SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #55
July 11, 2014
The Cyber Defense Summit, hosted by Dr. Eric Cole (Aug. 19-20 in Nashville), is the 2014 annual gathering of key players in the cybersecurity field responsible for protecting government and commercial assets and data from the consistent and persistent threats of offensive-minded attackers/hackers. Security experts will share real-life success stories and a range of practical how-to techniques. Walk away with both the key principles behind a winning cyber defense formula and the ability to apply that formula immediately to the specific challenges your organization faces.
Register here http://www.sans.org/event/cyber-defense-summit
TOP OF THE NEWS
Intruders Accessed US Government Databases Containing Security Clearance Data
Simultaneous Cyber Attacks Target Norwegian Banks, Airlines, Insurance Companies
Code Spaces Attack Demonstrates Need for Multifactor Authentication for Cloud Services
THE REST OF THE WEEK'S NEWS
UK Parliament Fast Tracking Emergency Data Retention Law
Microsoft Settles No-IP Civil Case
European Authorities Help Disrupt Shylock Botnet
US Senate Committee Approves Cyber Threat Information Sharing Bill
BrutPOS Botnet
Phony Certificates Issued by Indian Intermediate Certificate Authority Revoked
Microsoft Issues Emergency Update to Revoke Unauthorized Certificates
Prison Time for Man Convicted in Phishing Case
Patch Available for Critical Flash Flaw
Facebook and Greek Authorities Disrupt Lecpetex Botnet
Jail Time for UK Man Who Refused to Surrender Crypto Keys
Microsoft Security Updates
STORM CENTER TECH CORNER
******************** Sponsored By Bit9 + Carbon Black *********************
XP End of Life is here - there are NO MORE security updates or critical patches available unless you pay for high cost support. How will you protect your organization? Keep your XP systems compliant and secure - without upgrading or paying for out-of-band support! Positive security is the best compensating control.
http://www.sans.org/info/163372
***************************************************************************
TRAINING UPDATE
- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014
- --SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014
- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014
- --SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You Patched Your System Today?
http://www.sans.org/event/virginia-beach-2014
- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit
- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Nashville, Bangkok, and Tallinn all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Intruders Accessed US Government Databases Containing Security Clearance Data (July 9 & 10, 2014)
Senior US officials say that an attack that has been traced to China managed to gain access to databases at the Office of Personnel Management, which contain information about people who have applied for top-secret security clearances. The intrusion was discovered and the intruders' access blocked, but ... A Department of Homeland Security (DHS) official said that an emergency response team will "assess and mitigate any risks identified."
-http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?module=Search&mabReward=relbias%3Aw%2C%7B%221%22%3A%22RI%3A10%22%7D
Simultaneous Cyber Attacks Target Norwegian Banks, Airlines, Insurance Companies (July 9, 2014)
Earlier this week, attackers targeted the websites and payment systems of DNB, Danske Bank, Nordea, and several other companies, including airlines and insurance companies. While the attack itself was not particularly large, it was unusually broad for Norway, targeting so many companies at once. A group claiming ties to Anonymous has taken credit for the attacks.
-http://www.digitaljournal.com/internet/anonymous-norway-claim-massive-cyber-attack-on-norwegian-banks/article/389030
-http://www.presstv.ir/detail/2014/07/10/370682/cyber-attack-strikes-norway-institutions/
[Editor's Note (Honan): Norwegian police have arrested a 17-year-old in connection with these attacks.
-http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml]
Code Spaces Attack Demonstrates Need for Multifactor Authentication for Cloud Services (July 8, 2014)
The attack on the Amazon Web Services' control panel of Code Spaces that resulted in the shutdown of the code-hosting provider has raised questions about how organizations that depend on cloud services should be protecting themselves. The Code Spaces incident brings to light several security issues. Single users should not have control over a company's cloud environment; companies should not rely on a single cloud services provider; continuity plans should be established well ahead of any actual incidents; and companies that use cloud services should employ multifactor authentication.
-http://searchsecurity.techtarget.com/news/2240224102/Multifactor-authentication-key-to-cloud-security-success
[Editor's Note (Pescatore): Standard guidance for all remote access is to *not* rely on reusable passwords; cloud is just one example of remote access. Consumers seem to get it. The percentage of people using two step verification (usually via text message to a mobile device) on their personal email accounts is now higher than the percentage of business employees doing so on their work email accounts. Time to bury the myth that users will never accept anything other than reusable passwords - they are doing so at home. By the way, two factor authentication isn't a miracle cure but if you sit around waiting for that miracle cure you will catch a lot of easily avoidable diseases along the way.
