
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #64

August 12, 2014

TOP OF THE NEWS

Some "Experts" Say Planes Cannot be Digitally Hijacked
US Federal Communications Commission Quizzes Wireless Providers About Speed Throttling Decisions
NIST Aims to Improve Industrial Control System Security with Testbed
Federal Judge Says Law Enforcement Can Access Entire eMail Account in Investigation

THE REST OF THE WEEK'S NEWS

Russian Government Bans Anonymous Wi-Fi
Only Three Critical Infrastructure Sectors Participating in DHS Threat Info Sharing Program
New Gameover Zeus Variants Detected
Firmware Study Finds Security Concerns
What's Happening with Dark Mail?
ISP-Supplied Home Routers Could be Compromised Through Protocol That Allows Remote Troubleshooting
Watch Group Says Bahrain Government Used FinFisher to Spy on Activists and Others

PESCATORE FIRST LOOKS

IBM acquired Lighthouse Security Group
Gemalto (spun off from Schlumberger in 2004) acquired Safenet

STORM CENTER TECH CORNER


********************* Sponsored By Symantec *********************
Symantec Webcast: Getting Beyond Standalone Antivirus to Advanced Threat Protection: Increasingly complex, advanced threats are more prevalent than ever and even with the myriad of security tools available, the news is still filled with information about organizations getting breached. A better approach is needed. Learn how to ensure your organization has the strongest protection, detection and response capabilities.
http://www.sans.org/info/165477
***************************************************************************
TRAINING UPDATE

- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
http://www.sans.org/event/cyber-defense-summit


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Nashville, Bangkok, Tallinn, and Hong Kong all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Some "Experts" Say Planes Cannot be Digitally Hijacked (August 9 & 10, 2014)

In a presentation at DefCon, two aviation experts allayed concerns that airplanes could be hijacked with computers. Avionics systems are not accessible through the in-flight entertainment system or Wi-Fi. Phil Polstra, associate professor of digital forensics at Bloomsburg University, said "One thing everyone needs to understand, you cannot override the pilot." Autopilot functions could conceivably be altered, but the activity would generate alerts and pilots would disconnect that function. Attackers could attempt to compromise a system that is used to send messages about weather, flight plan changes, delays, and the like, but those attempts are likely to appear suspicious to those who interact with the system, and they would be ignored.
-http://www.scmagazine.com/defcon-you-cannot-cyberhijack-an-airplane-but-you-can-create-mischief/article/365465/

-http://www.theregister.co.uk/2014/08/10/why_hackers_wont_be_able_to_hijack_your_next_flight_the_facts/

[Editor's Note (Pescatore): There definitely have been over-hyped presentations and announcements about hacks into aircraft. Of all the industries out there, the aviation industry has the strongest approach to secure software development life cycle. But, as aircraft get more complex and the way flights are handled gets more computer-driven, there are way more opportunities for unforeseen consequences. Given that one of the leading causes of many crashes is pilot error, I would also not be very comfortable with the "well, the pilots would notice" argument. ]

US Federal Communications Commission Quizzes Wireless Providers About Speed Throttling Decisions (August 8, 2014)

The Federal Communications Commission (FCC) is seeking particulars from wireless providers about how they make decisions about data traffic throttling. The inquiry was prompted by Verizon's announcement that starting in October, the top five percent of data users on unlimited data plans may experience a slowing of their Internet speeds. Verizon maintains that the plan meets the definition of "reasonable network management."
-http://www.csmonitor.com/Innovation/2014/0808/FCC-to-wireless-providers-When-do-you-slow-download-speeds

-http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/08/fcc-to-verizon-all-the-kids-do-it-is-no-excuse-for-throttling-unlimited-data/

[Editor's Note (Pescatore): That famed security researcher, Dolly Parton, once said something like "It takes a lot of work to put 10 gallons of mud into a 5 gallon bucket." If we could go back 20 years and have all the ISPs do way *more* filtering and throttling, the Internet would be a safer place. Wireless bandwidth is even more limited and needs more management. It is very much like the electricity industry - you pay for what you use but occasionally everyone tries to use too much at the same time and throttling has to happen. Consistent guidelines are needed to make sure that there are ways to filter out known bad stuff and to make sure that such throttling is not anti-competitive. ]

NIST Aims to Improve Industrial Control System Security with Testbed (August 12, 2014)

The US National Institute of Standards and Technology (NIST) is planning to build a testbed to help improve supervisory control and data acquisition (SCADA) system security. Currently in an early stage of development, the Reconfigurable Industrial Control Systems Cybersecurity Testbed will "measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines," according to the request for information.
-http://www.theregister.co.uk/2014/08/12/nist_wants_better_scada_security/
RFI:
-https://www.fbo.gov/index?s=opportunity&mode=form&id=34058f1c96ba5cab935633acc50011c9&tab=core&_cview=0

