the
situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director
of the digital forensics and incident response research and education
program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for
InGuardians, a handler for the SANS Institute's Internet Storm Center,
and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS
Institute. He has written five books, including Insider Threat and he
is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information
security field who have held a top management position in a Fortune 50
company (Alcoa). He is leading SANS' global initiative to improve
David Hoelzer is the director of research & principal examiner for
Enclave Forensics and a senior fellow with the SANS Technology
Gal Shpantzer is a trusted advisor to CSOs of large corporations,
technology startups, Ivy League universities and non-profits
specializing in critical infrastructure protection. Gal created the
Security Outliers project in 2009, focusing on the role of culture in
risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production
manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit