
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #79

October 03, 2014


18 employers found a rich new source of job seekers with strong cybersecurity skills at the first US National Cybersecurity Career Fair (NCCF) in June where candidates differentiated themselves to employers through their scores on the SANS CyberTalent Assessment exam. Nearly 3,000 candidates attended the totally-online, two-day event to connect with 18 top employers such as JP Morgan Chase, the NSA, NBC Universal, CBS, Citi, Juniper, Solutionary, and Stroz Friedberg. The NCCF will be run again in November and this time is open to all US employers. To learn more, email Max Shuftan at mshuftan@cyberaces.org or go to nationalcybersecuritycareerfair.com. More information on the CyberTalent Assessment is at https://app.brazenconnect.com/events/cyberaces-us-career-fair

Alan

TOP OF THE NEWS

JP Morgan Chase: Breach Affected 76 Million Households
Shellshock BASH Flaw Exploited in Attacks on NAS Devices
FDA Issues Medical Device Cyber Security Guidance

THE REST OF THE WEEK'S NEWS

FBI Develops Malware Analysis Tool for Wider Use
Code to Exploit Insidious USB Flaw Posted to Web
House Intelligence Committee Chairman Says Country Needs Offensive Cyber Policy
Four Charged in Military and Xbox Data Theft
ComputerCOP Safety Software Not So Safe
Interpol Cyber Crime Center
Man Sentenced to Prison for Trying to Buy Stolen Data

STORM CENTER TECH CORNER


************************** Sponsored By SANS ***************************
Healthcare Cyber Security Summit - San Francisco, CA - Dec 3-10, 2014 - SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses: ICS410, SEC301, SEC504, SEC542, FOR508 & Health Care Security Essentials.
http://www.sans.org/info/168042
***************************************************************************
TRAINING UPDATE


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 | 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


--DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 | 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

JP Morgan Chase: Breach Affected 76 Million Households (October 2, 2014)

In a filing with the US Securities and Exchange Commission (SEC), JPMorgan Chase disclosed that a security breach earlier this year affected 76 million households and seven million businesses, and that the data compromised include phone number and email addresses, but not account information. The company has denied emerging reports of a second breach.
-http://www.nbcnews.com/tech/security/jpmorgan-chase-says-76-million-households-affected-data-breach-n217156

-http://www.nbcnews.com/tech/security/jpmorgan-we-are-not-aware-new-cyber-attack-n216901

JPMorgan Chase SEC Filing:
-http://archive.fast-edgar.com//20141002/AP22A22FZZ2RM2Z222TQ2CXQC7C8YZ22N262/
[Editor's Note (Murray): While only half the size of the eBay compromise, this breach is similar in that it compromises personal information that cannot be easily changed. Unlike credit card numbers, which are used in transaction fraud but are easily changed and traced, this is the kind of information used in social engineering support desks, application fraud, and identity theft, but which can neither be changed nor tracked back to the source of the compromise.
(Northcutt): It is no secret that some of the Wall Street banks have been seriously targeted in the past couple years. Kathy and I have transferred our IRAs from Morgan Stanley in the past year, but of course they still have our PII. I expect to see a few interesting emails in the coming months. I have learned to NEVER respond to any Internet stimulus of any kind. When I need a good or service I will go get it; but ignore and delete 100% of email offers.
-http://blog.creditcardslab.com/more-banks-and-wall-street-targeted-in-cyber-attacks.html
]

Shellshock BASH Flaw Exploited in Attacks on NAS Devices (October 2, 2014)

Attackers are actively exploiting the Shellshock vulnerability in Bash to target network attached storage (NAS) devices. The attacks could be used to gain access to all data stored on the systems. Most of the targeted systems have been in Japan and Korea.
-http://www.darkreading.com/operations/shellshock-attacks-spotted-against-nas-devices-/d/d-id/1316285?

