SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #46

June 12, 2015

TOP OF THE NEWS

Did OPM Breach Affect All Federal Employees?
Other Federal Systems Targeted by Same Attack that Hit OPM
More Details Emerge About Airbus Crash

THE REST OF THE WEEK'S NEWS

Fix Available for OpenSSL LogJam Flaw
State Department 3-D Printing Restrictions
Kaspersky Systems Breached by Duqu 2.0
Poweliks Evades Detection by Hiding in Registry
Cell-Site Simulator Towers Found in UK
Adobe Releases Updates
Microsoft's Patch Tuesday for June
Justice Department Seeks Identities of Those Who Posted Threats to Judge in Silk Road Case

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By RSA **************************
The RSA Cyber Security Poverty Index(TM) Join RSA's CTO Zulifikar Ramzan as he discusses the inaugural RSA Cybersecurity Poverty Index, based on the results from RSA's Cybersecurity Maturity Assessment survey. This June 23 live webcast will provide insight into how prepared global organizations believe they are for today's cyber threat environment. See how your organization compares! Register today: http://www.sans.org/info/178357
************************************************************************

TRAINING UPDATE


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t


- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Did OPM Breach Affect All Federal Employees? (June 11, 2015)

According to the American Federation of Government Employees (AFGE), the breach of the Office of Personnel Management's (OPM's) systems affected all current and one million former federal employees. In a letter to OPM Director Katherine Archuleta, AFGE President J. David Cox lists the types of information that AFGE believes were compromised, and adds that it appeared that the data were not encrypted.
-http://www.forbes.com/sites/katevinton/2015/06/11/federal-union-says-opm-data-br
each-hit-every-single-federal-employee/
-http://www.computerworld.com/article/2935132/cybercrime-hacking/hacked-data-on-m
illions-of-us-govt-workers-was-unencrypted.html
-http://www.cnet.com/news/hack-affected-every-single-federal-employee-union-says/
-http://www.nextgov.com/cybersecurity/2015/06/opm-hackers-stole-data-every-federa
l-employee/115117/?oref=ng-channeltopstory
Text of AFGE Letter:
-http://www.scribd.com/doc/268412148/AFGE-President-Cox-Letter-to-OPM-Archuletta-
Cyber-Breach
[Editor's Note (Northcutt): Something happened, we just do not know exactly what. Blaming the Chinese is easy, but is an unfair out. OMB needed to protect that information; whatever was lost and, do we/they even know what happened? NewsBites has tried to find a source other than the union official, (J. David Cox), and has come up empty. If I can make a personal statement I am starting to feel a bit let down. My information was lost with the VA laptop disaster and I was also a federal employee and I pay taxes so the IRS has data on me. I am pretty careful so that no one search engine, social media site, credit card, online anything has a complete picture of me, but I can't manage what the U.S. Government has, wants more of, and does not properly protect. The Bush and Obama administrations were very excited about collecting every possible shred of information on every living being foreign and domestic, but they were/are totality clueless about protecting said information:
-https://epic.org/privacy/vatheft/
-http://www.washingtonpost.com/realestate/irs-was-told-in-2011-that-its-security-
and-privacy-controls-were-inadequate/2015/06/01/de42884a-0886-11e5-95fd-d580f1c5
d44e_story.html
(Honan): An interesting development in this case are claims in a Wall Street Journal article (
-http://www.wsj.com/articles/u-s-spy-agencies-join-probe-of-personnel-records-the
ft-1433936969)
that the breach was not discovered by the EINSTEIN program but instead was discovered during a demo by a security vendor of one of their products on the OPM network. If this is the case, then OPM owes it to the victims of this attack that they revise their statements and be as transparent as possible as to how the breach happened and what is being done to prevent a recurrence. ]

Other Federal Systems Targeted by Same Attack that Hit OPM (June 9, 2015)

The attackers who breached OPM's network are likely to have targeted other federal systems as well. Once the OPM breach was disclosed, its signature was entered into the Department of Homeland Security's (DHS's) Einstein cyber threat detection program; Einstein found that the threat signature matched malicious activity directed at other government systems.
-http://www.federaltimes.com/story/government/cybersecurity/2015/06/09/opm-hack-o
ther-networks/28749945/
[Editor's Note (Honan): This is a good example of why we need to focus on the how an attack happens and not so much on the who carried out the attack so that other organisations can better protect themselves. ]

More Details Emerge About Airbus Crash (June 10, 2015)

