SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #25

March 31, 2015

TOP OF THE NEWS

DDoS Attack on GitHub Targets Tools That Help Circumvent China's Great Firewall
U.S. Secretary of Defense Considers Paying Student Loans and Other Incentives for Improved Cyber Talent
Citigroup Report Warns Banks About Law Firm Breaches

THE REST OF THE WEEK'S NEWS

Documents Obtained Through FOIA Fail to Clarify Government's Zero-Day Policy
Penetration Testing Guidance for Payment Card Industry
British Airways Frequent Flyer Accounts Compromised
Two New Jersey Universities Facing Cyber Attacks
Virginia Governor Alters License Plate Reader Data Retention Bill
Army Security Awareness Message Addresses Online Security Issues
Australian Telecom Optus Will Undergo Audit in Wake of Security and Privacy Problems
Power Grid Security Concerns
Lack of Consensus on What Constitutes a Cyber Incident Can Omit Important Data

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Symantec *****************************
Symantec Research: Twitter Spam Methods - A single spam operator has used hundreds of thousands of Twitter accounts in a large spam operation over the past year. This paper takes a look inside a Twitter spam operation, breaking down its mechanics and explaining the tactics used to maintain persistence on the service.
http://www.sans.org/info/176222
***************************************************************************

TRAINING UPDATE


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 5 Courses: SEC401, SEC504, MGT512, MGT414 & Health Care Security Essentials
http://www.sans.org/u/2is


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

DDoS Attack on GitHub Targets Tools That Help Circumvent China's Great Firewall (March 27, 29, & 30, 2015)

Public code repository GitHub is working to stave off the largest distributed denial-of-service (DDoS) attack it has ever experienced. The attack targets two projects aimed at helping people in China circumvent that country's Internet censorship.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/27/someone-hijacked-th
e-google-of-china-to-attack-anti-censorship-tools/
-http://www.eweek.com/security/github-under-sustained-ddos-attack.html
-http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_
firewall/
-http://www.zdnet.com/article/github-suffers-largest-ddos-attack-in-sites-history
/
-http://arstechnica.com/security/2015/03/github-battles-largest-ddos-in-sites-his
tory-targeted-at-anti-censorship-tools/
-http://www.computerworld.com/article/2903318/github-recovering-from-massive-ddos
-attacks.html
-http://insight-labs.org/?p=1682
">
-http://insight-labs.org/?p=1682

[Editor's Note (Ullrich): This is a very scary attack, and probably best explained not by the news articles cited here, but by a blog post with technical details about the attack:
-http://insight-labs.org/?p=1682
">
-http://insight-labs.org/?p=1682

. We have seen past "misconfigurations" in the Chinese Firewall that led to random hosts receiving large amounts of traffic from users inside China. If you are not conducting business in China, then these requests are relatively easy to block. This attack against github however appears to use the Chinese Firewall to intentionally alter content to turn users outside China in a large "botnet" attacking a site whose content is inconvenient to China. Blocking this attack is much more difficult as the requests will originate from hosts outside of China, and they will come from regular users not aware that they where exposed to malicious Javascript. This Javascript is not to be confused with more persistent malware, and will not be detected by standard anti-malware software as it does use normal Javascript functionality. This attack is similar to "Low Orbit Ion Canon" in that it uses simple JavaScript code to turn normal browsers against a site. ]

U.S. Secretary of Defense Considers Paying Student Loans and Other Incentives for Improved Cyber Talent (March 30, 2015)

Saying the military needs to do more to compete with corporate America for quality recruits, Defense Secretary Ash Carter opened the door Monday to relaxing some enlistment standards - particularly for high-tech or cybersecurity jobs. Ideas under consideration include paying off student loans in order to recruit greater cyber talent.
-http://bigstory.ap.org/article/48643bf7477d44fe833286c057bae99a/pentagon-chief-m
ay-ease-military-enlistment-standards

Citigroup Report Warns Banks About Law Firm Breaches (March 26, 2015)

An internal report from Citigroup's cyber intelligence center issued last month warns banks to be aware that large law firms are likely targets of foreign governments seeking intellectual property and information about business deals. The legal industry does not have breach reporting requirements, which makes it "not possible to determine whether cyberattacks against law firms are on the rise." Banks are starting to ask more of law firms, especially about their cyber security measures, before putting them on retainer. Citigroup has recently distanced itself from the report, saying that "the analysis relied on and cited previously published reports. We have apologized to several parties mentioned for not giving them an opportunity to respond prior to publication..."
-http://www.nytimes.com/2015/03/27/business/dealbook/citigroup-report-chides-law-
firms-for-silence-on-hackings.html

---

**************************** SPONSORED LINKS ******************************
1) In case you missed it! How SANS Critical Security Controls Lead to PCI DSS Quick Wins - with John Pescatore and Chris Strand. They discuss how to simultaneously address SANS best practices and PCI DSS requirements, leading to a compliant and more secure position. http://www.sans.org/info/176087

2) ICS Security Survey: Help SANS Assess Security Trends -- Enter to Win a $400 Amazon Gift Card. http://www.sans.org/info/176227

