SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #83

October 17, 2014

TOP OF THE NEWS

White House Issues Executive Order To Use Chip and Pin
Bash/Shellshock Patches May Not be Enough to Protect Systems
Cyber Security Must be Built Into Battlefield Systems Acquisition Process

THE REST OF THE WEEK'S NEWS

FBI Director Acknowledges Some Warrantless Data Collection, Calls for Updated Wiretapping Laws
Drupal Issues Patch for Critical Vulnerability
South Korea Considering Issuing New National ID Numbers
Universal Plug-and-Play Devices Could be Used in Reflection DDoS Attacks
Poodle Vulnerability Breaks SSL 3.0
Updates This Week From Microsoft, Adobe, Oracle, Google, and Apple
Microsoft's Patch Tuesday
Sandworm
Mozilla Updates Firefox to Version 33
FBI Warns US Companies of Cyber Attacks Linked to China

STORM CENTER TECH CORNER


******************* Sponsored By Bit9 + Carbon Black *********************
Make your PCI assessment process smoother and more efficient! Download the eGuide: 5 Steps to Reduce the Complexity of PCI Assessments to learn how to reduce the scope of the assessment and other positive security maps to the PCI DSS requirements.
http://www.sans.org/info/169567
***************************************************************************

TRAINING UPDATE


--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 | 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today?; A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

White House Issues Executive Order To Use Chip and Pin (October 17, 2014)

The U.S. President today signed a new Executive Order directing the government to lead by example in securing transactions and sensitive data. Multiple initiatives are included. The most important directs the government to secure payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit and debit cards.
-http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security

[Editor's Note (Pescatore): Pushing government point of sale to Chip and PIN is a good thing, but of course doesn't do anything for online payments - only point of sale. The section about stronger authentication (Building Public-Private Awareness About More Secure Authentication:) is equally important - moving away from reusable passwords would reduce identity theft way more than Chip and PIN will. The USG hasn't been consistent on this, since they've been pushing an obsolete Smart Card based solution (PIV) and have rejected less secure, but much more usable/feasible, solutions like text messages as a second factor - such as Google, Paypal, Microsoft and many others are using. In fact, the DEA rejected this approach in its Two Factor Authentication Protocol for Electronic Prescriptions for Controlled Substances - it would be good to see the administration revisit that. ]

Bash/Shellshock Patches May Not be Enough to Protect Systems (October 15, 2014)

Simply patching systems against the Bash/Shellshock vulnerability may not be adequate. Attacks exploiting the flaw appeared within a day of its disclosure. Those attacks may have made changes to systems that would not be remedied by the application of a patch. The problem is due in part to the incomplete patches that were issued initially. Attackers reportedly exploited Bash/Shellshock to create a botnet for a phishing campaign against Spanish-speaking Citibank customers. Many of the compromised machines are running Linux. The command-and-control server for the botnet has been taken offline.
-http://arstechnica.com/security/2014/10/ghost-in-the-bourne-again-shell-fallout-of-shellshock-far-from-over/

-http://www.scmagazine.com/bash-bug-used-to-assemble-botnet/article/377504/
[Editor's Note (Murray): And it was only three weeks ago that we did not need them at all. Is it likely that bash code is worse than all the other code that we are using, or are we only finding these problems here because this is where we are looking? We are here because, at least collectively, this is where we chose to be. ]

Cyber Security Must be Built Into Battlefield Systems Acquisition Process (October 14, 2014)

Cyber security needs to be built into the acquisitions process for battlefield components. Weapons platforms and systems need to be secure. Failing to embed security within these systems is giving adversaries "an advantage that they have not earned."
-http://www.nextgov.com/cybersecurity/2014/10/pentagon-needs-build-cybersecurity-acquisition-process/96461/?oref=ng-channelriver

[Editor's Note (Pescatore): The real issue is: there are already a myriad of STIGs and NSA guides, Defense Acquisition Guidelines on program protection, and other existing DoD cybersecurity guidance around building and configuring systems and components, why isn't the security level better? One area that stands out: the lack of prioritization of what are the most important things to do first to thwart as many real world attacks, vs. "do everything under the sun in security" approaches that lead to $5,000 coffee pots that don't make coffee very well.
(Murray): Security requirements are met only at the expense of other requirements of a system. They cannot be considered in isolation. They must be placed on the same list as all of the other requirements and the whole list prioritized. Only then will we appreciate the costs and limitations. ]


**************************** SPONSORED LINKS ******************************
1) The Top 3 Threats to Retail IT Security and How You Can Defend your Data - Tuesday, October 21 at 3:30 PM EDT with Dave Shackleford, Brian Nuszkowski and Josh Daymont. http://www.sans.org/info/169572

