SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #67

August 22, 2014

TOP OF THE NEWS

Wired Asks Tech Leaders How to Save The Internet
Amazon Web Services First Cloud Provider Authorized to Handle Sensitive DOD Data
Military Contractors Face New Breach Disclosure and Procedure Deadlines

THE REST OF THE WEEK'S NEWS

Microsoft to Preview New Operating System Next Month
Study Finds University Networks Less Secure Than Retail and Healthcare Sectors
FBI and DHS Plan to Provide Healthcare Organizations More Threat Info More Quickly
Rogue Anti-Virus Malware Defru Targeting Users in Russia
UPS Discloses Data Breach
Attackers Made Initial Breach of Community Health Services Through Heartbleed Flaw
Analysis of Chrome Extensions Finds Malicious Activity

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By LogRhythm ****************************
Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT with John Pescatore and Erick Ingleby. Attendees will learn how to evaluate their risk and improve their security posture, as well as how to prevent becoming the next Target or other high-visibility breach.
http://www.sans.org/info/166207
***************************************************************************
TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by August 27 and save $400. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Tallinn, Hong Kong, and Sydney all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Wired Asks Tech Leaders How to Save The Internet (August 19, 2014)

Wired Magazine asked technology and security leaders for their ideas about how to "maintain the Internet as a home for innovation, community, and freely exchanged information." Read responses from Bruce Schneier, Reed Hastings, Peter W. Singer, Vinton G. Cerf, Danny Hillis, and Mitchell Baker.
-http://www.wired.com/2014/08/how-to-save-the-net/
[Editor's Note (Murray): A timely and cogent question elicited some very terse and useful answers. Driven and guided by economics and technology, without design but through cooperation and collaboration, we have created a "commons" few would have dared to imagine. We are now so dependent upon it that the only alternative to "saving the Internet" is a decent into chaos in which as many as half of us become victims of violence or want. As suggested by these thoughtful leaders, with some sacrifice from all stakeholders, we will, we must, "muddle through." ]

Amazon Web Services First Cloud Provider Authorized to Handle Sensitive DOD Data (August 21, 2014)

The Defense Information Systems Agency has granted Amazon Web Services a provisional authority to operate (ATO), making it the first commercial cloud services provider to be authorized to handle "the most sensitive unclassified" Defense Department data. The ATO allows Amazon Web Services to operate at security impact levels 3 and 5.
-http://www.nextgov.com/cloud-computing/2014/08/big-win-amazon-first-provider-aut
horized-handle-sensitive-dod-workloads/92069/?oref=ng-HPtopstory
-http://defensesystems.com/articles/2014/08/21/aws-govcloud-disa-security-approva
l.aspx?admgarea=DS
[Editor's Note (Paller): Amazon gets two big wins here: First they get access to the billions in IT expenditures that has been the nearly all going to traditional government contractors and secondly they will undoubtedly argue to careful commercial clients that "it is good enough for DoD; isn't that good enough for you?"
|(Pescatore): This is another example of "location matters" in cloud computing. The DoD will use Amazon's "GovCloud" which is an isolated AWS Region for Government use. The other thing to point out is the FedRAMP and DISA Cloud Security Model do a good job of requiring cloud service providers to provide continuous monitoring feeds. ]

Military Contractors Face New Breach Disclosure and Procedure Deadlines (August 13, 2014)

Contractors for the US Defense Department are facing a new deadline for rules that will require them to report breaches to the Pentagon and to grant the government access to their networks so they can conduct attack analysis. Concerns about the rules include requiring companies to report even minor breaches and allowing the government access to trade secrets and personal information. The rules were part of a congressional Defense Department budget authorization measure in 2013. Director of communications for the Aerospace Industries Association Daniel Stohr said, "Cyber security is increasingly becoming the cost of doing business with the federal government."
-http://www.bloomberg.com/news/2014-08-13/military-companies-brace-for-rules-on-m
onitoring-hackers.html
[Editor's Note (Pescatore): I'm a bit dismayed an aerospace industry spokesperson would make it sound like security was not *already* an important part of performing on sensitive DoD contracts, but good to see the DoD funding bill put more oomph behind existing efforts to focus on supply chain integrity and the security of the Defense Industrial Base. ]

---

**************************** SPONSORED LINKS ********************************
1) Kill Shot: Stopping Unknown Malware with Trust Based Application Control - Thursday, September 04 at 2:00 PM EDT (18:00:00 UTC) with Harry Sverdlove and Dave Shackleford. http://www.sans.org/info/166212

2) Critical Security Controls survey results revealed in 9/9 Webcast at 1 pm EDT. Learn about the current state of CSC adoption & implementation. http://www.sans.org/info/166217

3) How to Detect System Compromise & Data Exfiltration Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC) with Tom DAquino. http://www.sans.org/info/165707
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft to Preview New Operating System Next Month (August 21, 2014)