3) SANS 2015 Financial Sector Security Survey. Results webcast on June 23. http://www.sans.org/info/176232
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Documents Obtained Through FOIA Fail to Clarify Government's Zero-Day Policy (March 30, 2015)

According to documents the Electronic Frontier Foundation (EFF) obtained through a Freedom of Information Act (FOIA) lawsuit, the US government began to consider a policy for zero-day vulnerabilities between 2008 and 2010. While the documents shed some light on the development of a policy and why the government felt it needed one, they do not support the government's claim that it discloses most of the vulnerabilities it discovers instead of hoarding them.
-http://www.wired.com/2015/03/us-used-zero-day-exploits-policies/
-http://www.scmagazine.com/electronic-frontier-foundation-obtains-zero-day-docume
nts/article/406230/
-https://www.eff.org/deeplinks/2015/03/government-says-it-has-policy-disclosing-z
ero-days-where-are-documents-prove-it

Penetration Testing Guidance for Payment Card Industry (March 26 & 30, 2015)

The Payment Card Industry (PCI) Standards Security Council has published updated guidance for merchants to use when conducting penetration tests on their payment card systems. Included in the publication are best practices for penetration testing components, penetration tester qualifications, and methodology and reporting. This is an update to the last version of PCI guidance, which was published in 2008.
-http://www.scmagazine.com/pci-council-updates-penetration-testing-guidance-for-m
erchants/article/405963/
-http://www.darkreading.com/risk/pci-council-publishes-guidance-on-penetration-te
sting/d/d-id/1319646
-https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_Marc
h_2015.pdf
[Editor's Note (Murray): "Social Engineering," specifically bait messages, is the "penetration" method of choice against payment and other systems. It is the method of first choice because it is efficient. It is the method of last choice because it works when all else fails. We do not need "penetration testing" to tell us that or to tell us that that will continue to be the case at least until we use strong authentication and end-to-end (client to application) encryption. Are you hopeful?
(Honan): Having dealt with clients who confuse what a penetration test and a vulnerability test is, or even what they need from a test, I see this as a welcome move. It provides those requiring penetration tests with some good references for them to get a better understanding of what their own requirements are before engaging with any security services firm. A better educated customer makes for a more secure customer. Even if PCI-DSS does not apply to your organisation I recommend that you read this guidance document. ]

British Airways Frequent Flyer Accounts Compromised (March 29 & 30, 2015)

British Airways (BA) has acknowledged that an attack compromised thousands of frequent flyer accounts. BA says it does not believe that personal information was compromised. However, customers are reporting that their frequent flyer reward points, known as Avios, have disappeared and some users say they have been locked out of their accounts. BA has frozen accounts while it sorts out the problem. BA said the attack was launched using data found elsewhere on the Internet and used in an automated process, and was not a direct attack on BA's network.
-http://www.zdnet.com/article/british-airways-confirms-frequent-flyer-hack/
-http://www.v3.co.uk/v3-uk/news/2401971/british-airways-admits-frequent-flyer-acc
ount-hack
-http://www.computerworld.com/article/2903188/british-airways-notifies-frequent-f
lyers-of-possible-breach-of-their-accounts.html
-http://www.theregister.co.uk/2015/03/29/british_airways_frequent_flyers_hacked/
[Editor's Note (Honan): Many point to users using insecure passwords or re-using passwords across multiple systems as being the root of this problem. That is only one issue. Signing up for a frequent flyer account with British Airways forces you to use only alphanumeric characters, the site does not support the use special characters
-http://www.csoonline.com/article/2903937/data-breach/british-airways-frequent-fl
yer-program-grounded.html
Companies need to do better in protecting customers data, and indeed protecting their customers from themselves, by employing more rigorous online authentication mechanisms. ]

Two New Jersey Universities Facing Cyber Attacks (March 31, 2015)

Both Rutgers and Fairleigh Dickenson have experienced debilitating denial of service attacks.
-http://www.nj.com/middlesex/index.ssf/2015/03/cyber_attacks_hit_fairleigh_dickin
son_rutgers_work.html

Virginia Governor Alters License Plate Reader Data Retention Bill (March 27 & 30, 2015)

Virginia's governor amended the length of time that license plate reader data may be held without being part of an active criminal investigation from seven days to 60 in a bill submitted for his signature from the state legislature. He also altered language that was aimed to limit future surveillance technology, and limited the bill's purview to license plate readers. Because of the governor's amendments, the bill now goes back to the General Assembly. The bill has broad bipartisan support in the state legislature as originally drafted.
-http://arstechnica.com/tech-policy/2015/03/governor-ups-license-plate-data-reten
tion-to-60-days-from-seven/
-http://www.washingtonpost.com/news/local/wp/2015/03/27/va-gov-mcauliffe-amends-l
icense-plate-reader-bill-angers-legislators/

Army Security Awareness Message Addresses Online Security Issues (March 28, 2015)

