SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #38

May 13, 2014

Saying goodbye: Wyatt Stearns, a good man who made a difference. Wyatt Stearns passed away last Saturday. He was a big factor in the success of Tripwire, one of the companies that enabled open source security software to be widely used to solve real world business security problems. He was a great friend and mentor to many in the security field; he'll be missed.
http://www.oregonlive.com/business/index.ssf/2014/05/wyatt_starnes_longtime_entr
epr.html

---

TOP OF THE NEWS

DOJ Wants to Expand Authority to Break Into Suspects' Computers
DOJ Encourages Cyber Security Threat Information Sharing
Army Didn't Tell Thrift Savings Plan About Training Exercise That Imitated its Website

THE REST OF THE WEEK'S NEWS

Information Commissioner's Office Guidance Includes Eight Security Issues to Address
Bitly Provides More Information About Data Breach
Powerful DDoS Attack Used DDoS Protection Services' Servers
US Spy Plane Data Overwhelmed Air Traffic Control System
Five-Year-Old Linux Flaw Fixed
The UK Tax Office Must Disclose Information About Software Export Investigation
Canadian Teens Face Charges in SWATting Attacks
Post-XP Updates May Provide Source for Exploit Writers
A Month Later, Heartbleed Issues Abound

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By McAfee, Inc. ************************
What Works Webcast: Going 'All In' for Protection and Compliance with the Critical Security Controls at Sun Country Airlines. Wednesday, May 14 at 1:00 PM EDT with John Pescatore. Learn how Sun Country fast tracked increasing security and satisfying compliance with the McAfee Solution.
http://www.sans.org/info/159132
***************************************************************************
TRAINING UPDATE


- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


- --SANSFIRE 2014 Baltimore, ND June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

DOJ Wants to Expand Authority to Break Into Suspects' Computers (May 9, 2014)

The US Justice Department (DOJ) has issued a request to the US Judicial Conference standing committee to expand its authority to gain remote access to computers during investigations. DOJ maintains it needs the authority to access computers outside the jurisdiction of an investigation because criminal schemes are increasingly crossing jurisdictions. The proposal has raised concerns among civil rights groups, which say that allowing this activity could pose a threat to Internet security and Fourth Amendment protections. The remote access would be achieved through vulnerabilities known to DOJ but kept secret from the public, thus posing a security threat. The US court system currently allows magistrate judges to issue search warrants for property outside their districts only in limited cases. The DOJ request will be considered at the meeting of the US courts' Committee on Rules of Practice and Procedure later this month.
-http://www.darkreading.com/government/fbi-seeks-license-to-hack-bot-infected-pcs
/d/d-id/1252655?
-http://www.bloomberg.com/news/2014-05-09/federal-agents-seek-to-loosen-rules-on-
hacking-computers.html
-http://www.computerworld.com/s/article/9248242/DOJ_seeks_new_authority_to_hack_a
nd_search_remote_computers?taxonomyId=17
-http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Agenda%20Books/Standing/
ST2014-05.pdf#page499
[Editor's Note (Pescatore): The remote access part is worrisome, opens up huge potential for cyber-damage to innocent bystanders in many ways. It is pretty straightforward to turn off a wiretap or remove a tracking device from a suspect's vehicle. I don't think it removing a remote access Trojan is quite as simple, let alone giving law enforcement the authority to keep vulnerabilities secret from the public. I don't want to be too hyberbolic, but to me this has the potential for backfire as the "Fast and Furious" ATF project to smuggle guns *into* Mexico to see who buys them.]

DOJ Encourages Cyber Security Threat Information Sharing (May 9, 2014)

The US Justice Department (DOJ) wants organizations to share information about cyber threats with each other and with the government. DOJ is issuing guidance because organizations would like to share this kind of information, but are wary of violating people's privacy by sharing information with the government. The DOJ's has published legal guidance for organizations to help them share threat data without compromising customer data. Companies will not be violating privacy laws if they share aggregate data and describe characteristics of an attack, such as unusual changes in traffic patterns.
-http://money.cnn.com/2014/05/09/technology/security/cybersecurity-justice/index.
html
DOJ White Paper:
-http://www.justice.gov/criminal/cybercrime/docs/guidance-for-ecpa-issue-5-9-2014
.pdf
[Editor's Note (Henry): It's helpful that DOJ is clarifying for companies that sharing actionable intelligence (not "information") is legal; it's a good first step. Before any of this can be done, however, the USG needs to determine what type of intelligence it wants, who will receive it, how it will be used, how it will be maintained, and what the private sector can expect back from the government for their efforts.
(Pescatore): This paper really only addresses ISPs and network operators in relation to the Stored Communications act of 1986, and those firms routinely share threat information with each other as a normal course of their interconnected businesses. The bigger concern is sharing that information with the government - which has little to no benefit to industry and opens up potential paths for exposure and liability that aren't covered under existing guidelines.]

