SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #63

August 08, 2014

TOP OF THE NEWS

Billions of Digital Credentials Stolen
UK's Information Commissioner Voices Concerns About Data Security in Legal Profession
Google Boosts Search Result Rankings for HTTPS Sites

THE REST OF THE WEEK'S NEWS

Man Arrested in UK for Allegedly Running Proxy Server
WordPress Plug-In Flaw Leaves Sites Vulnerable to Remote Takeovers
FinFisher Business Details Leaked to Internet
Black Hat: TSA Security Equipment Has Backdoors
Microsoft Update Will Block Out-of-Date Java Plug-ins in Internet Explorer
Security Companies Team Up to Help Users Recover Files Locked by CryptoLocker
DHS Contractor Breach
FBI Using Drive-by Downloads to Catch Criminals
Wireless Emporium Notifying Customers of Possible Data Breach
Oracle Offers Fix for Problem with Recent Java Update
Reservists Trounced CYBERCOM Cyber Specialists in War Game Exercise

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By Bit9 + Carbon Black ********************
Download the free eGuide: How a Positive Security Solution Manages 5 Core Compliance Controls.
http://www.sans.org/info/165297
***************************************************************************
TRAINING UPDATE


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, Tallinn, and Hong Kong all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Billions of Digital Credentials Stolen (August 5 & 6, 2014)

A group of Russian thieves has collected a stash of Internet account credentials: 1.2 billion user name and password combinations and 500 million email addresses. The data were taken from more than 420,000 websites. The group believed to be responsible for the massive data heist appears to be using the information to send spam.
[Alan: In light of all the noise being made about this story, before you read the articles, you might find value in Brian Kreb's validation at
-http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accoun
ts/]

-http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-tha
n-a-billion-stolen-internet-credentials.html?_r=0
-http://money.cnn.com/2014/08/05/technology/security/russian-hackers-theft/index.
html
-http://www.darkreading.com/biggest-cache-of-stolen-creds-ever-includes-12-billio
n-unique-logins/d/d-id/1297811?
-http://www.v3.co.uk/v3-uk/news/2358987/russian-hackers-steal-12-billion-web-pass
words
-http://www.holdsecurity.com/news/cybervor-breach/

UK's Information Commissioner Voices Concerns About Data Security in Legal Profession (August 5, 2014)

The UK Information Commissioner's Office (ICO) has received reports of 15 incidents in the past three months involving mishandling of client data by those in the legal profession. The ICO is warning that barristers and solicitors who do not take adequate precautions to protect their clients' data would face fines of up to GBP 500,000 (US $840,000).
-http://www.v3.co.uk/v3-uk/news/2358882/ico-sounds-the-alarm-over-legal-professio
ns-shoddy-data-handling
[Editor's Note (Paller): I have first hand evidence that US law firms have lost huge troves of their clients' data; the FBI disclosed that US law firms were targets of nation-state attacks in 2009; and the head of MI5 made it clear that the same was happening in the UK in a disclosure the year before. Nation states (as well as economic competitors) have figured out that organizations run by lawyers (as well as the consulting companies run by ex Federal officials) are the most cost-effective way to steal intellectual property from companies seeking to do business in their countries because those companies share the crown jewels with their lawyers and consultants and think they will protect the information. ]

Google Boosts Search Result Rankings for HTTPS Sites (August 7, 2014)

Google has acknowledged that is giving HTTPS sites a small boost to in search-engine rankings. The encryption is currently a small portion of Google's search result ranking algorithm, but may play a larger role in the future.
-http://www.zdnet.com/google-confirms-its-giving-https-sites-higher-search-rankin
gs-7000032428/
-http://www.nbcnews.com/tech/security/google-give-secure-websites-search-ranking-
boost-n175336
[Editor's Note (Northcutt): Bravo for Google. Encryption does not solve all problems, but it beats plain text any day. ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eGuide: How a Positive Security Solution Manages 5 Core Compliance Controls. http://www.sans.org/info/165302

2) Early CDM adopters improving security: SANS survey webcast August 6 at 1 PM EDT http://www.sans.org/info/165287

3) In case you missed it: Simple, Effective Patch Management: From Dilemma to Done Deed Find out more on this Dell KACE webcast: http://www.sans.org/info/165282
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Man Arrested in UK for Allegedly Running Proxy Server (August 6 & 7, 2014)

