SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #57
July 24, 2015
July 21, 2015, is likely to be remembered as the first day of the "era of cyber liability." Monday, the Seventh U.S. Circuit Court of Appeals in Chicago overturned a lower court dismissal of a case against Neiman Marcus, because, the court found, there is a "substantial risk" of harm to consumers from the data breach. See the first story in Top of the News.
TOP OF THE NEWS
The Era Of Cyber Liability: Appeals Court Overturns Neiman Marcus DismissalUS Legislators Want to Increase DHS's Cyber Authority
FBI Probes 'Hundreds' of China Spy Cases
THE REST OF THE WEEK'S NEWS
Hackers Take Remote Control of Jeep in Planned ExperimentLegislation Aims to Establish Automobile Cyber Security Standards
Cybersecurity Leadership
Luxury Automakers Bidding on Nokia Mapping Software
US Census Bureau Data Dump
Group Reveals Four IE Flaws in Windows Phone
OpenSSH Vulnerability Allows Brute Force Password Attack
WordPress Update Fixes 20 Vulnerabilities
Chrome 44 Fixes Vulnerabilities, Introduces a Glitch
Microsoft to Release Enterprise Security Tools
Five Charged in Bitcoin Scheme with Connections to JPMorgan Chase Attack
Tax Repercussions of Airline Miles Bug Bounty
STORM CENTER TECH CORNER
STORM CENTER TECH CORNER************************ Sponsored By Splunk ****************************
No matter how effective you think your security technology is, attackers will find a way to penetrate your organization. Organizations must come to grips with the new cybersecurity realities. Learn how an analytics-based approach can help your team quickly determine the root cause of incidents in order to contain and remediate them.
http://www.sans.org/info/179197
***************************************************************************
TRAINING UPDATE
- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I
- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N
- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz
- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO
-- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
49 courses
http://www.sans.org/u/5ZT
- -- Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!
- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- -- Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
The Era Of Cyber Liability: Appeals Court Overturns Neiman Marcus Dismissal (July 23, 2015)
On Monday, July 20, the US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches.-http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-bre
ach-suit/
[Editor's Note (Paller): One likely consequence will be a demand among CEOs to get a definitive answers to the pair of questions they have been asking for nearly a decade: "What do I need to do to avoid liability, and how much is enough?" The growing consensus is that the minimum standard of due care will be measured around full and constantly monitored implementation of the basic "critical controls" published by NSA, the Australian ASD and the Center for Internet Security, because those are the only benchmarks that can demonstrate their controls stop attacks.
(Ullrich): One of the "hot topics" discussed pretty much everywhere I go to these days is cyber insurance. For buyers of cyber insurance, one of the big uncertainties is what the insurance needs to cover. Court cases like this will work out in the end what liability a business is exposed to (and that it needs to protect itself from). ]
US Legislators Want to Increase DHS's Cyber Authority (July 22 & 23, 2015)
US legislators have introduced a bill that would give the Department of Homeland Security (DHS) a greater role in overseeing the cyber security of federal agencies. The FISMA Reform Act would give DHS the authority to conduct risk assessments on federal networks and use defensive measures without the permission of an agency.-http://www.scmagazine.com/senators-introduce-bill-to-expand-dhs-oversight-of-fed
eral-gov-domain/article/428227/
-http://www.nextgov.com/cybersecurity/2015/07/senators-want-give-dhs-new-cybercom
-powers-thwart-civilian-agency-hacks/118368/?oref=ng-HPtopstory
-http://media.scmagazine.com/documents/137/272387111-fisma-reform-2015_34087.pdf
[Editor's Note (Pescatore): I don't think DHS has shown the competency, capability or capacity on the operational side of cybersecurity to fulfill such a role. There is a really, really big difference between "conducting risk assessments" and implementing "defensive measures without the permission of an agency." The biggest security shortcomings at government agencies start with asset and configuration management and vulnerability visibility/remediation - which is what the DHS CDM program that began in 2013 was supposed to improve, but has barely gotten moving yet.
