SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #32

April 22, 2014

TOP OF THE NEWS

Why Security Auditors' (GAO) Recommendations Can't Be Implemented
Report Examines Relative Security of Web Programming Languages

THE REST OF THE WEEK'S NEWS

Malware Steals Apple ID Credentials from Jailbroken iOS Devices
Deltek Breach May be Part of Larger Investigation
UK File-Sharing Site Closes Over Threats of Jail Time for Operators
Firmware Fix for Wireless Router Flaw Hides But Does Not Close Backdoor
Healthcare Sector Cybersecurity Exercise Highlights Need to Improve Information Sharing
GAO Report Instructs SEC to Address Security Issues in its Systems
SEC CIO Responds to GAO Report
Heartbleed Exploited to Bypass Multifactor Authentication
Microsoft Reissues Antimalware Engine Update
Researchers Say Heartbleed Not Exploited Before Disclosure

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Sophos Inc. ************************
NEW Whitepaper - Advanced persistent threats (APT) are sneaky and hard to detect. They stay on your network, waiting for the right moment to create havoc. Download this whitepaper and find out how these threats work and how a multi-faceted approach can keep you protected against APTs. Learn More http://www.sans.org/info/157580
***************************************************************************

TRAINING UPDATE


- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Why Security Auditors' (GAO) Recommendations Can't Be Implemented (See especially Pescatore note after the story) (April 17, 2014)

Gregory Wilshusen, director of information security at the US Government Accountability Office (GAO), says he understands why government agencies do not always implement his recommendations. The dynamic complexity of federal IT systems introduces risks and makes them difficult to secure. Eugene Spafford, executive director for the Center for Education and Research in Information Assurance and Security at Purdue University, said that agencies that do not follow auditors' recommendations sometimes face inconsistent and vague rules and insufficient budgets.
-http://www.govinfosecurity.com/blogs/auditors-infosec-advice-ignored-p-1652
[Editor's Note (Pescatore): Hey, GAO - any chance in these taxpayer-funded reports your auditors could put at least some focus on the underlying problem? Like most other GAO reports, the one cited here focuses on "information security control" weaknesses and deficiencies at the IRS. Yet the vast majority of the problems it talks about - failure to patch, lack of change management, misconfigured applications - - are actually IT operational process weaknesses and deficiencies. Since the security group doesn't patch, change or configure applications, the cited security control deficiencies are failures to mitigate the root cause problem - broken IT operational processes. Like most GAO security reports, that never comes up - there are no actions recommended for the CIO, other than where the CIO oversees the information security side of things.
(Murray): I have never been a fan of "security by auditor;" auditors only think they know better than management. Their reports are both incomplete and "flat" more often than not. ]

Report Examines Relative Security of Web Programming Languages (April 18, 2014)

A report from WhiteHat Security says that vulnerabilities in ASP remain unfixed longer than vulnerabilities in other programming languages. There is no significant difference between the numbers of vulnerabilities found in the various programming languages. ASP vulnerabilities remained unfixed for an average of 139 days; PHP for 129.5 days; Java for 90.9 days. The organization's 2014 Website Security Statistics Report also notes the different types of vulnerabilities that appeared most in each of the programming languages examined.
-http://www.scmagazine.com/research-shows-vulnerabilities-go-unfixed-longer-in-as
p/article/343357/
-https://www.whitehatsec.com/news/14pressarchives/PR_041514_statsreport.html
[Editor's Note (Pescatore): The report pointed out that once again Adobe leads the way with the software most vulnerable to SQL injection - not only did Cold Fusion have the highest percentage of SQL injection vulnerabilities but those flaws stay unfixed far longer than Perl or PHP equivalents. ]

---

************************** Sponsored Links: ******************************
1) Download this whitepaper and learn how bots work and how, by adopting the right strategy, you can use a defense-in-depth strategy to effectively prevent direct attacks against your critical systems. http://www.sans.org/info/157585

2) Webcast: Need to defeat APTs? Tony Sager Explains Where We're At With Live Threat Detection Automation. Wednesday, April 30 at 3:00 PM EDT Tony Sager and Scott Simkin. http://www.sans.org/info/157590

3) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Malware Steals Apple ID Credentials from Jailbroken iOS Devices (April 21, 2014)

