SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #90

November 11, 2014

The deadline for nominations for the SANS "Best of 2014" awards for the products and services that really worked for you in 2014 is December 8th. Information and instructions on how to participate in the SANS "Best of 2014" survey are at https://www.surveymonkey.com/s/SANSBestof2014 All who send in a nomination or participate in the survey are eligible to win an iPad.

---

TOP OF THE NEWS

Employee Mistakes Undermine US Government Data Security
Microsoft Releases EMET 5.1

THE REST OF THE WEEK'S NEWS

DarkHotel Attacks Target High-Level Executives Through Hotel Wi-Fi
USPS Breach Affects Employee Data
BrowserStack Acknowledges Breach
South Korea Arrests Student for Allegedly Breaking Into Websites and Stealing Data
Patching for Heartbleed is not Enough
Russian Internet Traffic is Being Routed Through Other Countries
DarkNet Domains Seized, Black Market Websites Shuttered
Belkin Issues Firmware Fix for Router Vulnerability

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Lancope ****************************
FREE eBook: "Incident Response with NetFlow for Dummies". Download now! http://www.sans.org/info/171277
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, Brussels, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Employee Mistakes Undermine US Government Data Security (November 10, 2014)

According to an Associated Press analysis of information obtained through Freedom of Information Act (FOIA) requests, at least half of US government IT security incidents are the result of mistakes made by workers. Employees have violated workplace policies; lost or had stolen devices containing sensitive information; and shared sensitive information.
-http://www.theguardian.com/technology/2014/nov/10/us-government-hacking-cybercri
me-workers-crime
[Editor's Note (Pescatore): The numbers aren't tremendously different for private industry; if anything, employee error is responsible for a higher percentage of incidents. Attacker-driven breaches get the press coverage, but errors by well-meaning insiders (both users and sys admins) both directly cause a high percentage of breaches and are the root cause of enabling many external attacker breaches, as well. The dreaded "email address autocomplete leads to spreadsheet with sensitive information being sent to competitor/world" error is a common example of the former, "OK, I'll spin up www25.acme.com just for tonight for you on the DMZ" is an example of the latter.
(Murray): This is no more likely to be true in the US Government than in any other organization. Even in the unlikely event that we were to solve all of our software quality problems, we would still be vulnerable to errors and omissions by otherwise well motivated but gratuitously privileged users. "The dummies have it, hands down, now and forever." - --Robert H. Courtney. Such errors should be resisted by application design, training, supervision, multi-party controls, and automatic confirmations. Management should recognize and reward timely detection and correction of errors. ]

Microsoft Releases EMET 5.1 (November 10 & 11, 2014)

Microsoft has updated its Enhanced Mitigation Experience Toolkit (EMET) to version 5.1. The tool "allows users or administrators to lock down the security of specific programs to a greater degree than allowed by Windows." Users running Internet Explorer 11 are urged to update to EMET 5.1 before Microsoft's monthly security updates are released on Tuesday, November 11 because of compatibility issues detected with the IE update.
-http://www.zdnet.com/microsoft-updates-emet-anti-hack-tool-7000035626/
-http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx
-http://www.theregister.co.uk/2014/11/11/emet_version_5_1_released/
[Editor's Note (Murray): EMET dramatically improves the securability of Windows. That it is not enabled by default on consumer shipments of Windows must be because it breaks games. It is not enabled in enterprises because it MIGHT break one or more applications. The improved security of all applications should trump any disruption to a few.
(Honan): This is a great security tool from Microsoft and it is free. This link
-http://technet.microsoft.com/en-us/security/jj653751
is a good starting point when looking to deploy EMET in an enterprise. ]

---

**************************** SPONSORED LINKS ******************************
1) Learn how to avoid man-in-the-middle and DOS attacks - free webcast on 11/13 at 1pm ET. http://www.sans.org/info/171287

