SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #58

July 22, 2014

TOP OF THE NEWS

ICS-CERT Warns Heartbleed Still Unpatched in Some Siemens Products
Microsoft XML Core Services Vulnerabilities
Government Grade Malware Used in Criminal Attacks

THE REST OF THE WEEK'S NEWS

Court Orders to Block The Pirate Bay are Ineffective
Second-hand Aloha Point-of-Sale Terminal Contains Sensitive Data
Dark Mail Project Seeks to Hide Metadata from Snoops
Two Sentenced for Apple Phishing Scheme
GAO Says FDIC Cyber Security Still Needs Improvement
NASDAQ Attack Attribution Questioned
Fake Flash Update Steals Credit Card Data

PESCATORE'S FIRST LOOK AT MICROSOFT'S ANNOUNCEMENT

PESCATORE'S FIRST LOOK AT MICROSOFT'S ANNOUNCEMENT

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Symantec *************************
Are Virtualized Environments Immune to Attack? Symantec research has uncovered some key security issues and threats to hit virtualized environments. Join threat Analyst Candid Wueest on Tuesday, July 29th to learn about the challenges with virtual machines and networks, and the attackers targeting virtualized systems and how their behavior is evolving.
http://www.sans.org/info/164442
**************************************************************************
TRAINING UPDATE


- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Virginia Beach 2014 Virginia Beach, VA August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share their lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Houston, Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

ICS-CERT Warns Heartbleed Still Unpatched in Some Siemens Products (July 18, 2014)

According to a warning from the Industrial Control System Computer Emergency Response Team (ICS-CERT), some critical Siemens industrial control systems remain unpatched against the Heartbleed flaw in the OpenSSL library. Heartbleed was disclosed more than three months ago and could, in the cases of the Siemens products, be exploited to hijack or crash vulnerable systems. There are mitigations available for the products that have not yet been patched.
-http://arstechnica.com/security/2014/07/critical-industrial-control-systems-rema
in-vulnerable-to-heartbleed-exploits/
-http://ics-cert.us-cert.gov/advisories/ICSA-14-198-03
[Editor's Note (Assante): Actually the ICS-CERT is warning that Siemens has not yet issued a patch for subset of impacted products. It is not news that patches have yet to be applied for a host of vulnerable ICS around the world. Patching is not trivial nor is it standard practice in many ICS applications.
(McBride): Siemens products, like industrial control products from other vendors, rely on 3rd party OEM or open source components. Siemens appears to have realized this and is releasing updated versions of its products. In this case the updates mitigate various OpenSSL bugs (not just heartbleed). The big questions are: 1) whether Siemens customers care enough to patch; and 2) whether other vendors will adopt a similarly responsible approach. ]

Microsoft XML Core Services Vulnerabilities (July 18, 2014)

According to a Secunia report about vulnerable software, Microsoft XML Core Services 4 poses the greatest security threat to PC users in the US based on its market share and the number of users running unpatched versions. According to the report, which is based on information gathered from scans conducted by the company, 43 percent of US users are running vulnerable versions of MS XML 4.
-http://www.scmagazine.com/report-old-bugs-in-microsoft-xml-still-haunt-users-pro
gram-most-exposed/article/361675/
-http://secunia.com/?action=fetch&filename=PSI-Country-Report-(US)-(2014Q2).p
df
[Editor's Note (Pescatore): MSXML 4.0 is obsolete and support for SP3 on it ended in April, but a number of third party software products still install it because MSXML 6 doesn't support some legacy features that 4 supports. Most of those third party products are consumer products, like Quicken - shouldn't be much left of corporate whitelists that needs MSXML 4. ]

Government Grade Malware Used in Criminal Attacks (July 17 & 18, 2014)

Researchers at Sentinel Labs say that "government grade malware," originally created for espionage purposes, is in the hands of people with malicious intent, who are incorporating the malware's strengths into rootkits and ransomware. The particular malware is called Gyges. It adds sophistication to attacks because of its methods to evade detection and the ways in which it sneaks onto systems.
-http://www.zdnet.com/government-grade-malware-in-hacker-hands-7000031765/
-http://www.darkreading.com/government-grade-stealth-malware-in-hands-of-criminal
s/d/d-id/1297362?

