SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #92

November 18, 2014

TOP OF THE NEWS

US State Department Unclassified eMail System Breached
Government Does Not Hoard Zero Days, Says White House Cybersecurity Coordinator
AT&T Ends "Test" of Phone Tracking IDs

THE REST OF THE WEEK'S NEWS

Apple Issues Update for Yosemite Reportedly Not Fixing Wi-Fi Problems, But Still Should Be Installed
Apple Says Masque is Not Much of a Risk
Microsoft Security Intelligence Report Looks at Risk of Expired Security Software
Chinese Authorities Make WireLurker Arrests
Judges Require Stricter Rules for Stingray Use
Microsoft Warns of Problems With SChannel Update
Two Arrested in Connection with ATM Fraud
Malware Injected By Tor Exit Node Linked to Attacks
Prison Sentence for Man Convicted on Racketeering Charges Related to Carder Ring

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec **************************
Read the Forrester Research, Inc. report and get in-depth expertise on the enterprise mobility market. Symantec recommends this analyst report for anyone evaluating enterprise mobility solutions or looking to gain a better understanding of the market. Access the report for leading industry insight and learn why Symantec is positioned as a leader. Download Today.
http://www.sans.org/info/171872
***************************************************************************

TRAINING UPDATE


- --Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


- - --Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- - - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, Brussels, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

US State Department Unclassified eMail System Breached (November 16 & 17, 2014)

The US State Department has taken its unclassified email system offline following a security breach. Three other government networks - at the White House, The US Postal Service, and the national Oceanic and Atmospheric Administration (NOAA) - have also been targets of recent attacks.
-http://www.eweek.com/security/u.s.-state-department-is-latest-hacking-victim.htm
l
-http://www.nbcnews.com/news/us-news/state-department-joins-growing-list-hacked-f
ederal-agencies-n249711
-http://www.nextgov.com/cybersecurity/2014/11/state-department-hacked-same-time-w
hite-house/99131/?oref=ng-HPtopstory
-http://www.theregister.co.uk/2014/11/17/email_system_suspended_after_us_state_de
pt_hack_attacks/
-http://www.computerworld.com/article/2847891/reports-state-department-admits-int
rusion-into-unclassified-email.html
[Editor's Note (Paller): In the aftermath of John Streufert leaving for DHS several years ago, the State Department's cybersecurity program regressed toward the traditional federal FISMA compliance regime that has left federal systems deeply vulnerable to attack (as contrasted with active security management programs, using the Critical Security Controls, like the program Streufert implemented while at State). One cannot say that the State Department's regression caused the current breach, but it cannot have been a good thing. ]

Government Does Not Hoard Zero Days, Says White House Cybersecurity Coordinator (November 17, 2014)

The US government does not hoard zero-day vulnerabilities for use against adversaries, according to White House Cybersecurity Coordinator Michael Daniel. Although the Obama administration acknowledged earlier this year that the NSA and law enforcement agencies sometimes do hold vulnerabilities back for their own use, Daniel says that it is the exception rather than the rule.
-http://www.wired.com/2014/11/michael-daniel-no-zero-day-stockpile/

AT&T Ends "Test" of Phone Tracking IDs (November 14, 2014)

AT&T says it has stopped using hidden tracking numbers in customers' communications. The practice made news recently. AT&T was using unique identifiers in customers' web traffic sent by devices on its network. The numbers can be used by websites to compile profiles of users' activity. AT&T said that the tracking was a test, but did not rule out the possibility of using a similar program that will allow customers to opt out.
-http://www.wired.com/2014/11/att-hits-pause-privacy-busting-perma-cookie-test/
-http://arstechnica.com/security/2014/11/att-stops-using-undeletable-phone-tracki
ng-ids/
[Editor's Note (Ullrich): Issues like AT&T's as well as Verizon's tracking ID will hopefully convince more users to consider all networks not managed by the user hostile and insist on more end-to-end encryption. ]

---

**************************** SPONSORED LINKS ******************************
1) Learn new ways to stop hacks in their tracks once they're inside. Join Guidance Software, Blue Coat Systems, and other security experts for our final event in London - NOV 20. Find out how to upgrade your security posture for faster post-event detection and remediation. http://www.sans.org/info/171877

2) Take the SANS 2nd Annual Endpoint Security Survey and enter to win a $400 Amazon Gift Card! http://www.sans.org/info/171882

3) BIG DATA SECURITY SURVEY: What are the biggest risks to your big data applications? Take survey by 11/24 and enter to win iPad. http://www.sans.org/info/171887
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Issues Update for Yosemite Reportedly Not Fixing Wi-Fi Problems But Still Should Be Installed (November 17, 2014)

