
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #80

October 10, 2014

TOP OF THE NEWS

JPMorgan Chase Breach
DOD Aims for More Transparency in Cyber Strategy
New FISMA Regulations Allow DHS to Scan Some Civilian Networks

THE REST OF THE WEEK'S NEWS

AT&T Employee Fired for Accessing Customer Data
Bugzilla Flaws Could Expose Lists of Undisclosed Vulnerabilities
NYC Says Bluetooth Beacons Must be Removed from Pay Phones
Heartland CEO Talks About Security
Attackers Used Bash Vulnerability to Target Yahoo Servers
Mac Botnet
FCC Fines Marriott for Blocking Guests' Wi-Fi Hotspots


************************* Sponsored By Symantec **************************
Symantec Webcast: How not to be Dumb with a Smart Phone, Oct. 16 Join Symantec and learn the security risks of a smart phone, the latest mobile scams; and simple, practical steps to keeping yourself and your organization safe while using a mobile device.
http://www.sans.org/info/168852
***************************************************************************
TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

JPMorgan Chase Breach (October 3,4,5, & 6, 2014)

According to the New York Times, the breach that compromised personal information at JPMorgan Chase also affected nine other as-yet unnamed financial institutions in the US.
-http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/

-http://www.csmonitor.com/Innovation/Latest-News-Wires/2014/1004/Hackers-hit-bank.-Is-your-money-safe-anywhere

-http://www.theregister.co.uk/2014/10/05/report_says_russians_behind_jpmorgan_chase_cyber_attack/

-http://www.computerworld.com/article/2691736/jpmorgan-chase-attackers-hit-other-banks.html

-http://www.zdnet.com/jpmorgan-chase-bank-hack-it-gets-worse-7000034337/
-http://www.scmagazine.com/the-chase-data-breach-has-prompted-a-regulator-to-meet-with-chief-executives-of-regulated-firms/article/375675/

[Editor's Note (Pescatore): The attackers seem to be launching SMS message phishing attacks against the customers they identified. Worth reminding users that no real bank would ever ask for meaningful information over text messaging. ]

DOD Aims for More Transparency in Cyber Strategy (October 3, 2014)

The US Defense Department (DOD) is well aware that it must incorporate deterrence into its cyber strategy, and Eric Rosenbach, assistant secretary of defense for homeland defense and global security, says that DOD also needs to be more transparent about that strategy, noting that a lack of transparency can create suspicion among other countries.
-http://www.federalnewsradio.com/241/3714846/DoD-to-be-more-transparent-about-strategy-to-deter-cyber-attacks

New FISMA Regulations Allow DHS to Scan Some Civilian Networks (October 3, 2014)

The US Office of Management and Budget (OMB) is granting the Department of Homeland Security (DHS) authority to scan certain civilian networks for indications of threats. The issue came up after DHS had to get permission from agencies to scan for Heartbleed, which delayed mitigating that threat. New rules for compliance with the Federal Information Security Management Act (FISMA) require the agencies to agree to the DHS scanning.
-http://www.federalnewsradio.com/513/3715204/White-House-gives-DHS-new-powers-to-scan-some-civilian-agency-networks-for-cyber-vulnerabilities

-http://www.nextgov.com/cybersecurity/2014/10/dhs-no-longer-needs-permission-slips-monitor-other-agencies-networks-vulnerabilities/95807/?oref=ng-HPtopstory

[Editor's Note (Pescatore): Last month DISA, DHS and OMB put out the FY15 FISMA Metrics, which nicely tracks the Critical Security Controls and the DHS Continuous Diagnostics and Mitigation program. These new rules essentially allow DHS to do the scanning and network IDS monitoring of external facing government sites - a good thing to do consistently and thoroughly. The Multi-State ISAC has launched a similar effort for US State government web sites. ]


**************************** SPONSORED LINKS ******************************
1) FREE e-book: "Incident Response with NetFlow for Dummies" - Download Today: http://www.sans.org/info/168857

2) Are insiders and electronic health records still top concerns among health care orgs? Take 2nd SANS Health Care Security Survey and enter to win an iPad. http://www.sans.org/info/168862

3) Join the SANS Institute as we bring the Industrial Control Systems Security briefing to the Oil & Gas Community in the Calgary area. This 1/2 day event provides a unique opportunity to engage in dialogue around Industrial Control Systems cybersecurity issues specific to the Energy Industry and learn about key solution capabilities/customer success stories. Register here: http://www.sans.org/info/168867
***************************************************************************

THE REST OF THE WEEK'S NEWS

AT&T Employee Fired for Accessing Customer Data (October 6, 2014)

AT&T has fired an employee for allegedly accessing customers' personal data, including driver's license and Social Security numbers, as well as customer metadata about calls made. AT&T notified the affected customers by letter.
-http://www.theregister.co.uk/2014/10/06/att_cops_to_insider_data_breach/
-http://www.zdnet.com/at-and-t-hit-by-insider-data-breach-unspecified-number-of-accounts-accessed-7000034386/

-http://www.net-security.org/secworld.php?id=17456
Text of Letter:
-http://ago.vermont.gov/assets/files/Consumer/Security_Breach/AT&T%20ltrt%20Consumer%20re%20Security%20Breach.pdf

