SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #39

May 19, 2015

TOP OF THE NEWS

FBI: Data Breaches Up 400%; Workforce Needs To Be 'Doubled or Tripled'
FBI Says Man Claims He Took Control of Plane in Flight
Hedge Funds Targeted by Cyber Extortionists

THE REST OF THE WEEK'S NEWS

Cyber Security a Growing Concern for Financial Services Companies
Address Spoofing Flaw Affects Safari for OS X and iOS
Oracle Releases Patch for VENOM Vulnerability
Penn State College of Engineering Takes Systems Offline After Attacks
Idaho Students Face Charges Related to DDoS Attack Against District System
Panda Labs: Attack Targeted Organizations in Oil Industry
Naikon Cyber Attack Group Targets Countries in South China Sea Area
mSpy Database Posted on Dark Web
Responsible Disclosure, or Two Can Play at That Game, Google
FBI Says it Does Not Prevent Local law Enforcement from Disclosing StingRay Use
Two Indicted in Photobucket Case

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec ************************


Cybercrime: New Tricks of the Trade
Knowing how cybercriminals are threatening security is the first step to securing your information-and your company's goals. From social media vulnerabilities to digital extortion, the 2015 Symantec(TM) Internet Security Threat Report leverages an unparalleled amount of data and is the resource you need to quickly uncover digital threats. http://www.sans.org/info/177770


***************************************************************************

TRAINING UPDATE


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 9 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response. http://www.sans.org/u/2bG


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses. http://www.sans.org/u/3gH


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24. http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security. http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses. http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses. http://www.sans.org/u/3hg


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training Mentor - http://www.sans.org/u/X4 Contact mentor@sans.org


- -Looking for training in your own community? Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.


For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI: Data Breaches Up 400%; Workforce Needs To Be 'Doubled or Tripled' (May 14, 2015)

James Trainor, acting assistant director of the FBI's Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. "Now, it is close to every two to three days," Trainor also said the cybersecurity industry needs to "double or triple" its workforce in order to keep up with hacking threats.
-http://thehill.com/policy/cybersecurity/242110-fbi-official-data-breaches-increa
sing-substantially
[Editor's Note (Paller): The "aha" moment on cyber workforce usually arises when senior managers find out that the skills (and certifications) they hired for policy and compliance with frameworks and FISMA and HIPAA and SOX and ISO, are not the ones needed for finding and mitigating the increasing number of breaches. If you are looking for people with the skills to meet the new security requirements, hire people who did well on "Continuous Monitoring and Security Operations" (Security 511) because it prepares them to analyze threats and detect anomalies that often indicate cybercriminal behavior. Also look for GCFE (forensic examiners) and GCFA (forensics analysts) certifications because they have demonstrated they have the knowledge and skills to play an important technical role in the new era. Training for these and more: Immediately at SANSFIRE
-http://www.sans.org/event/sansfire-2015
and many more cities at
-http://www.sans.org/security-training/by-location/all]

FBI Says Man Claims He Took Control of Plane in Flight (May 16 and 17, 2015)

According to an April 17, 2015, search warrant application filed by an FBI agent, Chris Roberts, who was kicked off a United Airlines flight in April after he tweeted about being able to make the oxygen masks drop, reportedly did at one time take control of a plane while it was in flight. The agent who filed the warrant said that Roberts made the claim during a February 2015 interview.
-http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
-http://arstechnica.com/security/2015/05/fbi-researcher-admitted-to-hacking-plane
-in-flight-causing-it-to-climb/
-http://www.cnet.com/news/fbi-claims-security-researcher-took-control-of-plane/
-https://regmedia.co.uk/2015/05/17/fbi_chris_roberts_search_warrant_application.p
df
Application for Search Warrant:
-http://www.wired.com/wp-content/uploads/2015/05/Chris-Roberts-Application-for-Se
arch-Warrant.pdf
[Editor's Note (Honan): I hope that at some stage the actual details will come to light; there are a lot of lessons to be learnt from this episode for security researchers, law enforcement, regulators, and indeed for enterprises on how to handle allegations of vulnerabilities in their systems.
(Assante): I am confident that the FBI investigation resulting from examination of the seized articles will provide some insight into the claims that had been made by Chris. I am hopeful but less confident that onboard system logs will reveal a clear picture of all the interactions or behaviors from accessed or impacted components on the involved aircraft. ]

Hedge Funds Targeted by Cyber Extortionists (May 8, 2015)

