SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #28

April 08, 2014

TOP OF THE NEWS

GAO Report Says Government Agency Incident Response is Inconsistent, Ineffective
HHS OIG Report Describes Serious Security Issues at State Medicaid Agencies
DHS Preparing to Revamp its Security Operations Center
EU Data Retention Directive Ruled Invalid

THE REST OF THE WEEK'S NEWS

Some Governments Paying for Extended Custom Windows XP Support
Heartbleed Vulnerability in OpenSSL Cryptographic Library
Booz Allen Hamilton CIO Reports to CISO
US Supreme Court Says NSA Metadata Case Must Come Up Through Normal Channels
Neiman Marcus Breach Likely Linked to Russian Criminal Network
Microsoft Gets Tough on Adware
Data Classification Challenges
Website's Cross-Site Scripting Flaw Exploited to Launch DDoS Attack
ZeuS Variant Uses Valid Digital Certificate

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By The Economist Group ********************
How much money did that attack just cost your company? What's the value of prevention? Find out using The Economist Intelligence Unit's CyberTab, a free and anonymous tool that tallies the bill from specific attacks, sponsored by Booz Allen Hamilton. Enter expense and lost-business estimates, and get a detailed report. http://www.sans.org/info/156395
***************************************************************************
TRAINING UPDATE


-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


-- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

GAO Report Says Government Agency Incident Response is Inconsistent, Ineffective (April 3 & 7, 2014)

A forthcoming report from the US Government Accountability Office (GAO) says that in most cases, government agencies have not responded to cyber incidents in effective ways. Gregory C. Wilshusen, GAO Director of Information Security Issues, recently testified before the Senate Homeland Security and Governmental Affairs Committee. He told them that a study of the 24 major agencies showed inadequate response to cyber incidents approximately 65 percent of the time. A focused examination of six agencies found that while they had established incident response plans, policies, and procedures, they were not always comprehensive or in line with federal requirements.
-http://www.zdnet.com/government-breaches-at-all-time-high-press-blunder-under-re
ports-by-millions-7000028113/
-http://www.govinfosecurity.com/gao-federal-incident-response-erratic-a-6707
[Editor's Note (Assante): This weakness is not a government monopoly as most organizations have erratic responses. The challenge begins with failures in implementing and tuning security tools and extends to a lack of preparation and practice. Many organizations do not exercise their process and people enough to achieve a comfort level around both practices and competencies. We need to ask ourselves, in a world where you should assume intrusions have already occurred...How are we not getting better at this? Should we not be in a constant engagement cycle of incident discovery, response, and applied learning? What does that tell you about our collective ability to detect intrusions? ]

DHS Preparing to Revamp its Security Operations Center (April 4, 2014)

The US Department of Homeland Security (DHS) is getting ready to overhaul its security operations center (SOC). DHS CISO Jeff Eisensmith is requesting ideas for SOC operations that include the use of the Intrusion Defense Chain or "kill chain" mechanism. This methodology predicts what intruders will do and breaks that prediction down into steps that will need to be completed before the next one is undertaken. Then countermeasures are devised for each step along the way.
-http://www.nextgov.com/cio-briefing/2014/04/dhs-prepares-overhaul-internal-secur
ity-operations/81937/?oref=ng-channelriver
[Editor's Note (Paller): It would be valuable to the nation if Mr. Eisensmith's innovations in improving incident monitoring and response encompass the US-CERT operations center which is also a part of DHS. Other agencies wrongly assume that US-CERT is investigating the attacks closely rather than just putting them in categories ("bucketing"). In essence, no one is looking closely, and without deep analysis of attacks, kill chain analysis also fails. The failure is nearly always caused by the lack of personnel with advanced network and malware analysis skills at US-CERT, effectively blinding the watchers. ]

HHS OIG Report Describes Serious Security Issues at State Medicaid Agencies (April 7, 2014)