---

**************************** SPONSORED LINKS ******************************
1) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. This SANS CDM event provides government security managers the opportunity to get the latest status on the DHS Continuous Diagnostic and Mitigiation program and to learn how the early adopters in government are using CDM to increase security. http://www.sans.org/info/159487

2) New SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win iPad. Results Webcast on 10/29. http://www.sans.org/info/164457

3) The Modern Incident Responder: Detect, Respond and Recover from a Data Breach Tuesday, July 29 at 1:00 PM EDT (17:00:00 UTC) Jeffrey (J.J.) Guy - Director of Operations. http://www.sans.org/info/164452
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Court Orders to Block The Pirate Bay are Ineffective (July 19, 2014)

Traffic to The Pirate Bay site has doubled since 2011, even though courts in several countries have ordered Internet service providers (ISPs) to block the site and its founders have been sentenced to prison for various offenses. Nearly 10 percent of users visiting the site do so through a proxy. In a nod to the ineffectiveness of such blocks, a Dutch appeals court recently ruled that ISPs should not block The Pirate Bay at IP and DNS levels because those methods are ineffective.
-http://arstechnica.com/tech-policy/2014/07/pirate-bay-traffic-has-doubled-post-i
sp-blocks/

Second-hand Aloha Point-of-Sale Terminal Contains Sensitive Data (July 18, 2014)

A Hewlett Packard malware researcher bought a used Aloha point-of-sale (POS) terminal on eBay for US $200. The terminal was found to hold a database containing Social Security numbers of employees who were authorized on the system. One of the applications found on the secondhand POS system dates back to the 1990s and runs on a version of Windows XP, which, on that particular device, was last updated in 2007. The POS terminal was in active use within the past year.
-http://www.computerworld.com/s/article/9249825/Aloha_point_of_sale_terminal_sold
_on_eBay_yields_security_surprises?taxonomyId=17
-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Hacking-POS-Terminal-for-
Fun-and-Non-profit/ba-p/6540620#.U820hFYXk2_
[Editor's Note
(Murray): Before using a PIN at any POS device, one should be aware that one can buy one of them, with all the stickers, on eBay for tens to low hundreds of dollars. Our retail payment system is broken and will remain so for months to years. ]

Dark Mail Project Seeks to Hide Metadata from Snoops (July 18, 2014)

An email privacy project called Dark Mail aims to hide users' communications metadata, information the NSA has been collecting wholesale for years. Metadata is usually not encrypted, even when the email messages are. The project is a joint effort between Ladar Levison, who founded security email service Lavabit, and Steven Watt, who in 2011 completed a two-year in prison sentence for writing a packet sniffer for TJX data breach mastermind Albert Gonzalez. The Dark Mail project comprises an eMail client called Volcano; server software Magma Classic and Magma dark; and the Dark Mail protocol. Most email encryption services work within a closed community - users can communicate only with other people who also use the service. But Dark Mail is seeking to move beyond that model; Levison and Watt want it to work with existing email programs.
-http://www.wired.com/2014/07/dark-mail-hides-metadata-from-nsa/
[Editor's Note (Pescatore): Individuals and businesses routinely put sensitive information into unencrypted emails, yet people are worried about hiding metadata from intelligence agencies? I call this the "Ostrich" style of security. (Murray): It is sad, but a fact of life, that unless one takes effective measures, one must assume that all one's e-mail can be, is being, or will be, read by any and every nation state that wishes to. While most of us can live with that, it is sad that we must. It is particularly sad for those of us whose government is explicitly forbidden from doing so. (Northcutt): That is a bit of a sensational article. I applaud what they are trying to do; we want secure email. However, while it will hopefully foil your business competitor, I would not count too heavily on nation state actors being unable to collect some of that meta-data; same goes for TOR/TAILS. I suppose Mr. Snowden has created the opportunity for a number of privacy-focused startups; just read about Blackphone last week:
-https://www.torproject.org
-http://en.wikipedia.org/wiki/Blackphone]

Two Sentenced for Apple Phishing Scheme (July 18, 2014)

A UK court has sentenced two people to prison for their roles in a phishing scheme that targeted Apple customers. Constanta Agrigoroaie and Radu Savoae stole more than GBP 15,000 (US $25,610) by sending messages claiming that users' accounts had been compromised and required resets; the site the users were directed to asked for personal and bank account information. Agrigoroaie received a six-year sentence, and Savoae an eight-year sentence. More than 150 Apple customers were affected by the scheme.
-http://www.v3.co.uk/v3-uk/news/2356084/apple-fraudsters-get-jail-time-for-gbp15-
000-phishing-scam

