SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #74
September 16, 2014
New Cybersecurity Press Fellowship allows journalists to attend intense SANS courses on how hacking exploits work. It is challenging for journalists to write great stories when they don't understand how attacks and defenses work, so SANS is allowing 20 journalists to attend two key days of one of our most popular courses, and attend mealtime and evening briefings by some of the nation's top analysts and law enforcement officials to better understand the forces shaping cybersecurity. By invitation only. For a summary of the program and possibly to request an invitation, email apaller@sans.org with name, publication, role, and level of experience. Deadline for registration for the October Fellowship is September 30.
TOP OF THE NEWS
US Power Grid Would Not Succumb to Cyber Attack AlonePatched IE Flaw Was Used in Attack on US Military Website
THE REST OF THE WEEK'S NEWS
Comcast is Not Disconnecting Tor UsersAppeals Court Says NCIS Scan of Civilian Computers Went Too Far
Air Force Seeking Improved Network Mapping and Analysis Technology
Hospital CIO Shares How They Fought Attacks From Anonymous
Open Source Project Aims to Provide Encryption for Communications
Connect.gov Password Consolidation to be Tested Next Month
NIST Releases Draft Guidelines for 3-D Printer Security
Tech Companies Urge Lawmakers to Move Forward with Bill to Amend ECPA
DHS Program Will Bring Technologies from Lab to Practice
NIST Creates Digital Evidence Subcommittee
STORM CENTER TECH CORNER
STORM CENTER TECH CORNER**************************** Sponsored By SANS ***************************
2nd Annual Analytics & Intel Survey Results Presented in 2 Webcasts: 10/9 Part 1 - Current State: Detection and Response, REGISTER HERE: http://www.sans.org/info/167537
10/14 Part 2 - Future State: Improving Intelligence and Threat Prevention, REGISTER HERE: http://www.sans.org/info/167542 Register and attend both webcasts to be eligible to win a $75 American Express gift card to be awarded LIVE during the October 14 webcast.
***************************************************************************
TRAINING UPDATE
- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014
- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014
- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014
- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/
- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses.
http://www.sans.org/event/london-2014
- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
US Power Grid Would Not Succumb to Cyber Attack Alone (September 10, 2014)
Experts say that a cyber attack alone could not take down the US power grid. While no one denies that attackers could possibly gain access to bulk power provider networks, that alone could not cause a sustained grid outage.-http://www.politico.com/story/2014/09/power-grid-safety-110815.html
[Editor's Note (Murray): The grid is designed to fail in a non-destructive manner. There are hundreds of component failures every day; the grid is so resilient that most are mitigated automatically in seconds. Every twenty years or so we experience a sufficient number of simultaneous component failures that, by design, a large portion of the grid shuts down. However, by design it does this in such a manner that it can be restarted in tens of hours. All that said, this discussion has resulted in identifying sensitive components that cannot be replaced from inventory. That is a good thing. It will result in reducing dependence on these components and shorten their replacement times. ]
Patched IE Flaw Was Used in Attack on US Military Website (September 11, 2014)
One of the Internet Explorer (IE) vulnerabilities patched in Microsoft's September set of security updates was used in an attack on the US veterans of Foreign Wars website to steal sensitive military information. A proof-of-concept exploit for the flaw was released in April 2013; in February 2014, that proof-of-concept exploit was used in what appears to have been a watering hole attack; experts say the attack aimed to infect the computers of those who visited the site.-http://www.csoonline.com/article/2607297/data-protection/microsoft-patch-fixed-i
e-flaw-used-against-u-s-military.html
[Editor's Note (Paller): The most productive attack vector is through announced vulnerabilities where the vendor has released a patch, but the user has not implemented it. ]
**************************** SPONSORED LINKS ******************************
1) Database Encryption - Defining the Root of Trust - Friday, September 19 at 1:00 PM EDT (17:00:00 UTC) with Andreas Philipp and Greg Porter. http://www.sans.org/info/167547