[Editor's Note (Assante): I have been involved in the design and use of ICS testbeds. There is no question they bring value through learning, but they must be paired with the proper incentives and motivations to see that learning applied in any meaningful way. I am hopeful that a center will be opened up that allows security researchers access to expensive and difficult to obtain systems and provides direct teaming opportunities with ICS stakeholders. ]

Federal Judge Says Law Enforcement Can Access Entire eMail Account in Investigation (August 11, 2014)

A federal judge in Washington, DC, has issued a ruling that law enforcement may access an entire email account and examine it for evidence, reversing a lower court decision that had denied the request for the information on the grounds that it violated the Fourth Amendment protections against unreasonable search and seizures. Chief Judge Richard W. Roberts ruled that the request does not violate Fourth Amendment rights.
-http://www.computerworld.com/s/article/9250281/U.S._court_rules_in_favor_of_providing_officials_access_to_entire_email_account?taxonomyId=17

-http://blogs.wsj.com/law/2014/08/08/judge-blesses-justice-department-email-searches/

[Editor's Note (Murray): Which way this is decided is not nearly so important as that it is decided and supervised by the courts, not the investigators, not the service providers. How "particular" a warrant is to be is exactly what the Constitution requires that the courts must decide. ]

**************************** SPONSORED LINKS ******************************
1) Download your FREE copy of "Incident Response with NetFlow for Dummies" ebook today! http://www.sans.org/info/165482

2) Under Threat or Compromise: Every Detail Counts - Wednesday, August 20 at 1:00 PM EDT (17:00:00 UTC) with Jake Williams and John Vecchi. http://www.sans.org/info/165487

3) New SANS survey looks at security and compliance in managing data center server assets. Take survey and enter to win an iPad. Results Webcast on 10/29. http://www.sans.org/info/165492
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Russian Government Bans Anonymous Wi-Fi (August 8 & 11, 2014)

Russian Prime Minister Dmitry Medvedev has signed a decree prohibiting anonymous wireless Internet access. People using public wi-fi must provide identification before they are allowed to access the network.
-http://www.theregister.co.uk/2014/08/11/anonymous_wifi_the_latest_casualty_of_russia_net_neurosis/

-http://www.zdnet.com/russia-bans-anonymous-wifi-7000032464/
-http://www.cbc.ca/news/world/russia-restrictions-on-public-wifi-access-go-into-effect-1.2731354

[Editor's Note (Pescatore): When you hear it this way, requiring authentication for public WiFi sounds ominous. If you phrased it "to combat crime, WiFi hotspots will be required to ask users to identify themselves, as is required at all hotel check-in desks" it sounds different. Whether anonymity is valued or feared is a societal norm, not some universal constant. (Murray): This is not so much a "ban" as a requirement. While it may be the largest country to do so, Russia is not the first, nor likely to be the last, to do so. Wireless access providers are cautioned against allowing anonymous access lest it be used for malicious purposes such as spam. I have been in several countries where one was required to have a national ID to connect to WiFi in a coffee shop. ]

Only Three Critical Infrastructure Sectors Participating in DHS Threat Info Sharing Program (August 11, 2014)

According to a report from the US Department of Homeland Security (DHS) Office of Inspector General (OIG), just three of the 16 identified industries that support elements of the country's critical infrastructure have joined a DHS threat information-sharing program. The Enhanced Cybersecurity Service program, originally limited to Pentagon contractors, was expanded early last year to include the critical infrastructure industries, but so far only energy, communications service, and the defense industrial base have joined.
-http://www.nextgov.com/cybersecurity/2014/08/who-receiving-hacker-threat-info-dhs/91154/?oref=ng-HPriver

-http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-119_Jul14.pdf
[Editor's Note (McBride): Indicator soup... From an asset owner point of view, information sharing is near useless unless you have a team trained and dedicated to make it work, as well as technology to facilitate consumption of indicators. It appears that the "new" government program is substantially the same as the "old program". ]

New Gameover Zeus Variants Detected (August 11, 2014)

Two new variants of Gameover Zeus malware have been found in the wild. Bitdefender Labs, which detected the new variants, says that they use a domain-generation algorithm to hide. Earlier this summer, law enforcement agencies around the world cooperatively took steps to dismantle the Gameover Zeus botnet.
-http://www.scmagazine.com/two-new-gameover-zeus-variants-in-the-wild/article/365647/

Firmware Study Finds Security Concerns (August 11, 2014)

A study conducted by researchers at a French technology graduate school found that much firmware is not very secure. The research was conducted with information gathered using a web crawler that discovered more than 30,000 firmware images on manufacturers' websites. Among the issues found in the samples are encryption mechanisms with inadequate protection and backdoors.
-http://www.pcworld.com/article/2464060/study-finds-firmware-plagued-by-poor-encryption-and-backdoors.html

