SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #57

July 18, 2014

TOP OF THE NEWS

Google's Project Zero Aims to Protect Privacy and Improve Internet Security
More Details Emerge About 2010 NASDAQ Breach
Treasury Secretary Urges Information Sharing

THE REST OF THE WEEK'S NEWS

Australian Government Keeping Voting Source Code Secret
Communication Between IT Security Teams and Executives is Inadequate
Remote Code Execution Flaw in Cisco Products
Oracle's Critical Patch Update Addresses 113 Flaws
Aloha Point-Of-Sale Terminal, Sold On eBay, Yields Security Surprises
vBulletin Flaw
Pushdo Variant Spreading Quickly
UK Information Commissioner's Office Investigated Internal Breach
Microsoft Says Active Directory Vulnerability is a Known Limitation

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Symantec *************************
Download the latest edition of the Symantec Intelligence report. Between May and June the total identities exposed equaled almost 147 million, the second-worst month for data breaches in the last 12 months. Read more detail in Symantec's monthly analysis of cyber security threats.
http://www.sans.org/info/164117
*************************************************************************** TRAINING UPDATE


--SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014


--SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


--SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


--Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Houston, Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Google's Project Zero Aims to Protect Privacy and Improve Internet Security (July 17, 2014)

Google Project Zero is aiming to find software vulnerabilities and to protect Internet users' privacy. People should "be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications," according to Google Researcher Herder Chris Evans.
-http://www.zdnet.com/google-recruits-top-ps3-hacker-for-project-zero-7000031718/
-http://money.cnn.com/2014/07/17/technology/security/google-cyberattacks/index.ht
ml
-http://googleonlinesecurity.blogspot.com/2014/07/announcing-project-zero.html
[Editor's Note (Northcutt): If any company is positioned with the size, capability, and position to make interacting with the Internet safer, it is Google. Sign me up. Oh I guess I am already signed up. ]

More Details Emerge About 2010 NASDAQ Breach (July 17, 2014)

A Bloomberg investigation into a 2010 attack on NASDAQ revealed that servers of the exchange were infected with malware that exploited two unpatched vulnerabilities. The attack was first reported in February 2011. In October 2010, the FBI noticed unusual traffic emanating from NASDAQ systems. When the FBI alerted NASDAQ to the likelihood of a malware infection, the exchange admitted that it already knew its systems had been compromised. The attack appears to have been launched by Russia or another nation state, and was designed to cause damage.
-http://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-na
sdaq
-http://arstechnica.com/security/2014/07/how-elite-hackers-almost-stole-the-nasda
q/
-http://www.theregister.co.uk/2014/07/17/nasdaq_hack_report/
[Editor's Note (Honan): This article on the story
-http://www.bankinfosecurity.co.uk/nasdaq-hack-attribution-questioned-a-7080
highlights how difficult it can be to attribute blame and motive, in particular when log files etc. were not adequate or available for investigators. ]

Treasury Secretary Urges Information Sharing (July 17, 2014)

In a speech at the Delivering Alpha conference in New York, Treasury Secretary Jack Lew described how cyber attacks affect people's lives. He voiced support for legislation that would allow threat information sharing while affording companies liability protection is essential to protect critical networks from attacks. He also said that any new legislation should be crafted to protect privacy and civil liberties. Lew noted that many companies keep breaches a secret, which hinders everyone's ability to learn from the attacks.
-http://www.executivegov.com/2014/07/jack-lew-cyber-intrusions-not-insurmountable
-for-public-private-sectors/
-http://thehill.com/policy/technology/212407-lew-gives-support-for-new-cyber-law

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: An IT Auditor's Guide to Security Controls & Risk Compliance. http://www.sans.org/info/164122

2) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. http://www.sans.org/info/159487

3) In case you missed it: It's not about the number of filters-it's how effective they are. Thursday, July 10 at 11:00 AM EDT (15:00:00 UTC) Joanna Burkey and Dave Shackleford. http://www.sans.org/info/164127
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Australian Government Keeping Voting Source Code Secret (July 17, 2014)