(Murray): Recent studies (e.g.,
-https://info.veracode.com/state-of-software-security-report-volume6.html)
and breaches have demonstrated that government remains the "soft underbelly" of our "cyber defense." While government operates only ten percent of the IT infrastructure, its inability to put its house in order diminishes its ability to lead.
(Henry): The Comprehensive National Cybersecurity Initiative (CNCI) was authorized and FUNDED in 2007, specifically to address the cybersecurity needs of US government networks. Time and again I hear of some US strategy or policy, like this one, as if it's a new initiative or idea. The CNCI had a component to update FISMA and enable DHS to oversee/protect all USG civilian networks: EIGHT YEARS AGO. Yet here we sit, suffering from the results of the OPM breach, as if it was some unforeseen catastrophe we could do nothing about. Unacceptable... ]
FBI Probes 'Hundreds' of China Spy Cases (July 23, 2015)
Economic espionage against hundreds of US companies is being carried out by China, the FBI reported. Russia is also conducting economic espionage against U.S. companies. The rare public naming of China and Russia reflects the FBI's concern that U.S. corporate executives may not be aware of the scope of the threat they are facing.-http://www.thedailybeast.com/articles/2015/07/23/fbi-probes-hundreds-of-china-sp
y-cases.html
[Editor's Note (Murray): Historically, most enterprises have not considered that threat sources directed at them would enjoy the resources of a nation state. That has changed. If your business holds intellectual property (e.g., business plans, designs, processes, methods), of your own or others, that might be useful to a competitor (or a potential partner in China), your threat assumption must include industrial espionage by a nation state on behalf of a potential competitor. This assumption will lead to a higher risk assessment and an appropriate security response. ]
**************************** SPONSORED LINKS ******************************
1) Tracking and Observation-How-To and What To Watch For Wednesday, July 29 at 1:00 PM EDT (17:00:00 UTC) with J. Michael Butler, Jason Trost, and special moderator Stephen Northcutt. http://www.sans.org/info/179202
2) Protecting Third Party Applications with RASP. Thursday, July 30 at 1:00 PM EDT (17:00:00 UTC) with Eric Johnson and Cindy Blake. http://www.sans.org/info/179207
3) The Return of the Malicious Macro, and the Economics of Cybercrime Thursday, August 13 at 1:00 PM EDT (17:00:00 UTC) with Jerry Shenk and Patrick Wheeler. http://www.sans.org/info/179212
***************************************************************************
THE REST OF THE WEEK'S NEWS
Hackers Take Remote Control of Jeep in Planned Experiment (July 21, 2015)
Hackers demonstrated an attack against a Jeep Cherokee that took control complete of the car, from the annoying - blasting air conditioning and switching the radio station; to the dangerous - cutting the transmission and disabling the brakes. The hackers accessed the functions through the car's entertainment system.-http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
-http://www.darkreading.com/attacks-breaches/car-hacking-shifts-into-high-gear/d/
d-id/1321445?
[Editor's Note (Pescatore): The auto manufacturers have been talking the security talk since 2002 or so when OnStar first came on GM and GM partner (like Subaru and Volkswagen, others) cars, but it has been obvious the past few years that it was just talk. Which leads to legislators "helping" as the next news item points out.
(Ullrich): While this is certainly a "cool hack", the ethics of doing these tests in live traffic (and as the reporter points out causing dangerous traffic slow downs) is highly questionable. A test on a closed track would have been as telling.
(Honan): Fiat Chrysler has just announced it is recalling 1.4 million cars to patch a security flaw in the software used in some of the in-car radio systems
-http://www.cnbc.com/2015/07/24/fiat-chrysler-recalling-14m-vehicles-amid-hacking
-defense.html
Car manufacturers will need to take a serious look at including software security in their manufacturing processes and also with their ongoing support and maintenance.
