SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #39
May 16, 2014
SANSFIRE is bringing 38 courses to Baltimore June 21-30. They are presented by the best security teachers/practitioners - people shaping the future of information security; 5 of the courses will be simulcast so you can attend anywhere in the world. Three timely new courses have been added: Advanced Network Forensics and Analysis, Advanced Smartphone Forensics, and the new benchmark course for people working in SCADA and ICS security. All course attendees get free access to the evening Internet Storm Center updates where you'll learn about the newest attack types and other up to the minute developments.
Data at http://www.sans.org/event/sansfire-2014/welcome/
TOP OF THE NEWS
Google Drawing Harder Line on Suspicious Google Apps Logins
US Senate Committee Calls for Strengthening Online Advertising Security
DOJ Fast-Tracking Cyber Specialist Hires
THE REST OF THE WEEK'S NEWS
FCC Votes for Fast Lane Proposal
Attackers Actively Exploiting IE Flaw Patched in Emergency Fix Two Weeks Ago
20-Year Sentence for Cyber Criminal Charged Under Racketeering Act
US Retailers Launch Cyber Intelligence Sharing Center
Former Subway Sandwich Shop Owner Pleads Guilty in Point-of-Sale Terminal Fraud Scheme
Guardian Journalists' Book Describes NSA Installing Spyware on Network Equipment
NIST Wants Developers of Critical Systems to Consider Security From the Start
Linux Distributions Preparing Fixes for Kernel Flaw
Iranian Hacktivists Shift Focus to Espionage
Microsoft and Adobe Security Updates
PESCATORE FIRST LOOK: GE WILL BUY WURLDTECH
STORM CENTER TECH CORNER
**************************** Sponsored By Bit9 *************************
Windows XP is Dead! XP End of Life is here - there are no more security updates or critical patches available unless you pay for high cost support. How will you protect your organization?
http://www.sans.org/info/159617
***************************************************************************
TRAINING UPDATE
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014
- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014
- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Austin, Malaysia, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Google Drawing Harder Line on Suspicious Google Apps Logins (May 14, 2014)
Google is imposing stronger requirements on Google Apps logins that appear suspicious. If the company suspects that a login attempt is being made by someone other than an account's legitimate user, Google will ask the person logging in to enter a verification code sent via SMS to authenticate their identity, even if users have not activated that security feature. Google will eventually roll out the stricter login requirements to all its domains.
-http://www.cnet.com/news/google-gets-tougher-on-suspicious-google-apps-logins/
[Editor's Note (Pescatore): Thank you, Google - this is a good thing and there is a growing list of online services doing the same or similar things. It is another example of consumer services adding stronger security *faster* than enterprises.
(Murray): I use one-time password options wherever they are offered. It would be interesting to know whether others do. If, for example, a significant number of Google's users choose this security option, publicizing that fact might overcome the resistance to using strong authentication. ]
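The step-up flow described in this item, written out as an added example (this is not Google's code and is not part of the original newsletter). The risk signals used here (unfamiliar device cookie, unfamiliar geo-IP country), the six-digit code format, the five-minute expiry, the three-attempt limit and the SMS gateway stub are all assumptions chosen for illustration; the point is that a correct password from an unfamiliar context is forced through an SMS code even though the account never enrolled in two-step verification, and that the code is single-use, expiring, rate-limited and compared in constant time.

```python
"""Risk-based step-up login: added illustration, not Google's code.
Assumed: device cookie + geo-IP country as the only risk signals,
6-digit codes, 300 s expiry, 3 attempts, SMS gateway replaced by a stub."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class Account:
    username: str
    phone: str                       # where the step-up code is sent
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    two_step_enrolled: bool = False  # the user has NOT necessarily opted in


@dataclass
class LoginAttempt:
    device_id: str    # assumed: persistent device cookie / fingerprint
    country: str      # assumed: geo-IP lookup of the client address
    password_ok: bool


def assess(account: Account, attempt: LoginAttempt) -> str:
    """Return 'deny', 'allow' or 'challenge' for a password login.

    A correct password from an unfamiliar device or country is suspicious and
    gets an SMS challenge even when two-step verification is not enrolled."""
    if not attempt.password_ok:
        return "deny"
    if account.two_step_enrolled:
        return "challenge"           # opted in: always require the code
    unfamiliar = (attempt.device_id not in account.known_devices
                  or attempt.country not in account.known_countries)
    return "challenge" if unfamiliar else "allow"


class SmsChallenge:
    """One-time codes with expiry, an attempt limit and constant-time compare."""
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, send_sms: Callable[[str, str], None]):
        self._send = send_sms        # a real deployment calls an SMS gateway
        self._pending: Dict[str, Tuple[str, float, int]] = {}

    def issue(self, account: Account) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not random.*
        self._pending[account.username] = (code, time.time() + self.TTL_SECONDS, 0)
        self._send(account.phone, code)

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if time.time() > expires_at or attempts >= self.MAX_ATTEMPTS:
            del self._pending[username]   # expired or being guessed: invalidate
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[username]   # single use
            return True
        self._pending[username] = (code, expires_at, attempts + 1)
        return False


def login(account: Account, attempt: LoginAttempt, challenge: SmsChallenge) -> str:
    """First factor. Returns the verdict; on 'challenge' the code is sent."""
    verdict = assess(account, attempt)
    if verdict == "challenge":
        challenge.issue(account)
    return verdict


def complete_challenge(account: Account, attempt: LoginAttempt,
                       challenge: SmsChallenge, submitted: str) -> bool:
    """Second step. On success, remember the device and country so the next
    login from the same context is no longer treated as suspicious."""
    if not challenge.verify(account.username, submitted):
        return False
    account.known_devices.add(attempt.device_id)
    account.known_countries.add(attempt.country)
    return True


if __name__ == "__main__":
    outbox = []                      # stub SMS gateway: constructed for the demo
    sms = SmsChallenge(lambda phone, code: outbox.append(code))
    alice = Account("alice", "+1-555-0100", {"laptop-1"}, {"US"})
    print(login(alice, LoginAttempt("laptop-1", "US", True), sms))   # allow
    new_phone = LoginAttempt("phone-7", "US", True)
    print(login(alice, new_phone, sms))                              # challenge
    print(complete_challenge(alice, new_phone, sms, outbox[-1]))     # True
    print(login(alice, new_phone, sms))                              # allow now
```

The lockout after MAX_ATTEMPTS matters as much as the challenge itself: a six-digit code with unlimited guesses is a 10^6 keyspace, so without the attempt limit and expiry the step-up adds little against an attacker who already has the password.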
US Senate Committee Calls for Strengthening Online Advertising Security (May 15, 2014)
A report from the US Senate Committee on Homeland Security and Governmental Affairs calls on the online advertising industry to improve security, and says that if the industry does not effectively self-regulate, the Federal Trade Commission (FTC) "could consider comprehensive regulations." The report also notes that "the complexity of current online advertising practices impedes industry accountability for malware attacks." The committee also calls for the creation of "circuit breakers" so site administrators and network operators can disable advertisements that have been detected spreading malware.
-http://www.theregister.co.uk/2014/05/15/senate_slams_ad_servers_for_security_failings/
-http://www.hsgac.senate.gov/media/permanent-subcommittee-on-investigations-releases-report-online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy-
[Editor's Note (Pescatore): I'll summarize the few meaningful parts for you: "Malvertizing is the new spyware. Government should do something, how about having Congress debate new regulations for a few years?" So, to save much hot air: FTC, please go after some of the online advertisers who are delivering ads that contain malware, just like you've successfully moved against other online companies doing unfair and deceptive things. Thank you.
(Shpantzer): If you ever wanted to understand the sleazy, bizarre world of online ad networks, look no further than Ben Edelman's blog which has been tracking this niche for years:
-http://www.benedelman.org/]
DOJ Fast-Tracking Cyber Specialist Hires (May 15, 2014)
The US Justice Department (DOJ) is recruiting cyber specialists more quickly than it has been able to in the past, thanks in part to relaxed funding restrictions. DOJ has also been granted a direct hire authority so job candidates do not have to navigate the labyrinthine and lengthy standard application process. While direct hire authority is granted with the aim of filling critical positions in a timely manner, other civilian agencies have not seen the designation help increase staff as quickly as anticipated. The shortage of technical skills is a major challenge.
-http://www.nextgov.com/cybersecurity/2014/05/justice-fast-tracking-cyber-hires/84511/?oref=ng-channeltopstory
[Editor's Note (Paller): When DHS obtained a similar direct hiring authority four years ago for "1,000 cybersecurity engineers," DHS IT managers hijacked it to hire people, without cyber skills, for regular IT roles, bypassing normal hiring rules. Senate oversight committee staff just discovered the details. The Department of Justice might want to be sure that a high standard of technical cyber skills is enforced as a minimum requirement for using the direct hiring authority. The Homeland Security Advisory Committee Taskforce on CyberSkills has useful guidance on hiring for mission critical cybersecurity jobs.
-http://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final.pdf]
************************** Sponsored Links: ******************************
1) In case you missed it: What Works Webcast: Going 'All In' for Protection and Compliance with the Critical Security Controls at Sun Country Airlines. Wednesday, May 14 at 1:00 PM EDT with John Pescatore. Learn how Sun Country overcame limited staffing, budget challenges and only 6 months of runway to implement an integrated, system-wide security capability that worked like a single "rack" of equipment. http://www.sans.org/info/159627
2) Higher Ed IT Security: Doing More With Less - Listen to SANS Survey Results delivered by SANS Education Expert, Randy Marchany, Tuesday, June 17, 1 PM EDT http://www.sans.org/info/159632
3) New Whitepaper in the SANS Reading Room: http://www.sans.org/info/159637
*****************************************************************************
THE REST OF THE WEEK'S NEWS
FCC Votes for Fast Lane Proposal (May 15, 2014)
Members of the Federal Communications Commission (FCC) have voted for a proposal that, if it becomes a rule, would allow Internet service providers (ISPs) to charge companies offering web services for prioritized Internet access. Three of the commissioners voted for the plan, and two voted against it. Called "Fast Lanes," the plan is being criticized as potentially creating a two-tiered Internet. The Notice of Proposed Rulemaking (NPRM) will ask for public comment on several specific questions, including whether paid prioritization should be barred completely, and whether broadband should be reclassified as a telecommunications service.
-http://arstechnica.com/tech-policy/2014/05/fcc-votes-for-internet-fast-lanes-but-could-change-its-mind-later/
-http://www.bbc.com/news/technology-27426937
[Editor's Note (Murray): One gets the sense that all of this hype is simply a lead up to preemptive regulation of the Internet. The young people who see increased regulation as necessary and desirable for "net neutrality," do not remember how stifling and inefficient the regulation of POTS (plain old telephone service) was. They forget that regulation of the telcos as "natural monopolies" was necessary only because we granted them de jure monopoly as a means of achieving critical mass, critical mass that the Internet achieved a generation ago. ]
Attackers Actively Exploiting IE Flaw Patched in Emergency Fix Two Weeks Ago (May 15, 2014)
Attackers are actively exploiting a vulnerability in Internet Explorer that Microsoft patched in an out-of-band emergency update on May 1, 2014. Three companies came under attack just days after the patch was released.
-http://www.theregister.co.uk/2014/05/15/aussie_biz_served_april_ie_exploit/
-https://technet.microsoft.com/en-US/library/security/2963983
[Editor's Note (Shpantzer): The vulnerability is CVE-2014-1776 and FireEye's report says that EMET mitigates it:
-http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
EMET is free from Microsoft and is highly recommended... Here's the mitigation approach from FireEye: Pick at least one: "Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests. Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10. Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning."
-http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html]
20-Year Sentence for Cyber Criminal Charged Under Racketeering Act (May 15, 2014)
Federal prosecutors have successfully used racketeering laws to convict a low-level cyber criminal who was a small player in a large organization. David Ray Camez was sentenced to 20 years in prison and ordered to pay US $20 million in restitution for his role in the carder
-http://arstechnica.com/security/2014/05/anti-gangster-law-invoked-to-score-stiff-sentence-against-two-bit-cyberthief/
US Retailers Launch Cyber Intelligence Sharing Center (May 14 & 15, 2014)
Major US retailers have come together to launch the Retail Cyber Intelligence Sharing Center (R-CISC) in an effort to prevent incidents like the Target attack. The organization, which counts among its members Target, The Gap, Walgreens, and J.C. Penney, will share real-time threat information with each other and with US agencies, including the Secret Service, the FBI, and the Department of Homeland Security (DHS), as well as with other public and private stakeholders. R-CISC will also provide training, education, and research resources to its members.
-http://www.scmagazine.com/retailers-join-forces-to-share-threat-intelligence/article/347215/
-http://www.computerworld.com/s/article/9248357/Target_Gap_other_retailers_join_to_share_cyberthreat_data?taxonomyId=17
-http://www.govinfosecurity.com/retailers-launch-info-sharing-center-a-6840
Former Subway Sandwich Shop Owner Pleads Guilty in Point-of-Sale Terminal Fraud Scheme (May 15, 2014)
A man who once owned several Subway sandwich restaurants has pleaded guilty to charges that he operated a gift card scam involving point-of-sale (POS) terminals at other Subway restaurants. Shahin Abdollahi admitted that he sold POS systems preloaded with remote login software to more than a dozen Subway stores. Abdollahi and another man, Jeffrey Wilkinson, also faced charges of accessing those systems while stores were closed and using them to load credit onto Subway gift cards, which they then sold on eBay and Craigslist. The scheme stole at least US $40,000 from the stores.
-http://arstechnica.com/security/2014/05/former-subway-sandwich-franchisee-cops-to-40000-gift-card-hack-scheme/
-http://www.computerworld.com/s/article/9248359/Former_Subway_franchise_owner_admits_to_POS_hacking?taxonomyId=17
Guardian Journalists' Book Describes NSA Installing Spyware on Network Equipment (May 12, 13, 14 & 15, 2014)
In excerpts of his upcoming book, journalist Glenn Greenwald describes how the National Security Agency (NSA) intercepted shipments of routers, servers, and other network devices bound for overseas destinations and installed spyware on the equipment before sending it on its way. This is the same activity that in 2012 the US government alleged China was engaged in. Excerpts from Greenwald's book were published in The Guardian.
-http://www.v3.co.uk/v3-uk/news/2344962/nsa-seen-tampering-with-cisco-kit-to-add-surveillance-tools
-http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
-http://www.zdnet.com/nsa-backdoors-us-hardware-headed-overseas-greenwald-7000029361/
-http://www.cnet.com/news/nsa-reportedly-installing-spyware-on-us-made-hardware/
NIST Wants Developers of Critical Systems to Consider Security From the Start (May 14, 2014)
The US National Institute of Standards and Technology (NIST) wants developers of critical systems to build security into their products "from the ground up." The voluntary guidelines are intended to be a roadmap for IT management responsible for securing systems that underlie the country's critical infrastructure. The 121-page draft document describes 11 core technological processes in systems and software development. The draft is open to public comment through July 11, 2014. One of the document's co-authors describes it as "a disciplined and structured process to show how ... security actually does get baked into the process."
-http://www.scmagazine.com/nist-standard-puts-security-at-start-of-critical-systems-development/article/346988/
-http://www.nextgov.com/cybersecurity/2014/05/nist-offers-guidance-building-security-critical-systems/84328/?oref=ng-channeltopstory
-http://csrc.nist.gov/publications/drafts/800-160/sp800_160_draft.pdf
[Editor's Note (Assante): There are great ideas in this draft guideline packaged with the quality and difficult to implement complexity expected from a NIST effort. I applaud the attempt to shift attention from the component-level to the system-level and move the consideration of co-adaptive and intelligent threats to the earliest stage (design requirements) in the lifecycle. I am struggling with the authors' choice to limit system resilience to the small box of 'security engineering'. Regardless, even the draft will serve as an excellent reference document in my library, but I believe organizations remain ill-equipped to implement what is suggested here. ]
Linux Distributions Preparing Fixes for Kernel Flaw (May 14, 2014)
Fixes are on the way for a vulnerability that affects several Linux distributions, including Ubuntu, Debian, and certain Red Hat systems. The flaw could be exploited by local users to crash systems or run programs with administrative privileges. The flaw lies in the kernel's handling of tty (terminal) devices.
-http://www.theregister.co.uk/2014/05/14/linux_distos_get_patching_on_terminal_bug/
-http://www.zdnet.com/patches-ready-for-red-hat-ubuntu-and-others-affected-by-linux-kernel-flaw-7000029442/
Iranian Hacktivists Shift Focus to Espionage (May 13 & 14, 2014)
A group based in Iran that had been defacing websites has moved on to more serious activity. Calling itself the Ajax Security Team, the group has been active for at least five years. In recent months, the group has been launching attacks against Western defense contractors and organizations within Iran that are trying to bypass the country's Internet firewall using proxy services. The group has developed its own malware called Stealer. It does not exploit a software flaw to gain a foothold on systems, but instead relies on social engineering to trick people into installing it themselves.
-http://www.theregister.co.uk/2014/05/14/iranian_hacktivists_move_into_hardcore_hacking_against_west_dissidents/
-http://www.darkreading.com/analytics/threat-intelligence/on-the-trail-of-an-iranian-hacking-operation/d/d-id/1252723
-http://www.darkreading.com/anatomy-of-the-new-iranian-apt/d/d-id/1252695?
Microsoft and Adobe Security Updates (May 13 & 14, 2014)
On Tuesday, May 13, both Microsoft and Adobe released security updates. Microsoft issued eight security bulletins to address 13 vulnerabilities in Internet Explorer (IE), SharePoint Server, Office, and Windows. This monthly security release marks the first time that Windows XP and Office 2003 did not receive any updates. Adobe released fixes for a total of 18 flaws in Reader, Acrobat, and Flash Player. The Flash update addresses at least six vulnerabilities.
-https://isc.sans.edu/diary/Microsoft+May+2014+Patch+Tuesday/18113
-https://isc.sans.edu/diary/Adobe+May+2014+Patch+Tuesday/18115
-http://www.darkreading.com/vulnerabilities---threats/vulnerability-management/microsoft-blocks-zero-day-attacks-targeting-ie-office/d/d-id/1252718?s
-http://www.v3.co.uk/v3-uk/news/2344667/microsoft-insists-no-more-windows-xp-security-upgrades-amid-patch-tuesday-fixes
-http://www.computerworld.com/s/article/9248321/Microsoft_s_Patch_Tuesday_gives_XP_attackers_a_roadmap?taxonomyId=17
-http://www.scmagazine.com/microsoft-pushes-eight-fixes-for-13-bugs-in-windows-ie-and-office/article/346795/
-http://www.theregister.co.uk/2014/05/13/adobe_outdoes_microsoft_swats_18_bugs_in_latest_update/
-http://www.zdnet.com/adobe-patches-acrobat-reader-flash-and-illustrator-7000029397/
-http://krebsonsecurity.com/2014/05/adobe-microsoft-issue-critical-security-fixes-2/
-https://technet.microsoft.com/library/security/ms14-may
[Editor's Note (Shpantzer): Adobe is to infosec as UHaul is to moving companies. ]
PESCATORE FIRST LOOK: GE WILL BUY WURLDTECH
GE said it will buy Vancouver, Canada based Wurldtech, a privately held company that sells tools and services to assess the security of industrial control systems and runs a certification program for industrial control device vendors and operators. GE will initially run Wurldtech as a wholly owned subsidiary. This acquisition could be positive for users of GE's industrial control products, if Wurldtech's expertise is used to reduce the vulnerabilities in GE's products before they ship. There are two potential negatives, however: (1) Wurldtech's certification program will be viewed by GE's competitors as less desirable now that Wurldtech is controlled by GE; and (2) GE Software's Bill Ruh has stated that "The world of OT security needs to be foundationally different from traditional IT detection systems" which runs counter to the growing trend of IT/OT integration - putting the Critical Security Controls to work in similar and connected processes across traditional PCs and servers, as well as across appliances, ATM machines, kiosks, and industrial control systems.
-http://online.wsj.com/news/articles/SB10001424052702304431104579551621019395990
STORM CENTER TECH CORNER
DogeVault.com Hacked
-https://www.dogevault.com
Public Accessible NAS Drives Leak Secret Data
-http://www.theregister.co.uk/2014/05/13/nas_security_risk/
OAuth Security Cheat Sheet
-http://www.oauthsecurity.com
New (to me) Kippo Fingerprinting Techniques
-https://isc.sans.edu/forums/diary/Kippo+Users+Beware+Another+fingerprinting+trick/18119
Microsoft Updates Bricking Selected UEFI Systems
-http://www.infoworld.com/t/microsoft-windows/how-fix-problems-revoked-uefi-module-patches-kb-2920189-and-2962824-242533
Netcraft Statistic On Post-Heartbleed Cleanup
-http://news.netcraft.com/archives/2014/05/09/keys-left-unchanged-in-many-heartbleed-replacement-certificates.html
IETF Considers Pervasive Monitoring an Attack
-http://www.rfc-editor.org/rfc/rfc7258.txt
What's the Scope
-https://isc.sans.edu/forums/diary/Breaches+and+Attacks+that+are+Not+in+Scope+/18123
Inventorying Systems
-https://isc.sans.edu/forums/diary/Collecting+Workstation+Software+Inventory+Several+Ways/18125
Apple Security Update for iTunes
-http://support.apple.com/kb/HT6245
Facebook STARTTLS reports
-https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/