
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #27

April 07, 2015


The 2015 National CyberTalent Fair (in May) will attract thousands of online attendees seeking opportunities in cybersecurity. Employers such as Deloitte, the US Army's INSCOM, United Health Group, MSSP leader Solutionary, Next Jump, Workday, and more have already signed up. Please visit
https://app.brazenconnect.com/events/SANS-cybertalent-fair for more information. It's open to any employer who has cyber vacancies or interested jobseekers. Please contact mshuftan@sans.org or visit
https://app.brazenconnect.com/events/SANS-cybertalent-fair to sign up now!
Alan

TOP OF THE NEWS

US Technology Companies Wary of Data Sharing
FAA Systems Breached in February

THE REST OF THE WEEK'S NEWS

Companies Still Vulnerable to Heartbleed
NIST Seeks Input on Draft Guidelines for Procuring Controlled Unclassified Information
Gmail Problems Due to Expired Certificate
Dyre Wolf Malware Campaign Targeting US Companies
NewPosThings Variant
Microsoft Says Do Not Track Will Not be Default Settings in Windows Express
Snapchat Transparency Report
Turkey's Widespread Power Outage Blamed on Management Errors

STORM CENTER TECH CORNER


**************************** Sponsored By HP ****************************
Think like a Bad Guy: Understanding Advanced Threats and How to Mitigate Them
In 90 percent of breaches, hackers use common, simple techniques like email and phishing to penetrate your network. But once in they employ new techniques to evade traditional defenses and spread to find and steal your most sensitive customer data or intellectual property. You need a new approach to combat today's advanced threats. Learn what HP TippingPoint has done to counter them and keep you safe. Read now: http://www.sans.org/info/176512
***************************************************************************

TRAINING UPDATE


- --Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- --SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- --Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- --SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 | 10 courses.
http://www.sans.org/u/2bh


- --SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 | 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- --SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 | 6 courses.
http://www.sans.org/u/2bG


- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

US Technology Companies Wary of Data Sharing (April 2, 2015)

Technology companies in the US are wary of sharing threat information with the federal government, according to a Department of Homeland Security (DHS) official. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate, says that her "top priority is building that trust." Technology companies are reluctant to be seen to be working too closely with the government because they want to assure their customers that their personal data are safe and their privacy protected. Schneck says that companies are more likely to warm to the idea when the government can prove the value of sharing such information to fight cyber crimes while protecting citizens' privacy.
-http://www.usatoday.com/story/news/politics/2015/04/02/phyllis-schneck-cybersecurity-technology-summit/70838226/

[Editor's Note (Murray): Part of the problem is that these companies are subject to many governments, some of which see the governed as the "threat" about which they want information. These companies do not want to be "the agency in charge of receiving service" and having to account to their customers, not to mention other governments, for how they exercise this power. Increasingly they are choosing simply to forego the power. The US government wants to make it illegal for them to forego the power, for example to offer secure communication services, but may not fully understand the implications of that. While Schneck's "top priority is building that trust," her problem is that "trust" does not even make the priority list for much of government. The Clinton, Bush, and Obama administrations have been consuming and wasting trust as though it were free and infinite. While government has not yet exhausted what trust the American people are prepared to grant, it is getting noticeably, not to say perilously, close. ]

FAA Systems Breached in February (April 6, 2015)

According to officials at the US Federal Aviation Administration (FAA), an agency network was infected with malware earlier this year. The incident was disclosed in an interim presolicitation notice for a new contract. The FAA has extended the current contractor's agreement through the end of February 2016. "Due to a recent cyber attack, the FAA requires additional planning time to determine the impact to the competitive procurement's requirements."
-http://www.nextgov.com/cybersecurity/2015/04/faa-computer-systems-hit-cyberattack-earlier-year/109384/?oref=ng-HPtopstory

-https://www.fbo.gov/index?s=opportunity&mode=form&id=c4a71161b7bae8f6a37e6020cf874863&tab=core&_cview=0



**************************** SPONSORED LINKS ******************************
1) Download the eBook: Cracking the Endpoint - Insider Tips for Endpoint Security. http://www.sans.org/info/176517

2) Detecting Breaches through Security Investigations with Platfora: Thursday, April 09 at 1:00 PM EST (17:00:00 UTC) with John Pescatore and Mustafa Rassiwala. http://www.sans.org/info/176522

3) Stop Cyber Attacks in Real Time: Modern Defense in Depth: Friday, April 10 at 1:00 PM EST (17:00:00 UTC) with John Pescatore and Wade Williamson. http://www.sans.org/info/176527
***************************************************************************

THE REST OF THE WEEK'S NEWS

Companies Still Vulnerable to Heartbleed (April 7, 2015)

According to a report from Venafi, nearly three-quarters of Global 2000 companies that have public-facing systems are vulnerable to Heartbleed. While the companies may have applied patches when they became available, patching alone does not undo any exposure that occurred while a server was vulnerable, since the bug could leak the server's private key; protecting systems from attacks that exploit the Heartbleed vulnerability therefore requires that companies revoke old SSL certificates, generate new keys, and issue new certificates.
-http://www.darkreading.com/vulnerabilities---threats/3-of-4-global-2000-companies-still-vulnerable-to-heartbleed/d/d-id/1319768?

[Editor's Note (Murray): And lots of other vulnerabilities. This simply demonstrates the limitation of our strategy of early widespread deployment, late discovery of vulnerabilities, and voluntary remediation. What part of this do you not like? ]

NIST Seeks Input on Draft Guidelines for Procuring Controlled Unclassified Information (April 6, 2015)

The US National Institute of Standards and Technology (NIST) has released the second draft of its guidelines, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." NIST is accepting comments through May 12, 2015 and expects to release the final version in June.
-http://www.scmagazine.com/nist-and-nara-collaborate-to-release-final-draft/article/407586/

-http://www.nextgov.com/big-data/2015/04/nist-refining-rules-non-federal-groups-handling-federal-data/109399/?oref=ng-channelriver

-http://csrc.nist.gov/publications/drafts/800-171/sp800_171_second_draft.pdf

Gmail Problems Due to Expired Certificate (April 6, 2015)

Because Google allowed a server's security certificate to expire, Gmail users experienced problems for several hours on April 4. Users were greeted with error messages and safety warnings when they tried to send messages through Gmail and some of the company's messaging apps. A valid certificate was reissued within hours.
-http://www.zdnet.com/article/gmail-back-up-and-running-after-weekend-of-glitches/

-http://www.bbc.com/news/technology-32194202
[Editor's Note (Pescatore): Letting customer-facing SSL certs expire is like not paying the corporate phone bill. However, usually businesses only have one telephone service provider, but often use many SSL certificate providers (including internally generated ones). There are tools from companies like Symantec, Trustwave and Venafi to find and track your SSL certs to avoid this form of business interruption. ]
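An added example, not from NewsBites, Venafi or Google, that covers both of the last two items: an inventory-style check that parses one certificate and flags it when it has lapsed or is about to (the Gmail outage), and when its validity began before Heartbleed's public disclosure on April 7, 2014, which means the key may have been exposed and the certificate should be reissued on a fresh key rather than the server merely patched. The certificates it examines are constructed in the code on throwaway keys with placeholder names; the 30-day warning window is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed was disclosed on 2014-04-07; a key that was in service before then on a
// vulnerable server may have leaked, so the cert must be reissued on a fresh key.
var heartbleedDisclosure = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)
// Finding is what an inventory check reports for one certificate.
type Finding struct {
	Expired       bool // NotAfter is already in the past (the Gmail case)
	ExpiresSoon   bool // NotAfter falls within warnDays of now
	PreHeartbleed bool // NotBefore predates the disclosure: patching alone is not enough
}

// checkCert parses one PEM certificate and evaluates it as of now.
func checkCert(pemBytes []byte, now time.Time, warnDays int) (Finding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	warnUntil := now.Add(time.Duration(warnDays) * 24 * time.Hour)
	return Finding{
		Expired:       now.After(cert.NotAfter),
		ExpiresSoon:   !now.After(cert.NotAfter) && warnUntil.After(cert.NotAfter),
		PreHeartbleed: cert.NotBefore.Before(heartbleedDisclosure),
	}, nil
}

// selfSignedPEM builds a constructed test certificate on a throwaway key with the
// requested validity window, so the check can run offline against known dates.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2015, 4, 7, 0, 0, 0, 0, time.UTC) // the date of this issue
	// Placeholder cert issued two years ago that lapses in 13 days: rotate the key and renew.
	f, err := checkCert(selfSignedPEM("mail.example.test", now.AddDate(-2, 0, 0), now.AddDate(0, 0, 13)), now, 30)
	fmt.Println(f, err) // {false true true} <nil>
}
```

Run against a real inventory, the same checkCert would take each PEM file (or the chain captured from a listener) in place of the constructed one.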

Dyre Wolf Malware Campaign Targeting US Companies (April 2, 3, & 4, 2015)

A malware campaign dubbed Dyre Wolf is targeting medium and large companies in the US. The campaign uses a Trojan called Dyre, and involves spear phishing, social engineering, and distributed denial-of-service (DDoS) attacks to distract organizations and prevent them from detecting the fraudulent wire transfers.
-http://www.theregister.co.uk/2015/04/04/dyre_wolf_malware_ibm_security/
-http://www.zdnet.com/article/dyre-wolf-attacks-your-corporate-bank-account-door/
-http://www.computerworld.com/article/2905977/enterprise-bank-accounts-targeted-in-new-malware-attack.html

-http://www.nytimes.com/reuters/2015/04/02/business/02reuters-cyberattack-ibm.html

NewPosThings Variant (April 3, 2015)

Traffic attempting to connect to the NewPosThings point-of-sale malware command and control center resolved to IP addresses linked to airports, according to Trend Micro. (Arbor Networks initially detected the malware in September 2014.) Trend Micro has detected variants that targeted 64-bit Windows systems; older versions of NewPosThings targeted 32-bit systems.
-http://www.scmagazine.com/suspicious-traffic-came-from-two-us-airports/article/407331/

-http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

Microsoft Says Do Not Track Will Not be Default Settings in Windows Express (April 3, 2015)

Microsoft will no longer have "Do Not Track" as the default setting for future versions of its browsers in Windows Express Settings. The change is being made to be sure that the setting reflects the user's choice, which is a requirement of the World Wide Web Consortium's (W3C's) privacy standard. The most recent draft of that standard says: "A tracking preference is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed."
-http://www.computerworld.com/article/2905551/microsoft-rolls-back-commitment-to-do-not-track.html

-http://www.scmagazine.com/microsoft-makes-dnt-users-choice/article/407330/
-http://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/

[Editor's Note (Pescatore): Since it is purely voluntary for web sites to honor Do Not Track preferences, the whole thing has largely been (to use a previous US Vice Presidential candidate's memorable phrase) lipstick on a pig. I suppose it is always better, though, to have the most attractive pig possible - seems pretty simple for all the browsers to have the initial browser setup phase include having the user choose a tracking preference, but all that advertising revenue seems to continually cloud this issue.
(Honan): Hmm, maybe changing the option to Do Track and leaving it unchecked would satisfy both the requirement to protect users from unwanted tracking and those of the World Wide Web Consortium's (W3C's) privacy standard? ]

Snapchat Transparency Report (April 3, 2015)

Snapchat received 403 requests for user information affecting 701 accounts from governments around the world between November 1, 2014 and February 28, 2015. In 92 percent of the requests, the company provided some data. The figures do not include National Security Requests from the US government under the Foreign Intelligence Surveillance Act, because data about those requests must be delayed at least six months.
-http://www.scmagazine.com/snapchat-discloses-government-requests/article/407347/
-https://www.snapchat.com/transparency/
[Editor's Note (Murray): And this is just one quarter for one provider. Compliance with government legal service is now a major business function. Unlike accounts receivable, it cannot be easily "outsourced." ]

Turkey's Widespread Power Outage Blamed on Management Errors (April 1 & 6, 2015)

Last week, Turkey experienced a massive power outage that lasted nearly 10 hours. While the cause was not immediately known, Turkey's Energy Minister now says that the outage was caused by management errors and that the head of the grid, which is a state-run entity, has resigned and two department heads have been suspended. The outage affected an estimated 70 million people.
-http://www.reuters.com/article/2015/04/06/turkey-power-outage-idUSL6N0X30GS20150406

-http://www.bloomberg.com/news/articles/2015-04-01/turkish-blackout-shows-world-power-grids-under-threat

[Editor's Note (Murray): The system prefers short mean time to recovery over long mean time to outage. Indeed we are so good at it that most component failures result in outages so short and limited to so few customers as to be beneath our level of notice. "As you ramble through life, brother, whatever be your goal, keep your eye upon the doughnut and not upon the hole." ]

STORM CENTER TECH CORNER

ChameleonMini RFID/NFC Emulator
-https://github.com/emsec/ChameleonMini/wiki


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/