Malware detected in the wild steals Apple ID credentials from jailbroken iPhones and iPads. The malware is being called "unflod," which is the name of a library that it installs on infected devices. Unflod was detected after users reported repeated crashes of jailbroken iOS devices. Users noticed that the problems began occurring after they installed jailbroken-specific customizations, also known as tweaks, that came from someplace other than Cydia, an alternative Apple App Store store for jailbroken iOS devices.
-http://arstechnica.com/security/2014/04/active-malware-campaign-steals-apple-pas
swords-from-jailbroken-iphones/
-http://www.infosecurity-magazine.com/view/38049/baby-panda-goes-after-jailbroken
-apple-iphones/
-https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-pan
da.html
[Editor's Note (Pescatore): The most reliable figures I've been able to find indicate that between 7-10% of active iPhones globally have been jailbroken, but that number is skewed by the much higher rates in China and other parts of Asia. In the US and Europe the rate seems to be more in the 1-2% range - so the risk of this malware is mitigated by those low percentages. Most Mobile Device Management products and many vulnerability assessment products can detect whether you have jailbroken phones connecting to or active on your network. ]

Deltek Breach May be Part of Larger Investigation (April 21, 2014)

A month ago, Deltek acknowledged that a data security breach of its systems compromised sensitive data belonging to approximately 80,000 federal contractor employees. Deltek discovered the breach of its federal market analysis database called GovWin IQ on March 13. An arrest has reportedly been made in connection with the breach. A Deltek executive said that the breach is part of a larger investigation involving many more websites.
-http://www.nextgov.com/cybersecurity/2014/04/deltek-breach-raises-questions-abou
t-widespread-hacking/82867/?oref=ng-channeltopstory

UK File-Sharing Site Closes Over Threats of Jail Time for Operators (April 21, 2014)

A UK file-sharing site known for offering links to sporting events has shut down after authorities threatened to jail the site's operators. The Sports Torrent Network (TSTN) had links to European football matches, US National Hockey League, and other events. The City of London Police Intellectual Property Crime Unit sent an email to the company, saying that law enforcement has the "right to pursue action against
[TSTN operators ]
and against the ... website." The message also noted that the site's operators could face 10-year prison sentences if they were found guilty of facilitating piracy. TSTN did not host pirated material, but helped its 20,000 users connect to share files.
-http://www.bbc.com/news/technology-27103527

Firmware Fix for Wireless Router Flaw Hides But Does Not Close Backdoor (April 21, 2014)

Just months after a researcher found, late last year, a backdoor in numerous models of wireless DSL routers, the same researcher has discovered that a patch issued to address the problem does not actually fix the vulnerability; it just hides it. The firmware update for routers based on a certain Sercomm modem was released in January. The new code hides the open communication port instead of closing it, and allows the port to be opened again when it is sent a network packet specially-crafted to reactivate the backdoor.
-http://arstechnica.com/security/2014/04/easter-egg-dsl-router-patch-merely-hides
-backdoor-instead-of-closing-it/

Healthcare Sector Cybersecurity Exercise Highlights Need to Improve Information Sharing (April 21, 2014)

The Health Information Trust Alliance (HITRUST) has released details about CyberRX, a healthcare cybersecurity drill held earlier this month. The exercise drew attention to information sharing issues, including, but not limited to communicating critical information to non-IT internal staff like legal teams, crisis management teams, and business operations. Participants suggested establishing formalized procedures to define responsibilities and streamline communications. HITECH worked with the US Department of Health and Human Services (HHS) to run the exercise. A second CyberRX drill will be held this summer.
-http://www.scmagazine.com/attack-exercise-reveals-threat-sharing-roadblock-withi
n-health-orgs/article/343566/
-http://www.govinfosecurity.com/cybersecurity-drill-lessons-learned-a-6769

GAO Report Instructs SEC to Address Security Issues in its Systems (April 18, 2014)

The US Government Accountability Office (GAO) says the Securities and Exchange Commission (SEC) needs to address several security issues in its systems. Among the issues itemized in the GAO's report are: failure to encrypt sensitive data; failure to properly identify and authenticate users; and failure to securely configure a critical financial system. The problems are due in part to the SEC's inadequate oversight of the contractor it hired to migrate its systems to a new data center last year. The GAO's recommendations include assigning security staff to monitor contractors conducting security-related operations.
-http://www.scmagazine.com/federal-watchdog-says-sec-security-issues-put-financia
l-data-at-risk/article/343345/
-http://media.scmagazine.com/documents/67/gao_on_sec_security_issues_16737.pdf

SEC CIO Responds to GAO Report (April 18, 2014)

