SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #41

May 23, 2014

As of this morning 2,532 candidates have registered for the Online National Cybersecurity Career Fair (NCCF) and most of them have completed the skills and talent exam that helps them show potential employers their strengths. They include winners of seven statewide Governor's Cyber Cup competitions, and the US Cyber Challenges, as well as US Air Force service members with IT and IA experience who are transitioning to private jobs, from associations like ISC2 and from SC magazine subscribers as well as others who hear through social media. Several of America's best cybersecurity employers - especially those who are focused on giving opportunities to veterans (26% of the candidates) will be recruiting at the NCCF. A few examples: JPMorgan Chase, KPMG, Accenture, CBS, NSA, INSCOM, Solutionary and PWC. Several more - particularly the major security service providers - are also engaging. The program is open to any employer and jobseeker interested; email Max Shuftan (mshuftan@cyberaces.org) or visit nationalcybersecuritycareerfair.com

---

TOP OF THE NEWS

eBay Criticized for Handling of Breach
Microsoft Successfully Challenged National Security Letter
House Passes Watered Down Bill Aimed at Limiting NSA Data Collection
US Public Utility Breached

THE REST OF THE WEEK'S NEWS

Apple to Address "iMessage Purgatory" Flaw
Microsoft Will Not Fix IE 8 Flaw
China Vetting Networking Gear
China Bans Windows 8 for Government Computers
Senate Panel Approves Bill Allowing DHS to Pay Cyber Specialists Higher Salaries
Four-Year Prison Sentence for Server Sabotage
Two Plead Guilty to Breaking into Government and University Systems
Chrome 35 Fixes 23 Flaws
DDoS Attack on URL-shortening Service Affected Hundreds of Millions
What Does the US Hope to Accomplish With Indictments of Chinese Military Officials?

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*************************** Sponsored By Bit9 *****************************
How do security and compliance gaps affect your organization? Learn how a single agent can provide visibility, detection, response and protection - all while automating and managing compliance! Close security gaps and ensure the security of your servers and endpoints today.
Download The White Paper! http://www.sans.org/info/160272
***************************************************************************
TRAINING UPDATE


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

eBay Criticized for Handling of Breach (May 21 & 22, 2014)

eBay has met with widespread criticism for the way it handled a breach that exposed user data. On May 21, eBay acknowledged that a database containing user passwords and personally identifiable information was compromised. The intrusion occurred in February or March of this year. eBay became aware of the breach earlier this month. The company was taken to task for delaying notification for so long and for the labyrinthine process users had to navigate to change their passwords. Furthermore, the volume of users trying to change their passwords was at one point overwhelming eBay's system. People want to know why they did not detect the intrusion for three months, but eBay and the FBI have not been forthcoming with details about the breach.
-http://www.nbcnews.com/tech/security/silent-auction-ebay-fbi-mum-hack-details-n1
12186
-http://www.v3.co.uk/v3-uk/news/2346280/ebay-slammed-for-password-plundering-afte
r-giant-breach
-http://arstechnica.com/security/2014/05/ebay-buryies-its-own-advisory-to-change-
passwords-following-database-hack/
-http://www.nextgov.com/cybersecurity/2014/05/ebays-system-cant-handle-all-people
-trying-change-their-passwords-once/85009/?oref=ng-HPriver
[Editor's Note (Pescatore): I'm all for the market excoriating companies slow to detect compromises. However, I didn't find the process of changing my eBay password "labyrinthine" - if it was any easier to do, attackers would be changing all our passwords on a regular basis.
(Murray): This compromise dwarfs any to date. By failing to use strong authentication and by leaving a path between the public network and these sensitive databases and records eBay has exposed hundreds of thousands of users to application fraud, not to say "identity theft." Users should not be misled by the warning to change their passwords; the real risk here is the disclosure of names and dates of birth for which there is no remedy offered or available. I did not change my eBay password, I closed my account and sold my stock. ]

Microsoft Successfully Challenged National Security Letter (May 22, 2014)

A federal court in Seattle has unsealed documents revealing that Microsoft successfully challenged an FBI National Security Letter (NSL) late last year. The FBI uses NSLs to request information relevant to national security-related investigations from telecommunications companies. The request in this case involved one of Microsoft's enterprise customers. Microsoft was prompted to challenge the NSL because of its accompanying gag order, which forbids it from notifying affected customers about the data request. When the challenge was filed, the FBI withdrew the NSL.
-http://www.zdnet.com/microsoft-challenged-an-fbi-national-security-letter-and-wo
n-7000029785/

House Passes Watered Down Bill Aimed at Limiting NSA Collection (May 22, 2014)

