SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #60

July 29, 2014

TOP OF THE NEWS

Russian Government Seeking Technology to Break Tor Anonymity
Court Fines Phony Antivirus Purveyors US $5.1 Million

THE REST OF THE WEEK'S NEWS

Dept. of Commerce IG Report Finds "Significant" Security Issues at NOAA
Attackers Exploiting Flaws in Elasticsearch to Use Amazon's Cloud Service for DDoS Attacks
Siemens Releases Updates to Fix Flaws in Two SIMATIC Builds
Apple iOS Diagnostics Tool Could be Exploited to Access Personal Data
Cloud Services Can Impede Forensic Investigations
Pentagon's Cyber Warfare Lexicon
Company Informs Customers of Breach Three Years After the Fact

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*************************** Sponsored By Symantec ************************
Symantec eGuide: 2013 - Year of the Mega Breach, Fight Back with a Layered Defense: With attacks becoming more common, more serious and harder to detect, traditional antivirus software isn't enough. A layered defense approach is needed -- companies must use multiple tactics at the same time to maintain data security. This paper will discuss the kinds of attacks corporations face and how multilayered defenses can help.
http://www.sans.org/info/164927
***************************************************************************
TRAINING UPDATE


- --SANS Boston 2014 | Boston, MA | July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, Tallinn, and Hong Kong all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Russian Government Seeking Technology to Break Tor Anonymity (July 25 & 28, 2014)

The Russian government is offering a 3.9 million rubles (US $109,500) contract for a technology that can be used to identify Tor users. Tor was initially developed by the US Naval Research Laboratory and DARPA, but is now developed by The Tor Project, a non-profit organization. Tor is used by journalists and others who need to keep their identities hidden for their own safety; it is also used by criminals for the same purposes. The entrance fee for the competition is 195,000 rubles (US $5,500).
-http://www.bbc.com/news/technology-28526021
-http://www.computerworld.com/s/article/9249974/Russian_gov_t_is_willing_to_pay_f
or_a_way_to_ID_Tor_users?taxonomyId=17
-http://arstechnica.com/security/2014/07/russia-publicly-joins-war-on-tor-privacy
-with-111000-bounty/
[Editor's Note (Murray): In his most recent novel, Richard Clarke implied that NSA had targeted and broken TOR. ]

Court Fines Phony Antivirus Purveyors US $5.1 Million (July 28, 2014)

A federal court in New York has issued default judgments against 14 companies for selling phony antivirus products. The companies have been ordered to pay a total of US $5.1 million in fines. The schemes involved selling so-called antivirus products over the phone. Once the targets had paid for the fake product, they were told to install software that actually gave those running the scheme remote access to their computers.
-http://www.scmagazine.com/companies-accused-of-peddling-bogus-av-ordered-to-pay-
51m/article/363212/

---

**************************** SPONSORED LINKS ******************************
1) Have your antivirus technologies become less effective at stopping attacks? Forrester Research recommends considering third-party AV alternatives like application whitelisting, endpoint execution isolation and endpoint visibility & control. Download the free Forrester report today. http://www.sans.org/info/164932

2) Attend the SANS DHS Continuous Diagnostics & Mitigation Award Workshop - PART II. August 1, 2014 in Washington, DC. This SANS CDM event provides government security managers the opportunity to get the latest status on the DHS Continuous Diagnostic and Mitigiation program and to learn how the early adopters in government are using CDM to increase security. http://www.sans.org/info/159487

3) New SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win an iPad. Results Webcast on 10/29. http://www.sans.org/info/164507
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Dept. of Commerce IG Report Finds "Significant" Security Issues at NOAA (July 28, 2014)

According to a report from the US Department of Commerce's office of inspector general, satellite data were stolen from a National Oceanic and Atmospheric Administration (NOAA) contractor's personal computer last year, but there has not been an investigation because the employee refused to allow NOAA to conduct a forensic investigation on the laptop. The report also noted other "significant security deficiencies" at NOAA, including unauthorized use of smartphones and thumb drives on sensitive systems.
-http://www.nextgov.com/cybersecurity/2014/07/hacker-breached-noaa-satellite-data
-contractors-pc/89771/?oref=ng-HPtopstory
-http://www.oig.doc.gov/OIGPublications/OIG-14-025-A.pdf
[Editor's Note (Pescatore): This report reads like a "How to *Not* Implement the Critical Security Controls" tutorial - the deficiencies are pretty much the security 101 controls focused on by the Critical Controls. However, the systems looked at are legacy applications that have been in use for more than a decade and poorly managed/maintained - sprinkling security on top of that doesn't work and it sure wasn't built in. The report also points out that the assessments done to give Authority to Operate were very lightweight.
(Murray): "Finding significant security issues" is what auditors do. "Inspectors general" publish theirs in the newspaper. These reports have become so routine and generic as to be interchangeable. Even the examples happened in your enterprise too.
(Honan): Before introducing BYOD into your organization remember to implement a policy and the tools that will enable you to ensure any data stored on these devices is secured to your organisation's requirements and that you can forensically seize and examine the device in the event of a security breach. ]

Attackers Exploiting Flaws in Elasticsearch to Use Amazon's Cloud Service for DDoS Attacks (July 28, 2014)

Attackers have discovered a way to use Amazon cloud services to launch distributed denial-of-service (DDoS) attacks on other websites by exploiting flaws in Elasticsearch, an open-source analytics application.
-http://arstechnica.com/security/2014/07/hackers-seed-amazon-cloud-with-potent-de
nial-of-service-bots/
-http://www.computerworld.com/s/article/9249991/Attackers_install_DDoS_bots_on_Am
azon_cloud_exploit_Elasticsearch_weakness?taxonomyId=17
[Editor's Note (Pescatore): The use of "Amazon Cloud Service" in the headlines is largely just for hype - this is really a vulnerability in an application that is run on servers and cloud instances, nothing really cloud specific. Looks like Elastisearch has issued both a newer version to address the vulnerability, and guidelines on how to deploy securely. ]