Apple has issued an update for Yosemite, OS X 10.10, to address an issue with wi-fi connectivity that has been affecting some users. In certain configurations on routers and Macs, the wi-fi was intermittently dropping. However, some initial reports suggest that the update does not solve the problem. The update, OS X 10.10.1, also fixes numerous other issues with the operating system.
-http://www.zdnet.com/apple-issues-yosemite-patch-for-wi-fi-bug-7000035874/
-http://www.computerworld.com/article/2848835/os-x-yosemite-update-fails-to-solve
-mac-wi-fi-mess.html
[Editor's Note (Ullrich): Don't discard the update just because the headline states that it doesn't fix a Wi-Fi issue. It does patch a critical flaw in webkit across all platforms (OS X, iOS, Apple TV) that could be used for remote executing code. It also fixes problems with the iOS lock screen and prevents Spotlight from saving indexes for files on your main disk to portable devices like USB sticks. For a summary including impact and severity (something Apple's minimalistic advisories do not easily provide), see
-https://isc.sans.edu/forums/diary/Updates+for+OS+X+iOS+and+Apple+TV/18961]

Microsoft Security Intelligence Report Looks at Risk of Expired Security Software (November 14 & 17, 2014)

According to the most recent Microsoft Security Intelligence Report, running computers with expired security software is nearly as risky as running a computer without any security software at all. The study was done on computers running Windows 8 and Windows 8.1. Computers with updated real-time security software had a 0.6 percent infection rate, while machines running expired security software and no security software at all had 2.2 and 2.4 percent infection rates, respectively. Users may be running expired products because new systems come with trial subscriptions that they do not renew.
-http://www.scmagazine.com/microsoft-report-explores-dangers-of-running-expired-s
ecurity-software/article/383769/
-http://www.zdnet.com/expired-security-software-an-open-door-to-malware-700003582
3/
[Editor's Note (Pescatore): Contrast this story to the Apple Masque item below: in order for the Masque malware to work, a user has to actively subvert the built-in App Store mechanism in iOS, which is essentially a white list. That mechanism is not perfect - nothing is - but raises the bar against malware tremendously. On Windows, signature-based malware blacklists must still be constantly updated and even then are nowhere near as effective as even very large whitelists. Google Play for Android is somewhere in between - effective whitelist but easier for the user to disable or bypass than on iOS. ]

Apple Says Masque is Not Much of a Risk (November 13 & 14, 2014)

Apple appears not to be concerned about the Masque malware despite a warning from US-CERT not to download apps from anywhere except the official App Store. Apple is downplaying the threat, noting that no one appears to have been affected by it. Apple says that its operating systems are designed to prevent malware downloads.
-http://www.v3.co.uk/v3-uk/news/2381390/us-cert-issues-warning-on-apple-ios-masqu
e-malware
-http://www.theregister.co.uk/2014/11/14/apple_masque_ios_security_response/
-http://www.cnet.com/news/apple-downplays-threat-posed-by-masque-attack-bug/
-http://www.computerworld.com/article/2848205/masque-the-major-security-flaw-that
-wasnt.html
[Editor's Note (Ullrich): Agreed (Masque is Not Much of a Risk). The main risk is users installing trusted certificates ("Enterprise configurations") to be able to load software not distributed via the Appstore. Maybe Apple could come up with a way to make installing these certificates a bit more difficult and communicate the impact to the user more clearly.
(Pescatore): Contrast this story to the Microsoft SIR expired malware item above: in order for the Masque malware to work, a user has to actively subvert the built-in App Store mechanism in iOS, which is essentially a white list. That mechanism is not perfect - nothing is - but raises the bar against malware tremendously. On Windows, signature-based malware blacklists must still be constantly updated and even then are nowhere near as effective as even very large whitelists. Google Play for Android is somewhere in between - effective whitelist but easier for the user to disable or bypass than on iOS.
(Murray): A generation ago Fred Cohen told a small group at IBM Research in Hawthorne NY that, in a world of application-only machines, we could enjoy most, but not all, of the advantages of the general-purpose computer, without viruses. Steve Jobs has given us such a world, and has proven Cohen correct, if, in the immortal words of Ben Franklin, "you can keep it." ]

Chinese Authorities Make WireLurker Arrests (November 14 & 17, 2014)

Police in Beijing have arrested three people alleged to be responsible for the WireLurker malware, which targets users of Apple products. WireLurker infects OS X devices through apps downloaded from an unauthorized app store. When iOS devices are connected to an infected OS X machine through USB, the malware infects them as well. Authorities have also taken down websites associated with the malware.
-http://www.scmagazine.com/authorities-nab-wirelurker-masterminds/article/383567/
-http://www.computerworld.com/article/2848043/suspected-wirelurker-malware-creato
rs-arrested-in-china.html
-http://www.zdnet.com/wirelurker-site-in-china-taken-down-suspects-arrested-70000
35867/

