SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #52

July 10, 2015

If you are a security auditor, take a close look at the first story this week on the new draft of the Critical Security Controls, and if you have time, submit suggestions. There is a high probability that the Critical Controls will be the foundation of your audit procedures beginning in 2016 as enterprises and agencies increasingly demand that auditors reliably measure the Controls, so they can compare their security status with that of comparable organizations and so they can claim that they are meeting a minimum standard of due care.

Alan

---

TOP OF THE NEWS

OPM: Breach Affects 21.5 Million People
Telecom Companies Fined for Poor Customer Data Security
FISC Approves Six-Month Extension for NSA's Data Gathering

THE REST OF THE WEEK'S NEWS

OpenSSL Issues Fix
Adobe Patches Critical Flash Vulnerability
Stolen Hacking Team Code Includes Details of Critical Vulnerabilities
DARPA Grand Challenge Finals to be Held in 2016
Finnish Teen Gets Suspended Sentence for Numerous Cyber Crimes
Microsoft Windows 10 Support
Experts Explain Why Backdoors in Encryption Won't Work
Triple Outages Not Attacks
Apple Updates Operating Systems

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Splunk ***************************
No matter how effective you think your security technology is, attackers will find a way to penetrate your organization. Organizations must come to grips with the new cybersecurity realities. Learn how an analytics-based approach can help your team quickly determine the root cause of incidents in order to contain and remediate them.
http://www.sans.org/info/178862
***************************************************************************

TRAINING UPDATE


-DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t


-Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


-Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


-SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


-SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


-SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
46 courses
http://www.sans.org/u/5ZT


-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


-Looking for training in your own community?
Community - http://www.sans.org/u/Xj


-Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy

Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

OPM: Breach Affects 21.5 Million People (July 9, 2015)

The US Office of personnel management (OPM) has acknowledged that one of the breaches of its systems compromised sensitive personal information belonging to 21.5 million people. The data include Social Security numbers and other information collected for background checks. The breach appears to affect everyone who has submitted a background check form since 2000 as well as 1.8 million people who were not background check applicants.
-http://www.forbes.com/sites/katevinton/2015/07/09/21-5-million-americans-were-co
mpromised-in-opms-second-breach/
-http://arstechnica.com/security/2015/07/call-it-a-data-rupture-hack-hitting-opm-
affects-21-5-million/
[Editor's Note (Murray): While this breach does not compromise as many people as the infamous eBay breach, it compromises more sensitive information. The data compromised by eBay will be used for credit application fraud and tax fraud. The data compromised by OPM may go beyond that to extortion. Victims of application fraud have recourse to law enforcement: part of what makes extortion so insidious is that victims are afraid to go to law enforcement. ]

Telecom Companies Fined for Poor Customer Data Security (July 9, 2015)

Two US telecommunications companies will pay a combined US $3.5 million to resolve a Federal Communications Commission (FCC) investigation that found the companies stored customer data on servers that were unprotected and accessible from the Internet. The issue affects more than 300,000 customers of TerraCom and YourTel America.
-http://www.computerworld.com/article/2946104/technology-law-regulation/two-us-te
lecoms-to-pay-35m-for-data-breach.html
-http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0709/DA-15-776A1.
pdf
[Editor's Note (Murray): While one may favor the government holding the private sector accountable, accountability should begin at home. The Obama administration does not have a good record of accountability for abuse, much less breaches. ]

FISC Approves Six-Month Extension for NSA's Data Gathering (June 30 & July 1, 2015)

The Foreign Intelligence Surveillance Court (FISC) has approved a 180-day extension for the NSA to continue its collection of cellphone metadata. The program was halted in late May when the Patriot Act expired. The USA Freedom Act, which passed at the beginning of June, includes provisions for data collection to continue in a more limited fashion, but that law does not take effect for another five months.
-http://www.scmagazine.com/fisc-judge-gives-nsa-go-ahead-to-resume-surveillance/a
rticle/424232/
-http://www.cnet.com/news/nsa-can-track-everyones-phone-calls-again-for-a-while/
-http://www.theregister.co.uk/2015/07/01/section_215_rules/
-http://www.forbes.com/sites/katevinton/2015/06/30/nsa-will-continue-mass-surveil
lance-program-for-180-days-with-court-approval/

---

**************************** SPONSORED LINKS ******************************
1) Detect and prioritize security events faster by enriching your SIEM with real-time threat intelligence. Recorded Future webcast with live demo on July 21, 11am ET. Register now: http://go.recordedfuture.com/arcsight-integration-webinar?utm_campaign=ARC-WR&am
p;utm_content=SANS-1&utm_source=email