A report from the US Department of Health and Human Services (HHS) Office of Inspector general (OIG) itemizes high-risk security issues that affect 10 state Medicaid agencies. The issues were detected during audits performed between 2010 and 2012. The 79 issues were grouped "into 15 security control areas within three information system general categories: entity-wide controls, access controls, and network operations controls."
-http://www.scmagazine.com/hhs-reveals-high-risk-security-issues-at-medicaid-agen
cies/article/341678/
HHS OIG Report:
-http://oig.hhs.gov/oas/reports/region7/71400433.pdf

EU Data Retention Directive Ruled Invalid (April 8, 2014)

Major breaking news in Europe today is the European Court of Justice ruling the EU Data Retention Directive from 2006 is "invalid". The European Court of Justice says it violates two basic rights - respect for private life and protection of personal data.
-http://www.bbc.com/news/world-europe-26935096
-http://www.irishtimes.com/business/sectors/technology/european-court-declares-da
ta-retention-directive-invalid-1.1754150

---

************************** Sponsored Links: ******************************
1) Ponemon - 2013 4th Annual Cost of Cyber Crime Study: The 4th Annual Cost of Cyber Crime study is based on a benchmark sample of U.S. organizations which shows that cyber attacks not only increased 12 percent last year, the costs associated with those attacks increased by an average of 26 percent or 2.6 million per organization. Read the study now to learn more details. http://www.sans.org/info/156595

2) Your organizations servers are vulnerable! Learn how to improve server security through leveraging application controls. http://www.sans.org/info/156405

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Some Governments Paying for Extended Custom Windows XP Support (April 7, 2014)

After Tuesday, April 8, Microsoft will no longer offer security updates for Windows XP. Governments in some countries, including the UK and the Netherlands, have worked out custom arrangements with Microsoft to maintain support for their XP systems. The UK government is paying Microsoft GBP 5.548 million (US $9.2 million) for an additional year of XP support. The Dutch government is paying for extended support through January 2015.
-http://www.bbc.com/news/technology-26884167
-http://www.computerworld.com/s/article/9247504/Windows_XP_The_end_is_nigh?pageNu
mber=1
-http://www.pcworld.com/article/2139929/windows-xp-support-will-be-available-afte
r-april-8-just-not-for-you.html
-http://www.zdnet.com/dutch-government-pays-millions-to-extend-microsoft-xp-suppo
rt-7000028116/
[Editor's Note (Pescatore): Those hefty fees for custom support should be good incentive for migrating from Windows 7 before its January 14, 2020 end of extended support date. ]

Heartbleed Vulnerability in OpenSSL Cryptographic Library (April 7 & 8, 2014)

A newly detected vulnerability in the OpenSSL cryptographic library can be exploited to reveal contents of secured messages as well as primary and secondary SSL keys. The flaw is being called "Heartbleed." The issue lies not in OpenSSL's design, but in its implementation. A fix is available for OpenSSL 1.0.1 and a fix for the 1.0.2 beta should be available soon. Sites could still be vulnerable to attacks after installing the patch if the private key has already been stolen. To ensure that they do not remain vulnerable, sites may have to revoke exposed keys, reissue new keys, and invalidate all session keys and session cookies.
-http://www.theregister.co.uk/2014/04/08/running_openssl_patch_now_to_fix_critica
l_bug/
-http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-
7000028166/
-http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two
-thirds-of-the-web-to-eavesdropping/
-http://heartbleed.com
[Editor's Note (Skoudis): This is a REALLY serious bug, and you need to patch right right away. Otherwise, attackers can swipe some very sensitive information from your websites that could come back and hurt you later. Thousands of sites (including some really big-name brands) are vulnerable. If you use OpenSSL to protect your websites, I urge you to ensure that you have a patched version in place. As they say at the Internet Storm Center for various super critical patches: PATCH NOW!
(Honan): This issue is a timely reminder that all software can contain security vulnerabilities. Simply because the source code of Open Source software can be reviewed by anyone that does not mean they will know how to look for security vulnerabilities or indeed detect them.]