(Murray): Not merely multi-factor but strong (resistant to re-play). It is only a matter of time until we discover that we have already had another eBay. ]
**************************** SPONSORED LINKS ******************************
1) In case you missed it: More web traffic, more problems. How CARFAX consolidated security concerns, saved money and grew their business Thursday, June 26 at 1:00 PM EDT (17:00:00 UTC) John Pescatore, Chris Thomas and Preston Hogue. http://www.sans.org/info/163377
2) Webcast: Get Real-time Threat Detection Starting on Day 1 with AlienVault USM. Webcast: Thursday, July 17 at 1:00 PM EDT (17:00:00 UTC) Tom D'Aquino. http://www.sans.org/info/163047
3) Webcast: An Incident Response Playbook: From Monitoring to Operations Wednesday, July 30 at 1:00 PM EDT (17:00:00 UTC) Dave Shackleford and Joe Schrieber. http://www.sans.org/info/163052
*****************************************************************************
THE REST OF THE WEEK'S NEWS
UK Parliament Fast Tracking Emergency Data Retention Law (July 10, 2014)
The UK government is pushing emergency legislation through Parliament that will require telecommunications service providers to store communications metadata for up to one year. All three major political parties have expressed their support of the measure. Prime Minister David Cameron says the law does not create new surveillance powers. The Data Retention and Investigation Powers Bill is being rushed through Parliament because in April, the European Court of Justice overturned the EU Data Retention Directive on the grounds that it "interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."
-http://www.bbc.com/news/uk-politics-28237111
-http://www.v3.co.uk/v3-uk/news/2354617/emergency-data-law-forces-isps-to-store-text-call-and-internet-use-records
-http://www.zdnet.com/emergency-phone-and-internet-data-surveillance-bill-to-be-rushed-through-parliament-7000031443/
Microsoft Settles No-IP Civil Case (July 9 & 10, 2014)
Microsoft and dynamic domain name provider No-IP have reached a settlement that calls for No-IP to disable certain domains. Microsoft had filed a civil suit against Vitalwerks, which operates as No-IP, for hosting malware that infected millions of computers. Microsoft initially took control of 23 No-IP domains, a move that interrupted service for legitimate customers. The domains have been restored to No-IP and Microsoft is working with Vitalwerks to disable the specific subdomains that are being used to spread malware.
-http://www.computerworld.com/s/article/9249646/Microsoft_settles_with_No_IP_after_seizing_its_domains_in_botnet_hunt?taxonomyId=17
-http://arstechnica.com/security/2014/07/microsoft-drops-case-that-severed-dns-hosting-for-millions-of-no-ip-users/
[Editor's Note (Honan): The EFF have posted a very useful overview to the background of this case and highlighted a number of lessons that Microsoft, and hopefully others, will learn from this debacle.
-https://www.eff.org/deeplinks/2014/07/microsoft-and-noip-what-were-they-thinking]
European Authorities Help Disrupt Shylock Botnet (July 9 & 10, 2014)
Law enforcement agencies in Europe have disrupted the command-and-control infrastructure of the Shylock botnet, which is designed to steal online bank account access data. According to Europol, Shylock has infected more than 30,000 PCs, most of which are in the UK. Police from eight countries participated in the operation.
-http://www.computerworld.com/s/article/9249660/International_police_operation_disrupts_Shylock_banking_Trojan?taxonomyId=17
-http://www.bbc.com/news/technology-28245598
-http://www.v3.co.uk/v3-uk/news/2354671/european-cybercops-team-up-to-neutralise-shylock-trojan
US Senate Committee Approves Cyber Threat Information Sharing Bill (July 9, 2014)
In a 12-3 vote, the US Senate Intelligence Committee has approved the Cybersecurity Information Sharing Act (CISA). The bill aims to improve data sharing between the government and private sector to help protect systems from attacks. However, civil liberties advocates say the bill does not go far enough to protect citizens' privacy. The bill provides liability protection for private companies that monitor their own networks and that share information.
