SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #81

October 10, 2014

TOP OF THE NEWS

Government Says Accessing Foreign Servers Without a Warrant is Legal
Bruce Schneier, CTO of Incident Response Startup, Says Incident Response is Failing In All Areas

THE REST OF THE WEEK'S NEWS

UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure
Microsoft Will Release Nine Security Bulletins on October 14
MBIA Acknowledges Customer Data Compromised
Whistleblower Alleges Northrup Grumman Falsified GPS Tests
Australian Broadcasting Corporation Hit With Ransomware
Adobe Collects eReader Data and Transmits it in Cleartext
Tyupkin Malware Infects ATMs
Half a Million Systems Infected with Qakbot
Alleged Key-logging Scheme Ringleader Arrested

PESCATORE FIRST TAKE - THE SYMANTEC SPLIT

PESCATORE FIRST TAKE - THE SYMANTEC SPLIT

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By SANS ******************************
In case you missed these two webcasts: The Value of On-Demand Endpoint Visibility with Dave Shackleford and Bret Lenmark: http://www.sans.org/info/169247 Also - Analyst Webcast: Advanced Network Protection with McAfee Next Generation Firewall - featuring Dave Shackleford and Steve Smith. http://www.sans.org/info/169202
***************************************************************************

TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today?; A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Government Says Accessing Foreign Servers Without a Warrant is Legal (October 7 & 8, 2014)

The US Justice Department maintains that the government can break into servers outside the country without a warrant. The statement is part of a response to a motion from the legal team of alleged Silk Road mastermind Ross Ulbricht, which claimed that the government's activity violated their client's Fourth Amendment rights and that all information the government gathered when it accessed Silk Road servers should be suppressed.
-http://www.forbes.com/sites/katevinton/2014/10/08/feds-say-that-even-if-the-fbi-
hacked-silk-road-ulbrichts-rights-werent-violated/
-http://www.wired.com/2014/10/feds-silk-road-hack-legal/
-http://arstechnica.com/tech-policy/2014/10/us-says-it-can-hack-into-foreign-base
d-servers-without-warrants/
[Editor's Note (Honan): If this is upheld I believe it will be a very slippery slope as it could give law enforcement a blank cheque to access systems they "believe" to be conducting illegal activity. ]

Bruce Schneier, CTO of Incident Response Startup, Says Incident Response is Failing In All Areas (October 9, 2014)

In a keynote speech at the IP Expo conference in London, Bruce Schneier said that while preventing and detecting attacks is necessary, organizations need to pay more attention to incident response, because attacks are inevitable, and the ability to recover quickly is essential to an organization's integrity.
-http://www.theregister.co.uk/2014/10/09/your_security_defences_are_going_to_fall
_get_over_it_schneier/
[Editor Comment (Paller): These are specialized skills. Organizations that believe they can contract for them when needed, with Bruce's start up or any other firm, can look forward to being the next Target. Financial leaders and other smart organizations call these key on-staff people "threat analysts" and pay them among the highest salaries in security. One great "ah ha" those leaders shared with me is that a bunch of security people call themselves threat analysts but do not have the advanced forensics and technical mastery of exploits and mitigations to be useful. Relying on non-technical threat analysts is dangerous. Get them technically skilled, or get them out. ]

(Northcutt): Organizations need to consider having a response coach on retainer. There are several qualified groups such as Mandiant and Dell Secureworks:
-http://www.mandiant.com/resources/downloads/
-http://go.secureworks.com/lp-incident-response-preparedness]

---

**************************** SPONSORED LINKS ******************************
1) The Top 3 Threats to Retail IT Security and How You Can Defend your Data - Tuesday, October 21 at 3:30 PM EDT (19:30:00 UTC) with Dave Shackleford, Brian Nuszkowski and Josh Daymon. http://www.sans.org/info/169207

2) What's in your software? Reduce risk from third-party and open source components. Thursday, October 23 at 1:00 PM EDT (17:00:00 UTC) with Adrian Lane. http://www.sans.org/info/169212

3) In Case You Missed It: Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Erick Ingleby: http://www.sans.org/info/167667
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure (October 9, 2014)

Police in the UK have reported that several mobile phones in their possession as evidence have been remotely wiped. The feature is designed to prevent owners' data from being exposed if a phone is stolen.
-http://www.bbc.com/news/technology-29464889
-http://www.zdnet.com/smartphones-remotely-wiped-in-police-custody-as-encryption-
vs-law-enforcement-heats-up-7000034521/
[Editor's Note (Pescatore): Since remote wipe is an important security feature, this piece should really be titled "UK Police Forget to Protect Seized Smartphones from Remote Wipe."
(Honan): Let this be a lesson for all incident response handlers and forensic investigators that just because the device is physically in your possession does not necessarily mean it is in your total control. Remember to take appropriate steps to ensure the integrity of the evidence you are dealing with, whether this be faraday cases/bags or examining the devices when they are totally disconnected from a network. ]

Microsoft Will Release Nine Security Bulletins on October 14 (October 9, 2014)

