SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #43
May 30, 2014
In 3 weeks, 3,051 cyber-skilled candidates will be reviewed by 14 leading employers (examples: JPMorganChase, KPMG, Palantir, PwC, NSA, INSCOM, Accenture, NBC/Comcast, CBS) participating in the completely on-line National Cyber Career Fair. Other employers are welcome: email Max Shuftan (mshuftan@cyberaces.org) or visit nationalcybersecuritycareerfair.com
Alan
TOP OF THE NEWS
FTC Wants Transparency and Accountability From Data Brokers
Microsoft Warns Against Workaround to Get Patches for Windows XP
iPhones and iPads Held Hostage
THE REST OF THE WEEK'S NEWS
Core Infrastructure Initiative Funds Audit and Two Full-Time Developers for OpenSSL
TrueCrypt Shuts Down Development
"Newscaster" Espionage Campaign Targeted Diplomatic and Military Information
VA Audit Finds Security Control Problems Persist
Backdoor in Wiretap Kit
Microsoft's myBulletins Dashboard
Eleven Arrested in Skimming Case
Avast User Support Forum Breached
LulzSec Member Turned FBI Informant Sentenced to Time Served
STORM CENTER TECH CORNER
************************** Sponsored By Bit9 *****************************
XP End of Life is here! How will you protect your organization? There are NO MORE security updates or critical patches available unless you pay for high cost support. Keep your XP systems compliant and secure - without upgrading or paying for out-of-band support! Positive security is the best compensating control.
Download the eBook: http://www.sans.org/info/160525
***************************************************************************
TRAINING UPDATE
- --Digital Forensics Incident Response Summit Austin, TX June 3-10, 2014 8 courses. Bonus evening presentations include Extracting User Credentials Using Memory Forensics, and Dealing with Persistent Smartphone Forensic Challenges.
http://www.sans.org/event/dfir-summit-2014
- --SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014
- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014
- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014
- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014
- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Austin, Malaysia, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
FTC Wants Transparency and Accountability From Data Brokers (May 28, 2014)
In a report, the US Federal Trade Commission (FTC) is seeking legislative and best practices changes to encourage transparency and accountability from data brokers. Data brokers collect information from many sources, most of the time without consumers' knowledge. The FTC has asked Congress to consider legislation that would give consumers more control over their data.
-http://www.v3.co.uk/v3-uk/news/2346985/us-ftc-wants-greater-controls-on-data-brokers
FTC Data Broker Report:
-http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.
[Editor's Note (Pescatore): The Court of Justice of the European Union just ruled that Google has to give people the "right to be forgotten" and delete information from search indices and caches upon request. The FTC report is addressing similar issues. What it comes down to: the search and data broker industry is really all about collecting user information to target lucrative advertising - it is the "Mad Men" of the 21st century, a US-centric reference to when the television generation of advertising firms began to use computers to target their ads. Transparency is certainly needed, and end users having more say in what happens to their data - i.e., Opt In - is an important goal. ]
Microsoft Warns Against Workaround to Get Patches for Windows XP (May 27 & 28, 2014)
Microsoft is warning users to be wary of a workaround that claims to provide Windows XP with security updates for five more years. The hack involves a small change to the Windows XP registry that will let the retired operating system receive security updates. The change aims to trick Windows Update into thinking that XP is an embedded point-of-sale operating system that Microsoft plans to support through 2019. The systems are similar but not identical. The updates would not fully protect XP and the change could cause functionality problems.
-http://www.darkreading.com/microsoft-ignore-unofficial-xp-update-workaround/d/d-id/1269236?
-http://www.v3.co.uk/v3-uk/news/2346809/microsoft-cautions-against-windows-xp-update-trick
iPhones and iPads Held Hostage (May 27 & 28, 2014)
Some owners of iPhones and iPads have found their devices held hostage by malware that locks them until the demand, usually about US $100, is paid. The attacker exploited the Find My iPhone feature to launch the attack, which has mainly affected people in Australia. While it is not clear how the attacker obtained the information used to launch the attacks, there is speculation that it was obtained in a breach and it would affect users who use the same set of credentials for multiple accounts. Apple denied that its iCloud service has been breached. Apple Australia recommends that users change their Apple ID passwords.
-http://www.telegraph.co.uk/technology/apple/10857715/iPhones-frozen-by-hackers-demanding-ransom.html
-http://www.theregister.co.uk/2014/05/28/apple_denies_icloud_breach_behind_oz_ransomware_outbreak/
-http://www.cnn.com/2014/05/27/tech/mobile/hackers-iphones/index.html
-http://arstechnica.com/security/2014/05/your-iphone-has-been-taken-hostage-pay-100-ransom-to-get-it-back/
************************** Sponsored Links: ******************************
1) Webcast: Best Practices for Leveraging Security Threat Intelligence. Wednesday, June 04 at 1:00 PM EDT. Featuring: Russell Spitler & Dave Shackleford. http://www.sans.org/info/160530
2) Webcast: Saving Time and Resources Managing Administrator Rights with a Process-based Whitelist Model. Thursday, June 05 at 1:00 PM EDT. Featuring: John Pescatore. http://www.sans.org/info/160535
3) Government IT Pros! Tell us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/160540. Also Enter to Win an iPad!