According to new reports, configuration data were wiped from three of four electronic control units (ECUs) on the Airbus aircraft while software was being installed. The deleted torque calibration parameter files are necessary to interpret engine readings. The situation caused the three affected engines to shut down. The way the system is constructed, the pilot would not have been alerted to the problem until the aircraft was at an altitude of 400 feet.
-http://arstechnica.com/information-technology/2015/06/report-airbus-transport-cr
ash-caused-by-wipe-of-critical-engine-control-data/
-http://www.bbc.com/news/technology-33078767
-http://www.computerworld.com/article/2933491/security0/vital-engine-software-fil
es-accidentally-wiped-linked-to-fatal-a400m-plane-crash.html
[Editor's Note (Assante): This tragic accident reminds us of the nature of cyber and its ability to achieve scales that often surprises us. The safety basis for the aircraft failed to analyze a scenario involving software problems for more than one engine. There are numerous process safety efforts that also fail to account for software errors or malware conditions in many places at once (horizontal susceptibility) throughout the worlds power systems, chemical plants, and transportation systems.
(Murray): It is not sufficient to get the code right. Like any tool, one must configure and use it properly. Configuration management is also essential in hardware but is easier to get wrong where there are more degrees of freedom, i.e. in "soft" ware. Mis-configuration is a "failure mode;" resisting it is a requirement that must be on the list. This one clearly will be when this aircraft is operational. However, this was a very expensive "test" to discover an unspecified and uncompensated failure mode. The failure to specify the ways that a system can fail, and which must be guarded against, is a common problem in much software, less so in aviation software where specification of failure modes is essential practice.
(Honan): Effective change control with post change testing, much maligned by many IT professionals, is a very powerful tool in preventing such issues from occurring. Time to review your own change control procedures to ensure your post change testing includes security and operational issues and not just functional tests. ]

---

**************************** SPONSORED LINKS ******************************
1) The survey results are in! Big Data: Identifying Major Threats and Removing Security and Compliance Barriers -- Webcast & Free Whitepaper on Thursday, June 18 at 1:00 PM EDT. http://www.sans.org/info/178362

2) Webcast: An updated look at security in our financial institutions on June 23 at 1:00 PM EDT. http://www.sans.org/info/178367

3) June 25 at 1:00 PM EST: Hear results of the 3rd annual State of Security in Control Systems Survey. http://www.sans.org/info/178372
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Fix Available for OpenSSL LogJam Flaw (June 12, 2015)

OpenSSL has released an updated version of the open source cryptographic protocol that addresses seven vulnerabilities, including a flaw known as LogJam. Users are urged to upgrade as soon as possible.
-http://www.theregister.co.uk/2015/06/12/openssl_slings_patch_to_free_logjam/
-http://www.zdnet.com/article/logjam-openssl-security-hole-patched/
Internet Storm Center Fixes for LogJam:
-https://isc.sans.edu/forums/diary/Updates+to+OpenSSL+fix+vulnerabilities+related
+to+Logjam/19793/
[Editor's Note (Murray):It is almost always more important that a fix be applied thoroughly than it is that it be applied "as soon as possible." This is all the more true for Logjam, a vulnerability that has existed for a generation and remains expensive to exploit even in the face of publicity. ]

State Department 3-D Printing Restrictions (June 11, 2015)

The US State Department has issued two statements indicating that it will restrict the publication of technical information online that can be used to print weapons on 3-D printers. The State Department classifies the plans as a controlled "foreign export" of munitions, and their presence online would violate the International Trade in Arms Regulations (ITAR).
-http://www.wired.com/2015/06/feds-restrict-3d-printed-gun-files/
[Editor's Note (Murray): Call it what you like, this is not a restriction on fabrication or export but on the exchange of information. At least this time it is really about weapons. However, the First Amendment to the Constitution is always implicated when the U.S. government undertakes to regulate the publication or free exchange of ideas, whatever the justification. ]

Kaspersky Systems Breached by Duqu 2.0 (June 10, 2015)

Kaspersky Lab has announced that its systems were attacked last year. The intruders did not go after customer data; instead, they were interested in Kaspersky's intellectual property and the company's systems. The malware used in the attack is an updated version of Duqu, which is related to Stuxnet and is used for intelligence gathering. Kaspersky believes the actor is working on behalf of a nation-state.
-http://www.cnet.com/news/none-of-us-are-safe-major-cybersecurity-company-hacked/
-http://www.darkreading.com/endpoint/duqu-20-attack-on-kaspersky-lab-opens-chilli
ng-new-chapter-in-cyber-espionage-/d/d-id/1320810?
-http://arstechnica.com/security/2015/06/stepson-of-stuxnet-stalked-kaspersky-for
-months-tapped-iran-nuke-talks/
[Editor's Note (Murray): The breaches of RSA and Kaspersky should caution us that "knowing better" is no substitute for doing well. It should also caution us that the threat of espionage is increasing. While I have never been convinced that the breach of RSA significantly lowered the cost of attack against its customers, doing so was clearly the motive for the attack.
(Honan): To me the interesting aspect of this story is not that a security company was breached, by their nature security vendors and companies are prime targets for many adversaries, but it is the complexity of the malware that is of importance. It shows a leap in how attackers are designing their tools to avoid detection for longer. Also big kudos to Kaspersky for going public with this story, their actions enable many others to be aware of this threat and subsequently to be more secure. ]

Poweliks Evades Detection by Hiding in Registry (June 10, 2015)