SEC CIO Thomas Bayer admits that the commission could have kept a closer eye on IT work being done by contractors. In a letter responding to the GAO's audit, Bayer wrote that when the GAO informed the SEC about the unsecure configuration, the SEC shut down the system in question and reverted to the original, securely configured environment. A subsequent move was carried out with the proper configuration.
-http://www.govinfosecurity.com/sec-cio-vendor-management-must-improve-a-6764

Heartbleed Exploited to Bypass Multifactor Authentication (April 18 & 21, 2014)

Network security company Mandiant says that attackers managed to breach a walled-off virtual private network (VPN) by exploiting the Heartbleed bug. The attackers managed to bypass the VPN's multifactor authentication. The targeted organization has not been identified, and it is not yet known if any data were stolen. Mandiant said the attack began on April 8, just one day after the flaw was disclosed. In this attack, Heartbleed was used to grab legitimate VPS session tokens.
-http://www.darkreading.com/attacks-breaches/heartbleed-attack-targeted-enterpris
e-vpn-/d/d-id/1204592?
-http://www.cnet.com/news/heartbleed-attack-used-to-skip-past-multifactor-authent
ication/
-http://www.govinfosecurity.com/mandiant-heartbleed-leads-to-attack-a-6766
-http://www.nbcnews.com/tech/security/hackers-use-heartbleed-bug-attack-major-cor
poration-n84521
-http://arstechnica.com/security/2014/04/heartbleed-exploited-to-hack-network-wit
h-multifactor-authentication/
[Editor's Note (Murray): One hopes that no one concludes from this report that users of strong authentication and VPNs are not dramatically better off in the face of Heartbleed than those who are not users. ]

Microsoft Reissues Antimalware Engine Update (April 18, 2014)

Microsoft has re-issued its antimalware engine and signatures to fix a problem "that may have caused interrupted service for some customers using Microsoft security products." The issue affected mainly users running Windows XP and Windows Server 2003. While the XP operating system itself is no longer being supported, Microsoft is continuing to provide antimalware engine and signature updates for XP through July 14, 2015. The initial update was pushed out on April 15; the updated update was released two days later.
-http://www.zdnet.com/microsoft-corrects-windows-xpsecurity-essentials-bug-700002
8585/
-http://blogs.technet.com/b/enginenotifications/archive/2014/04/17/antimalware-en
gine-1-1-10502-0-was-released-to-customers-on-17-april-2014.aspx
-http://social.technet.microsoft.com/Forums/en-US/043515cb-2746-43dc-94e0-441f70f
d50b8/system-center-endpoint-protection-error-0x80004005

Researchers Say Heartbleed Not Exploited Before Disclosure (April 16, 2014)

According to researchers at the US Department of Energy's (DOE's) Lawrence Berkeley National Laboratory, the Heartbleed bug was not exploited before it was disclosed. There has been speculation that governments and companies may have been using the flaw for surveillance or espionage during the two years between the flaw's introduction into the OpenSSL cryptographic library and its disclosure. The DOE researchers say that evidence of Heartbleed exploitation could be detected by measuring the size of messages sent to the vulnerable portion of OpenSSL and comparing it to the size of the message that reaches a server. A response larger than the request would indicate an attack. Both Berkeley and the National Energy Research Scientific Computing Center have been analyzing Internet traffic that moved through their networks since the end of January and found no such evidence of a Heartbleed attack. The evidence does not rule out the possibility of attacks prior to January 2014 or that remained outside the scope of the laboratories' monitoring. Now that the flaw has been disclosed, there is growing concern that it will be exploited.
-http://bits.blogs.nytimes.com/2014/04/16/study-finds-no-evidence-of-heartbleed-a
ttacks-before-the-bug-was-exposed/?_php=true&_type=blogs&_php=true&_
type=blogs&_r=1&
[Editor's Note (Murray): The absence of evidence is not evidence. ]

---

STORM CENTER TECH CORNER

Detecting Heartbleed Attacks
-https://isc.sans.edu/forums/diary/Finding+the+bleeders/18001

Oracle Heartbleed Vulnerability
-http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160
-2188454.html

Router Upgrade Problems (German only)
-http://www.heise.de/security/meldung/Das-Router-Desaster-Fritzbox-Update-geraet-
ins-Stocken-2173043.html

Comparing the Security Impact of Different Web Application Languages
-https://info.whitehatsec.com/Social-Statsreport2014.html

Port 32764 Backdoor is Back again
-http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/