SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #86

October 28, 2014

TOP OF THE NEWS

Law Firms Forced To Invest in Cybersecurity
POS Malware Persistent
MyE-Verify to Use Cloud Services for Backend

THE REST OF THE WEEK'S NEWS

Verizon Tracking Mobile Internet Activity
Suspicious Tor Exit Node Flagged
ACLU Challenging School District Digital Policy for Violating Students' Rights
NIST Warns of Security Issue in Samsung's "Find My Mobile" Service
Eleven-Year Prison Sentence for Role in RBS WorldPay Scheme
Google Changes Search Algorithm to Help Fight Piracy
Attack Targeting Outlook Web App Users
Court Orders Shutdown of Company Selling Useless Tech Support
Microsoft Offers "Fix-it" for New Zero-Day in OLE

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec **************************
SANS Report - Breaches Happen: Be Prepared (Sponsored by Symantec) A whitepaper by SANS Analyst and Senior Instructor Stephen Northcutt. It describes how improved malware reporting and gateway monitoring, combined with security intelligence from both internal and external resources, helps organizations meet the requirements of frameworks such as the Critical Security Controls.
http://www.sans.org/info/170272
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Law Firms Forced To Invest in Cybersecurity (October 28, 2014)

Banks are now requiring that their law firms meet high standards of cybersecurity protection. "A spate of cyberattacks has sharpened financial institutions' focus on security when dealing with outside law firms. Every bank has changed from a year ago." A related blog, says that smaller law firms, especially those involved in international human rights projects, are facing attacks and attempting to find low cost, cloud-based mechanisms of protecting their employees and clients.
-http://online.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-de
fenses-1414354709
-http://blogs.wsj.com/law/2014/10/27/cybersecurity-not-just-for-biglaw-and-its-cl
ients/

POS Malware Persistent (October 26, 2014)

Point-of-sale malware known as Backoff is still being found on systems in the US. According to numbers from Damballa, Backoff infections increased 57 percent in August and 27 percent in September. It is unlikely that infections will decrease any time soon as the holiday shopping season draws near.
-http://www.theregister.co.uk/2014/10/26/pesky_pos_poison_wont_backoff/
-http://www.nbcnews.com/tech/security/pos-malware-infections-soar-ahead-holiday-s
eason-n233156
[Editor's Note (Murray): All merchants and retailers are at high risk. They must assume themselves compromised and act accordingly. ]

MyE-Verify to Use Cloud Services for Backend (October 27, 2014)

The US Department of Homeland Security's (DHS's) MyE-Verify identity check tool allows people to place freezes on their Social Security numbers (SSNs). MyE-Verify has been available in some states since October 6 and is expected to be rolled out across the country by mid-2015. While DHS will operate the public facing website, the agency is looking for a cloud service provider to host the system's backend. Here's how the government describes Mye-Verify: "myE-Verify is a free, Web-based service that provides you with self-service features to participate in the E-Verify process. E-Verify is a Web-based system that enables an employer, using information reported on an employee's Form I-9 for Employment Eligibility Verification, to determine if that employee is eligible to work in the United States. Many employers use E-Verify to verify the employment eligibility of their new employees."
-http://www.nextgov.com/cybersecurity/2014/10/dhs-expects-outsource-employment-ve
rification-checks-cloud/97400/?oref=ng-channeltopstory

---

**************************** SPONSORED LINKS ******************************
1) SANS Analyst James Tarala explains how to get more secure as a result of each investigation, Thursday, November 6 at 1 PM EDT. http://www.sans.org/info/170277

2) New Paper in the SANS Reading Room: Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight. http://www.sans.org/info/170282

3) SANS What Works: University Uses Fireeye Advanced Threat Detection to Reduce Malware Impact Monday, November 10 at 1:00 PM EDT (18:00:00 UTC) with John Pescatore and Dan Han. http://www.sans.org/info/170287
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Verizon Tracking Mobile Internet Activity (October 27, 2014)

For the past two years, Verizon has been inserting a string of about 50 characters into communications between its customers and the websites they visit. Verizon calls the string a Unique Identifier Header (UIDH). This identifier can be read by any web server that users visit and the information it conveys can be used to build a profile of Internet activity, which is useful to advertisers.
-http://www.wired.com/2014/10/verizons-perma-cookie/
-http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-lin
k-its-users-to-web-requests/
-http://www.verizonwireless.com/support/faqs/AccountManagement/mobile_ads.html

Suspicious Tor Exit Node Flagged (October 27, 2014)

The Tor project has identified an exit node server in Russia that appears to add malware to downloads as the files exit the anonymization network.
-http://www.theregister.co.uk/2014/10/27/tor_exit_node_mashes_malware_into_downlo
ads/
-http://www.zdnet.com/rogue-tor-node-wraps-executables-with-malware-7000035060/
-http://www.computerworld.com/article/2838788/tor-project-flags-russian-exit-node
-server-for-delivering-malware.html
-http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

ACLU Challenging School District Digital Policy for Violating Students' Rights (October 27, 2014)