Army Didn't Tell Thrift Savings Plan About Training Exercise That Imitated its Website (May 9, 2014)

Earlier this year, the DoD Thrift Savings Plan (TSP) was targeted in a phishing scheme; a phony TSP website appeared online. TSP, which suffered a breach in 2011, noticed the suspicious messages and traced the scheme to an Army server. Officials tried for nearly two weeks to find out who was behind the attack; it turned out to be part of an Army cyber security training exercise. TSP was not informed that their site was being imitated in the drill, which was designed to test whether troops would willingly supply their account access credentials. TSP traced it to the Pentagon, but it took officials there 13 days to figure out what was going on. DOD officials admit that mistakes were made.
-http://www.nextgov.com/cybersecurity/2014/05/it-took-feds-13-days-unravel-tsp-cy
ber-hoax-perpetrated-feds/84061/
[Editor's Note (Assante): As a young naval officer one of my first assignments was to help script a Joint-Task Force and Fleet-level exercise. I became very good at marking all of the exercise materials as 'notional' - 'exercise - exercise - exercise'. We can't forget to apply proven practices in the cyber world.]

---

************************** Sponsored Links: ******************************
1) Close security gaps and ensure the security of your servers and endpoints today - Download the White Paper! http://www.sans.org/info/159137

2) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. http://www.sans.org/info/159142

3) Government IT Pros! Tell Us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/158842
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Information Commissioner's Office Guidance Includes Eight Security Issues to Address (May 12, 2014)

A report from the UK Information Commissioner's Office (ICO) lists eight security issues it has noted in its investigations and which, if appropriately addressed, could prevent data security incidents. Companies have faced fines of as much as GBP 250,000 (US $422,000) for incidents that could have been avoided if they had addressed the issues, which include SQL injection vulnerabilities; default logins; unpatched software; unnecessary services; and lack of encryption. The report also provides advice for mitigating each of the eight issues.
-http://www.v3.co.uk/v3-uk/news/2344150/ico-details-eight-security-failings-that-
cost-firms-thousands
-http://ico.org.uk/news/latest_news/2014/~/media/documents/library/Data_Protectio
n/Research_and_reports/protecting-personal-data-in-online-services-learning-from
-the-mistakes-of-others.pdf
[Editor's Note (Murray): The problem is not that we do not know what to do; it is rather that we lack the courage and resources to do the right thing. That said, the inclusion of "poor password protection" in the ICO's list reflects a poor understanding of the problem. The problem with passwords is not that we fail to "protect" them but that they are inadequate to task of authenticating users in the modern world. They are vulnerable to dictionary and brute force attacks, and when all else fails "phishing" and other "social engineering" attacks. Once compromised, they can be fraudulently reused. Strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) should be at the top of any short list of security fixes.
(Honan): This guidance could mean companies running Windows XP and who suffer a breach may end up being fined by the ICO. On a related matter the Irish Data Protection Commissioner's office released their annual report yesterday (
-http://dataprotection.ie/docs/12-5-14-Annual-Report-2013/1434.htm)
including analysis of case studies on how certain organisations suffered security breaches and/or breached the Data Protection Act. Useful reports, particularly if you have to comply with the EU Data Protection directive.
(Pescatore): The 8 areas discussed in the report line up nicely with Critical Security Controls 2, 3, 6, 11, 16 and 19, and the report is well written, in human readable (versus security-ese) form. But it comes in at a hefty 46 pages with 141 numbered paragraphs. It reminds me of the very long list of "to dos" that your parents left you the first time they went away for the weekend and left you home alone.]

Bitly Provides More Information About Data Breach (May 9 & 12, 2014)

URL-shortening service Bitly has acknowledged that attackers compromised an employee account to gain access to the company's hosted code repository, which contained the key to its offsite backup database. Last week, Bitly said that users' accounts were compromised and urges users to change their passwords. The company faced criticism for not being forthcoming about the nature and specifics of the breach itself: what was compromised, how passwords were protected, and how the breach was detected? Bitly says that it learned of the breach from a security company. Bitly's security team then detected suspicious traffic from its offsite database backup. The company decided it would be safest to assume that the user database was compromised and thus made the decision to disconnect all Facebook and Twitter accounts linked to Bitly accounts.
-http://www.cso.com.au/article/544802/bitly_reveals_hackers_stole_secret_keys_fro
m_hosted_code_repository/
-http://www.bbc.com/news/technology-27340494
-http://www.nbcnews.com/tech/security/bit-ly-breach-link-shortening-service-warns
-users-change-passwords-n101481
-http://www.theregister.co.uk/2014/05/09/bitly_shortens_life_of_users_passwords_a
fter_credential_compromise/
Update:
-http://blog.bitly.com/#85169217199
[Editor's Note (Ullrich): Bitly's blog post about the incident does a good job walking users through the process of invalidating affected credentials. The problem with sites like bitly is that they heavily rely on automated authentication systems like OAuth and an attacker may have stolen or manipulated these tokens. Users need to reset not just their passwords, but also their API keys and OAuth tokens. Unlike passwords, the provider cannot just invalidate these tokens as it will break a lot of users applications. ]

