SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #32
April 24, 2015
An interview with Ed Skoudis about SANS NetWars CyberCity is scheduled to air on CBS Sunday Morning this Sunday, April 26. It's worth seeing: the first cost-effective cyber simulation environment, one that delivers real world attacks and defenses and doesn't cost the military millions of dollars to build and populate. If you don't catch the interview live, we will have a link to view it next week.
Also, the national CyberTalent Fair, May 14-15, includes employers such as the NSA, Deloitte, Next Jump, the US Army's INSCOM and more! The CyberTalent Fair is open to employers who have current cyber vacancies and all talented jobseekers. To demonstrate talent, all registrants have the opportunity to take the important new SANS CyberTalent Assessment exam at no cost! This exam allows employers to have much better knowledge about which jobs you may qualify for. The exam is used by large employers to select new employees who can be developed into highly productive security professionals.
Employers contact mshuftan@sans.org
Candidates visit https://app.brazenconnect.com/events/SANS-cybertalent-fair
TOP OF THE NEWS
US Military Using Tests To Identify Future Cyber Warriors
Both Houses Introduce Legislation to Update Computer Fraud and Abuse Act
DOD Says it May Respond to Threats With Offensive Cyber Measures
THE REST OF THE WEEK'S NEWS
Auditors Tell Nuclear Plant Operator to Migrate 48,000 PCs Still Running Windows XP
Many eCommerce Sites Have Not Yet Patched Magento Flaw
Detecting NSA Quantum Insert Attacks
FBI Warns Airlines to be Aware of Unusual Computer Activity on Planes
US House Passes Cyber Security Information Sharing Bill
CozyDuke APT Likely Behind Attacks on US State Department and White House
WordPress and Plugins Patched Against Cross-Site Scripting Attacks
DHS to Open Satellite Office in Silicon Valley
STORM CENTER TECH CORNER
************************* Sponsored By SANS *****************************
Healthcare Cybersecurity Summit & Training - Atlanta - May 12-13. Discussing some of the biggest concerns the industry is facing: incident response, software security best practices, in-bound phishing emails, mobile security ecosystem controls, behavior-based authentication capabilities for pharmas, providers, payers and consumers and more. Plus, SEC401, SEC504, & Health Care Security Essentials courses. http://www.sans.org/u/33t
***************************************************************************
TRAINING UPDATE
- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is
- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro
- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh
- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8
- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG
- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency": Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl
- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -Looking for training in your own community? Community - http://www.sans.org/u/Xj
- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Bahrain, Bangalore, Melbourne, and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
US Military Using Tests To Identify Future Cyber Warriors (April 24, 2015)
The services are slowly expanding their use of "psychometric" testing to help identify who is best suited to join the military's growing cyber force. In part, it's an effort to save money, as training programs are costly and time consuming. "They want to make pretty darn sure they have a successful candidate coming through their program," said Scott Cassity, a managing director at SANS. "In a very large organization like the military, even modest small increments in [predictability] can have a significant effect because we're talking about bringing in thousands of people a year," the commandant of the Army Cyber School at Fort Gordon, Georgia, told Military Times.
-http://www.militarytimes.com/story/military/careers/2015/04/23/cyber-tests/26245187/
[Editor's Note (Paller) Job candidates who want to see how well they do on the new talent assessment exams can try a version of SANS CyberTalent assessment exam for free as part of the national CyberTalent Career Fair at
-https://app.brazenconnect.com/events/SANS-cybertalent-fair]
Both Houses Introduce Legislation to Update Computer Fraud and Abuse Act (April 23, 2015)
Legislation aimed at updating the Computer Fraud and Abuse Act (CFAA) has been introduced in both US houses. The proposed changes are known as Aaron's Law after the overzealous prosecution of Aaron Swartz for downloading academic journal articles. Senator Ron Wyden (D-Oregon) noted that "numerous and recent instances of heavy-handed prosecutions for non-malicious computer crimes have raised serious questions as to how the law treats violations of terms of service, employer agreement, or website notices," and that "the CFAA is ... inconsistently and capriciously applied."
-http://www.theregister.co.uk/2015/04/23/congress_reintroduces_aarons_law/
-http://www.wyden.senate.gov/news/press-releases/wyden-lofgren-paul-introduce-bipartisan-bicameral-aarons-law-to-reform-abused-computer-fraud-and-abuse-act-
DOD Says it May Respond to Threats With Offensive Cyber Measures (April 23, 2015)
The US Defense Department announced on Thursday, April 23 that while it is looking to strengthen its cyber security defense posture, it would also use offensive cyber measures in response to threats from other countries.
-http://www.cnet.com/news/us-to-use-cyber-attacks-to-defend-against-threats-report-says/
-http://www.computerworld.com/article/2914372/cyberwarfare/defense-dept-wants-to-rebuild-trust-with-the-tech-industry.html
**************************** SPONSORED LINKS ******************************
1) Mark Your Calendar for 4/29 Webcast at 2 PM EDT: Insider Threats and the Real Financial Impact to Orgs - A SANS Survey. http://www.sans.org/u/3fp
2) What IS and ISN'T working in Incident Response? Take 2015 Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/177077
3) Analyst Webcast: RASP vs. WAF: Comparing Capabilities and Efficiencies: Tuesday, April 28 at 1:00 PM EST (17:00:00 UTC) with Jake Williams. http://www.sans.org/info/177032
***************************************************************************
THE REST OF THE WEEK'S NEWS
Auditors Tell Nuclear Plant Operator to Migrate 48,000 PCs Still Running Windows XP (April 23, 2015)
Japan's Board of Audit has instructed the Tokyo Electric Power Company (TEPCO) to move its 48,000 PCs still running Windows XP to a more current and more secure operating system. TEPCO operates the Fukushima Daiichi nuclear energy plant that experienced nuclear meltdown in 2011. According to the results of a recent audit, TEPCO made the decision to defer upgrading to save money.
-http://www.theregister.co.uk/2015/04/23/fukushima_nuke_plant_owner_told_to_upgrade_from_windows_xp/
Many eCommerce Sites Have Not Yet Patched Magento Flaw (April 23, 2015)
Attackers are actively exploiting a vulnerability in a widely-used content management system for online shopping sites. The flaw lies in Magento and a patch was released in February, but more than 98,000 sites remain vulnerable. The attacks in the wild give the attackers full control of the sites.
-http://arstechnica.com/security/2015/04/potent-in-the-wild-exploits-imperil-customers-of-100000-e-commerce-sites/
Detecting NSA Quantum Insert Attacks (April 22 & 23, 2015)
Researchers have found a method for detecting NSA Quantum Insert attacks. Open source tools can "detect duplicate sequence numbers of HTTP packets with different data sizes," which signals these attacks.
-http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/
-http://www.theregister.co.uk/2015/04/23/detecting_nsa_style_hacking_tool_unsheathed/
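The heuristic behind that detection, as an added example (not code from the researchers' tools or from this newsletter): a Quantum Insert races a forged HTTP response to the client, so a sensor that sees both copies observes two server-to-client TCP data segments on the same flow with the same sequence number but different contents. The code below walks a list of constructed segments and flags exactly that case. It goes slightly beyond the quoted heuristic by comparing payload bytes rather than only sizes, so a same-length substitution is also caught; a genuine retransmission, which repeats identical bytes, is not flagged. All addresses, ports and payloads are made up for the example, and the `Segment` type and function names are my own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP data segment as a sensor would reassemble it (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def detect_duplicate_seq(segments, http_ports=(80,)):
    """Flag server->client HTTP segments that reuse a sequence number already
    seen on the same flow but carry a different payload.

    A retransmission repeats the same bytes and is ignored; a Quantum Insert
    style race produces the same seq with a different (forged) response."""
    first_seen = defaultdict(dict)   # flow -> {seq: payload first observed}
    alerts = []
    for s in segments:
        if s.sport not in http_ports or not s.payload:
            continue                 # only data segments from the web server side matter
        flow = (s.src, s.sport, s.dst, s.dport)
        earlier = first_seen[flow].get(s.seq)
        if earlier is None:
            first_seen[flow][s.seq] = s.payload
        elif earlier != s.payload:
            alerts.append({
                "flow": flow,
                "seq": s.seq,
                "first_len": len(earlier),
                "second_len": len(s.payload),
                # status lines make the alert readable: which copy was the injected one
                "first_head": earlier.split(b"\r\n", 1)[0].decode("latin-1"),
                "second_head": s.payload.split(b"\r\n", 1)[0].decode("latin-1"),
            })
    return alerts


# Constructed sample traffic: 198.51.100.7, 203.0.113.x and 192.0.2.5 are documentation addresses.
FORGED = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://198.51.100.7/l\r\n"
          b"Content-Length: 0\r\n\r\n")
LEGIT = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"Content-Length: 18\r\n\r\n"
         b"<html>hello</html>")

SAMPLE = [
    # Forged answer arrives first (wins the race), spoofing the real server's address.
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000, FORGED),
    # The real server's answer lands on the same sequence number with different bytes.
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000, LEGIT),
    # Next segment of the real response: new seq, nothing to compare against.
    Segment("203.0.113.10", 80, "192.0.2.5", 51234, 1000 + len(LEGIT), b"tail"),
    # A second, clean flow with an ordinary retransmission (identical bytes): not flagged.
    Segment("203.0.113.20", 80, "192.0.2.5", 51300, 5000, LEGIT),
    Segment("203.0.113.20", 80, "192.0.2.5", 51300, 5000, LEGIT),
]

if __name__ == "__main__":
    for a in detect_duplicate_seq(SAMPLE):
        print(f"possible injection on {a['flow']} seq={a['seq']}: "
              f"'{a['first_head']}' ({a['first_len']}B) vs '{a['second_head']}' ({a['second_len']}B)")
```

Two practical caveats: the sensor must sit where it sees both copies (a tap in front of the client, not behind a proxy that has already reassembled the stream), and a middlebox that legitimately rewrites responses in flight will produce the same signature, so alerts need to be triaged against known proxies before anyone is paged.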
FBI Warns Airlines to be Aware of Unusual Computer Activity on Planes (April 22 & 23, 2015)
The FBI has issued a formal alert regarding the threat of cyber attacks against aircraft navigation networks. Flight crews are being urged to report suspicious passenger activity, including unfamiliar wires being connected to unusual ports. The warning also recommends that the airlines review network logs for suspicious activity.
-http://www.scmagazine.com/fbi-issues-flight-hacking-warning/article/410570/
-http://www.v3.co.uk/v3-uk/news/2404811/security-researcher-thrown-off-flight-after-hack-threats-on-twitter
-http://www.bbc.com/news/technology-32411491
-http://www.wired.com/2015/04/fbi-tsa-warn-airlines-tampering-onboard-wifi/
US House Passes Cyber Security Information Sharing Bill (April 22, 2015)
The US House of Representatives has passed the Protecting Cyber Networks Act that aims to pave the way for private companies and the government to share threat information. Civil liberties groups are concerned that the bill does not adequately protect citizens' privacy.
-http://www.wired.com/2015/04/house-passes-cybersecurity-bill-despite-privacy-protests/
CozyDuke APT Likely Behind Attacks on US State Department and White House (April 22, 2015)
The advanced persistent threat (APT) intrusions of networks at the US State Department and the White House are believed to have been perpetrated by a group known as CozyDuke. The group has targeted government and private sector entities in the US, Germany, South Korea, and Uzbekistan.
-http://www.theregister.co.uk/2015/04/22/cozyduke_hackers_white_house_state_dept_malware/
-http://www.computerworld.com/article/2913210/cybercrime-hacking/malware-used-in-white-house-and-state-department-hacks-possibly-linked-to-russia.html
-http://www.scmagazine.com/kaspersky-lab-details-cozyduke-group/article/410582/
-http://www.v3.co.uk/v3-uk/news/2405256/cozyduke-hackers-infiltrate-the-white-house-with-funny-monkey-videos
WordPress and Plugins Patched Against Cross-Site Scripting Attacks (April 21 & 22, 2015)
WordPress pushed out an updated version of its content management system to address four security issues, including two flaws that could be exploited through cross-site scripting attacks. Patches are also available for seventeen WordPress plugins with vulnerabilities that could be exploited through cross-site scripting attacks. The problems are due to the misuse of a pair of programming functions that modify or add query strings to URLs. Administrators are urged to apply the updates as soon as possible.
-http://www.eweek.com/security/wordpress-automatically-updates-to-v4.1.2-to-fix-critical-flaws.html
-http://arstechnica.com/security/2015/04/swarm-of-wordpress-plugins-susceptible-to-potentially-dangerous-exploits/
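Why a URL helper causes cross-site scripting, as an added example (not code from WordPress, from any of the affected plugins, or from this newsletter): when such a helper is called without an explicit URL it rewrites the current request's own URL, so whatever query string the visitor's browser sent is decoded, merged with the new arguments, reassembled and handed back. If the caller then drops that value into an `href` attribute without escaping, an attacker who gets a victim to open a crafted link controls part of the page. The Python below models that pattern in a vulnerable and a fixed form; `add_query_arg_like`, the two `render_*` functions and the sample URIs are my own constructions, and the reassembly step deliberately mirrors a helper that does not re-encode values when it rebuilds the query string.

```python
import html
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def add_query_arg_like(request_uri, **new_args):
    """Model of a URL helper that rewrites the *current request's* URL.

    Values are percent-decoded when the query is parsed and are NOT re-encoded
    when it is rebuilt, so a decoded '"' or '<' from the request survives
    into the returned URL. This is the behaviour the plugin bugs relied on."""
    parts = urlsplit(request_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))  # decodes %22 -> "
    query.update(new_args)
    rebuilt = "&".join(f"{k}={v}" for k, v in query.items())       # no encoding on the way out
    return urlunsplit((parts.scheme, parts.netloc, parts.path, rebuilt, parts.fragment))


def render_link_vulnerable(request_uri):
    """Vulnerable caller: the helper's output goes straight into an attribute."""
    url = add_query_arg_like(request_uri, page="2")
    return f'<a href="{url}">Next</a>'


def render_link_fixed(request_uri):
    """Fixed caller: escape for the HTML attribute context at the point of output
    (the role esc_url()/esc_attr() play in WordPress; html.escape here)."""
    url = add_query_arg_like(request_uri, page="2")
    return f'<a href="{html.escape(url, quote=True)}">Next</a>'


# Constructed request URIs for the example: one ordinary, one carrying a reflected payload.
BENIGN_URI = "/wp-admin/admin.php?page=demo"
ATTACK_URI = "/wp-admin/admin.php?page=demo&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable(ATTACK_URI))
    print("fixed:     ", render_link_fixed(ATTACK_URI))
```

Run with the attack URI, the vulnerable caller emits `<a href="/wp-admin/admin.php?page=2&x="><script>alert(1)</script>">Next</a>`: the injected `"` closes the attribute and the script runs in the admin's session. The fixed caller emits `&quot;&gt;&lt;script&gt;` instead, which the browser renders as text. Re-encoding values when the query is rebuilt would also defuse this particular payload, but escaping at the output site is the defence that does not depend on how the helper happens to behave, which is why the patches went into the callers.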
DHS to Open Satellite Office in Silicon Valley (April 21, 2015)
The US Department of Homeland Security (DHS) plans to open an office in Silicon Valley as part of a push to improve public/private cooperation, improve agency cyber security, and hire security experts. The office will be a satellite of the National Cybersecurity and Communications Integration Center (NCCIC).
-http://www.computerworld.com/article/2912468/cybercrime-hacking/us-plans-a-cybersecurity-center-in-silicon-valley.html
-http://www.cnet.com/news/homeland-security-department-to-open-silicon-valley-office/
-http://www.nextgov.com/cybersecurity/2015/04/dhs-open-shop-silicon-valley/110680/?oref=ng-channelriver
STORM CENTER TECH CORNER
Case Study: Why Web Application Pentests Need to Include Manual Tests
-https://isc.sans.edu/forums/diary/When+automation+does+not+help/19615/
Gaps In OS X Security
-https://threatpost.com/bypassing-os-x-security-tools-is-trivial-researcher-says/112410
Samsung S5 Fingerprint Leak
-https://www.rsaconference.com/writable/presentations/file_upload/hta-f01-to-swipe-or-not-to-swipe-a-challenge-for-your-fingers_final.pdf
Point Of Sale System Vulnerabilities
-https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-that-point-of_sale-is-a-pos_final.pdf
Android Touchjacking
-http://www.nes.fr/securitylab/?p=1865
Dridex Now Using Google to Obfuscate Link Further
-https://isc.sans.edu/forums/diary/Dridex+Redirecting+to+Malicious+Dropbox+Hosted+File+Via+Google/19609/
OS X Rootpipe Bug Still Not Fixed in Yosemite
-https://objective-see.com/blog.html
Google Allows Downloading / Deleting Search History
-https://support.google.com/websearch/answer/6068625?p=ws_history_download&rd=1
iOS WiFi DoS Attack
-https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/
Quick "Network Security Test"
-http://Internet.nl
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/