SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #45

June 06, 2014

TOP OF THE NEWS

Another Critical Flaw in OpenSSL
UK Legislators Plan to Increase Penalties for Certain Computer Crimes
NIST Provides Guidance to Help Agencies Make Shift to Continuous Monitoring

THE REST OF THE WEEK'S NEWS

Database Compromise Affects South Korean Employees of US Military
Microsoft Will Release Seven Bulletins on June 10
Hardcoded Passwords Make Electronic Billboards Vulnerable to Attacks
Google's Transparency Report Lists Providers that Do and Do Not Support Encryption
Google Testing eMail Encryption Plug-in
Software Updates for Cars
DARPA's Cyber Grand Challenge
Judge Says Stingray Transcript Should be Unsealed in its Entirety
US Marshals Seize Stingray Files Before ACLU Sees Them

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Bit9 *****************************
Data security has become the No. 1 priority for most retailers in 2014. Want to learn how your company can implement strategies to protect against costly data breaches? Find out 10 ways you can achieve this goal while maintaining required PCI compliance. Download This Check List Today!
http://www.sans.org/info/160905
***************************************************************************
TRAINING UPDATE


--Digital Forensics Incident Response Summit Austin, TX June 3-10, 2014 8 courses. Bonus evening presentations include Extracting User Credentials Using Memory Forensics, and Dealing with Persistent Smartphone Forensic Challenges.
http://www.sans.org/event/dfir-summit-2014


--SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Another Critical Flaw in OpenSSL (June 5, 2014)

The OpenSSL Project has released an update to address six new vulnerabilities. The most serious of the bunch could be exploited in a man-in-the-middle attack or to run arbitrary code. News of this flaw comes just weeks after the disclosure of the Heartbleed vulnerability in the OpenSSL cryptographic library drew attention to the lack of support for the widely used open source software.
-https://isc.sans.edu/forums/diary/Critical+OpenSSL+Patch+Available+Patch+Now+/18
211
-https://isc.sans.edu/forums/diary/Updated+OpenSSL+Patch+Presentation/18219
-https://isc.sans.edu/forums/diary/More+Details+Regarding+CVE-2014-0195+DTLS+arbi
trary+code+execution+/18217
-http://www.theregister.co.uk/2014/06/05/openssl_bug_batch/
-http://www.scmagazine.com/seven-vulnerabilities-addressed-in-openssl-update-one-
enables-mitm-attack/article/351323/
-http://www.darkreading.com/vulnerabilities---threats/new-openssl-flaw-exposes-ss
l-to-man-in-the-middle-attack/d/d-id/1269452?
-http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-su
ffers-from-crypto-bypass-flaw/
-http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
-http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncove
red/
[Editor's Note: (Northcutt): If you are using OpenSSL, stop and breathe. These guys are on it; you are going to be fine. If you are NOT using OpenSSL the big question is whether your implementation is secure:
-http://bits.blogs.nytimes.com/2014/06/05/new-bug-found-in-widely-used-openssl-en
cryption/?_php=true&_type=blogs&_r=0
(Honan): These latest vulnerabilities, together with the earlier Heartbleed issues and the ending of the Truecrypt project, are a good reminder that not all code is fully secure. Just because something is Opensource with its source code available to be read by thousands of eyes does not automatically mean that all bugs, particularly security bugs, will be detected. One of the latest OpenSSL vulnerabilities has been around for over 10 years. As with any systems or software deployed in your environment carry out your own risk assessment of it before deploying it and ensure you have vulnerability management strategy to manage any issues that may arise. ]

UK Legislators Plan to Increase Penalties for Certain Computer Crimes (June 4 & 5, 2014)

In her speech marking the start of a new session of Parliament, Queen Elizabeth noted that the government would seek to amend the Computer Misuse Act "to ensure sentences for attacks on computer systems fully reflect the damage they cause." The monarch's speech traditionally includes a list of the government's priorities for the upcoming legislative session.
-http://www.govinfosecurity.com/uk-seeks-hacking-life-sentences-a-6913
-http://www.theregister.co.uk/2014/06/04/queens_speech_computer_misuse/

NIST Provides Guidance to Help Agencies Make Shift to Continuous Monitoring (June 4, 2014)

