SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #56
July 15, 2014
TOP OF THE NEWS
Despite Breaches, Most Critical Infrastructure Executives Say Security is Not a Priority
US Justice Dept. Charges Chinese Businessman In Connection With Boeing Data Theft
THE REST OF THE WEEK'S NEWS
Suspect in US $14 Million ATM Heist Scheme Agrees to Plea Deal
Hotels Urged to Check Business Center Computers for Malware
New GameOver ZeuS Variant Detected
More Details About Effort to Derail Shylock Botnet
Java Updates Should Continue to Work on Windows XP
Microsoft Patches Causing Problems With Some Dell Data Protection Products
Oracle's Quarterly Security Update Will Fix 115 Flaws
PayPal Fixes Application-Side Filter Vulnerability
Apple Blocks Outdated Versions of Flash Plug-ins in Safari
17-Year-Old Responsible for Attacks on Banks and Other Companies in Norway
Malware Found on Inventory Scanners Used by Shipping Companies
STORM CENTER TECH CORNER
************************** Sponsored By Lancope ***************************
FREE eBook: "Incident Response with NetFlow for Dummies". Download now!
http://www.sans.org/info/163697
***************************************************************************
TRAINING UPDATE
--SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014
--SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014
--SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014
--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014
--Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit
--Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.ans.org/ondemand/specials
Plus Houston, Nashville, Bangkok, and Tallinn all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Despite Breaches, Most Critical Infrastructure Executives Say Security is Not a Priority (July 11, 2014)
According to a study that compiles responses from nearly 600 IT and IT security executives around the world, two-thirds of those responding said that their infrastructure had been compromised in the preceding 12 months, but just over a quarter said that security is a top priority. Nearly 60 percent acknowledged that the threat to ICS and SCADA networks is increasing, but just five percent have a dedicated ICS and SCADA security department. Fifty-five percent of those responding said that there is just one person at their organization responsible for the security of those systems, and a quarter have no dedicated personnel at all. The report was conducted by the Ponemon Institute and sponsored by Unisys.
-http://www.scmagazine.com/study-security-not-prioritized-in-critical-infrastructure-though-most-admit-compromise/article/360538/
-http://www.unisys.com/unisys/inc/pdf/misc/14-0316.pdf
[Editor's Note (Murray): Operators of infrastructure, particularly energy infrastructure, often believe that their need to operate the infrastructure trumps the need to keep others from mis-operating it. ]
US Justice Dept. Charges Chinese Businessman In Connection With Boeing Data Theft (July 11, 12, 13, & 14, 2014)
The owner of a Chinese aviation company has been charged in connection with the theft of data from computer systems at Boeing. Su Bin allegedly conspired with two other individuals to steal information from defense contractors. They allegedly broke into networks of Boeing and other contractors in the US and Europe. Su, who has an office in Canada, was arrested by the Royal Canadian Mounted Police (RCMP) in late June.
-http://www.theregister.co.uk/2014/07/14/us_military_aircraft_intel_captured_in_alleged_chinese_hacker_raid/
-http://arstechnica.com/tech-policy/2014/07/chinese-businessman-charged-with-hacking-boeing-and-lockheed/
-http://www.cnet.com/news/us-charges-chinese-executive-with-hacking-military-data/
-http://www.bloomberg.com/news/2014-07-11/chinese-citizen-charged-with-hacking-boeing-computer-in-u-s-.html
-https://www.documentcloud.org/documents/1216505-su-bin-u-s-district-court-complaint-june-27-2014.html
**************************** SPONSORED LINKS ******************************
1) In case you missed it: More web traffic, more problems. How CARFAX consolidated security concerns, saved money and grew their business. Thursday, June 26 at 1:00 PM EDT (17:00:00 UTC) John Pescatore, Chris Thomas and Preston Hogue. http://www.sans.org/info/163702
2) Early CDM adopters improving security: SANS survey webcast August 6 at 1 PM EDT. http://www.sans.org/info/163707
3) What would you change about Log Management in your organization? Tell us and enter to win an iPad! http://www.sans.org/info/163712
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Suspect in US $14 Million ATM Heist Scheme Agrees to Plea Deal (July 14, 2014)
A man has pleaded guilty to bank fraud for his part in a highly coordinated scheme that stole US $14 million from ATMs in 20 countries over a period of two days. Qendrim Dobruna and his cohorts broke into the JPMorgan Chase computer system, raised withdrawal limits on American Red Cross debit card accounts and disabled security features that would have warned of suspicious activity. Dobruna was arrested in Germany and extradited to the US in 2012. His sentencing is scheduled for October 24.
