SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #77

September 26, 2014

This morning, more than 1,500 people watched Internet Storm Center's Johannes Ullrich giving an authoritative briefing on how Shellshock works and what to do about it. Here's the url: https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerabi
lity/18709 Plus, the ISC constantly updated blog: https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+
shellshock+/18707 Alternative, direct alternative link to YouTube video: https://www.youtube.com/watch?v=W7GaVyzkCs0

Also: Who is making a difference in cybersecurity? Since 2011, SANS has been celebrating "Difference Makers" whose quiet innovation, skill and effort have driven real increases in information security at their organizations or beyond. We'll present the 2014 winners on December 13th at the SANS Cyber Defense Initiative Conference. We need your help to find them and also to find the Best Security Products and Services of 2014. Go to http://www.sans.org/cyber-innovation-awards for details or send nominations directly to trends@sans.org

Alan

---

TOP OF THE NEWS

Bash Shellshock Flaw
Shellshock Flaw is Being Actively Exploited
Shellshock May Further Marginalize Open Source Software

THE REST OF THE WEEK'S NEWS

New Scripting Language Will Limit Permissions
FBI Director Critical of Default Encryption on Mobile Phones
Mozilla Fixes Network Security Services Library Flaw in Several Products
TripAdvisor Customer Data Compromised
US Will Adopt Chip-and-PIN
Internet Crime Complaint Center Warns of Spoofed Messages
Jimmy John's Confirms Data Breach
Japan Airlines Data Breach
UK Banks to Get Real-Time Threat Alerts
Medical Device and Healthcare Cyber Security Workshop

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

**************************** Sponsored By SANS **************************
Healthcare Cyber Security Summit - San Francisco, CA - Dec 3-10, 2014 - SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses: ICS410, SEC301, SEC504, SEC542, FOR508 & Health Care Security Essentials.
http://www.sans.org/info/168042
***************************************************************************
TRAINING UPDATE


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 17 courses.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Bash Shellshock Flaw (September 25, 2014)

A serious flaw in a software component called Bash is said to be more serious that the Heartbleed vulnerability that was disclosed earlier this year. The flaw, which is being called Shellshock, can be exploited to remotely take control of vulnerable systems. It affects an estimated 500 million UNIX and LINUX machines. Bash, or the GNU Bourne Again Shell, is a command prompt on many Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a warning and is urging admins to patch the flaw. Others have expressed concern that the patches that have been made available are incomplete.
-http://www.bbc.com/news/technology-29361794
-http://www.csmonitor.com/Innovation/Latest-News-Wires/2014/0925/Cybersecurity-Wh
at-is-the-Bash-Shellshock-bug
-http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-securit
y/
-http://arstechnica.com/security/2014/09/concern-over-bash-vulnerability-grows-as
-exploit-reported-in-the-wild/
-https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash
-Remote-Code-Execution-Vulnerability
[Editor Comment (Northcutt): The advice they are giving us at SANS is be careful about any unusual attachments. That's always a smart idea. ]

Shellshock Flaw is Being Actively Exploited (September 25, 2014)

There are reports that attackers have already begun exploiting this flaw to infect vulnerable servers around the world.
-http://www.eweek.com/security/linux-malware-uses-shellshock-flaw-to-infiltrate-w
eb-servers.html
-http://www.zdnet.com/first-attacks-using-shellshock-bash-bug-discovered-70000340
44/
-http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets
-ddos-attacks/

Shellshock May Further Marginalize Open Source Software (September 25, 2014)

Nicole Perlroth's article in the New York Times tells the story of how Bash and its flaw came to be. The most impactful paragraph in her story may be the final one, where she wrote, 'The mantra of open source was perhaps best articulated by Eric S. Raymond, one of the elders of the open-source movement, who wrote in 1997 that "given enough eyeballs, all bugs are shallow." But, in this case, Steven M. Bellovin, a computer science professor at Columbia University, said, those eyeballs are more consumed with new features than quality. "Quality takes work, design, review and testing and those are not nearly as much fun as coding," Mr. Bellovin said. "If the open-source community does not develop those skills, it's going to fall further behind in the quality race."'
-http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-
software-bug-to-be-significant.html?ref=technology&_r=0

---

**************************** SPONSORED LINKS ******************************
1) Upcoming Webcast: How to Prevent One Hundred Percent of Browser-Borne Malware: Thursday, October 02 at 1:00 PM EDT (17:00:00 UTC)with Franklyn Jones. http://www.sans.org/info/168067

2) Are insiders and electronic health records still top concerns among health care orgs? Take 2nd SANS Health Care Security Survey and enter to win an iPad. http://www.sans.org/info/168057

3) SANS 9th Log Management Survey Results Webcast, October 6 at 1pm EDT. Hear new findings and update on log analysis software implementation. http://www.sans.org/info/168062
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

New Scripting Language Will Limit Permissions (September 25, 2014)