Booz Allen Hamilton CIO Reports to CISO (April 7, 2014)

At Booz Allen Hamilton, the chief information officer (CIO) reports to the chief information security officer (CISO). Although this is the reverse of what is true in most organizations, Booz Allen Hamilton "elevated the role of security function associated with information to an all-encompassing umbrella in which
[they ]
consider all ... systems operations." The nature of the company's business requires that it "demonstrate the importance of security in its operations."
-http://www.govinfosecurity.com/blogs/role-reversal-cio-reports-to-ciso-p-1648
[Editor's Note (Pescatore): I doubt this will be a trend, as it means the majority of the CISO's time will now be spent on non-security related matters. ]

US Supreme Court Says NSA Metadata Case Must Come Up Through Normal Channels (April 7, 2014)

The US Supreme Court Monday declined to hear a case challenging the legality of the National Security Agency's (NSA's) bulk phone metadata collection. The plaintiffs had attempted to bypass standard judicial process by bringing the case to the Supreme Court following a US District Court ruling late last year. The Supreme Court's decision not to hear the case means that it will have to work its way up through the court system. In December 2013, US District Judge Richard Leon ruled that the NSA's bulk phone metadata collection program does violate a reasonable expectation of privacy and could have violated the Fourth Amendment; Judge Leon stayed his own decision in the interest of national security pending appeal.
-http://arstechnica.com/tech-policy/2014/04/supreme-court-passes-on-nsa-bulk-phon
e-surveillance-case/
-http://www.cnet.com/news/us-supreme-court-wont-look-at-nsa-bulk-phone-collection
-practices/
-http://www.zdnet.com/supreme-court-holds-off-on-looking-at-legality-of-nsa-bulk-
metadata-collection-for-now-7000028143/

Neiman Marcus Breach Likely Linked to Russian Criminal Network (April 6, 2014)

The group behind the data breach at Neiman Marcus is believed to be the same one responsible for other breaches that have stolen 160 million payment card numbers from more than 100 companies, including Citigroup and J.C. Penney, over the last seven years. Investigators found evidence, including hacking tools and methods of moving data unique to the Russian group. Although there have been international attempts to thwart the groups' activity, just five people have been indicted, and only two are in custody. FBI agents traveled to Russia in 2008 and 2009 to share information with their counterparts there. Despite assurances to the contrary, no arrests were made, and US agents surmised that Russian agents were using US intelligence to identify talented hackers for use in other arenas.
-http://www.bloomberg.com/news/2014-04-07/neiman-marcus-breach-linked-to-russians
-who-eluded-u-s-.html

Microsoft Gets Tough on Adware (April 4 & 7, 2014)

Microsoft is cracking down on its classification of adware. Companies have three months to make changes to their products or risk having those products blocked by Microsoft security programs by default starting July 1. Programs that display ads within other programs, such as browsers, will be scrutinized. The ads must have obvious close buttons and display the name of the program that generated the ads. If the program functions as a browser extension or a toolbar, it must incorporate a standard uninstall method.
-http://www.theregister.co.uk/2014/04/07/microsoft_puts_adware_in_the_crosshairs_
again/
-http://www.computerworld.com/s/article/9247445/Microsoft_will_block_adware_witho
ut_easy_uninstall?taxonomyId=17
Microsoft's Unwanted Software Evaluation Criteria:
-http://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx
[Editor's Note (Pescatore): In general a good thing, but in the past Potentially Unwanted Software (PUS, one of my favorite acronyms) and Potentially Unwanted Program (PUP) blocking algorithms had high false positive rates, which begat the whole "turn off your anti-malware program when you install our software" mess. Also, need Microsoft, Apple and Google to use similar definitions of PUS/PUP. Back when spyware was the rage, the old Anti-spyware coalition was where companies agreed on common definitions. Today, the Stopbadware.org guidelines are good. ]

Data Classification Challenges (April 4, 2014)

