SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #35

May 05, 2015

TOP OF THE NEWS

Every Day Will Be Patch Tuesday
Psychometric Tests Help Military Identify Strong Cyber Security Candidates
Malware Takes Bold Steps to Avoid Analysis

THE REST OF THE WEEK'S NEWS

US Justice Department to Review Cell Site Simulator Use
Hard Rock Casino Says Customer Data Compromised
Two Indicted on Charges Related to Data Theft and Fraud
Canadian Police Arrest Suspect in Internet Harassment Case
Aleynikov Convicted Again in Goldman Sachs Code Theft Case
Google's Password Alert Feature Flaw Fixed; Another Flaw Found
Qihoo 360 Loses Certifications for Cheating on Tests

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By RSA ******************************
See Everything. Fear Nothing. Detect threats with complete visibility from the endpoint to the cloud with RSA Security Analytics 10.5. See it in action at the virtual launch event on May 6. Learn more & register: http://www.sans.org/info/177462
**************************************************************************

TRAINING UPDATE


- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Melbourne, Bangkok, and Dublin all in the next 90 days.


For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Every Day Will Be Patch Tuesday (May 4, 2015)

At Microsoft Ignite 2015, the company announced that with the introduction of Windows 10, there will be changes in the way it distributes software updates. Microsoft plans to release updates for devices 24/7. Businesses with Windows 10 enterprise arrangements will still be on a monthly patch release schedule so managers can decide which updates to use and when they will be installed.
-http://www.theregister.co.uk/2015/05/04/microsoft_windows_10_updates/
-http://arstechnica.com/information-technology/2015/05/04/microsoft-bangs-the-cyb
ersecurity-drum-with-advanced-threat-analytics/
-http://www.informationweek.com/software/enterprise-applications/microsoft-ignite
-2015-windows-10-office-2016-azure-updates/d/d-id/1320273
[Editor's Note (Pescatore): This is a good thing, especially since Chrome, Android and iOS software already essentially patch at will. It is long overdue for app developers to better isolate their apps from OS patches, which then enables the long overdue change of IT moving away from the "we must patch everything all at once and can't do that very often" approach. Of course, this is dependent on all vendors pushing out high quality patches. Another thing I hope to see: Microsoft raising the security bar in the "Windows Store" app store that is supposed to also come out with Windows 10.
(Murray): This MS initiative is not about a new way of patching but about a new security architecture for the "Windows enterprise." It takes into account not only the repair of implementation-induced flaws but also how they are exploited. It recognizes that attackers are relying not only upon exploiting such flaws but increasingly upon user behavior; it resists the system and application compromise and data leakage that results from such compromise. It is perhaps the biggest change in the approach to enterprise security architecture in a generation, timely if not overdue. If you have security responsibility in an enterprise with Windows desktops and servers, start thinking about how you will implement it and exploit it.
(Honan): In my opinion this will be a step backwards for security in many non-enterprise companies. Patch Tuesday for many is the one day of the month when the focus is on patching systems, moving to a 24/7 update process may result in many system administrators for small businesses losing this focus resulting in insecure systems in many organisations. ]

Psychometric Tests Help Military Identify Cyber Security Candidates (April 24, 2015)

The US military has begun using psychometric tests to help identify strong candidates for cyber security training. New research indicates that people best suited for these positions not only have strong math and logic skills, but also an eye for detail and an ability to intuit how people will behave. In addition, there is a correlation with musical ability. Well-designed tests not only identify people who will likely do well in the field, but may also identify which candidates are best suited for offensive work and which for defensive.
-http://www.militarytimes.com/story/military/careers/2015/04/23/cyber-tests/26245
187/
[Editor's Note (Paller): Commercial companies are now using a further developed version of these same tests to determine which prospective or existing employees can be expected to do well in advanced cybersecurity education and roles. Details at
-https://www.sans.org/cybertalent]

Malware Takes Bold Steps to Avoid Analysis (May 4, 2015)

