SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #52

July 01, 2014

When the Wall Street Journal reported yesterday that corporate boards are taking cyber more seriously (1st story in Top of the News) security people both cheered ("Finally!") and feared ("Now they are going to ask us to find the problems, fix them, and prove we have done so.") It may be a great time to update skills in the more advanced areas of forensics and incident handling and penetration testing and mobile and wireless security as well as in industrial control systems security. The great thing about SANS finally becoming regionally accredited last year is that many students have found their employers will now pay, using tuition reimbursement, for everything from a full degree program, to the new a graduate certificates (3-4 courses in incident response or penetration testing), and even for an individual course. To learn the process to apply to any one of those, including the single courses, go to www.sans.edu/admissions. (.edu not .org)

Alan

---

TOP OF THE NEWS

Corporate Boards Taking Cyber Security More Seriously
Microsoft No-IP.com Domain Seizure Affects Legitimate Servers
Malware Targets Online Bank Transactions

THE REST OF THE WEEK'S NEWS

Women in Security
UK Teen Charged in Connection with Spamhaus DDoS Attacks
Microsoft's eMail Security Notifications Will Continue
PlugX Remote Access Trojan Uses Dropbox to Communicate with Infected Machines
Study Says Cyber Security Professional Shortage Will Fix Itself
Privacy Groups Concerned About Cybersecurity Information Sharing Bill
Android Malware Selfmite Spreads Through SMS Messages
US Director of National Intelligence Transparency Report
Oil and Gas Industry Form Information Sharing and Analysis Center
Dept. of Health and Human Services CISO on Information Sharing

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec *************************
Webcast: Dragonfly --The Latest Cyber-espionage Threat July 10, 10am PT
New research from Symantec has uncovered an attack campaign against targets in the energy sector. This new malware campaign Dragonfly, also known as Energetic-Bear, follows in the footsteps of Stuxnet, although it has a much broader focus. Join us to find out how you can protect your business.
http://www.sans.org/info/162667
***************************************************************************
TRAINING UPDATE


- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


- --SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014


- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Corporate Boards Taking Cyber Security More Seriously (June 30, 2014)

Boards at prominent US companies are starting to take cyber security seriously. In 2012, Kellogg's board hired its first Chief Information Security Officer (CISO) and established "a dedicated security group" to help prevent theft of company secrets. Other companies' boards get cyber security briefings; test employees susceptibility to suspicious email; and Delta Airlines added a board member for his "substantial expertise in the information technology security industry." (Please note that this site requires a subscription)
-http://online.wsj.com/articles/boards-race-to-bolster-cybersecurity-1404086146
[Editor's Note (Henry): The National Association of Corporate Directors (NACD) is leading the way here, holding many conferences and courses, and actually going into boardrooms to meet with the entire board. I've participated in a number of their events, where they highlight the risks associated with network breaches, and focus on the obligations Corporate Directors have to their companies, clients, and shareholders. The key here, in my opinion, is identifying the specific role Directors have; they do NOT have to be technical experts to understand the risk. This risk is not unlike any other business risk facing a company, and when it's understood and viewed that way Directors begin to get their arms around it to successfully address it.
(Ullrich): Most businesses are heavily "data driven" these days and an important differentiator of a business' success is its ability to process and analyze data. Just as much as lawyers and accountants need to be part of C-level business decisions, a voice from the group protecting the data that these decisions are based on need to be part of it as well.
(Honan): I have seen boards of directors and audit committees take more interest in information security. Hopefully this is a sea-change in attitude from senior business people to realising that information security is not just a technical problem but in fact is a business issue that needs to have senior management focus similar to any other business issue. ]

Microsoft No-IP.com Domain Seizure Affects Legitimate Servers (June 30, 2014)

When Microsoft seized 22 domain names from No-IP.com the company was aiming to put criminals out of business; the domains were allegedly being used to conduct attacks against Windows users. Microsoft obtained a court order allowing it to take control of the targeted domains. However, while some subdomains were allegedly being used in the attacks, the effective takedown affected other servers that were using the dynamic DNS service.
-http://arstechnica.com/security/2014/06/millions-of-dymanic-dns-users-suffer-aft
er-microsoft-seizes-no-ip-domains/
[Editor's Note (Ullrich): Microsoft may have overstepped its bounds a bit with this takedown. No-IP hosts numerous legitimate businesses as well as services operated by criminal operations. According to No-IP, Microsoft failed to reach out to them to take down the malicious domains. In addition, Microsoft apparently has problems keeping services for legitimate No-IP customers operational as asked for in the court order. Many legitimate services are being abused by criminals, and there is no clearly established "SLA" for abuse handling. For example, Amazon's cloud service has been called the largest malware hosting infrastructure available, and even Microsoft's Azure cloud has been used to host malicious services in the past. (For example, see also the Dropbox story below.)
(Honan): According to the official No-IP's blog statement on this issue (
-https://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/),
Microsoft made no attempts to deal with the No-IP abuse team to report and address any concerns over malicious activity on their network. The Internet will not continue to function if a large corporation with a big legal team can decide, backed by a US court, to effectively shut down other companies' businesses because they are not happy with their abuse handling capabilities. There are established mechanisms in place to deal with abuse on networks, such as through CERTs and other trusted networks. If these are not working to Microsoft's satisfaction then they should engage with the security community to develop better ways to do so, rather than unilaterally taking action which could affect many innocent legitimate businesses and users. ]