The American Civil Liberties Union (ACLU) is challenging a Tennessee school district's policy of searching students' electronic devices and monitoring and controlling what the students post to social media. The policy also allows schools to monitor communications sent through or stored on school networks. The ACLU says the policy is broadly written and "demonstrates a fundamental misunderstanding" of students' constitutional rights.
-http://www.wired.com/2014/10/tennessee-school-boards-rights-violations/
Policy:
-http://www.wcs.edu/wp-content/pdf/BoardPolicies/4406p1415.pdf
ACLU Letter:
-https://www.eff.org/files/2014/10/27/finalwilliamsoncountyletter.pdf

NIST Warns of Security Issue in Samsung's "Find My Mobile" Service (October 27, 2014)

A vulnerability in Samsung's "Find My Mobile" service could be exploited by attackers to lock the devices. The National Institute of Standards and Technology (NIST) has issued a warning about the problem.
-http://www.computerworld.com/article/2839240/zero-day-in-samsung-find-my-mobile-
service-allows-attacker-to-remotely-lock-phone.html
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8346

Eleven-Year Prison Sentence for Role in RBS WorldPay Scheme (October 27, 2014)

Sergei Nicolaevich Tsurikov has been sentenced to 11 years in prison for his part in the scheme that stole US $9.4 million from RBS WorldPay in 2008. The scheme involved breaking encryption used to protect payroll debit cards and raising the limits on the associated accounts. The group stole more than US $9 million in just one day from ATMs around the world.
-http://www.scmagazine.com/an-estonian-man-who-hacked-rbs-worldplay-received-11-y
ears/article/379555/
-http://www.fbi.gov/atlanta/press-releases/2014/international-hacker-sentenced

Google Changes Search Algorithm to Help Fight Piracy (October 27, 2014)

Last week, Google made changes to its search algorithm that have had a noticeable effect on the number of video streaming and torrent sites that appear at the tops of results. Visibility of many sites known to offer pirated content has been significantly reduced.
-http://arstechnica.com/tech-policy/2014/10/project-free-tv-torrent-sites-drop-in
-google-results-with-new-algorithm/

Attack Targeting Outlook Web App Users (October 24, 2014)

A cyber espionage operation has been targeting users of Office 365's Outlook Web App. The attack begins with spear phishing messages sent to employees at military agencies, embassies, defense contractors, and media outlets that use the product. Called Pawn Storm by Trend Micro, the campaign has reportedly been going on since 2007. The group also uses exploits hidden in certain websites.
-http://www.computerworld.com/article/2837824/cyberespionage-group-goes-phishing-
for-outlook-web-app-users.html

Court Orders Shutdown of Company Selling Useless Tech Support (October 24 & 27, 2014)

A federal court in New York has shut down a company called Pairsys for selling useless tech support, according to a US Federal Trade Commission (FTC) announcement. On October 9, the court issued a preliminary injunction, which froze company assets and required that its websites and phone numbers be disconnected. Pairsys made US $2.5 million in less than two years selling scareware and software that was available elsewhere at no cost. Company employees posed as Microsoft and Facebook representatives.
-http://www.informationweek.com/software/microsoft-facebook-support-services-a-sc
am-ftc-says/d/d-id/1316968
-http://www.scmagazine.com/court-shutters-ny-co-selling-security-software-with-no
-value/article/379261/
-http://www.ftc.gov/news-events/press-releases/2014/10/ftcs-request-court-shuts-d
own-new-york-based-tech-support-scam
-http://www.ftc.gov/system/files/documents/cases/141024pairsyscmpt.pdf
[Editor's Note (Murray): One would hope to see more FTC enforcement action against "Scareware." It is an obnoxious "con" targeting the elderly and the naive. It is a blight on our space. ]

Microsoft Offers "Fix-it" for New Zero-Day in OLE (October 24, 2014)

Earlier this month, Microsoft issued patches for a number of vulnerabilities, including one in the Microsoft Object Linking and Embedding (OLE) technology that has been dubbed the Sandworm bug. A new set of attacks is now exploiting another vulnerability in OLE; Microsoft has issued a "Fix-it" for the problem but has not yet issued a patch.
-http://www.eweek.com/security/microsoft-scrambles-to-fix-zero-day-flaw-in-ole.ht
ml
-https://support.microsoft.com/kb/3010060

---

STORM CENTER TECH CORNER

New Android Ransom Wear Spreads via SMS
-http://research.zscaler.com/2014/10/android-ransomware-koler-learns-to.html

Arbitrary Code Execution Vulnerability in "strings"
-http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html

"Al Quaida" SSID causes flight delay
-http://abc7.com/news/lax-flight-delayed-after-wifi-hotspot-name-prompts-concerns
/367110/

Shellshock Exploit used against mail servers
-https://isc.sans.edu/forums/diary/Shellshock+via+SMTP/18879

Scanning For Specific Vulnerabilities
-https://isc.sans.edu/forums/diary/Scanning+for+Single+Critical+Vulnerabilities/1
8881

Micasa Verda / Vera Home Automation Gateway Security Review (and fail)
-http://www.xipiter.com/musings/the-insecurity-of-things-part-two

Samsung Responds to claims about Knox Insecurity
-http://www.theregister.co.uk/2014/10/26/samsung_denies_knox_security_vuln_allega
tions/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/