Police in the UK have arrested a man for his alleged role in a music and movie piracy scheme. The unnamed 20-year-old allegedly ran a proxy server that allowed users to connect to Internet services, such as the Pirate Bay, that Internet service providers (ISPs) have been ordered to ban.
-http://www.bbc.com/news/technology-28689407
-http://www.wired.co.uk/news/archive/2014-08/06/pipcu-proxy-server-immunicity
[Editor's Note (Murray): It is not an offense to run a proxy server. It may not even be an offense to do so for the purpose of bypassing controls. ]

WordPress Plug-In Flaw Leaves Sites Vulnerable to Remote Takeovers (August 7, 2014)

Another critical flaw in a WordPress plug-in affects thousands of websites. The flaw in the Custom Contacts Form plug-in could be exploited to take control of vulnerable sites. Attackers can exploit a certain function to create new administrative users and modify the contents of databases. Custom Contacts Form has been downloaded more than 600,000 times.
-http://arstechnica.com/security/2014/08/critical-wordpress-plugin-bug-affects-hu
ndreds-of-thousands-of-sites/

FinFisher Business Details Leaked to Internet (August 5, 6, & 7, 2014)

An attacker has posted confidential business documents detailing operations of Gamma Group, the company that makes and sells spyware known as FinFisher. The product is sold only to governments and law enforcement agencies. The software has allegedly been used by governments in authoritarian regimes to spy on journalists and dissidents.
-http://www.zdnet.com/top-govt-spyware-company-hacked-gammas-finfisher-leaked-700
0032399/
-http://www.nextgov.com/cybersecurity/2014/08/spyware-maker-accused-peddling-auto
crats-gutted-hacker/90812/?oref=ng-channeltopstory
-http://www.scmagazineuk.com/government-spyware-exposed-after-massive-data-breach
/article/365047/
-http://www.theregister.co.uk/2014/08/05/finfisher_spy_malware_docs_leaked/

Black Hat: TSA Security Equipment Has Backdoors (August 6 & 7, 2014)

According to a presentation given by Billy Rios at the Black Hat security conference in Las Vegas, a US Transportation Safety Administration (TSA) system in use at airport checkpoints contains default backdoor passwords. The technician accounts are hardwired into the software, and changing the associated passwords would be disruptive to the system.
-http://www.scmagazine.com/black-hat-airport-security-equipment-at-risk/article/3
65044/
-http://www.darkreading.com/vulnerabilities---threats/advanced-threats/tsa-checkp
oint-systems-found-exposed-on-the-net/d/d-id/1297843?
-http://ics-cert.us-cert.gov/advisories/ICSA-14-205-01

Microsoft Update Will Block Out-of-Date Java Plug-ins in Internet Explorer (August 6 & 7, 2014)

Microsoft will update Internet Explorer to block outdated ActiveX controls - in particular, the update will block outdated Java plug-ins. The changes will be included in the updates scheduled for release on Tuesday, August 12. When web pages try to launch an out-of-date plug-in, IE users will see a warning that allows them to choose either to ignore the alert and run the out-of-date control, or to update the Java plug-in. The changes in the update apply to users running Windows 7 SP1 and Windows 8.x. Microsoft advance notification indicates that there will be nine bulletins released on Tuesday, two of which have maximum severity ratings of critical. One of those is the IE update. Business users running Windows 8.1 have to have installed Update 1, which was released in April, before August 12 if they want to receive the updates.
-http://www.computerworld.com/s/article/9250209/IE_plays_security_catch_up_will_b
lock_outdated_Java_plug_ins?taxonomyId=17
-http://arstechnica.com/information-technology/2014/08/internet-explorer-to-start
-blocking-old-java-plugins/
-http://www.zdnet.com/microsoft-to-block-outdated-java-versions-in-internet-explo
rer-7000032395/
-http://www.theregister.co.uk/2014/08/07/ie_out_of_date_activex_control_blocking/
-http://www.computerworld.com/s/article/9250240/Windows_8.1_biz_users_face_patch_
freeze_as_Microsoft_sets_critical_updates?taxonomyId=17
-https://technet.microsoft.com/library/security/ms14-aug

Security Companies Team Up to Help Users Recover Files Locked by CryptoLocker (August 6, 2014)

