SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #85

October 24, 2014

The 2nd National Cybersecurity Career Fair is on November 20-21. Nearly 1,000 jobseekers (30% are veterans, 33% have a security clearance, and 48% have a certification) as well as US Air Force members transitioning to private jobs, have already registered. Great employers have also signed up: CBS, Juniper, NBC Universal, Solutionary, Mayo Clinic, and Partners Healthcare. Jobseekers can stand out via the SANS CyberTalent test, with domains in AppSec, Digital Forensics, Pen Testing, and general InfoSec. Email Max Shuftan (mshuftan@cyberaces.org) or see how it works at https://app.brazenconnect.com/events/cyberaces-us-career-fair

---

TOP OF THE NEWS

Google Now Offering USB Key Security
US Justice Department Reorganizes Division to Focus on Cyber Crime
Koler Android Ransomware Now Spreading Through SMS

THE REST OF THE WEEK'S NEWS

Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse
FTDI Admits Releasing Update That Bricks Cloned Chips
DHS ICS-CERT Investigating Medical Device Vulnerabilities
Apple to Stop Using SSL 3.0 for Push Notifications
Microsoft Warns of Attacks That Use PowerPoint Documents
Apple Issues iCloud Security Advisory
Virginia Police Departments Sharing Suspects' Phone Metadata
Government Encourages Cooperation in Cyber Security Incidents

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec **************************
Symantec Webcast: Look at the Threat Landscape to Improve Your Endpoint Security For those paying attention to the threat landscape this has been a busy year. Trends spotted last year have evolved and in some cases exploded in 2014. Join Symantec and learn how to spot the trends, how to plan protection for your business, and some highlights in the latest Symantec security products.
http://www.sans.org/info/170197
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Google Now Offering USB Key Security (October 21 & 22, 2014)

Google is now offering optional enhanced security for users of its many services. The Security Key technology lets users of Google's Chrome browser insert a key into a USB port on the device and tap it when prompted. It's a more streamlined version of the 2-Step verification the company already offers, which sends users a code as a text message or email that users then enter. The new system requires that users purchase the USB key.
-http://arstechnica.com/security/2014/10/google-offers-usb-security-key-to-make-b
ad-passwords-moot/
-http://krebsonsecurity.com/2014/10/google-accounts-now-support-security-keys/
-http://www.cnet.com/news/google-endorses-a-simpler-way-to-secure-your-data/
[Editor's Note (Pescatore): Google incorporated the Universal 2nd Factor Standard from the FIDO Alliance, a good thing since USB devices have limited use and since few users only use Google services. There are a lot of barriers to broad, interoperable use of a single token, however. Other than reusable passwords, the only other currently viable "readerless" 2nd factor is the text message to a mobile device method that has been gaining in use.
(Northcutt), I think Google's time tested 2 step authentication is more than adequate. I use it with my primary bank account; I am a two factor kid. I carry two Symantec VIP and two Verisign dongles. The thought of one dongle to rule them all is attractive. I am going to sign on to this for two reasons: (1) to help test it and (2) to demonstrate leadership. If we talk about two factor authentication, people need to see us use it.
-http://www.amazon.com/Plug-up-International-U2F-SK-01-FIDO-Security/dp/B00OGPO3Z
S/ref=sr_1_2?s=electronics&ie=UTF8&qid=1414011524&sr=1-2&keyword
s=FIDO+U2F+Security+Key
(Murray): Those security officers who continue to resist the use of strong authentication should look carefully at Google's offering. The combination of features and options overcomes many of their objections. Incidentally, the hardware security key is available on Amazon for as little as $6, depending upon features. ]

US Justice Department Reorganizes Division to Focus on Cyber Crime (October 21, 2014)

The US Department of Justice (DoJ) has announced the reorganization of its National Security Division to devote more resources to fighting cyber crime, particularly "state-sponsored economic espionage and theft of corporate secrets." John Carlin, Assistant Attorney General for National Security, announced the changes, saying, "We have assembled a talented, dedicated, and experienced team of seasoned professionals to launch" the new endeavor.
-http://www.networkworld.com/article/2836310/security0/us-justice-dept-focuses-ne
w-squad-on-cybercrime-combat.html
-http://www.mainjustice.com/2014/10/21/dojs-national-security-division-reorganize
s-for-cyber-and-corporate-espionage-threats/

Koler Android Ransomware Now Spreading Through SMS (October 22, 2014)

A variant of Android ransomware known as Koler is now spreading through SMS. The previous version infected devices of users who had viewed certain pornographic websites. The new variant sends SMS messages to every contact in the address book of infected devices, telling them that someone has created a profile using their pictures. Infected devices display a screen telling users that they have been accused of viewing illicit content and that they must pay US $300 to unlock the device.
-http://www.scmagazine.com/worm-variant-of-android-ransomware-koler-spreads-via-s
ms/article/378785/
-http://www.computerworld.com/article/2836760/android-ransomware-koler-turns-into
-a-worm-spreads-via-sms.html

