SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #19

March 10, 2015

TOP OF THE NEWS

Man Arrested at Canadian Border for Refusing to Divulge Phone Password
CIA "Blueprint for the Future" Focuses on Cyber Ops
Japanese Government Will Ask Infrastructure Companies to Help with Cyber Security

THE REST OF THE WEEK'S NEWS

FTC's Primary Domain Now HTTPS by Default
Firefox Update to Add Certificate Security Feature
Ethiopian Government May be Using Spyware Against Journalists
Former Employee Pleads Guilty to Breaking Into Former Employer's Network
NEXTEP Investigating Report of Point-of-Sale Systems Breach
Google Admin Console Flaw
Three People Indicted in Huge eMail Theft and Spam Campaign
UK's National Crime Agency "Strike Week" Nets 56 Cyber Crime Related Arrests
PI Pleads Guilty to Hiring Someone to Break Into eMail Accounts

STORM CENTER TECH CORNER


************************* Sponsored By Symantec **************************
Symantec Webcast: Cloud Security - Top Fundamentals You Need to Know, March 24th at 10am PT The cloud is forcing us to rethink security. The fact that information flows freely outside of the enterprise and back again means we need to consider how we secure that information. Join guest speaker Pete Lindstrom from IDC and Symantec for discussion on the fundamentals.
http://www.sans.org/info/175612
***************************************************************************

TRAINING UPDATE


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It, plus a major Expo.
http://www.sans.org/u/Wq

-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 | 5 courses.
http://www.sans.org/u/W1

-SANS Northern Virginia 2015 | Reston, VA | March 9-March 14, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/u/Wg

-Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses, including the NEW SEC511 Continuous Monitoring and Security Operations course.
http://www.sans.org/u/1ro

-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 | 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8

-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

-Looking for training in your own community?
Community - http://www.sans.org/u/Xj

-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Man Arrested at Canadian Border for Refusing to Divulge Phone Password (March 6, 2015)

A Canadian man returning from the Dominican Republic was arrested in Halifax, Nova Scotia, for refusing to provide law enforcement at the border with the code to unlock his smartphone. A Canadian Border Services Agency spokesperson said the man was arrested for "hindering" border guards from performing their duties.
-http://www.cnet.com/news/man-charged-for-refusing-to-give-up-phone-passcode-to-canadian-border-agents/

-http://www.cbc.ca/news/canada/nova-scotia/quebec-resident-alain-philippon-to-fight-charge-for-not-giving-up-phone-password-at-airport-1.2982236

[Editor's Note (Murray): In a world of the cloud, reliable any-to-any connectivity, and gigabytes of storage smaller than a fingernail, one need not challenge customs agents over contraband data. One should not attempt to cross borders with information that one wants to be confidential or available. And do not mess with ICE either. Precedent suggests that any and all searches and seizure by customs officials are "reasonable." This includes personal "papers and effects." ]

CIA "Blueprint for the Future" Focuses on Cyber Ops (March 6 & 9, 2015)

In an unclassified letter released on March 6, CIA Director John Brennan describes a restructuring of the agency with an increased focus on digital and cyber issues. Among the changes will be the establishment of a "new directorate that will be responsible for accelerating the integration of our digital and cyber capabilities across all of our mission areas."
-http://www.wired.com/2015/03/cias-new-directorate-makes-cyberespionage-top-priority/

-http://www.zdnet.com/article/cia-reinvents-itself-to-focus-on-cyber-operations/

Japanese Government Will Ask Infrastructure Companies to Help with Cyber Security (March 1, 2015)

The Japanese government plans to ask organizations that manage key elements of the country's critical infrastructure to help bolster protection against cyber threats. The entities include highway operators, the Bank of Japan, and Nippon Telegram and Telephone Corp. The government wants to promote cooperation in dealing with cyber threats.
-http://www.japantimes.co.jp/news/2015/03/01/national/crime-legal/48-infrastructure-entities-to-get-cybersecurity-cooperation-requests/#.VP3xIkKR_wz

[Editor's Note (Murray): Not only are the Japanese well mannered, their government assumes that the citizen is vested in the common good. ]


**************************** SPONSORED LINKS ******************************
1) Combat Advanced Malware - Download the Free White Paper: Advancing Threat Hunting: http://www.sans.org/info/175617

2) Level Up Your Security Strategy with Cyber Threat Intelligence Wednesday, March 11 at 1:00 PM EDT (17:00:00 UTC) with Joe Schreiber and Dave Shackleford. https://www.sans.org/webcasts/level-security-strategy-cyber-threat-intelligence-99322


3) A risk-based approach to identification, impact estimation, and effective remediation of data breaches in web-based applications Wednesday, March 18 at 1:00 PM EST (17:00:00 UTC) with Dr. Eric Cole and Demetrios Lazarikos (Laz). http://www.sans.org/info/175627
***************************************************************************

THE REST OF THE WEEK'S NEWS

FTC's Primary Domain Now HTTPS by Default (March 6, 2015)

The US Federal Trade Commission (FTC) has made its primary domain HTTPS by default, which enhances security and privacy for users. Browsers will automatically verify the website's authenticity, which will help guard against website impersonation.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/06/the-federal-governments-online-privacy-watchdog-just-made-its-web-site-more-secure/

-http://thehill.com/policy/technology/234873-ftc-enables-default-encryption
[Editor's Note (Pescatore): This is overselling the benefits of turning HTTPS on: the use of SSL only "automatically verifies the website's authenticity" when everything goes right at the CA, the website and the user. If you multiply those three probabilities together, you have about the same odds that your flight from Boston to Seattle, with stops in Chicago and Denver, will arrive on time in February.
(Paller): While John Pescatore's comment is valid, the FTC's action shows leadership among federal agencies and is worthy of commendation. (Murray): It seems prudent to conclude that what the regulator does, it is likely to expect of the regulated. ]

Firefox Update to Add Certificate Security Feature (March 9, 2015)

Firefox 37 will include a new mechanism to check SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. While the technology, dubbed OneCRL (Certificate Revocation List), will not supplant the currently used Online Certificate Status Protocol (OCSP) for the time being, Mozilla may eventually disable OCSP for certificates covered by OneCRL. Firefox 37 is expected to be available at the end of March.
-http://www.eweek.com/security/firefox-37-feature-to-improve-ssltls-certificate-security.html

-http://thestack.com/firefox-security-certificates-onecrl-050315
[Editor's Note (Ullrich): Neat idea to apply more duct tape to broken CAs. In the meantime, make sure your servers support OCSP stapling as this will reduce latency for SSL connections if the browser bothers to check OCSP.
(Pescatore): Deja vu all over again: the debate between the local/static CRL approach and the remote/dynamic OCSP approach. OCSP always had weakness against man in the middle attacks but that was considered a low risk attack back then. OCSP stapling was a way to address the issue but hasn't caught on. Pushing ever growing CRLs out frequently to every browser seemed like it wouldn't work back then, but now all modern browsers developers are pushing all kinds of updates out to browsers constantly anyway - using both techniques makes sense given the sad state of Certificate Authority security. ]
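As an added example (not part of the NewsBites item or the editors' notes), a small shell check for the OCSP stapling recommendation above: it classifies the output of `openssl s_client -status` so a server inventory can be scanned for stapling support. It assumes the openssl command-line tool is installed; the host and port in the live function are placeholders you supply.

```shell
#!/bin/sh
# Added example: verify whether a TLS server staples an OCSP response.
# Assumes the openssl CLI is available; no network is needed for the
# classifier itself, which works on captured s_client text.

# classify_ocsp_output TEXT
# TEXT is the combined output of `openssl s_client -status`.
# Prints one of: stapled, not-stapled, no-handshake.
classify_ocsp_output() {
    _out="$1"
    # No completed handshake means we learned nothing about stapling
    # (connection refused, TLS failure, wrong port, ...).
    if ! printf '%s\n' "$_out" | grep -q 'SSL handshake has read'; then
        echo "no-handshake"
    # openssl prints this header block only when the server sent a
    # stapled OCSP response during the handshake.
    elif printf '%s\n' "$_out" | grep -q 'OCSP Response Status: successful'; then
        echo "stapled"
    # Handshake completed but "OCSP response: no response sent":
    # the server does not staple, so browsers that check OCSP must
    # make their own round trip (or silently skip the check).
    else
        echo "not-stapled"
    fi
}

# check_ocsp_stapling HOST [PORT]
# Live probe (needs network). -servername sets SNI so virtual-hosted
# servers present the right certificate and stapled response.
check_ocsp_stapling() {
    _host="$1"
    _port="${2:-443}"
    _captured=$(openssl s_client -connect "$_host:$_port" \
        -servername "$_host" -status </dev/null 2>&1 || true)
    classify_ocsp_output "$_captured"
}

# Usage: ./ocsp_check.sh example.org   (example.org is a placeholder)
if [ -n "$1" ]; then
    printf '%s: %s\n' "$1" "$(check_ocsp_stapling "$1" "${2:-443}")"
fi
```

A result of "not-stapled" on your own servers is the condition the note above is asking you to fix; "no-handshake" means the probe itself failed and says nothing about stapling.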

Ethiopian Government May be Using Spyware Against Journalists (March 9, 2015)

The Ethiopian government is allegedly spying on Washington-area journalists who work for Ethiopian Satellite Television (ESAT) with spyware intended for use by law enforcement. ESAT computers were infected in 2013 when an employee opened what turned out to be a malicious file. That attack was likely aided by a tool from Italian company Hacking Team. A more recent incident revealed another attempt at such an attack. A spokesperson for the Hacking Team said the company cannot divulge clients' identities or locations, and that it would take action if it learned that entities were misusing its products.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/09/spyware-vendor-may-have-helped-ethiopia-spy-on-journalists-even-after-it-was-aware-of-abuses-researchers-say/

[Editor's Note (Murray): That simply makes them busted for what all the wise guys are doing. It is tragic that journalists become enemies of the state for doing the job that society relies upon them to do. The idea that there is "white market" in malware, or that the use of malware can be restricted to "legitimate" purposes is ludicrous on its face. "By their fruits you shall know them." ]

Former Employee Pleads Guilty to Breaking Into Former Employer's Network (March 9, 2015)

A man who used to work at a New York company has pleaded guilty to breaking into his former employer's network and causing damage. Michael Meneses left his job at a high-voltage power supply manufacturer in January 2012 after three-and-a-half years of employment. Before he left, he had created a program to steal other employees' login credentials. He used that information to gain access to the network and alter code to cause problems with work order cost calculations.
-http://www.scmagazine.com/disgruntled-former-employee-pleads-guitly-to-power-supplies-co-hack/article/402473/

-http://www.fbi.gov/newyork/press-releases/2015/software-programmer-pleads-guilty-to-hacking-into-network-of-long-island-high-voltage-power-manufacturer

NEXTEP Investigating Report of Point-of-Sale Systems Breach (March 9, 2015)

Point-of-sale system vendor NEXTEP has learned that some of its customer locations were compromised, potentially exposing payment card data. Financial industry sources noticed fraud on payment cards that had been used at Zoup restaurants. NEXTEP is investigating the issue.
-http://krebsonsecurity.com/2015/03/point-of-sale-vendor-nextep-probes-breach/
[Editor's Note (Murray): Read the Verizon Data Breach Incident report, to the effect that vendors of POS software often put their clients at risk by not using strong authentication and by sharing passwords across both users and customers. That said, "There is nothing left to hide." ]

Google Admin Console Flaw (March 9, 2015)

A vulnerability in the Google Admin console can be exploited to spoof email so it appears to come from unclaimed domains. The console is used to manage the Google Apps suite. Google has patched the flaw.
-http://www.zdnet.com/article/email-spoofing-security-hole-discovered-in-google-admin-console/

-http://www.scmagazineuk.com/google-apps-for-work-flaw-discovered/article/402439/

Three People Indicted in Huge eMail Theft and Spam Campaign (March 9, 2015)

The US Justice Department (DOJ) has indicted three people in connection with an email address theft scheme. Two of the three people have been arrested; one remains at large. The three allegedly broke into email servers, stole data, and used it to make more than $2 million from sales resulting from spam. One of the email service providers affected in the case is Epsilon, which manages customer email marketing for companies and became aware of a breach in April 2011.
-http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/
-http://www.eweek.com/security/feds-charge-three-with-theft-of-1-billion-email-addresses.html

-http://www.v3.co.uk/v3-uk/news/2398718/us-cops-charge-suspects-in-worlds-largest-data-breach

-http://www.scmagazine.com/indictment-reveals-theft-of-one-billion-email-addresses-from-esps-three-charged/article/402180/

-http://www.computerworld.com/article/2893725/two-indicted-for-stealing-1b-email-addresses-in-historic-breach.html

-http://www.justice.gov/opa/pr/three-defendants-charged-one-largest-reported-data-breaches-us-history

[Editor's Note (Northcutt): Hmmm, I wonder if their award-winning "Mastering Epsilon" had information that helped the attackers.
-https://www.google.com/finance?q=Epsilon+Data+Management
-http://finance.yahoo.com/news/epsilon-franklin-covey-co-presented-111300690.html;_ylt=AwrSyCN3af5UdwoAE_OTmYlQ
]

Additional links for the CIA "Blueprint for the Future" story (above):
-http://www.scmagazine.com/cia-to-reorganize-create-digital-directorate/article/402275/

-http://www.theregister.co.uk/2015/03/09/cia_reorgs_to_build_cybersnooping_into_all_investigations/

-http://touch.latimes.com/#section/-1/article/p2p-82984681/
Brennan's letter:
-https://www.cia.gov/news-information/press-releases-statements/2015-press-releases-statements/message-to-workforce-agencys-blueprint-for-the-future.html

UK's National Crime Agency "Strike Week" Nets 56 Cyber Crime Related Arrests (March 6 & 7, 2015)

The UK's National Crime Agency arrested 56 people during a "strike week" targeting suspected cyber criminals. Among those arrested was an unidentified 23-year-old man who allegedly broke into a system at the US Department of Defense last spring and stole information.
-http://arstechnica.com/tech-policy/2015/03/uk-man-arrested-on-suspicion-of-us-department-of-defense-hacking/

-http://www.bbc.com/news/technology-31753934
-http://www.zdnet.com/article/uk-cops-nab-man-accused-of-hacking-us-dod-to-threaten-lizard-squad/

-http://www.scmagazine.com/uk-crime-agency-arrests-56-alleged-cyber-criminals/article/402191/

PI Pleads Guilty to Hiring Someone to Break Into eMail Accounts (March 6, 2015)

A private investigator from New York has pleaded guilty to a charge of conspiracy for hiring someone to help him gain unauthorized access to email accounts for one of his cases. Eric Saldarriaga could face up to six months in prison.
-http://www.nytimes.com/2015/03/07/business/dealbook/a-guilty-plea-in-a-hacker-for-hire-case.html


STORM CENTER TECH CORNER

Apple Security Updates
-https://support.apple.com/en-us/HT1222

Google Exploits "Rowhammer"
-http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Seagate Confirms NAS Code Execution Flaw
-http://knowledge.seagate.com/articles/en_US/FAQ/006133en?language=en_US

Cryptowall Uses .chm File To Propagate
-https://isc.sans.edu/forums/diary/Cryptowall+again/19427/

How Malware Generates Mutex Names to Evade Detection
-https://isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/

New Skype Worm
-http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/

Epicscale Litecoin Miner Included in uTorrent
-http://forum.utorrent.com/topic/95041-warning-epicscale-riskware-silently-installed-with-latest-utorrent/




The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/