Cyber extortionists have targeted several hedge funds. John Carlin, head of the US Justice Department's National Security Division, told the audience at the SALT hedge fund conference earlier this month that "nation-state
[actors ]
from Russia, China, Iran, and North Korea target your companies ... to use your information against you." Carlin said that DOJ is working with hedge funds that have been victims of these attacks, and urged people to contact DOJ if they find themselves targeted, stressing that DOJ aims to go after the criminals, not the companies that are victimized.
-http://www.usatoday.com/story/money/business/2015/05/08/hedge-funds-conference-c
yber-espionage/26983845/

---

**************************** SPONSORED LINKS ******************************
1) Download the free White Paper - Advanced Threat Hunting: http://www.sans.org/info/177775

2) The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era: Wednesday, May 20 at 3:00 PM EDT (19:00:00 UTC) with Icaro Vazquez and David Hoelzer. http://www.sans.org/info/177780

3) Securing the mobile workforce. Attend Webcast May 21 at 1 pm EDT for 2015 survey results: http://www.sans.org/info/177785
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cyber Security a Growing Concern for Financial Services Companies (May 15, 2015)

Close to 50 percent of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC's Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year's report, just 24 percent of respondents ranked cyber security as their top concern.
-http://www.scmagazineuk.com/cyber-security-now-the-top-concern-for-financial-ser
vices/article/414885/

Address Spoofing Flaw Affects Safari for OS X and iOS (May 18, 2015)

Proof-of-concept code has been released for a vulnerability in Safari for OS X and iOS. The flaw could be exploited to spoof addresses, enabling phishing and malware attacks, allowing attackers to trick users into believing they are visiting one site but are actually connected to a different address. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Address+spoofing+vulnerability+in+Safari+Web+B
rowser/19705/
-http://arstechnica.com/security/2015/05/safari-address-spoofing-bug-could-be-use
d-in-phishing-malware-attacks/

Oracle Releases Patch for VENOM Vulnerability (May 18, 2015)

Oracle has released a fix for a critical overflow vulnerability known as VENOM. The problem lies in QEMU's virtual Floppy Disk Controller, which is part of some virtualization platforms and is used in certain Oracle products.
-http://www.scmagazine.com/oracle-patches-buffer-overflow-bug-venom/article/41532
9/
-http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.ht
ml?elq_mid=18422&sh=&cmid=WWMK14052431MPP004C005

Penn State College of Engineering Takes Systems Offline After Attacks (May 15 and 18, 2015)

In November 2014, the FBI notified Penn State University that attackers had breached systems at its College of Engineering. The "highly sophisticated" breaches compromised personally identifiable information belonging to roughly 18,000 people and appeared to target research data as well. The systems were taken offline in mid-May to bolster their security. One of the attacks is likely to have originated in China. Penn State learned of the breach on November 21, 2014 and began an investigation, but did not take immediate action because any change in the networks' status quo would alert the attackers that their activity had been detected.
-http://www.v3.co.uk/v3-uk/news/2408952/chinese-hackers-hit-top-us-university-wit
h-data-harvesting-attacks
-http://www.nbcnews.com/tech/security/penn-state-hit-china-based-hacker-universit
y-says-n359631
-http://www.theregister.co.uk/2015/05/15/penn_state_hack/
-http://www.cnet.com/news/penn-state-cyberattack-exposes-passwords-from-18k-peopl
e/
-http://arstechnica.com/security/2015/05/penn-state-severs-engineering-network-af
ter-incredibly-serious-intrusion/

Idaho Students Face Charges Related to DDoS Attack Against District System (May 18, 2015)

Two Idaho school students are facing charges related to their alleged involvement in a distributed denial-of-service (DDoS) attack against their school district's network. According to a news report, one of the students allegedly paid someone to launch the attack, which caused the loss of student and teacher work and of educational materials.
-http://www.scmagazine.com/two-students-paid-for-ddos-attacks-may-face-felony-cha
rges/article/415319/

Panda Labs: Attack Targeted Organizations in Oil Industry (May 18, 2015)

Panda Labs has uncovered evidence of a series of attacks targeting the oil industry. The attacks were discovered during an investigation of what appeared to be a one-off attack on a computer at an oil trading company. The attackers used email attachments that contained common Windows scripts and tools to evade detection. The tools requested credentials from the targeted machine and sent the harvested data back to an FTP server, which was found to contain information from multiple oil companies.
-http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf
-http://www.nbcnews.com/tech/security/phantom-menace-hack-strikes-oil-industry-co
mputers-n360776