2) File Security 2.0: Collaboration Controls, Considerations and Technology? Tuesday, July 21 at 1:00 PM EDT (17:00:00 UTC) with Barbara Filkins and Scott Gordon. http://www.sans.org/info/178867

3) APTs in ICS - Understanding and Preparing for the Rising Threat Landscape in Critical Infrastructure Wednesday, July 22 at 1:00 PM EDT (17:00:00 UTC) featuring Mike Assante and Del Rodillas. http://www.sans.org/info/178872
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

OpenSSL Issues Fix (July 9, 2015)

Developers at the OpenSSL cryptographic library project have patched a vulnerability in the cryptographic protocol that could allow certificate forgery. The advisory is titled, "Alternative chains certificate forgery," and could be exploited to impersonate legitimate digital certificates. While the issue is severe, it affects only versions 1.0.01n, 1.0.1o, 1.0.2b, and 1.0.2c, the oldest of which was released in June.
-http://www.darkreading.com/vulnerabilities---threats/openssl-fixes-high-severity
-narrow-scope-vulnerability/d/d-id/1321240?
-http://www.theregister.co.uk/2015/07/09/openssl_vuln_fixed_patched_forgery/
-http://www.eweek.com/blogs/security-watch/openssl-patches-for-boring-certificate
-risk.html
-http://www.zdnet.com/article/another-day-another-openssl-patch/
-https://www.openssl.org/news/secadv_20150709.txt
[Editor's Note (Honan): This vulnerability while serious is not on the same scale as Heartbleed, it is also worth noting that the impact is further limited as it only impacts versions of OpenSSL released during and after June 2015. ]

Adobe Patches Critical Flash Vulnerability (July 9, 2015)

Adobe has rushed out a patch for its Flash Player to address a vulnerability that had been leaked and was being used in active attacks. Users should update to Flash version 18.0.0.203 for Windows and Mac; version 11.2.202.481 for Linux; and version 13.0.0.302 for users on the extended support channel. The Flash plug in on Google Chrome and on Internet Explorer on Windows 8.x will be updated automatically.
-http://www.computerworld.com/article/2946152/security/emergency-flash-player-upd
ates-fix-for-vulnerability-used-in-widespread-attacks.html
[Editor's Note (Murray): The user community prefers "Dancing Pigs" to security. This week the White House published the record of its accomplishments in "cybersecurity" with no mention of browsers, Flash, desktops, or essential practices in government. Will we ever get serious? Is it too late? ]

Stolen Hacking Team Code Includes Details of Critical Vulnerabilities (July 7 & 8, 2015)

Code that was stolen from Hacking Team and then leaked online includes several serious software vulnerabilities that the surveillance company used in its surveillance products. One is a critical flaw in Flash for which Adobe rushed out a fix (see above). There are also reportedly flaws in Windows and SELinux. Hacking Team is the developer of Remote Control System or Galileo, a computer surveillance program sold to governments and law enforcement agencies around the world. The company's network was breached last week. A member of the European Parliament has asked the European Commission to investigate Hacking Team to determine if the company violated rules by selling its products to repressive regimes.
-http://www.theregister.co.uk/2015/07/07/hacking_team_zero_days_flash_windows_ker
nel/
-http://www.computerworld.com/article/2944862/cybercrime-hacking/researchers-find
-previously-unknown-exploits-among-hacking-teams-leaked-files.html
-http://www.theregister.co.uk/2015/07/08/dutch_mep_whacks_hacking_team_over_embar
gobusting/
[Editor's Note (Murray): "By their fruits you shall know them," rather than by what they say or who pays them. ]

DARPA Grand Challenge Finals to be Held in 2016 (July 8 & 9, 2015)

The Defense Advanced Research Projects Agency (DARPA) will hold its first Grand Challenge Competition in Las Vegas, Nevada in 2016. The competition aims to hasten the development of security systems that are capable of defending against cyber attacks from the moment they are launched. More than 100 teams registered for this particular challenge in 2014; the field was winnowed down to 28 that competed in a qualifying event last month. From that event, seven teams won the opportunity to compete in the finals during Def Con in August 2016.
-http://www.scmagazine.com/darpa-cyber-challenge-field-whittled-down-to-seven-tea
ms-competing-for-4m-in-prizes/article/425623/
-http://www.darpa.mil/news-events/2015-07-08

Finnish Teen Gets Suspended Sentence for Numerous Cyber Crimes (July 8 & 9, 2015)

