SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #62

August 05, 2014

TOP OF THE NEWS

Microsoft Releases Updated Enhanced Mitigation Experience Toolkit (EMET) 5.0
An Argument for Not Disclosing Breaches
Study Calls for Cyber Security Professional Organization

THE REST OF THE WEEK'S NEWS

Poweliks Malware Hides in Registry
Hacking Through Satellite Communications Systems
Database Error May Have Exposed Mozilla Developer Data
Samba Flaw Could be Exploited to Gain Root Privileges
PF Chang's Identifies Restaurants Possibly Affected by Breach
Researchers Found Security Issues at Healthcare Facilities
Jimmy John's Investigating Report of Breach
Australian Optometry Firm Loses Defence Dept. Contract After Outsourcing Claims

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By Trend Micro Inc. **********************
Trend Micro Forward-Looking Threat Research (FTR) team regularly does research on new technology trends and how cybercriminals could exploit them. Read our latest research on the Smart Grid and Smart Meters.
http://www.sans.org/info/165227
***************************************************************************
TRAINING UPDATE


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, Tallinn, and Hong Kong all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.or

*****************************************************************************

---

TOP OF THE NEWS

Microsoft Releases Updated Enhanced Mitigation Experience Toolkit (EMET) 5.0 (August 4, 2014)

Microsoft has released a new version of its Enhanced Mitigation Experience Toolkit (EMET). Among the new features being touted in EMET 5.0 are the improved Attack Surface Reduction tool and Export Address Table Filtering Plus (EAF+) service.
-http://www.v3.co.uk/v3-uk/news/2358646/microsoft-releases-hacker-busting-enhance
d-mitigation-experience-toolkit-50
-http://www.theregister.co.uk/2014/08/04/microsoft_hacks_out_new_emet_spits_out_a
dobe_flash/
[Editor's Note (Honan): Given the focus on criminals is to attack computers via their browsers I recommend to my clients that they deploy EMET amongst their Windows PC estate as soon as possible. (Murray): EMET would be very effective if implemented. By Microsoft's own analysis it would resist ninety percent of attacks against Windows. However, consistent with Microsoft's commitment to backward compatibility, EMET is still not enabled by default because it might break (a small number of very old) legacy applications. For the same reason enterprises fail to use it. Consumers do not even know about it. By such perverse reasoning, the more vulnerable Windows is, the more popular it will be and the more effective EMET, the less likely it will be used. I continue to argue that it is past time to change the default. ]

An Argument for Not Disclosing Breaches (August 4, 2014)

Some information security chiefs are skeptical of the need to disclose data breaches soon after they are detected. They say that many breaches are not very harmful, can be managed quietly, and that reporting every incident can cause a lot more trouble than necessary. Disclosing every breach quickly could also put other companies at risk of being attacked through the same vulnerability. Going public with a breach right away also could let foreign operatives know that their activities have been detected. That said, those arguing for less disclosure say that organizations have to have a plan for dealing with breaches. (Please note that this story requires a paid subscription.)
-http://online.wsj.com/articles/a-contrarian-view-on-data-breaches-1407194237
[Editor's Note (Murray): The assumption behind disclosure laws is that consumers need the information, not only to remediate the exposure to themselves, but to decide with whom to do business. I think that continues to be true. ]

Study Calls for Cyber Security Professional Organization (July 28 & August 1, 2014)

A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that "there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage." The report "proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and ... to support the public good."
-http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-p
rofessional-standards-in-cybersecurity-industry/
-http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-c
ybersecurity-association/2014-08-01
Study:
-http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybe
rsecurity-7-28-14.pdf
[Editor's Note (Assante): I learned long ago that a people-focused approach to cybersecurity brings with it the necessary clarity to understand the true nature of the challenges and establishes a clear framework for planning, engineering, and implementing measures that can be sustained and built upon. We all know of countless organizations that reacted to a specific incident by implementing outside-expert-recommended technology only to fail in its deployment and operation. Getting a competent handle on cybersecurity means engaging, integrating, equipping and training people to make the difference. Our attention should turn to identifying and enhancing the knowledge and skills of cybersecurity professionals as a field while involving business architects and engineers to make cyber-informed decisions. Getting this right sets the stage for game changing progress in cyber resilience and defense.
(Honan): This is something that I have argued for in the past,
-http://www.net-security.org/article.php?id=1842,
To me the issue is not one of creating more qualifications for individuals working in the field, but on the lack of accountability for those that are practising in the industry but are providing below par services or products.
(Paller): We can do reliable assessments for the technical roles - forensics, secure coding, penetration testing, intrusion detection, incident response, etc. but any attempt to reliably measure skills for security managers and policy people is hopeless. Why do you think there is no certification for corporate managers? ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eGuide! Gartner Guide for Endpoint Detection & Response Solutions http://www.sans.org/info/165232