2) Beating the Status Quo: Reinforce Your Defense to Detect & Resolve Evolving Threats Wednesday, September 24 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Mohan Sadashiva. http://www.sans.org/info/167552
3) Hardening Retail Security: Why and How to Prevent Breaches and Attacks Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC)with John Pescatore and Erick Ingleby. http://www.sans.org/info/167557
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Comcast is Not Disconnecting Tor Users (September 15, 2014)
Comcast says there is no truth to the rumor that it is threatening to disconnect users who connect to Tor. There have been reports that the telecommunications company has contacted some customers and advised them to stop using Tor or risk having their service terminated. A Comcast spokesperson said that the company "doesn't monitor users' browser software or web surfing and has no program addressing the Tor browser."-http://arstechnica.com/business/2014/09/comcast-calls-rumor-that-it-disconnects-
tor-users-wildly-inaccurate/
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/15/why-a-thinly-source
d-unverified-report-about-comcast-has-the-web-in-an-uproar/
Editor's Note (Northcutt): Plus 1. Tor is my default browser and Comcast is my Internet service. I have not been threatened by Comcast. ]
Appeals Court Says NCIS Scan of Civilian Computers Went Too Far (September 15, 2014)
A US federal appeals court in California ruled that the Naval Criminal Investigative Service (NCIS) overstepped its authority when an NCIS agent used a tool to search for hashed child pornography images on the computers of all Washington state computer users running Gnutella file-sharing software. Judge Marsha Berzon wrote that the "surveillance of all computers in Washington amounted to impermissible direct active involvement in civilian enforcement of the child pornography laws, not permissible indirect assistance."-http://arstechnica.com/tech-policy/2014/09/court-blasts-us-navy-for-scanning-civ
ilians-computers-for-child-porn/
Air Force Seeking Improved Network Mapping and Analysis Technology (September 15, 2014)
According to a presolicitation notice, the Air Force is seeking situational awareness technologies to help it see what is happening on its networks. The program, called Mission Awareness for Mission Assurance (MAMA) "will investigate the automated assessment of mission execution by analyzing network traffic flows" so personnel can "prioritize essential functions, map out cyber assets, and assess and mitigate vulnerabilities." The Air Force wants to be able to carry out core missions in the face of attacks.-http://defensesystems.com/Articles/2014/09/15/Air-Force-MAMA-network-mapping-ana
lysis.aspx?admgarea=DS&Page=1
Presolicitation Notice:
-https://www.fbo.gov/index?s=opportunity&mode=form&id=6cdfd7a686687f447c7
1e6154ce10c93&tab=core&_cview=0
Hospital CIO Shares How They Fought Attacks From Anonymous (September 15, 2014)
Boston Children's Hospital senior vice president for information services and CIO Dr. Daniel J. Nigrin, shares how his organization defended itself against a series of attacks launched earlier this year. The hospital received a warning about the attacks several weeks before they began. The hospital incident response team prepared for the attacks along with the IT department. They managed to fend off a series of distributed denial-of-service (DDoS) attacks for a while, but when those reached a certain level of intensity - 27 Gbps - the hospital called in third-party help. The attacks affected the hospital's external websites and networks. When Nigrin saw what was happening, he shuttered all the websites and took down email service. Employees communicated through a secure messaging application.-http://www.csoonline.com/article/2607302/data-breach/how-boston-childrens-hospit
al-hit-back-at-anonymous.html
[Editor's Note (Pescatore): Nice realistic account of a success story. Testing out some of the procedures (like the transfer to a DDoS mitigation service provider) in advance can make the next one go even better. ]
Open Source Project Aims to Provide Encryption for Communications (September 15, 2014)
An open source project aimed at providing easy-to-use encryption for email launched on Monday, September 15. The Pretty Easy Privacy (PEP) Project plans to develop the technology to interact with "existing communication tools on different desktop and mobile platforms."-http://www.csoonline.com/article/2683140/application-security/opensource-project