[Editor's Note (Pescatore): AT&T had similar insider abuse back in April. In both cases it seems to have taken nearly two months from the time of the database access to ATT's public notification. On the positive side, it seems AT&T is detecting such abuse before customers start complaining about account fraud, but two months is still a long way from "continuous monitoring." ]

Bugzilla Flaws Could Expose Lists of Undisclosed Vulnerabilities (October 6, 2014)

Vulnerabilities in the Bugzilla bug-tracking tool could be exploited to add users to the administrator group, which would allow them to view information about unpatched vulnerabilities. Bugzilla has released a public patch; last week, it notified large projects that use the tool after it was informed of the problem.
-http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/
-http://arstechnica.com/security/2014/10/check-point-hacks-bugzilla-tracking-system-to-demonstrate-bad-bug/

-http://www.theregister.co.uk/2014/10/07/bugzilla_buggy/

NYC Says Bluetooth Beacons Must be Removed from Pay Phones (October 6, 2014)

The New York City Mayor's office has ordered that Bluetooth beacons placed on pay phones in the city by a digital advertising company be removed. The technology is designed "to log nearby phones' Bluetooth addresses" to track movements and potentially allow advertisers to send customized, localized advertisements. Users who have turned off Bluetooth are not "seen" by the beacons. The company responsible for the beacons says they do not collect personal data and that they can be used with smartphones only if users have downloaded an app that has the technology embedded and have opted in to the process.
-http://arstechnica.com/tech-policy/2014/10/new-york-city-orders-bluetooth-beacons-in-pay-phones-to-come-down/

-http://www.forbes.com/sites/kashmirhill/2014/10/06/no-need-to-freak-out-about-beacons/

Heartland CEO Talks About Security (October 6, 2014)

Unlike many executives at companies that have experienced major breaches, Heartland Payment Systems' CEO Robert Carr has spoken candidly about the company's 2008 breach and what they have learned from the experience. Carr said that Heartland decided it was "not going to clam up and try to point fingers at somebody else," and instead, took steps to improve information security, implementing end-to-end encryption, tokenization, and EMV chip-and-PIN payment card technology. Carr also said that "liability needs to be held by the breached party. Otherwise, there's no other way to police anything."
-http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388?_mc=sm_dr

[Editor's Note (Pescatore): The Heartland CEO points out "... a lot of companies haven't implemented the basics, and they are paying the price for it." Which echoes Verizon's findings in their Data Breach Investigation Report that more than 75% of breaches took advantage of simple vulnerabilities, and the DBIR also includes a chart that maps breaches in various industries to which Critical Control would have prevented that breach.
(Murray): It is difficult to argue with the one CEO in this space who really knows what he is talking about. However, there is just too much of this system that is not in the control of any one enterprise to hold them accountable for breaches. As long as we pass credit card numbers in the clear at the point of sale and fraudulent reuse of credit card numbers is easy, merchants will continue to be victimized. We need to be able to substitute tokens, a la Apple Pay/Visa Token Service, at transaction time. This requires a minimum of an EMV card, preferably a mobile computer. Let's spend our energy fixing the broken system, not fixing blame. ]

Attackers Used Bash Vulnerability to Target Yahoo Servers (October 6, 2014)

Attackers targeted at least two Yahoo servers by exploiting a recently disclosed vulnerability in Bash. The attack was reportedly part of an effort to build a network of infected machines. While Yahoo initially confirmed the Bash attack, the company's CIO later amended the statement to indicate that the attackers did not exploit the Bash vulnerability, but instead, a different flaw in a debugging script that the company was using.
-http://www.forbes.com/sites/thomasbrewster/2014/10/06/yahoo-hacked-by-bash-bug-attackers/

-http://www.theregister.co.uk/2014/10/06/yahooi_shellshockedii_asii_bashii_bugii_bangsii_upii_gamingii_serversii/

Mac Botnet (October 3 & 6, 2014)

Apple is taking steps to shutter a botnet made up of compromised Macs. Apple has released an updated version of its OS X antimalware component with new signatures so that it detects several variants of the malware responsible for the infections.
-http://www.darkreading.com/attacks/new-mac-botnet-leverages-reddit/d/d-id/1316352?

-http://www.darkreading.com/perimeter/apple-makes-move-to-shut-down-mac-botnet/d/d-id/1316392?_mc=sm_dr

-http://www.scmagazine.com/apple-updates-xprotect-blacklists-iworm-variants/article/375649/

-http://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/

-http://arstechnica.com/apple/2014/10/apple-updates-definitions-to-prevent-iworm-botnet-malware-on-macs/

FCC Fines Marriott for Blocking Guests' Wi-Fi Hotspots (October 3, 2014)

Marriott has agreed to pay the US Federal Communications Commission (FCC) US $600,000 to settle charges that the company blocked guests' personal hotspots, forcing them to use the hotel's WiFi at significant cost. The Gaylord Opryland Hotel in Nashville, Tennessee, admitted to the blocking, saying that it normally established wireless services and networks for groups at the convention facility, charging US $250 to US $1,000 per access point. The service provided by the hotel includes a monitoring system that blocks networks that are not its own.
-http://arstechnica.com/tech-policy/2014/10/after-blocking-personal-hotspot-at-hotel-marriott-to-pay-fcc-600000/

-http://www.theregister.co.uk/2014/10/03/marriott_jamming_wifi_fcc/
[Editor's Note (Murray): Accountability in lieu of transparency. While objectionable in any case, the hotel could easily have made this a part of its contract. ]


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/