A Finnish teenager who has been found guilty of breaking into computer systems at the Massachusetts Institute of Technology (MIT) and Harvard University will not spend any time in jail. Julius Kivimaki was found guilty of hijacking email, blocking website traffic, and stealing payment card data. He was given a two-year suspended sentence. The teen was also allegedly involved with operating a botnet and conducting swatting attacks. The lenience of Kivimaki's sentence has been criticized for encouraging such behavior.
-http://www.csmonitor.com/Technology/2015/0709/Finnish-teen-convicted-of-50-000-h
acks-avoids-jail-time.-Why
-https://krebsonsecurity.com/2015/07/finnish-decision-is-win-for-internet-trolls/
-http://www.bbc.com/news/technology-33442419
-http://www.theregister.co.uk/2015/07/08/teen_lizard_squad_hacker_50000_offences_
walks_free/
[Editor's Note (Murray): Kevin Mitnick advertises his services on the page where Krebs reports on this "win for the trolls". Enough said?
(Honan): By issuing such lenient sentences the courts undermine the hard work done by law enforcement in catching these criminals, insult the victims of these crimes, and sends the wrong messages out to those who are thinking about getting involved in cybercrime. To add insult to injury this criminal will probably be hired by a security company and/or start giving talks on the security conferences circuit. As our personal and business lives are now more and more becoming dependent on technology society and the security industry need to send clear messages that this type of criminal behaviour is not acceptable. ]

Microsoft Windows 10 Support (July 8, 2015)

According to information posted to an investors' website, Microsoft will support Windows 10 at no cost for between two and four years. Earlier this year, Microsoft said that consumers and some business customers currently running Windows 7 and 8.1 would be able to upgrade to Windows 10 for one year after the new operating system's release, which is scheduled for the end of this month.
-http://www.computerworld.com/article/2945796/microsoft-windows/microsoft-to-prov
ide-free-upgrades-to-windows-10-for-2-to-4-years.html
[Editor's Note (Pescatore): This is all about revenue recognition for financial reporting vs. anything that impacts enterprises that use Windows. Windows 7 will be supported with patches through 2020 so no reason to hurry to update. After Windows 10 ships at the end of July, Microsoft will be offering more security patch and feature upgrade options - not just the old "Vulnerability Tuesday" approach. Mature IT operations have a chance to push patches out faster than once per month - - that should be the goal. But, everyone can stay on the old monthly way, too. ]

Experts Explain Why Backdoors in Encryption Won't Work (July 8, 2015)

In an effort to drive home the point that what US law enforcement is asking for is impossible, 15 experts in computer security have written a report, "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications," explaining how the requests for backdoors in security products would weaken security for everyone. The authors of the report include Ross Anderson, Matt Blaze, Whit Diffie, Bruce Schneier, and Peter Neumann.
-http://www.zdnet.com/article/encryption-back-doors-for-cops-are-unworkable-will-
put-internet-security-at-risk-warn-experts/
-http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-brit
ish-government-access-to-encrypted-communication.html
[Editor's Note (Pescatore): We had this national debate in the 1990s: President Bush and incoming President Clinton were given the "Here are the horrible things criminals and terrorists are doing and using crypto to hide their tracks." National policy tried the export control and compromised "Clipper chip" approach and the same group of explained why that approach wouldn't work - and it did NOT work. Businesses have been harmed much more by the lack of strong stored data and transport encryption than bad guys have. The same is true now - actually, as the report points out, *more* true. ]

(Murray): I loved the tweet from Matthew Schwartz this week that Comey wants "secure backdoors, world peace, and a pony."
-http://whmurray.blogspot.com/2015/02/crypto-wars-redux.html
All that said, Congress will likely look for a "compromise." The right compromise is not a back door, however controlled, but one like the "Lotus Notes Compromise," authored by Ray Ozzie (not a subscriber to the report), that lowered the cost of attack to the (US) government (only) without compromising the vendors and service providers. It attached to the cryptogram, e.g., message or session, some part of the object key encrypted under a public key owned by NSA (or, alternatively, by a court officer). Such a system would enable NSA and its clients to access any message that they wanted to without enabling them to read every message that they want to, sufficient for investigation but not surveillance or even fishing expeditions.
-https://gigaom.com/2013/06/09/ray-ozzie-sounds-off-on-nsa-spygate/
-http://www.wired.com/2014/01/how-the-us-almost-killed-the-internet/]

Triple Outages Not Attacks (July 8 & 9, 2015)

