SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #78

September 30, 2014

TOP OF THE NEWS

China Blocks Social Media in Wake of Hong Kong Protests
Apple Says Shellshock Will Not Affect Most Mac Users
Dissolution of Trustworthy Computing Group Could Change Company's Security Culture

THE REST OF THE WEEK'S NEWS

UK Government Contractors Will be Held to Cyber Security Standards
Man Indicted for Allegedly Selling Stalking Software
Ello Hit with Distributed Denial-of-Service Attack
New Patches for Bash Vulnerability
Signature Systems Admits Breach Extends Beyond Jimmy John's
Apple Releases iOS 8.0.2
GM Appoints First Chief Cyber Security Officer

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Veracode ***************************
Shell Shock - What you need to know: Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.
http://www.sans.org/info/168182
***************************************************************************
TRAINING UPDATE


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 17 courses.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

China Blocks Social Media in Wake of Hong Kong Protests (September 29, 2014)

Emerging reports suggest that Chinese censors have blocked Instagram in the face of pro-democracy protests in Hong Kong. People in Hong Kong have been posting pictures of demonstrations, including police use of tear gas and pepper spray, to the photo-sharing website.
-http://www.bbc.com/news/technology-29409533
-http://money.cnn.com/2014/09/29/technology/instagram-blocked-china/index.html
-http://www.zdnet.com/instagram-blocked-in-china-reports-7000034127/
[Editor's Note (Ullrich): Apparently, due to the high mobile device density in China, protesters found ways to communicate without relying on central infrastructure. Software like Firechat is used to communicate directly from device to device. ]

Apple Says Shellshock Will Not Affect Most Mac Users (September 26, 2014)

Apple says that the "vast majority" of Mac users will not be affected by the recently disclosed Shellshock vulnerability in Bash. In an emailed statement, Apple told CNET, "With OS X, systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services."
-http://www.cnet.com/news/vast-majority-of-os-x-users-safe-from-bash-shellshock-b
ug-apple-says/
-http://www.computerworld.com/article/2688535/two-scenarios-that-would-make-os-x-
vulnerable-to-the-shellshock-bug.html
Apple has released updates for OS X 10.0, 10.8, and 10.7 to address vulnerabilities in Bash.
-http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-1
0-9-10-8-and-10-7/
[Editor's Note (Ullrich): Apple is correct in that OS X is not exploitable (but vulnerable) by default. Bash is not exposed via DHCP like in Linux, and a web server is not installed by default. However, it is easy to make OS X vulnerable once a web server is installed. Apple released a patch yesterday for the two original shellshock vulnerabilities and users should apply it. With shellshock, it is very important to distinguish "vulnerable" from "exploitable" systems and prioritize accordingly. ]

Dissolution of Trustworthy Computing Group Could Change Microsoft's Security Culture (September 24 & 29, 2014)

Microsoft has cut several positions within the Trustworthy Computing Group, split the security and privacy teams, and placed them in other business groups. While the change has caused concerns that the company may be reducing its focus on security, others have pointed out that the change could point to integrating security into the entire culture of the company, so it is present at all phases of development.
-http://www.eweek.com/security/how-reorganization-might-change-microsofts-securit
y-strategy.html
-http://windowsitpro.com/security/microsoft-vp-scott-charney-outs-himself-archite
ct-trustworthy-computing-changes
[Editor's Note (Pescatore): The TWC group in Microsoft was formed long after Microsoft finally started taking security seriously, after the famous Bill Gates memo of January 2002. At that time, the market told Microsoft it had to improve security - the Code Red and Nimda worms of 2001 were causing huge business impact and the share of Microsoft IE and IIS web browser/server was dropping. It took several years of Gates' focus on security to get product managers and developer managers to emphasize security - Slammer and Blaster in 2003 showed it wasn't going to happen quickly. What is more important than the existence of the TWC group is if Microsoft's new CEO Satya Nadella makes sure that new product managers and developer managers still have that same urgency about security.
(Murray): The Windows architecture is open, general, flexible, feature rich, and backward compatible. This fundamentally insecure architecture is essential to the business model of low price, high volume. No reorganization is likely to alter this culture in any noticeable way. It will take a post Gates/Ballmer (Jobs like) leadership to do that. It may require a change to the business strategy. ]

