SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #68

August 26, 2014

TOP OF THE NEWS

China to Launch PC Operating System This Fall
USIS Breach Affected Undercover Investigators
White House Cyber Security Czar's Technical Experience Comments Spark Debate
Shortage of Cybersec Professionals Exacerbated by Hiring Barriers

THE REST OF THE WEEK'S NEWS

NIST Report Urges Tighter Implementation of SSH
European Automobile Industry Businesses Targeted in Phishing Attack
Sixteen People Arrested in Connection with Korean Data Theft
Survey Says Companies Not Prepared to Manage Insider Threats
Backoff Point-of-Sale Malware Has Compromised 1,000+ Networks
DHS Cyberthreat Information Sharing Program Information is Hard to Find
33-Month Prison Sentence for Film Piracy
Researchers are Developing Web Server Attack Prediction Tool

PESCATORE FIRST LOOK - FACEBOOK ACQUIRES PRIVATECORE

PESCATORE FIRST LOOK - Facebook Acquires PrivateCore

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec ****************************
Research from Symantec has uncovered yet another attack campaign. This malware campaign, Dragonfly, also known as Energetic Bear, follows in the footsteps of Stuxnet, although this new campaign has a much broader focus. Download our research to find out exactly what is Dragonfly and how you can protect your business.
http://www.sans.org/info/166352
**************************************************************************
TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by August 27 and save $400. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Tallinn, Hong Kong, Sydney, and Tokyo all in the next 90 days

For a list of all upcoming events, on-line and live: http://www.sans.org

**************************************************************************

---

TOP OF THE NEWS

China to Launch PC Operating System This Fall (August 24, 2014)

China's Xinhua news agency reports that the government plans to release its own operating system (OS) so that users there do not need to run OSes made outside the country. China banned the use of Windows 8 on government computers earlier this year. The as-yet unnamed OS is expected to be available for desktop PCs in October; a mobile version is expected to be available in three to five years.
-http://www.bbc.com/news/technology-28928369
-http://www.computerworld.com/s/article/9250627/China_to_launch_homegrown_OS_in_O
ctober_as_Windows_replacement
[Editor's Note (Pescatore): What if China came up with really good PC and mobile operating systems? The magic and curse of an interconnected global economy means that China trying to force adoption of garbage won't work but it also means that a superior product doesn't stay in one country. I hope Microsoft, Apple, Google management see this as a market threat and rely on innovation/nimbleness to stay ahead. Oh, and that they also make sure they are protecting their intellectual property from attempts to steal it...
(Murray): The Chinese will discover that building a desktop operating system that runs all the applications that one wants it to and that supports all the devices that one wants it to is a lot harder than it looks. ]

USIS Breach Affected Undercover Investigators (August 22 & 23, 2014)

The data security breach at US military contractor US Investigations Services (USIS) is believed to have affected 25,000 individuals, some of whom are undercover investigators. USIS conducts employee background checks for the US Department of Homeland Security (DHS) and several other government agencies. The breach is particularly concerning because the files contain sensitive information that could be of use to foreign intelligence agencies. The FBI is investigating the incident.
-http://www.reuters.com/article/2014/08/22/us-usa-security-contractor-cyberattack
-idUSKBN0GM1TZ20140822
-http://www.zdnet.com/breach-at-us-security-contractor-exposed-at-least-25000-wor
kers-7000032890/
-http://www.nbcnews.com/tech/security/hack-homeland-security-contractor-exposed-d
ata-25-000-workers-n187266
[Editor's Note (Northcutt): It is amazing how little they know (or are telling) about the extent of the data that was compromised. Good reminder for two of the cardinal rules for highly sensitive data: compartmentalize, (don't store it in one big block of text, store it in multiple categories with different access control on each) and tokenize, (don't store things like social security numbers in the main file, replace with a token and require additional access control to substitute the real social security number for the token). ]

White House Cyber Security Czar's Technical Experience Comments Spark Debate (August 22 & 25, 2014)

