SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #44

June 05, 2015

TOP OF THE NEWS

US Office of Personnel Management Acknowledges Second Breach
Top Four Security Controls Have Prevented Attackers from Stealing Australian Government Data
NSA Surveillance Authority Broadened to Include Domestic Internet Traffic

THE REST OF THE WEEK'S NEWS

Telstra CISO Says Attribution and Threat Hype Overshadow Defense Strategies
China Blocking VPNs
Senate Passes USA Freedom Act
FBI Wants Access to Social Media User Information
Mozilla and Google to Make Scripting Safer
Protect Systems Against Old Malware, Too
GAO: Defense Agencies Need to Improve Insider Threat Monitoring
Australian Company Paid Extortionists in Bitcoin
Microsoft Releases Fix for Flaw that Crashes Skype

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By RSA ****************************
RSA Webcast: Turn Security into Strategic Advantage with the Help of GRC June 9 at 8am PT/11am ET/3pm GMT. Learn how GRC can help turn security into business opportunities with intelligence-driven actions that lead to priorities that align with the business. Please join the RSA Live Webcast on June 9 to learn more and assess your current IT security risk management maturity:
http://www.sans.org/info/178130
***************************************************************************

TRAINING UPDATE


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t


- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US Office of Personnel Management Acknowledges Second Breach (June 4, 2015)

The US Office of Personnel Management (OPM) has acknowledged that its network was breached late last year, compromising the personal information of four million current and former federal employees. The incident, detected in April, is the second breach of OMP systems in less than a year.
-http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-fed
eral-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44
e_story.html
-http://thehill.com/policy/cybersecurity/244084-hackers-make-off-with-4-million-f
ederal-employees-data
-http://www.zdnet.com/article/as-federal-agency-reels-from-massive-data-breach-ch
inese-hackers-suspected/
-http://arstechnica.com/security/2015/06/federal-agency-hit-by-chinese-hackers-ar
ound-4-million-employees-affected/
[Editor's Note (Pescatore): The focus on this breach should be how and why, but most of the attention is immediately jumping to who. How the attackers got in and why the vulnerability was there even after OPM had a serious breach less than a year ago needs to lead to lessons learned and fixing what must be systemic problems.
(Paller): The U.S. Department of Homeland Security's (DHS) failure to focus federal agencies on cyber hygiene, and measure and report progress on the effectiveness of defenses inplace, leads to the ease with which these attacks succeed. The U.S. Department of Defense (DoD) has seen the light and is now measuring cyber hygiene as a core readiness metric - - in both military and civilian elements. If DHS cannot match this capability, rapidly, it is reasonable for the next President to consider removing government-wide cybersecurity responsibility from DHS and concentrating it under the Department of Defense, as the Australians have done so effectively. (See the following story.) ]

Top Four Security Controls Have Prevented Attackers from Stealing Australian Government Data (June 2, 2015)

Australia's Signals Directorate director Steve Day told an audience at the Check Point Cyber Security Symposium in Sydney that cyber attackers have not stolen any sensitive information from the government over the last two years even when they have managed to breach networks. Day says the government's success in keeping data safe is due to agencies having adopted the Top 4 Security Controls.
-http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_ha
cker_since_2013/
[Editor's Note (Pescatore): The Critical Security Controls "First Five" and the ASD Top 4 (done right) show up in over 80% of breach investigations as ways breaches could have been prevented. While doing these right is non-trivial, many enterprises and some government agencies are focusing on them as the foundation layer for increasing both the effectiveness *and* the efficiency of the entire security architecture and control set - and reaping those benefits. I used several real word examples (including the Australians) at my talk at the recent RSA Conference - see
-https://www.rsaconference.com/events/us15/agenda/sessions/1539/news-flash-some-t
hings-actually-do-work-in]

NSA Surveillance Authority Broadened to Include Domestic Internet Traffic (June 4, 2015)

According to classified documents leaked by Edward Snowden, in 2012, the NSA was granted the authority to conduct surveillance on US Internet traffic without a warrant to investigate foreign cyber attacks. The documents indicate that the NSA pursued attackers even if there was no proof that the attacks originated outside the US. The expanded surveillance powers were the result of two secret Justice Department memos.
-http://www.computerworld.com/article/2931724/internet/the-nsa-boosted-internet-m
onitoring-to-catch-hackers.html
-http://www.theregister.co.uk/2015/06/04/nsa_warrantless_internet_snooping/
-http://www.nextgov.com/defense/2015/06/obama-administration-secretly-expanded-sc
ope-nsa-spying-catch-foreign-hackers/114535/?oref=ng-HPriver
[Editor's Note (Ullrich): Looks like this edition of NewsBites has two stories about how government agencies want to collect more data (this one, and the one about social networking above) and two stories about how these agencies fail at protecting data (GAO story about insider threat, and OPM breach). ]

