
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #4

January 16, 2015

TOP OF THE NEWS

The Crypto Question
GE Multilink Switch Vulnerabilities
LinkedIn Account Credentials Targeted in Phishing Scheme

THE REST OF THE WEEK'S NEWS

Ad Company Using Verizon Tracking Header
NOAA Forecasting Supercomputer Upgrade Drawing GAO Attention
Marriott to Stop Blocking Personal Wi-Fi Hotspots
Mozilla Updates Firefox, SeaMonkey, and Thunderbird
Microsoft Issues Windows Patches
Adobe Patches Flash Vulnerabilities
Oracle Warns of Phony Patches
Google Stops Malicious Advertisement Attack
Military Social Media Security

STORM CENTER TECH CORNER


************************* Sponsored By Symantec ***************************
Compliments of Symantec: Gartner Magic Quadrant for Endpoint Protection Platforms - Find out which vendors Gartner positions as Leaders, Challengers, Visionaries or Niche Players based on their ability to execute and their completeness of vision. Gain in-depth knowledge of the market. Learn about factors driving market growth and unique challenges. Get an unbiased analysis of vendors.
http://www.sans.org/info/173737
***************************************************************************

TRAINING UPDATE


-SANS Security East 2015 | New Orleans, LA | January 16-21, 2015 | 11 courses. Bonus evening sessions include Stop Giving the Offense an Unfair Advantage; and Client Access is the Achilles' Heel of the Cloud.
http://www.sans.org/event/security-east-2015


-Cyber Threat Intelligence Summit | Washington, DC | Feb 2-9, 2015 | Brian Krebs, the renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and also broke the story on the Target breach, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


-10th Annual ICS Security Summit | Orlando, FL | Feb 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and what paths (options) you can build your program around. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


-DFIR Monterey 2015 | Monterey, CA | Feb 23-28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/event/northern-virginia-2015


-Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


-Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-Looking for training in your own community?
http://www.sans.org/community/


-Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Brussels, Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

TOP OF THE NEWS

The Crypto Question (January 15, 2015)

UK Prime Minister David Cameron pledged to ban encrypted communications that do not provide a backdoor for government access. Cameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian on Thursday includes details from a 2009 US National Intelligence Council report that has recently surfaced; the report expresses concern that both government and private computers are not adequately protected because encryption is not being implemented as quickly as it ideally should be.
-http://arstechnica.com/security/2015/01/with-crypto-in-uk-crosshairs-secret-us-report-says-its-vital/

[Editor's Note (Northcutt): I suspect the richer nations are going to have to develop their own encryption systems. The NSA may say that maintaining a known flawed algorithm was regrettable, but that dog won't hunt.
(Honan): Interesting to note the day after Mr Cameron made the above promise the European Network and Information Agency (ENISA) issued a report called "Privacy and Data Protection by Design - from policy to engineering Agency" which urges governments within the European Union to use strong encryption.
-http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

(Weatherford): This is absurd. For the past two decades we've been evangelizing for better security to protect our infrastructures and our information, to ultimately advance our societies through the economic benefits of technology. This position is essentially saying that technology has advanced too far too fast, so let's dumb down security to make law enforcement's job easier. It's a Bizarro World argument. Dumbing down security simply makes the bad guys' job easier and the security professional's job harder - much harder. I understand (and truly don't mean to minimize) the dilemma it presents to the intelligence community and law enforcement, but that's why the legal system has an entire branch of the U.S. Federal government dedicated to it. ]

GE Multilink Switch Vulnerabilities (January 15, 2015)

The US Department of Homeland Security's (DHS's) Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an advisory about hard-coded credentials in certain GE Ethernet switches. The issue lies in the RSA key used to encrypt SSL traffic, which is hard-coded into the devices' firmware.
-http://www.theregister.co.uk/2015/01/15/got_a_ge_industrial_ethernet_switch_get_patching/

ICS-CERT Advisory:
-https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04

LinkedIn Account Credentials Targeted in Phishing Scheme (January 15, 2015)