While the White House has defended Michael Daniel's assertion that his lack of technical expertise is an asset to his position as the administration's cybersecurity coordinator, others say that it raises concerns.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/22/does-the-white-hous
es-cybersecurity-czar-need-to-be-a-coder-he-says-no/
-http://www.forbes.com/sites/frontline/2014/08/25/it-does-matter-that-the-white-h
ouse-cybersecurity-czar-lacks-technical-chops/
[Editor's Note (Pescatore): Three thoughts: (1) For a "Coordinator" there probably really isn't any need for any subject matter expertise, since the position isn't actually responsible for an actual outcome; (2) If there is actual action being taken, vs. coordination, I would definitely rather see a resume like Howard Schmidt's in that position. (3) A thought experiment: if that position had never been created, would we notice any difference in US cybersecurity today?
(Murray): White House staffers are politicians, not executives, managers, or professionals, security or otherwise. The problem that we have in Washington is not that they cannot do our jobs but they cannot do theirs. The more senior a security person, the less likely he is to work for someone who could do his job. ]

Shortage of Cybersec Professionals Exacerbated by Hiring Barriers (August 25, 2014)

It was apparent at the Black Hat USA 2014 conference this month that the demand for capable and qualified information security professionals far outstrips the supply. James Arlen, who was seeking people for his team at the Leviathan Security Group, found himself being recruited by others. Arlen believes that the US faces problems hiring talent because of the red tape involved in hiring people from outside the country. He also said that the most serious hindrance to hiring capable individuals lies in the fact that education is often erroneously equated with experience.
-http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032
923/

---

**************************** SPONSORED LINKS *****************************
1) How to Prevent One Hundred Percent of Browser-Borne Malware - Thursday, October 02 at 1:00 PM EDT (17:00:00 UTC) with Franklyn Jones. http://www.sans.org/info/166357

2) Kill Shot: Stopping Unknown Malware with Trust Based Application Control. Thursday, September 04 at 2:00 PM EDT (18:00:00 UTC) with Harry Sverdlove and Dave Shackleford. http://www.sans.org/info/166362

3) Critical Security Controls survey results revealed in 9/9 Webcast at 1 pm EDT. Learn about the current state of CSC adoption & implementation. http://www.sans.org/info/166177
**************************************************************************

---

THE REST OF THE WEEK'S NEWS

NIST Report Urges Tighter Implementation of SSH (August 25, 2014)

According to a report from the National Institute of Standards and Technology (NIST), US companies are not implementing Secure Shell (SSH) appropriately or well. SSH is often used to allow automated communications between hosts. The report says, "The security of SSH-based automated access has been largely ignored." NIST is accepting comments on the document through September 26, 2014.
-http://www.theregister.co.uk/2014/08/25/nist_to_sysadmins_clean_up_your_ssh_mess
/
-http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf

European Automobile Industry Businesses Targeted in Phishing Attack (August 25, 2014)

Data thieves are using spear phishing attacks to steal data from automobile industry companies in Europe. The attacks began earlier this month and targeted car rental, insurance, transport and other related companies. The targeted email messages claimed to be sent from a company seeking to buy used vehicles; an attachment, which was purported to be a list of vehicles they were seeking, contained an installer for a Trojan called Carbon Grabber.
-http://www.computerworld.com/s/article/9250633/Attack_targets_auto_industry_firm
s_in_Europe?taxonomyId=17

Sixteen People Arrested in Connection with Korean Data Theft (August 25, 2014)

Police in South Korea have arrested 16 people in connection with a scheme that compromised the personal information of as many as 75 million people. The data were stolen through targeted attacks on site registration webpages. The compromised data include resident registration numbers, usernames, and passwords. The group behind the attacks accessed the accounts, used them to buy online gaming items and currency, and resold their purchases, making about US $390,000. They also allegedly sold information to criminal groups.
-http://www.scmagazine.com/south-korean-data-breach-impacts-27-million/article/36
7859/

Survey Says Companies Not Prepared to Manage Insider Threats (August 22, 2014)

According to the "2014 Insider Threat Survey" from Spectorsoft, more than half of IT and security professionals feel that their organizations are not adequately prepared to deal with insider threats. The study surveyed 255 people at small and medium sized businesses in the US, Latin America, and Europe. Fifty-five percent attributed the lack of preparedness to a lack of training; 51 percent attributed it to insufficient budgets; and 34 percent said that inside threats were not a priority.
-http://www.scmagazine.com/study-organizations-lack-training-budget-to-thwart-ins
ider-threats/article/367613/
[Editor's Note (Murray): If one does not understand that insiders are a small threat but big risk, one's survey on the topic is not likely to elicit useful results. ]

Backoff Point-of-Sale Malware Has Compromised 1,000+ Networks (August 22 & 23, 2013)