-http://www.forbes.com/sites/gregorymcneal/2014/07/09/controversial-cybersecurity-bill-known-as-cisa-advances-out-of-senate-committee/
-http://www.computerworld.com/s/article/9249619/Senate_Intelligence_Committee_okays_cybersecurity_bill?taxonomyId=17
[Editor's Note (Murray): One might well wish that this bill had anything at all to do with security. ]
BrutPOS Botnet (July 9, 2014)
A botnet that targets point-of-sale (POS) systems has infected thousands of computers with malware. Known as BrutPOS, the botnet uses brute force to guess remote administrative access credentials. The botnet targets POS systems that use weak passwords and poor implementation of remote desktop protocol (RDP).
-http://www.scmagazine.com/attackers-brute-force-pos-systems-utilizing-rdp-in-global-botnet-operation/article/360156/
-http://www.darkreading.com/brutpos-botnet-targets-retails-low-hanging-fruit/d/d-id/1297154?
-http://www.computerworld.com/s/article/9249630/Botnet_aims_brute_force_attacks_at_point_of_sale_systems?taxonomyId=17
-http://www.theregister.co.uk/2014/07/09/botnet_brute_forces_pos/
-http://www.v3.co.uk/v3-uk/news/2354449/hackers-hitting-point-of-sale-systems-with-brutpos-botnet
Phony Certificates Issued by Indian Intermediate Certificate Authority Revoked (July 9, 2014)
An intermediate certificate authority in India, the National Informatics Centre (NIC), was issuing unauthorized certificates for Google domains. A Microsoft spokesperson said that the company is "aware of the mis-issued third-party certificates and ... has not detected any of the certificates being issued against Microsoft domains." The fraudulent certificates have been revoked.
-http://www.darkreading.com/endpoint/authentication/fake-google-digital-certificates-found-and-confiscated/d/d-id/1297165?
-http://www.zdnet.com/indian-government-agency-issues-fake-google-certificates-7000031396/
-http://www.theregister.co.uk/2014/07/09/google_warns_of_dodgy_digital_certificates_coming_from_indian_authorities/
Microsoft Issues Emergency Update to Revoke Unauthorized Certificates (July 10, 2014)
Microsoft has issued an emergency update to revoke 45 of the unauthorized certificates from NIC. The update will be automatically delivered to PCs running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8, and Phone 8.1. Users running Windows 7, Vista, Server 2008, and Server 2008 R2 may not have the automatic updater installed. There is presently no way to revoke the certificates for Windows 2003. The updates revoke trust in three intermediary certificates from NIC so that all domain certificates, including some legitimate ones, will be invalid.
-http://arstechnica.com/security/2014/07/emergency-windows-update-revokes-dozens-of-bogus-google-yahoo-ssl-certificates/
Microsoft Advisory:
-https://technet.microsoft.com/en-us/library/security/2982792
[Editor's note (Murray): While PKI is stronger than the alternatives, it is no stronger than the manual and physical controls that are used to implement it.
(Northcutt): Good for Microsoft; they made an excellent choice. We really do need an alternative to the current certificate system as it is implemented. Doesn't make sense to make the criteria to be a Certificate Authority a beating heart and some funding. There is some promise down the Extended Validation Certificate path, though it does raise costs. Other ideas have been proposed including better procedures and vetting for the current system or an entirely new approach. It is not just ecommerce, the whole SCEP thing has been a head scratcher for me. However, since online commerce is growing so rapidly, this is really important:
-http://www.certificate-transparency.org/what-is-ct
-http://www.css-security.com/wp-content/themes/css/scep/SCEP_and_Untrusted_Devices.pdf
-http://www.webtrust.org/item27804.pdf
-http://www.webtrust.org/item64428.aspx]
Prison Time for Man Convicted in Phishing Case (July 9 & 19, 2014)
A US District Judge sentenced Iulian Schiopu to nearly four years in prison for his role in a phishing scheme. Schiopu was arrested in Sweden in May 2013 and was extradited to the US four months later.