Judges Require Stricter Rules for Stingray Use (November 15 & 17, 2014)

Law enforcement agencies in Pierce County in Washington state must now specify when they will use stingray technology in their investigations and must also swear in the affidavit that they will not retain data belonging to people who are not the target of the order. The 22 Pierce County Superior Court judges have approved a new requirement for law enforcement agencies "... requir
[ing ]
language in pen register applications that spells out
[that ]
police intend to use the
[tracking ]
device."
-http://arstechnica.com/tech-policy/2014/11/judges-impose-rare-stricter-requireme
nt-for-stingray-use-by-police/
-http://www.scmagazine.com/washington-judges-approve-stringent-stingray-rules/art
icle/383760/
-http://www.thenewstribune.com/2014/11/15/3488642_tacoma-police-change-how-they.h
tml?sp=/99/289/&rh=1

Microsoft Warns of Problems With SChannel Update (November 16 & 17, 2014)

Microsoft has acknowledged problems some users are experiencing with a security bulletin released last week. This bulletin, MS14-066, was rated critical, and addresses at least one flaw in SChannel, Microsoft's implementation of SSL/TLS encryption. In certain configurations, services become intermittently unresponsive.
-http://www.zdnet.com/microsoft-warns-of-problems-with-schannel-security-update-7
000035835/
-http://www.infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-
2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html
-https://support.microsoft.com/kb/2992611
[Editor's Note (Ullrich): Microsoft did a lot wrong with this update. First of all, they didn't fully disclose the number and scope of vulnerabilities patched. Second, they included new functionality (new ciphers), something usually reserved for updates released later in the month. The additional ciphers now cause problems preventing expeditious application of this critical patch. Luckily, the SChannel vulnerability has proven to be difficult to exploit so far. ]

Two Arrested in Connection with ATM Fraud (November 14, 2014)

Two men are facing charges of computer fraud and conspiracy for exploiting a simple vulnerability in kiosk ATMs to withdraw more cash than the machine realized it was dispensing. Using just the keypad, the men were able to trick the machines into dispensing twenty-dollar bills in the place of one-dollar bills. The trick works on kiosk ATMs, which can be switched into operator mode by entering a specific sequence on the keypad. The men allegedly used the trick to withdraw more than US $400,000. They were discovered because they used their own debit cards.
-http://www.wired.com/2014/11/nashville/

Malware Injected By Tor Exit Node Linked to Attacks (November 14, 2014)

Malware that was being injected into executable files downloaded through the Tor network has been linked to attacks on computer systems at European government agencies. The malware, known as OnionDuke, was being injected into files by a Tor exit node in Russia.
-http://www.computerworld.com/article/2847549/cyberespionage-group-tied-to-oniond
uke-malware.html

Prison Sentence for Man Convicted on Racketeering Charges Related to Carder Ring (November 14, 2014)

A federal judge in Nevada has sentenced Cameron Harrison to more than nine years in prison for buying stolen payment card information from the underground carder.su website. He was also ordered to pay US $50.8 million in restitution. Harrison pleaded guilty to racketeering charges earlier this year. Fifty-four other people have been charged in connection with carder.su; nearly 8,000 people are believed to be involved.
-http://www.scmagazine.com/cameron-harrison-sentenced-to-prison-time-and-restitut
ion/article/383473/
-http://www.theregister.co.uk/2014/11/14/us_carder_gets_nine_years_in_cooler_must
_pay_back_i50_meellioni/
[Editor's Note (Murray): Such markets increase the efficiency of crime and lower the risk for the individual criminal. Taking down the market should be a top priority of law enforcement. ]

---

STORM CENTER TECH CORNER

Apple Releases updates for iOS, OS X and Apple TV
-https://isc.sans.edu/forums/diary/Updates+for+OS+X+iOS+and+Apple+TV/18961

Immunity releases MS14-066 PoC/DoS exploit
-https://community.rapid7.com/community/infosec/blog/2014/11/12/schannel-and-ms14
-066-another-red-alert

New Tricks to Deanonymize Tor Users
-https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545

Whitehat Security Webcast
-https://www.sans.org/webcasts/top-10-1-2-things-undermine-security-program-98937

Update to MS14-066
-https://isc.sans.edu/forums/diary/Microsoft+Updates+MS14-066/18957

Exploit available for MS14-064 (but NOT 66)
-http://packetstormsecurity.com/files/129101/ms14_064_packager_run_as_admin.rb.tx
t

IAB Statement on Internet Confidentiality
-https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/

Exploiting Philips Smart TV
-http://www.fredericb.info/2014/11/exploitation-of-philips-smart-tv.html

Simple guest to host VM escape for Parallels Desktop
-http://blog.cr4.sh/2014/11/simple-guest-to-host-vm-escape-for.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/