2) BIG DATA SECURITY SURVEY: What are the biggest risks to your big data applications? Take survey and enter to win iPad. http://www.sans.org/info/171292

3) NEW SURVEY: Who's Using Cyberthreat Intelligence & How? Participate & Enter to Win iPad. http://www.sans.org/info/171302
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

DarkHotel Attacks Target High-Level Executives Through Hotel Wi-Fi (November 10, 2014)

Malware created by a group known as DarkHotel or Tapaoux targets high-level executives staying at luxury hotels by infiltrating the hotels' networks. The individuals are targeted through spear-phishing attacks that exploit unpatched vulnerabilities. The malware lies in wait on the hotels' networks and deletes itself once it has accomplished its mission. The campaign reportedly began in August 2010. The majority of infections occurred in Japan, Taiwan, China, Russia, and South Korea.
-http://www.theregister.co.uk/2014/11/10/corporate_bosses_clobbered_as_they_sleep
/
-http://www.wired.com/2014/11/darkhotel-malware/
-http://qz.com/294028/somebody-is-snooping-on-ceos-by-hacking-hotel-wi-fi/
-http://www.zdnet.com/traveling-business-executives-targeted-through-luxury-hotel
-wi-fi-7000035601/
-https://securelist.com/blog/research/66779/the-darkhotel-apt/
[Editor's Note (Henry): 3rd-party sites are continuously being exploited by criminal groups, and likely by nationstates during specific industry conferences and government gatherings at known hotels and coffeeshops. Use a personal MIFI as an alternitive while traveling away from a "trusted site", and avoid these potentially vulnerable networks as often as you can.

USPS Breach Affects Employee Data (November 10, 2014)

A breach of US Postal Service (USPS) information systems compromised personally identifiable information of more than 600,000 employees, including employees of the US Postal Regulatory Commission. The breach was detected in September. Customers who contacted the USPS customer care center by phone or email between January and August 2014 may be affected as well. The FBI is investigating.
-http://www.computerworld.com/article/2845621/government/us-postal-service-suffer
s-breach-of-employee-customer-data.html
-http://www.nextgov.com/cybersecurity/2014/11/postal-employees-youve-been-hacked/
98627/?oref=ng-HPtopstory
-http://arstechnica.com/security/2014/11/all-us-postal-service-employees-personal
-data-exposed-by-hackers/

BrowserStack Acknowledges Breach (November 10, 2014)

BrowserStack, a browser testing service, has acknowledged that it suffered a breach, but has not yet offered details beyond saying that the attacker accessed a list of email addresses. The attacker sent an email message to BrowserStack customers, claiming that the company's security was less than adequate. BrowserStack has temporarily suspended its service while cleaning up the problem. The company says that it will provide more information when it knows more about the issue.
-http://www.computerworld.com/article/2845319/browserstack-hacked-attacker-sends-
email-to-customers-alleging-shoddy-security.html
-http://www.theregister.co.uk/2014/11/10/browserstack_hack_attack_service_still_s
uspended_after_rogue_email/

South Korea Arrests Student for Allegedly Breaking Into Websites and Stealing Data (November 10, 2014)

Police in South Korea have arrested a student for allegedly breaking into more than 100 websites in 24 countries. The 20-year-old man allegedly stole 280,000 pieces of information during the attacks.
-http://www.scmagazine.com/20-year-old-student-named-jang-hacked-sites-in-24-coun
tries/article/382395/

Patching for Heartbleed is not Enough (November 10, 2014)

While patching for the Heartbleed flaw is important, if old certificates have not been revoked, the websites could remain vulnerable to attacks. The sites needed to be patched, their old certificates revoked, and new ones issued. However, in some cases, the middle step was skipped.
-http://www.theregister.co.uk/2014/11/10/sys_admins_your_weekends_slowed_the_resp
onse_to_heartbleed/
[Editor's Note (Murray): The issue is changing keys: certificate revocation is a mechanism for signaling that a key may be compromised, as can potentially happen in Heartbleed.
(Honan): Another step people need to take, depending on their web server software, is to reboot or restart their web server. We have run vulnerability scans for some clients who applied the patches but never restarted their web instances to enable the patches to take effect. Anytime you make a major change to a system or apply a patch it is worthwhile running a vulnerability scan against the system to ensure the patch has addressed the issue or that it has not introduced any other vulnerabilities. ]

