SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #51
June 30, 2015
TOP OF THE NEWS
Encryption is Often Implemented Incorrectly
Ransomware Exploits Flash Flaw
THE REST OF THE WEEK'S NEWS
OPM System Taken Offline
App Secretly Mined Cryptocurrencies
Malwarebytes Will Trade Pirated License Keys for Legitimate Ones
Two Plead Guilty to Charges Related to Intrusions at State Department
Magento Vulnerability is Being Exploited
Ikea Addressed Shellshock Efficiently
Samsung Will Stop Disabling Windows Update
Documents Show US's Zero Day Exploit Policy Dates to 2010
Findikoglu Extradited to US, Pleads Not Guilty
STORM CENTER TECH CORNER
******************** Sponsored By AlienVault ***************************
Don't Miss: How to Detect SQL Injection & XSS Attacks with AlienVault USM. Wednesday, July 15 at 1:00 PM EDT (17:00:00 UTC) featuring Mark Allen and Bjorn Hovd. Join us for this demo to learn more about how these attacks work and how AlienVault USM gives you the built-in intelligence you need to spot trouble quickly.
http://www.sans.org/info/178737
***************************************************************************
TRAINING UPDATE
- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg
- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t
- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I
- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N
- -SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz
- -SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO
- -SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 | 46 courses
http://www.sans.org/u/5ZT
- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Encryption is Often Implemented Incorrectly (June 26, 2015)
According to a report from Veracode, many software developers are not implementing encryption correctly. This is due in part to inadequate training and the complexity of crypto libraries.
-http://www.computerworld.com/article/2941412/encryption/software-developers-arent-implementing-encryption-correctly.html
[Editor's Note (Murray): My mentor, Jonathon Oseas, taught me forty years ago that there are an infinite number of ways to implement encryption, almost all of them wrong. That is why IBM developed its Common Cryptographic Architecture, a set of mandatory worked examples. Adi Shamir says that no one attacks crypto (algorithms), they bypass it. In our colleges and universities we teach algorithms, not implementations. We do not even teach applications (e.g., Schneier), safe use, key management, or limitations. Little wonder that (amateur) "developers are not implementing encryption correctly." ]
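The kind of implementation error the Veracode report describes is rarely a broken algorithm; it is a correct primitive used wrongly. The Go program below is an added example, not from the report, the Computerworld article or the editor's note. It puts a common mistake (AES-CBC with a constant IV and no authentication) next to the pattern a reviewer should expect (AES-GCM with a fresh random nonce per message). The key and the two-block message are constructed for the demonstration; the byte flip shows that the unauthenticated ciphertext decrypts to an altered amount without any error, while the authenticated one is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte AES-256 key for this example only.
// Real code loads keys from a KMS or secret store; never embed them in source.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty input")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// cbcEncryptStaticIV is the broken pattern: a constant IV (equal plaintexts give
// equal ciphertexts) and no authentication tag (ciphertext can be altered undetected).
func cbcEncryptStaticIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // BUG: all-zero IV reused for every message
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// cbcDecryptStaticIV performs no integrity check, so it returns whatever a
// tampered ciphertext happens to decrypt to.
func cbcDecryptStaticIV(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// gcmEncrypt is the correct pattern: AES-GCM with a fresh random nonce per message.
// Output layout is nonce || ciphertext || tag; the tag covers the whole ciphertext.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmDecrypt returns an error for any message whose tag does not verify.
func gcmDecrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// flipByte returns a copy of b with one byte XORed by mask: the attacker's edit.
func flipByte(b []byte, pos int, mask byte) []byte {
	c := append([]byte{}, b...)
	c[pos] ^= mask
	return c
}

func main() {
	// Constructed two-block message; the attacker wants to change the amount in block 2.
	pt := []byte("hdr:v1;acct=0042" + "amount=0001.00;x")

	c1, _ := cbcEncryptStaticIV(demoKey, pt)
	c2, _ := cbcEncryptStaticIV(demoKey, pt)
	fmt.Println("static IV: same message, same ciphertext:", bytes.Equal(c1, c2))

	// CBC malleability: XORing ciphertext byte 7 (block 1) XORs plaintext byte 7 of block 2.
	// '0' ^ 0x09 == '9', so 0001.00 becomes 9001.00; block 1 turns to garbage, block 2 is exact.
	tampered, _ := cbcDecryptStaticIV(demoKey, flipByte(c1, 7, 0x09))
	fmt.Printf("CBC, no MAC: tampered data decrypts to %q\n", tampered[16:])

	g, _ := gcmEncrypt(demoKey, pt)
	_, err := gcmDecrypt(demoKey, flipByte(g, 12, 0x01))
	fmt.Println("AES-GCM: tampered message rejected:", err != nil)
}
```

The point a code reviewer should take from this is that "uses AES-256" says nothing about whether the data is protected: the mode, the IV or nonce discipline, and the authentication tag are what decide it, and the standard library exposes all three correctly through cipher.NewGCM.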
Ransomware Exploits Flash Flaw (June 29, 2015)
Ransomware known as CryptoWall is being used in attacks that exploit a flaw in Adobe Flash Player for which Adobe issued a patch just last week.
-http://www.theregister.co.uk/2015/06/29/ransomware_exploit_kit_slinger_exploits_flash_remote_code_execution/
-http://www.computerworld.com/article/2941597/malware-vulnerabilities/cybercriminals-adopt-just-patched-zero-day-flash-exploit.html
[Editor's Note (Murray): Flash is apparently beyond repair. That we continue to tolerate it is evidence that we are not serious about security. ]
**************************** SPONSORED LINKS ******************************
1) In Case You Missed It: The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era - with Icaro Vazquez and David Hoelzer. http://www.sans.org/info/178742
2) In Case You Missed This Webcast: An updated look at security in our financial institutions: http://www.sans.org/info/178752
3) New Whitepaper in the SANS Reading Room: Six Steps to Stronger Security for SMBs. An Analyst Program whitepaper by Dr. Eric Cole, it describes a six-step approach that small and medium-size businesses can use as a template for enhancing their overall security posture. http://www.sans.org/info/178747
***************************************************************************
THE REST OF THE WEEK'S NEWS
OPM System Taken Offline (June 29, 2015)
The Office of Personnel Management has taken its Electronic Questionnaires for Investigations Processing (e-QIP) system offline temporarily. e-QIP links to the Pentagon's Joint Personnel Adjudication System. The decision to suspend e-QIP was made after the discovery of a security issue during a review of OPM IT systems. e-QIP could remain unavailable for four to six weeks.
-http://www.nextgov.com/defense/2015/06/after-hack-officials-pull-plug-pentagon-and-opm-background-check-systems/116515/?oref=ng-dropdown
-http://www.zdnet.com/article/opm-suspends-security-background-investigation-system-to-fix-new-flaw/
App Secretly Mined Cryptocurrencies (June 29, 2015)
The Federal Trade Commission has settled a case against a man who created an app that secretly mined Dogecoin and other less-well-known cryptocurrencies in the background. Ryan Ramminger's app, Prized, gave users points and prizes for playing games, but also used the devices' resources to mine the cryptocurrencies, draining batteries and consuming mobile data. Equiliv Investments, the company that offered the app, claimed it was free of viruses and malware.
-http://arstechnica.com/tech-policy/2015/06/busted-app-maker-whod-hijack-your-phone-to-secretly-mine-dogecoin/
-http://www.nextgov.com/mobile/2015/06/feds-app-secretly-hijacked-phones-mine-digital-money/116497/?oref=ng-dropdown
-https://www.ftc.gov/system/files/documents/cases/150625equilivstip.pdf
Malwarebytes Will Trade Pirated License Keys for Legitimate Ones (June 29, 2015)
People who are using counterfeit license keys for Malwarebytes anti-malware software can trade them for legitimate keys that will remain valid for one year. Malwarebytes says that some people may have been tricked into downloading pirated versions of the product.
-http://www.zdnet.com/article/malwarebytes-to-turn-illegal-license-keys-into-good-ones-for-free/
-http://www.v3.co.uk/v3-uk/news/2415368/malwarebytes-offers-amnesty-for-pirated-versions-of-anti-malware-suite
Two Plead Guilty to Charges Related to Intrusions at State Department (June 26 & 29, 2015)
Two men have pleaded guilty to breaking into computer systems at the US State Department. Muneeb and Sohaib Akhter admitted to that attack as well as to breaking into a cosmetics company website, where they stole payment card information and used it to make fraudulent purchases.
-http://www.scmagazine.com/brothers-accused-of-state-dept-hack-plead-guilty/article/423470/
-http://www.justice.gov/usao-edva/pr/twin-brothers-guilty-wire-fraud-conspiring-hack-state-department-and-private-company
Magento Vulnerability is Being Exploited (June 26 & 29, 2015)
Attackers are exploiting a vulnerability in Magento, the eBay-owned ecommerce platform used by many other retailers, to plant card-scraping code that steals customer billing information.
-http://www.theregister.co.uk/2015/06/29/blackhats_using_mystery_magento_card_stealers/
-http://www.computerworld.com/article/2940865/security/magento-e-commerce-platform-targeted-with-sneaky-code.html
-https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
Ikea Addressed Shellshock Efficiently (June 28, 2015)
Swedish furniture and housewares retailer Ikea patched more than 3,500 servers worldwide against the Shellshock vulnerability in less than three hours. The company enforces consistent system management across all its systems, including a Standard Operating Environment that standardizes hardware platforms, operating systems and software, which is what made the fleet-wide fix fast and predictable.
-http://www.eweek.com/security/ikea-patched-for-shellshock-by-methodically-upgrading-all-servers.html
[Editor's comment (Northcutt): Ikea, if you are listening I suggest you raise Magnus Glantz, your IT Manager's compensation. Great article, great example of common sense applied to IT. If you are not familiar with The Phoenix Project and how it illustrates why an Ikea style approach is so important, I strongly recommend:
-http://www.amazon.com/The-Phoenix-Project-Helping-Business/dp/0988262592]
Documents Show US's Zero Day Exploit Policy Dates to 2010 (June 26, 2015)
Newly released documents show that the US government's policy regarding the use of zero-day vulnerabilities was established in February 2010, about five months before Stuxnet was discovered. Documents obtained earlier under FOIA show that in 2008, a task force was established to discuss the policy's development. The task force recommended establishing a vulnerabilities equities process to decide when to disclose flaws and when to keep them secret.
-http://www.wired.com/2015/06/turns-us-launched-zero-day-policy-feb-2010/
Findikoglu Extradited to US, Pleads Not Guilty (June 24, 25, & 27, 2015)
The US Secret Service has extradited Ercan Findikoglu to face charges that include conspiracy to commit computer intrusion. Findikoglu allegedly organized cyber crimes that cost financial institutions around the world an estimated US $55 million. Findikoglu pleaded not guilty in a New York court. The scheme involved breaking into systems at three payment processing companies, raising the balances on prepaid debit card accounts and removing their withdrawal limits. Findikoglu and his accomplices then allegedly used the card data to clone the cards and make cash withdrawals.
-http://gsnmagazine.com/node/44758?c=cyber_security
-http://www.nbcnews.com/tech/security/accused-turkish-mastermind-55m-cyber-spree-extradited-u-s-n381061
-http://www.nytimes.com/aponline/2015/06/24/us/ap-us-cyber-attacks-suspect-extradition-.html
-http://krebsonsecurity.com/2015/06/a-busy-week-for-neer-do-well-news/
-http://www.justice.gov/usao/nye/pr/June15/2015-June-24.php
STORM CENTER TECH CORNER
Powershell: Software Inventory
-https://isc.sans.edu/forums/diary/The+Powershell+Diaries+2+Software+Inventory/19851/
Leap Second
-https://hpiers.obspm.fr/eoppc/bul/bulc/bulletinc.49
-https://access.redhat.com/articles/15145
Sophos Update Kills Citrix
-http://www.theregister.co.uk/2015/06/29/sophos_update_glitch/
ARIN Expects to Run out of IPv4 This Week
-http://teamarin.net/category/ipv4-depletion/
Windows 2003 EOL in July - Status of Windows XP
-https://isc.sans.edu/forums/diary/Is+Windows+XP+still+around+in+your+Network+a+year+after+Support+Ended/19845/
Eicar Test File
-https://isc.sans.edu/forums/diary/The+EICAR+Test+File/19847/
XEN 4.5.1 fixes PCNET VM Escape
-http://www.xenproject.org/downloads/xen-archives/xen-45-series/xen-451.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/