Microsoft plans to preview the next incarnation of its Windows operating system, codenamed Threshold, on September 30, 2014. The event is largely for Microsoft to present the operating system's new features. It will be released to developers shortly after the preview; the public release is scheduled for spring 2015.
-http://www.theverge.com/2014/8/21/6052807/windows-9-preview-press-event-septembe
r
-http://www.siliconrepublic.com/digital-life/item/38054-microsoft-gives-date-for/
-http://www.cnet.com/news/windows-9-unveiling-set-for-september-30-report-says/
-http://www.zdnet.com/microsofts-windows-9-much-ado-about-little-given-cloud-shif
t-7000032858/

Study Finds University Networks Less Secure Than Retail and Healthcare Sectors (August 21, 2014)

According to a report from BitSight Technology, college and university networks face greater risk of attacks than retail and healthcare networks. Attackers target university systems during the academic year, and many schools do not have the resources to protect their networks. The report says that part of the reason that network security is worse during the academic year is the presence of so many devices that students bring. Universities can also be appealing targets for data thieves because of the abundance of personal data and research data. Also, many schools have partnerships with government agencies, which could put those agencies at risk as well. Most attacks on university systems come from malware, and most of those are from Flashback, which targets Macs.
-http://www.scmagazine.com/study-most-higher-ed-malware-infections-attributed-to-
flashback/article/367513/
-http://www.zdnet.com/us-universities-at-greater-risk-for-security-breaches-than-
retail-and-healthcare-bitsight-7000032843/
-http://www.nbcnews.com/tech/security/hackers-target-colleges-steal-personal-data
-university-research-n185866
[Editor's Note (Pescatore): Universities have unique challenges in security, to put it mildly. At this year's SANS Security Leadership summit in Boston, a university CISO pointed out college campuses are more like cities than businesses, since they provide housing, entertainments, sports team, meals, etc. to their customers. Larry Wilson at UMASS has done a great job using the Critical Security Controls to focus security budgets and efforts on the highest payback areas first.
(Murray): A decade ago Richard Clarke told twenty-five college and university presidents in Redmond WA that, because their networks and systems were so open, seventy-five percent of the attack traffic in the Internet could be traced to them and no further. Prompted by government, the RIAA and the MPAA, and led by EDUCAUSE, we have come a very long way. While "retail" and "health care" do not represent a very high standard, and while they have very trying applications and users, colleges and universities are now responsible members of the Internet community.
(Honan): Instead of looking at how susceptible to attack University networks may be, we should concentrate on how those networks are made to be resilient to attacks. With BYOD, cloud computing, and more and more non-computing devices connecting to corporate networks we are seeing the traditional corporate network becoming more like a University network. Universities have dealt with all these challenges for years, it's time we learnt from them in more ways than one.
(Paller): Throughout the history of computing, university security TECHNICAL leaders have provided stronger prevention, detection and response to cyber attacks at far lower costs (and at lower pay) than their counterparts in commercial and government organizations. Randy Marchany at Virginia Tech is the best example I know, but he is not alone. The findings reported in this article are accurate, however, because the challenge of security, as John Pescatore points out, is nearly overwhelming and 60-70% of colleges approach security as a compliance issue and fail to invest in making their systems difficult to penetrate nor do they deploy teams to detect and respond. They should - it would be great preparation for their students enabling them to fill high value jobs after graduation. ]

FBI and DHS Plan to Provide Healthcare Organizations More Threat Info More Quickly (August 21, 2014)

Following a breach that compromised personal information of 4.5 million patients seen at hospitals operated by Community Health Systems (CHS), representatives from the FBI and the US Department of Homeland Security (DHS) say they are taking steps to share more threat information more quickly with organizations in the healthcare sector.
-http://www.computerworld.com/s/article/9250579/US_agencies_to_release_cyberthrea
t_info_faster_to_healthcare_industry?taxonomyId=17
[Editor's Note (Henry): I have deep respect for government officials, particularly in the cyber space, many of whom are making great sacrifices to keep this country safe. I have some concern, however, with the statement "U.S government agencies will work to release cyberthreat information faster to the healthcare industry after a massive breach..." The need for ACTIONABLE intelligence is required across all sectors. The "classification" issue, while certainly a consideration, often seems to be the default. In my experience, the USG can share much more across all vertical industries than is currently being shared, without compromising "sources and methods," and that intelligence is often over-classified. In other words, there's no need to "take something with a fairly high security classification ... and get that in a useable context to people that need it," if it's not "highly classified" to begin with. I'm not minimizing the challenges here...I was part of this process, too, when I spent the last seven years of my career at the FBI focused primarily on the USG's policy and strategy in Cybersecurity. It is an incredibly complex issue...but the risk of not expeditiously sharing is too high, and we've been at this now for more than a decade. The time for urgency is past.
(Pescatore): The National Health ISAC is being revitalized, after being largely dormant for a long time. Increased sharing across industry is probably more important than faster sharing with government, as sharing of solutions that work is at least as equally important as sharing threat information. ]