2) Watering Hole Attacks: Detect End-User Compromise Before the Damage is Done Wednesday, October 22 at 1:00 PM EDT (17:00:00 UTC) with Garrett Gross and Victor Obando. http://www.sans.org/info/169577

3) What's in your software? Reduce risk from third-party and open source components. Thursday, October 23 at 1:00 PM EDT (17:00:00 UTC) with Adrian Lane. http://www.sans.org/info/169212
***************************************************************************

THE REST OF THE WEEK'S NEWS

FBI Director Acknowledges Some Warrantless Data Collection, Calls for Updated Wiretapping Laws (October 16, 2014)

FBI Director James Comey has admitted that in some cases, his agency does collect information without a warrant. Speaking at the Brookings Institution on Thursday, Comey qualified his statement on television news magazine 60 Minutes earlier in the week that the FBI never conducts surveillance without first obtaining a court order. Comey noted that the two types of cases in which the FBI gathers information without a warrant are when consent has been obtained and when conducting surveillance of foreign suspects under Section 702 of the Foreign Intelligence Surveillance Act. Comey also spoke of his concerns that stronger encryption on new iPhones and Android devices will make it more difficult to pursue investigations. He said that the government needs wiretapping powers because CALEA is outdated and has not kept up with changing technology. He did acknowledge that any provision that allows law enforcement to gain access to communications could also be abused by criminals.
-http://www.nextgov.com/cybersecurity/2014/10/comey-says-fbi-collects-some-digital-information-without-warrant/96659/?oref=ng-channelriver

-http://www.nextgov.com/big-data/2014/10/fbi-wants-internet-wiretapping-powers/96671/?oref=ng-channelriver

-http://www.darkreading.com/fbi-director-urges-new-encryption-legislation/d/d-id/1316711?

Drupal Issues Patch for Critical Vulnerability (October 15 & 16, 2014)

A critical vulnerability in Drupal 7.x could be exploited to gain elevated privileges or execute PHP code through SQL injection attacks. The Drupal team is urging admins to update to version 7.32, which addresses the issue. For those unable to update, a patch is available. Drupal says that more than 1,000,000 users and developers have built web sites with the platform. Named users include Sony Music, the Economist, and MIT.
-http://www.computerworld.com/article/2834650/drupal-releases-patch-for-serious-sql-injection-flaw.html

-http://www.theregister.co.uk/2014/10/16/drupal_megavuln_sql_injection/
-http://www.scmagazine.com/drupal-core-contains-highly-critical-sql-injection-vulnerability/article/377718/

-http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/108861
-http://www.zdnet.com/sql-injection-flaw-opens-drupal-sites-to-attack-7000034719/

South Korea Considering Issuing New National ID Numbers (October 14 & 16, 2014)

South Korea is considering reissuing national ID cards for every citizen following a series of breaches that compromised the current national ID numbers of nearly 80 percent of the country's population. Replacing cards for all 50 million citizens would cost US $650 million. Businesses would incur costs associated with updating systems with the new numbers. Current numbers are not randomized.
-http://www.scmagazine.com/replacing-cards-after-breach-could-cost-govt-650m/article/377721/

-http://www.theregister.co.uk/2014/10/14/south_korea_national_identity_system_hacked/

Universal Plug-and-Play Devices Could be Used in Reflection DDoS Attacks (October 15, 2014)

Akamai says that misconfigured Universal Plug-and-Play (UPnP) devices could be used to launch DDoS reflection attacks. In an advisory, Akamai warned that weaknesses in the UPnP standard put more than four million devices at risk of being recruited by attackers.
-http://www.eweek.com/security/akamai-warns-of-reflection-ddos-attacks-using-millions-of-upnp-devices.html

Poodle Vulnerability Breaks SSL 3.0 (October 14 & 15, 2014)

A vulnerability that has been given the name Poodle could put systems at risk of man-in-the-middle attacks. Poodle, which stands for Padding Oracle on Downgraded Legacy Encryption, allows attackers to break SSLv3, also known as SSL 3.0, which is an outdated yet still used cryptographic protocol.
-http://www.nbcnews.com/tech/security/new-poodle-bug-takes-bite-out-ssl-3-0-web-n225911

-http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
-http://www.wired.com/2014/10/poodle-explained/
-http://www.eweek.com/security/poodle-flaw-found-in-legacy-ssl-3.0-encryption.html

-http://www.zdnet.com/google-reveals-major-flaw-in-outdated-but-widely-used-ssl-protocol-7000034677/

Internet Storm Center:
-https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

