SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #93

November 21, 2014

Two of the nation's highest-rated journalists on the cybersecurity beat just published new books. Both are GREAT reads. Kim Zetter (Wired) wrote the definitive story of Stuxnet and made read like a novel. It's called Countdown to Zero Day and, in addition to the great story, shows how digital warfare developed in the US, how the zero-day "grey markets" work, and why the critical infrastructure in the United States is so vulnerable. In Spam Nation, Brian Krebs (krebsonsecurity.com) tells the story of a feud between two Russian companies that produce much of the drug spam and tracks them deep into the underground of spammers, hackers and financial companies. The spammers hack each other's systems, steal data, out the other to law enforcement (and to Brian) and more. One goes to jail; the other is out of business.

Alan

---

TOP OF THE NEWS

NSA Director Says Critical Infrastructure Data Stolen
Citadel Trojan Now Targeting Password Managers
Senate NSA Bill Blocked in Procedural Vote

THE REST OF THE WEEK'S NEWS

Webcam Streaming Site Found Underscores Need to Reexamine Security
NATO Cyber Defense Exercise
NotCompatible Android Malware Botnet
WhatsApp Adopts End-to-End Encryption
US Legislators Critical of USPS Breach Response
UK Banks Invite Intrusion Testing
Amnesty International Releases Free Anti-Spyware Tool
Chrome 39 Removes SSL 3.0 Fallback
Microsoft Issues Emergency Patch for Flaw in Kerberos Authentication Protocol

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Oracle ****************************
In case you missed it: Simplifying Data Encryption and Redaction Without Touching the Code. In this webcast, a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities was discussed.
http://www.sans.org/info/171962
***************************************************************************

TRAINING UPDATE


--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today? A Night of Crypto; and NetWars Tournament of Champions.
http://www.sans.org/event/cyber-defense-initiative-2014


--SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
http://www.sans.org/event/london-2014


--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Special Online Training Offer available through December 3 - Receive a MacBook Air or $800 discount on any vLive or OnDemand course. Learn more:
http://www.sans.org/online-security-training/specials


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Muscat, Brussels, and Dubai all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

NSA Director Says Critical Infrastructure Data Stolen (November 20, 2014)

NSA Director Michael S. Rogers told US lawmakers that China and other foreign countries have breached systems at organizations supporting US critical infrastructure with the intent of stealing information that could be used to launch a destructive attack. Entities working on behalf of foreign governments have been detected trying to do reconnaissance and to steal "specific schematics of most of our control systems."
-http://www.washingtonpost.com/world/national-security/nsa-chief-foreign-powers-s
teal-data-on-critical-us-infrastructure/2014/11/20/ddd4392e-70cb-11e4-893f-86bd3
90a3340_story.html
-http://www.bloomberg.com/news/2014-11-20/foreign-governments-have-hacked-u-s-pow
er-system-nsa-head-says.html
[Editor's Note (McBride): Stuxnet taught us about the importance of the engineering details in planning cyber attacks for physical consequence. Hence I am as concerned about the engineering firms as targets as I am about the companies that own and operate the infrastructure. The former is frequently a key to the latter. ]

Citadel Trojan Now Targeting Password Managers (November 19 & 20, 2014)

The Citadel Trojan, which in the past has been used to steal bank account access credentials and was used in targeted attacks against Middle Eastern petro-chemical companies, has recently been used in attacks against password managers. The newest version of Citadel now targets the master passwords for the three most widely used password management systems.
-http://www.darkreading.com/operations/identity-and-access-management/new-citadel
-attack-targets-password-managers/d/d-id/1317642?
-http://arstechnica.com/security/2014/11/citadel-attackers-aim-to-steal-victims-m
aster-passwords/
[Editor's Note (Honan0: If you have not done so already its time to turn on the two factor authentication features on your account that many of these password managers offer. ]

Senate NSA Bill Blocked in Procedural Vote (November 18, 2014)

By a narrow margin, the US Senate has blocked a bill aimed at curtailing NSA data gathering practices from reaching the floor. The USA Freedom Act was two votes short of the 60 it needed to pass. The bill would have ended bulk phone metadata collection, instead leaving those data under the control of telecommunications companies from which the NSA can access them with court orders from the Foreign Intelligence Surveillance Court. It would also have required the NSA to focus its search terms more narrowly to ensure that only relevant records are accessed. It would also have granted telecommunications companies more transparency in disclosing the number and types of data requests it receives.
-http://www.wired.com/2014/11/usa-freedom-act-fails-in-senate/
-http://www.cnet.com/news/bill-overhauling-nsa-programs-blocked-in-senate/