On Tuesday, October 14, Microsoft plans to release nine security bulletins to address issues in Internet Explorer (IE), Windows, SharePoint Server, and Web app development tools/kit. Three of the bulletins have been given a critical rating, five an important rating, and one a moderate rating.
-http://www.zdnet.com/microsoft-to-issue-nine-security-updates-to-windows-office-
7000034524/
-http://www.computerworld.com/article/2824556/microsoft-slates-critical-windows-i
e-fixes-for-next-week.html
-https://technet.microsoft.com/en-us/library/security/ms14-oct.aspx

MBIA Acknowledges Customer Data Compromised (October 7, 8, & 9, 2014)

US bond insurer MBIA has acknowledged that a misconfigured server was exposing customers' personal information, including account numbers and balances. The company took down the affected site. Google had already indexed more than 200 pages of account statements.
-http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/
-http://www.scmagazine.com/mbias-client-data-may-have-been-accessed-illegally/art
icle/376195/

Whistleblower Alleges Northrup Grumman Falsified GPS Tests (October 8, 2014)

A Northrup Grumman employee has accused the military contractor of falsifying tests of its LN-100 Inertial Navigation System/Global Positioning System (INS/GPS), which is used in the company's aircraft, missiles, and submarines. Although the case was filed in September 2012, it was only just made public after a judge in Utah ordered it unsealed on Friday, October 3. Each LN-100 unit was tested, with each test taking 10 minutes, according to the complaint, because they often failed the test, technicians were told to "manually key in positive responses" so that the test printouts would indicate that the units had passed.
-http://arstechnica.com/tech-policy/2014/10/whistleblower-suit-accuses-northrop-g
rumman-of-fudging-gps-systems-testing/
Complaint:
-http://cdn.arstechnica.net/wp-content/uploads/2014/10/Todd-Donaldson-Vs-Northrop
-Grumman.pdf
[Editor's Note (Murray): One would like to think that engineering ethics, industry and corporate culture, and enterprise controls would be sufficient to avoid this kind of failure before the False Claims Act kicks in. Industry must learn that the FCA is a very expensive control. ]

Australian Broadcasting Corporation Hit With Ransom-ware (October 8, 2014)

The Australian Broadcasting Corporation's (ABC) 24-hour news programming was disrupted for less than an hour after the organization became the victim of a ransom-ware attack. The malware gained purchase in the system after an employee clicked on a link provided in a phishing email that appeared to be from Australia Post and which claimed to contain information about a package that could not be delivered. The attack also targeted Australia Post customers.
-http://www.abc.net.au/news/2014-10-07/fake-auspost-emails-used-in-crypto-ransomw
are-attack/5795734
-http://www.cnet.com/au/news/crypto-ransomware-scam-email-brings-down-abc-news-24
/
-http://www.scmagazine.com/ransomware-phishing-campaign-takes-australian-station-
off-the-air/article/376190/
-http://www.nextgov.com/cybersecurity/threatwatch/2014/10/unauthorized-use-system
-administrator-privileges/1601/
[Editor's Note (Murray): "...an employee clicked on a link provided in a phishing email..." must not be sufficient to compromise mission critical systems. Think restrictive access controls, multi-party controls, layering, and end-to-end encryption. (Honan): A prime example of why you should not have critical networks interfacing or connected in any way with non-critical networks, especially those connected to the Internet. ]

Adobe Collects eReader Data and Transmits it in Cleartext (October 7 & 8, 2014)

Adobe has acknowledged that its Digital Editions ebook reader gathers information about users' reading histories and sends the data back to the company unencrypted. Adobe maintains that the feature is designed to prevent piracy. The company says the information it collects, which includes user, device and app IDs; IP addresses; duration of reading; and percentage of book read is data that could be demanded by publishers. Adobe now says it plans to issue an update to the software to address the cleartext data transmission.
-http://www.nbcnews.com/tech/security/adobe-issue-software-fix-after-report-leaki
ng-user-reading-habits-n220506
-http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-
logs-back-to-adobe-in-plain-text/
-http://www.theregister.co.uk/2014/10/08/adobe_says_it_slurps_ebook_data_in_plain
_text_because_privacy_is_important/
-http://www.theregister.co.uk/2014/10/07/adobe_digital_editions_4_caught_snooping
_into_ebook_collections_of_users/
-http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-eboo
k-libraries/#.VDSA0r4XkzD
[Editors Note (Pescatore): I think I see a connection: Adobe was building in spyware capabilities into its ebook reader software at the same time it has been unable to prevent its Acrobat PDF software from being compromised by attackers. Adobe needs to change its business values to focus on privacy and security of the users of their software. Just adding encryption when the spyware capabilities in their ebook software talks to the Adobe Command and Control server does *not* do that. ]

Tyupkin Malware Infects ATMs (October 7 & 8, 2014)

