SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #23
March 24, 2015
TOP OF THE NEWS
Patched Flash Vulnerability Now Part of Exploit Kit
Short Duration DDoS Attacks on the Rise
THE REST OF THE WEEK'S NEWS
Google Warns of Unauthorized TLS Certificates
PoSeidon Malware Stealing Payment Card Data
Swedish Teen Fined Over Breach
Hilton Honors Loyalty Club Accounts at Risk
Man Facing 16 Felony Counts Over High School Grade-Changing Scheme
New South Wales Moves to Fix Electronic Voting Vulnerability
Malvertising on the Rise
Rocket Kitten Cyber Attack Group Has New Campaign
Chinese Anti-Censorship Group Hit with DDoS Attack
Girls Hack Ireland
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec ***************************
Symantec Research: Insecurity in the Internet of Things -To find out for ourselves how IoT devices fare when it comes to security, Symantec analyzed 50 smart home devices. None of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Learn more in Symantec's latest research paper.
http://www.sans.org/info/176037
***************************************************************************
TRAINING UPDATE
- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq
- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1
- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro
- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh
- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8
- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 5 Courses: SEC401, SEC504, MGT512, MGT414 & Health Care Security Essentials
http://www.sans.org/u/2is
- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG
- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Patched Flash Vulnerability Now Part of Exploit Kit (March 20, 2015)
A vulnerability in Adobe's Flash Player that was patched on March 12 has already been added to an exploit kit. Exploits for known flaws are appearing in such malware kits more and more quickly, pointing to a smaller and smaller window of time in which users need to patch systems.
-http://www.scmagazine.com/recently-patched-adobe-flash-bug-added-to-nuclear-exploit-kit/article/404710/
-http://www.computerworld.com/article/2899702/new-attacks-suggest-timeline-for-patching-flash-player-is-shrinking.html
[Editor's Note (Paller): One of the great overstatements of cybersecurity is the near daily news from software vendors that they have "fixed the problem" by publishing an update in which a vulnerability is patched. Their issuing a patch in no way guarantees that their users are safer. Large percentages of users never install patches. Blaming the users is foolhardy. As the physical and executive damage (at Sony, for example) from cyber attacks mount, software vendors will need to take a far more active role in ensuring their users are protected or take on the economic liability they are causing for their users. ]
Short Duration DDoS Attacks on the Rise (March 23, 2015)
According to Corero's DDoS Trends and Analysis quarterly report, distributed denial-of-service (DDoS) attacks with short durations and lower bandwidth are becoming more prevalent. The attacks are likely being used as a distraction while conducting other sorts of attacks, or as probes to gauge an organization's response to such an incident.
-http://www.darkreading.com/perimeter/when-ddos-isnt-all-about-massive-disruption/d/d-id/1319581?
-http://www.eweek.com/security/short-duration-ddos-attacks-becoming-more-popular.html
[Editor's Note (Henry): This has been a trend in recent years...DDOS to obfuscate other malicious activity, distract first responders, and tie up valuable resources. It is the digital equivalent of calling 911 and screaming "a police officer has been shot" on one side of the city, while robbing a bank on the other. As the cops race across town, the thieves have a relatively easy getaway.
(Murray): As we move from criminal activity to state sponsored, we should expect to see coordinated attacks.
(Honan): Most organisations by default now have spam filters on their email services; it is now past time when organisations should similarly have DDOS protection on their key Internet services by default. ]
**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know: http://www.sans.org/info/176042
2) Defending against advanced targeted threats with the SANS Critical Controls Thursday, March 26 at 11:00 AM EST (15:00:00 UTC) with Andrew Avanessian and John Pescatore. http://www.sans.org/info/176047
3) Analyst Webcast: Enabling Enterprise Mobility With Security From The Ground Up Tuesday, March 31 at 1:00 PM EDT (17:00:00 UTC) with Lee Neely and Cheryl Tang. http://www.sans.org/info/176052
***************************************************************************
THE REST OF THE WEEK'S NEWS
Google Warns of Unauthorized TLS Certificates (March 23, 2015)
Google has issued a warning that unauthorized digital certificates were issued for some of its domains. The phony TLS (transport layer security) certificates were issued by an intermediate certificate authority operating under the China Internet Network Information Center.
-http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/
PoSeidon Malware Stealing Payment Card Data (March 23, 2015)
Malware dubbed PoSeidon targets point-of-sale systems. It scans RAM of infected devices for unencrypted strings that look like payment card data, a technique known as memory-scraping. Unlike other malware that targets these systems, PoSeidon communicates directly with exfiltration servers. It takes steps to evade detection and is "self-updateable."
-http://www.computerworld.com/article/2900310/new-malware-program-poseidon-targets-pointofsale-systems.html
-http://www.darkreading.com/will-poseidon-preempt-blackpos/d/d-id/1319585?
-http://www.scmagazine.com/poseidon-point-of-sale-malware-targets-payment-card-information/article/404968/
-http://blogs.cisco.com/security/talos/POSeidon
Swedish Teen Fined Over Breach (March 23, 2015)
The Swedish municipality of Umea is seeking SEK 500,000 (US $58,700) from a teenager who broke into Umea's municipal system and caused damage. The young man claims he accessed the system to demonstrate vulnerabilities. He was sentenced to 35 hours of community service.
-http://www.theregister.co.uk/2015/03/23/swedish_city_demands_40000_to_clean_up_teenage_hacking/
Hilton Honors Loyalty Club Accounts at Risk (March 23, 2015)
A flaw in the way the Hilton Honors loyalty club is managed online puts all user accounts at risk of being taken over with a cross-site request forgery attack. Once logged into one Hilton Honors account, attackers could take control of other accounts using only their account numbers. The issue puts email and home addresses, trip information, and reward points at risk of exposure and theft. The flaw was discovered when Hilton recently offered to give customers 1,000 free points if they changed their online passwords prior to April 1, 2015, when the change would become mandatory. The system did not require users to enter their current passwords when choosing new ones.
-http://krebsonsecurity.com/2015/03/hilton-honors-flaw-exposed-all-accounts/
[Editor's note (Northcutt): Hmmm, I didn't get a note from Hilton. I learned about this from the NewsBites draft. I have already visited the site and have to give them kudos for having a readable CAPTCHA; I hate it when I fail Turing tests. The My Account interface is fairly straightforward. I was a bit surprised to see they allow 8 character passwords:
-http://deloitte.wsj.com/riskandcompliance/2013/07/19/the-8-character-password-is-no-longer-secure/
(Liston): This doesn't sound as much like a CSRF problem as an Insecure Direct Object Reference issue. Based on Krebs description, the attack doesn't seem to require any action by a user with an authenticated session. ]
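The two weaknesses the Hilton item describes (a password-change handler that accepts any caller-supplied account number, and one that does not ask for the current password) are easy to model. The following is an added example, not code from the newsletter or from Hilton: a toy account store with the weak handler beside a hardened one that takes the account only from the authenticated session and requires re-entry of the current password. Account numbers, passwords and the 12-character minimum length are constructed assumptions of this example.

```python
# Added example (not from the newsletter or from Hilton): a minimal model of the
# account-takeover weakness described above, beside a hardened handler.
# All account numbers and passwords below are constructed sample data.
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is kept low only to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    def __init__(self, number: str, password: str):
        self.number = number
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison so timing does not leak how much of the hash matched.
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)


def make_accounts() -> dict:
    """Constructed sample data: a victim's account and an attacker's own account."""
    return {
        "100000001": Account("100000001", "victim-original-pw"),
        "100000002": Account("100000002", "attacker-own-pw"),
    }


def weak_change_password(accounts, session_account, target_number, new_password) -> bool:
    """Models the reported flaw: any logged-in caller may name any account number
    (an insecure direct object reference) and no current password is required."""
    target = accounts.get(target_number)
    if target is None:
        return False
    target.set_password(new_password)
    return True


def hardened_change_password(accounts, session_account, current_password, new_password) -> bool:
    """Hardened handler: the account to change comes from the authenticated session
    only (no caller-supplied account number), and the current password must be
    re-entered before a new one is accepted."""
    target = accounts[session_account]
    if not target.check_password(current_password):
        return False
    if len(new_password) < 12:  # minimum length is an assumption of this example
        return False
    target.set_password(new_password)
    return True


def demo() -> dict:
    """Runs both handlers against the sample accounts and returns the outcomes."""
    attacker, victim = "100000002", "100000001"

    # Weak handler: the attacker's own session is enough to reset the victim's password.
    weak = make_accounts()
    weak_ok = weak_change_password(weak, attacker, victim, "attacker-chosen-pw")
    weak_login = weak[victim].check_password("attacker-chosen-pw")

    # Hardened handler: the attacker's session can only reach the attacker's own
    # account, and without the correct current password nothing changes.
    hardened = make_accounts()
    guess = hardened_change_password(hardened, attacker, "wrong-guess", "attacker-chosen-pw")
    victim_intact = hardened[victim].check_password("victim-original-pw")
    legit = hardened_change_password(hardened, victim, "victim-original-pw", "victim-new-password")

    return {
        "weak_takeover": weak_ok and weak_login,
        "hardened_guess": guess,
        "victim_intact": victim_intact,
        "legit_change": legit,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler addresses the object-reference problem Liston raises by never letting the request name the account; a real deployment would also protect the form with a per-session CSRF token so that a forged cross-site POST cannot reuse the victim's own session.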
Man Facing 16 Felony Counts Over High School Grade-Changing Scheme (March 20 & 22, 2015)
Timothy Lance Lai, who allegedly broke into the network of a California high school and changed students' grades, is now facing felony charges of computer access and fraud for his alleged role in a keylogging ring at the high school that saw 11 students expelled. Lai could face up to 16 years in prison. He was arrested in October 2014.
-http://arstechnica.com/tech-policy/2015/03/former-tutor-charged-with-16-new-felony-counts-in-alleged-keylogging-scheme/
-http://www.ocregister.com/articles/lai-654957-felony-school.html
New South Wales Moves to Fix Electronic Voting Vulnerability (March 22 & 23, 2015)
The New South Wales (Australia) Electoral Commission is taking steps to fix a vulnerability in the electronic voting system they use that could put voters at risk of having their ballots manipulated. iVote was initially put in place for voters whose vision is impaired or who live in remote rural areas, but its use is being expanded. Researchers found that the voting website used JavaScript from an external server to track visitors, which left the site vulnerable to attacks. That issue has been fixed.
-http://www.canberratimes.com.au/act-news/international-experts-warns-of-the-risks-of-australian-online-voting-tools-20150323-1m4rah.html
-http://www.zdnet.com/article/nsw-electoral-commission-scrambles-to-patch-ivote-flaw/
-http://www.theregister.co.uk/2015/03/22/ivote_hack/
[Editor's Note (Liston): Wow. Just wow. You're designing a *voting* website and it never occurs to you that including a remote script might be a security issue. Sheesh... Kids nowadays...
(Murray): Most election fraud has been in the tabulating and reporting steps, rather than in the recording steps. Online voting can be at least as safe as mail voting or online banking. However, politicians and the media have succeeded in making us so afraid of "voter fraud" that we are unlikely to ever use it in the US. ]
Malvertising on the Rise (March 22, 2015)
Malvertising is more insidious than some other forms of attacks because it situates itself within web pages, piggybacking on advertising that targets users. It does not generally require user interaction to infect computers, and does not exploit vulnerabilities in websites or browsers beyond the fact that "the ad ecosystem has fundamental flaws."
-http://www.eweek.com/security/why-malvertising-has-become-a-pervasive-security-risk.html
Rocket Kitten Cyber Attack Group Has New Campaign (March 20, 2015)
A group known as Rocket Kitten and believed to be responsible for attacks on systems belonging to organizations in Europe and Israel has launched a new campaign. The older campaign, known as GHOLE, required user interaction to infect machines. The new campaign, called Operation Woolen-Goldfish, is more sophisticated, and appears to be focused on stealing intellectual property using a keystroke logger.
-http://www.scmagazine.com/targets-in-rocket-kitten-campaign-indicate-state-sponsorship/article/404689/
-https://isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123
-http://www.theregister.co.uk/2015/03/20/rocket_kitten_apt_hackers_israel_defence_it/
[Editor's Note (Murray): Professionals keep their heads down. They certainly do not boast. Amateurs damage the brand; professionals bring down businesses and governments. ]
Chinese Anti-Censorship Group Hit with DDoS Attack (March 20, 2015)
A group of anonymous activists that monitor online censorship in China has come under attack. GreatFire.org, which offers access to sites blocked in China and to messages that censors there have deleted, was hit with a massive distributed denial-of-service (DDoS) attack. Reuters also reported being blocked in China last week.
-http://sinosphere.blogs.nytimes.com/2015/03/20/hackers-attack-greatfire-org-a-workaround-for-websites-censored-in-china/
Girls Hack Ireland (March 20 & 23, 2015)
On March 21, nearly 100 teenage girls participated in the Girls Hack Ireland event where they learned how to manipulate web pages and build websites. The event is part of a broad effort to address gender imbalance in STEM.
-http://www.siliconrepublic.com/careers/item/41275-wit2015/
-http://www.siliconrepublic.com/innovation/item/41256-wit2015/
[Editor's Note (Honan): This is an excellent initiative to encourage young people into the industry. Another similarly excellent movement is the Coderdojo open source network to teach children and teenagers how to code and be competent with computers and the Internet.
(Paller): This program is good, but many girls do not have the basic networking and sysadmin skills to master hacking. However an important recent discovery about cyberskills is that people who are programmers often make the best high-end cyberthreat analysts, and take on advanced forensics adversary interdiction roles. Since women have a much higher participation rate in programming classes than in networking or sysadmin classes, great programming skill, followed by programs like the Women's Cyber Skills Academy (an emerging partnership between SANS and the Aspirations in Computing program of NCWIT to add the key security elements to their knowledge) is a direct path for women to leap ahead to the higher paid jobs in cybersecurity. ]
STORM CENTER TECH CORNER
Cisco IP Phones Vulnerable To Eavesdropping
-http://tools.cisco.com/security/center/viewAlert.x?alertId=37946
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl
Dell System Detect RCE Vulnerability
-http://tomforb.es/dell-system-detect-rce-vulnerability
Slides for BIOS Exploit Talk now Online
-http://legbacore.com/Research_files/HowManyMillionBIOSWouldYouLikeToInfect_Full2
VirtualBox Host->Guest Memory Leak
-https://hsmr.cc/palinopsia/
Cansec West: Pwn2Own demonstrates vulnerabilities in all tested browsers
-http://www.theregister.co.uk/2015/03/21/thats_cloud_security_up_the_spout_all_browsers_pwned_in_minutes/
Cansec West: BIOS Attacks
-https://threatpost.com/new-bios-implant-vulnerability-discovery-tool-to-debut-at-cansecwest/111710
Apple Removes "Anti Virus" Software From Appstore
-http://www.macrumors.com/2015/03/19/apple-removing-anti-virus-apps-from-app-store/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/