SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #43

June 02, 2015

TOP OF THE NEWS

Airbus Says Software Configuration Error to Blame for Crash
US Senate Allows Patriot Act Provisions to Expire
Survey: Corporate Boards Likely to Hold CEO Responsible for Breaches

THE REST OF THE WEEK'S NEWS

Facebook Rolling Out Support for PGP
Windows 10 to be Released in Late July
Mac Flaw Could be Exploited to Modify Firmware
Apple Publishes Workaround for Flaw that Crashes Message App
Silk Road Mastermind Sentenced to Life in Prison
Blockchain Updates Android App to Fix Flaws
Judicial Rule Change Could Allow Broader Warrants for Remote Computer Access
UK Government Chooses Not to Renew Extended Support for Windows XP
Correction: Columbia Casualty Company and Cottage Health System

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************* Sponsored By Trend Micro Inc. **********************
Targeted Attacks: 2014 Attack Review: Knowing your enemies tactics can give you an edge in defending against attack campaigns that use them. Trend Micro published its 2014 annual report detailing a number of case studies as well as the trends of the threat actors tools, tactics, and procedures (TTPs) used during the past year. http://www.sans.org/info/178090
***************************************************************************


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/4Ph


- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/4Pm


- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/4Pr


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Airbus Says Software Configuration Error to Blame for Crash (June 1, 2015)

An Airbus executive has confirmed that incorrectly configured software was responsible for the crash of an A400M military transport aircraft near Seville, Spain on May 9. The A400M is a novel aircraft and this crash occurred during a test flight.
-http://arstechnica.com/information-technology/2015/06/airbus-confirms-software-c
onfiguration-error-caused-plane-crash/
-http://www.theregister.co.uk/2015/05/31/airbus_software_config_brought_down_a400
m/
[Editor's Note (Assante): Improper control unit settings as the root cause of the crash places a top cybersecurity priority on assuring the integrity of the programming and testing process associated with critical flight safety related components. The next challenge is making sure unauthorized changes are prevented; when that fails all changes should be detected prior to the next flight.
(Murray): We have seen a number of cases recently in which safety and security failures of software resulted from installation, configuration, initialization, and administration problems rather than the routine operation of the software itself. ]

US Senate Allows Patriot Act Provisions to Expire (May 31 & June 1, 2015)

The US Senate failed to pass the USA Freedom Act, which would have amended Section 215 of the Patriot Act to apply stricter rules to government access to phone metadata. The measure is likely to be taken up again later in the week.
-http://www.wired.com/2015/05/parts-patriot-act-expire-tonight-senate-fails-pass-
reform/
-http://www.scmagazine.com/usa-freedom-act-fails-to-pass-and-section-215-sunsets/
article/418018/

Survey: Corporate Boards Likely to Hold CEO Responsible for Breaches (May 28 & June 1, 2015)

According to a survey from Veracode and the New York Stock Exchange, boards are most likely to hold a company's chief executive officer (CEO) accountable when a breach occurs. The chief information officer (CIO) and chief information security officer (CISO) and the entire executive team were also near the top of the list.
-http://www.csmonitor.com/World/Passcode/2015/0528/Who-should-take-the-fall-after
-a-corporate-hack-It-may-soon-be-the-CEO
-http://www.scmagazine.com/boards-members-view-ceo-as-more-responsible-for-breach
es-than-ciso-and-it-team/article/418020/
[Editor's Note (Pescatore): There has been a slew of these "what do boards think about security" surveys. When you talk to board members and to CISOs who regularly brief their board on security (and the majority of CISOs already do) you hear consistent feedback from the board: (1) Don't just tell us scary stories, tell us if we are safe now and if not what is the strategy to get there; (2) Don't give us different scary numbers each time we hear from you, have consistent and business-relevant metrics; (3) Better yet, how do our metrics compare against others in our industry; and, most importantly, (4) The board doesn't allocate resources or deal with tactical issues - don't raise those problems to us, you have a "C" in your title for a reason - solve the problems.
(Henry): The CEO is ultimately responsible for the long-term success or failure of any company. A breach needs to be dealt with as a business risk rather than merely a "technical issue," and the accountability for that rests at the top. CISOs, CIOs, CROs all require support and resources from the corporate leadership. Expansion into a new geographic area, resulting in 20% corporate growth? The CEO is responsible for that, and realizes success. Share value increases 10% due to profits from new product development? The CEO made that happen, and gets a huge bonus. Data breach resulting in lost customer data, company R&D, diminished stock price, and a significant impact on the company's reputation? That's the CEO's failure, and the CEO must be held accountable.
(Murray): If we have learned nothing else in the last two years, we should have learned that breaches cannot be "averted." They can be anticipated, planned for, limited, detected, mitigated, and remediated. Standards for all of these can be agreed to in advance and measured after the fact. While one might want to discipline executives at eBay, Sony, and Anthem, where the damage to constituents and the brand was severe, one might commend those at JPMorgan Chase where 99% of servers, applications, and customers were untouched. ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook - Next Generation Endpoint Security for Dummies. http://www.sans.org/info/178095