Data classification evokes distinct responses from people who believe it is impossible and from those who believe it is essential as it exists within their environment. Both positions are correct. In most average business environments, data classification presents difficulties because of network shares, mobile devices, and other practices that create "data sprawl." Other organizations such as the Defense Department and pharmaceutical companies rely on data classification for their operations. In these cases, data classifications are easily defined. Effective data classification requires a limited set of categories, otherwise users get confused and frustrated and the likelihood of misclassification grows. The classifications should depend on the data's value and the risk of the data "falling into the wrong hands, being destroyed, or losing
[their ]
integrity."
-http://www.darkreading.com/tech-insight-making-data-classification-work/d/d-id/1
174144?
[Editor's Note (Pescatore): Anyone who has worked in DoD or the Intelligence communities knows that they are not great examples of *effective* data classification, where I define effective as both reducing security incidents *and* not impeding legitimate business, collaboration, etc. It is hard to find success stories of enterprise-wide data classification efforts - the success stories usually involve different processes/controls for different types of data, vs. any one size fits all approach.
(Murray): Data classification is a tool, difficult, essential, about how much one wants to spend on protection, and must be built into the culture of the enterprise. It is about communicating to users and holders of the data decisions made by the classifying authority (e.g., author, owner) about how to protect the information. It addresses the very capabilities that are used as excuses for not doing it. Those without an effective program are spending too little on a small amount of data and too much on a large amount. One can expect to spend years, rather than months, building it in. Avoid the tendency to over classify. Use automatic (e.g., age based) reduction in class. "Sensitive but 'unclassified'" is an oxymoron. ]

Website's Cross-Site Scripting Flaw Exploited to Launch DDoS Attack (April 4 & 7, 2014)

Last week, attackers exploited a cross-site scripting (XSS) flaw in a popular website to hijack site visitors' browsers to be used in a distributed denial-of-service (DDoS) attack. The attackers embedded malicious JavaScript embedded in image icons for dummy accounts they created. Whenever those images were viewed, the JavaScript injected a hidden iframe that allowed the attackers to hijack users' browsers and make them send GET requests to the DDoS target.
-http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors
-into-a-botnet-of-ddos-zombies/
-http://www.computerworld.com/s/article/9247450/XSS_flaw_in_popular_video_sharing
_site_allowed_DDoS_attack_through_browsers?taxonomyId=17
-http://www.scmagazine.com/xss-vulnerability-in-popular-video-site-enables-unique
-ddos-attack/article/341453/
[Editors' Note (Murray and Paller): Colleges and technical schools are not teaching programmers that validating inputs is essential, much less that it requires knowledge and skill that distinguishes professionals from amateurs. ]

ZeuS Variant Uses Valid Digital Certificate (April 3 & 7, 2014)

A new variant of the ZeuS malware uses a valid digital certificate to evade detection. The certificate lets the malware be executed in the guise of a valid Windows app. The signing key used belongs to a Microsoft-registered third-party developer in Switzerland.
-http://www.scmagazine.com/zeus-variant-uses-valid-digital-signature-to-avoid-det
ection/article/341674/
-http://www.theregister.co.uk/2014/04/05/digitally_signed_zeus/
-http://www.networkworld.com/news/2014/040414-zeus-malware-found-with-valid-28041
6.html

---

STORM CENTER TECH CORNER

Weird HTTP Request
-https://isc.sans.edu/forums/diary/Attack+or+Bad+Link+Your+Guess+/17915

Indosat BGP Problem
-http://www.renesys.com/2014/04/indonesia-hijacks-world/

Power Shell Malware
-http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-
infected-using-windows-powershell

Microsoft Patch Tuesday Pre-Release
-http://technet.microsoft.com/en-us/security/bulletin/ms14-apr

Windows 8.1 Updates
-http://blogs.windows.com/windows/b/windowsexperience/archive/2014/04/02/windows-
8-1-update-important-refinements-to-the-windows-experience.aspx

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/