SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #33

April 25, 2014

TOP OF THE NEWS

Verizon Data Breach Investigations Report: Government Incident Reporting Requirement Skews Statistics
Tech Giants Agree to Fund OpenSSL and Other Open Source Projects
Bank of England Plans Penetration Tests on Financial Institutions

THE REST OF THE WEEK'S NEWS

Threat Information Sharing Program Slowed by Red Tape
More Surreptitious Bitcoin Mining Android Apps Found in Google Play Store
Apple Patches Triple Handshake Bug in iOS
FBI Informant Exploited Zero-Day Flaw in Attacks on Foreign Governments
SMS Premium Rate Trojan Targets US Users
Maritime Industry Faces Cyber Threats
Feds Ask SCOTUS to Allow Warrantless Cellphone Searches Upon Suspect's Arrest
Lost Key Codes at Tokyo Airport Underscore Issues with Password-Based Security
AOL Locks Down Servers After Spam Deluge

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

**************************** Sponsored By Bit9 ***************************
The Convergence of Security & Compliance How do security and compliance gaps affect your organization? Learn how a single agent can provide visibility, detection, response and protection - all while automating and managing compliance! Close security gaps and ensure the security of your servers and endpoints today. Download The White Paper! http://www.sans.org/info/157730
**************************************************************************

TRAINING UPDATE


- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Verizon Data Breach Investigations Report: Government Incident Reporting Requirement Skews Statistics (April 22, 23, & 24, 2014)

According to Verizon's annual data breach report, government employees cause more than half of reported cyber incidents in the public sector. Of those incidents caused by employees, one third involved various errors such as emailing information to the wrong person. One quarter of the incidents involved unapproved or malicious use of data. Espionage and exploitation of website vulnerabilities made up less than one percent of the incidents. Part of the reason the statistics seem skewed is the requirement that all incidents in the public sector be reported. Report co-author Jay Jacobs "think
[s ]
that the raw numbers are actually quite high for things like web-based attacks and espionage as well," but that fact gets lost amid the other data generated by the required reports. Private industries' numbers are strikingly different. In the manufacturing industry, 30 percent of reported incidents involved espionage. In the information industry, 41 percent involved website flaw exploitation. Miscellaneous errors, the largest category in the public sector, account for less than one percent of incidents in the information industry.
-http://www.nextgov.com/cybersecurity/2014/04/government-employees-cause-nearly-6
0-public-sector-cyber-incidents/82933/
[Editor's Note (Murray): It is ironic that so many of the breaches reported on continue to exploit things in the SANS Top Twenty. It is also ironic that security professionals tell me that they dismiss the DBIR while continuing to complain that they need "real" threat data from the government. ]

Tech Giants Agree to Fund OpenSSL and Other Open Source Projects (April 24, 2014)

Major technology companies have come forward to say they will help fund the Linux Foundation's Core Infrastructure Initiative to help fund open source projects. The Heartbleed bug brought the state of OpenSSL to center stage; the code is widely used, yet the project receives about US $2,000 in donations and has just one full-time employee. Thirteen technology companies, including Facebook, Microsoft, and Google, have each pledged to contribute US $100,000 to the foundation every year for at least the next three years.
-http://www.nbcnews.com/tech/security/after-heartbleed-tech-giants-team-avoid-red
ux-n88646
-http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-h
eartbleed-finally-agree-to-fund-openssl/
-http://www.linuxfoundation.org/news-media/announcements/2014/04/amazon-web-servi
ces-cisco-dell-facebook-fujitsu-google-ibm-intel
[Editor's Note (Pescatore): This is a much-needed initiative but there are a lot of potential pitfalls. Certificates and private keys are critical to SSL, and Google and Microsoft were early members of the totally ineffective CA/Browser Forum - a great example of what *not* to do. Many of these same technology companies also were members of the Trusted Computing Platform Alliance that mostly just postured and squabbled for years before being reformed as the Trusted Computing Group. If the initiative stays internally focused, with technical people (vs. marketing people) working together on solutions, good stuff. I'd like to see the equivalent of a " Open Source Core Infrastructure App Store" model come out of this.
(Shpantzer): Noticeably missing are companies like Apple and Oracle, who have the financial and technical resources to contribute to such efforts. ]