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Core Infrastructure Initiative Funds Audit and Two Full-Time Developers for OpenSSL (May 29, 2014)
The Core Infrastructure Initiative (CII), which was created by the Linux Foundation with support from high-profile tech companies, will fund a security audit for OpenSSL code and salaries for two full-time core developers. CII was established earlier this year when the Heartbleed flaw in the OpenSSL open source cryptographic library drew attention to how lack of funding for the widely used technology affected its security.
-http://arstechnica.com/information-technology/2014/05/openssl-to-get-a-security-audit-and-two-full-time-developers/
[Editor's Note (Pescatore): Reminder: Advice out of Heartbleed was to inventory where you may be relying on other open source software that may have vulnerabilities or been compromised, or be precipitously removed from distribution, as the TrueCrypt item illustrates. Once you know where they are, how are you mitigating the risks?
(Northcutt): This is an initiative that matters. A lot more organizations run OpenSSL (which supports TLS) than realize it. Certain versions have even been FIPS 140-2 validated:
-http://www.openssl.org/source/license.html
-http://www.openssl.org/related/apps.html
-https://slproweb.com/products/Win32OpenSSL.html
-http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
-http://www.openssl.org/docs/fips/fipsvalidation.html]
TrueCrypt Shuts Down Development (May 29, 2014)
The TrueCrypt open source encryption project has ceased operations after issuing a warning that the software is no longer secure. The warning included instructions for users to migrate to BitLocker. The warning says that TrueCrypt development stopped in May 2014 after Microsoft stopped supporting Windows XP, but experts say the connection does not make sense. Some are positing that the company received a National Security Letter and is doing what Lavabit did to avoid disclosing customer data. Others have suggested that it might be a hoax or an attack, or that the TrueCrypt developers found an overwhelming vulnerability.
-https://isc.sans.edu/forums/diary/True+Crypt+Compromised+Removed+/18177
-http://www.computerworld.com/s/article/9248658/In_baffling_move_TrueCrypt_open_source_crypto_project_shuts_down?taxonomyId=17
-http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
-http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/
"Newscaster" Espionage Campaign Targeted Diplomatic and Military Information (May 29, 2014)
A cyber espionage campaign that has been operational for three years, believed to be emanating from Iran, used phony social media accounts to target US and Israeli journalists, diplomats, military personnel and others and steal access credentials for their email accounts. The effort appears to be aimed at unearthing information about the US's posture on nuclear diplomacy with Iran. The campaign has been dubbed "Newscaster," because it involved setting up a dummy news outlet to make friend requests on social networks seem legitimate.
-http://www.scmagazine.com/iranian-spies-bait-us-officials-in-years-long-social-engineering-scheme/article/349079/
-http://www.nextgov.com/cybersecurity/2014/05/cyberspies-seen-targeting-us-plans-iran-nuclear-work/85393/?oref=ng-channeltopstory
-http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-ensnare-their-targets/d/d-id/1269270
-http://www.wired.com/2014/05/iranian-spying/
-http://www.v3.co.uk/v3-uk/news/2347266/iranian-newscaster-cyber-spies-snooped-on-us-and-israeli-officials
-http://thehackernews.com/2014/05/iranian-hackers-pose-as-journalists-to.html
VA Audit Finds Security Control Problems Persist (May 29, 2014)
A third-party audit of the Veterans Affairs Department (VA) systems found that the agency is still having difficulty protecting critical systems. The report noted "significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems." The audit was performed to assess the VA's compliance with the Federal Information Security Management Act (FISMA) for FY 2013.
-http://www.nextgov.com/defense/whats-brewin/2014/05/va-failed-protect-critical-computer-systems-audit-finds/85429/?oref=ng-HPriver
-http://www.va.gov/oig/pubs/VAOIG-13-01391-72.pdf
[Editor's Note (Murray): These problems are pervasive across the government and industry; they must be addressed. In enterprises that are failing at their mission, they may appropriately be delayed. In some failing enterprises, security fails may be simply an instance of the same systemic problems causing the failure. However, security failures are almost as pervasive in successful enterprises as in failing ones. ]
Backdoor in Wiretap Kit (May 28 & 29, 2014)
Researchers in Austria have found a vulnerability in a widely used wiretap kit that could be exploited to access recordings as well as the names and email addresses of suspects being monitored by law enforcement agencies. NICE Systems' Recording eXpress is used by first responders and police. Researchers found the flaw in version 6.3.5.
