SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #48

June 19, 2015

TOP OF THE NEWS

OPM Chiefs Face Congress Over Breach
Legacy Systems Are Not the Only Reason for OPM Breach

THE REST OF THE WEEK'S NEWS

Drupal Updates
Samsung Will Release Fix for Galaxy Smartphones
Allegations of Illegal System Access in MLB
Vulnerabilities Could Expose Information Held in Apple Keychain
Free Digital Certificate Project
Canadian Government Systems Attacked
Digital Steganography Hides Malicious Code
Another Attack on Bundestag Network?
Fiber-Optic Cables Cut in San Francisco
Strong Security Looks Beyond Malware

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By SANS *************************
SANS 2nd Financial Sector Security Survey: Tuesday, June 23 at 1:00 PM EDT (17:00:00 UTC) with G. Mark Hardy, John Pescatore (moderator), Patrick Bedwell, James Carder, Rakesh Shah, and Ann Sun. This webcast reveals the results of our 2015 Financial Services survey conducted between March and April 2015. Register and attend the webcast to be among the first to receive the associated whitepaper.
http://www.sans.org/info/178537
***************************************************************************

TRAINING UPDATE


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t


- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

OPM Chiefs Face Congress Over Breach (June 16, 2015)

A Department of Homeland Security Official said that encryption would not have helped protect the data exposed in the OPM breach because the intruders managed to obtain valid user credentials.
-http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-
says-dhs-official/
House Committee Chairman Jason Chaffetz (R-Utah) called on the president to fire OPM officials, saying "If we want a different result, we're going to have to have different people."
-http://thehill.com/policy/cybersecurity/245145-gop-chair-fire-opm-director-over-
hack
[Editor's Note (Pescatore): So, back to the "hit the snooze button on the alarm about moving away from reusable passwords": Why is the government still talking about Smart Card-based PIV cards for authentication, but few if any critical applications seem to actually require their use? The September 2014 OMB Annual FISMA Report to Congress showed that OPM required PIV use on exactly zero percent of network access.
(Cornelius): I'm not sure cutting the head off the snake is the solution in this case. I don't think anyone really believes that these issues are isolated to the OPM alone. There are far greater, systemic problems that have been perpetuated though every federal network. Some say it's a people problem, which is true. Some say it's a technology problem, also true. Others say it's the cumbersome processes that must be abided by in the federal space, true again. In my mind the government (at least in the broad sense, I'm sure there are pockets of excellence) seems to fall short in all the areas of cybersecurity that we would consider to be fundamental. The question in my mind is: "what can be done to change the overall security posture of the entire federal space in short order?" I'm sure there will be plenty of sage advice given to the government and new special spending measures enacted, but do we as a community have the capacity to provide a solution that the government has the capability to implement in a meaningful way?
(Honan): This is timely reminder to people that encryption by itself is not a silver bullet to security and is simply just another control amongst others that need to be in place to properly secure systems. This testimony also highlights how under-investment and cost cutting in IT and in information security will inevitably cost an organization more. ]

Legacy Systems Are Not the Only Reason for OPM Breach (June 17, 2015)

Office of Personnel Management (OPM) officials pointed to legacy systems as a central reason for the attacks on the OPM's network. While it is true that the older systems do not support adequate encryption and other methods of data protection, other factors, including a lack of adequate talent, poor network design, and focusing on security reactively rather than proactively, contributed to the breaches as well.
-http://www.zdnet.com/article/feds-cyber-security-woes-cant-all-be-blamed-on-lega
cy-systems/
[Editor's Note (Assante): The first reason advanced in this piece is talent, but I would like to dive a little deeper on this important topic. Federal organizations must field an appropriate number of technically skilled staff serving in cyber defense critical roles. More important than the actual number is the balance or mix of roles and skills in sufficient numbers to achieve the necessary critical mass for a functional defense. We need to do better by striving for the appropriate balance between implementing and sustaining passive defenses and good hygiene while fielding a team that takes a more active defense approach capable of rapidly detecting footholds and quickly collapsing attacker free time.
(Murray): Resisting future breaches is necessary but not sufficient. The Verizon Data Breach Incident Report suggests that the time to detection of breaches is measured in months. Managers of large organizations must also be looking for evidence of earlier and continuing breaches.
(Pescatore): Lots of excuses being given, but two major failures really rise to the "disconnect them from the Internet" level of concern: (1) OPM had a serious breach just one year ago and hadn't addressed the problems yet; and (2) the Department of the Interior shared services data center hosted the OPM application and apparently had nothing indicating attacks or breaches - or unusual outflow. Remember, back in the 2001 - 2004 time frame a federal judge required the Department of Interior to disconnect systems from the Internet because of failure to protect Bureau of Indian affairs information.
(Weatherford): This continues to be a leadership problem. I guarantee if you go into these federal agencies and ask the IT administrators and security engineers, they understand the problems. They may not have the skills to fix them, but they understand them. Leadership within the agencies are not listening and therefore not prioritizing, and the historically broken IT acquisition process (another leadership problem) compounds the problem. Anyone who understands technology understands that when you write an RFP that takes two years to get through the process, you are far too often deploying something that innovation has left in the dust. ]

