SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #31

April 21, 2015

TOP OF THE NEWS

US Government Lagging in Cyber Workforce
Bill Would Exempt Researchers from Prosecution Under DMCA
Robbery Case Dropped to Protect Stingray Use Information

THE REST OF THE WEEK'S NEWS

Cook County, Illinois Subpoenas Suggest Misunderstanding of Tor
Russian Doll Campaign Targeting Foreign Governments
'Researcher' Who Tweeted Joke About Plane Security Barred From United Flight
IBM's Threat Intelligence Sharing Platform
Pawn Storm APT
US Naval Academy Wins NSA Cyber Defense Competition
HSBC Customer Data Compromised
US Army Wants Another Year of Support for Windows XP

SANS WEBCAST - MICROSOFT MS15-034 PATCH AND HTTP.SYS VULNERABILITY

SANS Webcast - Microsoft MS15-034 Patch and HTTP.sys vulnerability

STORM CENTER TECH CORNER


TRAINING UPDATE


- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 | 10 courses.
http://www.sans.org/u/2bh


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 | 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 | 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

US Government Lagging in Cyber Workforce (April 14, 2015)

According to a report from the Partnership for Public Service, the US government faces several obstacles to establishing a strong cyber workforce capable of defending the country's systems from attacks. Among the factors hindering the government's ability to build a strong cyber force are "rigid hiring processes" and salaries that fall short of those offered in the private sector.
-http://www.washingtonpost.com/blogs/federal-eye/wp/2015/04/14/federal-cyber-workforce-woefully-inadequate-report-says/

[Editor's Note (Pescatore): When I graduated college, NSA needed electrical engineers and couldn't compete with private industry, and they offered a "skills premium" bonus of about 20% over the standard GS-7 salary back then. Definitely makes sense to do something like that now for security skills, but I think the government should really join industry in working to make the security talent pool larger.
(Paller): As long as the skills pipeline continues to be too small, government skills premiums will be ineffective as well. People with great skills want to work for people from whom they can learn, and the concentration in government of highly skilled cyber technologists is too thin (other than at 4 or 5 sites) to be competitive for the good technical people even if salaries go up. A promising development is emerging in the military, where the Army and Air Force have found a way to grow the pool at scale. The breakthrough is their combination of talent assessments, to determine which of their recruits have the technical aptitude/skills and personality to do well, with intensive 2-4 month training. They are getting good people out of their programs and it scales. ]

Bill Would Exempt Researchers from Prosecution Under DMCA (April 16 and 17, 2015)

US legislators in both houses have introduced a bill that would protect security researchers from prosecution under the Digital Millennium Copyright Act (DMCA), which prohibits circumvention of digital protection on copyrighted works. "The Breaking Down Barriers to Innovation Act makes sensible reforms to an antiquated law, reforms that will benefit journalism, research, privacy rights, and freedom of expression."
-http://thehill.com/policy/cybersecurity/239235-bill-would-protect-security-research-hacking

-http://www.wyden.senate.gov/news/press-releases/wyden-polis-introduce-breaking-down-barriers-to-innovation-act-to-modernize-outdated-copyright-laws

[Editor's Note (Pescatore): The proposed language seems like it addresses the silliest parts of the way the DMCA can be interpreted. Even after this change, it's probably still *not* a good idea to tweet airplane hacking jokes while on a plane using airline WiFi... ]

Robbery Case Dropped to Protect Stingray Use Information (April 20 and 21, 2015)

Prosecutors in Missouri have dropped a criminal case against three suspects who allegedly robbed seven people, at least one of whom was injured, rather than disclose information about law enforcement's use of cell-site simulator technology, often referred to as a stingray. The news of the decision came one day before police were scheduled to testify about how they obtained information from the suspects' mobile phones.
-http://arstechnica.com/tech-policy/2015/04/prosecutors-drop-robbery-case-to-preserve-stingray-secrecy-in-st-louis/

-http://www.theregister.co.uk/2015/04/21/st_louis_stingray/
[Editor's Note (Pescatore): This points out why "threat information sharing" tends to result in not so much information being shared *from* the government, only the other way around. Fears of compromised sources and methods to watch the next bad guys conflict with useful action to help a company stop the current bad guys.
(Northcutt): The sixty thousand dollar question is why. Law enforcement may have entered into a legal agreement with their provider that does not allow them to reveal data; note the second link below. Needless to say, this may not be in the taxpaying public's best interest:
-http://www.nytimes.com/2015/03/16/business/a-police-gadget-tracks-phones-shhh-its-secret.html?_r=0

-http://www.businessinsider.com/stingray-phone-tracker-used-by-police-2015-3
-http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/
]



THE REST OF THE WEEK'S NEWS

Cook County, Illinois Subpoenas Suggest Misunderstanding of Tor (April 20, 2015)

Cook County, Illinois has subpoenaed a Romanian security company, demanding the "real IP address" of whoever accessed Cook County systems through one of its Tor exit nodes. The company, Alistar Security, runs Tor exit nodes; exit node operators do not know the originating addresses of the traffic that passes through them.
-http://www.computerworld.com/article/2912234/cook-county-subpoenas-romanian-security-firm-a-tor-exit-node-operator-for-real-ip.html

Russian Doll Campaign Targeting Foreign Governments (April 19 and 20, 2015)

A group of cyber attackers with apparent links to Russia has been exploiting known vulnerabilities in Windows and Flash to seek out information about other governments, militaries, and security organizations. The group is known as APT28 and the attack has been dubbed Operation Russian Doll. Adobe has released a fix for the Flash vulnerability; Microsoft is working on a fix for the Windows flaw. FireEye detected the group's most recent campaign, which began on April 13.
-http://www.theregister.co.uk/2015/04/20/russian_cyberspies_two_zero_days/
-http://www.zdnet.com/article/russian-hackers-exploit-flash-windows-flaws-to-spy-on-diplomat-targets/