Bank of England Plans Penetration Tests on Financial Institutions (April 23 & 24, 2014)

The Bank of England is planning a large-scale penetration test of financial institutions in the UK. The penetration testing will focus on 20 major financial institutions. In November 2013, the Bank of England held a cyber security exercise. The decision to conduct the penetration test arose from the results of a November 2013 cyber security exercise called Waking Shark II. While testing the banks' protections against intruders is useful, experts say it is important to remember that organizations also need to address insider threats and place controls on data access.
-http://www.theregister.co.uk/2014/04/24/ethical_hackers_drafted_to_probe_banks/
-http://www.scmagazine.com/report-bank-of-england-to-helm-pen-testing-effort-for-
uks-finance-sector/article/343946/
[Editor's Note (Shpantzer): Work relating to partner due diligence and security assurance requests by customers and auditors has picked up a lot on my radar screen in just the last 6 months. ]

---

************************** Sponsored Links: ******************************
1) New Analyst Paper in the SANS Reading Room John Pescatore's 2014 Trends Shaping Organizational Security http://www.sans.org/info/157735

2) Plan to attend the SANS Security Leadership Summit, April 30th and May 1st, in Boston. The format will partner CISOs with leading SANS experts across a broad range of key security topics and emerging trends. Choose from four classes that take place afterwards (May 2nd - 6th) including ICS/SCADA Security Essentials, Security Leadership, Implementing the Critical Security Controls and Security Bootcamp. http://www.sans.org/info/154465

3) Webcast: The Application Blind-Spot - with Eric Schou. Friday, May 09 at 1:00 PM EDT. http://www.sans.org/info/157705
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Threat Information Sharing Program Slowed by Red Tape (April 24, 2014)

The Enhanced Cybersecurity Services (ECS) program aims to give companies access to classified threat data to improve their cyber security. The program was established in 2012, when AT&T and CenturyLink were given access to the classified data to sell security services to approved critical infrastructure companies. In February 2013, the program was expanded to allow more security services providers and more customers. Both providers and their customers must obtain government approval to participate, which has proven to be a slow process. A recent survey indicates that recent breaches could have been prevented if not for the delay in obtaining approval.
-http://www.bloomberg.com/news/2014-04-24/hacker-threat-sharing-has-companies-wai
ting-amid-breaches.html

More Surreptitious Bitcoin Mining Android Apps Found in Google Play Store (April 24, 2014)

Researchers have found bitcoin mining malware stowed in several Android apps in the official Google Play store. The malware, which is known as "BadLepricon," was found in five wallpaper apps, each of which had been downloaded between 100 and 500 times. The seeded apps have been removed from the store. Two other apps that mined other cryptocurrencies were found a month ago; they were also removed from the store.
-http://arstechnica.com/security/2014/04/covert-bitcoin-miner-found-stashed-in-ma
licious-google-play-apps/

Apple Patches Triple Handshake Bug in iOS, OS X (April 22, 23, & 24, 2014)

Apple released iOS 7.1.1 on Tuesday, April 22, to address 19 flaws in the mobile operating system, including a critical flaw in the secure transport mechanism that could be exploited with "triple handshake" attacks to expose user data. Apple also released updates for OS X Lion (10.7.x), Mountain Lion (10.8.x), and Mavericks (10.9.x) to address number of flaws, including the triple handshake bug.
-http://www.cnet.com/news/apple-turns-loose-ios-7-1-1-with-touch-id-improvements/
-http://www.zdnet.com/apple-security-updates-for-mac-ios-and-airport-7000028665/
-http://arstechnica.com/security/2014/04/iphones-and-macs-get-fix-for-extremely-c
ritical-triple-handshake-crypto-bug/
[Editor's Note (Shpantzer): A blog post about the last cycle of Apple patching from a bona fide security rock-star, who also happens to be a former Apple employee...
-http://www.tombom.co.uk/blog/?p=492]