Rogue Anti-Virus Malware Defru Targeting Users in Russia (August 20 & 21, 2014)

Malware known as Defru blocks its victims from visiting certain websites; it is currently targeting users in Russia, and some in the US and in Kazakhstan. Defru is a rogue anti-virus program, which alerts users to non-existent security threats on their devices and urges them to purchase useless software to address those threats. Microsoft researcher Daniel Chipiristeanu detected Defru.
-http://www.theregister.co.uk/2014/08/21/new_twist_as_rogue_antivirus_enters_deat
h_throes/
-http://www.ibtimes.co.uk/new-defru-malware-masquerades-anti-virus-software-affec
t-windows-users-russia-cautions-1462034
-http://www.v3.co.uk/v3-uk/news/2361211/microsoft-warns-of-fake-virus-alert-hitti
ng-windows-users
-http://blogs.technet.com/b/mmpc/archive/2014/08/19/the-fall-of-rogue-antivirus-s
oftware-brings-new-methods-to-light.aspx

UPS Discloses Data Breach (August 20, 2014)

The UPS Store shipping company has disclosed that malware in its systems may have compromised customer payment card information at 51 stores in 24 US states. The incident affects customers who used payment cards at the stores between January 20, 2014, and August 11, 2014. UPS was alerted to the breach by the US government, which informed the company of a "broad-based malware intrusion" in its systems.
-http://www.cnet.com/news/the-ups-store-is-hacked-user-data-possibly-compromised/
-http://arstechnica.com/security/2014/08/ups-says-51-stores-infected-with-credit-
card-stealing-malware/
-http://www.nbcnews.com/tech/tech-news/ups-says-hack-may-have-exposed-customer-da
ta-51-stores-n185506
-http://www.scmagazine.com/ups-announces-breach-impacting-51-us-locations/article
/367257/
[Editor's Note (Murray): This is merely this week's manifestation of our broken retail payment system. Small merchants and consumers must seriously consider if and how they want to continue to participate in this risky system.
(Murray and Honan): However, see
-http://www.theupsstore.com/security/Pages/default.aspx#faq4
This is a model for how to disclose a breach. Internet companies like eBay must take a lesson from this retail franchiser and its vendors on how to do it. Kudos to all involved. ]

Attackers Made Initial Breach of Community Health Services Through Heartbleed Flaw (August 20, 2014)

The initial vector of attack in the Tennessee-based Community Health Systems (CHS) breach was the Heartbleed vulnerability in OpenSSL. The breach affected 4.5 patients at facilities operated by CHS in 29 states.
-http://www.cnet.com/news/heartbleed-may-be-culprit-in-hospital-chain-hack/
-http://www.theregister.co.uk/2014/08/20/heartbleed_chs_hospital_mega_breach_link
/
-https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedse
c/
[Editor's Note (Pescatore): The publicity over Heartbleed resulted in the establishment of the Core Infrastructure Initiative which was funded by a number of large US, Chinese and Japanese technology companies to increase the security of key open source software such as OpenSSL. That has funded an additional full time staffer and a comprehensive code audit of OpenSSL. ]

Analysis of Chrome Extensions Finds Malicious Activity (August 19, 2014)

Researchers analyzed extensions for Google's Chrome browser and found that many conduct malicious activity, including fraud and data theft. The activity often remains undetectable to most users. Of 48,000 extensions analyzed, 130 were "outright malicious," and more than 4,700 exhibited signs of suspicious behavior.
-http://www.computerworld.com/s/article/9250498/Many_Chrome_browser_extensions_do
_sneaky_things?taxonomyId=17

---

STORM CENTER TECH CORNER

ISC update: OpenIOC output for our API
-https://isc.sans.edu/api

Side Channel Attacks via Shared Memory on Android
-http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Reading Encryption Keys from Surface Electric Potential Measurement
-http://www.cs.tau.ac.il/~tromer/handsoff/

Mobile Applications use bad SSL Implementations
-http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-wh
en-android-applications-talk.html

Manipulating Traffic Signals
-https://jhalderm.com/pub/papers/traffic-woot14.pdf

Stuxnet Vulnerability Still Frequently Unpatched
-http://www.theregister.co.uk/2014/08/20/oi_rip_van_winkle_patch_already/

Google Chrome Leading the Charge in Deprecating SHA-1 for SSL Certificates
-https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/2-R4XziFc7A/YO0ZS
rX_X4wJ

1024 Bit CAs even less trusted
-https://kuix.de/blog/index.php?entry=Cleanup-of-1024-bit-CA-certificates

Facebook sees vast improvement in STARTTLS use over only 3 months
-https://www.facebook.com/notes/protect-the-graph/massive-growth-in-smtp-starttls
-deployment/1491049534468526

PGP Showing Its Age, but no suitable replacement in sight
-http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/