[Editor's Note (Assante): The security community has pecked away at this problem, but has been unable to drive real change in embedded system engineering practices or deliver security tools and practices to compensate for existing weaknesses. Firmware vulnerabilities will continue to plague us for a long time to come, but we keep on pouring this unstable foundation to build the Internet of Things (IoT) upon. ]

What's Happening with Dark Mail? (August 9, 10, & 11, 2014)

Ladar Levison, creator of the now defunct Lavabit encrypted email service, described the progress of his new project, which aims to revolutionize email. Speaking at DefCon, Levison said that he is unhappy that the communications environment is such that "we need a [military grade] cryptographic mail system ... just to be able to talk to our friends and family without ... fear of government surveillance." Now known as DIME, for the Dark Internet Mail Environment, the project uses layered cryptography to provide one-click, end-to-end email encryption. Levison expects DIME to be running by early next year.
-http://www.theregister.co.uk/2014/08/11/spy_busting_dark_mail_relaunched_as_dime/

-http://www.cnet.com/news/lavabit-founders-darkmail-needs-help-to-cross-finish-line/

-http://time.com/3096341/email-encryption-hackers/

ISP-Supplied Home Routers Could be Compromised Through Protocol That Allows Remote Troubleshooting (August 10, 2014)

At the DefCon conference, security researcher Shahar Tal gave a presentation in which he warned that home routers supplied by Internet service providers (ISPs) could be compromised en masse. The servers that many ISPs use to manage these devices are accessible from the Internet and vulnerable to hijacking. The issue lies in TR-069, also known as the CPE WAN Management Protocol (CWMP), the customer-premises equipment management protocol that allows ISPs to fix problems on customers' routers remotely.
-http://www.computerworld.com/s/article/9250278/Home_routers_supplied_by_ISPs_can_be_compromised_en_masse?taxonomyId=17

Watch Group Says Bahrain Government Used FinFisher to Spy on Activists and Others (August 8, 2014)

According to the Bahrain Watch rights group, the Bahrain government allegedly used FinFisher to conduct surveillance on activists and lawyers there. The spyware would allow those controlling it to steal passwords and files, and to use infected machines' cameras and microphones to spy on people.
-http://www.v3.co.uk/v3-uk/news/2359469/bahrain-government-accused-of-using-finfisher-spyware-to-snoop-on-activists


PESCATORE FIRST LOOKS

IBM acquired Lighthouse Security Group, which offered managed Identity and Access Management services that were largely based around IBM IAM technology and largely offered through IBM Global Services. This looks like part of IBM trying to expand managed services, especially anything that can be called "cloud." The use of IAM as a Service has been slow to grow, as it is rarely the first thing an enterprise will outsource. The acquisition by IBM should make it easier for such services to be bundled into large IBM outsourcing/cloud services contracts and should be beneficial to IBM-centric Lighthouse customers.
-http://www-03.ibm.com/press/us/en/pressrelease/44503.wss

Gemalto, which was spun off from Schlumberger back in 2004, acquired Safenet, which was known as IRE until 1996. Gemalto was largely a smart card vendor years ago, obviously not a growth market, so they have been making a lot of acquisitions around payment infrastructure security. Safenet mostly sells encryption hardware and software used in ecommerce websites, but has made acquisitions to get into authentication over the years. This is a large acquisition for Gemalto; there are likely to be many redundancies eliminated as well as product portfolio pruning that may impact Safenet customers.
-http://www.reuters.com/article/2014/08/08/gemalt-safenet-deals-idUSL6N0QE14U20140808


STORM CENTER TECH CORNER

Verifying Preferred SSL/TLS Ciphers with nmap
-https://isc.sans.edu/forums/diary/Verifying+preferred+SSL+TLS+ciphers+with+Nmap/18513

Nest Thermostat Hack
-http://venturebeat.com/2014/08/10/hello-dave-i-control-your-thermostat-googles-nest-gets-hacked/

Cryptowall Spreading via Yahoo! Ads
-https://www.bluecoat.com/company/press-releases/blue-coat-uncovers-new-malvertising-attack-leveraging-major-ad-network

Xiaomi Phones Call Home With User Data
-http://www.f-secure.com/weblog/archives/00002731.html

Exploiting Web Applications Using XSRF
-https://isc.sans.edu/forums/diary/Complete+application+ownage+via+Multi-POST+XSRF/18507

Incident Response with Triage-IR
-https://isc.sans.edu/forums/diary/Incident+Response+with+Triage-ir/18509

Blackphone Hacked
-https://twitter.com/TeamAndIRC/status/498187730023501824

Oracle Data Redaction Easily Bypassed
-http://packetstorm.foofus.com/papers/database/Oracle_Data_Redaction_is_Broken.pdf



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/