Russian Internet Traffic is Being Routed Through Other Countries (November 9, 2014)

Domestic Internet traffic in Russia is being routed through other countries, including China. The border Gateway Protocol (BGP), which provides structure for the Internet's routing system, is complex enough that unusual routings could be caused by human error. However, it could also be used by entities with an interest in inspecting certain Internet traffic.
-http://arstechnica.com/security/2014/11/wtf-russias-domestic-internet-traffic-my
steriously-passes-through-china/
-http://research.dyn.com/2014/11/chinese-routing-errors-redirect-russian-traffic/
[Editor's Note (Murray): With few exceptions, all countries Internet traffic is routed through other countries. For the most part, Internet topology is unaware of borders. Again, with few exceptions, all Internet traffic is recorded in Utah on the rare chance that it may be of interest in the future. The Internet is relatively flat and its routing obscure. Users should not assume or rely upon "safe" or beneficent routing. ]

DarkNet Domains Seized, Black Market Websites Shuttered (November 7, 2014)

In an international effort, law enforcement officials seized and shut down hundreds of dark net domains associated with black market websites. Seventeen people have also been arrested. Among the seized domains are 414 .onion domains, addresses used by the Tor anonymity software. Last week, news of the arrest of alleged Silk Road 2.0 operator Blake Benthall made headlines, but that arrest was just part of Operation Onymous, the larger effort to dismantle online black markets.
-http://www.wired.com/2014/11/operation-onymous-dark-web-arrests/
Europol have corrected the statement regarding over 400 domains being seized. The figure is closer to 27, the 400 number refers to URL links pointing back to the domains.
-http://www.bbc.com/news/technology-29987379
[Editor's Note (Pescatore): Nice! Good to see international law enforcement agencies cooperating in cybersecurity enforcement action, vs. complaining about need for technology to stop advancing in order for law enforcement to keep up.
(Honan): This is very significant for a number of reasons. It highlights how effective law enforcement can be when they cooperate at an international level and also sends a message to the criminals that they are not immune to police action even if they use anonymization techniques. No doubt criminals will learn from the mistakes that led to this takedown but it increases the costs for them to maintain their security, which will have an impact on their operations. So well done to Europol, the FBI, the NCA, and the other police forces involved in this operation proving that even in the darkweb police can be effective in deterring, detecting, and/or detaining those involved in criminal activity. It is also interesting to note the arrests in Dublin resulted in unencrypted laptops being seized by Irish police which should lead to more intelligence for police but a good example that encryption alone does not guarantee perfect security. ]

Belkin Issues Firmware Fix for Router Vulnerability (November 7, 2014)

Belkin has a fix for a vulnerability in its N750 dual band router that could be exploited by people using guest networks to gain root access. Users are urged to update the firmware to F9K1103_WW_1.10.17m.
-http://www.theregister.co.uk/2014/11/07/belkin_flings_patch_after_metasploit_mod
ule_turns_guests_to_admins/
-https://labs.integrity.pt/advisories/cve-2014-1635/

---

STORM CENTER TECH CORNER

Microsoft Patch Tuesday Pre-Announcement
-https://technet.microsoft.com/library/security/ms14-nov

New Firmware Available for Synology Routers
-https://www.synology.com/en-global/releaseNote/DS411slim

dpkg Format String Vulnerability
-http://blog.internot.info/2014/11/dpkg-format-string-vulnerability-cve.html

More Possible iOS Malware
-http://www.theregister.co.uk/2014/11/10/ios_masque_attack/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/