---

**************************** SPONSORED LINKS ******************************
1) BEYOND DEFENSE-IN-DEPTH: Learn new ways to stop hacks in their tracks once they're inside. Join Guidance Software, Blue Coat Systems, HP ArcSight and other security experts for a seminar near you. Find out how to upgrade your security posture for faster post-event detection and remediation. http://www.sans.org/info/170032

2) Be Ready for a Breach with Intelligent Response. Thursday, November 06 at 1:00 PM EST (18:00:00 UTC) with James Tarala and Ofir Arkin. http://www.sans.org/info/170207

3) Data Center Server Security - Hear Results of Survey and Receive Whitepaper 10/29 at 1pm ET. http://www.sans.org/info/170212
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Facebook and Yahoo Develop Mechanism to Protect Recycled eMail Addresses from Abuse (October 23, 2014)

Facebook and Yahoo are taking steps to prevent users of recycled email addresses from taking control of other accounts. When Yahoo began recycling email addresses last year, critics were concerned that the information could be used to change passwords on accounts that used the old email address for password change confirmation, and that the new email user could possibly receive sensitive messages intended for the former user. Yahoo and Facebook have together developed a mechanism for preventing such abuse. Using Simple Mail Transfer Protocol (STMP), sensitive email messages will include a field within the header that notes the date since the sender has known the address. If the address is determined to have changed ownership since that date, the message will not be delivered.
-http://www.computerworld.com/article/2838283/facebook-yahoo-prevent-use-of-recyc
led-email-addresses-to-hijack-accounts.html
-http://www.wired.com/2014/10/fb-yahoo-email/
[Editor's Note (Honan): And the book is now open on how long before that date field will be maliciously manipulated. ]

FTDI Admits Releasing Update That Bricks Cloned Chips (October 22 & 23, 2014)

Chip maker FTDI has acknowledged releasing a silent update that rendered cloned versions of its products useless. The chip in question (FTDI FT232
[USB to UART ]
) is widely used, and there is no way of knowing for sure who has cloned chips. The company says the action is necessary to stop counterfeiters. Many are indicating that the decision to do this was a poor business move because people buying the chips have no reason to suspect that they've been cloned. As one person tweeted, "We only get FTDI Chip products from reputable channels. But will our future customers assume that? Best not to design FTDI products in." FTDI drivers can be obtained directly, or downloaded by Windows automatically through Windows Update; the company used a recent Windows Update to deliver the bricking update. Microsoft has noted that "FTDI removed two driver versions from Windows Update. Our engineering team is engaging with FTDI to prevent these problems with their future driver updated via Windows Update."
-http://www.zdnet.com/ftdi-admits-to-bricking-innocent-users-chips-in-silent-upda
te-7000035019/
-http://www.csoonline.com/article/2837851/supply-chain-security/chipmaker-deliber
ately-cripples-user-devices-with-driver-update.html
-http://arstechnica.com/information-technology/2014/10/windows-update-drivers-bri
cking-usb-serial-chips-beloved-of-hardware-hackers/

DHS ICS-CERT Investigating Medical Device Vulnerabilities (October 22 & 23, 2014)

An unnamed official at the US Department of Homeland Security (DHS) said that the agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating approximately two dozen cases of vulnerabilities in medical devices. While there have been no reported attacks exploiting these flaws, DHS is concerned that they could be exploited to cause heart implants and drug infusion pumps to malfunction.
-http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fa
tal-cybersecurity-flaws/
-http://www.informationweek.com/healthcare/security-and-privacy/dhs-investigates-
dozens-of-medical-device-cybersecurity-flaws-/d/d-id/1316882
-http://www.bbc.com/news/technology-29737540
-http://www.scmagazine.com/dhs-investigates-possible-vulnerabilities-in-medical-d
evices-report-indicates/article/378735/
[Editor's Note (Murray): The risk/reward for murder has never been very good. Unfortunately, computer programmers are not good at security; they do not check inputs and they include gratuitous, and often vulnerable, features and functions. They appear to be highly resistant to improvement; DHS focus is not likely to fix that. Also unfortunate is that we have "researchers" willing to put lives at risk for no better reason than to prove that the programmers are inept. That said, while the consequences are scary, this is a sparse vulnerability with an attack rate near zero. I plan to focus on it right after shark attacks. ]

Apple to Stop Using SSL 3.0 for Push Notifications (October 22 & 23, 2014)

Apple plans to stop using the Secure Sockets Layer 3.0 (SSL 3.0) encryption standard for its Apple Push Notification service following the disclosure of a vulnerability. Developers have until October 29 to update their apps. More information on the SSL 3.0 flaw can be found here:
-https://isc.sans.edu/forums/diary/SSLv3+POODLE+Vulnerability+Official+Release/18
827/
-http://www.zdnet.com/apple-leashes-poodle-in-apple-push-notification-pulls-ssl-3
-0-7000034996/
-http://www.cnet.com/news/apple-dumps-ssl-3-0-for-push-notifications-due-to-poodl
e-flaw/

