SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #3
January 10, 2014
TOP OF THE NEWS
When Support for Windows XP Ends in April, Microsoft Will Also Pull Security Essentials for XP
New Hampshire Town Lost Files to CryptoLocker
Proposed Bill in California Would Ban Officials and Agencies from Helping NSA
THE REST OF THE WEEK'S NEWS
Yahoo! Mail Now Encrypted by Default
Fixes Issued for Two Flaws in Siemens ICS Switches
More Details Emerge About Yahoo! Ad Hijacking
Microsoft's First Patch Tuesday for 2014
Report Says Snowden Downloaded 1.7 Million Intelligence Files
Bank Sues Over Fraudulent ACH Transactions
Audit Finds Inconsistent Response to Data Breaches at US Government Agencies
Teen Who Found Vulnerability in Government Website Was Reported to Police
FIRST LOOK: Rogue Wave Software Acquires Klocwork
STORM CENTER TECH CORNER
************************ Sponsored By Bit9 *****************************
26% of organizations' servers have been hit by advanced malware. In 2013, Bit9 conducted its third-annual survey on server security. The inability to detect or stop advanced attacks remained a constant challenge for enterprises. Download this report to gain insight into latest server security trends that may impact your organization. http://www.sans.org/info/148225
**************************************************************************
TRAINING UPDATE
--SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014
--SANS Cyber Threat Intelligence Summit February 4-11, 2014 Arlington, VA This summit will focus on the tools, techniques, and analytics that enterprises need to collect and analyze threat data and turn it into action to mitigate risks and elevate security.
http://www.sans.org/event/sans-cyber-threat-intelligence-summit
--SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014
--SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014
--ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014
--SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014
--SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
When Support for Windows XP Ends in April, Microsoft Will Also Pull Security Essentials for XP (January 8 & 9, 2014)
In what appears to be a concerted effort to urge users to upgrade from Windows XP to a more current version of the operating system, Microsoft has announced that when it stops supporting XP in April, it will also cease support for Security Essentials on XP.
-http://www.v3.co.uk/v3-uk/news/2322034/microsoft-deals-new-blow-to-xp-diehards-by-pulling-malware-protection
-http://arstechnica.com/information-technology/2014/01/security-essentials-for-windows-xp-will-die-when-the-os-does/
[Editor's Note (Assante): XP is widely deployed as an operating system used for SCADA/ICS. This large installed base will not migrate quickly, resulting in premiums for future zero-day exploits. This pressure comes at a time when many ICS are being further interconnected and growing numbers of components are being directly mounted on the Internet.
(Murray): The problem for most organizations will be legacy applications and embedded systems. Reduce the attack surface; consider migrating, "wrappers," and firewalls.
(Pescatore): This is one of many reasons why the infrastructure should never be depended on for securing itself, and why enterprises should always weigh the risk of depending on infrastructure vendors for products to secure that infrastructure. Since security product revenue is always a very small percentage of overall revenue at any infrastructure vendor, there are disincentives for continuing to support a security product that might actually delay migration to a new version or product. Independent security vendors actually have incentive (they need that revenue) to support old or less popular versions of OSs and applications.
(Ullrich): For systems that need to keep running on Windows XP, now is the time to think about how to secure these systems better. Limit them to "essential" functions (that means whatever the function is that prevents you from upgrading) and remove all non-essential software as much as possible. With the end of support of Windows XP, a lot of third party security software like malware scanners will likely stop supporting Windows XP as well.]
New Hampshire Town Lost Files to CryptoLocker (January 7, 2014)
A New Hampshire town has lost eight years' worth of computer files to the CryptoLocker ransomware. An employee at the Greenland, NH, town hall opened an attachment accompanying an email purporting to be from AT&T on December 26. The system administrator did not learn about the issue until four days later, after the deadline for paying the ransom had expired.
-http://www.computerworld.com.my/resource/security/cryptolocker-scrambles-eight-years-of-data-belonging-to-us-town-hall/
[Editor's Note (Ullrich): Got Backups? Cryptolocker is probably the best reason to check your backup solution right now.
(Northcutt): There is something wrong with this story. Cryptolocker puts up a screen saying "Your personal files are encrypted!" It would seem that someone had to know:
-http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/]
Proposed Bill in California Would Ban Officials and Agencies from Helping NSA (January 7 & 9, 2014)
Two California state senators have introduced legislation that would prohibit state officials, state agencies, and companies providing services to the state from helping the NSA with surveillance without a specific warrant. Information gathered without such a warrant would be inadmissible as evidence in California courts. State and locally owned utilities would also be prohibited from supplying NSA facilities with water and electricity.
-http://www.computerworld.com/s/article/9245232/California_lawmakers_move_to_bar_state_help_to_NSA
-http://www.scmagazine.com//calif-senators-intro-bill-to-stop-state-from-aiding-nsa-spying/article/328737/
[Editor's Note (Murray): It is sad that we must look to the California legislature for sound public policy. That said, what is lacking in the national security space is not bans or restrictions but transparency and accountability.