---

**************************** SPONSORED LINKS ******************************
1) Take the SANS 2nd Annual Endpoint Security Survey and enter to win a $400 Amazon Gift Card! http://www.sans.org/info/171967

2) BIG DATA SECURITY SURVEY: What are the biggest risks to your big data applications? Take survey by 11/24 and enter to win iPad. http://www.sans.org/info/171972

3) Find out what is driving INFOSEC health care priorities in 2015. Survey results in two parts: Part 1 - December 9 at 1 pm ET. http://www.sans.org/info/171977 Part 2 - December 11 at 1 pm ET. http://www.sans.org/info/171982
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Webcam Streaming Site Found Underscores Need to Reexamine Security (November 20, 2014)

The UK Information Commissioner's Office is urging people who use webcams to reset passwords and login information. A Russian-hosted website is offering streams from hundreds of webcams around the world, including more than 500 in the UK. The website accesses the webcams through default access credentials. There are streams for webcams in more than 250 countries and territories. Users are also being urged to disable remote access if it is not needed.
-http://www.v3.co.uk/v3-uk/news/2382511/russians-hacking-into-webcams-showing-liv
e-footage-from-uk-offices-shops-and-baby-monitors
-http://www.bbc.com/news/technology-30121159

NATO Cyber Defense Exercise (November 20, 2014)

On November 18, NATO launched Cyber Coalition 2014, a multinational cyber defense training exercise to test the Alliance's "ability to defend its networks from the various challenges that exist when operating in the contested cyber domain." Nearly 700 technical, government, and cyber experts participated in the exercise, which focused on rapid information sharing.
-http://www.nato.int/cps/en/natohq/news_114902.htm

NotCompatible Android Malware Botnet (November 20, 2014)

A new variant of Android malware known as NotCompatible has been detected sneaking onto companies' networks and stealing data. When it was first discovered several years ago, NotCompatible was being used as a proxy in spam attacks. Now the malware's botnet has expanded its reach to include click-fraud, fraudulent ticket purchasing, and automated brute force attacks.
-http://www.v3.co.uk/v3-uk/news/2382696/android-encrypted-notcompatible-malware-c
aught-infiltrating-company-systems
-http://www.scmagazine.com/android-malware-notcompatible-evolves-spawns-resilient
-botnet/article/384379/

WhatsApp Adopts End-to-End Encryption (November 18, 19, & 20, 2014)

WhatsApp has upped its encryption game to offer better protection for messages sent from Android devices running the app. The change means that WhatsApp will not be able to decrypt users' messages. The encryption system WhatsApp has chosen to use encrypts messages from the time they leave one device until they arrive at the recipient's device.
-http://www.v3.co.uk/v3-uk/news/2382368/whatsapp-bolsters-security-encryption-for
-android-app
-http://www.nbcnews.com/tech/security/big-brother-watching-amnestys-new-app-scans
-spyware-n252501
-http://www.scmagazine.com/whatsapp-and-open-whisper-systems-team-up/article/3842
83/
-http://arstechnica.com/security/2014/11/whatsapp-brings-strong-end-to-end-crypto
-to-the-masses/
[Editor's Note (Honan): One thing the revelations by Edward Snowden highlighted is how useful metadata when tracking people online. So while this is a welcome move by WhatsApp to secure the content of user messages, it still enables Facebook, who own WhatsApp, to gather the metadata of the uses to see who talks to whom, and when. ]

US Legislators Critical of USPS Breach Response (November 19, 2014)

The intruders who breached security of US Postal Service (USPS) computer systems may have copied employees' compensation information. The USPS has already acknowledged that the breach compromised Social Security numbers (SSNs) and other personal data of 800,000 employees. USPS is "still conducting forensic analysis of the impacted servers." Randy Miskanic, USPS Secure Digital Solutions vice president and incident commander on this case testified before the House Oversight and Government Reform subcommittee on the federal workforce earlier this week, describing the events of the incident in a timeline. Committee members took USPS to task for the way the incident was handled. The breach affected 100 machines. USPS has 25,000 servers and 200,000 workstations.
-http://www.scmagazine.com/congress-criticizes-usps-data-breach-response/article/
384520/
-http://www.nextgov.com/cybersecurity/2014/11/hackers-possibly-copied-postal-empl
oyee-pay-records/99470/?oref=ng-channelriver
USPS Breach Timeline:
-http://www.nextgov.com/cybersecurity/2014/11/timeline-how-postal-service-data-br
each-went-down/99494/?oref=ng-channeltopstory