-http://www.scmagazine.com/man-pleads-guilty-to-bank-fraud-48-hour-global-operation-netted-14-million/article/360763/
-http://www.justice.gov/usao/nye/pr/July14/11-July-2014.php
Hotels Urged to Check Business Center Computers for Malware (July 14, 2014)
An advisory from the US Secret Service and the National Cybersecurity and Communications Integration Center warns organizations in the country's hospitality sector that computers made available for guests' use in hotels are likely being infected with keystroke loggers. The advisory was issued after suspects who had managed to compromise public-use computers in hotels were arrested in Texas. The advisory urges hotels to check the computers in their business centers.
-http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/
-http://www.zdnet.com/us-secret-service-warns-of-keyloggers-on-public-hotel-computers-7000031557/
[Editor's Note (Murray): This is certainly good advice. The hospitality industry is both targeted and vulnerable. These computers should be used with caution. That said, most of these computers that I have tried to use were sufficiently "locked down" that they resisted my attempts to install a virtual machine for my own safety or even print from a thumbdrive. Of course, a "rooted" machine might do that too. Just as these computers have become ubiquitous, notebooks, mobiles, tablets, e-boarding passes, and "air printing" have made them unnecessary. ]
New GameOver ZeuS Variant Detected (July 14, 2014)
A new variant of the GameOver Zeus malware is rearing its head. Law enforcement agents around the world helped disrupt the GameOver command-and-control infrastructure in early June. The Gameover Zeus botnet has been relatively quiet over the past month. The malware associated with the botnet is believed to have infected half a million machines worldwide. The botnet was being used to spread CryptoLocker ransomware and to steal financial account information. The new variant is less sophisticated than the earlier version.
-http://www.theregister.co.uk/2014/07/14/gameover_zeus_botnet_back/
-http://www.darkreading.com/new-gameoverzeus-variant-found-in-the-wild/d/d-id/1297263?
[Editor's Note (Murray): Taking down "command and control" of a bot-net is clearly a good thing. However, the compromised machines remain compromised. We have seen other malware specifically designed to mitigate loss of command and control by using alternates. We have also seen at least one case in which command and control was used to instruct the malware to stand down. ]
More Details About Effort to Derail Shylock Botnet (July 11 & 14, 2014)
The UK's National Crime Agency said that law enforcement authorities and security experts around the world joined forces to disrupt the Shylock botnet. The investigation was headquartered at Europol's European Cybercrime Centre (EC3) in The Hague; the operation was coordinated by the UK's National Crime Agency. Internet domains and servers believed to be instrumental to the botnet's operation were seized.
-http://www.net-security.org/malware_news.php?id=2806
-http://www.cnet.com/news/shylock-malware-gets-stung-by-law-enforcement/
-http://www.theregister.co.uk/2014/07/11/bank_trojan_takedown/
Java Updates Should Continue to Work on Windows XP (July 14, 2014)
In response to earlier reports to the contrary, Oracle's vice-president of product management in the Java Platform Group says that Java updates will be pushed out to machines running Windows XP, and that the patches should continue to work. The next round of Java updates is due out on July 15 and will address 20 remotely exploitable flaws. The announcement that implied that Java patches would not work on XP actually indicates that as long as Java vulnerabilities that affect XP also affect supported versions of Windows, the flaws will be patched.
-http://www.computerworld.com/s/article/9249702/Future_Java_7_patches_will_work_on_Windows_XP_despite_end_of_official_support?taxonomyId=17
-http://www.zdnet.com/oracle-elaborates-on-end-of-windows-xp-support-for-java-7000031559/
-http://www.theregister.co.uk/2014/07/14/we_so_do_support_java_on_xp_maybe_even_jdk_8_says_oracle/
Microsoft Patches Causing Problems With Some Dell Data Protection Products (July 14, 2014)
Some patches included in Microsoft's monthly update that was released last week are causing problems on machines encrypted with Dell Data Protection-Encryption and on those protected by CMGShield. In the case of the first product, the patches cause the blue screen of death, and in the second, the machines freeze up.
-http://www.infoworld.com/t/microsoft-windows/microsoft-patches-crash-dell-data-protection-encryption-and-cmgshield-246108
Oracle's Quarterly Security Update Will Fix 115 Flaws (July 11, 2014)
Oracle's quarterly critical patch update, due out on July 15, is expected to include fixes for 115 vulnerabilities. Twenty of the fixes are for Java SE, 29 for the company's Fusion Middleware suite, and six for Oracle's database.
