SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #54

July 08, 2014


The SANS Continuous Diagnostics and Monitoring Summit (1 August in Washington DC and free to government employees) has greatly expanded since last year. The SANS CDM Summit will give federal, state and local security professionals guidance on how to use the CDM contract award funds to make immediate security improvements and reduce the cost of demonstrating FISMA compliance. The DHS CDM program management team will answer your questions in the opening session moderated by John Pescatore. You will hear from users of the products and services offered through the CDM contract, and Alan Paller and Tony Sager will add perspective. SANS training courses will follow the CDM Summit - details at http://www.sans.org/event/continuous-monitoring-workshop-2014

TOP OF THE NEWS

Oracle Not Updating Java for Windows XP
The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password
Proposed Law Would Require Russian Citizens' Data to Be Stored on Servers There

THE REST OF THE WEEK'S NEWS

NSA Retains Data Belonging to Non-Suspects
Australian Teen Won't Face Charges for Finding Transportation Site Flaw
Man Arrested in Connection with Point-of-Sale Data Theft Scheme
Invisible IM Project Aims to Leave No Forensic Trail
German Authorities Arrest Alleged Double Agent
Ruby on Rails Patches Two Vulnerabilities
Malicious iframe on Dailymotion Redirects Users to Malicious Site

STORM CENTER TECH CORNER



******************** Sponsored By Bit9 + Carbon Black *********************
Advanced Threat Confidential White Paper: Top Lessons Learned From REAL Attacks! http://www.sans.org/info/163042
***************************************************************************
TRAINING UPDATE


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014


--SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


--SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You Patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


--Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Oracle Not Updating Java for Windows XP (July 3, 4, & 7, 2014)

Oracle's next quarterly patch update will be released on Tuesday, July 15, but the fixes will not include updates for Java running on Windows XP. Oracle stopped supporting Java for XP on April 8, the date on which Microsoft ended support for the operating system. The current version of Java, Java 8, will not install on XP. Oracle says people running XP can continue using Java 7 "at their own risk." Oracle will update Java 7 through April 2015.
-http://searchsecurity.techtarget.com/news/2240224016/Oracle-Future-Java-updates-for-Windows-XP-users-may-not-arrive

-http://www.zdnet.com/java-support-over-for-windows-xp-7000031226/
-http://www.theregister.co.uk/2014/07/04/oracle_winxp_end_of_support/
[Editor's Note (Honan): This will be the first of many software vendors who will not provide updates for the Windows XP platform. If you have not migrated yet you need to review your vulnerability management program for how you will manage these vulnerabilities until you are migrated from Windows XP. ]

The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password (July 7, 2014)

In a proof-of-concept attack, Internet-connected LED lightbulbs were used to gain access to the Wi-Fi network that controls them. LIFX smart lightbulbs can be controlled with iOS and Android devices. LIFX was made aware of the problem and has issued a firmware update to address it. The attackers were able to trick the devices into revealing the network password; they had to be within 30 meters of the devices they were targeting.
-http://www.cnet.com/news/hackers-discover-security-weaknesses-within-the-lifx-smart-led/

-http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

-http://www.theregister.co.uk/2014/07/07/wifi_enabled_led_light_bulb_is_hackable_shocker/

[Editor's Note (Pescatore): At the SANS 2013 "Securing the Internet of Things Summit" Nitesh Dhanjani demonstrated remote hacking of smart lightbulbs and WiFi enabled baby monitors. There has been more talk than action around IoT security since then. The automobile industry realized in *1920* that cars needed door locks to prevent theft - no government agency or security framework was needed to tell them that, it was good business. The various IoT consortia need to take that same approach. (Assante): Embedded system security has posed a significant challenge to organizations developing and managing industrial devices. The recent pressure by end-users/customers that invest millions for the deployment of just one system is just starting to move the needle on issues like firmware download integrity features, etc. I don't expect to see buyer behavior impacted by these types of risks in IoT home user applications, and more concerning will be the lack of security at the integration level as your light bulb becomes one more weak link in your smart home or building.
(Murray): "Crypto is harder than it looks." But not so hard that it is impossible to get right. Unfortunately, many of these "things" will be programmed by individuals, or even teams, that lack the necessary knowledge, skills, and abilities. ]

Proposed Law Would Require Russian Citizens' Data to Be Stored on Servers There (July 4, 2014)

Russian legislators have passed a bill that would require Internet companies that collect personal data to store Russian citizens' data on servers in that country. The bill is reportedly aimed at protecting data, but there is also concern that the law is intended to restrict the use of social networks like Facebook and Twitter. The bill must pass the upper chamber of Russian legislature and be signed by President Vladimir Putin before it becomes law. If it does pass, it would take effect in September 2016. It would also give the Russian government the authority to block sites that do not comply with the law.
-http://www.bbc.com/news/world-europe-28173513


**************************** SPONSORED LINKS ******************************
1) Get Real-time Threat Detection Starting on Day 1 with AlienVault USM. Webcast: Thursday, July 17 at 1:00 PM EDT (17:00:00 UTC) Tom D'Aquino. http://www.sans.org/info/163047

2) Webcast: An Incident Response Playbook: From Monitoring to Operations Wednesday, July 30 at 1:00 PM EDT (17:00:00 UTC) Dave Shackleford and Joe Schrieber. http://www.sans.org/info/163052

3) How do you respond to incidents, attacks and breaches? New results from the SANS Incident Response Survey will be presented in two webcasts: August 14, 2014, 1:00 pm EDT, REGISTER HERE: http://www.sans.org/info/163057 August 15, 2014, 1:00 pm EDT, REGISTER HERE: http://www.sans.org/info/163062 Attend both for a chance to win a $50 Starbucks gift card.
****************************************************************************

THE REST OF THE WEEK'S NEWS

NSA Retains Data Belonging to Non-Suspects (July 5, 6, & 7, 2014)

The Washington Post analyzed 160,000 conversations intercepted by the National Security Agency (NSA), provided by Edward Snowden, and found that the majority of the people whose personal information was stored by the NSA were not suspects in investigations. The information includes highly personal messages, medical records, school transcripts, baby pictures, and resumes. The analysis of the data supports the contention that the NSA is not taking steps to exclude personal information of US citizens, as required by US law. An NSA spokesperson acknowledged that the agency "incidentally intercept[s] the communications of persons in contact with valid foreign intelligence targets," and maintains that the NSA takes precautions to protect the privacy of the data it collects.
-http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html

-http://arstechnica.com/tech-policy/2014/07/new-snowden-leak-of-160000-intercepted-messages-only-10-from-offical-targets/

-http://www.computerworld.com/s/article/9249586/NSA_defends_collecting_data_from_U.S._residents_not_suspected_of_terrorist_activities?taxonomyId=17

-http://money.cnn.com/2014/07/06/technology/security/snowden-nsa-privacy/index.html

[Editor's Note (Murray): The more data that the NSA "retains," the less confidence the citizen, or the subject of the data, can have in the "precautions" that the agency takes to protect the confidentiality of that data. ]

Australian Teen Won't Face Charges for Finding Transportation Site Flaw (July 7, 2014)

A teen from Melbourne, Australia, who discovered a security flaw in a public transportation authority website will not face charges. Joshua Rogers accepted a caution, which acknowledges that he broke the law but lets him avoid jail time. The caution will be removed from his permanent record if he does not commit the offense again within the next five years. Rogers discovered an SQL injection vulnerability in the Public Transport Victoria website. He reportedly accessed 600,000 records that included sensitive information.
-http://www.networkworld.com/article/2451162/legal/australian-teen-accepts-police-caution-to-avoid-hacking-charge.html

Man Arrested in Connection with Point-of-Sale Data Theft Scheme (July 7, 2014)

US law enforcement authorities have announced the arrest of Roman Valerevich Seleznev, a Russian man who allegedly had a role in a scheme that included breaking into point-of-sale systems at several US companies. Seleznev was indicted in March 2011 on charges stemming from his alleged involvement with stolen credit card forums. He was arrested in Guam.
-http://bits.blogs.nytimes.com/2014/07/07/russian-arrested-in-guam-on-array-of-u-s-hacking-charges/?ref=technology

-http://www.computerworld.com/s/article/9249580/Accused_Russian_point_of_sale_hacker_arrested_will_face_U.S._charges?taxonomyId=17

Invisible IM Project Aims to Leave No Forensic Trail (July 4 & 7, 2014)

The Invisible IM project aims to develop a means for people to communicate "without leaving a retrospectively recoverable forensic trail behind on third-party servers." The technology establishes a local XMPP server on a user's computer, which then connects to the Tor network. A secure mode will be available that will prevent anyone from knowing who is on someone else's buddy list or even if they have ever communicated through Invisible IM. The project is being designed to provide anonymity for whistleblowers.
-http://www.theregister.co.uk/2014/07/04/anonymous_im_for_whistleblowers/
-http://www.computerworld.com/s/article/9249568/Encrypted_instant_messaging_project_seeks_to_obscure_metadata?taxonomyId=17

[Editor's Note (Northcutt): I wish them luck. About 20 years ago, I watched a panel of three folks from CSC give an evening presentation about traffic analysis. The key point was that "a message was passed". Once you have that event identified, you can start to dig into your big data repository for referential matches. Tor is cool, but be aware there is some US Govt funding:
-http://www.nrl.navy.mil/itd/chacs/dingledine-tor-second-generation-onion-router
(Murray): While the idea of such a service is appealing, those who really need it, dare not trust it. ]
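The architecture the item describes, an XMPP server bound to the user's own machine and reachable only through Tor, is what a Tor hidden service provides. The torrc fragment below is an added illustration, not the Invisible IM project's own configuration; it assumes an XMPP server is already listening only on 127.0.0.1:5222, and the directory path is a placeholder.

```text
# Added illustration, not Invisible IM's configuration (path and ports are assumptions).
# The XMPP server must bind to 127.0.0.1 only, so it is unreachable except via Tor.
# Tor writes the service's .onion name to <HiddenServiceDir>/hostname; that name is
# what a contact needs to reach this user's server.
HiddenServiceDir /var/lib/tor/xmpp_hs/
HiddenServicePort 5222 127.0.0.1:5222
```

This keeps message content and the server endpoint off third-party servers, which is the project's stated goal; it does not hide from a local observer that the machine is talking to the Tor network, which is the traffic-analysis caveat Northcutt raises.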

German Authorities Arrest Alleged Double Agent (July 4 & 7, 2014)

German authorities have arrested a man who is allegedly an NSA mole; the man had been working for German intelligence agency BND. Reports in German publications Der Spiegel and Bild say that the unnamed 31-year-old provided the NSA with information about a German Parliamentary inquiry into NSA spying. He is also reportedly suspected of supplying the NSA with hundreds of documents.
-http://www.theregister.co.uk/2014/07/07/federal_intel_agency_staffer_allegedly_spied_on_nsa_inquiry_report/

-http://www.v3.co.uk/v3-uk/news/2353831/germany-arrests-suspected-mole-from-nsa-working-at-top-intelligence-group

-http://uk.reuters.com/article/2014/07/04/uk-germany-usa-spying-idUKKBN0F915A20140704

Ruby on Rails Patches Two Vulnerabilities (July 4, 2014)

Ruby on Rails developers have released fixes for a pair of vulnerabilities in the open source web development framework that can be exploited through SQL injection attacks.
-http://www.computerworld.com/s/article/9249557/Ruby_on_Rails_patches_tackle_SQL_injection_vulnerabilities?taxonomyId=17

Advisory:
-https://groups.google.com/forum/#!msg/rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J

Malicious iframe on Dailymotion Redirects Users to Malicious Site (July 4 & 7, 2014)

A malicious code injection attack on video-sharing site Dailymotion redirected site visitors to another website that downloaded malware onto their computers. The attackers placed a malicious iframe on the Dailymotion site that sent users to a site hosting an exploit kit targeting flaws in Java, Internet Explorer, and Adobe Flash Player.
-http://www.scmagazine.com/dailymotion-users-redirected-to-exploits-in-pay-per-click-ruse/article/359668/

-http://www.computerworld.com/s/article/9249565/Attack_on_Dailymotion_redirected_visitors_to_exploits?taxonomyId=17


STORM CENTER TECH CORNER

New Version of Zollard Worm Probing Sercomm Backdoor
-https://isc.sans.edu/forums/diary/Multi+Platform+Coin+Miner+Attacking+Routers+on+Port+32764/18353

Microsoft Patch Tuesday Advance Notice
-https://technet.microsoft.com/library/security/ms14-jul


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/