SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #1

January 06, 2015

How To Give A Winning Security Briefing That Leads To Action At the upcoming 10th ICS Security Summit (the longest running conference on securing the Internet of Things), the keynote will focus on how to gain senior management approval for important security initiatives. Senior executives are bombarded with proof that the threats to control systems are real. They get it. Now they have new questions: "What do we need to do? How much is enough? And whom can we trust to answer the first two questions?" The keynote will show how ICS security professionals can shape technical briefings to make them persuasive and also to set the presenter apart as a person senior management can trust. It covers key errors technical people make when presenting their proposals and one technique that has worked remarkably well in gaining support from top executives and a few techniques for handling tough questions. This will help you get support to implement the technical approaches you'll learn at the Summit.
http://www.sans.org/event/ics-security-summit-2015
Alan

---

TOP OF THE NEWS

Possible Breach of Chick-fil-A Payment Systems
Did Insiders Help With Sony Attack?

THE REST OF THE WEEK'S NEWS

Bitstamp Bitcoin Exchange Suspends Service
Apple Patches iCloud Vulnerability
Morgan Stanley Employee Fired Over Alleged Customer Data Theft
FBI Says Warrants Not Necessary to Use Stingray in Public
Google Discloses Windows 8.1 Flaw 90 Days After Notifying Microsoft
USPS Breach Affected Some Health Data
Majority of PHP Installations are Unsecure
NVIDIA Breach

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec *************************
Join Symantec and ITS Partners in a practical conversation about the current landscape of devices, industry-specific challenges for BYOD and just how to keep your workforce connected, secure, and productive.
http://www.sans.org/info/173527
***************************************************************************

TRAINING UPDATE


--SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


--Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


--10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


--SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


--SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/event/northern-virginia-2015


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


--Multi-week Live SANS training

http://www.sans.org/mentor/about

Contact mentor@sans.org


--Looking for training in your own community?

http://www.sans.org/community/


--Save on OnDemand training (30 full courses) - See samples at

http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

---

TOP OF THE NEWS

Possible Breach of Chick-fil-A Payment Systems (December 30 & 31, 2014)

According to information from several US financial institutions, fast-food chain Chick-fil-A may have experienced a payment system breach. The financial institutions note a pattern of fraud connected with payment cards used at the restaurants in the US. At one financial institution alone, nearly 9,000 cards appear to have been affected. Brian Krebs notes that in similar cases, the particular franchises affected were those that had outsourced point-of-sale system management to a third party.
-http://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/
-http://www.darkreading.com/attacks-breaches/chick-fil-a-investigating-possible-d
ata-breach/d/d-id/1318436?
[Editor's Note (Murray): Merchants should stop waiting for external evidence that they have been compromised; they should assume that there is a good chance that they are breached and actively look for evidence. Consumers should assume that their credit card numbers are compromised: they should request new (EMV) cards and actively monitor charges to their accounts. ]

Did Insiders Help With Sony Attack? (December 30, 2014)

Some researchers suspect that the attack on Sony Pictures' computer systems was aided by at least one former employee. The theory is based on leaked documents that show a series of layoffs in spring 2014.
-http://www.scmagazine.com/one-or-more-former-employees-may-have-aided-in-hack/ar
ticle/390385/

---

**************************** SPONSORED LINKS ******************************
1) Download the free eGuide: Breach Preparation - Plan for Compromise. http://www.sans.org/info/173532

2) Analyst Webcast: Securing Oracle Databases Made Easy. Wednesday, January 21 at 1:00 PM EST (18:00:00 UTC) with Pete Finnigan. http://www.sans.org/info/173537

3) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats. http://www.sans.org/info/173397
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Bitstamp Bitcoin Exchange Suspends Service (January 5, 2015)

The Bitstamp Bitcoin exchange has been taken offline due to a reported attack. Users have been warned to cease deposits to addresses issued prior to 4am ET Monday, December 5. Funds are currently frozen in accounts, and Bitstamp says that it has sufficient offline reserves to cover compromised Bitcoins. Bitstamp is based in the US and Slovenia.
-http://www.wired.com/2015/01/bitstamp-offline/
-http://www.scmagazine.com/bitstamp-goes-offline-in-cautionary-move/article/39090
8/
-http://www.darkreading.com/major-bitcoin-exchange-suspends-service-suspecting-at
tack-/d/d-id/1318453?
-http://threatpost.com/bitcoin-exchange-bitstamp-offline-following-apparent-compr
omise/110187

Apple Patches iCloud Vulnerability (January 5, 2015)

Apple has fixed a vulnerability in its iCloud service that could have been exploited by a hacking tool released late last week. The tool used brute force attacks to guess users' iCloud passwords.
-http://www.scmagazine.com/apple-patches-icloud-vulnerability-exploited-by-idict-
hacking-tool/article/390922/

Morgan Stanley Employee Fired Over Alleged Customer Data Theft (January 5, 2015)

