SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #91

November 14, 2014


6 days left for employers and job candidates to sign up for the totally online U.S. National Cybersecurity Career Fair on November 20-21. Nearly 2,000 candidates have registered along with many cool employers like Target, Mayo Clinic, Cisco, American Express, State Farm, CBS, Juniper, NBC Universal, Solutionary, Partners Healthcare, and more! Email Max Shuftan (mshuftan@cyberaces.org) or visit https://app.brazenconnect.com/events/cyberaces-us-career-fair for more info.

TOP OF THE NEWS

DHS and Industry Seeking to Develop Resilient Information Systems
Initial Stuxnet Infections Identified

THE REST OF THE WEEK'S NEWS

NOAA Breach
EFF: ISP is Stripping STARTTLS Flags from eMail
BrowserStack Says Attackers Exploited Shellshock Flaw
DOJ Defends Agents Cutting Cable Access, Posing as Repairmen
Microsoft Patch Tuesday
US-CERT Warns of End of Support for Windows Server 2003
Adobe Issues Updates for Flash Player and AIR
Changes in Firefox 33.1 Focus on Privacy
Masque Attack Exploits Vulnerability in iOS
Cybersecurity for Girls Workshop Held at University of Maryland

STORM CENTER TECH CORNER


************************* Sponsored By Symantec **************************
Targeted attacks and Advanced Persistent Threats cannot be stopped by antivirus alone, but require layered protection and intelligent security at the endpoint. Only Symantec Endpoint Protection 12.1.5 provides the security you need through a single, high-powered agent, for the fastest, most-effective protection available. Download Symantec Endpoint Protection free for 30 days. http://www.sans.org/info/171767
**************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 | 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course, allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 | 17 courses. Bonus evening presentations include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, Brussels, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

DHS and Industry Seeking to Develop Resilient Information Systems (November 12, 2014)

In an effort to bolster the resilience of its information systems, the US Department of Homeland Security (DHS) is working with industry partners to develop automated cyber defense mechanisms for the government. The concept, dubbed Enterprise Automated Security Environment (EASE) could possibly develop a network that repairs itself.
-http://www.nextgov.com/cybersecurity/2014/11/dhs-drafts-blueprints-self-repairing-networks-hacks-mount/98906/?oref=ng-channeltopstory

[Editor's Note (Murray): Resilience is not free; it comes at the cost of redundancy, falling, and complexity, not so much. Given the threat, persistent vulnerability, and the consequences, it is efficient. Promoting it is the kind of leadership from DHS that we should expect, appreciate, and follow. ]

Initial Stuxnet Infections Identified (November 11 & 12, 2014)

Researchers have traced the Stuxnet attack back to its five original infection points - all Iranian companies involved in industrial control systems (ICS). Stuxnet was used to sabotage centrifuges at the Natanz uranium enrichment plant in Iran. The five companies were targeted between June 2009 and March 2010; all are contractors for the Natanz plant. One of the five companies has been identified as the source of the leak of Stuxnet to other systems around the world. The researchers were able to determine the source of the infections because Stuxnet records data about each machine it infects in an updated executable file.
-http://www.darkreading.com/stuxnet-patient-zero-attack-targets-revealed/d/d-id/1317394?
-http://arstechnica.com/security/2014/11/stuxnet-worm-infected-high-profile-targets-before-hitting-iran-nukes/
-http://www.scmagazine.com/first-stuxnet-victims-identified/article/382967/
-http://www.theregister.co.uk/2014/11/12/stuxnet_patient_zero/
[Editor's Note (Honan): Another prime example of how the supply chain can be leveraged by attackers to breach their ultimate target. ]


**************************** SPONSORED LINKS ******************************
1) A Managed Approach to Security Controls to Ensure Effective Security - Thursday, November 20 at 1:00 PM EDT with Kevin Landt, Product Manager. http://www.sans.org/info/171772

2) Best Practices for Eliminating SSL Encrypted Traffic Blind Spots Friday, November 21 at 1:00 PM EDT with John Pescatore, SANS Institute; Greg Mayfield and David Wells, Blue Coat. http://www.sans.org/info/171777

3) NEW SURVEY: Who's Using Cyberthreat Intelligence & How? Participate & Enter to Win iPad. http://www.sans.org/info/171782
***************************************************************************

THE REST OF THE WEEK'S NEWS

NOAA Breach (November 12 & 13, 2014)

The US National Oceanic and Atmospheric Administration (NOAA) suffered a security breach in September, according to the Washington Post. To prevent further infiltration, the government shut down some services. When satellite data suddenly became unavailable in October, NOAA attributed it to "unscheduled maintenance." Officials say that NOAA did not notify the necessary authorities when it learned of the attack.
-http://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html
-http://www.eweek.com/security/noaa-other-u.s.-agency-security-breaches-connecting-the-dots.html
-http://www.zdnet.com/federal-agency-covered-up-chinese-hack-which-toppled-us-weather-system-7000035763/
-http://www.theregister.co.uk/2014/11/13/china_noaa_hack/
-http://money.cnn.com/2014/11/12/technology/security/weather-system-hacked/index.html?iid=Lead&hpt=te_t1
-http://www.scmagazine.com/four-noaa-websites-compromised-by-an-internet-sourced-attack/article/382918/
-http://www.computerworld.com/article/2846978/noaa-confirms-cyberattack-on-four-weather-sites.html
-http://www.itnews.com.au/News/397829,us-weather-systems-hacked-satellites-affected.aspx?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+

EFF: ISP is Stripping STARTTLS Flags from eMail (November 12 & 13, 2014)

According to the Electronic Frontier Foundation (EFF), a US Internet service provider (ISP) is removing encryption from the traffic between customers and email servers, stripping the communications of the expected level of privacy. In the incidents observed, the ISP intercepted SMTP sessions and removed the STARTTLS flag, the keyword a mail server advertises to signal that the connection can be upgraded to encryption. If the flag is removed, the client never sees the offer and the email is sent in clear text. Some firewalls use this technique to prevent spam from emanating from their networks, but when it affects legitimate email, the unencrypted messages become vulnerable to interception and eavesdropping.
-http://arstechnica.com/tech-policy/2014/11/condemnation-mounts-against-isp-that-sabotaged-users-e-mail-encryption/
-http://www.theregister.co.uk/2014/11/12/customers_email_encryption_stripped_out_by_isps/
-https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
[Editor's Note (Ullrich): This STARTTLS header issue may not be intentional after all. Some Cisco ASA firewalls will strip these headers from SMTP traffic. Using port 25/SMTP to send mail from a client to a mail server should be discouraged anyway and the submit port should be used per RFC 6409 which uses port 587. SMTP is intended to be used for mail servers to communicate with each other and often blocked by consumer ISPs to avoid spam.
(Murray): In order to resist spam, many ISPs will not permit SMTP at consumer rates; if one wishes to operate an SMTP server, one must pay a commercial rate, one that probably includes more bandwidth. One cannot rely on good manners for voluntary encryption requests. That said, transparency would seem to require disclosure of this practice. The protocol might well provide an indication if a request for encryption is not honored. Spam should cost more; privacy should not. Contribute to EFF. ]
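The client-side policy that closes the gap described above, as an added example that is not part of this issue or of the EFF report: parse the server's EHLO reply, fail closed when STARTTLS is not advertised, and flag a reply whose extension keyword has been overwritten in transit. The sample replies, the hostname and the X-overwrite pattern are constructed for illustration.

```python
"""Fail-closed STARTTLS check for an SMTP EHLO reply (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SMTP_PORT = 25          # server-to-server relay
SUBMISSION_PORT = 587   # RFC 6409 client submission port

# An EHLO reply line is "250-KEYWORD params" (more follow) or "250 KEYWORD params" (last).
EHLO_LINE = re.compile(r"^250([ -])(\S+)(?:\s+(.*))?$")

# Constructed sample replies (not real server output).
EHLO_OK = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# Same reply after an in-path device overwrote the STARTTLS keyword
# (assumed rewriting pattern; the client no longer sees an encryption offer).
EHLO_STRIPPED = EHLO_OK.replace("STARTTLS", "XXXXXXXX")
# A server that simply never offers TLS.
EHLO_NO_TLS = EHLO_OK.replace("250-STARTTLS\r\n", "")


@dataclass
class EhloReply:
    greeting: str
    extensions: Dict[str, str] = field(default_factory=dict)
    suspicious: List[str] = field(default_factory=list)


def parse_ehlo(reply: str) -> EhloReply:
    """Parse a multi-line 250 EHLO reply into its advertised extensions."""
    lines = reply.replace("\r\n", "\n").rstrip("\n").split("\n")
    parsed = EhloReply(greeting="")
    for idx, line in enumerate(lines):
        match = EHLO_LINE.match(line)
        if not match:
            raise ValueError(f"malformed EHLO line: {line!r}")
        sep, keyword, params = match.groups()
        if sep == " " and idx != len(lines) - 1:
            raise ValueError("reply continues after the final 250 line")
        if idx == 0:
            parsed.greeting = keyword   # first line carries the server name
            continue
        parsed.extensions[keyword.upper()] = params or ""
        # No registered SMTP extension is spelled as a run of X's; such a
        # keyword is a strong hint that something rewrote the reply in transit.
        if re.fullmatch(r"X+", keyword, re.IGNORECASE):
            parsed.suspicious.append(line)
    return parsed


def decide(reply: str, port: int, require_tls: bool = True) -> Tuple[str, str]:
    """Return ("send" | "refuse", reason). Fails closed when TLS is required."""
    parsed = parse_ehlo(reply)
    if "STARTTLS" in parsed.extensions:
        return "send", "STARTTLS advertised; issue STARTTLS before AUTH or MAIL FROM"
    if parsed.suspicious:
        return "refuse", f"no STARTTLS and reply looks rewritten: {parsed.suspicious[0]!r}"
    if require_tls:
        hint = f"; retry on submission port {SUBMISSION_PORT}" if port == SMTP_PORT else ""
        return "refuse", "STARTTLS not advertised" + hint
    return "send", "STARTTLS not advertised; sending in clear because require_tls=False"


if __name__ == "__main__":
    for name, sample in (("ok", EHLO_OK), ("stripped", EHLO_STRIPPED), ("no_tls", EHLO_NO_TLS)):
        print(name, decide(sample, SMTP_PORT))
```

A real client would run this check on the reply it reads from the socket and, on "send", issue the STARTTLS command and verify the server certificate before any AUTH or MAIL FROM.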

BrowserStack Says Attackers Exploited Shellshock Flaw (November 12, 2014)

BrowserStack, the browser testing service that recently disclosed a security breach, has released more information about the incident. The attackers exploited the Shellshock vulnerability on an older, unpatched server to gain access to BrowserStack data. The attacker sent a spoofed email to roughly 5,000 of the company's customers, making it appear to come from the company itself and discrediting its security.
-http://www.scmagazine.com/shellshock-used-in-browserstack-attack/article/382957/

DOJ Defends Agents Cutting Cable Access, Posing as Repairmen (November 12, 2014)

The US Justice Department (DOJ) maintains that its agents acted entirely within the law when they cut Internet access to certain rooms at a Las Vegas hotel and posed as repairmen to gain access to the rooms and gather evidence without a warrant. They maintain that because the rooms' occupants, believing them to be repairmen, invited them in, a warrant was not required. The phony repairmen secretly filmed activity in the rooms, leading to eight arrests.
-http://arstechnica.com/tech-policy/2014/11/fbi-defends-ruse-of-undercover-agents-posing-as-hotels-cable-guys/

Microsoft Patch Tuesday (November 11 & 12, 2014)

On Tuesday, November 11, Microsoft released 14 bulletins to address 33 vulnerabilities in a variety of products. Two bulletins that were originally scheduled for release have been held back due to concerns that they did not adequately address certain security issues in Microsoft Exchange Server.
-http://www.computerworld.com/article/2846448/november-patch-tuesday-a-massive-update-with-a-few-misses.html
-http://www.scmagazine.com/microsoft-remediated-33-vulnerabilities/article/382691/
-http://www.zdnet.com/ms-exchange-updates-delayed-until-december-7000035755/
-https://technet.microsoft.com/library/security/ms14-nov
Among the vulnerabilities addressed is a critical flaw that affects all versions of Windows since Windows 95 and has existed for nearly 20 years. This particular flaw could be exploited to launch drive-by attacks and run code remotely. It also circumvents Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
-http://www.bbc.com/news/technology-30019976
-http://www.theregister.co.uk/2014/11/12/driveby_unicorn_0day_beats_emet_affects_all_windows_versions/
-http://www.darkreading.com/vulnerabilities---threats/microsoft-fixes-critical-19-year-old-schannel-bug-but-no-patch-for-xp/d/d-id/1317423?

[Editor's Note (Ullrich): This was not only a large, but also a very "tricky" patch Tuesday. First of all, with MS14-066 (SCHANNEL), Microsoft dropped the first unauthenticated remote code execution vulnerability in years. This flaw could become a huge problem, even though it looks like, up to this point, exploitation will be a bit more difficult. To make things worse, Microsoft's bulletin and patch quality seems to be waning. Two of the bulletins announced for November have been moved to December without further announcement. The bulletin for MS14-066 is lacking significant details, for example the fact that this patch covers multiple flaws (a certificate evasion flaw plus at least two buffer overflows). MS14-064 is another incomplete attempt to fix the ongoing "sandworm" OLE issue, and apparently it is still not complete (the first attempt, MS14-060, fell short as well). Microsoft used to do better than that.
(Murray): Does the risk really go up simply because support ends on a mature product, or is the risk, if any, in the continued use of an obsolete product? I am reminded that ShellShock was at least twenty-five years old. While it made systems in which it was used vulnerable, it seems to me that it operated the way that it was intended to operate. It was an embedded escape mechanism, one of many. The real vulnerability was in the use of a component that was not fully understood. "Software Engineering" is a contradiction in terms if it does not include the concept of "strength of materials." It may be an over-constrained problem, but if so, we should not call it engineering. ]

US-CERT Warns of End of Support for Windows Server 2003 (November 13, 2014)

The US Computer Emergency Response Team (US-CERT) has issued a warning to organizations that Microsoft will be ending support for Windows Server 2003 in July 2015. The absence of patches, technical support, and software updates will put organizations still using Windows Server 2003 after July 2015 at risk of malware infections and data breaches.
-http://www.zdnet.com/homeland-security-alerts-on-end-of-windows-server-2003-support-7000035778/
-https://www.us-cert.gov/ncas/alerts/TA14-310A

Adobe Issues Updates for Flash Player and AIR (November 11 & 12, 2014)

Adobe has released updates for its Flash Player and AIR to address 18 security flaws. Updates are available for Windows, Mac, and Linux. The most current version of Flash Player is now 15.0.0.223; the most current version of AIR for Windows, Mac, and Android is now 15.0.0.356. Windows users who run browsers other than Internet Explorer (IE) may need to update twice: once for IE and once for the other browser.
-http://www.scmagazine.com/flash-and-air-updates-available-after-adobe-addresses-18-vulnerabilities/article/382958/
-http://krebsonsecurity.com/2014/11/adobe-microsoft-issue-critical-security-fixes-3/
-http://helpx.adobe.com/security/products/flash-player/apsb14-24.html

Changes in Firefox 33.1 Focus on Privacy (November 11, 2014)

Mozilla has released version 33.1 of its Firefox browser. While incremental updates usually go unannounced, this update is notable for the Forget Button, which allows users to delete recent history and cookies for the last five minutes, two hours, or 24 hours with a single click. The button is new, but the capability is not: until version 33.1, it had been buried in the Firefox menu. Firefox also has a Private Mode that has been available since version 3.1, released in 2008.
-http://www.eweek.com/security/firefox-33.1-debuts-with-security-privacy-and-developer-focus.html

Masque Attack Exploits Vulnerability in iOS (November 11, 2014)

The Masque attack exploits a vulnerability in iOS to replace legitimate apps on iOS devices with malicious ones. Once the malware has gained a foothold on the device, it can then access email, login credentials, and other stored data. The WireLurker malware campaign that was recently in the news is a "limited form of Masque Attacks."
-http://arstechnica.com/security/2014/11/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps/
-http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html

[Editor's Note (Ullrich): The demo videos showing the exploitation of these various flaws leave out one important detail: To facilitate exploitation, the user will first have to install an "Enterprise Profile" to trust the attacker's signature. Without such an enterprise profile, you will not be able to install the malware. Regardless, Apple should probably address the "app id" issue to prevent one developer from overwriting another developer's app. ]

Cybersecurity for Girls Workshop Held at University of Maryland (November 13, 2014)

On Tuesday, November 11, the Cool Careers in Cybersecurity for Girls Workshop brought 350 girls from Maryland middle schools together at the University of Maryland. The annual event is a joint effort by the Maryland Cybersecurity Center, the Maryland Center for Women in Computing, and the National CyberWatch Center K-12 Division. This year's event focused on medical device security. The students put together computers from parts, discussed work environment security issues, and heard NSA employees speak about their jobs.
-http://www.diamondbackonline.com/news/article_04d5a9a0-6aea-11e4-b9f3-1bbb47a920b7.html

[Editor's Note (Pescatore): More of this type of thing is needed, as it would be great to see higher numbers of women in the cybersecurity workforce. Another good sign: we saw a huge influx of nominations of women for the SANS 2014 Difference Makers awards, which will be announced next week and presented at the SANS CDI event at the Grand Hyatt in Washington DC on December 16th. ]

STORM CENTER TECH CORNER

Pwn2Own Day 1 Recap
-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Mobile-Pwn2Own-2014-The-day-one-recap/ba-p/6669592#.VGVdDYdUFZk

Sandworm Update from McAfee
-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-root-cause

Update on SCHANNEL Vulnerability
-https://isc.sans.edu/forums/diary/How+bad+is+the+SCHANNEL+vulnerability+CVE-2014-6321+patched+in+MS14-066/18947

Using ssh-agent Properly
-http://rabexc.org/posts/pitfalls-of-ssh-agents


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.