Point-of-sale malware known as Backoff reportedly used in the breach of systems at UPS stores is also believed to be responsible for compromising networks of more than 1,000 other US businesses including Target. The US Department of Homeland Security (DHS), the US Secret Service, and the National Cybersecurity and Communications Integration Center issued a warning at the end of July, urging companies to look for evidence of Backoff in their systems.
-http://bits.blogs.nytimes.com/2014/08/22/secret-service-warns-1000-businesses-on
-hack-that-affected-target/?_php=true&_type=blogs&_r=0
-http://www.theregister.co.uk/2014/08/23/us_homeland_security_says_ups_malware_co
mpromised_significant_number_of_enterprise_networks/
-http://www.computerworld.com/s/article/9250607/US_warns_39_significant_number_39
_of_major_businesses_hit_by_Backoff_malware?taxonomyId=17
-https://www.us-cert.gov/ncas/alerts/TA14-212A

DHS Cyberthreat Information Sharing Program Information is Hard to Find (August 22, 2014)

Despite a 2013 executive order directing the US Department of Homeland Security (DHS) to expand a cyber threat information-sharing program to 16 critical infrastructure sectors, including state and local governments, most state officials are unaware of the program. The DHS Enhanced Cybersecurity Services program was initially open only to defense contractors. Three state chief information security officers (CISOs) contacted for the article expressed interest in the program but reported difficulty finding information about the program. A recent report found that just three of the 16 sectors were participating and indicated that enrollment was low due to "limited outreach and resources." Others say that participation is limited because the specialized equipment to read and process the data is expensive.
-http://www.govtech.com/federal/Some-Governments-Unaware-of-Special-DHS-Cybersecu
rity-Program.html

33-Month Prison Sentence for Film Piracy (August 22, 2014)

A 25-year-old British man has been sentenced to nearly three years in prison for filming a movie in a theater. He sold copies of the file before its release for sale for GBP 1.50 (US $2.50) each, earning a total of GBP 1,000 (US $1,660). Universal Pictures, which distributed the film, argued that the actions cost it GBP 2.5 million (US $4.14 million).
-http://arstechnica.com/tech-policy/2014/08/british-man-sentenced-to-nearly-three
-years-in-prison-for-movie-piracy/

Researchers are Developing Web Server Attack Prediction Tool (August 21, 2014)

Researchers from Carnegie Mellon University are developing a tool to predict cyber web server attacks. Using data from the Wayback Machine, the pair has devised a classification algorithm that scrutinizes websites' characteristics, including the software the site's server runs and how the web pages are structured. The tool, which researchers Kyle Soska and Nicolas Christin call a "classifier," has a 66 percent correct prediction rate; its false positive rate is 17 percent. It updates itself to incorporate new attack data.
-http://www.dailydot.com/technology/website-hack-prediction-big-data-carnegie-mel
lon/
[Editor's Note (Murray): Interesting research. Better than flipping a coin, but probably not enough better for many security people to buy it. ]

---

PESCATORE FIRST LOOK - FACEBOOK ACQUIRES PRIVATECORE

-http://www.techtimes.com/articles/12545/20140810/facebook-acquires-server-securi
ty-startup-privatecore.htm
Back in 2012 Twitter acquired Dasient to increase the security of Twitter's web server and Facebook is making a similar "build security in" move by acquiring PrivateCore., whose vCage software both hardens virtual machines and provides data encryption services. Social media sites integrating security technologies into their server stacks should result in better protection of both consumer and business data that ends up there. However, all infrastructure will always fail to protect itself completely - the onus is still on enterprises to protect their customer's data when external sites are used.

---

STORM CENTER TECH CORNER

Are you seeing abnormal CRL Downloads?
-https://isc.sans.edu/forums/diary/Unusual+CRL+traffic+/18575

UDP port 1900 (UPNP) Reflective DDoS Attacks
-https://isc.sans.edu/forums/diary/UDP+port+1900+DDoS+traffic/18577

SONY Playstation Network DoS Attack and Bomb Threat
-http://thehackernews.com/2014/08/sony-playstation-network-taken-down-by_24.html

Kaspersky Report Shows Users are concerned about online risks but don't do anything about them
-http://media.kaspersky.com/en/Kaspesky_Lab_Consumer_Security_Risks_Survey_2014_E
NG.pdf

NSS Cyber Resiliance Report
-https://www.nsslabs.com/system/files/public-report/files/Cyber%20Resilience_0.pd
f

F-Secure Releases Tool to Help Decrypt Synolocker Files (IF YOU PAID THE RANSOM)
-http://www.f-secure.com/weblog/archives/00002737.html

---

**************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/