(Murray): This demonstration will exploit unnecessary, implementation-induced vulnerabilities with little or no threat. There are certainly easier ways to commit murder and mayhem. While we can only speculate on the risk in the future, automobile transportation is infrastructure. Infrastructure should resist easily anticipated abuse and misuse. Elimination of these vulnerabilities is a tractable problem in the necessary time frame. As we exploit cheap information technology as a component for building almost everything, all of our engineers need training in exploiting the strengths, and compensating for the limitations, of this novel material. (Similarly, so-called "software engineers" need to add the fundamental engineering course, Strength of Materials, to their curriculum.) "Researchers" can make a contribution by studying and documenting the strength of widely used programs and libraries. ]
Legislation Aims to Establish Automobile Cyber Security Standards (July 21, 2015)
US Senators plan to introduce legislation that would require cars sold in the country to meet certain cyber security standards. It calls for the National Highway Traffic Safety Administration and the Federal Trade Commission to establish those standards, which will include isolating critical systems from other parts of the vehicle's network. The bill also includes provisions for customer data protection and privacy.-http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/
Earlier this year, members of the US House Energy and Commerce Committee write to 17 car manufacturers and the National Highway Traffic Safety Administration to ask for information about how they plan to address cyber security concerns.
-http://energycommerce.house.gov/press-release/committee-leaders-seek-information
-auto-cybersecurity
[Editor's Note (Northcutt): I smell a dogfight in the making. Yes, it makes sense to have the car's drive-by-wire control system out of band from entertainment, communication and navigation. Yes, it is true that cars, like Americans, are putting on the pounds and the extra wiring to separate the networks, adds weight. Can't we just do this with a VLAN *cough*:
-http://www.cbsnews.com/news/cars-big-weight-gain-hurts-fuel-economy-study-says/
-http://www.scientificamerican.com/article/to-boost-gas-mileage-automakers-explor
e-lighter-cars/]
Cybersecurity Leadership (July 13, 2015)
The rapid growth of Internet connected devices and the security issues they bring means that the boards and C-level executives of organizations must be prepared to make informed decisions about security. The board needs to ask specific questions about an organization's' security approach and how they plan to deal with an attack. The CEO must understand the organization's security landscape and be able to answer those questions.-http://www.forbes.com/sites/frontline/2015/07/13/why-cybersecurity-leadership-mu
st-start-at-the-top/
[Editor's Note (Henry): This, to me, is the foundational piece of IT security. Many of the problems we see which result in a breach - unpatched systems, inattention to alerts, poor policy/strategy - are often indicative of a lack of leadership. There's no understanding of the risk, there's no sense of urgency, and there's no appreciation for the impact a breach can have on the organization. The leader sets the pace for the rest of the pack, and if there's a "laissez faire attitude" - - merely letting things take their course, rather than directing/guiding/LEADING - bad things are going to happen. ]
Automakers Consortium to Buy Nokia's HERE Mapping Software (July 23, 2015)
Several car makers, including Audi, BMW, Daimler, and Volkswagen, have made a successful bid to purchase Nokia's HERE mapping software, which will become an open platform. Daimler CEO Dieter Zetsche said his company is interested in building security into the system.-http://betanews.com/2015/07/23/nokias-here-maps-goes-to-bmw-daimler-and-volkswag
en/
-http://www.forbes.com/sites/dougnewcomb/2015/07/22/why-german-automakers-want-to
-acquire-nokias-here-mapping-division/
