SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #76

September 23, 2014

UP FRONT: Can the U.S. power grid succumb to cyber attacks alone? In the final item in Top of the News, the person who actually knows the answer weighs in.

---

TOP OF THE NEWS

Cyber Security as a Matter of Resilience
Home Depot Ignored Security Concerns, Plus A Note From John Pescatore On Lessons From The Home Depot Breach
Former Home Depot Security Architect in Prison For Sabotaging Previous Employer's Network
Can the US Power Grid Succumb To Cyber Attacks Alone

THE REST OF THE WEEK'S NEWS

Four MIT Students Fighting Subpoenas Over Hackathon Bitcoin Mining Tool
Google Shuts Down Malvertising Attack
Senate Bill Would Limit Power of US Warrants for Data Stored in Other Countries
Senate Bill Would Expedite DHS's Hiring of Cyber Security Experts
eBay Vulnerability Has Been Present for at Least Six Months
DoJ Seeks Authority to Bust Through Anonymization
Russian Police Arrest Two in Connection with Android Malware
HealthCare.gov Website Getting Security Fixes
Next Android Release Will Encrypt Data By Default

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Promisec *************************
The Promisec Integrity service enables immediate and comprehensive visibility into all of your endpoints - without installing any agents and operates without any increase in network bandwidth or the CPU performance on the endpoints being inspected. Get Integrity now for free for 30 days and find out fast where you stand...
http://www.sans.org/info/167802
***************************************************************************
TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Cyber Security as a Matter of Resilience (September 22, 2014)

Experts say that the cyber security conversation is better served by focusing on resilience rather than on prevention. Adm. Michael Rogers, NSA Director and commander of US Cyber Command, said that the question is "How, in the midst of degradation and penetration, can we still have confidence in the systems?"
-http://www.federaltimes.com/article/20140922/CYBER/309220008/IT-security-shifts-
from-prevention-resiliency
[Editor's Note (Weatherford): This is the new theme for cybersecurity - the ability to continue fighting when you're hurt is the differentiator between a successful security organization and the one picking up the pieces after an incident and wondering what happened.
(Murray): I have liked this idea since I first heard it three years ago. That said, resilience of the whole is improved by the "prevention" of the parts.
(Honan): Focusing on resilience provides an added advantage as it requires a shift from thinking about cyber security in pure technical terms into what does the business need in order to survive an incident? This approach brings the whole topic of cyber security to the board and senior management as they have to determine what is important from a business perspective for the organisation to survive a security incident. ]

Home Depot Ignored Security Concerns (September 19, 20 & 22, 2014)

Former Home Depot employees say that management ignored warnings from the company's computer security team that its systems were vulnerable to attack. Some team members even quit in frustration over the company's slow response to warnings of serious problems. The company was using outdated antivirus software and did not regularly scan critical systems. An engineer hired to work on the security team is now in prison for sabotaging his previous employer's network (see below).
-http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data
-vulnerable.html
-http://www.theregister.co.uk/2014/09/22/home_depot_ignored_staff_warnings_of_sec
urity_fail_laundry_list/
-http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for
-years-employees-say/
[Editor's Note (Murray): One should not conclude that Home Depot is a special case. Home Depot is typical of retail chains operating point of sale technology. If one is in this industry, one must follow the recommendations in the Verizon Data Breach Incident Report including strong authentication on remote access, resisting changes to the program content of point of sale systems, and monitor those systems for exfiltration of PCI data. These measures will still be necessary even if and when the industry puts in place fundamental controls (e.g., digital tokens) to resist the fraudulent reuse of credit card numbers, ]
A NOTE FROM JOHN PESCATORE ON LESSONS FROM THE HOME DEPOT BREACH: More information continues to come out about the Home Depot "biggest breach ever," reinforcing that something as simple as Critical Security Control 2, Inventory of Authorized and Unauthorized Software, implemented on Home Depot's point of sales systems would have prevented the breach. Cyberpoint has used their Cyber Value at Risk tool to show how the use of whitelisting could have prevented an estimated $246M impact to Home Depot's bottom line and SANS' John Pescatore has estimated that the worst case cost for Home Depot to implement whitelisting would have been $25M. You can see the Cyberpoint CyberVaR report at
-http://www.cyberpointllc.com/products/docs/CyberVaR_ScenariosAndSolutions_05.pdf
and John Pescatore's analysis at
-http://blogs.sans.org/security-trends/?p=3097

Former Home Depot Security Architect in Prison For Sabotaging Previous Employer's Network (September 22, 2014)