-http://www.theregister.co.uk/2014/05/29/spy_platform_zero_day_exposes_cops_wiretapped_calls/
-http://arstechnica.com/security/2014/05/root-backdoor-found-in-surveillance-gear-used-by-law-enforcement/
-http://krebsonsecurity.com/2014/05/backdoor-in-call-monitoring-surveillance-gear/
[Editor's Note (Murray): This is a joke, right? If one is being tapped, the additional risk of leakage to others is the least of one's problems. ]
Microsoft's myBulletins Dashboard (May 28 & 29, 2014)
Microsoft has launched a dashboard for systems administrators that displays which Microsoft patches are available for the products their company currently uses. myBulletins is available on Microsoft's Technet website. The new product does not offer notifications or advisories about unpatched vulnerabilities.
-http://www.theregister.co.uk/2014/05/29/microsoft_mybulletins_service/
-http://www.computerworld.com/s/article/9248626/Microsoft_debuts_personalized_patch_dashboard_for_IT_pros?taxonomyId=17
-http://www.zdnet.com/new-microsoft-service-lists-security-bulletins-for-your-software-7000029955/
Eleven Arrested in Skimming Case (May 28, 2014)
Law enforcement agents in Bulgaria have arrested 11 people in connection with a scheme that involved skimming ATM card data. The group's victims were in France and other European countries.
-http://www.scmagazine.com/police-in-europe-arrest-11-in-skimming-op-takedown/article/348895/
-http://nakedsecurity.sophos.com/2014/05/26/11-arrested-as-europol-busts-bulgarian-carding-gang/
-https://www.europol.europa.eu/content/joint-operation-takes-down-bulgarian-organised-crime-network-affecting-european-electronic-p
Avast User Support Forum Breached (May 27, 2014)
The user support forum of security company Avast suffered a breach last week that compromised usernames, email addresses, and hashed passwords. Avast has taken down the forum so they can rebuild and relaunch it on a different platform. An Avast spokesperson said that the attackers exploited an unknown vulnerability in Simple Machines Forum (SMF), the platform on which the forum was running. An SMF developer denied that assertion, saying that there is no evidence to support it. It appears as though Avast never used the SMF package manager to update the software. An SMF project manager said that if Avast performed a manual update, all pertinent patches might not have been applied.
-https://isc.sans.edu/forums/diary/Avast+forums+hacked/18171
-http://www.cnet.com/news/avast-support-forum-hack-snags-usernames-passwords/
-http://www.scmagazine.com/smf-copyright-indicates-avasts-forum-was-manually-patched-possibly-vulnerable/article/349066/
LulzSec Member Turned FBI Informant Sentenced to Time Served (May 27, 2014)
LulzSec member turned FBI informant Hector Xavier Monsegur has been given a sentence of time served for his role in several high profile attacks, including those on HBGary, InfraGard, and government systems around the world. Monsegur was arrested in June 2011 and since that time has been aiding law enforcement in their efforts to identify and locate other people involved in the attacks and stopping hundreds of potentially damaging attacks. Monsegur will serve one year of supervised release.
-http://www.wired.com/2014/05/hector-monsegur-sabu-sentencing/
-http://money.cnn.com/2014/05/25/technology/security/hacker-sabu-fbi/index.html
-http://www.nbcnews.com/tech/security/hacker-turned-informant-sabu-wins-leniency-spared-more-prison-time-n115666
STORM CENTER TECH CORNER
Fake Heartbleed Removal Tool
-http://thehackernews.com/2014/05/beware-of-fake-heartbleed-bug-remover.html
Fake WeChat App Installing Banking Trojan
-http://thehackernews.com/2014/05/fake-wechat-app-targeting-android-users.html
SAP Netweaver Flaw
-http://blog.ptsecurity.com/2014/05/positive-technologies-helps-to-fix.html
Assessing SOAP APIs with Burp
-https://isc.sans.edu/forums/diary/Assessing+SOAP+APIs+with+Burp/18175
Kali Linux 1.0.7 with media encryption and self-destruct
-http://www.heise.de/security/meldung/Kali-Linux-Pentesting-Stick-mit-Verschluesselung-und-Notfallknopf-2210716.html
Australian iDevices Hijacked
-http://www.smh.com.au/digital-life/consumer-security/australian-apple-idevices-hijacked-held-to-ransom-20140527-zrpbj.html
Android Camera may be used without user's consent
-http://snacksforyourmind.blogspot.co.uk/2014/05/exploring-limits-of-covert-data.html?m=1
Spotify Breach / Android Update
-http://news.spotify.com/us/2014/05/27/important-notice-to-our-users/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/