---

**************************** SPONSORED LINKS ******************************
1) Protecting ICS Investments - Mike Assante and Ultra Electronics 3eTI. Friday, June 26 at 1:00 PM EST http://www.sans.org/info/178542

2) What are the biggest challenges to data center and cloud security? Take Survey - Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/178547

3) Webcast: An updated look at security in our financial institutions on June 23 at 1:00 PM EDT http://www.sans.org/info/178552
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Drupal Updates (June 18, 2015)

Updates for the Drupal content management system are available. The Drupal security team's advisory describes one critical and three "less critical" vulnerabilities that the updates address. The critical flaw lies in Drupal's implementation of OpenID; it allows attackers to log in to websites as administrators. The issues affect Drupal versions 6 and 7.
-http://www.scmagazine.com/drupal-patches-multiple-vulnerabilities-in-versions-6-
and-7/article/421553/
-http://www.theregister.co.uk/2015/06/19/drupal_vulnerabilities/

Samsung Will Release Fix for Galaxy Smartphones (June 17 7& 18, 2015)

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that makes the vulnerability invalid. Phones that are not running Knox will have to wait until a firmware update is ready.
-http://www.zdnet.com/article/samsung-plans-security-fix-for-600-million-galaxy-p
hones/
-http://www.csmonitor.com/Technology/2015/0617/Is-your-Samsung-Galaxy-vulnerable-
to-hackers
[Editor's Note (Murray): Unfortunately, these reports do not contain sufficient information to enable Android/SwiftKey users to know whether or not they are vulnerable or how to limit the risk while waiting for a fix. This is a general problem with the Android supply chain. Mobile users with sensitive applications, data, messages, or voice call content should prefer closed systems (iOS). ]

Allegations of Unauthorized System Access in MLB (June 16, 17, & 18, 2015)

The FBI is investigating allegations that front office employees of the St. Louis Cardinals baseball team may have accessed the systems of the Houston Astros without authorization. By guessing passwords, intruders gained access to a system that held sensitive information about players.
-http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros
-fbi.html?_r=0
-http://www.darkreading.com/application-security/houston-astros-breach-a-wake-up-
call-on-industrial-cyber-espionage/d/d-id/1320947?
-http://www.eweek.com/security/fbi-investigates-baseball-rival-in-houston-astros-
breach-reports.html
-http://www.wired.com/2015/06/hack-brief-cardinals-astros/
[Editor's Note (Pescatore): This type of thing happens weekly, when employees go from Company A to Company B. Either they can still access their old accounts at the company they left, or they had shared passwords with coworkers at Company A who say "Look I can log into Joe's new company account at salesforce.com or Google mail." This is less a wake-up call on industrial espionage, more a call *not* to hit the snooze button for the umpteenth time on the alarm about reusable passwords being the highest risk any business/agency faces.
(Murray): Concern for competitive espionage should not be limited to those that might be targeted by foreign nation states. Sensitive intellectual property should be stored only on enterprise document management system servers, never on user managed systems.
(Honan): A nice real world example to use in security awareness training to highlight to employees the threat of industrial espionage is real and why using secure passwords are so important. ]

Vulnerabilities Could Expose Information Held in Apple Keychain (June 17, 2015)

Security flaws in Apple's OS X and iOS could be exploited to steal information from the Apple keychain and from applications. The problem lies in the operating systems' application sandboxes and can be exploited by specially created apps.
-http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-s
teal-keychain-1password-contents/
-http://money.cnn.com/2015/06/18/technology/apple-keychain-passwords/index.html
-http://krebsonsecurity.com/2015/06/critical-flaws-in-apple-samsung-devices/
-http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_re
search_blitzkrieg/
[Editor's Note (Murray): Apple iOS users need not rely exclusively on iOS process-to-process isolation (better than on OS X or other open operating systems) but are also protected by the supply chain that provides some resistance to malware.
(Northcutt): I have been wary of these "One ring to rule them all" solutions since the get go. I do not use iCloud, even though they make me have an ID, but I do use iTunes. There will always be a flaw in these types of systems. The CNN Money link above is also a story about responsible disclosure and the responsibility of the corporation, in this case Apple. I think XiaoFeng Wang and his team did everything by the numbers. The earlier CNN article that Apple is having its Microsoft moment seems to be coming true big time:
-http://money.cnn.com/2015/06/05/technology/apple-bugs/index.html?iid=EL]

Free Digital Certificate Project (June 17, 2015)