Ricky Joe Mitchell, a former Home Depot security architect, is currently serving a four-year sentence for sabotaging his previous employer's network. Mitchell was hired by the home improvement chain in 2012 and was made Senior Architect for Security in March 2013. In January 2014, Mitchell pleaded guilty to intentionally damaging the network of EnerVest Operating in June 2012 after learning that he was going to be fired. Mitchell remotely accessed the company's servers and reset them to factory settings. He also went into the office after hours and disabled the equipment cooling system. Mitchell remained employed by Home Depot after his July 2013 indictment until his January 2014 guilty plea.
-http://arstechnica.com/security/2014/09/home-depots-former-security-architect-ha
d-history-of-techno-sabotage/
Mitchell Indictment:
-http://www.bradreese.com/blog/8-20-2013.pdf
Mitchell Plea:
-http://www.justice.gov/usao/wvs/press_releases/Jan2014/attachments/012814_Mitche
ll_Plea.html
Mitchell Sentencing:
-http://www.justice.gov/usao/wvs/press_releases/May2014/attachments/0520143_Mitch
ell_Sentence.html

Can the US Power Grid Succumb To Cyber Attacks Alone?

Last week we covered a story in which observers say that cyber attacks alone could not take down the US power grid. (
-http://www.politico.com/story/2014/09/power-grid-safety-110815.html)
Here Michael Assante provides a more nuanced and accurate answer. Mike served as CSO for American Electric Power, CSO of NERC, and as the most trusted advisor to the White House on exactly this question. Now he leads the international consortium that is defining and measuring the critical skills needed by power engineers and IT security professionals charged with ensuring such damage does not occur.

---

**************************** SPONSORED LINKS ******************************
1) Premium support extensions are ending next month! Download: XP End of Life for Upgrade Latecomers. http://www.sans.org/info/167807

2) Beating the Status Quo: Reinforce Your Defense to Detect & Resolve Evolving Threats Wednesday, September 24 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Mohan Sadashiva. http://www.sans.org/info/167662

3) Don't Miss: Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Erick Ingleby: http://www.sans.org/info/167667
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Four MIT Students Fighting Subpoenas Over Hackathon Bitcoin Mining Tool (September 22, 2014)

Four Massachusetts Institute of Technology (MIT) students are fighting a subpoena demanding they surrender the source code for a Bitcoin mining tool they created for a hackathon. A legal team from the Electronic Frontier Foundation (EFF) is representing the students. The subpoena, from the New Jersey Division of Consumer Affairs, claims that the students violated computer crime laws in that state and demanded that they turn over the source code and any attendant documentation. MIT has sent a letter to the New Jersey attorney general asking that the subpoena be withdrawn, saying that such demands have "a chilling effect on MIT teaching and research."
-http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-demanding-sou
rce-code-bitcoin-mining-tool/
-http://www.bostonmagazine.com/news/blog/2014/09/22/mit-students-head-court-bitco
in-hackathon-project/

Google Shuts Down Malvertising Attack (September 22, 2014)

On September 19, Google shut down a malvertising campaign that affected visitors to several different websites, including Last.fm and The Jerusalem Post. The questionable ads were being served by the Zedo ad platform through Google's DoubleClick. The malicious ads were serving up a downloader known as Zermot.
-http://arstechnica.com/security/2014/09/google-stops-malicious-advertising-campa
ign-that-could-have-reached-millions/
[Editor's note (Northcutt): Google has worked for years to identify malware on web sites:
-http://static.googleusercontent.com/media/research.google.com/en/us/archive/prov
os-2008a.pdf]

Senate Bill Would Limit Power of US Warrants for Data Stored in Other Countries (September 19, 2014)

A bill proposed in the US Senate last week would limit the type of data that US authorities could obtain from foreign servers with a warrant. The legislation appears to be a response to the case in which Microsoft has refused to surrender customer emails that are stored on a server in Ireland. A US District Judge recently ruled in favor of the government, saying that "it is a question of control, not a question of the location of that information." The case is moving to appeal. The Law Enforcement Access to Data Stored Abroad Act (LEADS Act) would limit the US's warrant access to data of US citizens. To obtain data belonging to citizens of other countries, the US would have to follow that country's legal protocol. US Technology companies maintain that if they are required to surrender data belonging to non-US citizens, trust in their businesses would deteriorate.
-http://arstechnica.com/tech-policy/2014/09/bill-would-limit-reach-of-us-search-w
arrants-for-data-stored-abroad/
-http://www.computerworld.com/article/2686099/senate-bill-would-limit-access-to-e
mails-stored-abroad.html

Senate Bill Would Expedite DHS's Hiring of Cyber Security Experts (September 20, 2014)

The US Senate has passed a bill that would increase the authority of the defense secretary to hire and retain cyber security professionals. The legislation would allow DHS to hire qualified security professionals more quickly and offer them better compensation.
-http://www.govinfosecurity.com/senate-passes-cybersecurity-skills-shortage-bill-
a-7340
[Editor's Note (Weatherford): Two issues, one far more important than the other. Frank Reeder has it right that pay is NOT the main reason that DHS has a recruiting (or retention) problem. Expediting the hiring process would make a big dent in the recruiting issue very quickly and demonstrated to the many talented people who want to work for the government that they actually care. ]

eBay Vulnerability Has Been Present for at Least Six Months (September 19, 2014)

