SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #8

January 30, 2015

ICS Careers and Opportunities

An international consortium of ICS security professionals from oil & gas, electric power, and control system companies have reached an initial consensus on the 41 key roles in ICS security, the levels of knowledge/mastery required for various levels in the roles. Their work may turn out to be important in helping senior management understand the value of various roles and skills.

They plan to share the results with interested professionals at the SANS ICS Security Summit at the end of February in Orlando. (http://www.sans.org/event/ics-security-summit-2015)

If you work in the field and would like to see the initial lists and the consensus about where the key opportunity may lie, send Tim Conway a note (tconway@sans.org) with subject ICS roles and opportunities. He'll send you the latest roles/responsibilities matrix and ask you for input. All of those who provide substantive input will receive a draft of the initial consensus report. If you provide substantive input, he'll send you the worksheet that has X's in the cells based on the input from participating organizations.

---

TOP OF THE NEWS

FTC Publishes Report on Security and Privacy for Internet of Things
Tech Companies Balking at China's Security Requirements

THE REST OF THE WEEK'S NEWS

New Zeus Variant Targeting Canadian Banks
UK Government Disks Lost in the Mail Contain Sensitive Data
Malvertising Campaign Exploits Adobe Flash Vulnerability
Judge in Netherlands Allows Extradition to US of Suspect in Multiple Breaches
Users Urged to Patch Ghost Vulnerability in Linux glibc
House Subcommittee Hears Testimony on Data Breach Legislation
FCC Enforcement Advisory Says Blocking Personal Wi-Fi Hotspots Could be Fined
Apple Updates OS X Yosemite to Version 10.10.2

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Veracode ************************
Wrapping Up The GHOST: Lessons Learned From The Ghost Vulnerability - with Johannes Ullrich and Chris Wysopal. Friday, February 6 at 1:00pm EDT. In this presentation, we will explain what "Ghost" was all about, how to recognize vulnerable systems, and what can be done to mitigate risk. We will look beyond Ghost to explain how to quickly assess your exposure and build a comprehensive framework to address high priority vulnerabilities.
http://www.sans.org/info/174212
***************************************************************************

TRAINING UPDATE


- -Cyber Threat Intelligence Summit | Washington, DC | February 2- 9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/event/secure-canberra-2015


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/event/northern-virginia-2015


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2015


- -Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


- -Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- -Looking for training in your own community?
http://www.sans.org/community/


- -Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Dubai, Bangalore, and Oslo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

---

TOP OF THE NEWS

FTC Publishes Report on Security and Privacy for Internet of Things (January 27 & 28, 2015)

The US Federal Trade Commission (FTC) has published a report to address security for the Internet of Things (IoT). The report, "The Internet of Things: Privacy and Security in a Connected World," provides guidance for companies that manufacture IoT devices on incorporating security and privacy into the development process.
-http://www.computerworld.com/article/2876236/ftc-wants-iot-vendors-to-safeguard-
privacy.html
-http://www.scmagazine.com/ftc-report-looks-at-expanding-threat-of-the-iot/articl
e/395034/
-http://media.scmagazine.com/documents/103/ftc_internet_of_things_25662.pdf
[Editor's Note (Murray): Weakening of the infrastructure should go on the list of concerns with, and perhaps ahead of, "privacy" and "harm to the consumer." In a world in which web servers sell for a dime, our strategy should be minimal function, purpose-built, owner control, firmware rather than software, "discard and replace" in preference to exploitable manage and patch. One does not need the capability to update the firmware on a three year old light bulb or router that can be replaced with a brighter, better, faster one for a third of its cost. One does not need for one's refrigerator to have the attack surface, not to say vulnerability, of a Windows laptop. ]

Tech Companies Balking at China's Security Requirements (January 28, 2015)

Vendors are unhappy with the Chinese government's requirements that products sold to financial institutions in that country include "management ports" in hardware and allow the government complete access to all software and firmware source code. The requirement is part of China's "cyber security vetting process." The US Chamber of Commerce and others have called the new rules "intrusive."
-http://arstechnica.com/tech-policy/2015/01/it-vendors-cry-foul-at-new-chinese-se
curity-rules-requiring-built-in-backdoors/
-http://www.bbc.com/news/technology-31039227
-http://www.scmagazine.com/us-firms-push-back-against-chinese-cybersecurity-polic
ies/article/395281/
[Editor's Note (Honan): Given the calls from US and UK governments in support of backdoors into security products it will be interesting to see their reaction to these demands from China. ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eGuide: 5 Steps to Reduce the Complexity of PCI Assessments: http://www.sans.org/info/174217