2) Early CDM adopters improving security: SANS survey webcast August 6 at 1 PM EDT http://www.sans.org/info/165237

3) Detect and Block Advanced Targeted Threats and Foreign Espionage and Protect Your Trade Secrets: A SANS WhatWorks webinar Featuring Fidelis XPS. Tuesday, August 12 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore. http://www.sans.org/info/165242
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Poweliks Malware Hides in Registry (August 4, 2014)

Researchers at Trend Micro have detected malware called Poweliks that arrives in a maliciously crafted Microsoft Word document and ensconces itself in the computer's registry, evading detection by antivirus products. It persists after a system reboot. Poweliks can be used to steal data.
-http://www.scmagazine.com/poweliks-downloads-additional-malware-abuses-powershel
l/article/364463/
-http://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malwar
e_has_no_files/
-http://www.computerworld.com/s/article/9250138/Stealthy_malware_39_Poweliks_39_r
esides_only_in_system_registry?taxonomyId=17
Trend Micro Blog:
-http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hide
s-in-windows-registry/

Hacking Through Satellite Communications Systems (August 4, 2014)

A presentation at the Black Hat security conference this week will demonstrate how airplanes, ships, oil rigs, and other modes of transportation and elements of critical infrastructure are at risk from attacks on satellite communications systems. Researcher Ruben Santamarta says that passenger jets' navigation systems could also be infiltrated through the in-flight entertainment and Wi-Fi systems.
-http://www.v3.co.uk/v3-uk/news/2358750/airplanes-ships-and-oil-rigs-all-at-risk-
from-satellite-cyber-attacks
-http://www.nbcnews.com/tech/security/could-hackers-really-attack-passenger-jet-t
hrough-wi-fi-n172181
[Editor's Note (Assante): Ruben is gifted at ferreting out the common vulnerabilities in firmware-based systems. What would be shocking is finding an example where embedded devices were engineered with security as a required design element at both the component and system level. Internet of Things (IoT) developers need to learn from this research before building a world full of stranded devices and committing us to a perpetual sea of insecurity.
(Murray): Wow! This time the sky really is falling. ]

Database Error May Have Exposed Mozilla Developer Data (August 2 & 4, 2014)

A database error may have compromised the email addresses and encrypted passwords of as many as 76,000 Mozilla developers. The problem was a data sanitization process in the Mozilla developer network that was failing and accidentally exposing the developers' data. Once Mozilla became aware of the problem, "the database dump file was removed from the server." While the compromised data cannot be used to access Mozilla's developer network, if people used the same passwords on other sites, the information could be used to compromise those accounts.
-http://www.scmagazine.com/script-fails-thousands-of-mozilla-developer-emails-pas
swords-possibly-exposed/article/364452/
-http://www.v3.co.uk/v3-uk/news/2358584/mozilla-developer-email-addresses-and-pas
swords-exposed
-http://www.zdnet.com/mozilla-accidentally-reveals-developer-emails-and-passwords
-7000032271/
-http://arstechnica.com/security/2014/08/thousands-of-mozilla-developers-e-mail-a
ddresses-password-hashes-exposed/

Samba Flaw Could be Exploited to Gain Root Privileges (August 3 & 4, 2014)