NIST's "Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management," aims to help agencies move to continuous monitoring for their information systems. CIOs and CISOs have been dragging their feet about adopting the new system. In 2000, the Office of Management and Budget (OMB) began requiring agencies to reauthorize their IT systems every three years. In 2012, OMB said that agencies that adopt continuous monitoring would be exempt from the three-year reauthorization requirement.
-http://www.govinfosecurity.com/authorizing-federal-systems-continuously-a-6912
-http://csrc.nist.gov/publications/nistpubs/800-37-rev1/nist_oa_guidance.pdf
[Editor's Note (Pescatore): There is a lot of heavy lifting required for any agency to meet the criteria to actually avoid the three year reauthorization requirement. Just producing continuous monitoring data doesn't do it: the Authorizing Official will have to be continually review the continuous monitoring information and before the AO does such continual reviewing, the data first has to be "produced/analyzed by an entity that meets the independence requirements defined by the organization as part of NIST Special Publication 800-53 security control CA-7 (1), Continuous Monitoring | Independent Assessment." Bottom line: for most agencies, unless they are using some form of external service provider such as the DHS Continuous Monitoring as a Service offerings, doing all this will be way more expensive than doing C&A every three years - especially since any major change or major breach of a system will likely require such "zero-based" C&A all over again anyway. ]

---

************************** Sponsored Links: ******************************
1) What are barriers small/med organizations face in protecting their digital assets? Free webcast on 6/13: http://www.sans.org/info/160910

2) Provide input to the Critical Security Controls! Tell us your wins, misses and wish lists with the CSCs in this quick survey: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9 webcast link: http://www.sans.org/info/160675

3) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II to learn how the early adopters in government are using CDM to increase security. August 1, 2014 in Washington, DC. http://www.sans.org/info/159487
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Database Compromise Affects South Korean Employees of US Military (June 5, 2014)

Information stored in The Korean National Recruitment System, which contains data about South Koreans employed by the US military, has been compromised, according to a notification letter from the Commander of US Forces Korea General Curtis M. Scaparrotti. The data include contact information, education and work history, and Korean Identification Numbers. There are roughly 16,000 South Koreans working for the US Forces Korea.
-http://www.nextgov.com/defense/2014/06/hackers-compromise-database-south-koreans
-who-work-us-military/85945/?oref=ng-channelriver
Notification Letter:
-https://www.usfk.mil/usfk/Uploads/210/20140605_PII_Compromise_English.pdf

Microsoft Will Release Seven Bulletins on June 10 (June 5 & 6, 2014)

Microsoft plans to issue seven security bulletins on Tuesday, June 10. Two of the bulletins will address critical flaws in Windows, Internet Explorer, Office, and Lync. June 10 is also the deadline for users running Window 8.1 who want to continue using Windows Update to move to Windows 8.1 Update, which Microsoft released in April.
-http://www.computerworld.com/s/article/9248875/Microsoft_s_latest_countdown_Upda
te_Windows_8.1_before_Tuesday?taxonomyId=17
-http://www.zdnet.com/microsoft-to-release-seven-security-updates-next-week-70000
30264/
-http://www.theregister.co.uk/2014/06/06/office_ie_and_windows_in_line_for_critic
al_fixes_from_redmond/
-https://technet.microsoft.com/library/security/ms14-jun

Hardcoded Passwords Make Electronic Billboards Vulnerable to Attacks (June 5, 2014)

The presence of a hard-coded password, also known as a backdoor, in some electronic billboards that provide information to drivers could be exploited to display phony messages. The Department of Homeland Security (DHS) has warned transportation operators about the issue, which was detected in certain Daktronics Vanguard highway notification sign configuration software. A proof-of-concept exploit has been released.
-http://www.nextgov.com/cybersecurity/2014/06/flaw-lets-hackers-control-electroni
c-highway-billboards/85849/?oref=ng-channeltopstory
[Editor's Note (Pescatore): Daktronics reports this is *not* a hardcoded password, it is a default password which should be changed, as should *all* default passwords. I think, actually, it is long beyond the time where any software should even be sold with default passwords - it is not all that hard to have unique per device passwords that require out of band communications for activation. ]

Google's Transparency Report Lists Providers that Do and Do Not Support eMail Encryption (June 4, 2014)

Google's transparency report will now include a list of which service providers encrypt email to and from Gmail and which do not. An announcement on Google's blog noted that "Gmail has always supported encryption in transit by using transport layer security (TLS), and will automatically encrypt ... incoming and outgoing emails if it can. The important thing is that both sides of an email exchange need to support encryption for it to work."
-http://www.scmagazine.com/google-transparency-report-outs-providers-lacking-emai
l-encryption/article/350069/
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/06/03/google-will-now-nam
e-and-shame-e-mail-providers-that-dont-support-encryption/

Google Testing eMail Encryption Plug-in (June 3 & 4, 2014)

