SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #50
June 24, 2014
A possible gamechanger this week, from Brian Krebs. The first story shows an insurance company paying for fraudulent losses at a bank to protect a corporate customer. In the past corporate customers were on their own; banks usually covered losses for individuals but not corporate customers. Notice, however, the pushback from the bank CEO.
Alan
TOP OF THE NEWS
California Company Wins Settlement in Fraudulent Transaction Case
More Than 300,000 Servers Still Have Not Patched Heartbleed
Singapore Concerned About Lack of Cyber Security Skills
THE REST OF THE WEEK'S NEWS
Browser Add-on Aims to Decipher Privacy Policies
Microsoft Makes Use-After-Free Flaws Harder to Exploit in Internet Explorer
Documents Suggest Illinois State Police Purchased Stingray
Law Enforcement Officers Were Purposely Deceptive About Stingray Use
Hedge Fund Targeted in Stealth Attack
Google's Made With Code Initiative Encourages Girls to Create Technology
EFF Says Opening Wi-Fi Networks Would be a Boon to Privacy
Android 4.4.4 Addresses Heartbleed Flaw
US Legislators Approve Measure to Cut Funds for NSA Backdoor Installations
STORM CENTER TECH CORNER
************************ Sponsored By Symantec *************************
Gartner 2014 Magic Quadrant for Endpoint Protection Platforms - Complimentary Copy Symantec Endpoint Protection 12.1 was, once again, positioned as a Leader in Gartner's Magic Quadrant and rated highest in the ability to execute. Read the report to learn about the Endpoint Protection landscape, growth drivers and challenges, and where vendors are positioned.
http://www.sans.org/info/162397
***************************************************************************
TRAINING UPDATE
- --SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrorism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and Penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014
- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014
- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014
- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014
- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Nashville, Bangkok, and Tallinn all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
California Company Wins Settlement in Fraudulent Transaction Case (June 20, 2014)
A California oil production company received an insurance settlement to compensate for a series of fraudulent transactions in which nearly US $3.5 million was siphoned from company accounts to accounts in Ukraine. TRC Operating Co. Inc. sued its bank, United Security Bank, alleging that the bank had not employed adequate security measures to prevent fraudulent transactions. The bank blocked or recalled all but one of the dozen attempted transactions; the outstanding transaction totaled US $299,000. United Security Bank's insurance company settled the case before it went to trial, paying TRC $350,000; neither party admitted fault. The bank's founder and CEO maintains that the attack occurred on TRC's system, not on the bank's. He expressed disappointment that the case did not go to trial.
-http://krebsonsecurity.com/2014/06/oil-co-wins-350000-cyberheist-settlement/
[Editor's Note (Murray): Under Common Law, banks are responsible for ensuring that transactions are properly authorized. This responsibility is codified in Article 4A of the UCC. Banks should use Strong Authentication, resistant to replay, not merely "two factor." They should confirm transactions out-of-band, e.g., e-mail, SMS. For commercial accounts confirmations should be sent to two or more parties. They should use "back office" controls that require an officer to approve transfers that the bank would not want to absorb. ]
More Than 300,000 Servers Still Have Not Patched Heartbleed (June 23, 2014)
According to a recent scan of web servers, at least 300,000 have not been patched to protect them from exploits targeting the Heartbleed vulnerability. The flaw was disclosed in April; a scan run at that time indicated more than 615,000 publicly available SSL servers with the vulnerability. A month later, the number had dropped to 318,000. However, the most recent scan showed that fewer than 10,000 servers had been patched in the last month.