ATMs around the world are being infected with malware known as Tyupkin that allows thieves to steal piles of cash. The scheme requires physical access to the targeted ATMS, both to inject the malware and to retrieve the money. Tyupkin is active only during certain times, which makes it more difficult to detect the attacks. The money is gathered by so-called "mules," who obtain one-time-use codes to enter to access the machines from the ringleaders. The targeted machines are running on Windows 32-bit platforms.
-http://www.bbc.com/news/technology-29537907
-http://www.zdnet.com/atm-malware-dispenses-cash-to-attackers-7000034416/
-http://arstechnica.com/security/2014/10/dozens-of-european-atms-rooted-allowing-
criminals-to-easily-cash-out/
-http://www.scmagazine.com/new-tyupkin-malware-has-spread-to-atms-in-the-us-and-o
ther-countries/article/375948/
-http://www.darkreading.com/hackers-steal-millions-in-cash-from-atms-using-tyupki
n-malware/d/d-id/1316421?_mc=sm_dr
-http://www.theregister.co.uk/2014/10/08/atm_hack_report/
[Editor's Note (Pescatore): Putting any computer in unattended public spaces *without* physical alarms/tamper protection is pretty much like *not* putting covers on manholes/utility vaults in streets. Whitelisting has been used quite successfully on ATMs to prevent remote malware installs, but physical access that allows root-kitting/reboot of ATM machines means game over. ]

Half a Million Systems Infected with Qakbot (October 7, 2014)

A group of cyber criminals has reportedly infected more than half a million systems around the world with malware known as Qakbot. The malware seeks access credentials of online bank accounts. The group behind the attack is being called Northern Gold. The malware was spread through compromised WordPress sites.
-http://www.theregister.co.uk/2014/10/07/monster_banking_trojan_botnet_claims_500
000_victims/
-http://www.scmagazine.com/banking-credentials-targeted-by-russian-cybercrime-gro
up/article/375914/

Alleged Key-logging Scheme Ringleader Arrested (October 6 & 7, 2014)

Authorities have arrested a man who allegedly orchestrated a scheme in which California high school students placed keystroke loggers on teachers' computers so he could change students' grades. Timothy Lance Lai, a tutor, disappeared after the scheme came to light, but was arrested earlier this week in Los Angeles. The scheme resulted in 11 students being expelled from the school.
-http://arstechnica.com/tech-policy/2014/10/high-school-tutor-accused-of-planning
-keylogging-ring-finally-arrested/
-http://www.ocregister.com/articles/lai-637551-police-students.html

---

PESCATORE FIRST TAKE - THE SYMANTEC SPLIT

--Pescatore First Take - Symantec publicly announced that it would split into two companies: one will be focused on security and the other on data and storage. Symantec had underperformed in the security market ever since acquiring Veritas in 2005 and then Altiris in 2007 while pursuing a strategy that treated security the same as storage management or desktop management. Over that same timeframe, threats continued to evolve and trends like BYOD and cloud/everything as a service drove changes in the security market that Symantec failed to address in its products and services.

Overall, Symantec abandoning this failed approach and having a business focused on security is a positive move. For users of Symantec's varied security products and services, however, there will be near term impacts that will not all be positive. The security-only part of Symantec will need to look at its security product offerings and make decisions on what survives and what is discontinued. On the endpoint security product side, in 2013 Symantec announced a strategy that combined the security and non-security desktop product teams. If Symantec will truly focus on security, the split will require major changes to that strategy and those product areas.

---

STORM CENTER TECH CORNER

CSAM: You better start listening when servers start talking IRC
-https://isc.sans.edu/forums/diary/CSAM+My+servers+started+speaking+IRC+and+that+
is+when+I+started+to+listen+/18799

HongKong Protest Websites Spread Malware
-http://www.volexity.com/blog/?p=33

NCSAM: Your ISP is Calling.
-https://isc.sans.edu/forums/diary/CSAM+Month+of+False+Positives+-+Our+ISP+Says+W
ere+Hosting+a+BotNet/18785

Security Vulnerability in Bugtracker Bugzilla
-http://www.checkpoint.com/blog/bug-bug-tracker/

RSA 1024 Bit Key Update: Not quite broken yet, but still weak
-https://isc.sans.edu/forums/diary/Confusion+over+SSL+and+1024+bit+keys/18775

Belkin Routers Block Internet Access after "Heartbeat" server goes offline
-https://isc.sans.edu/forums/diary/Belkin+Router+Apocalypse+heartbeat+belkin+com+
outage+taking+routers+down/18779

Cookoo Sandbox Vulnerability
-http://cuckoosandbox.org/2014-10-07-cuckoo-sandbox-111.html

Odd "Window Size 6667" traffic
-https://isc.sans.edu/forums/diary/Shellshock+More+details+released+about+CVE-201
4-6277+and+CVE-2014-6278+Also+Does+Windows+have+a+shellshock+problem+/18769

CSAM: Patching leaves system more vulnerable
-https://isc.sans.edu/forums/diary/CSAM+Patch+and+get+pw0ned+not+OR+/18771

Manuel's nmap tips and tricks
-https://isc.sans.edu/forums/diary/Detecting+irregular+programs+and+services+inst
alled+in+your+network/18763
-https://isc.sans.edu/forums/diary/Testing+for+opened+ports+with+firewalk+techniq
ue/18761

iWorm Infection Method
-http://www.thesafemac.com/iworm-method-of-infection-found/

JPMorgan Update
-http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-
assault/?_php=true&_type=blogs&_r=0

Details About two more bash vulnerabilities
-http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/