GAO Says FDIC Cyber Security Still Needs Improvement (July 18, 2014)

According to a report from the Government Accountability Office (GAO), The Federal Deposit Insurance Corporation's (FDIC's) security posture needs work. The report acknowledges that while the FDIC has made some progress, the agency has failed to implement security measures recommended in earlier reports. The FDIC did not establish controls to identify and authenticate users and restrict access to sensitive data and systems. It did not encrypt sensitive data or audit system access. Configurations current at the time of the report places the FDIC's systems at "unnecessary risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction." The report makes four recommendations, which the FDIC has agreed to implement by the end of this calendar year.
-http://www.nextgov.com/cybersecurity/2014/07/gao-weaknesses-remain-fdics-informa
tion-security/89126/?oref=ng-HPriver
[Editor's Note (Pescatore): FDIC actually scores pretty well in this audit. Most of the issues that are under the control of the security group look like getting to the last 20% of issues before the next audit. This is where a better job of prioritization and a recognition of prioritization by auditors is key - the business/mission critical systems and data should be in the 80% side of the equation.
(Murray): I am in favor of government transparency and accountability. However, it is nave to believe that enterprises, not subjected to the same scrutiny, are doing any better. That said, auditors have no sense of humor or proportion. If one fails to respond to their recommendations, one had best be sure that one has documented the decision before they come back. ]

NASDAQ Attack Attribution Questioned (July 18, 2014)

Despite claims by some people that the October 2010 attack on NASDAQ servers was launched by a nation state, likely Russia, experts say that assigning attribution is a tricky business. In fact, not only is it uncertain who conducted the attack, but the attackers' motives are still unknown, as there is no evidence that the affected systems were altered. Although some of the malware recovered in the course of the investigation was developed by Russian state security agency FSB, it could have been sold to other entities. Security consultant Brian Honan notes, "It is not possible to confidently state the attacks were the result of nation-state involvement." Some of the problems attending the investigation include the fact that NASDAQ was not adequately logging network access.
-http://www.govinfosecurity.com/nasdaq-hack-attribution-questioned-a-7080

Fake Flash Update Steals Credit Card Data (July 18, 2014)

Malware masquerading as a Flash update infects Android devices to steal payment card information. Currently, the malware appears to be targeting Russian customers. It attempts to gain administrative privileges on affected devices by persistently asking for permission; the pop ups will not stop until permission is granted.
-http://www.net-security.org/malware_news.php?id=2812
[Editor's Note (Murray): My favorite bait message remains "Click here to update Adobe...." ]

---

PESCATORE'S FIRST LOOK AT MICROSOFT'S ANNOUNCEMENT

In the past week, Microsoft's new CEO Satya Nadella sent an email to all 128,000 Microsoft employees that made only token mentions of security, and then later announced that 18,000 (14%) of Microsoft's workforce would be terminated. While Google, Amazon, Salesforce.com and Apple have zoomed past Microsoft in leadership in many areas of IT, every enterprise and the vast majority of consumers are still dependent on the security of Windows and Office. Back in 2002, then CEO Bill Gates also sent a letter to every Microsoft employee, making security of Microsoft software products the company's top priority, saying, "... when we face a choice between adding features and resolving security issues, we need to choose security." That emphasis on security from Microsoft's founder and CEO had a tremendous impact on changing the company's product management culture - and Microsoft made huge strides in increasing the security of their products and services and raising the bar for the entire industry. It is important that Mr. Nadella as CEO, or Bill Gates in his role as technical advisor to Nadella, re-affirms Microsoft's commitment to security and trustworthiness being Job 1 at Microsoft.

---

STORM CENTER TECH CORNER

iOS Back Doors Identified
-http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Po
ints_Surveillance_Mechanisms.pdf

Tesla Car Hacked at Syscan
-http://www.theregister.co.uk/2014/07/21/chinese_uni_students_pop_tesla_model_s/

Browser Canvas Fingerprinting
-http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtua
lly-impossible-to-block

Keeping the RATs out: Part 3
-https://isc.sans.edu/forums/diary/Keeping+the+RATs+out+the+trap+is+sprung+-+Part
+3/18415

SOHOPlessly Broken Challenge to Find Router Backdoors
-http://sohopelesslybroken.com

Open CrossDomain.XML file on Bing allows for CSRF
-http://sethsec.blogspot.com/2014/07/crossdomain-bing.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/