The Let's Encrypt Project wants to increase the use of encryption on websites by offering free digital certificates. A corporation backed by technology companies, including Mozilla, Akamai, Cisco, and the Electronic Frontier Foundation (EFF), runs the project. Let's Encrypt expects to release the first certificates in July.
-http://www.computerworld.com/article/2936347/security/free-ssltls-certificate-pr
oject-moves-closer-to-launch.html
[Editor's Note (Pescatore): This is like offering to go into an area after a hurricane and offer house painting to all the houses without roofs. I'd rather see all those folks offer free web application vulnerability scanning and remediation services to those web sites and once those glaring vulnerabilities are fixed then start worrying about SSL. ]

Canadian Government Systems Attacked (June 17, 2015)

Attackers have targeted the Canadian government's networks with a distributed denial-of-service (DDoS) attack, rendering the sites intermittently unreachable and email access sporadic. A group claiming responsibility for the attack said it was conducted to protest new laws that pave the way to increased surveillance.
-http://www.thestar.com/news/canada/2015/06/17/canadian-government-websites-hit-w
ith-massive-outage.html
-http://www.zdnet.com/article/canada-government-websites-offline-amid-ongoing-cyb
erattack/
-http://www.theguardian.com/technology/2015/jun/18/canada-government-websites-tak
en-down-in-cyber-attack

Digital Steganography Hides Malicious Code (June 16 & 17, 2015)

Malware known as Stegoloader is being used to hide malicious code in a PNG image file. The recently detected attacks are hiding data-stealing malware.
-http://www.scmagazine.com/stegoloader-malware-uses-png-files-to-hide-data-steale
r/article/421280/
-http://www.darkreading.com/endpoint/new-malware-found-hiding-inside-image-files/
d/d-id/1320895?

Another Attack on Bundestag Network? (June 17, 2015)

Germany's Bundestag has suffered a second cyber attack. A Trojan horse program known as Swatbanker was used in the recent attack; it in unclear whether this is a new attack or a continuation of the previous attack that began last month.
-http://www.scmagazineuk.com/german-bundestag-breach-two-threat-actors-two-differ
ent-trojans/article/421142/
-http://www.theregister.co.uk/2015/06/17/banking_trojan_hits_bundestag/

Fiber-Optic Cables Cut in San Francisco (June 16, 2015)

Over the past year, fiber-optic cables in the San Francisco Bay Area were cut. The incidents occurred on four separate occasions. The FBI is seeking assistance from the public in finding those responsible for the vandalism.
-http://arstechnica.com/tech-policy/2015/06/fbi-baffled-over-wave-of-nighttime-fi
ber-optic-cable-vandalism/
-http://www.computerworld.com/article/2936269/cybercrime-hacking/fbi-investigatin
g-series-of-fiber-cuts-in-san-francisco-bay-area.html
[Editor's Note (Murray): Repeated attacks against infrastructure may not be treated appropriately if they are labeled or treated as mere "vandalism" rather than as sabotage. That said, it is very difficult to provide physical protection to communications media across its entire length. Provide redundant capacity; avoid single points of failure. ]

Strong Security Looks Beyond Malware (June 16, 2015)

Organizations that place too much of their attention on malware detection risk becoming victims of targeted attacks. Breach detection practices need to consider not just malware, but anomalous behavior on networks. Finding malware may be just the first step, and simply removing it may not address the underlying attack.
-http://www.darkreading.com/attacks-breaches/is-your-security-operation-hooked-on
-malware/a/d-id/1320882?

---

STORM CENTER TECH CORNER

Latest Dridex Malware Spam
-https://isc.sans.edu/forums/diary/Botnetbased+malicious+spam+seen+this+week/1980
7/

AV Bypass Used In Recent Targeted Attacks
-https://isc.sans.edu/forums/diary/CVE20144114+and+an+Interesting+AV+Bypass+Techn
ique/19809/

FBI Probe into Houston Cardinals Hacking Rival Baseball Team
-http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros
-fbi.html?smid%3D=tw-nytsports&_r=1

Mackeeper Weakness Exploited By Malware
-http://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.ht
ml

Apple iOS Cross Application Resource Access (XARA)
-https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?usp=sharing

Samsung Smartphone Keyboard Vulnerability
-https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-o
n-samsung-phones/

New Version of VolDiff
-https://github.com/aim4r/VolDiff

Let's Encrypt Updated Timeline
-https://letsencrypt.org/2015/06/16/lets-encrypt-launch-schedule.html

SAP HANA Database Default Key Vulnerability
-http://erpscan.com/press-center/news/static-encryption-keys-as-the-latest-trend-
in-sap-security/#more-8205

National Vulnerability Database Vulnerable to XSS
-https://www.youtube.com/watch?v=dhfnUE-EQyg

Drupal Vulnerabilities
-https://www.drupal.org/SA-CORE-2015-002

IPv6 Leakage in Commercial VPNS
-http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

Presentation Slides: How to Contribute to the Internet Storm Center
-https://isc.sans.edu/presentations/ISCContributing.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/