Microsoft Warns of Attacks That Use PowerPoint Documents (October 22, 2014)

Microsoft has issued an advisory warning of attacks that use maliciously crafted PowerPoint documents to exploit an unpatched vulnerability in all currently supported versions of Windows except for Windows Server 2003. Although the attacks that have been detected thus far are using PowerPoint documents to exploit the flaw, it could potentially be exploited using any Office document. More details available here:
-https://isc.sans.edu/forums/diary/Microsoft+MSRT+October+Update/18853/
-http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/

Apple Issues iCloud Security Advisory (October 22, 2014)

Apple has issued a security warning about attacks attempting to steal information from iCloud users with fraudulent certificates. An Apple support page warns users to heed invalid certificate warnings while visiting iCloud and that they should never enter login information into websites that present certificate warnings.
-http://support.apple.com/kb/HT6550?viewlocale=en_US&locale=en_US
-http://www.theregister.co.uk/2014/10/22/apple_icloud_snooping_china/
-http://www.csmonitor.com/Innovation/Latest-News-Wires/2014/1022/Apple-says-hacke
rs-attacked-iCloud
-http://www.v3.co.uk/v3-uk/news/2377038/apple-offers-security-guidance-following-
china-icloud-hack-reports
[Editor's Note (Murray): And, of course, iCloud users should employ Apple's strong authentication. This mechanism resists attacks against UID and password and is so cleverly implemented in iOS 8 as to be almost transparent.
(Honan): The fact that users still disregard security warnings, particularly with regards to web security, is a clear indicator as to how far we have still to go in making security a transparent and easy to use experience for users. ]

Virginia Police Departments Sharing Suspects' Phone Metadata (October 22, 2014)

For nearly two years, several law enforcement agencies in Virginia have been sharing suspects' phone metadata with each other. The information, shared between five police departments, has been compiled into a database.
-http://arstechnica.com/tech-policy/2014/10/handful-of-virginia-police-agencies-s
haring-seized-phone-data/

Government Encourages Cooperation in Cyber Security Incidents (October 20, 2014)

At a recent conference hosted by the Financial Services Roundtable in Washington, DC, law enforcement officials urged organizations to cooperate with federal officials early on during cyber incidents. A Secret Service special agent said that when a small business in upstate New York experienced a significant level of payment card theft earlier this year, two Secret Service agents visited that business and located and removed malware from its server. The agency worked with the business and with a private security firm to determine the malware's origins; the cooperation allowed DHS's CERT to issue an industry alert about the Backoff point-of-sale malware.
-http://fcw.com/articles/2014/10/20/cyber-resiliency-from-cooperation.aspx

---

STORM CENTER TECH CORNER

VMware Updates
-http://www.vmware.com/security/advisories/VMSA-2014-0011.html

NIST Publication 800-125A : Deploying Hypervisors
-http://csrc.nist.gov/publications/drafts/800-125a/sp800-125a_draft.pdf

Adobe eReader now using SSL to phone home
-http://www.theregister.co.uk/2014/10/23/adobe_updates_digital_editions_encryptio
n/

Analysis of Samsung KNOX
-http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-
knox.html

Cryptowall coming back via paid-for ads
-http://www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-vis
itors-and-jeopardizes-brands.php

Telnetd Vulnerability in Cisco Ironport WSA
-https://isc.sans.edu/forums/diary/+telnetd+rulez+Cisco+Ironport+WSA+Telnetd+Remo
te+Code+Execution+Vulnerability/18869

Misconfigured Routers Allow Config Changes via NAT-PMP
-https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat
-pmp-implementation-and-configuration-vulnerabilities

Jailbreak for iOS 8.1
-http://pangu.io

Ruxcon Slides / Intercepting Pager Data
-https://ruxcon.org.au/slides/

April 911 Outages Affected 3.5 % of US Population
-http://threatpost.com/april-911-outage-affected-3-5-percent-of-u-s-population/10
8974

Microsoft Releases Special Security Advisory for new OLE Vulnerability
-https://technet.microsoft.com/library/security/3010060

False Positives in Pentest Reports
-https://isc.sans.edu/forums/diary/CSAM+Month+of+False+Positives+Ghosts+in+the+Pe
ntest+Report/18861

Misconfigured Palo Alto Firewalls Leak Credentials
-https://community.rapid7.com/community/infosec/blog/2014/10/14/palo-alto-network
s-userid-credential-exposure
-http://live.paloaltonetworks.com/docs/DOC-8125/

UEFI Vulnerability exploitable for Windows 8
-https://www.mitre.org/publications/technical-papers/presentation-extreme-privile
ge-escalation-on-windows-8uefi-systems

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org