FBI Informant Exploited Zero-Day Flaw in Attacks on Foreign Governments (April 23 & 24, 2014)

An FBI informant directed a series of attacks on websites outside the US in 2013 exploiting a then-undisclosed vulnerability with the knowledge of the FBI agents supervising him. Some of the targeted websites were operated by governments of Iran, Syria, Brazil, and Pakistan.
-http://www.nytimes.com/2014/04/24/world/fbi-informant-is-tied-to-cyberattacks-ab
road.html?hp&_r=1
-http://www.darkreading.com/attacks-breaches/fbi-informant-sabu-tied-to-foreign-a
ttacks/d/d-id/1234836?
-http://arstechnica.com/tech-policy/2014/04/fbi-knew-of-zero-day-attack-on-websit
es-let-hackers-use-it/
-http://www.theregister.co.uk/2014/04/24/fbi_snitch_tied_to_foreign_gov_hacking/

SMS Premium Rate Trojan Targets US Users (April 23, 2014)

An SMS Trojan horse program targets Android users in the US. It is believed to be the first such attack targeting US-based devices. The malware, known as FakeInst, has the capability to send messages to premium rate numbers. It also allows attackers to steal, erase, and reply to SMS messages. FakeInst targets users in 66 countries, but until now has remained largely outside the US.
-http://www.scmagazine.com/android-trojan-sends-premium-sms-messages-targets-us-u
sers-for-first-time/article/343953/
-http://www.infosecurity-magazine.com/view/38099/fake-porn-app-is-first-sms-troja
n-to-land-on-us-soil/

Maritime Industry Faces Cyber Threats (April 23, 2014)

Although the global maritime industry has not received as much attention as other sectors, sea faring vessels are increasingly at risk of cyber attacks as they become more Internet connected. While ships get larger, crews get smaller; tasks are managed with technology rather than with people. The incidence of maritime cyber attacks appears low, possibly because some attacks are not detected and others remain unreported for various reasons. Of particular concern are vulnerabilities in GPS; the marine Automatic Identification System (AIS); and the Electronic Chart Display and Information System (ECDIS). A floating oil rig off the coast of Africa was attacked and tilted. And pirates use navigational data to target ships, so some ships have started transmitting phony data to disguise their locations.
-http://www.cnbc.com/id/101608644
[Editor's Note (Assante): The maritime industry is not being honest with itself if they believe they are well positioned to manage these risks. Shipboard systems are becoming complex and onboard crew members must rely upon remote support. The attack surface has been steadily growing, ship operations require good data, they have integrated disparate control technologies, and the mobility of the platform is not a defense. "cast off all lines" does not apply here as modern ships remain connected and susceptible. ]

Feds Ask SCOTUS to Allow Warrantless Cellphone Searches Upon Suspect's Arrest (April 23, 2014)

A brief filed to the US Supreme Court earlier this week argues that law enforcement should be authorized to search mobile phones taken from suspects immediately upon arrest, without first obtaining a warrant. Law enforcement authorities are concerned that if they do not search the devices immediately, the suspect could remotely wipe them before the warrant is obtained. Ironically, law enforcement officials across the country have supported a bill that would require kill mechanisms on smartphones that allow the phones to be remotely disabled in the hope that such a feature would deter cellphone thieves. One simple, cheap and 4th amendment-safe possible solution to law enforcement's concerns is to remove the device's battery or place it in a container that prevents radio communications until the warrant is obtained.
-http://www.wired.com/2014/04/smartphone-kill-switch/

Lost Key Codes at Tokyo Airport Underscore Issues with Password-Based Security (April 23, 2014)