Researchers at Harvard University are developing a scripting language called Shill that is based on the principle of least privilege. Shill would limit shell-based scripts to the minimum required resources for their tasks.
-http://www.computerworld.com/article/2687891/security0/harvard-researchers-take-
aim-at-shellshocklike-woes-with-new-scripting-language.html

FBI Director Critical of Default Encryption on Mobile Phones (September 25, 2014)

FBI Director James Comey has expressed concerns about Apple's and Google's decisions to increase encryption on mobile devices. Comey said that the new features appear to be "something expressly to allow people to place themselves beyond the law."
-http://arstechnica.com/tech-policy/2014/09/apple-google-default-cell-phone-encry
ption-concerns-fbi-director/
-http://www.computerworld.com/article/2688095/fbi-director-worries-about-encrypti
on-on-smartphones.html
-http://www.nbcnews.com/tech/security/fbi-chief-scolds-apple-google-over-new-smar
tphone-encryption-n211921
-http://www.theregister.co.uk/2014/09/25/fbi_boss_slams_google_apple_for_encrypti
on_that_puts_users_above_law/
[Editor's Note (Pescatore): This is deja vu all over again, back to the crypto export control debates of the 1990s. Strong encryption is needed to protect sensitive information from attackers and criminals, and yes - - it does also protect that information from law enforcement. The same dynamic occurs when valuables are put into a physical safe - and law enforcement has the same options (brute force it, or get a warrant compelling owner to open) with encryption as they have with safes.
(Honan): It is really disconcerting to hear those in law enforcement equating using encryption with criminal activity or intention. My threat model ensures I encrypt data as much as possible to protect it from various parties, the same way I use a safe to store sensitive items and have secure locks on doors.
(Murray): Comey is channeling Louis Freeh who testified to Congress that "strong crypto equals perfect security for the criminal." In fact, the best that crypto can do is raise security in the middle to that of the end points. While the governing class views the governed as criminal by default, only a tiny fraction of the traffic protected by cryptography is criminal. One might take Mr. Comey seriously if he had a program to resist the rogue cell sites springing up all over the country or if the NSA was not storing all electronic communications by default. ]

Mozilla Fixes Network Security Services Library Flaw in Several Products (September 25,2014)

Mozilla has fixed a vulnerability in its Network Security Services (NSS) libraries that could have been exploited to launch man-in-the-middle attacks. The issue affects Firefox, Thunderbird, and SeaMonkey; updates are available.
-http://www.scmagazine.com/mozilla-addresses-bug-allowing-signature-forgery-in-ns
s/article/373737/
-http://www.theregister.co.uk/2014/09/25/mozilla_firefox_thunderbird_patch_ssl_vu
ln/
In a separate story, Mozilla says it will phase out certificates with SHA-1 hash algorithms.
-http://www.scmagazine.com/mozilla-plans-to-phase-out-support-of-sha-1-hash-algor
ithm/article/373487/

TripAdvisor Customer Data Compromised (September 23 & 25, 2014)

Viator, a website recently acquired by TripAdvisor, has learned that a breach of a payment card service provider's system exposed customer data. The breach affects approximately 1.4 million customers. Viator learned of the breach after investigators looked into fraudulent payment card transactions that led back to the website.
-http://www.nextgov.com/cybersecurity/2014/09/14-million-tripadvisor-site-users-a
ffected-payment-and-account-breach/95141/?oref=ng-channelriver
-http://www.theregister.co.uk/2014/09/23/tripadvisor_subsidiary_viator_breach_car
d_fraud_link/
[Editor's Note (Murray): Internet enterprises like TripAdvisor, Facebook, and eBay must be held to a higher security standard than others. ]

US Will Adopt Chip-and-PIN (September 25, 2014)

The idea of storing credit card account information on a magnetic stripe, while innovative in 1960 when it was first conceived, is now vulnerable to theft, particularly because the data encoded on the magnetic stripes are static. The US is finally following the rest of the world in moving to the more secure chip-and-PIN, or EMV technology (so-called because it was started by Europay, MasterCard, and Visa).
-http://www.wired.com/2014/09/emv/
[Editor's Note (Pescatore): The mag stripe data has been vulnerable and exploited for years, there is no "is *now*" about it. The retail industry has long considered the damage done to be less than the cost of upgrading the infrastructure. The recent spate of high visibility breaches is like the elevator video of the American football player punching his wife - the problem was there all along but publicity amplifies risk perception.
(Honan): It is important to remember that while introducing Chip and Pin is a welcome move, its main impact will be on card present fraud. The experience in Europe where Chip and Pin has been in place for a number of years is that criminals will focus on card not present fraud. So it's important merchants adjust their threat models and security postures accordingly.
(Murray): The Wired hopeful headline is not supported by the content of its article, much less the plans of the industry. While the merchants are making great progress toward accommodating EMV, only a small number of cards have chips and ALL cards issued in the US continue to have credit card numbers in the clear on a magnetic strip. There is no commitment to issue all cards with chips and none to eliminate magnetic stripes. The most hopeful sign is Visa Token Service. ]