On Wednesday, July 8, United Airlines, the New York Stock Exchange (NYSE), and WSJ.com each experienced computer problems that led to grounded flights, halted trading, and an unavailable website, respectively. United and the WSJ (Wall Street Journal) resumed normal operations within hours. The NYSE resumed trading four hours after trading stopped. Unnamed sources pointed to a faulty software update as the cause for the NYSE problem. Experts say that a coordinated attack is not likely because the incidents were very different.
-http://arstechnica.com/security/2015/07/simultaneous-downing-of-ny-stock-exchang
e-united-and-wsj-com-rattle-nerves/
-http://www.v3.co.uk/v3-uk/news/2417108/united-airlines-and-nyse-hit-by-major-it-
glitches-but-cyber-attacks-ruled-out
-http://money.cnn.com/2015/07/08/technology/united-nyse-wsj-down/index.html
[Editor's Note (Murray): The investigators mantra is "There is no such thing as a coincidence." It may not be "true," but more often than not it leads to the "truth." That said, it was a very bad day for change management, risk management, and IT management in general. The trading system proved to be more resilient than we might have hoped while United Airlines proved to be much less so.
(Honan): A good example of the first rule of incident response, never attribute to malicious that which can be attributed to error.
(Northcutt): All three cases were incidents and had significant impact. I know, I was on a United Airlines Express 6395 Nashville -> Chicago (ORD) plane that had taxied to the TARMAC when they stopped operations. Fortunately we had already boarded so we were minimally impacted, but a lot of people had their flights canceled. The stock markets are already ill at ease with the whole Greece thing and I am sure many a trader wanted to trade. Human error or malicious intent is one of the early steps in incident response. Considering the economic impact of these benign incidents, it would be a good idea for organizations to invest a bit of time reviewing critical controls 1 and 2, (inventory of all hardware and software). And then develop a checklist to work backwards from the fault to have a better chance of accurately making the human error/malicious intent call. Why is that so important? Each of these organizations that suffered a glitch have competition. If they impact their customers and then later have to disclose they did not detect the fact they were hacked they will probably lose some business, or worse, the government may feel obligated to help them:
-https://www.sans.org/media/critical-security-controls/CSC-5.pdf]

Apple Updates Operating Systems (July 1, 2015)

Apple has released updated versions of its operating systems. The newest version of the company's mobile operating system, iOS 8.4, and Mac operating system, OS X 10.10.4, includes fixes for at least 20 flaws, including the issue known as Logjam.
-http://www.cnet.com/news/apple-patches-security-flaws-with-new-versions-of-ios-o
s-x/
-http://www.scmagazine.com/new-os-x-and-ios-releases-fix-several-vulnerabilities/
article/424208/
-http://www.zdnet.com/article/apple-patches-dozens-of-security-flaws-in-ios-8-4-o
s-x-10-10-4/
-http://www.eweek.com/security/apple-fixes-os-x-and-ios-flaws-ahead-of-new-releas
es.html

---

STORM CENTER TECH CORNER

Detecting Randomness
-https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chose
n+DNS+names+DGA/19893/

Cisco ASA VPN DoS Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
141008-asa

Systems with Lagging SSL Support
-https://isc.sans.edu/forums/diary/SSL+SSL+Where+Art+Thou+SSL/19887/

Ford Recall
-https://media.ford.com/content/fordmedia/fna/us/en/news/2015/07/02/ford-issues-s
afety-compliance-recall-in-north-america.html

TLS 1.3: Client Puzzles
-http://www.ietf.org/id/draft-nygren-tls-client-puzzles-00.txt

German "Patriot" Air Defense System Hacked
-http://www.behoerden-spiegel.de/icc/Internet/sub/c6a/c6a5fa87-cb16-e41b-ab31-9b2
7b988f2ee,,,aaaaaaaa-aaaa-aaaa-bbbb-000000000003&uMen=1f75009d-e07d-f011-4e6
4-494f59a5fb42.htm
English:
-http://www.thelocal.de/20150707/german-missiles-taken-over-by-hackers

XSSposed Bug Bounty
-https://www.xssposed.org/about/

Argentinian Researcher Arrested Over E-Voting Flaws
-https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&am
p;hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.telam.com.ar%2Fnotas%2F201506%2F1105
12-a-diez-dias-de-los-comicios-portenos-descubren-filtraciones-de-seguridad-en-e
l-sistema-de-voto-electronico.html&edit-text=

Breaking out of Restriected iPads
-https://www.offensivebits.com/?p=33

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/