-http://www.scmagazine.com/romanian-man-sentenced-to-45-months-for-role-in-phishing-scheme/article/360356/
-http://www.fbi.gov/newhaven/press-releases/2014/romanian-citizen-involved-in-internet-phishing-scheme-sentenced-to-45-months-in-federal-prison
[Editor's Note (Murray): No matter what cutesy terms the perpetrators and the media use to describe it, and no matter how gullible the victim, fraud is fraud and should be punished as such. ]
Patch Available for Critical Flash Flaw (July 8 & 9, 2014)
An update for Flash released on July 8 addresses a critical flaw that could be exploited with a cross-site request forgery attack to steal users' account access credentials. Google's Chrome browser and Microsoft's Internet Explorer 10 (IE10) and IE11 will be patched automatically. Users running Safari, older versions of IE, Firefox and Opera browsers need to visit the Adobe website to obtain the necessary update.
-http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/
-http://www.cnet.com/news/adobe-pushes-critical-flash-update-for-windows-mac/
-http://www.theregister.co.uk/2014/07/09/patch_flash_inowi_or_risk_credential_theft/
-http://www.computerworld.com/s/article/9249611/Patch_alert_Update_browsers_Flash_ASAP_to_block_log_on_theft?taxonomyId=17
Facebook and Greek Authorities Disrupt Lecpetex Botnet (July 8 & 9, 2014)
Working with law enforcement authorities in Greece, Facebook has helped disrupt the Lecpetex botnet, which infected as many as 250,000 computers with the aim of using their computing resources to mine cryptocurrency. The botnet also installs the DarkComet remote access Trojan (RAT). The malware initially made its way to computers through malicious .zip files attached to spam email. Two suspects with alleged ties to Lecpetex have been arrested in Greece.
-http://www.scmagazine.com/facebook-disrupts-cryptocurrency-mining-botnet-lecpetex/article/360154/
-http://www.theregister.co.uk/2014/07/09/facebook_scuttles_250kstrong_cryptocurrency_botnet/
-http://www.darkreading.com/attacks-breaches/facebook-helps-cripple-greek-botnet-/d/d-id/1279213?
-http://www.computerworld.com/s/article/9249616/Facebook_kills_Lecpetex_botnet_which_hit_250K_computers?taxonomyId=17
-http://www.zdnet.com/facebook-fights-botnet-as-malware-authors-talk-trash-7000031360/
Jail Time for UK Man Who Refused to Surrender Crypto Keys (July 8, 2014)
A UK man has been sentenced to six months in jail for refusing to surrender cryptographic keys to police. Computer science student Christopher Wilson was asked to provide police with keys to unlock his computer because he is suspected of breaking into the Northumbria Police website and attempting to break into the website of the Serious Organised Crime Agency.
-http://www.theregister.co.uk/2014/07/08/christopher_wilson_students_refusal_to_give_up_crypto_keys_jail_sentence_ripa/
Microsoft Security Updates (July 8, 2014)
On Tuesday, July 8, Microsoft released six security bulletins to address a total of 29 vulnerabilities, two dozen of which are for Internet Explorer. The remaining patches address issues in Windows and Microsoft Server Software.
-http://www.theregister.co.uk/2014/07/08/microsoft_swats_29_bugs_adobe_updates_flash_for_patch_tuesday/
-http://searchsecurity.techtarget.com/news/2240224140/July-2014-Patch-Tuesday-fixes-two-dozen-IE-vulnerabilities
-https://technet.microsoft.com/library/security/ms14-jul
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+July/18359
STORM CENTER TECH CORNER
Microsoft Uses Wrong Certificate for Office 365 Login Page
-https://isc.sans.edu/forums/diary/Certificate+Errors+in+Office+365+Today/18371
Analyzing Logs Quickly and on the Cheap
-https://isc.sans.edu/forums/diary/Finding+the+Clowns+on+the+Syslog+Carousel/18373
Multiple Flaws in FireEye Appliance OS
-http://www.forbes.com/sites/thomasbrewster/2014/07/09/researcher-i-was-suspended-for-finding-flaws-in-fireeye-security-kit/
Dangers of Reused IP Addresses
-https://isc.sans.edu/forums/diary/Who+inherits+your+IP+address+/18365
Typo Squatting Used to Intercept E-Mail
-https://isc.sans.edu/forums/diary/Who+owns+your+typo+/18363
Google Bad Certificates
-http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
Netgear Hardcoded Password
-https://isc.sans.edu/forums/diary/Hardcoded+Netgear+Prosafe+Switch+Password+/18357
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/