A critical flaw in Samba could be exploited to gain network access with administrative privileges. Samba is an open-source implementation of a network filesharing protocol used on Windows networks. The remote code execution flaw exists in Samba's nmbd NetBIOS name service daemon's handling of certain memory operations. The new versions of Samba are 4.1.11 and 4.0.21.
-http://arstechnica.com/security/2014/08/critical-code-execution-bug-in-samba-giv
es-attackers-superuser-powers/
-http://www.zdnet.com/samba-patch-fixes-critical-vulnerability-7000032265/
Security advisory:
-https://www.samba.org/samba/security/CVE-2014-3560

PF Chang's Identifies Restaurants Possibly Affected by Breach (August 4, 2014)

PF Chang's has identified 33 restaurants from which customer data may have been taken during a breach of point-of-sale systems. The compromised data include card numbers as well as associated names and expiration dates. The restaurant chain reports that it addressed the issue that was exploited in the breach, which was reported in June, and "has been processing credit and debit card data securely at all locations since June 11, 2014."
-http://www.nbcnews.com/tech/security/p-f-changs-names-33-restaurants-hit-securit
y-breach-n172121
-http://www.computerworld.com/s/article/9250145/PF_Chang_39_s_hack_hit_33_restaur
ants_for_8_months?taxonomyId=17
-http://www.cnet.com/news/p-f-changs-reveals-more-details-on-data-breach/

Researchers Found Security Issues at Healthcare Facilities (August 3, 2014)

According to research conducted by Norse for a SANS report, between September 2012 and October 2013, identified nearly 50,000 unique malicious events on health care networks and more than 700 unique malicious source IP addresses. Norse gathered the data from its global sensor network. Among the malicious source IP addresses was one belonging to a visible, network-attached, multi-function printer. While such devices come with default login and password and instructions to change the default login and password, in many cases, these are never changed.
-http://www.forbes.com/sites/danmunro/2014/08/03/just-how-secure-are-it-networks-
in-healthcare/
[Editor's Note (Honan): Securing systems in the health care sector is always going to be a challenge, not least with the end users as their focus is on patient care and keeping them healthy, not on keeping computer systems free from infection. Until we make computer systems secure by design for the environment they will be used in we will always face these challenges. By the way, a search on the ShodanHQ website will quickly reveal that healthcare is not the only industry that finds keeping their network attached printers secure from the Internet a challenge. ]

Jimmy John's Investigating Report of Breach (July 31, 2014)

Illinois-based sandwich restaurant chain Jimmy John's says it is investigating reports that its systems suffered an intrusion, which led to the compromise of customer payment card information. Brian Krebs reports in his KrebsOnSecurity blog that several financial institutions have reported fraudulent activity on payment cards that were recently used at Jimmy John's.
-http://krebsonsecurity.com/2014/07/sandwich-chain-jimmy-johns-investigating-brea
ch-claims/

Australian Optometry Firm Loses Defence Dept. Contract After Outsourcing Claims (July 25, 2014)

Australian optometry company Luxottica lost its contract with the Australian Defence Force (ADF) after the ADF learned that the company had outsourced claims work that included patient data. The AU $33.5 million (US $31.3 million) contract specified that the claims be processed domestically.
-http://www.news.com.au/national/luxottica-loses-contract-with-adf-after-sending-
diggers-data-offshore/story-fncynjr2-1227002006719

---

STORM CENTER TECH CORNER

Threat & Indicators: A Security Intelligence Lifecycle
-https://isc.sans.edu/forums/diary/Threats+Indicators+A+Security+Intelligence+Lif
ecycle+/18475

Crypto Malware Infecting Synology Disk Storage Devices
-http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

Malware Uses Yahoo Mail for C&C
-https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript

PayPal 2 Factor Authentication Bypass
-http://blog.internot.info/2014/06/paypals-2-factor-authentication2fa-good.html

Citadel Malware Adds User with Remote Access Ability to Gain Persistence
-http://securityintelligence.com/citadels-new-trick-persistent-device-remote-cont
rol#.U97N_VYXk29

Conpot can now emulate smart meters (thanks to proxy mode)
-http://honeynet.org/node/1179

Symantec Analyzes Wearable Devices Security
-http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-tracking-mon
itoring-and-wearable-tech

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/