-http://www.cnet.com/news/heartbleed-still-a-threat-over-300000-servers-remain-exposed/
-http://www.computerworld.com/s/article/9249310/Despite_patching_efforts_300K_servers_are_still_vulnerable_to_Heartbleed?taxonomyId=17
-http://www.v3.co.uk/v3-uk/news/2351563/heartbleed-flaw-still-a-threat-to-more-than-300-000-servers
Singapore Concerned About Lack of Cyber Security Skills (June 22, 2014)
Singapore is facing a shortage of skilled cyber security specialists. The country has recently faced attacks on government websites and breaches that have compromised private companies' client data. Singapore's Infocomm Development Authority is establishing a cyber security training center and, in partnership with SANS, Singapore will host the largest security training conference in Asia in October: SOS.
SOS details:
-http://www.sans.org/event/sos-sans-october-singapore-2014
Shortage story:
-http://www.bloomberg.com/news/2014-06-22/cybersecurity-skills-shortage-looms-in-singapore-southeast-asia.html
[Editor's Note (Paller): SOS (SANS October Singapore 2014 - 7-18 October) key courses and associated certifications: FOR526: Memory Forensics In-Depth (NEW!); SEC503: Intrusion Detection In-Depth (GCIA); ICS410: ICS/SCADA Security Essentials (GICSP); SEC401: Security Essentials Bootcamp Style (GSEC); Network Penetration Testing and Ethical Hacking (GPEN); Advanced Computer Forensic Analysis and Incident Response (GCFA); Mobile Device Security and Ethical Hacking (GMOB). Register for any course and pay by August 27, 2014 to save US$350. ]
************************** Sponsored Links: ******************************
1) Provide input to the Critical Security Controls Survey and enter to win iPad! Tell us your wins, misses and wish lists with the CSCs here: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9: http://www.sans.org/info/162000
2) Webcast: Insider Threat Kill Chain: Detecting Human Indicators of Compromise Thursday, June 26 at 12:30 PM EDT (16:30:00 UTC). Bryce Schroeder, Director of Systems Engineers, Tripwire. http://www.sans.org/info/162177
3) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. http://www.sans.org/info/159487
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Browser Add-on Aims to Decipher Privacy Policies (June 23, 2014)
Privacy-focused companies Disconnect and TRUSTe have worked together to develop a browser add-on that translates website privacy policies into easily understandable language. The product, Privacy Icons, analyzes privacy policies, describing them in nine categories, including data retention, location tracking, expected use of data, and vulnerability to Heartbleed. Each category is accompanied by an icon colored green, yellow, or red to indicate the level of concern about the site's policy. The average website privacy policy is 2,400 words long and is written at a college student reading level. The pay-what-you-want add-on is currently available for Chrome, Firefox, and Opera. Versions for Safari, Internet Explorer, and mobile browsers will be available soon.
-http://www.computerworld.com/s/article/9249314/New_software_targets_hard_to_understand_privacy_policies?taxonomyId=17
-https://disconnect.me/icons
[Editor's Note (Pescatore): To quote a former Vice Presidential candidate, this is pretty much just "putting lipstick on a pig." Imagine if there were nine traffic lights at each intersection and you had to guess whether you should proceed or not when you saw 3 greens, 4 yellows and 2 reds. The large ecommerce vendors would have a lot to gain by establishing an opt-in based industry standard to enable legitimate sites to stand out from the overall sleaze level that is out there. (Murray): May work in the short run. In the long run, it may simply encourage more obscure language. These policies are written by lawyers with the intent to forestall litigation and to preserve the options of the application owners. They are often obscure by design and intent.
(Northcutt): A long time ago, there was a similar tool for Internet Explorer called Privacy Bird, but it required the policies to be coded in P3P. I hope this is more successful:
-http://www.privacybird.org/tour/1_3_beta/tour.html]
Microsoft Makes Use-After-Free Flaws Harder to Exploit in Internet Explorer (June 23, 2014)
Use-after-free vulnerabilities, which may be used to install malware on users' computers, will be more difficult to exploit in Internet Explorer (IE) thanks to changes in the way the browser handles its memory space. The "isolated heap for DOM objects" establishes separate heap memory for different object types; it was released last week as part of Microsoft's monthly security update.