Malware Targets Online Bank Transactions (June 27 & 30, 2014)

Malware known as Emotet is targeting online banking customers. Emotet spreads through links in email messages that purport to be invoices or bank transfer notifications. For a computer to become infected, the user must click on the link provided in the spammed message. Once a computer is infected, the malware downloads a file with information specific to the targeted financial institution, and another that intercepts and logs network traffic.
-http://www.scmagazine.com/emotet-banking-malware-captures-data-sent-over-secured
-https-connections/article/358586/
-http://www.computerworld.com/s/article/9249458/New_malware_program_targets_banki
ng_data?taxonomyId=17
Trend Micro Post:
-http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-u
ses-network-sniffing-for-data-theft/

---

************************** Sponsored Links: ******************************
1) Do you know how to protect your enterprise? Download the eBook: Endpoint Threat Detection, Response and Prevention for Dummies! http://www.sans.org/info/162672

2) In case you missed it: More web traffic, more problems. How CARFAX consolidated security concerns, saved money and grew their business with John Pescatore, Chris Thomas and Preston Hogue. http://www.sans.org/info/162682

3) In case you missed it: Insider Threat Kill Chain: Detecting Human Indicators of Compromise Thursday, June 26 at 12:30 PM EDT (16:30:00 UTC). Bryce Schroeder, Director of Systems Engineers, Tripwire. http://www.sans.org/info/162177
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Women in Security (June 30, 2014)

The numbers of women at security conferences like Black Hat and DefCon is up from nearly none in 2000 to hundreds or even more. Studies show that "women outnumber men in the specific jobs of analysts and advisers working on preventing breaches and strengthening technology defenses." In the larger technology industry, the numbers of women are significantly lower. The increase in the number of women in the white hat arena can be in part attributed to the field's meritocracy; people are judged on their skills. Women still comprise just 11 percent of information security staff worldwide, and just one of the 80 largest publicly traded security companies, Trend Micro, has a female CEO.
-http://www.bloomberg.com/news/2014-07-01/female-cyber-sleuths-hack-into-silicon-
valley-s-boys-club.html

UK Teen Charged in Connection with Spamhaus DDoS Attacks (June 30, 2014)

British authorities have charged a teenager with computer misuse, fraud, and money laundering for his alleged role in distributed denial-of-service (DDoS) attacks against Spamhaus in March 2013 that caused problems for Internet exchanges and services worldwide. The minor was arrested based on evidence obtained from equipment seized following his arrest.
-http://www.theregister.co.uk/2014/06/30/ddos_charges/
-http://www.scmagazine.com/nca-charges-17-year-old-london-man-for-role-in-massive
-spamhaus-ddos-attack/article/358561/

Microsoft's eMail Security Notifications Will Continue (June 28, 28, & 30, 2014)

After announcing on June 27 that it was discontinuing its security email notification service due to "changing governmental policies concerning the issuance of automated electronic messaging," Microsoft has now said that it will resume the service as of Tuesday, July 3, the date of its next scheduled Advanced Notification of security bulletins. The mailing list has been around since 2002, before regularly scheduled monthly security updates were established.
-http://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-canada
/
-http://www.zdnet.com/microsoft-to-resume-email-security-notifications-7000031089
/
-http://www.computerworld.com/s/article/9249445/Microsoft_to_shutter_security_not
ification_service?taxonomyId=17
-http://www.theregister.co.uk/2014/06/29/microsoft_shutters_dustclad_security_mai
ling_list/

PlugX Remote Access Trojan Uses Dropbox to Communicate with Infected Machines (June 27 & 30, 2014)

Researchers at Trend Micro say that the group behind PlugX remote access Trojan (RAT) used a Dropbox account to transmit command-and-control updates to infected computers. This attack is reportedly aimed at the government of Taiwan. PlugX captures keystrokes, maps ports, and opens remote shells.
-http://www.theregister.co.uk/2014/06/30/dropbox_used_as_command_and_control_in_t
aiwanese_govt_attack/
-http://www.darkreading.com/cloud/plugx-rat-armed-with-time-bomb-leverages-dropbo
x-in-attack/d/d-id/1278946?
[Editor's Note (Murray): "'The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents,' Trend Micro's Menrige said." Welcome to The Cloud. ]

Study Says Cyber Security Professional Shortage Will Fix Itself (June 27, 2014)

