SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #37
May 12, 2015
TOP OF THE NEWS
USIS Attackers Exploited SAP ERP Vulnerability
US DoD Report Claims China is Developing Tools to Attack Critical Infrastructure
Russia and China Sign Cyber Security Pact
Judge Says Airport Laptop Search "Unreasonable"
THE REST OF THE WEEK'S NEWS
RSA President Questions Government's Role In Cybersecurity
U.S. Ports Under Cyber Attack
MacKeeper Vulnerability
Ed Felten Becomes White House Tech Official
Paper Says Open Smart Grid Protocol Crypto is Weak
Former Dept. of Energy Employee Indicted for Alleged Phishing Attack
Adobe to Patch Critical Flaws in Reader and Acrobat
Malvertising Attack Targets Adult Website Visitors
STORM CENTER TECH CORNER
******************* Sponsored By Palo Alto Networks *********************
WhatWorks Webcast: Using Palo Alto Networks Next Generation Firewalls to Increase Visibility into Threats and Reduce Threat Risks
Wednesday, May 13 at 11:00 AM EDT with John Pescatore and Lance Spencer. Learn how The Palo Alto Networks Next Generation Firewall met all those needs and identified threats that other security solutions had not detected
http://www.sans.org/info/177592
***************************************************************************
TRAINING UPDATE
- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is
- -SANS Pen Test Austin 2015 | Austin, TX | May 18-23, 2015 | 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG
- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH
- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency": Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl
- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1
- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Melbourne, Bangkok, and Dublin all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
USIS Attackers Exploited SAP ERP Vulnerability (May 10, 2015)
A digital forensics company retained by Department of Homeland Security (DHS) contractor USIS said that a breach of its system last year was the work of attackers exploiting a vulnerability in a third-party enterprise resource planning (ERP) application. It is unclear if a fix for the unnamed SAP application was available at the time of the breach, and it has not been determined whether USIS or SAP was the party responsible for fixing the vulnerability.
-http://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/?oref=ng-channeltopstory
[Editor's Note (Paller): A useful (slightly dated) report on the status of SAP security was published 3 years ago
-https://media.blackhat.com/bh-eu-12/DiCroce/bh-eu-12-DiCroce-CyberAttacks_to_SAP_systems-WP.pdf
and updated data was released a few days ago.
-http://www.onapsis.com/onapsis-research-study-reveals-top-three-cyber-attack-vectors-sap-systems
(Murray): This is not unusual; it suggests that enterprise management was often not even aware that the server was there. If your vendor installs a server on your enterprise network, that server represents a vulnerability that you must compensate for. Appropriate controls include ensuring that this server can be accessed only by a VPN under your control (think your VPN server between the public network and the vendor's server), employs strong authentication, and is accessed by appointment or under supervision. Consider a VLAN or VPN between this server and anything on your network that it accesses. ]
US DoD Report Claims China is Developing Tools to Attack Critical Infrastructure (May 11, 2015)
The US government has issued a warning that China is developing attacks capable of disrupting systems responsible for running a country's critical infrastructure. In its annual report to Congress, Military and Security Developments Involving the People's Republic of China, the US Defense Department (DoD) says "China is using its cyber espionage capabilities to support intelligence collection against the US diplomatic, economic, and defense industrial base sectors that support US national defense programs."
-http://www.v3.co.uk/v3-uk/news/2407889/china-developing-network-killing-cyber-attack-tools-warns-us-government
-http://www.defense.gov/pubs/2015_China_Military_Power_Report.pdf
Russia and China Sign Cyber Security Pact (May 11, 2015)
Russia and China have signed a pact agreeing not to launch cyber attacks against each other. The agreement also calls for the countries' law enforcement agencies to share information to help ensure that their critical infrastructures are protected.
-http://www.darkreading.com/vulnerabilities---threats/advanced-threats/what-does-china-russia-no-hack-pact-mean-for-us-/d/d-id/1320365?
-http://www.zdnet.com/article/russia-china-cuddle-up-on-cyber-warfare-rules/
Judge Says Airport Laptop Search "Unreasonable" (May 11, 2015)
A US federal judge in the District of Columbia has ruled that a laptop search conducted at Los Angeles International Airport violated the laptop owner's constitutional privacy protections. The ruling allows the defendant, a South Korean businessman, to suppress evidence collected from his computer. He has been accused of selling aircraft parts to Iran.
-http://arstechnica.com/tech-policy/2015/05/warrantless-airport-search-of-laptop-cannot-be-justified-judge-rules/
-http://www.zdnet.com/article/border-laptop-search-unreasonable-violated-privacy/
[Editor's Note (Murray): This is not "Riley" at the border. ICE will continue to search the "container" for "contraband." Other law enforcement agencies will continue to use the "border exception" to advance other investigations. However, this decision says that there are still limits to what is "reasonable" and some courts will enforce those limits. While these searches are not yet so frequent as to interfere with the average traveler with a laptop, one continues to wish that ICE would publish the direction or guidance given to border agents about how to use this very broad and easily abused exception to the Fourth Amendment. ]
**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know. http://www.sans.org/info/177597
2) Exploit threat intelligence from the open Web (OSINT) using Recorded Future and Splunk. In this webcast on May 20, learn how to enrich data in Splunk with emerging threat indicators and IOCs from Recorded Future to improve SOC effectiveness: http://www.sans.org/info/177602
3) Hear what we learned about application security from the 2015 Survey: Part 1: Management Issues, May 13, 1 pm EDT. http://www.sans.org/info/177607 and Part 2: Application Development Issues, May 14, 1 pm EDT. http://www.sans.org/info/177612
***************************************************************************
THE REST OF THE WEEK'S NEWS
RSA President Questions Government's Role In Cybersecurity (April 29, 2015)
Amit Yoran, president of RSA, rejected calls by U.S. intelligence chiefs for limits on the commercial use of encryption and was skeptical that a stronger government role in cyberdefense will abate the growing number of attacks.
-http://www.pcworld.com/article/2917012/rsa-president-questions-governments-role-in-cybersecurity.html
[Editor's Note (Paller): Yoran was the nation's first cyber czar; he knows what government can and cannot do well. ]
U.S. Ports Under Cyber Attack; 37% of Microsoft Servers Unpatched (May 11, 2015)
Ninety percent of the world's goods are shipped on boats; the ports through which those boats deliver the goods are under attack. "The threat is very real," said Rear Adm. Marshall Lytle, the assistant commandant responsible for U.S. Coast Guard Cyber Command. "These intrusions and attacks are taking place every minute and every second of every day." More than one third of Windows servers in ports had not been patched.
-http://www.slate.com/articles/technology/future_tense/2015/05/maritime_cybersecurity_ports_are_unsecured.html
-http://www.networkworld.com/article/2917856/microsoft-subnet/maritime-cybersecurity-firm-37-of-microsoft-servers-not-patched-vulnerable-to-hacking.html
MacKeeper Vulnerability (May 11 & 12, 2015)
A critical vulnerability in MacKeeper could be exploited to execute malicious code remotely. The issue lies in the way MacKeeper handles custom URLs. The software allows commands to be run as root with no user interaction if users have previously provided MacKeeper with their passwords.
-http://www.computerworld.com/article/2921115/malware-vulnerabilities/mackeeper-security-program-opens-critical-hole-on-macs.html
-http://www.theregister.co.uk/2015/05/12/userbothering_mackeeper_patches_0day_vuln/
[Editor's note (Northcutt): If you are using MacKeeper, upgrade to the latest version today. If you are not using it, consider staying that course; it can be hard to get rid of:
-https://discussions.apple.com/thread/3255417?tstart=0]
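The bug class described above is a custom URL scheme handler that forwards attacker-controlled URL parameters to a component running with elevated privileges, without validation or a user prompt. The following is an added illustration written for this issue, not MacKeeper's code: the scheme "example-app", the helper path, the task names and the path rule are all hypothetical. It puts the unsafe pattern beside a hardened handler that fixes the scheme, allowlists the task, validates the path, demands an explicit confirmation and builds an argv list rather than a shell string.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical names for the illustration; none of these are MacKeeper's.
SCHEME = "example-app"
HELPER = "/usr/local/libexec/example-helper"
ALLOWED_TASKS = {"scan", "update"}
SAFE_PATH = re.compile(r"/Users/[A-Za-z0-9._/-]+")


def handle_url_vulnerable(url: str) -> str:
    """The failing pattern: whatever the URL carries is pasted into a command
    string for a helper that runs as root, with no allowlist and no prompt.
    Returns the string that would be handed to a shell (nothing is executed)."""
    q = parse_qs(urlparse(url).query)
    task = q.get("task", [""])[0]
    path = q.get("path", [""])[0]
    return f"{HELPER} {task} {path}"


def handle_url_hardened(url: str, user_confirmed: bool) -> list:
    """Hardened handler: fixed scheme, allowlisted task, tightly validated path,
    an explicit user confirmation before anything privileged, and an argv list
    instead of a shell string so metacharacters stay literal."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        raise ValueError("unexpected scheme")
    q = parse_qs(u.query)
    task = q.get("task", [""])[0]
    path = q.get("path", [""])[0]
    if task not in ALLOWED_TASKS:
        raise ValueError("task not allowed")
    # Regex pins the path under /Users with a narrow character set; the split
    # check refuses any ".." component the regex would otherwise let through.
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError("path not allowed")
    if not user_confirmed:
        raise PermissionError("privileged action requires user confirmation")
    return [HELPER, task, path]


def verdict(url: str, user_confirmed: bool = True) -> tuple:
    """Wrapper returning ('allowed', argv) or ('rejected', reason)."""
    try:
        return ("allowed", handle_url_hardened(url, user_confirmed))
    except (ValueError, PermissionError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed attacker URL: "&&" is percent-encoded so the query parser
    # delivers it intact to the handler.
    hostile = "example-app://run?task=scan&path=/tmp/x%20%26%26%20id"
    print(handle_url_vulnerable(hostile))
    print(verdict(hostile))
    print(verdict("example-app://run?task=scan&path=/Users/alice/Downloads"))
```

The vulnerable function shows why "no user interaction" matters: a web page can trigger the scheme, and the helper never asks before acting on the parameters. Even with an argv list, the hardened version still refuses to proceed without `user_confirmed`, because an allowlisted task run at the wrong time on a user-chosen path is still a privilege the page should not get for free.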
Ed Felten Becomes White House Tech Official (May 11, 2015)
Princeton Professor Ed Felten has been named White House deputy chief technology officer in the Office of Science and Technology Policy. Felten served as the Federal Trade Commission's (FTC's) first chief technologist from 2011 to 2012. He is also an outspoken critic of the NSA's information gathering practices.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/11/the-white-house-just-snagged-one-of-the-most-valuable-players-in-the-tech-policy-world/
-http://www.nextgov.com/cio-briefing/2015/05/nsa-critic-named-no-2-white-house-tech-official/112492/
[Editor's Note (Murray): Ed is now safely "inside the tent." One trusts that he will continue to "speak truth to power" but we may no longer know what he says. ]
Paper Says Open Smart Grid Protocol Crypto is Weak (May 11, 2015)
According to a paper presented at the International Association for Cryptologic Research, the Open Smart Grid Protocol (OSGP) lacks adequate security. The paper describes OSGP as "a non-standard composition of RC4 and home-brewed MAC."
-http://www.zdnet.com/article/smart-grid-group-rolls-out-its-own-flawed-crypto-risking-device-security/
-http://www.theregister.co.uk/2015/05/11/smart_grid_security_worse_than_we_thought/
Former Dept. of Energy Employee Indicted for Alleged Phishing Attack (May 11, 2015)
A man who used to work for the US Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC) has been indicted on charges that he launched a spear phishing campaign against DOE employees. Charles Harvey Eccleston allegedly sent the phishing messages in January 2015. He allegedly intended to infect the DOE's network with malware that would steal information about US nuclear weapons for a foreign country.
-http://www.scmagazine.com/charles-harvey-eccleston-detained-in-manila-and-extradited-to-us/article/414075/
-http://www.fbi.gov/washingtondc/press-releases/2015/former-u.s.-nuclear-regulatory-commission-employee-charged-with-attempted-spear-phishing-cyber-attack-on-department-of-energy-computers
Adobe to Patch Critical Flaws in Reader and Acrobat (May 8 & 11, 2015)
Adobe plans to issue fixes for Reader and Acrobat on Tuesday, May 12. There will be updated versions for Reader and Acrobat X and XI for both Windows and Mac.-http://www.theregister.co.uk/2015/05/08/adobe_reader_patch_pre_alert/
-http://www.zdnet.com/article/adobe-critical-acrobat-reader-security-flaws/
Malvertising Attack Targets Adult Website Visitors (May 8, 2015)
Computers belonging to people who have visited popular adult content websites were infected by malicious advertisements through Flash exploits. The malicious ad attempts to drop malware on site visitors' computers with no user interaction. The ad does not redirect users to another website, but instead drops the malware itself.
-http://www.computerworld.com/article/2920306/malware-vulnerabilities/visitors-to-top-adult-sites-hit-by-malvertising-attack.html
-http://www.scmagazine.com/malwarebytes-identifies-new-malvertising-campaign/article/413764/
STORM CENTER TECH CORNER
Alienvault Vulnerability Fix
-http://seclists.org/fulldisclosure/2015/May/36
Two Men Arrested for Selling Photobucket Hacking Tool
-http://www.justice.gov/opa/pr/two-men-who-breached-photobucketcom-indicted-and-arrested-conspiracy-and-fraud-related
IOActive Releases Cyberlock Advisory
-http://www.ioactive.com/pdfs/IOActive_Advisory_CyberLock.pdf
GPU Rootkits
-https://github.com/x0r1/jellyfish
Counterfeit Cisco Equipment Sale Leads to Arrest
-http://www.securingindustry.com/electronics-and-industrial/uk-police-smash-counterfeit-cisco-ring/s105/a2339/
SSDs Lose Information Quickly if Powered Down
-https://blog.korelogic.com/blog/2015/03/24#ssds-evidence-storage-issues
Bullguard and Panda Antivirus Authentication Bypass
-https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-019.txt
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/