---

**************************** SPONSORED LINKS ******************************
1) Healthcare Cyber Security Summit - San Francisco, CA - Dec 3-10, 2014 - - SANS and the National Health-ISAC brings together health care CIOs, CISOs and technology leaders who will share lessons learned. Also 6 intensive training courses including Advanced Forensics and Health Care Security Essentials. http://www.sans.org/info/168042

2) In Case You Missed It: Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Erick Ingleby: http://www.sans.org/info/167667

3) 2nd Annual Analytics & Intel Survey Results Presented in 2 Webcasts: 10/9 Part 1 - Current State: Detection and Response, REGISTER HERE: http://www.sans.org/info/168187 10/14 Part 2 - Future State: Improving Intelligence and Threat Prevention, REGISTER HERE: http://www.sans.org/info/168192 Register and attend both webcasts to be eligible to win a $75 American Express gift card to be awarded LIVE during the October 14 webcast.
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK Government Contractors Will be Held to Cyber Security Standards (September 29, 2014)

As of October 1, 2014, companies bidding for UK government contracts must comply with a set of cyber security standards known as Cyber Essentials (CE) if they are to handle information or provide IT services. Some companies have already been certified as CE compliant, including Barclays, Vodafone, and Hewlett Packard, which is starting to require CE compliance from its own supply chain.
-http://www.contractoruk.com/news/0011739state_it_suppliers_face_cyber_security_r
equirement.html
[Editor's Note (Pescatore): The Cyber Essentials is a subset of the Critical Security Controls, focused on Critical Controls 2, 4, 5, 13 and 16. It is a very, very low bar to leap in assessing the supply chain for any large business or any business that would be a real target of cybercriminals.
(Paller): A bar so low that it is not worthy of government authority. But what does one say to the claim that "we have to start somewhere?" Answer: Yes, but not with CE. Global consensus is growing that the Critical Security Controls (
-http://www.counciloncybersecurity.org/critical-controls/)
comprise the minimum set of first steps that organizations should take, and that auditors should measure, because their implementation actually eliminates the vast bulk of the risk. ]

Man Indicted for Allegedly Selling Stalking Software (September 29, 2014)

Authorities in California have arrested Hammad Akbar, CEO of InvoCode, which makes software for mobile devices known as StealthGenie. That application, according to US federal prosecutors, is "expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim's personal life ... without
[their ]
knowledge." The indictment charges Akbar with conspiracy, sale of a surreptitious interception device, and advertisement of that device.
-http://arstechnica.com/tech-policy/2014/09/spyware-executive-arrested-allegedly-
marketed-mobile-app-for-stalkers/
-http://www.nbcnews.com/tech/security/maker-stealthgenie-cellphone-spyware-app-in
dicted-u-s-charges-n214356
-http://www.computerworld.com/article/2688809/ceo-indicted-for-companys-alleged-m
obile-spyware-app.html
Complaint:
-http://cdn.arstechnica.net/wp-content/uploads/2014/09/akbar.pdf
DOJ Press Release:
-http://www.justice.gov/opa/pr/pakistani-man-indicted-selling-stealthgenie-spywar
e-app

Ello Hit with Distributed Denial-of-Service Attack (September 28, 2014)

The new, alternative social media site Ello was the target of a distributed denial-of-service (DDoS) attack over the weekend. The site experienced an outage of less than an hour. Ello is currently in beta and accounts are available by invitation only.
-http://www.theregister.co.uk/2014/09/28/ello_hit_by_massive_ddos_attack/
-http://www.pcmag.com/article2/0,2817,2469406,00.asp
[Editor's Note (Pescatore): It is sort of a rite of passage for new Internet startups to get hit by and be impacted by a DDoS attack. Hey, Venture Capitalists - make sure when those startups show you their budget for cloud hosting that they include DDoS protection as part of the services. ]

New Patches for Bash Vulnerability (September 26, 27, & 28, 2014)

New patches to fix the Shellshock flaw in Bash were released late last week. Initial patches had proven inadequate because they addressed only one of the vulnerabilities in Bash; while Shellshock is the most serious, there are others as well.
-http://www.theregister.co.uk/2014/09/28/bash_shellshock_bug_patches_released_by_
red_hat/
-http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/
-http://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resol
ve-gaps-in-first-fix/
-http://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shell
shock-becomes-whack-a-mole/
[Editor's Note (Ullrich): There are now a total of 6 vulnerabilities in bash. This will keep us busy for a while, and make sure you keep good notes as you patch. Expect to have to do this again in the next couple weeks.
-https://isc.sans.edu/forums/diary/Shellshock+Updated+Webcast+Now+6+bash+related+
CVEs+/18727]