Attackers are using phony security alerts to steal LinkedIn account access credentials. The messages purport to come from LinkedIn support staff and say that users must download an attachment containing instructions for installing an update. The attachment appears to be the LinkedIn website, but it sends any entered data to the attackers. Users can protect themselves by activating LinkedIn's two-factor authentication.
-http://www.v3.co.uk/v3-uk/news/2390485/linkedin-credentials-being-harvested-via-bogus-security-notifications

-http://www.scmagazine.com/phishing-scam-uses-linkedin-security-update-to-steal-credentials/article/392700/

[Editor's Note (Pescatore): Forgive me for waxing lyrical, but a great line in John McCutcheon's "Step by Step" is, "Drops of water turn a mill, singly none singly none." The vast number of phishing attacks succeeding at capturing reusable passwords are drops of water slowly starting to turn the wheel of stronger authentication... ]


**************************** SPONSORED LINKS ******************************
1) How is your application security program changing? Tell us in the 2015 Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/173742

2) Avoid Making the Headlines. Protect Your Retail Business from Cyber Attacks Wednesday, January 28 at 1:00 PM EST with Isabelle Dumont and Dave Shackleford. http://www.sans.org/info/173747

3) Another chance to win $400 Amazon Card - Take New Survey on Insider Threats. http://www.sans.org/info/173397
***************************************************************************

THE REST OF THE WEEK'S NEWS

Ad Company Using Verizon Tracking Header (January 15, 2015)

An advertising company appears to be using Verizon unique identifier token headers (UIDH) to track users' online behavior. Clearing cookie caches will not prevent this tracking.
-http://www.computerworld.com/article/2868410/cleared-your-browser-cookies-it-wont-stop-ad-company-using-verizon-tracking-header.html

-http://www.theregister.co.uk/2015/01/15/ad_agency_reanimating_verizons_zombie_cookies_for_indepth_tracking/

-http://www.pcworld.com/article/2871512/how-to-protect-yourself-against-verizons-mobile-tracking.html

NOAA Forecasting Supercomputer Upgrade Drawing GAO Attention (January 15, 2015)

Auditors from the US Government Accountability Office (GAO) are monitoring the National Oceanic and Atmospheric Administration's (NOAA's) forecasting supercomputer upgrade because the contractor, IBM, is selling a portion of its business to Lenovo, a Chinese company. NOAA is also facing scrutiny regarding its polar satellite system, which will be addressed at a House Science and Technology Committee hearing in February.
-http://www.nextgov.com/cybersecurity/2015/01/watchdog-zeroes-supercomputer-supply-chain-risks-review-noaa-satellites/103044/?oref=ng-channeltopstory

Marriott to Stop Blocking Personal Wi-Fi Hotspots (January 15, 2015)

Marriott International will no longer block personal wi-fi hotspots in its hotels. The US Federal Communications Commission (FCC) investigated the issue after a customer complained, and found that a hotel in Tennessee was using a monitoring system that de-authenticated guests' hotspots. The FCC fined Marriott US $600,000. Marriott believed it was acting within its rights to block the hotspots and maintained that blocking customers' wi-fi hotspots was a security measure.
-http://www.bbc.com/news/technology-30827706
-http://www.siliconrepublic.com/comms/item/40191-marriott-hotels-vow-to-end/

Mozilla Updates Firefox, SeaMonkey, and Thunderbird (January 15, 2015)

Mozilla has released Firefox 35. The latest version of the browser includes fixes for a number of security issues. Several of the flaws have been rated critical. Mozilla has also issued updates for Firefox ESR, SeaMonkey, and Thunderbird.
-http://www.scmagazine.com/gecko-media-plugin-sandbox-escape-among-vulnerabilities-fixed/article/392802/

-http://www.v3.co.uk/v3-uk/news/2390409/mozilla-patches-critical-bugs-in-firefox-seamonkey-and-thunderbird

[Editor's Note (Murray): Browsers continue to be the weak spot on the desktop and the desktop continues to be the weak spot in the Internet. We appear to have chosen to tolerate it. ]