-http://arstechnica.com/security/2014/06/ie-users-get-new-protection-against-potent-form-of-malware-attack/
Documents Suggest Illinois State Police Purchased Stingray (June 21, 2014)
Documents obtained through a public records request indicate that Illinois State Police paid more than US $250,000 for "covert cellular tracking equipment" from the Harris Corporation, which makes the device known as Stingray. Harris is reputed to require customers to sign non-disclosure agreements. The Illinois governor's office approved the purchase, authorizing an exemption from the usual competitive bid process. The purchase was funded by a grant from the US Department of Homeland Security (DHS). Illinois State Police also spent US $7,000 to send four special agents for a weeklong training class at Harris Corp. headquarters in Florida.
-http://arstechnica.com/tech-policy/2014/06/illinois-spent-over-250000-on-covert-cellular-tracking-equipment/
Law Enforcement Officers Were Purposely Deceptive About Stingray Use (June 19 & 20, 2014)
Emails obtained by the American Civil Liberties Union show that law enforcement officers in Florida used deceptive language when asked about the source of information they obtained about a suspect's location. The emails refer to a case in which a detective from one Florida police department referred to "the investigative means used to locate the suspect." Another department asked them to seal the affidavit in which that phrase appeared and to submit a new one with less specific language, noting that the wording "received information from a confidential source regarding the location of the suspect" had been used before and that the assertion had never been challenged. The departments involved in the email exchanges do not own the Stingray devices, but borrowed them from US Marshals.
-http://arstechnica.com/tech-policy/2014/06/legal-experts-cops-lying-about-cell-tracking-is-a-stupid-thing-to-do/
-http://arstechnica.com/tech-policy/2014/06/cops-hid-use-of-phone-tracking-tech-in-court-documents-at-feds-request/
[Editor's Note (Murray): These tactics, encouraged by DHS, embarrass law enforcement without a commensurate improvement in effectiveness. ]
Hedge Fund Targeted in Stealth Attack (June 20 & 23, 2014)
Last year, attackers successfully targeted servers at an unnamed US hedge fund. Over a two-month period, the attackers stole information about the organization's trading strategy by briefly diverting trades to machines they controlled before sending the trades on their way. The malware was installed on the company's system through a spear phishing attack. The delay in the timing of the trades is what eventually led to the discovery of the scheme. Losses have been cited at US $2 million.
-http://www.theregister.co.uk/2014/06/23/hackers_steal_trade_secrets_from_major_us_hedge_firm/
-http://www.nextgov.com/cybersecurity/2014/06/hackers-breached-major-hedge-fund-steal-information-trades/86899/?oref=ng-channelriver
[Editor's Note (Pescatore): Good example of a targeted attack, but for some reason this piece says they are "rare in the financial services sector" - definitely not rare, probably the highest rate of targeted attacks, for obvious reasons.
(Henry): These funds are part of the Financial Services Sector, and are targeted just like other firms in that sector. While network owners have typically focused on the "theft" of data (personally identifiable information, proprietary strategy, etc.), they should also be very concerned about the integrity and disruption of their networks. They are key assets to economic security, and a failure in the structure of those networks should be cause for concern. In addition to standard ITsec protocols and strategies, companies should ensure they have a continuity of operations and resiliency program in place.
(Murray): Enterprises not employing Strong Authentication are courting compromise. Apparently resistance to this simple measure is too high to be overcome by the examples of eBay, Target, et al. ]
Google's Made With Code Initiative Encourages Girls to Create Technology (June 20, 2014)
Google has launched the Made With Code initiative, which focuses on exposing girls to computer science and encouraging them to create technology. The program gives high school juniors and seniors the opportunity to take coding classes at major IT companies, including Google, Twitter, and eBay. The organization's website is a source for interactive coding projects and video profiles of women who have found ways to merge their tech skills with their passions for other subjects, including music, dance, and art. Google's recent diversity report showed that just 30 percent of company employees are female; on tech teams, that number falls to 17 percent. Google has committed US $50 million over three years to help bring more women into computer science.
