
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #7

January 27, 2015

TOP OF THE NEWS

Report: US Weapons Programs Vulnerable to Cyber Attacks
Adobe Releases Another Emergency Patch for Flash
China Blocks VPN Systems

THE REST OF THE WEEK'S NEWS

Attack Targets Businesses That Conduct Wire Transfers
Google Will Not Fix Flaw in Older Versions of Android OS
Court Dismisses LabMD's Challenge to FTC Breach Enforcement
CyberPatriot Finalist Teams Named
Malaysia Airlines Site Breach
Fix for Thunderstrike Flaw in Beta Version of OS X 10.10.2
Sony Says Some Critical Systems Won't Be Operational Until Next Month

STORM CENTER TECH CORNER


************************** Sponsored By Symantec ************************
Symantec Webcast: The Underground Economy of Cyber-Crime, Feb 12 at 10am PT - Join Symantec to get inside the inner workings of the cyber-criminal. Learn more about: common techniques used to build trust in the cyber-criminal community, by what means goods are bought and sold in the underground economy and what you can do to protect yourself and your organization.
http://www.sans.org/info/174102
***************************************************************************

TRAINING UPDATE


- -Cyber Threat Intelligence Summit | Washington, DC | February 2- 9, 2015 | Brian Krebs, renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and who also broke the Target story, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and what paths (options) are available to build your program around. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/event/munich-2015


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 | 5 courses.
http://www.sans.org/event/secure-canberra-2015


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/event/northern-virginia-2015


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2015


- -Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


- -Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -Looking for training in your own community?
http://www.sans.org/community/


- -Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

TOP OF THE NEWS

Report: US Weapons Programs Vulnerable to Cyber Attacks (January 20 & 26, 2015)

According to a report released by the US Defense Department's Director of Operational Test and Evaluation (DOT&E) Michael Gilmore on January 20, most of the country's weapons programs contain security flaws. Gilmore wrote, "The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (Department of Defense) networks, and could be in a position to degrade important DOD missions when and if they chose to." Many of the security problems found during testing could have been addressed in the programs' development stage. Other issues include old, misconfigured, and unpatched software.
-http://www.scmagazine.com/report-most-us-weapons-programs-contain-significant-vulnerabilities/article/394499/

-http://www.nytimes.com/reuters/2015/01/20/technology/20reuters-cybersecurity-pentagon.html

[Editor's Note (Pescatore): One of the major recommendations was pretty straightforward: "Emphasize network defense fundamentals" - essentially citing many of the Critical Security Controls.
(Murray): One might think that it would be obvious that weapons systems should be purpose built, closed, and have a very high cost of attack. It isn't. This report suggests that we are not even addressing the "essentials," the "low hanging fruit." The IT culture of shoddy affects the military the same way as the rest of us. This should be a source of shame rather than mere concern. ]

Adobe Releases Another Emergency Patch for Flash (January 26, 2015)

Adobe has released a second emergency patch for Flash Player in less than a week. Like the patch released last week, this one addresses a flaw that is being actively exploited by the Angler malware kit. The new fix is currently available only through the Flash auto-update utility, but is expected to be available for manual download later in the week.
-http://www.darkreading.com/adobe-fixes-second-flash-flaw-exploited-by-angler/d/d-id/1318777?

-http://www.v3.co.uk/v3-uk/news/2391809/adobe-fixes-flash-flaw-in-windows-mac-and-linux

-https://isc.sans.edu/forums/diary/Stealth+Update+for+Flash+from+Adobe/19229/
[Editor's Note (Murray): There are mitigations available to enterprises for the vulnerability represented by Flash. However, many of those running Flash have never made a conscious decision to do so, are not aware of the general vulnerability of using it, much less these special vulnerabilities, or know to mitigate them. ]

China Blocks VPN Systems (January 23 & 26, 2015)

China appears to have blocked several Virtual Private Network (VPN) systems in that country. The services allow users to circumvent censorship systems to visit blocked websites. The changes to China's state firewall that block VPN systems were said to have been carried out for safety reasons and to protect the country's "cyberspace sovereignty."
-http://www.bbc.com/news/technology-30982198
-http://www.nytimes.com/reuters/2015/01/23/technology/23reuters-china-internet-vpn.html

[Editor's Note (Pescatore): This is really not much different than UK Prime Minister David Cameron saying "In our country, do we want to allow a means of communication between people which, even in extremists ... that we cannot read? No, we must not."
(Murray): Our readers should have no difficulty understanding that what are being blocked are popular proxy services within China that use tunnels to access sites beyond the Great Firewall of China. Use of these services ranges from innocent to politically sensitive. Blocking VPNs in the general case is much more difficult. Business travelers will continue to be able to use their VPN clients within China to access enterprise (or personal) VPN servers outside the firewall, at least for the present. This continues to be preferred to taking enterprise data into China on laptops. ]


**************************** SPONSORED LINKS ******************************
1) SANS WhatWorks: How VCU uses FireEye for Advanced Threat Detection and Prevention. Tuesday, February 10 at 1:00 PM EST (18:00:00 UTC) with John Pescatore and Dan Han. http://www.sans.org/info/174107

2) Avoid Making the Headlines. Protect Your Retail Business from Cyber Attacks. Wednesday, January 28 at 1:00 PM EST with Isabelle Dumont and Dave Shackleford. http://www.sans.org/info/173747

3) How is your application security program changing? Tell us in the 2015 Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/174112
***************************************************************************