Powerful DDoS Attack Used DDoS Protection Services' Servers (May 9 & 12, 2014)

PointDNS, which hosts more than 220,000 domains, was the target of a powerful distributed denial-of-service (DDoS) attack that lasted for several hours late last week. A similar attack targeting an online gaming site was detected a week earlier. That attack used servers hijacked from two separate DDoS protection providers. The attack remained consistent at 25 million packets per second for seven hours.
-http://www.theregister.co.uk/2014/05/09/point_dns_ddos/
-http://www.scmagazine.com/hijacked-anti-ddos-servers-used-to-carry-out-massive-d
dos-attack/article/346619/
[Editor's Note (Pescatore): Obviously not good if DDoS mitigation firms were used to launch DDoS attacks, sorta like auto body shops seeding hail storms over parking lots to drive business. But, I haven't seen any actual attribution of the firms, just that one was in Canada and one in China.]

US Spy Plane Data Overwhelmed Air Traffic Control System (May 12, 2014)

Insufficient memory in the US air traffic control system may have been the reason the system stopped working several weeks ago, grounding or delaying flights in the southwestern US. The problem was caused when a US spy plane flew above the area. The system attempted to calculate all possible flight paths the aircraft could take and became overwhelmed. The particular system that became overloaded was Lockheed Martin's En Route Automation Modernization (ERAM) system. More memory has been added to prevent the problem from recurring.
-http://www.theregister.co.uk/2014/05/12/los_angeles_air_traffic_control_crash_ca
used_memory_shortage_u_2_spyplane_cia/
-http://www.bbc.com/news/technology-27374759
-http://www.orlandosentinel.com/news/nationworld/sns-rt-us-airtraffic-bug-exclusi
ve-20140511,0,6322530.story
[Editor's Note (Pescatore): I dunno, this story bothers me at several levels. Can you really call something a "spy" plane if it sets off all the ground radar? Is adding memory to accommodate software that "began to consider all altitudes between ground level and infinity" really a good idea? I don't even want to think about what will happen to that software when all those package delivery drones start zipping through the skies.]

Five-Year-Old Linux Flaw Fixed (May 12, 2014)

Developers responsible for maintaining the Linux kernel have fixed a vulnerability that has been undetected since its introduction in 2009. The privilege elevation flaw could be exploited by users with privileges to crash systems or execute code on vulnerable systems.
-http://arstechnica.com/security/2014/05/linux-gets-fix-for-code-execution-flaw-t
hat-went-unpatched-since-2009/
[Editor's Note (Ullrich): Luckily, the flaw is not easily exploited and often results in a system crash. If you have systems crashing all for sudden, check for any exploits trying to take advantage of this vulnerability.
(Murray): In what sense is this flaw "fixed?" It is probably far more pervasive than Heartbleed and if Heartbleed is any example, it is likely to persist for a very long time. ]

The UK Tax Office Must Disclose Information About Software Export Investigation (May 12, 2014)

The UK High Court has ruled that the HM Revenue & Customs (HMRC), UK's tax office, exhibited "a mistaken view of the law" when it refused to disclose information related to the alleged illegal export of software to regimes known to have poor records on human rights. The tax office refused to discuss an investigation into a company that sells the malware with Privacy International, a non-government organization that brought the issue to the attention of HMRC in 2012. Privacy International alleged that Gamma International, which makes surveillance software known as FinFisher, sold and exported its products to countries that are suspected of spying on their own citizens. HMRC initially said it could not divulge information about an investigation or even let the group know if an investigation were underway. The High Court said that the response is not adequate and that HMRC must provide more information.
-http://www.zdnet.com/uk-tax-office-unlawfully-hid-export-data-of-cyber-espionage
-tech-to-dictatorships-7000029334/
-http://www.wired.co.uk/news/archive/2014-05/12/hmrc-spy-software

Canadian Teens Face Charges in SWATting Attacks (May 9 & 12, 2014)

