
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #13

February 17, 2015

TOP OF THE NEWS

Proposed Legislation Would Limit Purview of US Warrants Seeking Data Held on Overseas Servers
President Obama Issues Executive Order to Promote Cyberthreat Information Sharing
Bill Would Promote Information Sharing

THE REST OF THE WEEK'S NEWS

Bringing Women Into the Cyber Security Field
Kaspersky Presents Findings on Equation Group
Vulnerability in Netgear Devices
Carbanak Malware Used in Cyber Attacks on Banks
Carnegie Mellon University's CERT
Microsoft Pulls Problematic PowerPoint Patch
Google Tweaks Project Zero Disclosure Policy

STORM CENTER TECH CORNER


************************* Sponsored By Symantec **************************
Symantec Webcast: Combat Advanced Cyber Attacks with Adversary and Threat Intelligence, Feb 26, 10am PT - The threat environment has become increasingly hostile. The volume of attacks has grown dramatically, along with the sophistication of attackers. Join Symantec to understand the role intelligence should play to more effectively identify, prioritize and protect against key threats to your environment. http://www.sans.org/info/174787
***************************************************************************

TRAINING UPDATE


- -SANS Scottsdale 2015 | Scottsdale, AZ | February 16-February 21, 2015 | 7 courses. Bonus evening presentations include APT: It is Time to Act, and Privileged Domain Account Protection: How to Limit Credentials Exposure
http://www.sans.org/u/18r


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/u/Vx


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/u/VR


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 | 5 courses.
http://www.sans.org/u/W1


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/u/Wg


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/u/Wq


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course.
http://www.sans.org/u/1nB


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

*****************************************************************************

TOP OF THE NEWS

Proposed Legislation Would Limit Purview of US Warrants Seeking Data Held on Overseas Servers (February 12, 2015)

A bill introduced in the Senate would limit the purview of US warrants served by the US government on overseas companies to information pertaining to a US citizen. It would also require that a warrant be modified or vacated if it is challenged in court and the court finds that complying with it would violate the laws of the country where the data are held. Currently, the Justice Department maintains that companies that operate in the US must comply with warrants demanding data even if those data are held overseas. Last summer, a federal court ruled that Microsoft must provide data requested by DOJ even though the data are stored on a server in Ireland. That ruling is on hold pending appeal.
-http://arstechnica.com/tech-policy/2015/02/proposed-bill-limits-reach-of-us-search-warrants-on-overseas-servers/

[Editor's Note (Murray): Drafting is difficult. However, it should not be the policy of the United States to coerce its citizens into violating the laws of the foreign states in which it does business and which are intended by those states to protect the rights of their citizens. The US should try to avoid the role of the "biggest bully on the block." ]

President Obama Issues Executive Order to Promote Cyberthreat Information Sharing (February 13, 2015)

President Obama has issued an executive order aimed at improving cooperation among law enforcement, the military, government agencies, and the private sector in sharing information about cyber threats and protecting systems from security breaches. The order calls for the creation of information sharing and analysis organizations (ISAOs) and designates the Department of Homeland Security (DHS) to coordinate the information sharing.
-http://www.eweek.com/security/president-issues-executive-order-for-unity-in-cybersecurity-plan.html

-http://www.scmagazine.com/obama-executive-order-paves-way-for-threat-intelligence-sharing/article/398244/

-http://www.wired.com/2015/02/president-obama-signs-order-encourage-sharing-cyber-threat-information/

Bill Would Promote Information Sharing (February 12, 2015)

A bill introduced in the US Senate last week aims to improve information sharing between government agencies and the private sector. Companies would voluntarily share information with the National Cybersecurity and Communications Integration Center, which would then share the data with government agencies. The information companies provide would be protected from disclosure through Freedom of Information Act (FOIA) requests, and the companies would not face legal or regulatory penalties regarding the information they shared.
-http://www.nextgov.com/cybersecurity/2015/02/senate-bill-pushes-sharing-sensitive-cyber-threat-data-between-government-and-companies/105195/

-http://www.executivegov.com/2015/02/sen-thomas-carper-cyber-bill-pushes-govt-private-sector-data-sharing/

[Editor's Note (Murray): Drafting is difficult but this bill is likely to suffer the same fate as the long series of such bills that have died in the legislative process. Any such legislation should first seek to increase necessary trust in government. The government needs to demonstrate an ability to protect information entrusted to it. Such legislation will continue to attract opposition to the extent that it is seen as an attempt to encourage private enterprise to escape its duties to its constituents by snitching on them to the government. ]