The US Army has issued a security awareness message urging its troops and their families to take steps to protect themselves from extremist attacks. The advice includes being careful about what they post to Twitter, Facebook, and other social media and refraining from including any geolocation data in posts. The message also lists physical security tips, including installing heavy-duty locks and doors and using window security systems.
-http://www.washingtontimes.com/news/2015/mar/28/army-issues-troops-safety-instru
ctions-following-i/
-http://thehill.com/blogs/blog-briefing-room/news/237299-army-instructs-troops-to
-take-precautions-online-report
[Editor's note (Northcutt): Bravo US Army! And combining physical security with cyber security makes all the sense in the world. The bad news is that you can't get where you need to be with just a mail message. There has to be some testing as well. SANS tests its employees monthly and we have yearly training based on the Securing The Human, (selected topics). When I was in the Navy, we received a monthly safety mishap summary. Sometimes you felt guilty laughing about the misfortune of a fellow sailor, but to this day, I will never extend past my frame on a ladder, or do electrical work without knowing someone is watching the power panel so it does not get turned back on:
-http://www.securingthehuman.org
-http://www.public.navy.mil/comnavsafecen/pages/funnies/funnies.aspx]

Australian Telecom Optus Will Undergo Audit in Wake of Security and Privacy Problems (March 27, 2015)

Australian telecommunications company Optus will not pay a fine for a series of security and privacy incidents over the past seven years. The incidents include a coding error that resulted in 122,000 private phone numbers being published in the phone book; a failure to put password protection on certain voicemail accounts that affected 100,000 customers; and sending out modems with exposed management ports and default access credential enabled. Optus avoided a fine because it reported the issues voluntarily, according to the Australian Privacy Commissioner. Instead, Optus has agreed to submit to a third-party audit of its information security practices and to implement recommendations made in that process.
-http://www.theregister.co.uk/2015/03/27/optus_must_hire_checkbox_champion_after_
epic_router_voicemail_borking/
-http://www.computerworld.com.au/article/571422/optus-review-information-security
-after-privacy-snafu/
-http://www.theaustralian.com.au/business/latest/optus-admits-to-huge-privacy-bre
aches/story-e6frg90f-1227281206349

Power Grid Security Concerns (March 24, 2015)

According to an analysis of federal energy records, the US power grid is the target of a cyber or physical attack about every four days. So far, none of the attacks has caused a cascading outage like the one that hit the Northeast in 2003, but the fact that the grid is interdependent means that such a risk exists. A physical attack on a California plant in April 2013 has been called a "game changer" because of its sophistication and severity. Attackers there cut underground fiber-optic lines and used guns to shoot substation transformers. The incident made the industry reevaluate what needs to be done to protect critical facilities, and FERC directed the industry to create new rules for physical security.
-http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-atta
cks-concern-security-experts/24892471/
[Editor's Note (Murray): The power grid is designed to be vulnerable to "cascading failures." This is how it maintains continuous service in the face of inevitable component failures. While the resilience of the system is continually improving, there will always be an upper bound to the number of simultaneous component failures that the system can tolerate. When that threshold is crossed, apparently about once a generation, the system is designed to shut down in an orderly and non-destructive manner. These successful shutdowns enable the system to resume normal service in hours to tens of hours. Such successful shutdowns will continue to be described by politicians and the media as "failures." The designers and operators of the network will continue to think of them as "power grid security." ]

Lack of Consensus on What Constitutes a Cyber Incident Can Omit Important Data (March 23, 2015)

The US Department of Homeland Security (DHS) says critical sectors of the US economy suffered 245 cyber incidents last year, but experts say the actual number is likely to be much higher. The issue lies in what criteria must be present for an attack to be deemed a cyber incident. Non-malicious events can also provide important data. Some serious incidents were due to SCADA failure, but were not results of attacks.
-http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlo
oked-in-America-s-most-critical-sectors
[Editor's Note (Honan): The European Network and Information Security Agency (ENISA) issued a whitepaper in 2013 titled "Can we learn from SCADA security incidents?"
-https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructu
re-and-services/scada-industrial-control-systems/can-we-learn-from-scada-securit
y-incidents]

---

STORM CENTER TECH CORNER

YARA Rules For Shellcode
-https://isc.sans.edu/forums/diary/YARA+Rules+For+Shellcode/19527/

Converting PCAPs into XML and SQLite
-https://isc.sans.edu/forums/diary/Select+Star+from+PCAP+Treating+Packet+Captures
+as+Databases/19529/

G20 Data Sent to Wrong Email Address
-http://www.theguardian.com/world/2015/mar/30/personal-details-of-world-leaders-a
ccidentally-revealed-by-g20-organisers?CMP=share_btn_tw

FBI Agents Take Silk Road Bitcoins
-http://www.theguardian.com/technology/2015/mar/30/silk-road-agents-accused-fraud

Malicious XML with Nested ("Matryoshka") Encodings
-https://isc.sans.edu/forums/diary/Malicious+XML+Matryoshka+Edition/19521/

Prisoner Sends Fake Release E-Mail to Prison
-http://www.bbc.com/news/uk-england-london-32095189

Filtering Traffic on NIC
-https://github.com/FastVPSEestiOu/fastnetmon/wiki/Traffic-filtration-using-NIC-c
apabilities-on-wire-speed-(10GE,-14Mpps)

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/