
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #73

September 12, 2014

TOP OF THE NEWS

GAO Report Finds Agencies Not Providing Adequate Contractor Control Oversight
Office of Personnel Management Will End Contract with USIS
Microsoft Found in Contempt of Court; Foreign Server Data Case Moves Closer to Appeal

THE REST OF THE WEEK'S NEWS

Unsealed Documents Show Yahoo Fought PRISM Compliance
Google Says Dumped Account Credentials "Stale" and Denies Internal Breach
Malware Used in Home Depot Attack May Not be Related to That Used in Target Breach
Senate Committee Hears Testimony on State of Government Cyber Security
Comcast Using Public Wi-Fi Hotspots to Inject Ads
Malvertising Campaign Hits PCs and Macs
DARPA Seeking Proposals for Software Algorithm Vulnerability Detection
Adobe Releases Some Fixes, Others Delayed a Week
Microsoft Releases September Security Updates
IE Now Blocks Outdated ActiveX Controls
Traffic Sensor Vulnerabilities Patched

STORM CENTER TECH CORNER


************************ Sponsored By Symantec ***************************
Symantec Webcast: The Internet of Things (IOT) today is in its infancy. There are no standards overall and there are industry nuances that further complicate security. Join our webcast to learn what the IoT means today, what devices have been hacked and what have not and best practices for dealing with the security issues that IoT creates.
http://www.sans.org/info/167152
***************************************************************************

TRAINING UPDATE


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


--SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 16 courses.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

GAO Report Finds Agencies Not Providing Adequate Contractor Control Oversight (September 9 & 10, 2014)

According to a report from the US Government Accountability Office (GAO), most agencies are not providing adequate oversight of contractor controls. The report reviewed contractor oversight at the Departments of Homeland Security, Transportation, Energy, and State, as well as the Environmental Protection Agency, and the Office of Personnel Management. The report found inconsistencies in overseeing and reviewing assessments and noted that the Office of Management and Budget (OMB) needs to provide more concrete guidance.
-http://www.nextgov.com/cybersecurity/2014/09/agencies-contractor-employees-cyber-workforce/93620/?oref=ng-channelriver

-http://www.govinfosecurity.com/how-many-contractors-run-fed-it-a-7297
-http://www.gao.gov/assets/670/665246.pdf
[Editor's Note (Paller): This report has uncovered a small fraction of the risk. Agencies are allowing contractors (and cloud providers) to deliver technology that is devoid of even the basic elements of the critical controls - and especially missing software security testing. As a result, agency systems are being infected at rates that would shock Congress if the agencies didn't hide the information. ]

Office of Personnel Management Will End Contract with USIS (September 9, 2014)

The Office of Personnel Management (OPM) will end its contract to conduct employee background checks with USIS, which suffered a cyber attack in August 2014, compromising sensitive data about as many as 25,000 people who work for the US government. OPM oversees background check contracting for many agencies.
-http://www.stripes.com/news/us/federal-agency-to-end-contracts-of-background-check-contractor-usis-1.302244

[Editor's Note (Henry): This will get someone's attention inside the corporation. A direct impact to a company's bottom line should get leadership to focus on the importance of this issue. There's been a lot of talk, too, regarding the Defense Industrial Base (DIB) and the likelihood the Department of Defense will cut or eliminate contracts to vendors who fail to adequately secure data. This is not a "be all, end all," but certainly a wake up call to industry.
(Honan): This is a case study for business executives as to how a security breach can directly impact business and customer loyalty. ]

Microsoft Found in "Contempt of Court"; Expediting Appeal of Order to Disclose Data Stored in Ireland (September 9 & 10, 2014)

Microsoft has been found in contempt of court for refusing to provide US authorities access to customer email stored on a server in Ireland. Microsoft actually requested the action because it hastens the company's ability to appeal a July 31 ruling that it must disclose the data, which are being sought in connection with a narcotics investigation. The contempt ruling is more procedural than anything else; it allows the case to move more swiftly to appeal. While Microsoft is not facing consequences at this point, the government did not rule out the possibility of penalties in the future.
-http://www.zdnet.com/microsoft-refuses-to-hand-over-foreign-data-held-in-contempt-of-court-7000033508/

-http://www.scmagazine.com/microsoft-held-in-contempt-moves-closer-to-appeal-over-customer-email-warrant/article/370848/

-http://www.theregister.co.uk/2014/09/10/microsoft_contempt_of_court/
-http://arstechnica.com/tech-policy/2014/09/microsoft-agrees-to-contempt-order-so-e-mail-privacy-case-can-be-appealed/

Stipulation Regarding Contempt Order:
-http://digitalconstitution.com/wp-content/uploads/2014/09/Contempt-Stipulation-and-Order.pdf



**************************** SPONSORED LINKS ******************************
1) Download the eGuide: Windows XP End-of-Life Handbook for the Upgrade Latecomers http://www.sans.org/info/167157

2) Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Erick Ingleby. Attendees will learn how to evaluate their risk and improve their security posture, as well as how to prevent becoming the next Target or other high-visibility breach. http://www.sans.org/info/167162

3) Security for the People: End-User Authentication Security on the Internet Tuesday, September 23 at 3:00 PM EDT (19:00:00 UTC) with Mark Stanislav and Paul Robert. http://www.sans.org/info/167167
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Unsealed Documents Show Yahoo Fought PRISM Compliance (September 11, 2014)

Recently unsealed documents reveal that the US government threatened Yahoo with a US $250,000-a-day fine if it did not comply with the PRISM data collection program and surrender user communications information. Yahoo had been fighting the demand in court; the government was able to use the ruling from the Foreign Intelligence Surveillance Court of Review to convince other technology companies to comply with their data demands. That same court ordered the documents unsealed.
-http://www.washingtonpost.com/business/technology/us-threatened-massive-fine-to-force-yahoo-to-release-data/2014/09/11/38a7f69e-39e8-11e4-9c9f-ebb47272e40e_story.html

-http://www.nytimes.com/2014/09/12/technology/documents-unsealed-in-yahoos-case-against-us-data-requests.html?ref=technology

-http://arstechnica.com/tech-policy/2014/09/us-govt-threatened-yahoo-with-250k-daily-fine-if-it-didnt-use-prism/

Google Says Dumped Account Credentials "Stale" and Denies Internal Breach (September 11, 2014)

Google has acknowledged that information about five million user accounts was posted to the Internet, but says that it was not the result of a breach of its internal systems. Google says that less than two percent of the information is usable and that its anti-hijacking systems would likely have blocked attempted misuse of the stolen credentials.
-http://www.darkreading.com/operations/identity-and-access-management/google-no-breach-in-latest-online-dump-of-credentials/d/d-id/1315624?

-http://www.scmagazine.com/google-says-gmail-credential-dump-not-result-of-company-breach/article/371092/

-http://www.v3.co.uk/v3-uk/news/2364799/google-confirms-five-million-customer-data-dump-but-denies-breach

-http://googleonlinesecurity.blogspot.ca/2014/09/cleaning-up-after-password-dumps.html

Malware Used in Home Depot Attack May Not Be Related To That Used In Target Breach (September 11, 2014)

Emerging reports are now saying that the malware used in the attack on Home Depot's payment system is different from that used in the Target breach. The malware was initially identified as a variant of BlackPOS. New analysis has led some to conclude that the malware used in the Home Depot breach is entirely different.
-http://www.darkreading.com/home-depot-breach-may-not-be-related-to-blackpos-target/d/d-id/1315636?

[Editor's Note (Murray): The announcement this week of Visa Token Service
-http://tinyurl.com/orbks4o
is a major step in addressing the fundamental vulnerability exploited by this kind of malicious code. Intended to be used with mobile computers and contactless point-of-sale readers (NFC
-http://tinyurl.com/nayhudc
), this service will accept one-time digital tokens in lieu of credit card numbers. Apple Pay, Google Wallet, and similar applications can be expected to use this service. Provisioning mobile and digital payments through the use of tokens minimizes the risk of fraudulent use of data if the device or account is compromised. Visa Token Service is based on the EMVCo payment token standard
-http://tinyurl.com/orbks4o
and aligns with EMV technology - the global requirement for secure payments that also protects businesses from fraud liability. The necessary contactless readers are those used with contactless (RFID) cards. They are cheaper than those required by EMV cards and are already widely deployed in those retailers that have high transaction volume. ]

Senate Committee Hears Testimony on State of Government Cyber Security (September 10, 2014)

In testimony before the Senate Committee on Homeland Security and Governmental Affairs, several experts provided disheartening answers to questions about cyber security. Suzanne Spaulding, undersecretary of the Department of Homeland Security's National Protection and Programs Directorate, told the committee that DHS's National Cybersecurity and Communications Integration Center has responded to more than 600,000 cyber incidents so far this fiscal year. In nearly 80 of those cases, teams were sent on-site to give technical assistance. Robert Anderson, executive assistant director for the FBI's Criminal, Cyber, Response and Services branch, was unable to give a precise figure for the number of government agencies that had not experienced cyber attacks; Anderson did say that any government entity that says it hasn't been attacked probably has but just doesn't know it yet. Officials said that collaboration and information sharing with the private sector are essential to improving overall cyber security posture.
-http://www.nextgov.com/cybersecurity/2014/09/there-any-part-government-hasnt-been-hacked-yet/93704/?oref=ng-channelriver

-http://www.hsgac.senate.gov/hearings/cybersecurity-terrorism-and-beyond-addressing-evolving-threats-to-the-homeland

[Editor's Note (Murray): I listened to much of the testimony. Rather than "disheartening," I found it balanced and reassuring. I had expected it to be alarmist but did not find it so. ]

Comcast Using Public Wi-Fi Hotspots to Inject Ads (September 8, 9 & 10, 2014)

People who use Comcast's public Wi-Fi network are finding that they are receiving pop-up advertisements for the company's service. Comcast calls the practice "watermarking." Comcast uses JavaScript to inject the content into the data flows of users who have signed up to use the company's Wi-Fi hotspots around the country. Comcast says that the messages are there to assure users that they are using a legitimate Comcast hotspot.
-http://www.theregister.co.uk/2014/09/10/comcast_using_javascript_to_inject_advertising_from_wifi_hotspots/

-http://www.pcworld.com/article/2604422/comcasts-open-wi-fi-hotspots-inject-ads-into-your-browser.html

-http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

Malvertising Campaign Hits PCs and Macs (September 8 & 10, 2014)

A malware campaign that began in May 2014 is delivering customized concoctions of spyware, adware, and browser hijacking malware to PC and Mac users. The malvertising network, which has been dubbed Kyle and Stan, has 700 domains. Getting a malicious ad into an advertising network's distribution, even for a short time, can infect many computers, especially if the ad appears on a popular site like Amazon or YouTube. The combination of malware downloaded to each machine is different, so the checksum of each payload varies, thwarting signature-based detection.
-http://www.darkreading.com/kyle-and-stan-parks-malvertising-on-amazon-youtube/d/d-id/1307036?

-http://www.theregister.co.uk/2014/09/10/big_names_caught_in_kyle_and_stan_malicious_ad_attack/

-http://blogs.cisco.com/security/kyle-and-stan/#more-151920

DARPA Seeking Proposals for Software Algorithm Vulnerability Detection (September 9, 2014)

The Defense Advanced Research Projects Agency (DARPA) is seeking research proposals for techniques and tools that will help analysts find vulnerabilities in algorithms in software used by various government, military, and economic entities. Proposals will be accepted through October 28, 2014.
-http://net-security.org/secworld.php?id=17346

Adobe Releases Some Fixes, Others Delayed a Week (September 9, 2014)

Adobe has released an update for Flash to address a dozen critical flaws. Chrome and IE 11 users will find their versions of Flash automatically updated. Fixes for flaws in Reader and Acrobat that had been scheduled to be released will be delayed a week so Adobe can conduct further testing.
-http://www.computerworld.com/article/2604738/adobe-fixes-critical-flaws-in-flash-player-delays-reader-and-acrobat-updates.html

-http://krebsonsecurity.com/2014/09/critical-fixes-for-adobe-microsoft-software/
-http://www.theregister.co.uk/2014/09/09/everyone_taking_part_in_patch_tuesday_step_forward_not_so_fast_adobe/

Microsoft Releases September Security Updates (September 9, 2014)

On Tuesday, September 9, Microsoft issued four security bulletins to address a total of 42 vulnerabilities in Internet Explorer (IE), ASP.Net, Windows, and Lync Server. The bulletin with the IE fixes is rated critical; the other three are rated important. The IE bulletin accounts for 37 of the vulnerabilities addressed this month. One of those is already being actively exploited.
-http://www.theregister.co.uk/2014/09/09/september_patch_tuesday/
-http://www.theregister.co.uk/2014/09/11/microsoft_kills_dangerous_aspnet_setting_for_good/

-http://www.computerworld.com/article/2604631/microsoft-patch-tuesday-thwarts-nosey-malware.html

-http://www.computerworld.com/article/2604433/september-patch-tuesday-an-easy-start-to-the-year.html

-https://technet.microsoft.com/library/security/ms14-sep

IE Now Blocks Outdated ActiveX Controls (September 9 & 10, 2014)

Among the changes made in Internet Explorer (IE) this month is the blocking of outdated ActiveX controls. Users will be notified when the browser is blocking an out-of-date control and will be given the option of updating the control or interacting with portions of the page that are not affected by the control.
-http://www.scmagazine.com/internet-explorer-security-feature-blocks-outdated-activex-controls/article/370854/

-https://ics-cert.us-cert.gov/advisories/ICSA-14-247-01

Traffic Sensor Vulnerabilities Patched (September 9, 2014)

Traffic signal supplier Sensys Networks has released updates to address flaws in its products that could be exploited to damage the sensors or cause inaccuracies in collected data. One of the vulnerabilities allowed the sensors to accept software modifications without adequate integrity checking. The other involves failure to encrypt sensitive data.
-http://www.scmagazine.com/sensys-networks-releases-updates-to-address-vehicle-traffic-sensor-vulnerabilities/article/370595/

[Editor's Note (Northcutt): This is not the first time cyber controls for traffic lights have come under stress. They should be built so that an "all green" condition is impossible to achieve. Hackers can still make a mess of things, but loss of human life is greatly reduced if this is built into the firmware.
-http://www.wired.com/2014/04/traffic-lights-hacking/ ]
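The design point in the note above, that conflicting greens should be unrepresentable at the firmware level rather than merely avoided by the controller logic, can be shown with a small conflict-monitor style gate. This is an added example written for this page, not Sensys Networks code, not anything from the Wired article, and not the newsletter's own material. The phase numbering (ring 1 = phases 1-4, ring 2 = phases 5-8, north/south movements on one side of the barrier and east/west on the other) follows the common eight-phase dual-ring convention and is an assumption here; any real intersection would substitute its own compatibility table.

```python
# Added example: a last-line-of-defense check that refuses any green
# combination containing a conflict, including "all green", no matter what
# the controller software or a compromised command source requests.
# Illustrative code only; not any vendor's firmware.
from typing import FrozenSet, Iterable, List

# Assumed dual-ring layout: phases in the same ring are never green together.
RING = {1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2}
# Assumed barrier groups: "A" = north/south movements, "B" = east/west movements.
# Phases on opposite sides of the barrier are never green together.
BARRIER = {1: "A", 2: "A", 5: "A", 6: "A", 3: "B", 4: "B", 7: "B", 8: "B"}

# Fail-safe output: no green at all (a real monitor would also drop to flash).
ALL_RED: FrozenSet[int] = frozenset()


def conflicts(a: int, b: int) -> bool:
    """Two phases conflict if they share a ring or straddle the barrier."""
    return RING[a] == RING[b] or BARRIER[a] != BARRIER[b]


def is_safe(greens: Iterable[int]) -> bool:
    """True only if every phase is known and every pair of greens is compatible."""
    phases = sorted(set(greens))
    if any(p not in RING for p in phases):
        return False  # unknown phase numbers are treated as unsafe, not ignored
    return all(
        not conflicts(a, b)
        for i, a in enumerate(phases)
        for b in phases[i + 1:]
    )


def enforce(requested: Iterable[int]) -> FrozenSet[int]:
    """Gate a requested green set: pass it through if safe, otherwise fall to ALL_RED.

    The check is independent of the command's origin, so a bug or a tampered
    controller image upstream cannot produce a conflicting green pattern here.
    """
    req = frozenset(requested)
    return req if is_safe(req) else ALL_RED


def run_sequence(commands: Iterable[Iterable[int]]) -> List[List[int]]:
    """Apply enforce() to a constructed command stream and return what reaches the lamps."""
    return [sorted(enforce(c)) for c in commands]


if __name__ == "__main__":
    # Constructed command stream: two legal pairs, a same-ring conflict,
    # an "all green" request, and an unknown phase number.
    for cmd, out in zip(
        [{2, 6}, {1, 5}, {2, 4}, set(range(1, 9)), {99}],
        run_sequence([{2, 6}, {1, 5}, {2, 4}, range(1, 9), {99}]),
    ):
        print(f"requested {sorted(cmd)!s:>24} -> output {out}")
```

The gate sits between whatever produces phase commands and the lamp drivers, and it only ever removes greens; it never adds them. That one-directional property is what makes it safe to place below the rest of the firmware: the worst outcome of a malformed or malicious command is an all-red intersection rather than a collision.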

STORM CENTER TECH CORNER

Microsoft No Longer Allows Disabling "ViewStateMac"
-http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx
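The ViewState MAC item above is about integrity protection of state that a web application hands to the client and later trusts on the way back. The following added example, written for this page and not taken from Microsoft's ASP.NET implementation or the linked blog post, shows in miniature what disabling that MAC gives up: a field edited on the client is silently accepted without the tag and rejected with it. The JSON serialization, the per-process random key (standing in for the role ASP.NET's machineKey plays) and the tag layout are all constructed here.

```python
# Added example: MAC-protected vs. unprotected client-side state.
# Illustrative code, not ASP.NET ViewState; the serialization, key and
# tag layout are constructed for this demonstration.
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
# Constructed server-side secret; never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def encode_state_unprotected(state: dict) -> str:
    """Serialize state with no integrity protection (the MAC-disabled situation)."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def decode_state_unprotected(blob: str) -> dict:
    """Trust whatever the client posts back; modifications are invisible."""
    return json.loads(base64.b64decode(blob))


def encode_state_mac(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize state and append an HMAC-SHA256 tag keyed with the server secret."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_state_mac(blob: str, key: bytes = SERVER_KEY) -> dict:
    """Recompute the tag over the received payload and reject any mismatch."""
    raw = base64.b64decode(blob)
    if len(raw) <= TAG_LEN:
        raise ValueError("state too short to carry a MAC")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state MAC check failed")
    return json.loads(payload)


def modify_field(blob: str, field: str, new_value, mac_len: int = 0) -> str:
    """Model a client editing one field of the round-tripped state.

    With mac_len=TAG_LEN the original tag is carried over unchanged, which is
    all a client without SERVER_KEY can do.
    """
    raw = base64.b64decode(blob)
    payload, tag = raw[:len(raw) - mac_len], raw[len(raw) - mac_len:]
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()


def demo() -> dict:
    """Round-trip a constructed state both ways and report what each decoder does."""
    original = {"user": "alice", "is_admin": False, "cart_total": 100}

    # Unprotected: the edited value is accepted as if the server had set it.
    weak_blob = modify_field(encode_state_unprotected(original), "is_admin", True)
    unprotected_accepted = decode_state_unprotected(weak_blob)["is_admin"]

    # MAC-protected: the same edit fails verification and is never deserialized.
    strong_blob = modify_field(encode_state_mac(original), "is_admin", True, mac_len=TAG_LEN)
    try:
        decode_state_mac(strong_blob)
        mac_rejected = False
    except ValueError:
        mac_rejected = True

    return {"unprotected_accepted": unprotected_accepted, "mac_rejected": mac_rejected}


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to any serialized state a server accepts back from an untrusted party: verify the tag before deserializing, compare it in constant time, and keep the key server-side. In ASP.NET terms the corresponding web.config setting is `<pages enableViewStateMac="true" />`, and the linked post explains that the "false" value is no longer honoured.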

Mobile Applications Often Provide Faulty Privacy Statements (or none at all)
-https://www.priv.gc.ca/media/nr-c/2014/bg_140910_e.asp

Most iOS "Backdoors" Closed in iOS 8 beta
-http://www.zdziarski.com/blog/?p=3820

iCloud Phishing E-mails using nude-picture leaks as pretense
-http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign

Enigmail Bug May lead to e-mails not getting encrypted as expected
-http://sourceforge.net/p/enigmail/bugs/294/


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/