THE REST OF THE WEEK'S NEWS

Attack Targets Businesses That Conduct Wire Transfers (January 23, 2015)

The FBI and the Internet Crime Complaint Center (IC3) have issued a warning about a spam scheme that netted the attackers more than US $200 million in the last three months of 2014. They are calling it the Business eMail Compromise (BEC). The scheme targets companies that conduct business with foreign suppliers and are accustomed to making wire transfer payments.
-http://www.eweek.com/security/spam-campaign-business-e-mail-compromise-pilfers-215-million.html

-http://www.ic3.gov/media/2015/150122.aspx

Google Will Not Fix Flaw in Older Versions of Android OS (January 24 & 26, 2015)

Google does not plan to fix a security issue in WebView in older versions of its Android operating system. The decision will affect about 60 percent of people using Android. The flaw is in the default web browser for Android 4.3 and previous versions of Android OS.
-http://www.zdnet.com/article/google-why-we-wont-patch-pre-kitkat-android-webview/

-http://www.cnet.com/news/google-leaves-most-android-users-exposed-to-hackers/
[Editor's Note (Pescatore): Here is where Google shows its consumer DNA. Android 4.3 shipped in mid-2013, which in consumer/Internet years was over 10 years ago. However, in enterprise years that is only 1.5 years ago. If enterprises want to take advantage of consumer-driven IT, they will have to invest in security mitigation to deal with the differences in enterprise products and support vs. consumer/advertising supported technology. If mechanics used tools they bought at dollar stores, they would be replacing their tools much more often than when they buy them from Snap-on...
(Murray): Enterprise users of consumer software face special problems. They should have a strategy for doing so. The strategy should include a trusted source, avoiding version dependencies, staying current, and patching as necessary. That said, Android(s) is a special case. Too many sources, too many versions, too many uses and copies. It is not really a product, so much as a collection of related products. These products may share vulnerabilities but may also have product-specific problems. Best to treat each product rather than the class. Consider alternatives. ]

Court Dismisses LabMD's Challenge to FTC Breach Enforcement (January 22 & 26, 2015)

The 11th Circuit Court has dismissed a challenge from LabMD to the US Federal Trade Commission's (FTC's) authority to take enforcement action against the company for an alleged data breach.
-http://www.scmagazine.com/court-refuses-to-address-labmds-challenge-to-ftcs-enforcement-authority/article/394388/

-http://www.natlawreview.com/article/11th-circuit-allows-ftc-data-breach-case-against-labmd-to-proceed

[Editor's Note (Pescatore): The FTC has done great work, without needing any new legislation, in going after companies that don't protect citizen information. This court decision didn't really dismiss LabMD's challenge completely - it really said LabMD has to exhaust all administrative remedies before asking the Court to act. I can guarantee that LabMD has already paid lawyers more to fight this action than it would have spent in just protecting customer information sufficiently in the first place. ]

CyberPatriot Finalist Teams Named (January 26, 2015)

Twenty-eight teams have been chosen to advance to the CyberPatriot National Finals Competition. The contest's seventh season final event will be held March 11-15, 2015, in Washington, DC. The finalists include teams from 15 US states and Canada. The competition began in October 2014 with more than 2,100 teams.
-http://www.prnewswire.com/news-releases/cyberpatriot-reveals-top-28-teams-advancing-to-national-finals-competition-300025297.html

Malaysia Airlines Site Breach (January 26, 2015)

Malaysia Airlines has acknowledged that attackers compromised its domain name system (DNS) records, which resulted in visitors trying to reach its website being redirected to a different site. The company says that its servers were not compromised. A group claiming responsibility for the attack disputes that claim, saying that it has obtained customer data.
-http://www.computerworld.com/article/2873569/malaysia-airlines-website-attacked-big-data-dump-threatened.html

-http://www.bbc.com/news/world-asia-30978299

Fix for Thunderstrike Flaw in Beta Version of OS X 10.10.2 (January 24 & 26, 2015)

A fix for a vulnerability known as Thunderstrike is now available in a beta version of Apple's operating system. A fix for the flaw is likely to be available for general release soon.
-http://www.zdnet.com/article/apple-preparing-to-release-thunderstrike-patch/
-http://arstechnica.com/security/2015/01/apple-readies-fix-for-thunderstrike-bootkit-exploit-in-next-os-x-release/

Sony Says Some Critical Systems Won't Be Operational Until Next Month (January 23, 2015)

Sony has disclosed that some of its critical systems remain offline after last year's attacks and that they are not likely to be up and running until February. The disclosure was made in the company's regulatory filing in Japan.
-http://www.nbcnews.com/storyline/sony-hack/sony-hack-critical-systems-wont-be-back-online-until-february-n292126


STORM CENTER TECH CORNER

Finding Local IP Address Using Javascript
-https://github.com/diafygi/webrtc-ips

Free McAfee "Secure Browser"
-https://www.mcafeesecure.com/get-connect/

Trojans Used To Monetize Youtube Videos
-http://www.symantec.com/connect/fr/blogs/tubrosa-threat-drives-millions-views-scammers-youtube-gaming-videos

PHP unserialize() problem fixed again
-https://bugs.php.net/bug.php?id=68710

Lizard Squad Used DDoS Service Customer Data To Hack Customers
-http://www.forbes.com/sites/thomasbrewster/2015/01/23/lizard-squad-rogue-leaks-ddos-database/

Critical Vulnerability in Symantec Critical System Protection
-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.