A staff member at Tokyo Haneda Airport dropped a memo containing security codes the day before President Obama arrived in Japan for the first visit by a US president in nearly 20 years. Even though the paper was found within the hour, authorities decided to change the codes. The incident points out the security problems inherent in systems that depend on passcodes for access.
-http://www.theregister.co.uk/2014/04/23/tokyo_haneda_passcode_loss_obama/
-http://www.japantimes.co.jp/news/2014/04/22/national/lost-codes-spark-airport-sc
ramble-eve-obama-trip/#.U1cYmaiSyQA

AOL Locks Down Servers After Spam Deluge (April 22 & 23, 2014)

Users have recently noticed a higher than usual volume of spam coming from AOL email addresses. AOL has now locked down its email servers to quell a spoof attack that is generating large quantities of spam. AOL has implemented a more stringent email validation process that instructs mailbox providers to reject email that appears to be associated with an AOL domain if the message did not originate from an AOL server. Reports also say that AOL Mail was breached and some accounts hijacked.
-http://www.theregister.co.uk/2014/04/23/aol_mail_locks_down_email_servers_to_dea
l_with_tsunami_of_spam/
-http://www.cnet.com/news/aol-imposes-stricter-email-rules-to-stem-spoofing-attac
k/
-http://threatpost.com/aol-email-hacked-by-spoofers-to-send-spam/105629
[Editor's Note (Murray): Received one from a neighbor and one from a family member on the same day. I see these often enough that I have a standard reply. "If you did not send the message below, your e-mail account may be compromised. Please change your password. Recipients of your message who clicked on the embedded URL may have compromised their systems." ]
--Password Authentication Alone is Insufficient Single-factor, password based security for Internet facing computers is inadequate. Organizations that have adopted multi-factor and other types of authentication are doing the right thing. Stolen or weak passwords are at the root of two-thirds of breaches.
-http://www.zdnet.com/data-breach-report-dishes-recommendations-for-authenticatio
n-changes-7000028717/
--Most Breaches Fall Into One of Nine Categories The Verizon report says that 92 percent of breaches fall into one of nine categories: miscellaneous errors, such as sending a document to the wrong person; crimeware (which aims to hijack systems); insider/privilege misuse; physical theft and/or loss; web app attacks; denial-of-service attacks; espionage; point of sale intrusions; and card skimmers. In any given industry, 72 percent of security incidents can be attributed to just three of the categories; the three categories vary from industry to industry.
-http://www.netsecurity.org/secworld.php?id=16725

---

STORM CENTER TECH CORNER

Apache Struts Vulnerability
-http://blog.vulnhunt.com/index.php/2014/04/24/apache_struts2_0day/
-http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/

HP iLo Cards may crash if scanned for Heartbleed
-http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?j
avax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId
%253Demr_na-c04249852-1&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&
amp;ac.admitted=1398377927037.876444892.492883150

Voicemail Boxes Still wide open to caller ID spoofing
-http://www.theregister.co.uk/2014/04/24/voicemail_still_easy_to_hack/

Apple Airport Heartbleed Update
-http://support.apple.com/kb/DL1708?viewlocale=en_US&locale=en_US

NIST Steps Away From Dual-EC
-http://www.nist.gov/itl/csd/sp800-90-042114.cfm

IOActive Whitepaper on Satellite Communication Security
-http://www.ioactive.com/pdfs/IOActive_SATCOM_Security_WhitePaper.pdf

Iowa State Synology NAS Compromised by Bitcoin Miner
-http://threatpost.com/iowa-state-hacked-to-mine-bitcoins/105650

Google Refunds Purchasers of Fake Anti Virus App
-http://www.androidpolice.com/2014/04/19/google-issues-refunds-and-an-extra-5-pla
y-store-credit-to-android-users-who-bought-the-phony-virus-shield-app/

Nagios NRPE Problem
-http://seclists.org/fulldisclosure/2014/Apr/240

---

***********************************************************************
|The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/