2) The Tor network is rising in popularity as infrastructure for malicious Web activity and as a vector for cyber attacks. Live demo and briefing--using threat intelligence to monitor Tor exit nodes for better defense--with Dr. Christopher Ahlberg, Co-founder and CEO of Recorded Future, on June 3, 1pm ET. http://www.sans.org/info/178100

3) In case you missed it: The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era. http://www.sans.org/info/178105
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Facebook Rolling Out Support for PGP (June 1, 2015)

Facebook will soon offer support for PGP encryption for its email notification messages to users, who can add OpenPGP public keys to their profiles. The "experimental new feature" will allow users to receive encrypted messages, which is helpful for sensitive information like password resets.
-http://www.theregister.co.uk/2015/06/01/facebook_pgp_support/
-http://www.v3.co.uk/v3-uk/news/2410933/facebook-rolls-out-pgp-email-encryption-f
or-privacy-focused-users
-https://www.facebook.com/notes/protecting-the-graph/securing-email-communication
s-from-facebook/1611941762379302
[Editor's Note (Pescatore): "Experimental new feature" and encryption are never good things when appearing in the same sentence. Certainly not a bad idea to have legitimate Facebook email and response be encrypted, but if the approach is complex/unstable, key management problems will just cause brand new phishing attacks.
(Ullrich): Facebook implementing PGP before any financial institution implements any kind of authenticated/encrypted email solution either tells us how important social networking has become, or how far financial institutions are lagging behind. Also note how this newsletter (NewsBites) has been using PGP signatures for the last 10+ years, but communications from your bank probably have only "improved" by adding more graphical logos and short links.
(Murray): The first "experimental" application of PGP contemplated by Facebook is to authenticate its messages to its users, just as SANS does with NewsBites. This is a high reward to risk application. While the option of publishing a user's public key in his profile suggests other uses, these are likely to be optional. Keep in mind that PGP stands for "pretty good privacy" and that the paper on its limitations that Phil Zimmerman published with the code remains required reading for anyone that intends to use it for sensitive applications in a hostile environment. ]

Windows 10 to be Released in Late July (June 1, 2015)

Microsoft has announced that its next operating system, Windows 10, will be released at the end of July. The next generation OS will be available as a free download to users already running Windows 7 and 8. (Windows 7 users must use the free upgrade within one year.) Windows 10 will include the return of the Start menu and the debut of a new browser called Edge.
-http://www.bbc.com/news/technology-32962830
-http://www.cnet.com/news/windows-10-update-july-29-with-start-menu-cortana-secur
ity-perks/

Mac Flaw Could be Exploited to Modify Firmware (June 1, 2015)

Macs shipped prior to mid-2014 contain a vulnerability that could be exploited to remotely overwrite firmware that boots up the computer. The vulnerability allows attackers access to the computer's unified extensible firmware interface (UEFI) after a machine has been in sleep mode and is restarted.
-http://www.theregister.co.uk/2015/06/01/apple_suspend_bug_0day/
-http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vuln
erable-to-permanent-backdooring/
-http://www.computerworld.com/article/2929081/security/apple-vulnerability-could-
allow-firmware-modifications-researcher-says.html
[Editor's Note (Ullrich): The key issue here is that, first of all, it is possible to update firmware as a normal user (so in other words: any user on your system, intentionally or not, can obtain persistence). Secondly, Apple doesn't make it easy to obtain trusted firmware images to compare to determine whether what you have is genuine. Rather than relying of the second hand articles listed below, please also make sure to read the original post at
-https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-fir
mware-security-is-completely-broken/
which includes links to tools to retrieve your current firmware. ]

Apple Publishes Workaround for Flaw that Crashes Message App (May 29, 2015)