UK Banks Invite Intrusion Testing (November 19, 2014)

Banks in the UK are inviting attackers to probe their systems as part of a security test. Bank of England will set guidelines for the testing but individual banks will determine the boundaries they want set within those guidelines. Knowledge of the test attack will be limited to just a few people at each institution.
-http://www.dailymail.co.uk/wires/reuters/article-2840995/Hackers-probe-cyber-cri
me-defences-British-banks.html

Amnesty International Releases Free Anti-Spyware Tool (November 19, 2014)

Amnesty International has released a tool that can detect spyware that governments use against activists and dissidents. Detekt runs intense scans on hard drives during which the computer may be used for other purposes. The version available now runs on Windows machines. Concerns remain about maintaining Detekt.
-http://www.bbc.com/news/technology-30115679
-http://money.cnn.com/2014/11/20/technology/security/detekt-spying-tool/index.htm
l

Chrome 39 Removes SSL 3.0 Fallback (November 19, 2014)

Google has updated its Chrome browser to version 39; the newest stable version of Chrome includes fixes for 42 security issues. Of particular note is the removal of fallback to SSL 3.0; the protocol will be completely disabled in Chrome 40. The change is a response to a vulnerability known as POODLE disclosed last month.
-http://www.scmagazine.com/chrome-39-contains-42-security-fixes-fallback-to-ssl-3
0-removed/article/384279/
-http://www.zdnet.com/google-advances-ssl-with-new-chrome-versions-7000035966/
[Editor's note (Northcutt): I applaud this decision.:
-http://en.wikipedia.org/wiki/Backward_compatibility]

Microsoft Issues Emergency Patch for Flaw in Kerberos Authentication Protocol (November 18 & 19, 2014)

Microsoft has released an out-of-cycle update (MS14-068) to address a critical flaw in the Kerberos authentication protocol that is being actively exploited. The vulnerability can be exploited to elevate privileges to those of the domain administrator. The issue affects all currently supported versions of Windows and Windows Server. The protocol manages authentication for Windows PCs on local networks. The problem is more serious for Windows Server than for Windows home users.
-https://technet.microsoft.com/library/security/MS14-068
-http://arstechnica.com/security/2014/11/unscheduled-windows-update-kills-critica
l-security-bug-under-active-attack/
-http://www.theregister.co.uk/2014/11/18/youll_most_definitely_believe_what_micro
soft_did_today/
-http://www.zdnet.com/details-emerge-on-windows-kerberos-vulnerability-7000035976
/
-http://krebsonsecurity.com/2014/11/microsoft-releases-emergency-security-update/
Internet Storm Center:
-https://isc.sans.edu/forums/diary/Microsoft+November+out-of-cycle+patch+MS14-068
/18967

---

STORM CENTER TECH CORNER

Critical Wordpress Update fixes XSS
-https://isc.sans.edu/forums/diary/Critical+WordPress+XSS+Update/18977

Google Releases Web Application Scanner "Firing Range"
-https://isc.sans.edu/forums/diary/Google+Web+Firing+Range+Available/18975

Detekt Scanner Focusing on State Surveillance Malware
-https://www.eff.org/deeplinks/2014/11/detekt-new-malware-detection-tool-can-expo
se-illegitimate-state-surveillance

PHP Backdoor Included in Templates/Themes for various Content Management Systems
-https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4
.pdf

jQuery CAPTCHA XSS Flaw Patched
-http://sijmen.ruwhof.net/weblog/256-cross-site-scripting-in-millions-of-web-site
s#more-256

NoSQL Big Data Security
-https://isc.sans.edu/forums/diary/+Big+Data+Needs+a+Trip+to+the+Security+Chiropr
acter+/18971

Phone Typo Squatting
-http://www.theregister.co.uk/2014/11/19/lamer_scammers_mimick_phone_numbers_to_f
leece_the_fat_fingered/

"NotCompatible" Botnet new and improved
-https://blog.lookout.com/blog/2014/11/19/notcompatible/

MS14-066 Re-Released for Server 2008 R2 and 2012
-https://technet.microsoft.com/library/security/MS14-066

Google et al promises free and easy SSL
-https://www.letsencrypt.org

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.