SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #89

November 07, 2014

Very cool! A cybersimulator with full kinetic cyber range capabilities - - CyberCity - in a SANS course environment. The new course provides hands-on immersion training in a small-scale physical city with a real power grid, water system, traffic lights, an ISP, and several enterprise environments. It's a little like the FBI training range at Quantico - but for cyber. You'll work through in-depth missions, with real-time streaming video showing 5 independent views of the kinetic actions inside the city and you'll have top SANS instructors helping tune your skills. It's called SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise and it will debut in 5 weeks in Washington DC. Check it out at sans.org/SEC562

Alan

---

TOP OF THE NEWS

FISMA Reforms Stalled
Home Depot Says Breach Affected eMail Addresses
Phishing Just Got Easier for the Bad Guys

THE REST OF THE WEEK'S NEWS

Apple Revokes Certificate Used to Sign WireLurker Malware
Authorities Arrest Alleged Silk Road 2.0 Kingpin
FBI Arrests Man Wanted in Data Theft and Financial Fraud Case
Microsoft to Issue 16 Security Bulletins on November 11
Pirate Bay Co-Founder Neij Arrested in Thailand
UK Information Commissioner's Office Issues Warning About SQL Injection Attacks
Justice Department Seeks to Expand Judges' Search Warrant Purview
Clarification of iCloud Autosave Issue

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************** Sponsored By Bit9 + Carbon Black ***********************
Download the free eGuide: An IT Auditor's Guide to Security Controls and Risk Compliance
http://www.sans.org/info/171097
***************************************************************************

TRAINING UPDATE

--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


--SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Sydney, Tokyo, and Muscat all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

FISMA Reforms Stalled (November 5, 2014)

Changes to the 2002 Federal Information Security Management Act (FISMA) may not be as easily brought about as legislators would like. The compliance requirements of the original plan were correctly criticized for generating vast quantities of paper reports (and vast fees for consultants) while providing little true assurance of security. The changes would require a move toward continuous monitoring. While including the FISMA changes in the 2015 National Defense Authorization Act is one a possibility, sources say that its inclusion is unlikely, particularly because "there are provisions in FISMA that are raising concerns."
-http://www.nextgov.com/cybersecurity/2014/11/long-awaited-fisma-reforms-hit-stum
bling-block/98294/?oref=ng-HPtopstory
[Editor's Note (Henry): Congress continues to kick the can down the road on FISMA reform year-after-year, and as citizens we should all be outraged. Government officials and Congressional representatives (rightfully) stand up and shout about the threat daily. DHS put out an advisory two weeks ago about an ongoing sophisticated malware campaign compromising Industrial Control Systems, and there's speculation it's tied to Russia. I work DAILY with companies whose computer networks are completely OWNED by foreign governments, and I've investigated intrusions into US government agencies that, likewise, reveal complete compromise of those networks. There is some value in "checking the box" as a start, but proactive monitoring, detection, attribution, and disruption are necessary elements for protecting networks. How many more years do we stick with the status quo? I've spoken to Congressional representatives about this dozens of times...we need to demand more. ]

Home Depot Says Breach Affected eMail Addresses (November 6 & 7, 2014)

Home Depot says that in addition to payment card information, thieves stole 53 million email addresses in a security breach of the company's computer system earlier this year. The company also says that the intruders gained access to the system with stolen credentials.
-http://www.bbc.com/news/world-us-canada-29946792
-https://bobsullivan.net/cybercrime/home-depot-hack-even-worse-53-million-email-a
ddresses-stolen-too/
-http://www.computerworld.com/article/2844491/home-depot-attackers-broke-in-using
-a-vendors-stolen-credentials.html

Phishing Just Got Easier for the Bad Guys (November 5, 2014)

