SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #84
October 21, 2014
TOP OF THE NEWS
No Repercussions for Failing to Comply with FedRAMP Standards?
Staples Breach
Eight Industries Now Receiving Classified Cyber Threat Information
THE REST OF THE WEEK'S NEWS
China Using Phony Apple Certificate to Snoop on iCloud
Apple's New OS X Yosemite Sends Search Data and Location Back To Company Servers
Login Page for Dropbox Phishing Scheme Hosted on Dropbox
Microsoft Pulls a Patch After Reports of "Unexpected Behavior"
Florida Supreme Court Says Warrant Required for Cell Phone Tracking
Washington, DC Police and Stingray
Sandworm Targets SCADA Systems
STORM CENTER TECH CORNER
******************* Sponsored By Bit9 + Carbon Black *********************
Download the free eGuide: An IT Auditor's Guide to Security Controls and Risk Compliance.
http://www.sans.org/info/169877
***************************************************************************
TRAINING UPDATE
- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014
- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/
- --SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014
- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
- --Looking for training in your own community?
http://www.sans.org/community/
- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials
Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
No Repercussions for Failing to Comply with FedRAMP Standards? (October 15, 2014)
US government agencies that missed a June 5, 2014 deadline for ensuring that their cloud computing systems met a set of baseline security standards appear unlikely to face repercussions. The Federal Risk and Authorization Management Program (FedRAMP) established the standards in late 2011. The Office of Management and Budget (OMB) created the FedRAMP program office and the Joint Authorization Board in 2011, but neither has the authority to enforce agency FedRAMP compliance.
-http://www.nextgov.com/cloud-computing/2014/10/fedramp-toothless-unauthorized-cloud-systems-abound-agencies-igs-say/96569/
[Editor's Note (Pescatore): There are really 3 major findings here: (1) The Federal CIO issued a "cloud first edict" back in 2011, before the FedRAMP process was operational, with no accredited services yet available. (2) OMB never provided guidance on contractual terms for government procurements of cloud services; and (3) Government agencies who routinely fail audits on asset inventory of their own systems are failing audits of the inventory of the cloud services they use. The first two findings reflect on the "Cloud First" approach vs. "Secure Cloud First" that could have been pushed. The third finding is just another advertisement for the Critical Security Controls.
(Murray): Government standards are usually written in the passive voice so as to avoid any accountability for the authors. The result includes avoiding accountability for those to whom the standards are intended to apply. ]
Staples Breach (October 20, 2014)
Staples is the latest retailer to have been identified as having likely experienced a data security breach. The Massachusetts-based office supply store chain is investigating "a potential issue" and has contacted law enforcement. Information from sources at banks in the northeastern US suggests that the breach affects stores in Pennsylvania, New York, and New Jersey.
-http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/
[Editor's Note (Honan): It is worrying to see such a large number of US retailers becoming victims of cybercrime. As there is no mandatory reporting in Europe (except for personal data breaches in Telecommunication companies), we shouldn't be too smug in thinking European retailers are more secure; it may simply be that they are not telling anyone about the breaches.
(Murray): All retailers are at high risk. We must now assume that many more are compromised than know about it. Merchants should be actively looking for evidence of breaches. Consumers should join with the White House in requesting EMV ("Chip") cards. They should avoid the use of accounts where the issuers fail to comply, prefer merchants that are EMV ready, and reconcile their accounts on a timely basis. ]
Eight Industries Now Receiving Classified Cyber Threat Information (October 20, 2014)
The number of industries participating in the US Department of Homeland Security's Enhanced Cybersecurity Services Initiative has more than doubled since July 2014. The program provides participating companies with classified threat information that they can use to help protect their systems. As of July, just the energy, communications, and defense industries were participating, but they have since been joined by the financial, water, chemical, transportation, and information technology industries. The voluntary program was previously open only to defense contractors, but in 2013 was expanded to include companies that manage the country's critical infrastructure.
-http://www.nextgov.com/cybersecurity/2014/10/number-industries-getting-classified-cyberthreat-tips-dhs-has-doubled-july/96923/?oref=ng-HPtopstory
[Editor's Note (Murray): Securely sharing intelligence with those best able to act on it is often as difficult as collecting it in the first place. ]
**************************** SPONSORED LINKS ******************************
1) BIG DATA SECURITY SURVEY: What are the biggest risks to your big data applications? Take survey and enter to win iPad. http://www.sans.org/info/169847
2) Data Center Server Security - Hear Results of Survey and Receive Whitepaper 10/29 at 1pm ET http://www.sans.org/info/169852
3) Learn how to avoid man-in-the-middle and DOS attacks - free webcast on 11/13 at 1pm ET http://www.sans.org/info/169857
***************************************************************************
THE REST OF THE WEEK'S NEWS
China Using Phony Apple Certificate to Snoop on iCloud (October 20, 2014)
A group that monitors Chinese government censorship, GreatFire.org, says that censors in China are conducting man-in-the-middle attacks on Apple's iCloud in that country. Technical information suggests that a phony Apple certificate is being used to intercept the traffic.