Australia's government is refusing to share the source code for the software used in the country's elections, claiming that "publication of the software could leave the voting system open to hacking or manipulation." Experts point out that the source code for voting software "implements a very subtle, complex algorithm," and needs to be open to scrutiny to find and fix problems.
-http://www.smh.com.au/it-pro/government-it/government-rejects-senate-order-to-di
sclose-electoral-commission-software-code-20140716-zti03.html
[Editor's Note (Pescatore): I think Australia had this national debate in 2005 and moved away from the "obscurity means security" view. In 2011 the Australian govt. put out a directive that all government projects over a certain dollar amount had to consider open source software, noting it was already widely in use and was generally competitive with proprietary software.
(Honan): Democracy is built on fair and transparent voting for all. Not being able to verify and therefore trust the source code used in electronic voting undermines those principles. ]

Communication Between IT Security Teams and Executives is Inadequate (July 17, 2014)

According to study conducted by the Ponemon Institute and sponsored by Websense, nearly one third of IT security teams never talk with company executives about security and of those that do, nearly a quarter talk to executives just once a year. The lack of communication could put companies at greater risk of attacks.
-http://www.scmagazine.com/report-31-percent-of-it-security-teams-dont-speak-to-c
ompany-execs/article/361263/
[Editor's Note (Assante): The lack of effective communications up to executives and into lines of businesses is a deadly combination that results in bad risk decisions, flawed organizational responses to serious breaches, and a lack of ownership for outcomes. Cyber security is not simply a technical problem owned by a small group of practitioners some where in the bowls of the organization. Cyber represents a set of problems that should be addressed by decision makers, practitioners, business process owners, and engineers through out the organization.
(Honan): At some of the talks I give at conferences on the topic of engaging with the business it always disappoints me how few security professionals have not read their company's annual report and even less are aware of the company's business plans. If we do not understand or appreciate the business environment and challenges our organisations work in we will struggle to provide effective assurance and security guidance to our business peers.]

Remote Code Execution Flaw in Cisco Products (July 17, 2014)

Cisco has released updates to address a remote code execution vulnerability in the web server used in certain Cisco Wireless Residential Gateway products. A specially crafted HTTP request sent to vulnerable devices could allow attackers to crash the web server and execute arbitrary code with elevated privileges. Users with Cisco service contracts can get updates from the company website. Cisco has released software updates to service providers so users whose devices came from ISPs or resellers can contact those sources for updates.
-http://www.scmagazine.com/severe-rce-vulnerability-affects-several-cisco-product
s/article/361495/
-http://www.computerworld.com/s/article/9249799/Flaw_exposes_some_Cisco_home_wire
less_devices_to_hacking?taxonomyId=17

Oracle's Critical Patch Update Addresses 113 Flaws (July 15, 2014)

Oracle has released patches for a total of 113 vulnerabilities in a variety of products. The company's quarterly Critical Patch Update includes 20 fixes for flaws in the Java browser plug-in, all of which can be remotely exploited without authentication.
-http://www.scmagazine.com/oracle-releases-113-bug-fixes-in-critical-patch-update
/article/361039/
-https://isc.sans.edu/forums/diary/Oracle+Java+20+new+vulnerabilities+patched/183
95
-https://isc.sans.edu/forums/diary/Oracle+July+2014+CPU+patch+bundle/18399
-https://isc.sans.edu/forums/diary/Oracle+July+2014+Update+Pre-Notification/18383

Aloha Point-Of-Sale Terminal, Sold On eBay, Yields Security Surprises (July 18, 2014)

An HP researcher's findings highlight ongoing problems with POS software and Hardware. The research found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
-http://news.techworld.com/security/3531445/aloha-point-of-sale-terminal-sold-on-
ebay-yields-security-surprises/?olo=rss
Editor's Note (Pescatore): PoS terminals continue to causes security problems even *after* they are replaced. This is a good reminder that secure disposal has to apply to more than PCs and servers - these days just about anything with a plug stores data. PoS terminals, medical machinery, SCADA/process control, copiers/printers, etc - all need to be wiped if not destroyed before turning over to those firms that resell them online. ]

vBulletin Flaw (July 17, 2014)

Developers have released an emergency patch for an SQL injection vulnerability in the vBulletin Internet forum software. Attackers could exploit the flaw to read and alter information databases of vBulletin sites.
-http://www.computerworld.com/s/article/9249803/Emergency_vBulletin_patch_fixes_S
QL_injection_vulnerability?taxonomyId=17