Malware known as Poweliks has tried to infect nearly 200,000 computers over the past six months. Poweliks is hard to detect because it "does not exist as a file on a disk but instead resides solely in the registry." It also remains on systems after they have been restarted. Poweliks is used to generate fraudulent ad-clicks to generate revenue.
-http://www.zdnet.com/article/poweliks-trojan-goes-fileless-to-evade-detection-an
d-removal/
-http://www.v3.co.uk/v3-uk/news/2412473/poweliks-malware-targets-200-000-computer
s-with-covert-windows-registry-attacks
-http://www.symantec.com/connect/blogs/poweliks-click-fraud-malware-goes-fileless
-attempt-prevent-removal

Cell-Site Simulator Towers Found in UK (June 10, 2015)

Phony cell phone towers have been found in the UK. Police there have not said anything about their use of technology commonly known as Stingray, although news stories as far back as 2011 suggested that it might be in use. The towers were found by a news investigation.
-http://www.v3.co.uk/v3-uk/news/2412421/fake-mobile-phone-towers-found-in-uk-in-m
ass-surveillance-sting
-http://arstechnica.com/tech-policy/2015/06/fake-mobile-phone-towers-discovered-i
n-london-stingrays-come-to-the-uk/

Adobe Releases Updates (June 10, 2015)

Adobe has released an update for Flash Player and Adobe AIR for Windows, Mac, and Linux that addresses 13 vulnerabilities.
-http://www.zdnet.com/article/adobe-issues-patch-update-for-13-security-vulnerabi
lities-in-flash-player/
-http://krebsonsecurity.com/2015/06/adobe-microsoft-issue-critical-security-fixes
-4/

Microsoft's Patch Tuesday for June (June 9, 2015)

On Tuesday, June 9, Microsoft issued eight security bulletins to address flaws in Windows, Internet Explorer (IE), Office, and Microsoft Exchange Server. Two of the bulletins are rated critical; they affect Windows and IE. A gap in the numbering sequence of bulletins suggests that Microsoft has held back a planned fix. Internet Storm Center Summary:
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+June+2015/
19781/
-http://www.zdnet.com/article/june-2015-patch-tuesday/
-http://www.v3.co.uk/v3-uk/news/2412434/microsoft-fixes-critical-windows-and-inte
rnet-explorer-bugs-in-patch-tuesday-release
-http://www.scmagazine.com/low-key-patch-tuesday-as-microsoft-releases-eight-bull
etins/article/419677/
-http://www.computerworld.com/article/2933775/application-security/a-moderate-jun
e-patch-tuesday-with-a-critical-update-to-ie.html
-https://technet.microsoft.com/en-us/library/security/dn903782.aspx

Justice Department Seeks Identities of Those Who Posted Threats to Judge in Silk Road Case (June 9, 2015)

The US Department of Justice has subpoenaed Reason(dot)com for information about people who posted threatening comments about the judge who sentenced Silk Road creator Ross Ulbricht to life in prison. A Grand Jury subpoena seeking the account information, email addresses, telephone numbers, IP addresses, and billing information of six people who posted the threats.
-http://www.forbes.com/sites/katevinton/2015/06/09/feds-subpoena-libertarian-medi
a-site-over-comments-threatening-silk-road-judge/
-http://arstechnica.com/tech-policy/2015/06/prosecutors-hunt-for-online-commenter
s-who-trash-talked-silk-road-judge/
Text of Subpoena:
-http://popehat.com/wp-content/uploads/2015/06/Revised-Grand-Jury-Subpoena.pdf

---

STORM CENTER TECH CORNER

OpenSSL Update
-https://isc.sans.edu/forums/diary/Updates+to+OpenSSL+fix+vulnerabilities+related
+to+Logjam/19793/

Decrypted WhatsApp Messages Lead to Terror Arrests
-http://www.bloomberg.com/news/articles/2015-06-08/belgium-arrests-16-in-terror-r
aid-triggered-by-whatsapp-messages

Python Library To Use GMail as a Backdoor/C&C Service
-https://github.com/byt3bl33d3r/gcat

Just Metadata Project
-https://www.christophertruncer.com/just-metadata-intel-gathering-and-analysis-of
-ip-metadata/

Cryptowall 3.0 via Malspam and Angler EK
-https://isc.sans.edu/forums/diary/Increase+in+CryptoWall+30+from+malicious+spam+
and+Angler+exploit+kit/19785/

iOS Vulnerability Allows for Simple Mail Credential Phishing
-https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master

QEMU PCNET Virtual Machine Escape
-http://xenbits.xen.org/xsa/advisory-135.html

Duqu 2.0 Malware Attacks Kaspersky
-https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyb
erespionage_actor_returns.pdf

Apple Pushing Apps to Use HTTPS in iOS 9.0
-https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNew
IniOS/Articles/iOS9.html#AppTransportSecurity

VMWare Workstation "COM1" Escape
-https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/
preview?sle=true#heading=h.dv8d1g4lp83q

Special Webcast: Ask the Expert
-https://www.sans.org/webcasts/government-breach-tells-about-state-security-10040
0

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/