(Pescatore): This, and similar efforts in Arizona and other states, is largely symbolic. President Obama will be announcing his plan for changes in NSA's charter and oversight soon. I worked at NSA in 1978 when Congressional investigations into then President Nixon's use of intelligence agencies for domestic purposes led to the establishment of the Foreign Intelligence Surveillance Act, movement of domestic cybersecurity leadership to NIST, more oversight by the House Permanent Select Committee on Intelligence, etc. ]
************************** Sponsored Links: ******************************
1) The SANS Cyber Threat Intelligence summit on February 10th & 11th in Arlington, VA will bring together practitioners and experts to give you the knowledge you need to deal with the next wave of threats. http://www.sans.org/info/148230
2) SANS AppSec Summit 2014 offers four training courses that will help you find and fix critical vulnerabilities in your applications. http://www.sans.org/info/148235
3) 2nd SCADA ICS survey: control systems security experts, give us your thoughts on the issues that keep you up at night! We want your opinions on the threats and challenges facing our infrastructure today. Take our survey now and you might win a free iPad. http://www.sans.org/info/148240
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Yahoo! Mail Now Encrypted by Default (January 9, 2014)
While Yahoo! has at last adopted default HTTPS encryption for Yahoo! Mail, the company is facing criticism over its "failure to follow industry best practices in rolling out" the encryption. Yahoo! has supported full-session HTTPS since 2012, but until now, it has been an opt-in feature. Yahoo!'s implementation of HTTPS encryption is not consistent across servers and includes flaws that leave it vulnerable to snooping. Yahoo!'s implementation of the encryption is missing what is known as Perfect Forward Secrecy, which is used by Google, Microsoft, and Twitter.
-http://www.computerworld.com/s/article/9245258/Yahoo_email_encryption_standard_needs_work?taxonomyId=17
-http://www.theregister.co.uk/2014/01/09/yahoo_always_on_crypto_unstrong/
Fixes Issued for Two Flaws in Siemens ICS Switches (January 9, 2014)
Siemens has released fixes for a pair of vulnerabilities in some of its Industrial Control Systems (ICS) switches. The person who found the flaws reported them to Siemens, and the fixes were issued earlier this fall. The flaws could be exploited to take control of the devices without need for a password. Despite the availability of the patches, only between 10 and 20 percent of organizations apply them, because of the possibility of disruption to the system. Proof-of-concept code will be released at a conference in Florida next week. The code is designed to let organizations test the flaws on their own systems.
-http://www.darkreading.com/vulnerability/zero-day-flaws-found-patched-in-siemens/240165252
More Details Emerge About Yahoo! Ad Hijacking (January 8 & 9, 2014)
Some of the malware that recently infected computers of Yahoo! users in Europe appears to make them into part of a Bitcoin mining network. The websites to which the users were redirected are linked to hundreds of other sites that are being used in other attacks. The hijacked Yahoo! ads were serving other malware as well.
-http://www.computerworld.com/s/article/9245325/Yahoo_malvertising_attack_linked_to_larger_malware_scheme?taxonomyId=17
-http://www.theguardian.com/technology/2014/jan/08/yahoo-malware-turned-europeans-computers-into-bitcoin-slaves
-http://news.cnet.com/8301-1009_3-57616958-83/yahoo-malware-turned-pcs-into-bitcoin-miners/
-http://www.bbc.co.uk/news/technology-25653664
Microsoft's First Patch Tuesday for 2014 (January 9, 2014)
Microsoft's first scheduled security update in 2014 will comprise just four security bulletins, none of which is rated critical. The updates will fix flaws in Windows, Word, SharePoint Server, and Dynamics AX. One of the bulletins will fix an issue in Windows XP and Windows Server 2003 that has been actively exploited since late last year.
-http://www.computerworld.com/s/article/9245301/Patch_Tuesday_preview_Get_your_Windows_XP_patches_while_they_last?taxonomyId=17
-https://technet.microsoft.com/en-us/security/bulletin/ms14-jan
[Editor's Note (Ullrich): This looks like a nice and easy patch Tuesday with only 4 patches that Microsoft rates as important. The Office/Sharepoint patch will likely be the one to watch. Use the extra time you have to think about securing or eliminating Windows XP (see story earlier in this issue). ]
Report Says Snowden Downloaded 1.7 Million Intelligence Files (January 9, 2014)
The Pentagon says that Edward Snowden downloaded 1.7 million intelligence files. The classified report suggests that much of the information pertains to current US military operations. If the figure is accurate, the documents that have been released to the media are a small fraction of what remains. Snowden's supporters maintain that officials are exaggerating the threat that the information poses to national security.