************************** Sponsored Links: ******************************
1) Download the free eGuide: An IT Auditor's Guide to Security Controls & Risk Compliance: http://www.sans.org/info/174792

2) What Works: Increasing Vulnerability Management Effectiveness While Reducing Cost. Wednesday, February 18 at 1:00 PM EST (18:00:00 UTC) with John Pescatore. http://www.sans.org/info/174772

3) The survey results are in! Big Data: Identifying Major Threats and Removing Security and Compliance Barriers -- Webcast on Tuesday, February 24 at 1:00 PM EDT. Register: http://www.sans.org/info/174782
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Bringing Women Into the Cyber Security Field (February 2015)

Women are underrepresented in the cyber security industry. Fewer than 20 percent of the information security workforce is women, and women receive just 10 percent of cyber security computer science degrees. Intel Security chief privacy officer Michelle Dennedy points out that the cyber security industry would benefit from the diversity that including more women in its ranks would bring.
-http://www.csmonitor.com/World/Passcode/2015/0216/To-attract-more-women-cybersecurity-industry-could-drop-macho-jargon

[Editor's Note (Pescatore): At SANS CDI in December, we awarded Difference Makers awards to several people and groups that have been very effective in bringing women into the cybersecurity field. Joyce Brocaglia of Alta Associates runs the Executive Women's Forum, which has been giving scholarships out to women since 2007. Jeremy Epstein and the ACSA, with funding from HP, run the Scholarships for Women Studying Information Security program, which gave out 11 scholarships to women in 2014.
(Murray): Certainly one contribution to this goal would be to recognize the outstanding contributions to the field made by women. At such an advanced age as mine, one hesitates to name names for fear of overlooking the obvious but Zella Ruthberg, Becky Bace, Cynthia Irving, Dorothy Denning, Deborah Russell, Sheila Brand, Micki Krause, Diana Contesti, Vaune Rimkus, Sandy Lambert, Robin Roberts, Patricia Myers, Barbara Endicott-Popovsky, Sheila Dillon, Tanya Zlateva are among my many colleagues who come quickly to mind. Without their leadership we would not be where we are. We cannot afford to lose their like. It seems clear that it is a gender identity issue that we do not understand. While there is no feminine of geek, most of us are professionals, managers, and leaders, not geeks. ]

Kaspersky Presents Findings on Equation Group (February 16, 2015)

At its recent Security Analyst Summit conference, Kaspersky Lab presented a report about a group of cyber attack specialists it has named the Equation Group. Those behind the group's operations are believed to have intercepted CDs of pictures and other material sent to attendees of a 2009 scientific conference and tampered with them so that they infected recipients' machines. According to Kaspersky, the Equation Group is responsible for at least 500 infections in more than 40 countries. Because the malware includes a self-destruct feature, researchers posit that the actual number of infections may be significantly larger.
-http://www.nytimes.com/2015/02/17/technology/spyware-embedded-by-us-in-foreign-networks-security-firm-says.html

-http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

-http://www.wired.com/2015/02/kapersky-discovers-equation-group/
-http://www.zdnet.com/article/beyond-stuxnet-and-flame-equation-group-most-advanced-cybercriminal-gang-recorded/

-http://www.darkreading.com/vulnerabilities---threats/advanced-threats/newly-discovered-master-cyber-espionage-group-trumps-stuxnet/d/d-id/1319104?

Vulnerability in Netgear Devices (February 16, 2015)

A vulnerability that affects several Netgear wireless routers could be exploited to steal sensitive information. The flaw can be exploited over local area networks (LANs), and over the Internet if the routers are configured for remote administration. The flaw lies in an application that lets people monitor and control their routers from their smartphones or computers.
-http://www.computerworld.com/article/2884377/information-disclosure-flaw-exposes-netgear-wireless-routers-to-attcks.html

[Editor's Note (Murray): One should discourage the use of firewalls that can be configured from the public side and the development of gratuitous controls. ]

Carbanak Malware Used in Cyber Attacks on Banks (February 14 & 16, 2015)

Recent reports say that a group of criminals may have stolen as much as $1 billion from banks around the world through attacks that targeted the banks themselves rather than account holders. The malware used in the scheme is being called Carbanak; it let the thieves make ATMs dispense cash with no physical interaction and transfer funds from targeted banks to accounts set up in other countries for just this purpose. Brian Krebs covered the story back in December 2014. Machines within banks were infected when employees opened phishing emails and clicked on malicious attachments; the malware exploited known vulnerabilities in systems that were not up to date with patches. The attack, says Krebs, points to the importance of focusing less on preventing intrusions and more on detecting attacks quickly and taking steps to stanch losses.
-http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/
-http://www.zdnet.com/article/carbanak-hacking-group-steal-1-billion-from-banks-worldwide/