-https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone
-http://arstechnica.com/security/2014/10/chinese-government-launches-man-in-middle-attack-against-icloud/
-http://www.informationweek.com/mobile/mobile-devices/china-accused-of-attacking-apple-icloud/d/d-id/1316787
-http://www.v3.co.uk/v3-uk/news/2376677/china-targets-icloud-users-with-cyber-attacks-after-iphone-6-and-iphone-6-plus-launch
-http://www.computerworld.com/article/2836084/chinese-big-brother-launches-nationwide-attack-on-icloud.html
Apple's New OS X Yosemite Sends Search Data and Location back to Company Servers (October 20, 2014)
While Apple has made headlines recently for its enhanced encryption in iOS 8, the company's newest Mac operating system, OS X Yosemite, reportedly leaks user information by sending location and search data to Apple's servers when users query Spotlight, the operating system's search feature.
-http://arstechnica.com/security/2014/10/mac-os-x-yosemite-reportedly-leaks-location-search-data/
-http://www.theregister.co.uk/2014/10/20/apple_spotlight_privacy_qualms/
Users can turn off the setting in Mac OS X's System Preferences:
-http://www.wired.com/2014/10/how-to-fix-os-x-yosemite-search/
[Editor's Note (Pescatore): For its privacy walk to match its privacy talk, Apple should change this behavior to be enabled only via opt-in. Otherwise Apple is showing that user privacy is not a core corporate value, just a marketing slogan to be trotted out occasionally.
(Northcutt): This counts as inappropriate for sure. Apple could have positioned itself as the company that respects your privacy. There is a link above on how to ostensibly disable Spotlight. It is not hard; it has been possible since Mountain Lion. The question on the table is does it really work. There is an outbound firewall called "Little Snitch" that any Mac user should consider. It is a bit of a hassle, but lets you know which apps are selling your private information:
-http://osxdaily.com/2011/12/10/disable-or-enable-spotlight-in-mac-os-x-lion/
-http://little-snitch.onfreedownload.com/?lp=bing&tg=us&os=mac&utm_source=Bing&utm_medium=CPC&utm_campaign=Search ]
Login Page for Dropbox Phishing Scheme Hosted on Dropbox (October 19 & 20, 2014)
A phishing scheme tries to get Dropbox users to disclose their account access credentials by sending a message telling recipients that someone has sent them a file that is too large to be sent through regular email, so they must sign in to Dropbox to view it. The phony login page was actually hosted on Dropbox. It has been taken down.
-http://www.scmagazine.com/phony-dropbox-login-page-steals-credentials/article/378244/
-http://www.computerworld.com/article/2835166/dropbox-used-for-convincing-phishing-attack.html
Microsoft Pulls a Patch After Reports of "Unexpected Behavior" (October 18 & 20, 2014)
Microsoft has pulled a recently released fix that is reportedly causing "unexpected behavior." The fix in question addresses a vulnerability in Windows 7 and Windows Server 2008. Users are being urged to uninstall the patch as soon as possible. Some users reported that the patch caused their systems to reboot.
-http://www.v3.co.uk/v3-uk/news/2376644/microsoft-pulls-faulty-windows-patch-tuesday-fix
-http://www.theregister.co.uk/2014/10/20/microsoft_pulls_ianotheri_dodgy_patch/
-http://www.zdnet.com/microsoft-withdraws-another-buggy-update-7000034819/
Revised Advisory:
-https://technet.microsoft.com/en-us/library/security/2949927
Florida Supreme Court Says Warrant Required for Cell Phone Tracking (October 17 & 20, 2014)
Florida's Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data. The court ruled that obtaining cell tower location data from service providers in real time constitutes a Fourth Amendment search and therefore requires a warrant. The case involves cell data from a provider but could likely be applied to devices like StingRays, which simulate cell tower signals.
-http://www.wired.com/2014/10/florida-court-requires-warrant-cell-tower-data/
-http://arstechnica.com/tech-policy/2014/10/florida-court-come-back-with-a-warrant-to-track-suspects-via-mobile-phone/
-http://www.scmagazine.com/court-says-warrantless-tracking-violates-fourth-amendment-rights/article/378254/
Ruling:
-http://www.floridasupremecourt.org/decisions/2014/sc11-2254.pdf
Washington, DC Police and Stingray (October 20, 2014)
Documents obtained through a Freedom of Information Act (FOIA) request show that police in Washington, DC have had a StingRay cellular surveillance device since 2003, but it remained unused until 2009, when officers were trained in its use. StingRay is a trademarked name, but has come to serve as a generic term for the technology. The devices, also known as IMSI catchers, can determine the location of cell phones as well as intercept calls and text messages. They also vacuum up data from other phones in the area.
-http://arstechnica.com/tech-policy/2014/10/dc-polices-stingray-trackers-sat-in-a-vault-unused-for-6-years/
Sandworm Targets SCADA Systems (October 17, 2014)
The Sandworm attack campaign has been found to be targeting Supervisory Control and Data Acquisition (SCADA) systems. Sandworm has recently been exploiting a vulnerability that Microsoft patched last week.
-http://www.scmagazineuk.com/sandworm-vulnerability-seen-targeting-scada-based-systems/article/377846/
STORM CENTER TECH CORNER
Apple iOS 8.1 and Apple TV 7.0.1
-https://support.apple.com/kb/HT1222
US Government to Require Chip-and-Pin for Federal Payments
-http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security
PHP Update Released
-http://php.net/ChangeLog-5.php
Apple Releases Security Updates
-http://support.apple.com/kb/ht1222
Yosemite Privacy Impact
-https://github.com/fix-macosx/yosemite-phone-home/
PoS Malware Uses DNS For Data Exfiltration
-https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/