Signature Systems Admits Breach Extends Beyond Jimmy John's (September 26, 2014)

Signature Systems, the point-of-sale (POS) vendor that has been pinpointed as the source of the Jimmy John's data breach, now says that more than 100 additional may have been affected. The company write, "An unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems" and install malware that stole payment card data. The other affected restaurants are mostly independent establishments.
-http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/
-http://www.computerworld.com/article/2687802/data-breach-that-hit-jimmy-johns-is
-larger-than-first-thought.html
Signature Systems Notice:
-http://www.pdqpos.com/notice.html
[Editor's Note (Pescatore): The retail industry is showing some very lemming-like behavior as PoS breach follows PoS breach. The PCI compliance regime tends to reinforce this kind of "march off the cliff" together behavior since the card brands never actually feel the impact - - the retailers (deservedly) and the customers (unfairly) bear the brunt of the damage.
(Paller): In fact, the processors make money on every fraudulent transaction. Wonder why they did not act sooner to protect the merchants who end up paying most of the costs.
(Murray): Payment system breaches are now so numerous that it is difficult for consumers to trust the system at all. Consumers interested in their own security, whether or not they have shopped at a merchant where a breach is known to have occurred, should request replacement EMV chip cards now. They should close any account where the card issuer will not accommodate this request. For reasons of backward compatibility, even EMV chip cards will also have magnetic stripes; consumers who use magnetic stripe will be compromised if the merchant or his suppliers are breached. Consumers should prefer merchants who are equipped to accept EMV cards and avoid any who are not yet ready. ]

Apple Releases iOS 8.0.2 (September 26 & 27, 2014)

Just two days after pulling iOS 8.0.1 due to complaints that it was buggy, Apple has released iOS 8.0.2. Users are encouraged to upgrade to the newest version because it addresses a number of serious security problems.
-http://www.scmagazine.com/ios-802-released-following-complaints-of-bugs/article/
373978/
-http://arstechnica.com/security/2014/09/cant-upgrade-to-ios-8-beware-bugs-in-the
-system/

GM Appoints First Chief Cyber Security Officer (September 23, 24 & 29, 2014)

General Motors has appointed the company's first chief cyber security officer. Jeffrey Massimilla, who has been with GM since 2010, will oversee security issues for the computers that are built into the company's cars.
-http://www.computing.co.uk/ctg/news/2372722/general-motors-hires-first-cyber-sec
urity-chief
-http://fortune.com/2014/09/24/general-motors-appoints-its-first-cybersecurity-of
ficer/
-http://www.detroitnews.com/story/business/autos/general-motors/2014/09/23/gm-cyb
ersecurity-chief/16123127/
[Editor's Note (Henry): It's 2014, and this shouldn't be news; EVERY Fortune 500 should have a CISO... ]

---

STORM CENTER TECH CORNER

Shellshock bash code injection update
-https://isc.sans.edu/forums/diary/Shellshock+Updated+Webcast+Now+6+bash+related+
CVEs+/18727
-https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+th
e+wild/18725

Apple releases bash update
-http://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html

Perl "Data::Dumper" Vulnerability
-https://www.lsexperts.de/security-advisory/items/schwachstelle-perl-core.html

iOS 8 undocumented APIs leak phone call data
-http://www.andreas-kurtz.de/2014/09/malicious-apps-ios8.html

WordPress Vulnerability Database
-https://wpvulndb.com

"ShellShock" Update
-https://isc.sans.edu/forums/diary/Why+We+Have+Moved+to+InfoCon+Yellow/18715
-https://isc.sans.edu/forums/diary/What+has+Bash+and+Heartbleed+Taught+Us+/18717

Amazon/Rackspace Cloud Reboot
-https://aws.amazon.com/blogs/aws/ec2-maintenance-update/
-https://community.rackspace.com/general/f/34/t/4318?mkt_tok=3RkMMJWWfF9wsRons6nL
ce%2FhmjTEU5z16uglXqe1ipd41El3fuXBP2XqjvpVQcBkMbnPRw8FHZNpywVWM8TILNQVt8RvLAziCm
4%3D

iOS 8 MAC Randomization Usually Disabled
-http://blog.airtightnetworks.com/ios8-mac-randomization-analyzed/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/