Malware known as Rombertik goes to great lengths to evade analysis. Rombertik employs a number of methods to prevent researchers from examining its workings, including a component that self-destructs if it detects it is being examined, and when it does, it attempts to delete hard drive data and render the infected machine useless until the operating system is reinstalled. Rombertik spreads through spam and phishing emails and is designed to harvest all plain text entered in the browser window.
-http://arstechnica.com/security/2015/05/04/super-secretive-malware-wipes-hard-dr
ive-to-prevent-analysis/
-http://www.pcworld.com/article/2918632/rombertik-malware-destroys-computers-if-d
etected.html

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Cracking the Endpoint - Insider Tips for Endpoint Security. http://www.sans.org/info/177467

2) Threat Intelligence: Going from Theory to Practice: Friday, May 15 at 1:00 PM EDT (17:00:00 UTC) with Dave Shackleford and Andy Manoske. http://www.sans.org/info/177472

3) Protecting the Things, Including the Ones You Already Have (and don't know about). Monday, May 18 at 1:00 PM EDT (17:00:00 UTC) with Tom Byrnes and Johannes Ullrich. http://www.sans.org/info/177477
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Justice Department to Review Cell Site Simulator Use (May 3 & 4, 2015)

The US Justice Department (DoJ) will review the policies involved in the use of cell-site simulators, also known as IMSI catchers, or by the brand name Stingray. The technology tricks cell phones by making them trust the technology as a cellphone tower, while collecting data about the communications including device locations, metadata, and even content of communications. One of the American Civil Liberties Union's (ACLU's) concerns is that the device collects data from phones that are not being targeted in an investigation.
-http://www.computerworld.com/article/2917803/data-privacy/us-reviews-use-of-cell
phone-spying-technology.html
-http://www.scmagazine.com/cell-site-simulators-put-under-doj-review/article/4128
17/
-http://arstechnica.com/tech-policy/2015/05/03/department-of-justice-will-review-
how-it-deploys-cell-phone-snooping-tech/

Hard Rock Casino Says Customer Data Compromised (May 4, 2015)

The Las Vegas Hard Rock Hotel and Casino has acknowledged that attackers stole customer payment card data and personal information from computer systems there. The business found malware on its systems. Hard Rock detected the issue on April 3; the breach affects card transactions conducted between September 3, 2014 and April 2, 2015.
-http://www.theregister.co.uk/2015/05/04/hard_rock_breach/
-http://www.scmagazine.com/possible-payment-card-breach-at-hard-rock-hotel-casino
-las-vegas/article/412819/
-http://www.pcworld.com/article/2918057/hard-rock-hotel-and-casino-warns-of-possi
ble-payment-card-hack.html
-http://oag.ca.gov/system/files/Individual%20Notice%20TEMPLATE_0.pdf
[Editor's note (Northcutt): RAM swipers are one more tool that undermine trust in commerce. I guess what happens in Vegas doesn't necessarily stay in Vegas. A key point is that the malware was active for at least seven months. That takes the shine off one of the more famous pools, (pool parties), in sin city:
-http://blog.credit.com/2015/05/hard-rocks-las-vegas-hotel-casino-hacked-115593/
-http://www.yelp.com/biz/rehab-las-vegas-2]

Two Indicted on Charges Related to Data Theft and Fraud (May 4, 2014)

Two men have been indicted on multiple charges arising from their alleged roles in a data theft scheme. The men and their co-conspirators allegedly broke into a cosmetics company website and stole customer payment card data and personal information. The payment card data were used to conduct fraudulent transactions. The men and their co-conspirators also allegedly developed a plan to break into computers at the US State Department.
-http://www.scmagazine.com/twin-brothers-indicted-on-computer-hacking-charges/art
icle/412825/

Canadian Police Arrest Suspect in Internet Harassment Case (May 1, 2015)

Police in Canada have arrested a woman who allegedly created a botnet that was used to harass people over the Internet. The suspect allegedly used a Remote Access Trojan (RAT) to spy on targets and communicate with them through speakers. The suspect also allegedly took control of targets' computers and logged them on to risky websites.
-http://www.theregister.co.uk/2015/05/01/canadian_mounties_nab_woman_for_webcam_h
acking_shenanigans/
-http://www.scmagazine.com/canadian-woman-arrested-for-online-harrasment/article/
412537/