A teenager in Canada has been arrested in connection with making bomb threats and placing calls to emergency services reporting phony life-threatening situations, which is known as "SWATting." The teen allegedly placed at least 30 such calls, which caused law enforcement agencies to deploy SWAT teams to locations of the teen's choosing. Two other teenagers are facing similar charges.
-http://www.ottawacitizen.com/news/Swatting+leads+charges+against+Ottawa/9824837/
story.html
-http://www.ctvnews.ca/canada/ottawa-teen-facing-60-charges-related-to-swatting-1
.1815334
-http://arstechnica.com/security/2014/05/teen-arrested-for-30-swatting-attacks-ag
ainst-schools-security-reporter/
-http://www.fbi.gov/losangeles/press-releases/2014/canadian-law-enforcement-offic
ers-arrest-canadian-resident-suspected-in-series-of-swatting-incidents-throughou
t-north-america

Post-XP Updates May Provide Source for Exploit Writers (May 11 & 12, 2014)

When Microsoft releases its first post-XP support security update on May 13, it is likely that at least one of the vulnerabilities scheduled to be fixed in Windows will also affect XP, giving attackers a peek into vulnerabilities that could be exploited on now-unprotected machines. Predictions are that attacks on XP machines will increase because patches for newer Windows flaws could be reverse-engineered. Users still running XP can mitigate some of the threat by using a browser other than Internet Explorer.
-http://www.computerworld.com/s/article/9248265/Hackers_now_crave_patches_and_Mic
rosoft_s_giving_them_just_what_they_want?taxonomyId=17
-http://www.computerworld.com/s/article/9248277/Windows_XP_die_hards_can_slash_at
tack_risk_by_dumping_IE?taxonomyId=17
[Editor's Note (Assante): XP use in the Industrial Control System (ICS) world will not be the exception to the rule for a longtime. The powerful force of connecting the plant is resulting in dangerous waters for infrastructures and manufactures that continue to rely upon unsupported XP. Many of those hosts can't be isolated from the system and will become the weak link over time. If you think of your 'extended' security team - it includes your ICS supplier and the vendors that support the OSs, applications, and hardware you rely upon. Continued use of XP with out support, in the ICS world, is like removing one of the strongest elements of your security team.]

A Month Later, Heartbleed Issues Abound (May 8 & 9, 2014)

A month after the Heartbleed bug was publicly disclosed, there are still large numbers of systems that are not patched. Several scans suggest that the number of systems still vulnerable to Heartbleed is half what it was when the flaw was first disclosed. There are also reports that more than 30,000 TLS/SSL certificates have been reissued with the same keys, which does not fix the problem, and some new servers put online are running a vulnerable version of the cryptographic software library. Finally, several industrial control system products have been found to be vulnerable to Heartbleed.
-http://www.infosecurity-magazine.com/view/38359/heartbleed-bug-hits-industrial-c
ontrol-systems/
-http://www.darkreading.com/vulnerabilities---threats/accidental-heartbleed-vulne
rabilities-undercut-recovery-effort/d/d-id/1251166?
-http://www.zdnet.com/many-sites-reusing-heartbleed-compromised-private-keys-7000
029282/
-http://arstechnica.com/security/2014/05/four-weeks-on-huge-swaths-of-the-interne
t-remain-vulnerable-to-heartbleed/
[Editor's Note (Shpantzer): Admins are inadvertently ADDING Heartbleed to safe servers.
-http://www.theregister.co.uk/2014/05/09/unpatched_failboxes_see_thousands_join_h
eartbleed_club/
(Murray): The problem with certificates versus keys was caused in large part by "expert advice" to change certificates when the problem was the potential to leak keys. At one point I thought that the security community understood key management but apparently I was simply optimistic. ]

---

STORM CENTER TECH CORNER

Windows 8.1 End of Support
-https://isc.sans.edu/forums/diary/This+is+not+a+testtypo+Support+for+Windows+81+
Ends+in+a+month/18087

Solar Power Management Platform Could Crash Grid
-http://www.solar-log.ro/fileadmin/BENUTZERDATEN/Downloads/Firmware/ReleaseNotes/
_3.1.1-66-20140414-EN.pdf

Elastic Search Remote Code Execution Flaw
-http://bouk.co/blog/elasticsearch-rce/

Smart TV may be used to listen in
-http://www.theregister.co.uk/2014/05/10/smarttv_bugging/

Twitter Improving Account Security
-https://blog.twitter.com/2014/keeping-your-twitter-account-safe

IBM Patches Java Secure Random
-http://www.cigital.com/justice-league-blog/2014/05/06/recent-fixes-ibmsecurerand
om

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/