-http://money.cnn.com/2014/06/20/technology/innovation/google-girls-made-with-code/index.html
-http://www.latimes.com/business/technology/la-fi-tn-google-made-with-code-20140620-story.html
-https://www.madewithcode.com
EFF Says Opening Wi-Fi Networks Would be a Boon to Privacy (June 20, 2014)
The Electronic Frontier Foundation (EFF) wants people to start opening their home wi-fi connections, saying that the change would actually improve privacy. While some companies have already begun testing this model, they have charged customers for use of their network. The EFF's plan would be free. The organization says the initiative will boost privacy: sharing connectivity would drive home the point that an IP address is not an individual, and that linking illegal activity to an IP address does not mean that the person whose router is running on that address is the culprit. Each link to the router will be encrypted, which will require users to download a certificate. Network owners' traffic will receive priority. The EFF plans to release firmware for the project next month.
-http://www.wired.com/2014/06/eff-open-wireless-router/
-http://arstechnica.com/tech-policy/2014/06/new-router-firmware-safely-opens-your-wi-fi-network-to-strangers/
[Editor's Note (Pescatore): Why not have everyone put public car charging stations attached to their home electric system, or public hoses for car washing attached to their home water services? This EFF idea seems to believe that unlimited bandwidth is free for everyone's home. That is far from the case - as people who see the spinning wheel all too often while bingeing on "House of Cards" episodes quickly learn. Wait until they see how it looks with 5 neighborhood kids watching YouTube and the World Cup via encrypted connections to their $69 WiFi router... ]
Android 4.4.4 Addresses Heartbleed Flaw (June 19 & 20, 2014)
Google has made available an update for Android for certain Nexus devices that includes a fix for the Heartbleed vulnerability. Android 4.4.4 also addresses several other security issues.
-http://www.v3.co.uk/v3-uk/news/2351340/android-444-with-openssl-heartbleed-fix-released-for-google-nexus-devices
-http://www.theregister.co.uk/2014/06/20/android_kitkat_4_4_4/
-http://arstechnica.com/gadgets/2014/06/android-4-4-4-is-rolling-out-to-devices-contains-openssl-fix/
-http://www.computerworld.com/s/article/9249251/Android_4.4.4_fixes_OpenSSL_connection_hijacking_flaw?taxonomyId=17
US Legislators Approve Measure to Cut Funds for NSA Backdoor Installations (June 19, 2014)
The US House of Representatives has approved a measure that would strip funding from NSA surveillance programs that involve placing backdoors on IT equipment. The measure, an amendment to the Department of Defense Appropriations Act 2015, would also forbid access to citizens' Internet communications under Section 702 of the Foreign Intelligence Surveillance Act without a warrant.
-http://www.cnet.com/news/house-oks-measure-defunding-nsa-backdoor-surveillance/
STORM CENTER TECH CORNER
Microsoft Introduces Interflow Threat Exchange
-http://technet.microsoft.com/en-us/security/dn750892
Aviva Suffers Compromise due to Mobile Device Management Platform Exploit
-http://www.theregister.co.uk/2014/06/23/aviva_heartbleed_hack/
Large Hong Kong DDoS Attack Takes Advantage of CPU Intensive SSL Cipher
-http://www.theregister.co.uk/2014/06/23/most_sophisticated_ddos_strikes_hk_democracy_poll/
Using OfficeMalScanner to Investigate Malicious Word Documents
-https://isc.sans.edu/forums/diary/OfficeMalScanner+helps+identify+the+source+of+a+compromise/18291
Google May be Creating Another OpenSSL Fork
-https://www.imperialviolet.org/2014/06/20/boringssl.html
Many Google Play Store Apps Include Secret Keys
-http://www.cs.columbia.edu/~nieh/pubs/sigmetrics2014_playdrone.pdf
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/