Jobs in cyber security are among the most difficult to fill. A study from the Rand Corporation says that desirable compensation will increase the number of people in the cyber security field. The report says the positions that are the hardest to fill include coding, forensics, and red-teaming.
-http://www.washingtonpost.com/business/capitalbusiness/an-argument-that-the-shor
tage-of-cyber-workers-is-a-problem-that-will-solve-itself/2014/06/27/dbab364a-fe
00-11e3-8176-f2c941cf35f1_story.html
-http://www.rand.org/pubs/research_reports/RR430.html
[Editor's Note (Honan): My concern is that those attracted by higher pay to the security industry will soon find themselves disillusioned and frustrated by the technical, business, and policy challenges many of us face. The best security professionals I know work in security not solely because of money but rather because of their passion for working in a challenging and at times rewarding sector. To retain any talent we get we need to ensure we can motivate and reward people beyond a pay cheque. ]

Privacy Groups Concerned About Cybersecurity Information Sharing Bill (June 27, 2014)

Cyber security legislation currently being considered in the US Senate could result in the NSA having access to even more personal data. The Cybersecurity Information Sharing Act aims to facilitate cyber threat and attack information sharing between government and private sector companies. Certain provisions of the bill require that companies remove identifiable information from the data they share, but privacy groups are concerned that the law would allow companies to share large sets of email or other data with the government. The problem is that once the data are in the government's possession, there is a considerable amount of leeway in how it can be used.
-http://www.nationaljournal.com/tech/a-new-cybersecurity-bill-could-give-the-nsa-
even-more-data-20140627
[Editor's Note (Murray): One need only consider the source. This bill is not about "cyber" security but about "intelligence." ]

Android Malware Selfmite Spreads Through SMS Messages (June 27, 2014)

Android malware known as Selfmite spreads through links in text messages. It sends itself automatically to 20 contacts in infected devices' address books. The message urges the recipient to click on a link, which is in the form of a shortened URL. The link directs users to an APK (Android application package) on a remote server. If the user agrees to download and install the APK, their device becomes infected. After the spam has been sent, the victim is offered to download and install an Android app manager called Mobegenie. The group behind the malware attack appears to make money on the number of Mobogenie apps installed.
-http://www.theregister.co.uk/2014/06/27/selfmite_android_self_replicating_sms_wo
rm/
-http://www.computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmit
e_targets_Android_devices?taxonomyId=17

US Director of National Intelligence Transparency Report (June 27, 2014)

A transparency report from the US Office of the Director of National Intelligence says that the intelligence community targeted 89,000 foreigners and/or organizations in 2013. Privacy groups say that the actual numbers of individuals affected is probably "orders of magnitude" greater than the numbers cited in the report, because others "ancillary to a target ... are caught up in the dragnet," and because the definition of a "target" can mean anything from an individual to large groups. The report also says that the government issued 19,212 national security letters in 2013.
-http://www.wired.com/2014/06/90000-foreigners-targeted-for-spying/
-http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2013

Oil and Gas Industry Form Information Sharing and Analysis Center (June 26, 2014)

The US oil and gas industry has launched the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) where member organizations can share vulnerability and attack intelligence specific to that industry as well as guidance to mitigate problems and fix vulnerabilities. The system will allow members to alert other members of urgent issues within one hour and provide a hub for coordinating responses to attacks.
-http://www.infosecurity-magazine.com/view/39024/us-oil-gas-industry-establishes-
information-sharing-center/

Dept. of Health and Human Services CISO on Information Sharing (June 25, 2014)

The US Department of Health and Human Services (HHS) CISO Kevin Charest says that his agency has worked to develop a federated security environment for the various organizations within its purview, which include the Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA). While the divisions retain control of their operations, they are overseen by a central organization with budgetary authority. HHS has also been charged with helping the health care industry improve its cyber security posture. HHS works with HITRUST (Health Information Trust Alliance), a coalition of leaders from health care, business, technology, and information security who work to develop a framework for health care information security.
-http://gcn.com/articles/2014/06/25/hhs-cybersecurity-hitrust.aspx?admgarea=TC_Se
cCybersSec
[Editor's Note (Murray): There is treasure to be mined in health care data. Such mining is resisted by the continued preference for paper records in the industry. This preference is motivated in part by the abysmal state of information security within the industry. Neither the "carrot" nor the "stick" have proven to be effective. It is time for public shaming. ]

---

STORM CENTER TECH CORNER

How to convince management that I should run a honeypot
-https://isc.sans.edu/forums/diary/Should+I+setup+a+Honeypot+SANSFIRE/18323

Apple Security Updates
-http://support.apple.com/kb/ht1222

New Bitcoin Extortion Arrives As Paper Mail
-http://woodtv.com/2014/06/24/bitcoin-new-payoff-for-extortionists/

New Version of PHP Fixes FileInfo Security Bugs
-http://php.net/index.php#id2014-06-26-1

LZO Compression Library Bug
-http://www.oberhumer.com/opensource/lzo/

Mobile Browsers Leak IP Address over TOR
-http://xordern.net/ip-leakage-of-mobile-tor-browsers.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/