Siemens Releases Updates to Fix Flaws in Two SIMATIC Builds (July 25, 2014)

Siemens has released security updates for two SIMATIC builds to address five vulnerabilities, four of which can be exploited remotely. The flaws could be exploited to gain elevated privileges and access data without authorization.
-http://threatpost.com/siemens-patches-five-vulnerabilities-in-simatic-system
-http://ics-cert.us-cert.gov/advisories/ICSA-14-205-02
[Editor's Note (Assante): "Hardening attack surfaces by deploying security updates is becoming more accepted in ICS. The implementation of updates requires broader decision, planning, and testing. Many OT environments have fewer available options than enterprise systems to quickly roll out compensating measures. Real-time systems rarely have real-time defenses." ]

Apple iOS Diagnostics Tool Could be Exploited to Access Personal Data (July 25, 2014)

Diagnostic services built into Apple's iOS mobile operating system could be used to access personal data in iPhones. The services, which Apple says are designed for engineers, are not documented. Apple says that the feature was not designed to let the NSA access data in the devices.
-http://in.reuters.com/article/2014/07/26/apple-security-spying-idINKBN0FV01Q2014
0726
-http://www.theregister.co.uk/2014/07/24/ios_secret_slurpware_documents_added_app
le_support_site/
[Editor's Note (Murray): If an attacker has physical control of your device for a sufficient time, it will leak. Tools provided for a benign purpose can be misused. Poor or incomplete documentation will embarrass you. However, in the light of the leaked NSA boast, this goes beyond merely embarrassing. Still one should not attribute to malice that which can be explained by stupidity.
(Northcutt): I still think the iPhone is the safest mobile device, but this is not good news. ]

Cloud Services Can Impede Forensic Investigations (July 24, 2014)

As governments have moved to cloud services, they have saved money and improved efficiency, but the technology holds some challenges to forensic investigations. A draft report from the National Institute of Standards and Technology (NIST) describes 65 "challenges" forensic investigators encounter when dealing with cloud computing. The report classifies the challenges into nine categories, including data collection, analysis, and architecture. One example of a challenge is email. On non-cloud systems, deleted email messages can often be recovered because they are not truly deleted until they are over-written. Because of the shared nature of the cloud, deleted files are more likely to be overwritten.
-http://www.nextgov.com/cloud-computing/2014/07/cloud-computing-complicates-digit
al-forensics-investigations/89579/
-http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf
[Editor's Note (Pescatore): This is an "evergreen" story: "New Technology X Can Impede Old Security Process Y" - I'm trying to think of an instance where Old Security Process Y won this battle, largely drawing a blank. The next headline generally has to be "Enterprises Move to Security Process Z to Secure New Technology X." ]

Pentagon's Cyber Warfare Lexicon (July 23, 2014)

The Cyber Warfare Lexicon, published by the US Strategic Command in 2009, defines terms normally used to describe physical combat in ways that make sense in the context of cyber warfare. The document was recently obtained by research group Public Intelligence.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/07/23/how-to-talk-about-b
lowing-things-up-in-cyberspace-according-to-the-military/
-https://publicintelligence.net/cyber-warfare-lexicon/
[Editor's Note (Pescatore): Looks more like someone got paid to sprinkle "cyber" into an old definition list, but I would like to point out: "(U) collateral effect: Unintentional or incidental effects, including injury or damage, to persons or objects that would not be lawful military targets in the circumstances ruling at the time." This is where cyberwarfare needs to be thought of like Weapons of Mass Destruction vs. ballistic munitions. ]

Company Informs Customers of Breach Three Years After the Fact (July 19, 2014)

Australian daily bargain website Catch of the Day recently revealed that it suffered a security breach in 2011. The incident compromised user passwords and payment card data. While the breach was reported to police, banks, and credit card issuers shortly after it occurred, the company delayed informing the Australian Privacy Commissioner. Customers with accounts created before May 7, 2011 are now being advised to change their passwords.
-http://www.itnews.com.au/News/390097,catch-of-the-day-reveals-three-year-old-dat
a-breach.aspx
[Editor's Note (Murray): One would like to think that the notified issuers did send out new credit cards on a timely basis, a more important remedy. Changing passwords after three years is not likely to have much effect. Perhaps the most important remedy will be sanctions invoked by the Australian Privacy Commission. ]

---

STORM CENTER TECH CORNER

Odd User-Agent Used to Scan Web Servers
-https://isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/
18453

Kaspersky Analysis of Koler Android Ransomware
-https://kasperskycontenthub.com/securelist/files/2014/07/201407_Koler.pdf

BugCrowd Publishes Bug Bounty Program Guidelines
-https://github.com/bugcrowd/disclosure-policy/blob/master/setting_up_a_responsib
le_disclosure_program.md

Flashbang: Tool to analyze Flash scripts
-https://github.com/cure53/Flashbang

TAILS published advisory for I2P Problem
-https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/

Synology Patches for DSM 4.2
-http://ukdl.synology.com/download/DSM/4.2/3250/

New Version of Honeydrive
-http://bruteforce.gr/honeydrive-3-royal-jelly-edition.html

How a Bot Can Use Internet Explorer to Learn More about a Victim
-http://www.alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-e
xplorer-to-enumerate-software-and-detect-securi/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/