-http://www.washingtonpost.com/world/national-security/snowden-downloaded-17-million-intelligence-files-pentagon-report-concludes/2014/01/09/b343bacc-794b-11e3-af7f-13bf0e9965f6_story.html
Bank Sues Over Fraudulent ACH Transactions (January 8, 2014)
A California escrow company now in receivership is suing First Foundation Bank, alleging that the bank's security measures were inadequate and that it did not act in good faith when it processed three automated clearinghouse (ACH) transactions totaling more than US $1.5 million from Efficient Services Escrow's account to accounts in Russia and China. Efficient Services was forced to cease operations and let its employees go after it was unable to recover all of the funds. According to the plaintiffs, a token-based security measure at First Foundation Bank had failed, and rather than take steps to provide alternate measures, the bank simply disabled the feature.
-http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank/
[Editor's Note (Ullrich): Chase recently announced to some of its customers that it will no longer allow any wire transfers to foreign countries. The risk has become too large, and most small business and individuals do not need to wire money. On the other hand, criminals now try to target specific businesses by intercepting e-mails and "injecting" fraudulent bank information into normal business transactions:
-https://isc.sans.edu/diary/Intercepted+Email+Attempts+to+Steal+Payments/17366]
Audit Finds Inconsistent Response to Data Breaches at US Government Agencies (January 8, 2014)
US government agencies are inconsistent in their responses to data breaches, according to an audit report from the Government Accountability Office (GAO). Between 2011 and 2012, the number of reported data breaches of government systems rose more than 40 percent, from 15,584 to 22,156. At the same time, agencies have not improved their responses to the attacks and are inconsistent in their corrective actions. The audit "analyzed data breach response plans and procedures at eight various-sized agencies and compared them to requirements in relevant laws and federal guidance," and conducted interviews.
-http://www.nextgov.com/cybersecurity/2014/01/hacked-agencies-are-inconsistent-about-alerting-potential-victims/76502/
-http://www.gao.gov/assets/660/659572.pdf
[Editor's Note (Pescatore): The report points out that an OMB directive that came out in 2007 requiring breaches involving Personally Identifiable Information to be reported within one hour has resulted in wasted resources and incomplete information. OMB is reportedly looking at changing that requirement. The report also points out that the breach reporting to DHS has only been used to generate statistics vs. lead to any "close the loop" processes that change the root cause of the reported breaches.
(Murray): Drafting policy, direction, and guidance is difficult. It takes experience to produce the intended results. If the results are not consistent, one does not have it right yet. ]
Teen Who Found Vulnerability in Government Website Was Reported to Police (January 8, 2014)
An Australian teenager who found a vulnerability in the Public Transport Victoria website has been reported to police. The teen found a hole in the website that exposed personal information of 600,000 people. He informed the site on December 26, but after getting no response, he contacted Fairfax Media. When Fairfax contacted PTV for more information, the agency reported the teen to the police. Fairfax gave PTV time to address the issue before publishing the story.
-http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
-http://www.theage.com.au/technology/technology-news/schoolboy-hacks-public-transport-victoria-website-20140107-30fkg.html
[Editor's Note (Ullrich): While I don't advocate unauthorized scans like the one conducted by this individual, companies should take advantage of these responsible disclosures, fix the vulnerabilities, and try to get as much free consulting out of the individual as possible instead of threatening legal actions. Otherwise, irresponsible disclosure and dumping large amounts of personal data as in the Snapchat case becomes safer and more rewarding than responsible disclosure. ]
FIRST LOOK: ROGUE WAVE SOFTWARE ACQUIRES KLOCWORK
Klocwork was focused on the security and quality testing of embedded software, a niche market compared to the larger layered application testing market. However, the "Internet of Things" will be driving increased need for embedded application security testing. Rogue Wave Software had previously acquired Open Logic, which provided tools for finding and analyzing open source components used in applications - a growing issue in the IoT, as well. Existing users of Klocwork and Rogue Wave Software tools for embedded software should see this as a positive move.
-http://www.sdtimes.com/content/article.aspx?ArticleID=67564&page=1
STORM CENTER TECH CORNER
Intercepted E-Mails Used in Financial Scam
-https://isc.sans.edu/forums/diary/Intercepted+Email+Attempts+to+Steal+Payments/17366
OpenSUSE Forum Compromised
-http://news.opensuse.org/2014/01/07/opensuse-forums-defaced/
X.org Finds and Fixes 23-Year-Old Vulnerability
-http://lists.x.org/archives/xorg-announce/2014-January/002389.html
OpenSSL Updates
-https://isc.sans.edu/forums/diary/OpenSSL+version+1+0+0l+released/17360
CryptoLocker Updates
-http://about-threats.trendmicro.com/us/malware/worm_crilock.a
Cryptolocker Copycats
-http://malwaremustdie.blogspot.de/2014/01/threat-intelligence-new-locker-prison.html
DailyMotion Serving Malicious Ads
-http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/
US GSM Networks Vulnerable to Eavesdropping
-http://gsmmap.org/assets/pdfs/gsmmap.org-country_report-United_States_of_America-2013-08.pdf
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/