
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #30

April 15, 2014

TOP OF THE NEWS

Attackers Exploited Heartbleed to Access Canada Revenue Agency Data
Heartbleed Flaw Caused by "Trivial" Coding Error
KKR Adds Cyber-Risk Score to Company Assessments
US Sought International Help in Stopping DDoS Attacks on Bank Websites in 2012

THE REST OF THE WEEK'S NEWS

NSA Denies it Knew About Heartbleed Vulnerability
Akamai Releases Second Fix for Heartbleed
Android Devices Remain Unpatched Despite Google's Heartbleed Fix
OpenSSL President Says Entities That Use the Technology Should Help Fund It
White House Policy Encourages Vulnerability Disclosure, Except When it Doesn't
Training Cyber Warriors Takes Time
Cloud Security Deadline Approaching for US Government Agencies
Target Breach Prompts Formation of Retail ISAC
Paramedic Faces Charges Based on Evidence from Warrantless Database Search
Three Indicted in Connection with Theft of Apache Helicopter Simulation Software
IRS Will Pay for Extended XP Support While Completing Migration to Windows 7
Auernheimer Conviction Overturned on Technicality
West Point Wins Cyber Defense Exercise
House Subcommittee Pushes Through Bill to Stop Transfer of ICANN Oversight

STORM CENTER TECH CORNER


************************** Sponsored By Symantec *************************
2013 Year of the Mega Breach - Symantec's 2014 Internet Security Threat Report
In 2013, data breaches hit businesses hard. The end of last year provided a painful reminder that everyday cyber-crime remains, and threats from adversaries continue to target businesses and consumers. Download the 2014 Symantec Internet Security Threat Report today. You'll learn more about important key trends to help keep you and your organization safe. http://www.sans.org/info/157140
***************************************************************************
TRAINING UPDATE


- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Attackers Exploited Heartbleed to Access Canada Revenue Agency Data (April 14, 2014)

Heartbleed has been used to steal tax identification numbers from the Canada Revenue Agency. At least 900 individuals and businesses have been affected.
-http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/

-http://www.nbcnews.com/tech/security/hundreds-canadian-tax-id-numbers-stolen-heartbleed-breach-n80241

Heartbleed Flaw Caused by "Trivial" Coding Error (April 11, 2014)

The German developer who wrote the code that introduced the Heartbleed flaw into OpenSSL says it came down to a trivial coding error. Robin Seggelmann contributed the code to OpenSSL in 2012. While the error is trivial, its impact is severe.
-http://arstechnica.com/information-technology/2014/04/heartbleed-developer-explains-openssl-mistake-that-put-web-at-risk/

-http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

-http://www.nbcnews.com/tech/security/heartbleed-bug-coder-it-was-simple-programming-error-n78561

[Editor's Note (Pescatore): The vast majority of serious vulnerabilities are caused by either trivial coding errors or trivial system administration errors. Hey, CEOs who have tuned in because of the Heartbleed publicity: please ask your CIO why the IT development and operations organizations don't stop making the same "trivial" errors time after time after time, when known process improvements and administrative tools are widely available to test software for flaws *before* deploying and to make sure sys admins don't turn on badly configured servers, etc.
(Murray): While it is true that validating inputs requires special knowledge, skills, and abilities, it is just these knowledge, skills, and abilities that distinguish the professional from the amateur. We should not build infrastructure with amateurs, regardless of how well intended they are or how cheaply they work. Moreover, professionals are responsible for the quality of the materials that they incorporate into their products. Not only may they not assume that "open source" equates to "thoroughly vetted," but they should assume nothing about it that they have not confirmed. The incorporation of inferior product into the infrastructure is not the fault of the amateurs that created it. ]
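The "trivial" error was a missing bounds check in OpenSSL's TLS heartbeat handler: the peer's claimed payload length was trusted, so the response copied that many bytes regardless of how many had actually arrived. As an added illustration (example code written for this page, not OpenSSL's own), the C model below uses the RFC 6520 record layout and hypothetical hb_* helpers to show the check that rejects such a request, and how far an unchecked copy would have read past the record.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. This is a
 * stand-alone model written for this example, not OpenSSL's own code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the end of the received record that a copy of the claimed length
 * would read: 0 means the claim fits; anything larger is adjacent process
 * memory that an unchecked echo would have leaked. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    size_t claimed = hb_claimed_len(rec);
    size_t available = rec_len > HB_HEADER ? rec_len - HB_HEADER : 0;
    return claimed > available ? claimed - available : 0;
}

/* The bounds check the flawed code lacked: header + claimed payload + minimum
 * padding must fit inside the bytes actually received. Returns 1 if well-formed. */
int hb_record_is_valid(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    if (HB_HEADER + hb_claimed_len(rec) + HB_PADDING > rec_len) return 0; /* Heartbleed */
    return 1;
}

/* Echo the payload into a response only after validation. Returns bytes written,
 * or -1 if the request is rejected or the output buffer is too small. */
long hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (!hb_record_is_valid(rec, rec_len)) return -1;
    size_t claimed = hb_claimed_len(rec);
    size_t need = HB_HEADER + claimed + HB_PADDING;
    if (out_cap < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* in bounds: checked above */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);   /* real code uses random padding */
    return (long)need;
}

/* Constructed request for the demo: claims `claimed` payload bytes but carries
 * `actual` bytes plus 16 bytes of padding. Returns the record length, 0 on error. */
size_t hb_make_request(uint8_t *buf, size_t cap, uint16_t claimed,
                       const uint8_t *payload, size_t actual)
{
    size_t len = HB_HEADER + actual + HB_PADDING;
    if (cap < len) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, actual);
    memset(buf + HB_HEADER + actual, 0xAA, HB_PADDING);
    return len;
}

/* Demo helpers: a 5-byte "hello" request claiming `claimed` payload bytes. */
static size_t demo_request(uint8_t *req, size_t cap, uint16_t claimed)
{
    return hb_make_request(req, cap, claimed, (const uint8_t *)"hello", 5);
}
long demo_response_len(uint16_t claimed)   /* 24 when claimed == 5, -1 when 65535 */
{
    uint8_t req[64], resp[64];
    size_t n = demo_request(req, sizeof req, claimed);
    return hb_build_response(req, n, resp, sizeof resp);
}
size_t demo_overread(uint16_t claimed)     /* 0 when claimed == 5, 65514 when 65535 */
{
    uint8_t req[64];
    return hb_overread_bytes(req, demo_request(req, sizeof req, claimed));
}
```

The validated path echoes exactly what was received; the rejected path shows that a 24-byte record claiming 65535 payload bytes would have pulled 65514 bytes of neighbouring memory into the reply.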

KKR Adds Cyber-Risk Score to Company Assessments (April 11, 2014)

Private equity firm KKR recently added a cyber risk score to its assessment of companies in its portfolio. Working with BitSight Technologies, a company that collects and analyzes Internet traffic, KKR developed a score for cyber risk. KKR could then use the scores, calculated at intervals, to monitor each company's security.
-http://www.businessweek.com/articles/2014-04-11/kkr-adds-cyber-risk-score-to-its-assessment-of-companies?google_editors_picks=true

[Editor's Note (Pescatore): Anything that causes investors in companies to look at the security level of companies is a good thing, since CEOs care about what investors care about. ]

US Sought International Help in Stopping DDoS Attacks on Bank Websites in 2012 (April 11, 2014)

During the spring 2012 distributed denial-of-service (DDoS) attacks on US bank websites, the White House rejected the idea of launching retaliatory attacks against the alleged attackers' network in Iran due to concerns about unintended consequences and escalation. Instead, the US sought help from 120 countries, asking them to stop the malicious traffic locally and to remove malware from infected servers. The strategy built a cooperative framework for dealing with cyber attacks.
-http://www.washingtonpost.com/world/national-security/us-rallied-multi-nation-response-to-2012-cyberattack-on-american-banks/2014/04/11/7c1fbb12-b45c-11e3-8cb6-284052554d74_story.html

[Editor's Note (Pescatore): Good to see in this case the "bias" was towards a common sense approach, essentially the same approach private industry has been using for 20 years to deal with DDoS attacks. ]


************************** Sponsored Links: ******************************
1) Spotting cyber attacks in your network means identifying the signatures of known threats. Reputation data takes that one step farther by identifying communications coming from or going to known bad actors based on their reputations. Read this Whitepaper to find out more. http://www.sans.org/info/157145

2) Higher Ed Strapped for ITSec Resources? Tell Us in Our Higher Ed Security Survey: http://www.sans.org/info/155945

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

THE REST OF THE WEEK'S NEWS

NSA Denies it Knew About Heartbleed Vulnerability (April 13, 2014)

The NSA has denied reports that it knew about the vulnerability in OpenSSL for two years and used it to conduct surveillance.
-http://www.scmagazine.com/heartbleed-bug-not-leveraged-for-surveillance-nsa-says/article/342579/

-http://www.cnet.com/news/nsa-denies-it-knew-of-exploited-heartbleed-kept-flaw-secret/

Akamai Releases Second Fix for Heartbleed (April 14, 2014)

Akamai's first attempt to fix Heartbleed was incomplete. The company applied a patch to its network on Friday, April 11, but it was found to have addressed just half the problem. The initial fix protected just three of the six critical values in RSA keys. Akamai is reissuing all SSL certificates and keys used to make encrypted connections between its customers' websites and users who visit them.
-http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/
-http://www.computerworld.com/s/article/9247650/Akamai_admits_issuing_faulty_OpenSSL_patch_reissues_keys?taxonomyId=17

-http://www.darkreading.com/application-security/akamai-withdraws-proposed-heartbleed-patch/d/d-id/1204443?

Android Devices Remain Unpatched Despite Google's Heartbleed Fix (April 14, 2014)

Although Google released an update for Android to address the Heartbleed flaw last week, millions of Android devices remain unpatched because they cannot run newer versions of the mobile operating system. Google estimates that fewer than 10 percent of Android handsets are running version 4.1.1, which runs a vulnerable version of the OpenSSL cryptographic software library. However, there are an estimated one billion devices running Android, which means at least 100 million remain vulnerable.
-http://www.bbc.com/news/technology-27020256

OpenSSL President Says Entities That Use the Technology Should Help Fund It (April 14, 2014)

Steve Marquess, co-founder and president of the OpenSSL Software Foundation, is critical of governments and companies that use the software but do not contribute to the foundation's funding.
-http://www.v3.co.uk/v3-uk/news/2339660/openssl-heartbleed-bug-founders-slam-tech-world-for-not-supporting-project

[Editor's Note (Northcutt): The key to understanding this article is this quote, "In particular, Marquess singled out Fortune 1000 companies for not pulling their weight, despite many of them using OpenSSL within their products that are sold at a profit." We could debate ideology until we turn green, but the key fact is that hundreds or thousands of organizations believe they are not vulnerable because they do not run OpenSSL when in fact it is embedded in the commercial product they are using. That is going to lead to needless pain and suffering. Making sure your organization is, or is not, running software based on the OpenSSL code base(s) should be a significant priority. The more you research this project, the more you realize it makes sense for individuals, companies and governments to contribute:
-https://www.openssl.org/support/ ]

White House Policy Encourages Vulnerability Disclosure, Except When it Doesn't (April 12, 13 & 14, 2014)

According to a statement from the Office of the Director of National Intelligence, the Obama administration supports NSA disclosure of vulnerabilities in commercial and open source software with the exception of cases in which there is "a clear national security or law enforcement need" to keep them a secret.
-http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1

-http://www.cnet.com/news/obama-reportedly-lets-nsa-keep-some-security-flaws-secret/

-http://www.computerworld.com/s/article/9247648/Obama_backs_disclosuse_of_most_software_flaws?taxonomyId=17

-http://recode.net/2014/04/13/the-new-white-house-policy-on-security-bugs-changes-nothing/

[Editor's Note (Pescatore): The exact wording in the statement was "This process is biased toward responsibly disclosing such vulnerabilities." Imagine if the FAA was only "biased towards responsibly disclosing" flaws in airplanes because Chinese or Iranian planes might crash before US planes did. ]

Training Cyber Warriors Takes Time (April 14, 2014)

To qualify for the US Cyber Command force, service members must obtain credentials at their schools, attend Cyber Command training, and have their knowledge tested to see if they qualify. The US Coast Guard Cyber Command hopes to qualify two service members for Cyber Command. The Coast Guard faces tougher odds than other branches of the military because it does not have a dedicated cyber component to its education system and it splits its responsibilities between domestic security and military operations. The Pentagon aims to make Cyber Command a 2,000-strong force by 2016.
-http://www.nextgov.com/cybersecurity/2014/04/cyber-warrior-training-no-easy-task/82498/

[Editor's Note (Assante): Language matters and Cyber Command is having to put energy into bridging people from different backgrounds into one team. We need to always be mindful that it does take energy to form people into effective teams. Apply energy to bring IT, security, and business staff together and security and engineering for ICS reliant organizations. ]

Cloud Security Deadline Approaching for US Government Agencies (April 14, 2014)

US agencies have until June 5 to make sure that they are in compliance with the government's cloud security standards. The date also marks changes for the standards. Agencies' existing cloud computing solutions must be assessed against FedRAMP (the Federal Risk and Management Program). The General Services Administration (GSA) is expected to update those standards in June as well.
-http://www.nextgov.com/cloud-computing/2014/04/your-agency-ready-fedramp-deadline-june/82486/

[Editor's Note (Pescatore): Won't be much of an impact, given the high number of cloud services already in the FedRamp pipeline or through it. ]

Target Breach Prompts Formation of Retail ISAC (April 14, 2014)

The Target breach has prompted the National Retail Federation to establish an industry Information Sharing and Analysis Center (ISAC). The ISAC is expected to launch in June. Congress has been urging retailers to take steps to improve security of customer data.
-http://www.nbcnews.com/business/business-news/retailers-share-cyber-threat-data-after-target-breach-n80171

[Editor's Note (Assante): While ISACs help focus their members on threats and relevant vulnerabilities they don't tell you which internal security event alerts to pay attention to. Memory scraping malware was not an unheard of threat related to Point of Sales systems - there was much reporting/discussion back in 2012. ISACs are nice but they are not a 'direct' step in improving the security of customer data. ]

Paramedic Faces Charges Based on Evidence from Warrantless Database Search (April 14, 2014)

In the course of investigating the theft of morphine from emergency vehicles, Utah law enforcement officials searched without a warrant a state database that holds records of all controlled substances that pharmacists dispense. Utah law allows the search of such databases without a probable-cause warrant. An official decided, on a hunch, to examine the records of all public paramedics, firefighters, and other members of the Unified Fire Authority. Prescription fraud charges were brought against one paramedic as a result of information obtained through the search, but they have nothing to do with the initial investigation. The paramedic's attorney has filed a motion to have the evidence from the database search thrown out.
-http://arstechnica.com/tech-policy/2014/04/utah-cops-warrantlessly-search-drug-records-of-480-emergency-personnel/

[Editor's Note (Murray): It is pretty well established that if the search is legal, any thing that is found may be used. We should not forget that the requirement for a warrant is not to protect criminals but to protect everyone else from an intrusive government. ]

Three Indicted in Connection with Theft of Apache Helicopter Simulation Software (April 11 & 14, 2014)

Three men have been indicted for allegedly stealing a top-secret US Army helicopter simulator. The trio allegedly broke into networks at several gaming companies and stole pre-release games; they were allegedly able to access the Apache training software when they broke into the network of Seattle-based Zombie Studios, which had a contract with the US Army to develop the training software.
-http://www.scmagazine.com/trio-charged-with-hacking-stealing-data-from-us-army-microsoft-and-more/article/342578/

-http://www.dailymail.co.uk/news/article-2602216/War-Games-FBI-arrests-men-hacked-Army-computers-steal-helicopter-simulators-Call-Duty-ahead-release.html

IRS Will Pay for Extended XP Support While Completing Migration to Windows 7 (April 11, 2014)

The US Internal Revenue Service (IRS) is still running Windows XP on roughly half of its Windows-based computers. The agency says it will pay Microsoft "less than US $500,000" to continue security support while it completes its US $30 million migration to Windows 7.
-http://www.computerworld.com/s/article/9247634/Update_IRS_misses_XP_deadline_will_spend_30M_to_upgrade_remaining_PCs?taxonomyId=17

Auernheimer Conviction Overturned on Technicality (April 11, 2014)

The Third US Circuit Court of Appeals has reversed and vacated the conviction of Andrew Auernheimer because the case was tried in an improper venue. In 2012, Auernheimer was found guilty of violating the Computer Fraud and Abuse Act for leaking 100,000 email addresses of iPad users obtained from an unsecured AT&T website in 2010. By charging Auernheimer in New Jersey, prosecutors believed they could use that state's criminal code to stiffen the penalties. The court found there was no justification for bringing the lawsuit in New Jersey, as the compromised servers were in Texas and Georgia.
-http://www.wired.com/2014/04/att-hacker-conviction-vacated/
-http://www.nbcnews.com/tech/security/court-overturns-conviction-hacker-weev-ipad-data-case-n78521

-http://www.theregister.co.uk/2014/04/11/weev_reprieve/

West Point Wins Cyber Defense Exercise (April 10 & 11, 2014)

The team from West Point, the US military academy, took top honors in this year's Cyber Defense Exercise. Teams from the five US service academies participated in the 14th annual exercise last week. One participant described the four-day competition as "the Army-Navy game for our electrical engineering and computer science departments." The Air Force Academy team won the competition last year.
-http://fcw.com/articles/2014/04/10/cyber-defense-exercise.aspx
-http://www.washingtonpost.com/business/technology/call-of-cyber-duty-military-academies-take-on-nsa/2014/04/10/7e1094c6-c07f-11e3-9ee7-02c1e10a03f0_story.html

House Subcommittee Pushes Through Bill to Stop Transfer of ICANN Oversight (April 7 & 10, 2014)

The US House Energy and Commerce Committee's Technology Subcommittee has approved a bill that would delay the Obama administration's plan to relinquish control of ICANN. The vote was split along party lines. Republicans expressed concern that if the plan moves forward, the Internet could be taken over by authoritarian regimes, like Russia or China. Assistant Secretary of Commerce Lawrence Strickling spoke before a House Judiciary Committee subcommittee, saying that the plan to relinquish ICANN oversight to an international committee of non-profits, engineers, and private companies is a necessary step for the US to rebuild international trust.
-http://www.nextgov.com/cio-briefing/2014/04/house-panel-votes-halt-obamas-internet-power-transfer/82315/

-http://thehill.com/blogs/floor-action/technology/202811-gop-bill-prevents-us-from-giving-up-internet-control

-http://www.computerworld.com/s/article/9247580/U.S._plan_to_end_ICANN_oversight_jeopardizes_Internet_freedom?pageNumber=1


STORM CENTER TECH CORNER

TrueCrypt Passes Audit
-https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

Android Adobe PDF Reader Code Execution Bug
-http://seclists.org/fulldisclosure/2014/Apr/192

Client Side Heartbleed
-https://isc.sans.edu/forums/diary/How+to+talk+to+your+kids+or+manager+about+Heartbleed/17943

-https://isc.sans.edu/forums/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945

Heartbleed Webcast #4 (Client Side issues)
-https://www.sans.org/webcasts/side-heartbleed-clientside-heartbleed-vulnerabilities-explained-98135

Android Secure Coding Standard
-https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=111509535

Google Enhancing Android Verify Feature
-http://officialandroid.blogspot.com/2014/04/expanding-googles-security-services-for.html

EnSnare Web Application Security Tool (Ruby on Rails)
-https://github.com/ahoernecke/ensnare


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/