-http://www.v3.co.uk/v3-uk/news/2404780/russiandoll-hackers-caught-exploiting-adobe-and-windows-zero-days

-http://www.cnet.com/news/russian-hacking-group-reportedly-exploited-flash-windows/

-http://www.computerworld.com/article/2911932/russian-hackers-use-flash-windows-zero-day-flaws-in-latest-attack.html

-http://www.bloomberg.com/news/articles/2015-04-18/russian-hackers-use-zero-days-in-attempt-to-get-sanctions-data

-https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html

'Researcher' Who Tweeted Joke About Plane Security Barred From United Flight (April 19 and 20, 2015)

A 'researcher' who tweeted a joke about airline communications system security during a United Airlines flight was detained by the FBI for several hours after that flight landed. Three days later, Chris Roberts was prevented from boarding a United flight from Denver to San Francisco.
-http://www.zdnet.com/article/jokes-hackers-and-airline-safety/
-http://www.v3.co.uk/v3-uk/news/2404811/security-researcher-thrown-off-flight-after-hack-threats-on-twitter

-http://arstechnica.com/security/2015/04/researcher-who-joked-about-hacking-a-jet-plane-barred-from-united-flight/

-http://www.cnet.com/news/twitter-joking-security-expert-prevented-from-getting-on-another-united-flight-lawyer-says/

IBM's Threat Intelligence Sharing Platform (April 16 and 20, 2015)

IBM has launched a threat intelligence sharing platform called IBM X-Force Exchange. The cloud-based exchange, which is being touted as a social network for security analysts, will offer 700 terabytes of data at no cost.
-http://www.scmagazine.com/ibm-launches-x-force-exchange/article/409774/
-http://www.cio.com/article/2911173/ibm-opens-up-its-threat-data-as-part-of-new-security-intelligence-sharing-platform.html

[Editor's Note (Murray): As if it were needed, more evidence that one does not need immunity from liability in order to share "threat" intelligence. ]

Pawn Storm APT (April 17, 2015)

A group responsible for an advanced persistent threat (APT) scheme known as Pawn Storm has targeted members of the US military, embassies, defense contractors, and more recently, NATO members and White House employees. The perpetrators of Pawn Storm have been active since at least 2007. The scheme's goal appears to be economic and political espionage.
-http://www.computerworld.com/article/2911499/pawn-storm-cyberspy-group-targets-nato-other-govt-agencies.html

-http://www.darkreading.com/vulnerabilities---threats/apt-group-pawn-storm-ratchets-up-attacks/d/d-id/1320019

US Naval Academy Wins NSA Cyber Defense Competition (April 17, 2015)

A team from the US Naval Academy took top honors in the NSA's 15th Annual Cyber Defense Exercise (CDX). Participating teams from the service academies defended networks they had created against attacks from the NSA red cell. Scoring was based on the integrity and confidentiality of data and availability of services.
-http://www.federalnewsradio.com/412/3841248/Naval-Academy-takes-trophy-at-CDX-2015

HSBC Customer Data Compromised (April 17, 2015)

HSBC Finance Corporation has acknowledged that a breach late last year compromised mortgage account data belonging to an unspecified number of customers. The information remained exposed for several months until the issue was detected in late March 2015.
-http://www.scmagazineuk.com/accidental-breach-left-hsbc-customer-data-exposed-for-three-months/article/409653/

US Army Wants Another Year of Support for Windows XP (April 13, 2015)

The US Army has issued a request for information "seeking sources of continued support for Windows XP." When Microsoft ended support of XP last April, the company offered a custom support service that cost US $200 for each device running the retired operating system. The price was expected to double for the following year, and the Army is ending its support contract with Microsoft. The Army is migrating its computers to more current operating systems, but still has about 8,000 devices running Windows XP.
-http://gcn.com/articles/2015/04/13/army-xp-support.aspx
-https://www.fbo.gov/?s=opportunity&mode=form&id=e8a940808d83864f174aab85e45b7777&tab=core&_cview=0


SANS WEBCAST - MICROSOFT MS15-034 PATCH AND HTTP.SYS VULNERABILITY

SANS Webcast - Microsoft MS15-034 Patch and HTTP.sys vulnerability

In a 30-minute webcast, Dr. Johannes Ullrich discusses the HTTP.sys vulnerability, how to test if your systems are vulnerable, and how the vulnerability is currently being exploited. View the webcast archive here -
-http://www.sans.org/u/3E5

STORM CENTER TECH CORNER

Google Serving Ads Over https
-http://googleonlinesecurity.blogspot.com.au/2015/04/ads-take-step-towards-https-everywhere.html

JavaScript CPU Cache Side-Channel Attack
-http://arxiv.org/pdf/1502.07373v2.pdf

DNS Rebinding Attack to Steal Wifi Passwords
-https://miki.it/blog/2015/4/20/the-power-of-dns-rebinding-stealing-wifi-passwords-with-a-website/

RSA Panel
-https://www.rsaconference.com/events/us15/agenda/sessions/1731/the-six-most-dangerous-new-attack-techniques-and

Extracting Compressed Streams From PDFs
-https://isc.sans.edu/forums/diary/Handling+Special+PDF+Compression+Methods/19597/

Minecraft Server DoS Vulnerability
-http://blog.ammaraskar.com/minecraft-vulnerability-advisory/

BeEF Used to Exploit iNotes Flaw
-http://blog.beefproject.com/2015/04/the-email-thats-watching-you.html

Malware Memory Footprint Analysis
-https://github.com/aim4r/VolDiff


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/