---

**************************** SPONSORED LINKS ******************************
1) Don't Miss: Visibility, Analytics, & Action: A strategy to address Critical Control 4 - Continuous Vulnerability Assessment & Remediation: Wednesday, June 17 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore, Michelle Cobb, and Sean Keef. http://www.sans.org/info/178135

2) In case you missed it: Meeting New CSC Guidelines for SSL Certificate Management with Barb Filkins and Kevin Bocek. http://www.sans.org/info/178140

3) What are the biggest challenges to data center and cloud security? Take Survey - Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/178145
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Telstra CISO Says Attribution and Threat Hype Overshadow Defense Strategies (June 3, 2015)

Telstra CISO Mike Burgess, also speaking at the Check Point Cyber Security Symposium, said that "attribution distraction" and "threat distraction" take the focus away from what's important regarding breaches - the root cause of the incident. Rather than addressing the existing problems in an organization's defense strategy, Burgess noted that media coverage often appears to place greater emphasis on identifying the culprit or on overstating the nature of the threat. For the majority of major breaches, there is an identifiable root cause with a known solution.
-http://www.zdnet.com/article/telstra-ciso-blasts-cyber-attribution-distraction/
[Editor's Note (Pescatore): Reinforcing my comment on the OPM breach, above, there definitely is a lot of "Don't blame me/it was China and an APT" kind of hype and distraction going on. Much more fun for the press to write about, but boards of directors are much more interested in reducing the impact on the company's bottom line vs. threat attribution. (Murray): The media may trumpet it but the concern over attribution originates with law enforcement. They want to identify the perpetrator so that they can remove them.
(Ullrich): This story, and the story about companies not defending against old threats, are both indicators of an all too common tendency to chase the "latest greatest threat". Security professionals like life to be exciting and filled with new and fascinating exploits. On the other hand, security usually works best if it is boring. ]

China Blocking VPNs (June 3, 2015)

The Chinese government is taking steps to prevent its citizens from accessing Internet content it deems inappropriate by blocking virtual private networks (VPNs), which have come into greater use as the government has blocked more websites.
-http://www.theregister.co.uk/2015/06/03/china_cracks_down_on_censorship_vpn/
[Editor's Note (Murray): While China may have escalated it, the first shot in this trade war was fired by the US (Huawei). Retaliation should have been expected. We should not have embarked upon a trade war in one of the few markets where the balance of trade was in our favor. ]

Senate Passes USA Freedom Act (June 2, 2015)

The US Senate has passed the USA Freedom Act, which officially ends the NSA's wholesale collection of phone call metadata. Under the bill, which President Obama signed into law on Tuesday, June 2, telecommunications will store the data and the government can access them with orders from the Foreign Intelligence Surveillance Court.
-http://www.wired.com/2015/06/senate-finally-passes-bit-nsa-reform/
-http://www.cnet.com/news/senate-approves-sweeping-reforms-to-nsa-phone-surveilla
nce/
-http://arstechnica.com/tech-policy/2015/06/how-the-end-of-patriot-act-provisions
-changes-nsa-surveillance/

FBI Wants Access to Social Media User Information (June 3 & 4, 2015)

The FBI wants congress to pass a law mandating that operators of social media sites and other web communication tools share customer information with law enforcement just as telecommunications companies do. Michael Steinbach, assistant director of the FBI's counterterrorism division, told the House Homeland Security Committee earlier this week that congress should develop Internet communication rules that are informed by the Communications Assistance for Law Enforcement Act (CALEA).
-http://www.computerworld.com/article/2931080/cybercrime-hacking/fbi-calls-for-ne
w-wiretap-law-covering-social-media.html
-http://www.executivegov.com/2015/06/fbis-michael-steinbach-terrorists-using-vira
l-messaging-tech-to-spread-propaganda/
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/04/fbi-official-compan
ies-should-help-us-prevent-encryption-above-all-else/
[Editor's Note (Honan): If passed this could have a major impact on the user base of US based social media sites outside of the US. Many non-users may not feel comfortable that their data will be subject to US law even if they are not located within the US. ]

Mozilla and Google to Make Scripting Safer (June 4, 2015)