Morgan Stanley has fired an employee for allegedly stealing customer data, including account access credentials, and offering them for sale online. The breach affected approximately 10 percent of the company's 3.5 million wealth management customers. The employee had worked at Morgan Stanley since 2008.
-http://www.bloomberg.com/news/print/2015-01-05/morgan-stanley-fires-employee-acc
used-of-stealing-client-data.html
-http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data
-on-350000-clients-was-stolen/
-http://www.scmagazine.com/account-names-numbers-transaction-data-posted-on-inter
net/article/390984/
[Guest Editor Note (Russell Eubanks): Expect to be asked by your leadership teams how your current security program would detect a similar incident. Be prepared with recommendations on the improvements that should be made if your capabilities are lacking. If at all possible, provide this information to them proactively. ]

FBI Says Warrants Not Necessary to Use Stingray in Public (January 2 & 5, 2015)

US Senators are questioning the FBI's use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern "about whether the FBI and other law enforcement agencies have adequately considered
[American's ]
privacy interests," and seeking additional information on the technology's use.
-http://arstechnica.com/tech-policy/2015/01/fbi-says-search-warrants-not-needed-t
o-use-stringrays-in-public-places/
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/01/02/senators-question-f
bis-legal-reasoning-behind-cell-tower-spoofing/

Google Discloses Windows 8.1 Flaw 90 Days After Notifying Microsoft (January 2, 3, & 5, 2015)

A Google researcher has publicly disclosed a vulnerability in Windows 8.1, 90 days after informing Microsoft of its existence. Google has been criticized by some for disclosing the unpatched local privilege elevation flaw. Google's recently launched Project Zero, which aims to find flaws in popular software, placed a 90-day deadline on the notification.
-http://www.scmagazine.com/windows-8-elevation-of-privilege-flaw-detailed-online/
article/390995/
-http://www.theregister.co.uk/2015/01/03/google_discloses_windows_0day/
-http://www.computerworld.com/article/2864373/google-discloses-unpatched-windows-
vulnerability.html
[Editor's Note (Pescatore): While 90 days from being informed of a vulnerability to releasing a production-ready patch is a reasonable timeframe, automated disclosure without some common sense in the loop is not right. That said, Google pointed out that the world of software is changing - continual updates is the norm and the old style infrequent, big bang releases is *not*. Faster patching should be the new normal. Of course, supporting an OS for 10 years (as Microsoft does) is *not* the norm for Google and others either - that may have to change, as well. ]

USPS Breach Affected Some Health Data (January 2, 2015)

Additional details being released about the September 2014 intrusion of US Postal Service computers indicates that certain health information was compromised as well. The affected data are related to workers' compensation claims. Because the compromised health data are not part of an insurance plan, the breach will not incur health data security fines.
-http://www.nextgov.com/cybersecurity/2015/01/medical-file-hack-affected-nearly-h
alf-million-postal-workers/102144/?oref=ng-channelriver
[Editor's Note (Henry): The lack of visibility into the impact of a breach continues to concern me. Understanding the depth and breadth of an intrusion, what was taken, and who it affected, is a critical part of the remediation process. Nevertheless, companies routinely take months to understand what happened, if they even figure it out at all. It is equally important for companies to have greater fidelity into their architecture, their data, and what's happening on their network as it is to protect the perimeter from the initial intrusion. ]

Majority of PHP Installations are Unsecure (December 31, 2014)

More than three-quarters of PHP installations contain at least one security issue. Other software packages were found to contain flaws as well: 38 percent of sites running Apache web server were found to be unsecure, as were 36 percent of sites running Nginx, 22 percent of sites running Python, and 18 percent of sites running Perl.
-http://www.theregister.co.uk/2014/12/31/want_to_have_your_server_pwned_easy_run_
php/
-http://blog.ircmaxell.com/2014/12/php-install-statistics.html

NVIDIA Breach (December 29, 2014)

NVIDIA employees have been notified of a breach that compromised their user accounts and passwords. The incident occurred in early December 2014. It is likely that the attack was perpetrated with information stolen elsewhere and made possible because people reused passwords on multiple sites.
-http://www.forbes.com/sites/davelewis/2014/12/29/nvidia-corporate-network-breach
ed/

---

STORM CENTER TECH CORNER

More Details About NTP Vulnerabilities Patched Last Month
-http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html

UEFI Vulnerabilities
-http://www.kb.cert.org/vuls/id/976132

ZAP Community Script Library
-https://github.com/zaproxy/community-scripts

oledump analysis of Rocket Kitten
-https://isc.sans.edu/forums/diary/oledump+analysis+of+Rocket+Kitten+Guest+Diary+
by+Didier+Stevens/19137/

MS14-068 Exploit Now in Metasploit
-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-hax
mas-ms14-068-now-in-metasploit

Lizard Squad Arrests
-http://techcrunch.com/2015/01/02/u-k-police-arrest-alleged-lizard-squad-hacker/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.