The US House of Representatives has approved a bill aimed at ending the NSA's wholesale collection of phone records, but last minute changes to the language have removed some of the bill's teeth. The USA Freedom Act was drafted with the intent of putting an end to the NSA's metadata collection program revealed by Edward Snowden, but changes have provided the NSA a wide loophole to continue collecting data. The NSA would be required to search for particular terms to justify collection of a record. The bill would technically end bulk metadata collection as the intelligence community defines it, because any targeted collection is no longer deemed "bulk." Other changes to the bill include the definition of search terms from "a term used to uniquely describe a person, entity, or account," to "a discrete term, such as a specifically identifying a person, entity, account, address, or device." The removal of "unique" and the addition of "such as" make the requirement sufficiently vague as to leave room for broad interpretation, which will be left to the Foreign Intelligence Surveillance Court (FISC). In addition, the public advocate provision of the bill has been removed and replaced with an amicus option, which takes some of the teeth out of challenges to NSA requests.
-http://www.wired.com/2014/05/usa-freedom-act-2/
-http://www.computerworld.com/s/article/9248519/House_approves_weakened_bill_to_l
imit_NSA_bulk_collection?taxonomyId=17

US Public Utility Breached (May 20 & 21, 2014)

The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team, has received reports of security incidents involving control systems. In one, attackers managed to breach the control system network of an unidentified US public utility. The attackers found their way into the system from the Internet, using a brute force password attack against the system's remote access capability. The utility's operations were not affected by the intrusion. An investigation concluded that the utility had been the target of previous intrusions. In a second incident, attackers accessed a control system server that operates a mechanical device. The intruder had access for "an extended period of time."
-http://www.cnn.com/2014/05/21/us/hackers-public-utility/
-http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSB
REA4J10D20140521
-http://www.v3.co.uk/v3-uk/news/2345950/us-public-utility-compromised-by-brute-fo
rce-cyber-attack
-http://www.scmagazine.com/dhs-control-system-of-us-utility-company-hacked/articl
e/347990/
-http://www.computerworld.com/s/article/9248473/Public_utility_compromised_after_
brute_force_attack_DHS_says?taxonomyId=17
-http://www.nbcnews.com/tech/security/hackers-launched-cyberattack-u-s-public-uti
lity-government-says-n110476
-http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan
-April2014.pdf
[Editor's Note (Assante): DHS has selected two examples of known incidents to draw attention to the mounting concerns with weaker ICS architectures that include Internet-facing control system devices/components. These two incidents are mere drops in an ever larger bucket. Technology convergence has been steadily undoing government outreach efforts to teach the importance of segmentation of the ICS away from Internet connected networks. Welcome to the Internet of many faces - we are now adding the Industrial Internet, the Internet of Things, and the military Internet. Convenience and speed will come at a price for some.
(Murray): Resist brute force attacks by slowing prompts after two or three failed attempts. Failing that, at least generate and act on "failed logon" alerts. ]

---

************************** Sponsored Links: ******************************
1) New research from Gartner says evolving threats mandate a new approach to intrusion prevention. We agree. That's why Gartner has placed HP TippingPoint in the leaders quadrant of their Magic Quadrant for IPS nine years in a row. Click here to read the Newsletter. http://www.sans.org/info/160277

2) Government IT Pros! Tell us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/160282. Also Enter to Win an iPad!

3) Analyst Webcast: Kill Malware in its Tracks with Intelligent Sensors, featuring Rob Vandenbrink and Elissa Lippencort, thursday, June 19 at 3 PM EDT http://www.sans.org/info/160287
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple to Address "iMessage Purgatory" Flaw (May 22, 2014)

Apple has promised a fix for a flaw in iMessage that keeps users who have moved from iOS to another system from receiving their messages if they forget to disable iMessage before they move. Because iMessage can send a message over Wi-Fi and Apple servers instead of as a standard SMS over a wireless carrier, if users forget to turn off iMessage, their messages are never delivered. Apple says it will include a fix in its next iOS update.
-http://www.zdnet.com/apple-acknowledges-imessage-flaw-promises-fix-7000029773/

Microsoft Will Not Fix IE 8 Flaw (May 21 & 22, 2014)