In a new twist on phishing, attackers have been targeting online shoppers of a Japanese department store. Instead of creating a phony duplicate website to trick people into divulging their access credentials, the new technique involves establishing a proxy to act as a relay between the target and the website. When targets go to make a purchase online, the attack serves up a page to steal information.
-http://www.darkreading.com/attacks-breaches/hackers-devise-new-simplified-phishi
ng-method/d/d-id/1317242?
-http://www.scmagazine.com/researchers-observe-a-new-phishing-technique/article/3
81628/

---

**************************** SPONSORED LINKS ******************************
1) Download a free trial of Log & Event Manager and get security management, compliance monitoring, and root-cause analysis. http://www.sans.org/info/171102

2) Join Palo Alto Networks, VMware and VMUG to learn how the software-defined datacenter is transforming today's computing environment. Register here: http://www.sans.org/info/171107

3) In case you missed it: Be Ready for a Breach with Intelligent Response Thursday, November 06 t 1:00 PM EST (18:00:00 UTC) with James Tarala and Ofir Arkin. http://www.sans.org/info/171112
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Revokes Certificate Used to Sign WireLurker Malware (November 6, 2014)

Apple has revoked a cryptographic certificate that was being used to sign malware known as WireLurker that targets both OS X and iOS. So far, the malware appears to be affecting users in China. WireLurker has been infecting devices through apps downloaded to OS X machines from unauthorized, third party app stores. The malware then infects iOS devices when they are plugged into infected OS X machines. Apple urges customers to obtain apps only from the legitimate app store.
-http://www.v3.co.uk/v3-uk/news/2379824/wirelurker-malware-attacking-mac-os-x-and
-ios-systems-on-a-large-scale
-http://www.zdnet.com/os-x-malware-infecting-connected-iphones-ipads-7000035497/
-http://www.theregister.co.uk/2014/11/07/apple_moves_to_kill_off_wirelurker_malwa
re/

Authorities Arrest Alleged Silk Road 2.0 Kingpin (November 6, 2014)

International law enforcement authorities have arrested Blake Benthall, who has allegedly been operating the criminal underground marketplace known as Silk Road 2.0. International law enforcement agents have also seized the website. Benthall was arrested in San Francisco, California.
-http://arstechnica.com/tech-policy/2014/11/prosecutor-silk-road-2-0-suspect-did-
admit-to-everything/
-http://www.wired.com/2014/11/feds-seize-silk-road-2/
-http://www.computerworld.com/article/2844397/alleged-operator-of-silk-road-20-ar
rested-faces-narcotics-charges.html
-http://krebsonsecurity.com/2014/11/feds-arrest-alleged-silk-road-2-admin-seize-s
ervers/
-http://www.nbcnews.com/tech/security/fbi-arrests-alleged-silk-road-2-0-operator-
blake-benthall-n242751

FBI Arrests Man Wanted in Data Theft and Financial Fraud Case (November 6, 2014)

The FBI has arrested a man from its "Most Wanted Cyber Fugitives" list. John Gordon Baden was arrested in Tijuana, Mexico. He allegedly stole sensitive personal information and used it to commit fraud, taking funds from banking and brokerage accounts. As many as 40,000 people were affected. Baden allegedly worked with two accomplices, Jason Ray Bailey and Victor Alejandro Fernandez, to gain access to a mortgage broker's system, where they obtained the misused data, including names, birth dates, Social Security numbers (SSNs), tax information and driver's license numbers.
-http://www.scmagazine.com/fbi-arrests-most-wanted-cyber-fugitive-in-tijuana/arti
cle/381914/

Microsoft to Issue 16 Security Bulletins on November 11 (November 6 & 7, 2014)

Microsoft plans to issue 16 security bulletins on Tuesday, November 11, to address vulnerabilities in Windows, Office, Microsoft.NET Framework, Microsoft Server Software, and Internet Explorer. Five of the bulletins have been given critical ratings.
-http://www.zdnet.com/microsoft-to-issue-16-security-updates-7000035526/
-http://www.theregister.co.uk/2014/11/07/november_patch_tuesday_advistory/
-https://technet.microsoft.com/library/security/ms14-nov