-http://thehill.com/policy/technology/248934-exec-hacking-concerns-one-reason-mer
cedes-is-bidding-on-mapping-software
-http://www.cnet.com/news/car-consortiums-nokia-maps-bid-all-about-security-daiml
er-says/
US Census Bureau Data Dump (July 23, 2015)
Cyber activists have taken information from servers used by the US Census Bureau and made the data available online. The compromised data do not include citizens' census records, but instead they include information about Census Bureau employees, including email addresses, password hashes, and the IP addresses from which they last logged in. Much of the information was already accessible online.-http://www.theregister.co.uk/2015/07/23/us_census_bureau_hacked/
-http://www.nextgov.com/cybersecurity/threatwatch/2015/07/breach/2430/
[Editor's Note (Murray): When "activism" becomes a legitimate justification for covert attacks against society and its institutions, then the Rule of Law has been replaced with rule by school yard ethics. ]
Group Reveals Four IE Flaws in Windows Phone (July 23, 2015)
The Zero-Day Initiative Group has disclosed four critical flaws in Internet Explorer (IE) after Microsoft failed to produce fixes for them in the 120-day window the group has established. The remote code execution flaws could be exploited to take control of smart phones running IE.-http://www.theregister.co.uk/2015/07/23/four_ie_zero_days_revealed/
-http://arstechnica.com/security/2015/07/fully-patched-internet-explorer-menaced-
by-a-whopping-4-code-execution-bugs/
OpenSSH Vulnerability Allows Brute Force Password Attack (July 23, 2015)
A vulnerability in OpenSSH could be exploited with a brute force attack that could make up to 10,000 attempts to guess a password during the grace period. In its default configuration, OpenSSH allows six password entry attempts within two minutes before it severs the connection. The attack bypasses the limit. OpenSSH is software used for secure remote access to UNIX-based systems.-http://www.scmagazine.com/vulnerability-in-openssh-allows-for-brute-force-attack
/article/428175/
-http://www.theregister.co.uk/2015/07/23/openssh_brute_force_bug/
-http://www.computerworld.com/article/2951541/security/bug-exposes-openssh-server
s-to-bruteforce-password-guessing-attacks.html
WordPress Update Fixes 20 Vulnerabilities (July 23, 2015)
WordPress has released an update, WordPress 4.2.3, to address several vulnerabilities in the widely used blogging platform, including one that could be exploited in a cross-site scripting attack. Users with "contributor" or "author" access could use it to take control of vulnerable sites.-http://www.computerworld.com/article/2951771/security/wordpress-gets-a-patch-for
-critical-xss-flaw.html
-http://www.scmagazine.com/wordpress-423-released-addresses-critical-xss-vulnerab
ility/article/428182/
-http://www.zdnet.com/article/wordpress-users-urged-to-update-after-critical-bug-
found/
Chrome 44 Fixes Vulnerabilities, Introduces a Glitch (July 22 & 23, 2014)
Google Chrome version 44 has been promoted to the stable channel. While the newest version of the browser fixes 44 security flaws, it also introduces a troublesome issue that causes some sites without SSL to render improperly and other sites to fail to render at all, generating a "too many redirects" error message. Google is working on a fix that will be released as soon as it is deemed ready.-http://www.zdnet.com/article/brand-new-chrome-44-release-added-a-bug/
-http://www.scmagazine.com/chrome-44-promoted-to-stable-channel-includes-43-secur
ity-fixes/article/427810/
Microsoft to Release Enterprise Security Tools (July 22, 2015)
Microsoft plans to make its Advanced Threat Analytics (ATA) service "generally available" starting in August. ATA is designed to help companies block targeted attacks by identifying normal and anomalous network behavior.-http://www.computerworld.com/article/2951564/cloud-computing/microsoft-to-make-e
nterprise-security-tools-available.html
-http://www.v3.co.uk/v3-uk/news/2419030/microsoft-releases-advanced-threat-analyt
ics-to-bolster-cyber-security