-http://www.computerworld.com/article/2690796/security0/shellshock-attackers-targeting-nas-devices.html

-http://www.v3.co.uk/v3-uk/news/2373493/hackers-using-shellshock-to-sneak-into-nas-systems

FDA Issues Medical Device Cyber Security Guidance (October 1, 2014)

The US Food and Drug Administration (FDA) has released guidance for medical device cyber security. The publication offers recommendations to manufacturers and urges them to "consider cybersecurity risks as part of the design and development of a medical device." The agency also encourages manufacturers to provide the FDA with documentation about risks in devices and plans to mitigate those risks, as well as plans for providing updates and patches. The FDA is holding a workshop on the issue later this month.
-http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm
-http://www.scmagazine.com/food-and-drug-administration-finalize-guidelines-on-medical-device-security/article/374882/

-http://www.usatoday.com/story/tech/2014/10/01/fda-medical-devices-cybersecurity/16543731/

[Editor's Note (Assante): The FDA has embarked on an important effort that can serve as a model for future greenfield design of critical industrial processes and facilities. Placing cyber into the functional requirements phase of a design charges engineers with accounting for cyber in their engineering design process and in determining their safety basis. Cyber-informed engineering is a powerful tool that will help us unlock the benefits of technology while responsibly managing and reducing the consequences of its misuse by others.
(Henry): I'm glad to see the movement here, though it's a long time coming. The healthcare sector is one that is lagging in terms of awareness of the risk. I recently spoke with a company in the medical device industry. The product life cycle in their specific industry is typically 5 years...original idea to proof-of-concept to engineering to testing to manufacturing to more testing to re-engineering to sale. Their Chinese competitors' "life cycle"? It's only 18 months. Know why? They only have to worry about manufacturing and sales, because the "original idea", the engineering, etc. is stolen from their US counterpart. Eliminating 3.5 years from the product life cycle provides a significant competitive advantage, and that can stifle innovation and cripple US manufacturers. ]


**************************** SPONSORED LINKS ******************************
1) SANS 9th Log Management Survey Results Webcast, October 6 at 1pm EDT. Hear new findings and update on log analysis software implementation. http://www.sans.org/info/168432

2) Next Generation Endpoint Security to Stay Ahead of Evolving Advanced Targeted Threats Friday, October 17 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore, Steve Lowing. http://www.sans.org/info/168437

3) Are insiders and electronic health records still top concerns among health care orgs? Take 2nd SANS Health Care Security Survey and enter to win an iPad. http://www.sans.org/info/168442
***************************************************************************

THE REST OF THE WEEK'S NEWS

FBI Develops Malware Analysis Tool for Wider Use (September 30, 2014)

The FBI is developing a version of its Binary Analysis Characterization and Storage System (BACSS) to be used by "other government agencies, law enforcement, researchers, and private sector partners." Called Malware Investigator, the tool will scan suspicious files.
-http://www.scmagazine.com/fbi-announces-malware-investigator-security-portal/article/374487/

-https://www.virusbtn.com/conference/vb2014/abstracts/BurnsOpacki.xml
-http://malwareinvestigator.gov

Code to Exploit Insidious USB Flaw Posted to Web (October 2, 2014)

Code that can be used to exploit a serious vulnerability in USB devices has been posted to the Internet. The flaw can be exploited to corrupt USB devices with malware that is virtually undetectable. The issue was revealed in a demonstration at a conference in August, but the code was not released at that time because the researchers knew that it would be dangerous in the wild. Another pair of researchers, who did release code, believes "that all of this should be public."
-http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
-http://www.scmagazine.com/researchers-release-badusb-code-at-derbycon/article/375126/

-http://gizmodo.com/now-anyone-can-get-the-malware-that-exploits-usbs-funda-1641821985

-https://github.com/adamcaudill/Psychson
[Editor's Note (Murray): Part of the cost of attack is the acquisition of special knowledge; the publication of such special knowledge is irresponsible. "Nice people" do not do it. These "researchers" have reduced the cost of attack and increased the chances that one will encounter a hostile USB device. They have "chosen to be part of the problem." While this disclosure did not change the risk of using any given USB device, it has raised the risk of using USB devices in general and reduced their value. Good hygiene just became a little more important. (When I have made this point in the past, the "researchers" have accused me of personal attacks. For the record, I do not know or care to know the identity of these "researchers." "If the shoe fits, wear it.") ]

House Intelligence Committee Chairman Says Country Needs Offensive Cyber Policy (October 1, 2014)

House Intelligence Committee chairman Mike Rogers (R-Michigan) told an audience at a conference that the government has not developed a policy regarding offensive cyber attacks. Rogers's committee is working on a draft policy.
-http://www.federaltimes.com/article/20141001/CYBER/310010028/U-S-not-ready-launch-offensive-cyber-attacks-charges-Congressman

-http://fcw.com/articles/2014/10/01/intel-chairman-on-cyber.aspx
[Editor's Note (Murray): The absence of a policy is a policy. Cyber weapons, like Stuxnet, are fundamentally different from kinetic weapons; they are not consumed in use, they are easily replicated, and they are just as dangerous to the creator as to the intended target. ]