A vulnerability in some eBay postings has been present for months. The flaw has been exploited to redirect some customers to malicious websites. eBay initially said the problem was limited to certain postings and removed them. But the BBC has learned that the issue has been present in eBay systems since at least February 2014 and has found more listings that put customers at risk.
-http://www.bbc.com/news/technology-29279213

DoJ Seeks Authority to Bust Through Anonymization (September 19 & 22, 2014)

The US Department of Justice has proposed an amendment to Rule 41 of the Federal Rules of Criminal procedure that would pave the way for law enforcement authorities to break into computers being used by people who are hiding their identities online with anonymizing technologies like Tor.
-http://www.networkworld.com/article/2686187/microsoft-subnet/doj-wants-to-give-t
he-fbi-permission-to-hack-into-pcs-of-tor-and-vpn-users.html
-http://www.theregister.co.uk/2014/09/19/fbi_overseas_hacking_powers/
[Editor's Note (Honan): This has the hallmarks of a pending legal disaster should this amendment be passed. With the nature of anonymization networks the FBI and the US Court will not be able to guarantee the targeted computer is within US jurisdiction, leading to potential breaches of laws in other countries and indeed potential disruption of law enforcement efforts in other countries. It could also further deepen the distrust many non-US corporations and citizens have regarding excessive US government surveillance. ]

Russian Police Arrest Two in Connection with Android Malware (September 19, 2014)

Police in Russia have arrested two people in connection with malware that infected Android mobile devices through deceptive MMS messages. The messages appeared to be 'romantic" in nature, but when recipients clicked on a provided link, their phones were infected with malware that steals money from bank accounts linked to the devices.
-http://www.theregister.co.uk/2014/09/19/mobile_botnet_arrests_russia/

HealthCare.gov Website Getting Security Fixes (September 18, 2014)

At a September 18 congressional hearing, Marilyn Tavenner, administrator for the Centers for Medicare and Medicaid Services (CMS) said her agency will implement 28 recommended actions to improve the security of the HealthCare.gov website before the next open enrolment period begins on November 15. Six of the actions are executive; the other 22 are technical. The Government Accountability Office (GAO) made the recommendations in a September 16 report.
-http://www.govinfosecurity.com/healthcaregov-security-fixes-promised-a-7335
GAO Report:
-http://www.gao.gov/assets/670/665840.pdf

Next Android Release Will Encrypt Data By Default (September 18 & 21, 2014)

Google says that the next version of its Android mobile operating system, due to be released before the end of 2014, will encrypt data by default. Android L's activation features will automatically encrypt data. (Encryption has been available and optional on Android devices since 2011.) The announcement comes as Apple releases iOS 8, the newest version of its mobile operating system, which also has enhanced security. One notable difference between the operating systems is that while most iOS users will update their devices within the next few weeks, Android users must wait for manufacturers to make the updates available.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-wil
l-join-iphones-in-offering-default-encryption-blocking-police/
-http://www.eweek.com/security/new-android-l-os-to-encrypt-data-to-reduce-hacking
-snooping.html
-http://www.informationweek.com/mobile/mobile-devices/google-plans-to-encrypt-and
roid-data-by-default/d/d-id/1315928
-http://www.cnet.com/news/google-to-encrypt-data-by-default-on-new-version-of-and
roid/

---

STORM CENTER TECH CORNER

October: Cyber Security Awareness Month
-https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+What+s+your+fav
orite+most+scary+false+positive/18691

iOS 7 Exploit released
-https://isc.sans.edu/forums/diary/iOS+7+1+x+Exploit+Released+CVE-2014-4377+/1869
3

LogMeIn Fake Certificate Update E-Mails
-https://isc.sans.edu/forums/diary/Fake+LogMeIn+Certificate+Update+with+Bad+AV+De
tection+Rate/18695

Privacy of Location Data
-http://ceur-ws.org/Vol-1225/pir2014_submission_11.pdf

ICMP Packets: Got Samples?
-https://isc.sans.edu/forums/diary/Strange+ICMP+traffic+seen+in+destination/18685

OS X Keychain Extraction Tool
-http://forensic.n0fate.com/wp-content/uploads/2012/12/Keychain-Analysis-with-Mac
-OS-X-Memory-Forensics.pdf

HeatMiser Thermostat Vulnerability
-http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/

Windows XP: Common link to recent large PoS/Credit Card Breaches
-http://www.networkworld.com/article/2685295/microsoft-subnet/home-depot-target-b
reaches-exploited-windows-xp-flaw-report-says.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/