Internet Crime Complaint Center Warns of Spoofed Messages (September 24 & 25, 2014)

The FBI's Internet Crime Complaint Center (IC3) is warning that it is being impersonated in an attempted cyber extortion attack. Spoofed email messages claim that the recipient has been identified in a criminal report and must purchase prepaid credit cards and send them to a certain address or be arrested. IC3 has recently issued a warning to organizations about an increase in insider threat cases.
-http://www.theregister.co.uk/2014/09/25/feds_cheeky_scammers_are_impersonating_u
s_in_criminal_capers/
-http://www.computerworld.com/article/2687877/security0/internet-crime-complaint-
center-warns-that-scam-uses-ic3-email-as-way-to-con-victims.html
-http://www.scmagazine.com/insider-threat-cases-on-the-rise-ic3-warns/article/373
442/
-http://www.zdnet.com/ic3-flags-scam-after-branding-disgruntled-it-staff-a-threat
-7000034030/

Jimmy John's Confirms Data Breach (September 24, 2014)

US sandwich restaurant chain Jimmy John's has acknowledged that a payment vendor's data breach compromised customer payment card information. The incident affects transactions at 216 stores between June 16 and September 5, 2014.
-http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/
-http://www.darkreading.com/jimmy-johns-gourmet-sandwiches-pos-systems-hacked/d/d
-id/1316045?
-http://www.darkreading.com/perimeter/breached-retailers-harden-pos-for-now/d/d-i
d/1316091?
[Editor's Note (Murray): Retail breaches are now so common that the consumer cannot be expected to keep track of them. They must assume that their cards are compromised and reconcile their accounts on at least a weekly basis. They should close accounts that they do not use at least monthly. ]

Japan Airlines Data Breach (September 24 & 25, 2014)

Japan Airlines (JAL) has confirmed that a cyber attack compromised personal information of as many as 750,000 customers. The incident involved unauthorized access to a JAL database from an external server. The compromised data include names, addresses, and workplaces. The malware appears to have infected 23 computers and did not affect financial information. The attack is believed to have gained purchase through a phishing attack and may have remained undetected for over a month.
-http://www.scmagazine.com/japan-airlines-experiences-data-breach/article/373722/
-http://www.zdnet.com/japan-airlines-customers-data-leaked-7000034027/

UK Banks to Get Real-Time Threat Alerts (September 23, 2014)

British banking industry association BBA will now offer member financial institutions access to real-time threat warnings that affect customer data and the general integrity of their systems as a whole. The Financial Crime Alerts Service (FCAS) will allow professionals to track data from a dozen government and law enforcement agencies to spot emerging issues. The system is scheduled to go live in early 2015.
-http://www.theregister.co.uk/2014/09/23/uk_bank_fraud_alert_system/
[Editor's Note (Pescatore): I hope they first focus on getting real time vulnerability alerts. ]

Medical Device and Healthcare Cyber Security Workshop (September 23, 2014)

The US Food and Drug Administration (FDA) is holding a workshop on October 21-22. The event, "Collaborative Approaches for Medical Devices and Healthcare Cybersecurity," is being held in collaboration with stakeholders within the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS). The workshop is open to the public. The FDA will accept written comments through November 24, 2014.
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/23/the-fda-wants-to-ta
lk-about-medical-device-cybersecurity/
-https://www.federalregister.gov/articles/2014/09/23/2014-22515/collaborative-app
roaches-for-medical-device-and-healthcare-cybersecurity-public-workshop-request-
for
[Editor's Note (Murray): Securing a single application computer is not difficult if one follows one simple rule: Do not include one line of code that is not essential to the application. Most of our vulnerabilities are related to function that is only "nice to have." ]

---

STORM CENTER TECH CORNER

Bash Code Injection Update Vulnerability Update
-https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerabi
lity/18709/1#32107
-https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+
shellshock+/18707

Critical SSL Flaw in Firefox and Thunderbird
-https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

Critical Update for bash
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

Apple iOS 8.0.1 leads to disabled cellular connectivity
-http://www.macrumors.com/2014/09/24/ios-8-0-1-issues-possible-fix/

2nd jQuery Compromise
-http://blog.jquery.com/2014/09/24/update-on-jquery-com-compromises/

Arris Cable Modem Authentication Bypass
-http://console-cowboys.blogspot.com/2014/09/arris-cable-modem-backdoor-im.html

jQuery.com Compromise
-http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-en
terprise-it-accounts-risk

Microsoft Expanding Bug Bounty
-http://technet.microsoft.com/en-US/security/dn800983

iPhone 6 Fingerprint Sensor as vulnerable to fake finger prints as prior model
-https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/