Four Charged in Military and Xbox Data Theft (October 1, 2014)

Four people have been indicted for allegedly breaking into computer systems at several technology companies and the US Army to steal intellectual property and proprietary data. The four men allegedly stole software and information related to Xbox One and several games for that console as well as software used in military Apache helicopter pilot training. The men are facing a variety of charges, including conspiracy to commit computer fraud, aggravated identity theft, and unauthorized computer access. A fifth man has been charged in Australia in connection with the operation.
-http://www.scmagazine.com/international-hacking-group-members-charged-with-stealing-xbox-and-apache-helicopter-secrets/article/374880/

-http://www.zdnet.com/teen-hackers-charged-with-stealing-100-million-in-army-microsoft-tech-7000034241/

DOJ Press Release:
-http://www.justice.gov/opa/pr/four-members-international-computer-hacking-ring-indicted-stealing-gaming-technology-apache

ComputerCOP Safety Software Not So Safe (October 1, 2014)

Local law enforcement agencies in more than 35 US states have been distributing spyware to families, ostensibly so that parents can protect their children from online predators. According to the Electronic Frontier Foundation (EFF), the software, known as ComputerCOP, "is neither safe nor secure ... [and] isn't particularly effective." The product's keylogger does not encrypt data, and the product can be used to spy on the online activity of anyone with whom the computer is shared.
-https://www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies

-http://www.wired.com/2014/10/cops-giving-parents-spyware/
-http://www.nextgov.com/cybersecurity/2014/10/police-around-country-are-distributing-software-makes-it-easier-hack-your-computer/95603/?oref=ng-channeltopstory

-http://www.cnet.com/news/police-boosted-parental-control-app-is-a-privacy-mess-says-report/

Interpol Cyber Crime Center (October 1, 2014)

Interpol has opened a Global Complex for Innovation (IGCI) center in Singapore; the international law enforcement organization hopes the center will become a "nerve center" in combatting cyber crime around the world. In addition to a forensics lab, IGCI will have a Cyber Fusion Centre to coordinate work in law enforcement, industry, and academia.
-http://www.v3.co.uk/v3-uk/news/2373319/interpol-opens-global-nerve-centre-to-tackle-cyber-crime

Man Sentenced to Prison for Trying to Buy Stolen Data (October 1, 2014)

A Florida man has been sentenced to more than three years in prison for trying to purchase data stolen from a company that essentially operated as an identity theft service. Derric Theoc pleaded guilty to attempting to buy Social Security and bank account information that belongs to 100 people, intending to use the data to open new accounts and file fraudulent tax returns. The individual who operated the service was arrested in 2012. US Secret Service investigators then took over the operations in an attempt to catch customers.
-http://krebsonsecurity.com/2014/10/id-theft-service-customer-gets-27-months/

DOJ Press Release:
-http://www.justice.gov/opa/pr/florida-man-sentenced-27-months-prison-attempting-purchase-100-stolen-identities

[Editor's Note (Murray): This is welcome. With the exception of child pornography, trading in the market for illicit data has been perceived as risk free. ]

STORM CENTER TECH CORNER

Scary False Positives: Outbound SSH Traffic from your Disk Array;
-https://isc.sans.edu/forums/diary/CSAM+My+Storage+Array+SSHs+Outbound+/18751

Mac Malware / Adware: How people fall for it
-https://isc.sans.edu/forums/diary/Why+is+your+Mac+all+for+sudden+using+Bing+as+a+search+engine+/18753

2nd Same Origin Flaw in Android Browser
-http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser/108653

Shellshock: SIP, OpenVPN, VMWare vulnerabilities; HP & Cisco publish bulletins
-http://blog.securityonion.net/2014/10/new-securityonion-bro-scripts-and.html
-http://www.vmware.com/security/advisories/VMSA-2014-0010.html
-https://github.com/zaf/sipshock
-https://news.ycombinator.com/item?id=8385332

XEN Vulnerability
-http://xenbits.xen.org/xsa/advisory-108.html

Apple starts to require app specific passwords
-http://support.apple.com/kb/HT6186

Android and iOS Trojan infecting Hong Kong protesters
-https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/

Securing the Human Releases October Edition of Ouch! Newsletter
-http://www.securingthehuman.org/resources/newsletters/ouch/2014

Stored Attribute-Based XSS in RadEditor
-http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/

Cloudflare offers free SSL for everybody
-https://blog.cloudflare.com/introducing-universal-ssl/


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/