-https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837

-https://www.sans.org/webcasts/about-poodle-99032
[Editor's Note (Ullrich): It is tricky to accurately determine the impact of this vulnerability. The issue is tricky to exploit, and so far, we haven't seen any evidence of exploitation against vulnerabilities like BEAST. But overall, SSLv3 is showing its age and you should consider disabling it. Browsers started to disable SSLv3, or at least no longer support block ciphers with SSLv3, which is a bit of a questionable choice. An additional link to this story:
-https://poodletest.com
(site to test your browser for SSLv3 support) ]

Updates This Week From Microsoft, Adobe, Oracle, Google, and Apple (October 14 & 16, 2014)

This has been a big week for updates. This week alone brought scheduled fixes from Microsoft, Adobe, and Oracle as well as an update for Google's Chrome browser and Chrome OS, and for Apple's OS X, which addresses issues resulting from the Bash/Shellshock vulnerability.
-http://krebsonsecurity.com/2014/10/microsoft-adobe-push-critical-security-fixes/
-http://www.computerworld.com/article/2833823/a-bumper-harvest-patch-of-updates-for-october.html

[Editor's Note (Pescatore): I think a quad core Intel I7 CPU is rated at something like 80 Million Instructions per second. This month's Vulnerability Tuesday patching and rebooting will take about 15 minutes per PC (more if Oracle or Adobe trick you into loading those annoying toolbar addons and you have to remove them...) The installed base of Windows PCs is about 1.5 billion. If you multiply all that out, it means that 108,000,000,000,000,000,000 instructions will be executed, or about 56,000 Megawatts of power consumed - all to remediate crappy software that we actually paid for. ]

Microsoft's Patch Tuesday (October 14 & 15, 2014)

Microsoft's set of updates addresses 24 vulnerabilities in a variety of products, including a flaw in Windows and Windows Server 2008 and 2012 that is actively exploited as part of the Sandworm attack (see below). The updates include fixes for a pair of critical flaws in the Windows kernel that could be exploited to execute code.
-http://www.cnet.com/news/microsofts-patch-tuesday-fixes-trio-of-zero-day-flaws/
-http://www.v3.co.uk/v3-uk/news/2375778/microsoft-patches-critical-windows-net-and-ie-zero-day-flaws

-https://technet.microsoft.com/library/security/ms14-oct

Sandworm (October 13, 2014)

A malware-based espionage campaign known as Sandworm targeted systems belonging to the North Atlantic Treaty Organization (NATO), government agencies in Poland and Ukraine, and several European industries over the past five years. One of the flaws exploited in the attack has been patched in Microsoft's most recent set of updates. The Sandworm campaign is believed to originate in Russia.
-http://arstechnica.com/security/2014/10/suspected-russian-sandworm-cyber-spies-targeted-nato-ukraine/

-http://www.wired.com/2014/10/russian-sandworm-hack-isight/

Mozilla Updates Firefox to Version 33 (October 14, 2014)

The newest version of Mozilla's Firefox browser, Firefox 33, addresses eight security issues. Firefox 33 also includes improved security features, including a new Content Security Policy to help limit the likelihood of cross-site scripting attacks.
-http://www.eweek.com/security/firefox-33-fixes-flaws-improves-content-security-policy.html

[Editor's Note (Murray): Browsers continue to be the Achilles Heel of personal computers and personal computers remain the Achilles Heel of the Internet. One can hardly imagine that we might patch our way to a better place. Yet we, save Steve and we will not see his like again, lack the fortitude for the alternative. ]

FBI Warns US Companies of Cyber Attacks Linked to China (October 15 & 16, 2014)

The FBI has issued a private warning to US organizations about cyber attacks being launched by groups with links to the Chinese government. The FBI says that it has given the organizations "information they can use to help determine whether their systems have been compromised by these actors and provides steps they can take to mitigate any continuing threats." Companies are asked to contact the FBI if they believe their systems have been affected.
-http://www.computerworld.com/article/2834496/fbi-warns-of-cyberattacks-linked-to-china.html

-http://www.nbcnews.com/tech/security/fbi-warns-u-s-businesses-china-backed-cyberattacks-n226821


STORM CENTER TECH CORNER

Logging SSL Parameters
-https://isc.sans.edu/forums/diary/Logging+SSL/18847

US-Cert warns of Ebola Malware
-https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns

Oracle Forms 10g Arbitrary Remote Code Execution
-https://www.netspi.com/blog/entryid/243/advisory-oracle-forms-10g-unauthenticated-remote-code-execution-cve-2014-4278

OS X Leaves Indexes With Private Data on USB Drives
-http://www.f-secure.com/weblog/archives/00002752.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/