Microsoft says it will not patch a critical flaw in Internet Explorer 8 (IE 8) that it has known about since October 11, 2013, saying that instead, users need to harden their browsers by changing their settings to block and send alerts about ActiveX Controls and Active Scripting. The flaw, which lies in the way IE 8 handles CMarkup objects, could be exploited to launch phishing and drive-by download attacks on computers running the older version of Microsoft's browser and to give attackers the same rights as the compromised user account. The company also advises users to install its Enhanced Mitigation Experience Toolkit (EMET).
-http://www.v3.co.uk/v3-uk/news/2346199/microsoft-ignores-critical-internet-explo
rer-zero-day-bug-leaving-users-open-to-attack
-http://www.theregister.co.uk/2014/05/22/ie_8_zero_day_dumped_after_7_months_redm
ond_says_harden_up/
-http://www.cnet.com/news/zero-day-flaw-haunts-ie-8-for-7-months-and-counting/
Microsoft now says that it will eventually patch the flaw in IE 8, but did not say when that would be.
-http://www.computerworld.com/s/article/9248531/Microsoft_plans_to_patch_IE_zero_
day_eventually?taxonomyId=17
[Editor's Note (Murray): I use No Script but should not need to. I accept that MS does not put EMET in enterprise editions for fear of breaking applications. Never let it be said that MS put security ahead of running absolutely any application. However, it should be included by default in consumer editions. ]

China Vetting Networking Gear (May 22, 2014)

After the US Justice Department indicted five members of China's People's Liberation Army (PLA) for espionage, China has begun imposing inspection requirements for networking gear sold there. The US imposed similar restrictions on Chinese-made gear in 2012, essentially removing Chinese network equipment suppliers Huawei and ZTE from the US market.
-http://arstechnica.com/information-technology/2014/05/china-responds-to-nsa-tamp
ering-with-network-gear-with-vetting-process/
-http://www.computerworld.com/s/article/9248510/China_to_block_IT_products_that_d
on_39_t_pass_cybersecurity_vetting?taxonomyId=17
[Editor's Note (Pescatore): I said last week "It's official, we are now in a Cyber Cold War" with China. During the Cold War with the USSR, the US was the dominant supplier of computing, networking and telecoms gear and had little to fear from the "Trade Wars" that come along with a Cold War. That is not true anymore - the US is just as dependent on global suppliers as everyone else. Supply chain integrity is important, but the UK approach of testing telecoms gear is a much more meaningful approach than trying to ban products from certain countries. ]

China Bans Windows 8 for Government Computers (May 20, 2014)

The Chinese government is citing security concerns as the reason it has chosen to ban Windows 8 from use on its computers. There was no explanation as to how the decision would improve security. The decision to ban Windows 8 was made before the US Department of Justice (DOJ) announced the indictments of the five PLA members. One report says that the decision was made to avoid the security problems that arose from the end of XP support. The Chinese government plans to use Linux-based operating systems.
-http://www.v3.co.uk/v3-uk/news/2345794/china-bans-windows-8-in-government-as-it-
looks-to-linux
-http://www.cnet.com/news/china-bans-windows-8-from-government-computers/

Senate Panel Approves Bill Allowing DHS to Pay Cyber Specialists Higher Salaries (May 21, 2014)

The US Senate Homeland Security and Governmental Affairs Committee has approved a bill that would give the Department of Homeland Security (DHS) the authority to pay cyber specialists it hires as much as the Pentagon pays their cyber professionals. The measure would place DHS on a more even playing field with private sector companies and the military, where compensation is often more lucrative than government work. Some are warning that the measure could be misused to hire IT workers without security skills, thereby failing to fulfill the bill's intent. In 2010, DHS had direct hire authority so it could increase its pool of cyber specialists by 1,000 over three years and put it on a footing with the military. However, IT managers used that authority to hire people without security skills for regular IT roles.
-http://www.nextgov.com/cybersecurity/2014/05/bill-would-let-dhs-pay-cyber-worker
s-much-pentagon-pays/84958/
[Editor's Note (Pescatore): When I got out of college in 1978, NSA had similar pay authority for those with Electrical Engineering degrees, since they were in high demand. (I think it came to a whopping $10/week...) The recent SANS security salary survey showed that security certifications - proof of knowing how to implement and operate security controls and actually improve security - are in high demand by employers, so a premium makes sense for that. More important overall is the need to increase the size of the talent pool vs. DHS just paying more to hire away other organization's talented security folks. ]

Four-Year Prison Sentence for Server Sabotage (May 21, 2014)

A judge in West Virginia has sentenced former network engineer Ricky Joe Mitchell to four years in prison for sabotaging his former employer's systems, disrupting its business for a month. Mitchell pleaded guilty in January 2014. The judge also ordered him to pay more than US $500,000 in restitutions and fines. In June 2012, after learning that he was going to be fired from his position at EnerVest, Mitchell reset the company's servers to their factory default settings. He also disabled the systems' cooling equipment and data-replication process.
-http://www.computerworld.com/s/article/9248499/IT_pro_gets_4_years_in_prison_for
_sabotaging_ex_employer_39_s_system?taxonomyId=17