Aleynikov Convicted Again in Goldman Sachs Code Theft Case (May 1 & 2, 2015)

Sergey Aleynikov has once again been convicted on charges that he abused his position as a programmer at Goldman Sachs to steal proprietary code. Aleynikov was convicted in 2011 on charges of espionage and theft of trade secrets. That conviction was reversed in 2012 after a federal appeals court found that the code Aleynikov took was not physical property, thus he could not be charged under the federal theft statute prosecutors invoked in that case. Following the reversal, Goldman Sachs pursued the case with charges under state laws for unlawful use of secret scientific material and unlawful duplication of computer related material. Aleynikov was found guilty on the first charge and acquitted of the second.
-http://www.wired.com/2015/05/programmer-convicted-bizarre-goldman-sachs-caseagai
n/
-http://arstechnica.com/tech-policy/2015/05/02/former-goldman-sachs-programmer-co
nvicted-of-stealing-code-in-second-trial/
[Editor's Note (Murray): Three generations ago the great Bob Courtney observed that insiders attack us where they work. For example, programmers steal code, not money. ]

Google's Password Alert Feature Flaw Fixed; Another Flaw Found (May 1, 2015)

Last week, Google introduced a new feature in its Chrome browser that aims to help protect users from phishing attacks and from the security mistake of using their Google password for multiple sites. Password Alert warns users when they have entered their Google password into a non-Google site. Shortly after the feature debuted, an exploit to circumvent it was released. Google has since addressed that issue, but there are reports that the update has its own security issue.
-http://www.cnet.com/news/google-patches-password-alert-after-flaw-exposed/
-http://arstechnica.com/security/2015/05/01/googles-new-version-of-password-alert
-blocking-bypass-is-bypassed/

Qihoo 360 Loses Certifications for Cheating on Tests (May 1, 2015)

Chinese anti-virus company Qihoo 360 has been called out for cheating on benchmarking tests. Qihoo 360 submitted versions of its products for testing with an A-V engine from Bitdefender enabled and its own engine disabled. The versions submitted for testing are not the same as the versions that customers receive. Several testing companies have withdrawn certification for Qihoo 360.
-http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-t
est-labs-call-out-chinese-security-company-as-cheat.html
-http://www.theregister.co.uk/2015/05/01/cheater_test_labs_out_av_vendor_for_usin
g_rivals_engine/
-http://www.csoonline.com/article/2917446/security-industry/chinese-anti-virus-ve
ndor-caught-cheating-on-industry-tests.html
[Editor's Note (Honan): Customer trust in tech companies, including security companies, is at an all-time low. This type of behaviour will not help in rebuilding that trust. ]

---

STORM CENTER TECH CORNER

Fiesta Exploit Kit Traffic Pattern Change
-https://isc.sans.edu/forums/diary/Traffic+pattern+change+noted+in+Fiesta+exploit
+kit/19655/

Upatre / Dyre Spam
-https://isc.sans.edu/forums/diary/UpatreDyre+the+daily+grind+of+botnetbased+mals
pam/19657/

Barracuda Update Fixes SSL Flaws in Web Inspections
-https://community.barracudanetworks.com/forum/index.php?%2Ftopic%2F25516-barracu
da-delivers-updated-ssl-inspection-feature%2F

USBKill "Kills" Computer in case of USB Port Change
-https://github.com/hephaest0s/usbkill

Microsoft Releases "Local Administrator Password Solution"
-https://technet.microsoft.com/en-us/library/security/3062591

Mozilla Going to Deprecate HTTP
-https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
-https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

MySQL "BACKRONYM" Vulnerability
-https://www.duosecurity.com/blog/backronym-mysql-vulnerability

Dridex Malware now Localized
-https://isc.sans.edu/forums/diary/Massive+malware+spam+campain+to+corporate+doma
ins+in+Colombia/19647/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/