Google is testing a tool for its Chrome browser that allows users to encrypt their email. The End-to-End plug-in uses OpenPGP to encrypt, decrypt, digitally sign, and verify messages in Chrome. The plug-in is currently in alpha testing mode and is not yet available in the Chrome Web Store.
-http://www.darkreading.com/endpoint/privacy/google-adds-chrome-encryption-option
-for-webmail/d/d-id/1269434?
-http://www.v3.co.uk/v3-uk/news/2348160/google-to-offer-end-to-end-email-encrypti
on-to-hide-data-from-spying-eyes
-http://money.cnn.com/2014/06/03/technology/security/google-encryption/index.html
-http://arstechnica.com/security/2014/06/google-released-chrome-extension-allows-
easy-in-browser-webmail-encryption/
-https://code.google.com/p/end-to-end/
[Editor's Note (Pescatore): The Google End to End Extension only supports message encryption, not attachment encryption. That is in-line with Google's business model where stored data needs to be exposed in order for Google to index it and sell ads around it. It also avoids tackling the hard problems around key distribution/archiving/recovery that would be required if meaningful persistent data encryption was supported. So, not really much of a move forward. ]

Software Updates for Cars (June 4, 2014)

In the not-too-distant future, cars will be receiving software updates, much as computers and other electronic devices already do. The next generation of vehicles will be wirelessly connected, which manufacturers view as a way to improve cars. For example, wireless updating could reduce the number of recalls. However, the prospect of wireless updates for vehicles raises several important questions: Can drivers accept updates while driving? What about problematic updates? What if vehicle owners have chosen not to receive automatic updates, but there's a critical flaw that needs to be fixed?
-http://money.cnn.com/2014/06/04/technology/security/car-update/index.html
[Editor's Note (Pescatore): I remember back in 1999, when I worked at Entrust, discussing the required security for such over-the-air updates with some of the major car manufacturers. Not an unsolvable problem - the goal is to *not* repeat the mistakes made in early "Internet of Things" devices, such as in those Daktronic's highway signs in the earlier item, for example. ]

DARPA's Cyber Grand Challenge (June 3, 4, & 5, 2014)

The US's Defense Advanced Research Projects Agency (DARPA) is launching the Cyber Grand Challenge Tournament. Thirty-five teams have signed up to take part in the two-year capture-the-flag style competition, which will culminate in a final round at DEF CON in Las Vegas in 2016. DARPA hopes the competition will "accelerate the development of capable, automated network defense systems ...
[and ]
encourage the diverse communities now working on computer and network security issues in the public and private sectors to work together in new ways."
-http://arstechnica.com/information-technology/2014/06/darpa-prepares-2-million-c
yber-warfare-challenge-for-def-con-2016/
-http://www.zdnet.com/competition-drives-development-of-automated-security-system
s-7000030194/
-http://www.darkreading.com/darpa-announces-teams-for-first-cyber-grand-challenge
/d/d-id/1269393?

Judge Says Stingray Transcript Should be Unsealed in its Entirety (June 4, 2014)

A judge in Tallahassee, Florida has found in favor of the ACLU and ordered that transcript on testimony about stingray use by law enforcement be unsealed. The ACLU's motion to unseal the transcript was filed in February; at that time, the State asked that portions remain sealed. The judge has ordered the complete transcript unsealed.
-http://www.scmagazine.com/florida-judge-sides-with-aclu-testimony-unsealed-on-po
lice-use-of-stingray-devices/article/350053/

US Marshals Seize Stingray Files Before ACLU Sees Them (June 3 & 5, 2014)

In a startling move, US Marshals have seized records of Florida law enforcement officers' use of technology known as stingray to keep the information from the American Civil Liberties Union (ACLU), which had obtained authorization to access the documents. The Marshals maintain that they deputized the police officer involved and therefore the records belong to them and not to the state.
-http://www.wired.com/2014/06/feds-seize-stingray-documents/
-http://arstechnica.com/tech-policy/2014/06/us-marshals-step-in-thwart-efforts-to
-learn-about-cell-tracking-devices/
-https://www.aclu.org/sites/default/files/assets/aclu_complaint.pdf

---

STORM CENTER TECH CORNER

Cryptolocker like Encryption Malware for Android
-http://www.virusradar.com/en/Android_Simplocker.A/description

Privilege Escalation Vulnerability in chkrootkit Could Aide Attackers
-http://www.openwall.com/lists/oss-security/2014/06/04/9

Artist Develops Script to Kick Google Glass off WiFi Networks
-http://julianoliver.com/output/log_2014-05-30_20-52

Vulnerability in GNUTLS SSL Library
-http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/

Buffalo Distributing Malware as Part of Driver Downloads in Japan
-http://www.symantec.com/connect/blogs/bankeiya-malware-targets-users-japan-or-wi
thout-vulnerabilities

Truecrypt Update
-http://truecrypt.ch

Huawei MiFi Routers Web Admin Interface Vulnerabilities (German only)
-http://www.fhstp.ac.at/ueberuns/newsevents/news/kritische-sicherheitslucken-bei-
router-modellen

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/