Two Plead Guilty to Breaking into Government and University Systems (May 21, 2014)

Two men have entered guilty pleas to charges stemming from break-ins at government and university computer systems. One of the men, Nicholas Paul Knight, is a former systems administrator on a nuclear-powered Navy aircraft carrier and conducted some of the attacks from the vessel. The other man is Daniel Trenton Krueger, a computer network engineering student. The pair was charged in Oklahoma as the attack that got them caught targeted data stored on servers in Tulsa.
-http://www.scmagazine.com/former-navy-systems-admin-pleads-guilty-to-hacking-cha
rges/article/347968/
-http://arstechnica.com/tech-policy/2014/05/sailor-convicted-of-hacking-websites-
from-aboard-aircraft-carrier/
-http://www.nbcnews.com/news/crime-courts/ex-sailor-college-student-plead-guilty-
massive-hacking-operation-n111636

Chrome 35 Fixes 23 Flaws (May 21, 2014)

The most recent update for Google's Chrome browser addresses 23 security issues, including one that could have been exploited to use its old speech API to eavesdrop through vulnerable machines.
-http://www.eweek.com/enterprise-apps/google-updates-chrome-browser-to-version-35
.html
-http://www.theregister.co.uk/2014/05/21/patch_or_cop_chrome_security_shiner/
[Editor's Note (Pescatore): On smart phones and tablets, we've almost completely moved away from the idea of "versions" of the OS; continuous and largely silent updates are the norm. That is actually what we want in security - auto update, continuous patching, etc - but IT has always been the barrier because of the desire for homogeneity to reduce enterprise cost of ownership. The Mozilla and Chrome browsers largely use that new model, since they aren't as tightly tied to the Windows as Microsoft's IE unfortunately is. Who really knows they are using "Chrome 35"? ]

DDoS Attack on URL-shortening Service Affected Hundreds of Millions (May 21, 2014)

A distributed denial-of-service (DDoS) on link shortening service is.gd caused the majority of its URLs not to work. More than one billion URLs are believed to have been affected. The service is now up and running.
-http://www.scmagazine.com/a-billion-shortened-urls-go-down-following-dos-attack/
article/347958/
[Editor's Note (Pescatore): Oh, no - it is bad enough to keep hearing breathless reports of the latest "largest DDoS attack ever" as measured in Gbs, but now we are going to hear about "billions of URLs unserved"?? I would like to propose that the Associated Press Style Book largely used by the press require all articles about Denial of Service to use only "hours of down time" or "days of service interruption" vs. quoting how many quadrillions of atoms were impacted by the latest attack. ]

What Does the US Hope to Accomplish With Indictments of Chinese Military Officials? (May 20 & 21, 2014)

Despite statements to the contrary, there is little expectation that the five members of China's People's Liberation Army (PLA) indicted for breaking into US corporate systems will actually face trial. This article suggests that the indictments are intended to let China know that the US is serious about its efforts to prevent intellectual property theft; to let other countries know that espionage in the digital age is for military, political, and defense purposes, not for stealing intellectual property; and to let US companies know that they have an ally in the government. Experts point out that while the US may make distinction between economic and national security espionage, other countries do not share that view.
-http://www.govinfosecurity.com/real-aim-us-indictment-chinese-a-6854

---

STORM CENTER TECH CORNER

Adobe Shockwave Still Includes Old Flash Player
-http://www.kb.cert.org/vuls/id/323161

Outlook.com doesn't protect attachments properly on Android
-http://blog.includesecurity.com/2014/05/mobile-app-data-privacy-outlook-example.
html

MSFT Working on IE 0-day Patch
-http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247

Safari Patches
-http://support.apple.com/kb/HT6254

Internet Explorer 0-day
-http://zerodayinitiative.com/advisories/ZDI-14-140/

iOS MiM Attack to Defeat Lockout
-http://www.intego.com/mac-security-blog/have-hackers-defeated-the-iphone-kill-sw
itch/

Same Remote Code Exec. Vuln Affects Yahoo, MSFT and others.
-http://www.sec-down.com/wordpress/?p=409

Detecting Unusual DNS Queries
-https://isc.sans.edu/forums/diary/Detecting+Queries+to+odd+DNS+Servers/18145

More Silverlight Exploits
-http://blogs.cisco.com/security/angling-for-silverlight-exploits/

Yahoo! Fixes XSS in Comment System
-http://nahamsec.com/2014/05/how-i-xssed-all-of-yahoos-services/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/