-promises-easytouse-encryption-for-email-instant-messaging-and-more.html
[Editor's Note (Pescatore): The time is right for this kind of thing, depending on how the hard part (key distribution and management) is handled. PGP's "ring of trust" approach was ahead of its time - centralized direction approaches (like PKI) were favored by enterprises used to thinking of telephone directories and Active Directory. However, cellphones and social media have shown that "ring of trust" modes of identification and authorization are actually where the world has gone. ]
Connect.gov Password Consolidation to be Tested Next Month (September 15, 2014)
Starting as soon as October 2014, Connect.gov, a system that will eliminate the need for users to remember at least some of their sets of access credentials, will "launch with a few key anchor agencies that will be testing it out in the first round." More agencies are expected to join within the next two years.-http://www.nextgov.com/cybersecurity/2014/09/new-connectgov-aims-consolidate-you
r-passwords/94154/?oref=ng-channeltopstory
[Editor's Note (Murray): While it is true that the proliferation of passwords is a problem, associating more privilege with fewer passwords is not a good solution. We need Identification and Authentication solutions that are less, not more, dependent on passwords. Most edge computers have cameras and microphones. Many have specialized authentication sensors like fingerprint readers. We should be decreasing, not increasing our reliance on passwords. ]
NIST Releases Draft Guidelines for 3-D Printer Security (September 11, 2014)
The US National Institute of Standards and Technology (NIST) has released draft guidelines for 3-D printer security. The guidelines note that attackers who manage to breach the printers' security could not only steal sensitive plans but also pose physical threats to the plants and employees. The specialized printers, which sometimes use metal powders to "print" objects, could explode. The machines' commands could also be altered, undermining the printed objects' integrity. NIST will accept comments on the document through October 17, 2014.-http://www.nextgov.com/cybersecurity/2014/09/heres-why-you-dont-want-your-3-d-pr
inter-get-hacked/93923/
-http://csrc.nist.gov/publications/drafts/nistir-8023/nistir_8023_draft.pdf
Tech Companies Urge Lawmakers to Move Forward with Bill to Amend ECPA (September 10, 2014)
Technology companies are calling on US legislators to pass Email Privacy Act, a bill that would update the 1986 Electronic Communications Privacy Act (ECPA), which allows law enforcement authorities to search, without a warrant, communications that have been stored in what we now call the Cloud for more than 180 days. The bill's supporters say that ECPA is outdated and poses a threat to people's privacy.-http://thehill.com/policy/technology/217252-tech-giants-demand-email-privacy-bil
l-gets-a-vote
DHS Program Will Bring Technologies from Lab to Practice (September 10, 2014)
The US Department of Homeland Security's (DHS's) Transition to Practice (TTP) program aims to bring cyber security technology developed at federal laboratories "into the real world."-http://www.hstoday.us/industry-news/general/single-article/dhs-transition-to-pra
ctice-program-aided-by-sandia-cyber-testing/9f791636ab96e20f161b754df7e8527c.htm
l
NIST Creates Digital Evidence Subcommittee (September 8, 2014)
The National Institute of Standards and Technology (NIST) has established a new digital evidence/forensic science subcommittee in its Organization of Scientific Area Committees (OSAC). The committee will "identify and establish national standards and guidelines for forensic science practitioners."-http://www.nist.gov/forensics/forensics-090814.cfm
STORM CENTER TECH CORNER
Spoofed SNMP Scans: Mercy Killings or Troll?-https://isc.sans.edu/forums/diary/Google+DNS+Server+IP+Address+Spoofed+for+SNMP+
reflective+Attacks/18647
Android Browser Same Origin Bypass
-http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.h
tml
Unauthenticated Firmware Uploads for Canon Pixma Printers
-http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-en
cryption/
SSDEEP Update
-http://jessekornblum.livejournal.com/295883.html
What to do with credential dumps
-https://isc.sans.edu/forums/diary/Are+credential+dumps+are+worth+reviewing/18641
Wordpress Themes: Vulnerable yet again
-http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-b
eing-exploited.html
Weaknesses in Password Managers
-https://crypto.stanford.edu/~dabo/pubs/papers/pwdmgrBrowser.pdf
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/