Naikon Cyber Attack Group Targets Countries in South China Sea Area (May 18, 2015)

Researchers at Kaspersky Lab say a cyber espionage group known as Naikon targets systems belonging to government, military and civilian organizations in the South China Sea area, including Malaysia, Indonesia, Myanmar, and the Philippines. Naikon has been active for at least five years and appears to be state-sponsored. The group uses custom malware that includes platform-independent code and the ability to intercept traffic from the entire targeted network. Naikon also often establishes command and control infrastructures within the targeted countries; if the stolen data are not moving outside a country's borders, the activity is less likely to raise suspicions.
-http://www.theregister.co.uk/2015/05/18/naikon_cyberspies_spying/

mSpy Database Posted on Dark Web (May 14 and 15, 2015)

A database belonging to mSpy, a company that makes spyware for mobile devices, has been leaked to the dark web, on a web page accessible only through Tor. The compromised data include emails, text messages, payment information, and account access credentials. The breach affects more than 400,000 people. mSpy is advertised as an application for keeping tabs on children and employees. The company has not responded to inquiries about the breach.
-http://krebsonsecurity.com/2015/05/mobile-spy-software-maker-mspy-hacked-custome
r-data-leaked/
-http://www.theregister.co.uk/2015/05/15/mspy_snoopware_breach_spy/

Responsible Disclosure, or Two Can Play at That Game, Google (May 15, 2015)

A Polish company has released details about seven security flaws in Google's App Engine (GAE) cloud software. Security Explorations reported the issues to Google several weeks ago, but after Google filed to respond, Security Explorations decided to disclose information about the flaws, which include three Java sandbox escapes. Google has faced criticism over its Project Zero initiative, which gives companies 90 days to address vulnerabilities that Google finds before the company released information about the flaws.
-http://www.darkreading.com/cloud/polish-security-firm-discloses-unpatched-securi
ty-flaws-in-google-app-engine/d/d-id/1320458?
-http://arstechnica.com/security/2015/05/researcher-turns-tables-discloses-unpatc
hed-bugs-in-google-cloud-platform/

FBI Says it Does Not Prevent Local law Enforcement from Disclosing StingRay Use (May 14 and 15, 2015)

The FBI has issued a statement regarding US law enforcement use of cell-site simulators, known colloquially as StingRay, the brand name of a particular device. Several recent lawsuits revealed that the FBI has a non-disclosure agreement with local law enforcement agencies and that in at least one case, local law enforcement was urged to drop a case rather than divulge details about the technology's use. The recent statement from the FBI says that local law enforcement are not prevented from disclosing its use of StingRays, but that "the FBI's concern is with protecting the law enforcement sensitive details regarding the tradecraft and capabilities of the device."
-http://arstechnica.com/tech-policy/2015/05/fbi-now-claims-its-stingray-nda-means
-the-opposite-of-what-it-says/
-http://www.washingtonpost.com/world/national-security/fbi-clarifies-rules-on-sec
retive-cellphone-tracking-devices/2015/05/14/655b4696-f914-11e4-a13c-193b1241d51
a_story.html
-https://www.documentcloud.org/documents/2082240-urgent-copy-of-stingray-statemen
t.html

Two Indicted in Photobucket Case (May 8, 2015)

The US Justice Department (DOJ) has released a statements revealing that two people have been indicted on charges stemming from allegations that they breached systems of image and video-hosting website Photobucket. The two men allegedly developed and sold an application that circumvented protections on content hosted by Photobucket.
-http://www.justice.gov/opa/pr/two-men-who-breached-photobucketcom-indicted-and-a
rrested-conspiracy-and-fraud-related

---

STORM CENTER TECH CORNER

ProFTP Vulnerability Exploited
-http://bugs.proftpd.org/show_bug.cgi?id=4169

USIS Breached via SAP Vulnerability
-http://seclists.org/fulldisclosure/2015/May/64

IEEE Releases Guidelines to Build Security Code for Medical Devices
-http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-d
evice-software-security.pdf

SANS Web Application Security Checklist
-https://www.sans.org/security-resources/posters/securing-web-application-technol
ogies-swat-2014-60

A Quick Update on VENOM (Don't panic)
-https://isc.sans.edu/forums/diary/VENOM+Does+it+live+up+to+the+hype/19701/

New Details About Plane Hack
-https://regmedia.co.uk/2015/05/17/fbi_chris_roberts_search_warrant_application.p
df

McAfee Phishing Quiz
-https://blogs.mcafee.com/consumer/phishing-quiz-results

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/