Mozilla, Google, and Dropbox are developing a resource for browsers to help prevent man-in-the-middle attacks. The Subresource Integrity (SRI) check will allow browsers to check the integrity of scripts using hashes. SRI will be available in developer builds of Chrome and Firefox within a month.
-http://www.theregister.co.uk/2015/06/04/new_firefox_chrome_sri_script_whip_to_fo
il_maninthemiddle_diddle/
-http://www.w3.org/TR/SRI/
[Editor's Note (Ullrich): This is an interesting proposal. Right now, developers have two options when making use of popular javascript libraries like jQuery: (1) download the entire library and serve it from their own system, which offers more control about the integrity of the library, but takes a small amount of additional resources and may slow page load, or (2) keep them in their original location, trusting the developer to properly secure them. This proposal will allow web sites to add hashes to script tags to allow the browser to verify the integrity of the library.
(Murray): Welcome move. However, the browser remains the Achilles Heel of the desktop and the desktop that of the enterprise and the Internet. ]

Protect Systems Against Old Malware, Too (June 4, 2015)

Microsoft UK chief security advisor Stuart Aston told an audience at the RSA unplugged conference in London earlier this week that old malware can be just as harmful as the newly-discovered exploits that make headlines. Data indicates that 20 percent of Windows installations does not have current anti-virus protection.
-http://www.theregister.co.uk/2015/06/04/ms_old_malware_peril/

GAO: Defense Agencies Need to Improve Insider Threat Monitoring (June 4, 2015)

According to a report from the US Government Accountability Office (GAO), the Defense Department needs to establish programs to help detect and prevent insider threats. The unclassified version of the report said that just half of the military "components" the report examined had established "a baseline of normal activity patterns" derived from observed system and user behavior.
-http://www.nextgov.com/cybersecurity/2015/06/watchdog-says-dod-needs-crank-insid
er-threat-monitoring/114430/?oref=ng-channeltopstory

Australian Company Paid Extortionists in Bitcoin (June 3, 2015)

A company based in Brisbane, Australia, paid online extortionists thousands of dollars in Bitcoins after the thieves stole data. When the company refused to pay an additional ransom, the attackers made threats against a child of a senior member of the company. The case has prompted Queensland police to warn businesses not to pay extortionists and to warn individuals about the dangers of posting personal information on social media.
-http://www.theguardian.com/technology/2015/jun/04/hackers-extorted-multinational
-firm-in-australia-and-threatened-employee

Microsoft Fixes Flaw that Crashes Skype (June 3, 2015)

Microsoft has released an update to fix a flaw that crashes Skype when a specific eight-character string is received in an instant message. Users found that even when they tried to log on to Skype after the crash, Skype would download the most recent chat and it would crash again. The cycle would stop only when the user who sent the string deleted it. The issue affects Skype on Windows and Android platforms, with the exception of the touch version of Skype for Windows 8.1.
-http://www.eweek.com/security/skype-rushes-update-to-fix-http-crash-bug.html
-http://www.cnet.com/news/skype-gets-tripped-up-by-stray-characters/

---

STORM CENTER TECH CORNER

Exploit Kit Roundup
-https://isc.sans.edu/forums/diary/Exploit+kit+roundup+early+June+2015/19763/

MalwareTech SBK - Hard Drive Firmware Bootkit
-http://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html

PhishMe Disrupts Skype Botnet
-http://phishme.com/disrupting-an-adware-serving-skype-botnet/

Opening Garage Doors With Toy Messenger
-http://www.wired.com/2015/06/hacked-kids-toy-opens-garage-doors-seconds/

Turning on Two Factor Authentication
-https://www.turnon2fa.com

Survey of Github SSH Keys
-https://blog.benjojo.co.uk/post/auditing-github-users-keys

Sourceforge Hijacks NMAP
-http://seclists.org/nmap-dev/2015/q2/194

piwik allows anonymous access to statistics
-http://networktoolbox.de/scary-piwik-findings/

Facebook Phases Out SHA-1
-https://developers.facebook.com/blog/post/2015/06/02/SHA-2-Updates-Needed

Japanese Users Targeted by iOS Malware
-http://www.symantec.com/connect/blogs/japanese-one-click-fraudsters-target-ios-u
sers-malicious-app-delivered-over-air

MyFax Spam E-Mail Leads to Neutrino Exploit Kit
-https://isc.sans.edu/forums/diary/Myfax+malspam+wave+with+links+to+malware+and+N
eutrino+exploit+kit/19759/

Blockchain Bitcoin Wallet Random Number Fail
-https://www.reddit.com/r/Bitcoin/comments/37oxow/the_security_issue_of_blockchai
ninfos_android/crolfk4

Microsoft Planning to Add SSH Support To Windows Powershell
-http://blogs.msdn.com/b/looking_forward_microsoft__support_for_secure_shell_ssh1
/archive/2015/06/02/managing-looking-forward-microsoft-support-for-secure-shell-
ssh.aspx

Locker Ransom Ware Giving up and releasing keys / decrypting files
-http://blog.knowbe4.com/is-your-network-infected-with-sleeper-ransomware

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/