Apple has released a workaround for an SMS bug that can be exploited to crash the Message app on iPhones, iPads, and the Apple Watch. The temporary fix involves asking Siri to read unread messages and to respond to the malicious string. Apple says a more permanent fix will be available in a later software update.
-http://www.zdnet.com/article/apple-issues-temporary-workaround-for-iphone-crashi
ng-messages-bug/
-http://www.v3.co.uk/v3-uk/news/2410243/apple-ios-bug-can-crash-an-iphone-with-a-
text

Silk Road Mastermind Sentenced to Life in Prison (May 29, 2015)

Ross Ulbricht, the mastermind behind the Silk Road underground marketplace, has been sentenced to life in prison without possibility of parole. Ulbricht was convicted on seven counts, including conspiracy to commit or aid and abet computer hacking and conspiracy to traffic in fraudulent identity documents.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/29/ross-ulbricht-maste
rmind-behind-online-drug-market-silk-road-sentenced-to-life-in-prison/
-http://www.forbes.com/sites/katevinton/2015/05/29/ulbricht-sentencing-silk-road/

Blockchain Updates Android App to Fix Flaws (May 29 & June 1, 2015)

Bitcoin wallet Blockchain has issued an update for its Android app to address several issues that can cause users to send Bitcoins to the incorrect address. The random number generator Blockchain uses recently switched to HTTPS and began returning a "moved permanently" or 301 error when apps requested a random number through HTTP, so instead of generating a number, Blockchain used "301" to generate private keys no matter which address users specified.
-http://www.theregister.co.uk/2015/06/01/blockchain_app_shows_how_not_to_code/
-http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-s
ent-bitcoins-to-the-wrong-address/

Judicial Rule Change Could Allow Broader Warrants for Remote Computer Access (June 29, 2015)

A United States Courts Committee has approved a judicial rule change proposal that would allow judges to issue warrants for remote access to target computers regardless of the machines' locations. Other judges have rejected similar requests on Fourth Amendment grounds. The Judicial Conference and the Supreme Court must also approve the rule. If Congress does not step in after that, the rule will take effect December 1, 2016.
-http://arstechnica.com/tech-policy/2015/05/proposed-rule-change-to-expand-feds-l
egal-hacking-powers-moves-forward/

UK Government Chooses Not to Renew Extended Support for Windows XP (May 26, 2015)

The UK government will not renew its paid contract with Microsoft to continue support for Windows XP. Microsoft discontinued regular support for XP in April 2014, but offered paid extensions for the service to large organizations. Last year, the Crown Commercial Service paid GBP 5.5 million (US $8.4 million) for one year of service to allow agencies time to migrate to newer operating systems. The Government Digital Service has decided not to renew, which means that government departments with computers still running Windows XP must each make their own continued support arrangements with Microsoft.
-http://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hack
ers-as-paid-windows-xp-support-ends

Correction: Columbia Casualty Company and Cottage Health System The lawsuit that Columbia Casualty Company brought against Cottage Health System seeking reimbursement for a breach payout noted Cottage's "failure to follow minimum required practices," which included the failure to apply patches within 30 days of their availability, not 3 days.
-http://www.theregister.co.uk/2015/05/28/cottage_healthcare_system_sued
-https://regmedia.co.uk/2015/05/28/columbia-v-cottage.pdf

---

STORM CENTER TECH CORNER

Submitting DShield Logs Using Cisco ASA
-https://isc.sans.edu/forums/diary/Submit+Dshield+ASA+Logs/19753/

Sourceforge Injecting Adware Installers into Projects
-https://plus.google.com/+gimp/posts/cxhB1PScFpe
-http://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-pro
jects-only/

Hola Insecure and Fixes Incomplete
-http://adios-hola.org/index.html

Bluecoat SSL Visibility Appliance Bugs
-https://isc.sans.edu/forums/diary/Blue+Coat+SSL+Visibility+Appliance+web+based+v
ulnerabilities/19749/

Multiple D-Link NAS Vulnerabilities
-http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf

Github Commit Crawler
-https://github.com/jfalken/github_commit_crawler

LaCie 5Big Network Arbitrary File Read
-http://www.syndis.is/blog/2015/5/29/arbitrary-file-read-in-lacie-5big-network-2

Spoofer Project
-https://isc.sans.edu/forums/diary/Weekend+Learning+Spoofer+Project/19747/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/