-http://www.zdnet.com/article/microsoft-to-deliver-advanced-threat-analytics-cybe
rsecurity-product-in-august/
[Editor's Note (Murray: In our complex enterprise networks, Security is a hard problem. It is not a criticism of either Microsoft or IT management to say that appreciating, much less understanding and applying, all of Microsoft's security controls and products requires time and diligence. ]
Five Charged in Bitcoin Scheme with Connections to JPMorgan Chase Attack (July 21 & 22, 2015)
Five people have been charged in connection with a pump-and-dump scheme and Bitcoin money laundering, which may be linked to the data breach that hit the systems of JPMorgan Chase last summer. Four of the people have been arrested; a fifth suspect remains at large.-http://www.theregister.co.uk/2015/07/22/jpmorgan_hack_alleged_perps_charged/
-http://www.computerworld.com/article/2951215/legal/5-arrested-in-jpmorgan-hackin
g-case.html
-http://www.v3.co.uk/v3-uk/news/2418828/fbi-arrests-four-over-bitcoin-scam-with-l
inks-to-jp-morgan-hack
-http://arstechnica.com/tech-policy/2015/07/4-men-reportedly-arrested-in-relation
-to-jpmorgan-chase-hack/
Tax Repercussions of Airline Miles Bug Bounty
In last Friday's NewsBites, (Volume XVII - Issue #55), we ran a story about United Airlines giving away two million miles to people as part of the company's bug bounty scheme, which was announced in May. A reader replied with the following information: The company will probably issue 1099-MISC forms for the 1 million miles, probably at about 2 cents a mile. It is likely to be treated as compensation, or as a prize winning. Either way, that will be the surprise and slap on the backside around April 15 next year to those two people. The good news is that miles earned by flying are not taxable, but treated more as a rebate. Finally, if you have never heard of the "Pudding guy", it is a fun read:-http://www.forbes.com/sites/kellyphillipserb/2014/08/28/tax-court-sides-with-irs
-in-tax-treatment-of-frequent-flyer-miles-issued-by-citibank/
-https://www.bogleheads.org/forum/viewtopic.php?t=88189
-https://en.wikipedia.org/wiki/David_Phillips_(entrepreneur)
STORM CENTER TECH CORNER
Four 0-Days Affecting Internet Explorer Mobile Released-https://isc.sans.edu/forums/diary/Some+more+0days+from+ZDI/19953/
Virtual Machine Side Channel Attacks Leak Crypto Keys
-http://blog.trailofbits.com/2015/07/21/hardware-side-channels-in-the-cloud/
Drupal / Wordpress Updates
-https://wordpress.org/news/2015/07/wordpress-4-2-3/
-https://www.drupal.org/node/2537860
Userhelper / libuser Allow Privilege Escalation
-http://www.openwall.com/lists/oss-security/2015/07/23/16
AV Comperatives Release Mac Anti Virus Test Results
-http://www.av-comparatives.org/mac-security-reviews/
Bartalex malspam pushing Pony/Dyre
-https://isc.sans.edu/forums/diary/Bartalex+malspam+pushing+PonyDyre/19947/
Lottery IT Security Director Rigs Lottery
-http://www.desmoinesregister.com/story/news/crime-and-courts/2015/07/20/hot-lott
o-verdict/30411901/
Pump and Dump Spammers Linked to JP Morgan Breach Arrested
-http://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-agai
nst-three-defendants-multimillion-dollar
-http://www.usatoday.com/story/money/2015/07/21/jpmorgan-chase-hack-arrests-israe
l-florida/30469203/
Wireless Car Hacking
-http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Fake Tech Support Scammers hit UK iOS Users
-http://www.actionfraud.police.uk/news/fake-apple-ios-crash-report-city-of-london
-police-takedown-numbers-associated-with-the-recent-ios-scam-jul15
Privilege Escalation in OS X
-https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html
Stephen Northcutt reports the SANS is looking for a job applicant in the Atlanta area that can work remotely with one or more of the: GSEC, GCIA, GCIH, GPEN, GWAPT, GCFE, GREM, GSSP (Java or .NET). The posting URL is here:
-https://isc.sans.edu/jobs/1facfa003354c4f148fb189a90d5b94f7f927fa1
Other jobs that include GIAC as a preferred certification can be found here:
-https://isc.sans.edu/jobs/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/