Researchers at FireEye and Fox-IT have managed to obtain the private encryption keys that the malware uses to lock files. They are offering people whose files have been locked by CryptoLocker ransomware a free service to recover those files. Until now, those who had the misfortune of being victims of the malware had to choose to pay the ransom demanded or consider the files gone forever. CryptoLocker first emerged last fall.
-http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocke
r-ransomware/
-http://arstechnica.com/security/2014/08/whitehats-recover-victims-keys-to-crypto
locker-ransomware/
-https://decryptcryptolocker.com

DHS Contractor Breach (August 6, 2014)

A data breach at a contractor doing work for the US Department of Homeland Security (DHS) likely exposed employees' personal information. US Investigations Services (USIS) conducts background checks on individuals for DHS; its contract has been suspended pending the outcome of an FBI investigation. USIS said that "experts ... believe it has all the markings of a state-sponsored attack."
-http://www.washingtonpost.com/world/national-security/dhs-contractor-suffers-maj
or-computer-breach-officials-say/2014/08/06/8ed131b4-1d89-11e4-ae54-0cfe1f974f8a
_story.html
-http://www.zdnet.com/us-contractor-firm-that-vetted-snowden-suffers-major-breach
-data-likely-snatched-7000032397/
-http://www.cnet.com/news/us-homeland-security-data-possibly-stolen-in-cyberattac
k/
-http://www.computerworld.com/s/article/9250219/U.S._agencies_halt_background_che
cks_by_contractor_after_cyberattack?taxonomyId=17

FBI Using Drive-by Downloads to Catch Criminals (August 5, 2014)

The FBI has been using drive-by downloads to identify people who visit certain suspicious websites. Specifically, the Justice Department is attempting to identify people who visit child pornography websites hiding in the Tor network. The tactic has paid off - more than a dozen people are now facing trial. However, critics say that the FBI has "glossed over the technique when describing it to judges" and has hidden its use from defendants. The FBI calls the method a network investigative technique (NIT) and has been using some form of it since 2002. There is also concern about mission creep, because the technology's deployment has grown from targeted operations to a dragnet-like approach. Others are worried about weakening a technology useful to human rights and other activists.
-http://www.wired.com/2014/08/operation_torpedo/

Wireless Emporium Notifying Customers of Possible Data Breach (August 5, 2014)

The Wireless Emporium website has been notifying customers that malware detected on the site could have compromised their personal data, including payment card information. The breach appears to affect people who made purchases through the site between December 24, 2013 and January 19, 2014.
-http://www.scmagazine.com/payment-cards-used-on-wireless-emporium-website-compro
mised-by-malware/article/364686/

Oracle Offers Fix for Problem with Recent Java Update (August 5, 2014)

Oracle has fixed an issue in a recent Java update that caused problems with some web applications. Java 7 Update 65 contained a bug that prevented some applications from launching. Oracle has issued Java 7 Update 67 to address the issue.
-http://www.computerworld.com/s/article/9250163/Oracle_issues_fix_for_Java_update
_that_crippled_some_Web_apps?taxonomyId=17
-https://blogs.oracle.com/java-platform-group/entry/java_7_update_67_patch

Reservists Trounced CYBERCOM Cyber Specialists in War Game Exercise (August 4, 2014)

At a cyber war exercise pitting members of the Pentagon's CYBERCOM force against reservists last year, the reservists came out on top. Although the outcome of the exercise is classified, a Capitol Hill staffer who attended the event noted, "The active-duty team didn't even know how they'd been attacked."
-http://www.navytimes.com/article/20140804/NEWS04/308040019

---

STORM CENTER TECH CORNER

BGP Hijacking of Crypto-currency Mining Pool
-http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-c
ryptocurrency-profit/

Stay up to date with Internet Explorer
-http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-expl
orer.aspx

OpenSSL Patches
-http://www.openssl.org/news/secadv_20140806.txt

Symantec Endpoint Protection Exploit
-https://isc.sans.edu/forums/diary/Exploit+Available+for+Symantec+End+Point+Prote
ction/18491

Mozilla Outlines Plans for Future Certificate Revocation Implementations
-https://wiki.mozilla.org/CA:RevocationPlan

Center for Internet Security Releases VMWare ESXi 5.5 Benchmark
-https://benchmarks.cisecurity.org/downloads/form/index.cfm?download=esxi55.100

Multi Function Devices used to compromise Networks
-http://www.theregister.co.uk/2014/08/05/printer_pwnage_just_getting_worse_resear
cher_finds/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/