Microsoft Issues Windows Patches (January 13 & 14, 2015)

On Tuesday, January 13, Microsoft issued eight bulletins to address security issues in various versions of Windows. Included in the patches are fixes for two flaws in Windows 8.1 that Google recently disclosed as part of its Project Zero security program. Both flaws are also exploitable in other versions of Windows, although Google tested them in Windows 8.1 only. None of the bulletins address flaws in Internet Explorer, a rare occurrence for Microsoft. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2015+Really+Telnet/19179/

-http://www.computerworld.com/article/2868761/microsoft-patches-windows-bugs-that-got-under-its-skin.html

-http://www.computerworld.com/article/2868480/microsofts-patch-tuesday-focuses-on-windows.html

-http://www.eweek.com/security/microsoft-patches-zero-day-windows-flaws-disclosed-by-google.html

-https://technet.microsoft.com/en-us/library/security/dn903782.aspx

Adobe Patches Flash Vulnerabilities (January 14, 2015)

Adobe has issued fixes for nine flaws in Flash Player. The flaws could be exploited to record keystrokes or take control of vulnerable systems. Flash Player 16.0.0.257 is available for Windows and Mac OS X, and Flash Player 11.2.202.429 is available for Linux. Flash will be automatically updated in Google's Chrome browser and in Internet Explorer running on Windows 8 and 8.1.
-http://www.computerworld.com/article/2868669/adobe-patches-remote-code-execution-and-keylogging-flaws-in-flash-player.html

[Editor's Note (Murray): Flash is historically broken and appears to be resistant to anything that even approaches a permanent fix. Whatever happened to HTML5? ]

Oracle Warns of Phony Patches (January 13 & 14, 2015)

Oracle has issued a warning alerting users that attackers are touting phony security patches. The company has not provided details about what the downloads actually contain, but it is likely that they are not good for people's systems.
-http://www.net-security.org/malware_news.php?id=2940
-http://www.v3.co.uk/v3-uk/news/2390055/oracle-alerts-firms-to-bogus-malware-laden-security-patches

Google Stops Malicious Advertisement Attack (January 14, 2015)

Google has stopped a malicious advertising, or malvertising, attack that redirected users to suspect websites. The malicious ads were served to websites that had signed up to use Google's AdSense program, which provides banner ads.
-http://www.computerworld.com/article/2870785/google-nixes-widespread-malvertising-attack.html

Military Social Media Security (January 14, 2015)

The US Office of the Secretary of Defense has instructed its social media managers to ensure that their accounts are secure, days after the Twitter and YouTube accounts of Centcom were hijacked. The compromised accounts were back online under Centcom control on Monday night, January 12.
[Editor's Note (Pescatore): More drops of water! ]

STORM CENTER TECH CORNER

Wordpress Scans with Fake Google User Agent
-https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/

Scans for NoSQL Databases (Redis)
-https://isc.sans.edu/forums/diary/tcp6379+trolling+Redis+NoSQL+Or+something+else/19193/

Spam Migrates to WhatsApp
-http://www.adaptivemobile.com/blog/headsup-for-whatsapp

New DANE validation service
-https://dane.sys4.de

AMD Fixes Firmware Bug
-https://blogs.oracle.com/soaproactive/entry/malware_sites_offering_oracle_patches

Gitrob: Searching Github For Sensitive Information
-http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/

Asus Published Update to Fix "Port 9999" Bug
-http://www.asus.com/microsite/2014/networks/routerfirmware_update/

Skeleton Key
-http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/

Banking Trojans Hit Scada Networks
-http://www.darkreading.com/attacks-breaches/banking-trojans-disguised-as-ics-scada-software-infecting-plants/d/d-id/1318542

Please participate in our Internet Storm Center Survey:
-https://www.surveymonkey.com/summary/dJATaOOK8AjFj3XD_2Bi6Xm6i55Rm62JqNup_2FFhe1v1fc_3D



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.