Pirate Bay Co-Founder Neij Arrested in Thailand (November 4 & 5, 2014)

Pirate Bay co-founder Fredrik Neij was arrested in Thailand when he tried to cross the border into Laos. Neij is that last of the four founders of the Pirate Bay to be apprehended. He has evaded authorities for five years. He will be sent back to Sweden to face punishment for his conviction on copyright violation charges there.
-http://www.scmagazine.com/pirate-bay-co-founder-arrested-on-copyright-charges/ar
ticle/381634/
-http://www.cnet.com/news/the-pirate-bay-co-founder-fredrik-neij-arrested-in-thai
land/

UK Information Commissioner's Office Issues Warning About SQL Injection Attacks (November 5, 2014)

The UK Information Commissioner's office (ICO) has issued a warning about SQL injection attacks after a popular travel website lost credit card numbers to such an attack. ICO fined WorldView Limited GBP 7,500 (US $11,880) for the attack, which compromised payment card details of nearly 4,000 customers. Although the stolen data were encrypted, the decryption key was stored with those data.
-http://www.theregister.co.uk/2014/11/05/hotel_booking_website_fined_over_breach_
that_exposed_credit_card_details/
-http://www.v3.co.uk/v3-uk/news/2379659/ico-warns-on-sql-attacks-after-travel-fir
m-has-4-000-card-details-stolen
ICO's SQL Injection Attack Warning:
-http://ico.org.uk/news/latest_news/2014/organisations-must-act-now-to-avoid-olde
st-hackers-trick-in-the-book-says-ico-05112014

Justice Department Seeks to Expand Judges' Search Warrant Purview (November 5, 2014)

The US Department of Justice (DOJ) has petitioned the Advisory Committee on Criminal Rules to expand magistrate judges' reach in granting search warrants. Rule 41 of the Federal Rules of Criminal Procedure allows judges to issue search warrants within their judicial district. DOJ wants to broaden the judges' purviews to allow them to issue warrants for electronic surveillance regardless of the device's location. Opponents say that the change DOJ is asking for would threaten the Fourth Amendment's limitations on search and seizure, and that it could allow for unprecedented access to foreign networks.
-http://www.nextgov.com/cybersecurity/2014/11/fbis-quiet-plan-expand-its-hacking-
powers/98273/?oref=ng-channeltopstory
-http://rt.com/usa/202647-fbi-computer-search-warrants/

Clarification of iCloud Autosave Issue

Earlier this week we ran a story about documents being saved to iCloud without notifying users. The headline suggested that the issue affected all documents, when in fact, the feature is on by default for iWork apps, Preview, and TextEdit. It does not affect Word. Apple describes the autosave default in an August 2014 support document:
-https://support.apple.com/en-us/TS4372

---

STORM CENTER TECH CORNER

EFF rates Messenger Applications
-https://www.eff.org/de/secure-messaging-scorecard

Using QEMU to Reverse MIPS binaries (and develop exploits)
-https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belk
in-n750-cve-2014-1635/

GnuPG Version 2.1 Released
-https://gnupg.org/faq/whats-new-in-2.1.html

Flash Script used to inject malicious iframe
-http://blog.sucuri.net/2014/11/malicious-injector-in-swf-adobe-flash-file.html

Visa responds to contactless card foreign currency fraud potential
-http://www.theregister.co.uk/2014/11/05/visa_contactless_card_flaw/

Undisclosed Wordpress Vulnerability Disclosed by Finish Paper
-https://www.viestintavirasto.fi/tietoturva/tietoturvanyt/2014/11/ttn201411041006
.html

Rootpipe: Relax and await patch
-http://www.macworld.co.uk/news/mac-software/swedish-hacker-finds-serious-vulnera
bility-in-os-x-yosemite-3583723/

DDoS Used Against HK Pro-Democracy Sites
-http://cw.com.hk/news/next-media-under-cyberattack-and-operations-disruption

---

***********************************************************************
|The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/