Pushdo Variant Spreading Quickly (July 16 & 17, 2014)

A new variant of the Pushdo Trojan horse program has infected more than 11,000 PCs in just one day. The majority of the newly-infected machines are in India, but it has also managed to find its way onto computers in the UK, France, the US, Vietnam, and Turkey.
-http://www.theregister.co.uk/2014/07/17/pushdo_trojan_outbreak/
-http://www.scmagazine.com/pushdo-botnet-gets-dga-update-over-6000-machines-host-
new-variant/article/361253/
[Editor's Note (Murray): Articles are silent on attack vector. As might be expected from its success, it uses multiple attack scenarios. See
-http://www.symantec.com/connect/blogs/trojanpandex-new-spam-affair
Removal instructions are available at:
-http://www.spyware-techie.com/pushdo-trojan-removal-guide]

UK Information Commissioner's Office Investigated Internal Breach (July 16, 2014)

The UK Information Commissioner's Office (ICO) has acknowledged an internal data breach, but the agency has not been forthcoming with details about the incident. The ICO conducted an investigation, which "concluded that the likelihood of damage or distress to any affected data subjects was low and that it did not amount to a serious breach of the data protection Act."
-http://www.v3.co.uk/v3-uk/news/2355300/ico-calls-for-more-cash-as-data-protectio
n-gets-more-complicated
-http://business-technology.co.uk/2014/07/information-commissioners-office-launch
ed-investigation-following-data-breach/
[Editor's Note (Honan): Quis custodiet ipsos custodes? (Wikepedia) Quis custodiet ipsos custodes? is a Latin phrase which is literally translated as "Who will guard the guards themselves?"

Microsoft Says Active Directory Vulnerability is a Known Limitation (July 15, 2014)

A vulnerability in Microsoft's Active Directory could be exploited to change users' network passwords. Microsoft says that the flaw "is a well-known industry limitation in the Kerberos Network Authentication Service." The vulnerability involves Active Directory's single sign on authentication, which mishandles a pair of protocols. The proof-of-concept exploit involves using a penetration-testing tool to steal NTLM hashes from vulnerable devices.
-http://www.scmagazine.com/active-directory-flaw-opens-enterprise-services-to-una
uthorized-access/article/361017/
-http://www.csoonline.com/article/2454367/identity-access/why-the-microsoft-activ
e-directory-design-flaw-isnt-serious.html
-http://searchsecurity.techtarget.com/news/2240224607/Pass-the-hash-Severity-of-A
ctive-Directory-security-flaw-questioned
-http://www.eweek.com/security/aorato-uncovers-critical-microsoft-active-director
y-vulnerability.html
[Editor's Note (Murray): Well MS is correct in saying that the NT LAN Manager vulnerability is not new. In fact it is more than a decade old. It is well known. It is inherent in MS's strategy of maintaining backwards compatibility. It has resisted all attempts to fix it. ]

---

STORM CENTER TECH CORNER

IPTables Backdoor
-http://researchcenter.paloaltonetworks.com/2014/07/iptables-backdoor-even-linux-
risk-intrusion/

SONY Forgets to Pay for Domain Name
-http://eq2wire.com/2014/07/15/sonyonline-net-domain-expires-shenanigans-ensue-fo
r-all-soe-games-websites/

Apache mod_status Remote Code Execution Vulnerability
-http://www.zerodayinitiative.com/advisories/ZDI-14-236/

Google Releases New Version of Chrome and Fixes URL Spoofing Bug
-http://www.osvdb.org/show/osvdb/109214

Deriving IOCs Using Mandiant's IOCe tool
-https://isc.sans.edu/forums/diary/Keeping+the+RATs+out+an+exercise+in+building+I
OCs+-+Part+1/18401

Libre SSL Vulnerabilities on Linux
-https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux

CNet Breached and User Database as well as Source Code Leaked
-http://www.cnet.com/news/cnet-attacked-by-russian-hacker-group/

Microsoft Asks Us to Rethink Password Policies
-http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf

Where is Your Cloud?
-https://isc.sans.edu/forums/diary/AOC+Cloud/18393

Hotel Business Center Computers Compromised
-http://krebsonsecurity.com/2014/07/beware-keyloggers-at-hotel-business-centers/

Dropcam Vulnerabilities
-https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Wardle

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based i Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/