-http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?partner=socialflow&smid=tw-nytimes&_r=1

[Editor's Note (Murray): 2014 was the year that bankers should have learned about strong authentication. In 2015 they should learn that, in a world of cheap hardware, prudent bankers do not do high risk applications like e-mail and web browsing on the same systems and networks as they do mission critical applications. ]

Carnegie Mellon University's CERT (February 15, 2015)

The Computer Emergency Response Team (CERT) was created in late 1988 in response to the Morris worm. The first computer virus, the Morris worm, infected 6,000 computers. DARPA researchers Bill Scherlis and Stephen Squires worked for days to identify the malware and halt its spread; once it was contained, Scherlis recommended that the agency create a team focused on responding to cyber attacks, and CERT was formed at Carnegie Mellon University in Pittsburgh. The team is directed by Richard Pethia, who has held the job since CERT's inception.
-http://triblive.com/news/editorspicks/7693096-74/computer-attacks-pittsburgh#axzz3RvBBRmg4

Microsoft Pulls Problematic PowerPoint Patch (February 15, 2015)

Microsoft has removed one of the patches it released on Thursday, February 12 after users reported problems with it. The patch was supposed to improve the stability of PowerPoint 2013, but users have been reporting that it breaks the application.
-http://www.theregister.co.uk/2015/02/15/microsofts_patchwork_falls_apart_again/
-http://www.infoworld.com/article/2883639/patch-management/microsoft-yanks-kb-2920732-patch-for-killing-powerpoint-2013-on-windows-rt-with-error-0xc0000428.html

[Editor's Note (Ullrich): Again another rough Patch Tuesday for Windows users. I counted a total of 4 problem patches. For a quick summary of the problems with February's Patch Tuesday, see
-https://isc.sans.edu/forums/diary/Microsoft+February+Patch+Failures+Continue+KB3023607+vs+Cisco+AnyConnect+Client/19331/
]

Google Tweaks Project Zero Disclosure Policy (February 13 & 14, 2015)

Google has changed its strict 90-day disclosure policy for security flaws, allowing vendors to request a two-week grace period if they plan to release a patch within the two weeks following the deadline and if they request the extension before the 90 days are up. In addition, disclosure dates that fall on a weekend or a holiday will be pushed out to the first following business day. Google will obtain CVE identifiers for the flaws prior to disclosure.
-http://arstechnica.com/security/2015/02/google-updates-disclosure-policy-after-windows-os-x-zero-day-controversy/

-http://www.theregister.co.uk/2015/02/14/google_vulnerability_disclosure_tweaks/
-http://www.computerworld.com/article/2883749/google-relaxes-strict-bug-disclosure-rules-after-microsoft-grievances.html

[Editor's Note (Pescatore): Good for Google to push the state of the practice forward, but also good for them to adjust to companies like Microsoft and Oracle that have to support enterprise needs for old style software.
(Murray): Google is finding that, even with the best of intentions, "doing no evil" is harder than it sounds. They must decide whether they want to be part of the solution or garner notoriety by being part of the problem. ]

STORM CENTER TECH CORNER

MongoDB Security Guide Released
-http://docs.mongodb.org/manual/administration/security-checklist/

MSFT Adding HTTP Strict Transport Security and Removing SSLv3 from IE
-https://technet.microsoft.com/library/security/3009008
-http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

-https://isc.sans.edu/forums/diary/Did+PCI+Just+Kill+ECommerce+By+Saying+SSL+is+Not+Sufficient+For+Payment+Info+spoiler+TLSSSL/19323/

Windows Server 2003 Extended Support Pricing
-http://www.theregister.co.uk/2015/02/16/windows_server_2003_600_dollars/

More Microsoft Patch Trouble
-https://isc.sans.edu/forums/diary/Microsoft+February+Patch+Failures+Continue+KB3023607+vs+Cisco+AnyConnect+Client/19331/

Kaspersky Reveals Malware Infiltrating Banks
-https://securelist.com/analysis/kaspersky-security-bulletin/68720/financial-cyber-threats-in-2014-things-changed/

m0n0wall to be discontinued
-http://seclists.org/oss-sec/2015/q1/565

Weak random numbers in WordPress
-http://seclists.org/fulldisclosure/2015/Feb/42

Facebook Picture Deletion Bug Fixed
-http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html


************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/

SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743