-http://www.computerworld.com/s/article/9249690/Oracle_to_release_115_security_patches?taxonomyId=17
-http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
PayPal Fixes Application-Side Filter Vulnerability (July 14, 2014)
PayPal has fixed a vulnerability on its internal portal that could have been exploited to place malicious scripts onto the company's systems. The application-side filter bypass flaw could have been used to steal admin and developer account data or to execute code in the Ethernet console backend portal.
-http://www.theregister.co.uk/2014/07/14/paypal_portal_peril_plugged/
Apple Blocks Outdated Versions of Flash Plug-ins in Safari (July 11, 2014)
People who use Apple's Safari browser will find themselves unable to view Flash-enabled sites unless they have updated Adobe Flash Player. Flash is not popular with Apple; it has been banned on iPhones and iPads. A recent critical patch for Flash addresses a flaw that could be exploited to steal cookies.
-http://www.cnet.com/news/apple-blocks-older-risky-flash-plug-ins-forcing-you-to-upgrade/
[Editor's Note (Northcutt): This is certainly true, happened to me this morning when I was trying to get a screen shot while updating MGT 514, Security Planning, Policy and Leadership. I was trying to get a Google finance comparison shot of three NGFW vendors (Palo Alto, Juniper and Check Point), relative stock performance since the Palo Alto IPO, and got the outdated flash popup. Easy enough to fix, but would prefer to have an override option. Class here in San Fran is going great, gotta love teaching security managers in Silicon Valley, they are so very switched on, but so are the people that traveled to be here and Frank Kim did an awesome job of kicking the class off. In the futures section one student contributed "A Day of Glass", I will post the YouTube link below and there are two others. We live in an amazing time.
-http://www.sans.org/event/san-francisco-2014/course/security-strategic-planning-
policy-leadership
-http://www.youtube.com/watch?v=6Cf7IL_eZ38&feature=kp
(Murray): Flash is not popular with Apple because it is a performance "dog" and is "historically broken." It is tolerated only because it is popular with web site developers. The use of the preferred (by Steve, Apple and others) HTML5 remains sparse. I rarely miss Flash but if I really want to render a page that uses it, I use a sacrificial proxy. ]
17-Year-Old Responsible for Attacks on Banks and Other Companies in Norway (July 11, 2014)
The multiple attacks that hit bank, airline, and insurance company websites in Norway are now believed to be the work of a single teenager. The young man has confessed, according to his attorney. The 17-year-old, who lives in Bergen, has been arrested.
-http://www.newsinenglish.no/2014/07/11/teenager-set-off-major-cyber-attack/
-http://www.digitaljournal.com/internet/norway-s-massive-cyber-attack-the-work-of-one-lone-teenager/article/389261
Malware Found on Inventory Scanners Used by Shipping Companies (July 10 & 11, 2014)
Certain handheld scanners used in the international shipping industry have been found to be infected with malware that steals information and exfiltrates it to a database. The scanners, which gather information about the origin, destination, and contents of shipments, are sold by a Chinese manufacturer. The malware is also present in software available for download on the manufacturer's website. The scanners are also used by logistics companies and at manufacturing plants.
-http://www.darkreading.com/attacks-breaches/chinese-hackers-target-logistics-and-shipping-firms-with-poisoned-inventory-scanners/d/d-id/1297182
-http://www.nextgov.com/cybersecurity/2014/07/chinese-made-inventory-scanners-allow-hackers-track-shipments/88546/?oref=ng-channelriver
-http://www.csoonline.com/article/2452986/data-protection/shipping-companies-computers-compromised-by-malware-infected-chinese-scanners.html
STORM CENTER TECH CORNER
EZ Pass Malware
-https://isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389
-http://garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html
Vulnerabilities in Web Based Password Managers
-http://devd.me/papers/pwdmgr-usenix14.pdf
The Importance of Fine Grained Egress Filtering
-https://isc.sans.edu/forums/diary/Egress+Filtering+What+-+do+we+have+a+bird+problem+/18379
Secure E-Mail Service Suffers from XSS Flaw
-http://blog.tutanota.de/security-issue-fixed/2014/07/11/
PoC Exploit for LZO Vulnerability
-http://www.theregister.co.uk/2014/07/11/firefox_lzo_rce/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/