2) A Security Geek's Guide to SAP: Thursday, February 12 at 1:00 PM EST (18:00:00 UTC) with Alex Horan. http://www.sans.org/info/174222

3) The survey results are in! Big Data: Identifying Major Threats and Removing Security and Compliance Barriers -- Webcast on Tuesday, February 24 at 1:00 PM EDT. Register: http://www.sans.org/info/174227
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

New Zeus Variant Targeting Canadian Banks (January 29, 2015)

A new variant of Zeus malware is targeting banks in Canada. It is spreading through exploit kits and through email claiming to be Air Canada invoices. Once it gains purchase in a computer, the malware injects phony web pages to steal account access information, payment card numbers, and driver's license and Social Insurance numbers.
-http://www.scmagazine.com/zeus-variant-targeting-banks-spread-by-social-engineer
ing-exploit-kits/article/395326/

UK Government Disks Lost in the Mail Contain Sensitive Data (January 29, 2015)

The UK government has acknowledged that two computer disks containing sensitive information related to high-profile judicial inquiries have been lost in the post.
-http://www.v3.co.uk/v3-uk/news/2392722/government-admits-losing-disks-containing
-data-on-three-police-inquiries
-http://www.theguardian.com/uk-news/2015/jan/29/file-mark-duggan-police-shooting-
lost-post
[Editor's Note (Honan): It is worrying to note that it is unclear whether the lost disks were encrypted or not. Disks, USB keys, and other portable data storage devices will go missing or be lost which is why its important to enforce encryption across all such devices in the event sensitive data is stored on them. ]

Malvertising Campaign Exploits Adobe Flash Vulnerability (January 29, 2015)

A popular adult website has been hit with a malicious advertising campaign that exploits a recently patched flaw in Adobe Flash Player. The site has about 500 million viewers a month. The malicious ad served the Bedep Trojan to site visitors whose computers were vulnerable.
-http://www.theregister.co.uk/2015/01/29/top_smut_site_contracts_flash_0day_infec
tion/
-http://www.ibtimes.co.uk/adult-website-xhamster-puts-visitors-serious-risk-infec
tion-by-bedep-malware-1485603
-https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-involve
d-in-large-malvertising-campaign/

Judge in Netherlands Allows Extradition to US of Suspect in Multiple Breaches (January 28 & 29, 2015)

A judge in the Netherlands has ruled that Vladimir Drinkman can be extradited to the US to face charges related to numerous network security breaches, including those at Heartland Payment Systems, Citibank, and the Nasdaq stock exchange. Drinkman and others are also suspected of working with Albert Gonzalez, the man currently serving a prison term for masterminding the TJX breach.
-http://arstechnica.com/tech-policy/2015/01/dutch-judge-allows-alleged-sophistica
ted-russian-hacker-to-be-sent-to-us/
-http://www.scmagazine.com/dutch-judge-oks-alleged-russian-hacker-extradition-to-
us/article/394983/
July 2013 Indictment:
-https://www.documentcloud.org/documents/1511087-gov-uscourts-njd-292129-56-0.htm
l
[Editor's Note (Henry): This is good news for law enforcement. The cooperation and collaboration of foreign law enforcement partners and judicial systems is critical to successfully investigate, prosecute, and deter international cyber criminals who believe they are anonymous to the law. Unfortunately, results like these are few and far between. ]

Users Urged to Patch Ghost Vulnerability in Linux glibc (January 28, 2015)

Ghost, a newly disclosed buffer overflow vulnerability in Linux GNU C Library (glibc,) could be exploited to take control of a system without being authenticated. Patches are available for the vulnerability, and the US Computer Emergency Response Team (US-CERT) has issued a threat advisory urging users to patch systems as soon as they can. Some experts say that Ghost is not easy to exploit.
-http://www.theregister.co.uk/2015/01/28/ghost_linux_megavuln_analysis/
-http://www.darkreading.com/application-security/ghost-not-so-scary-after-all/d/d
-id/1318844?
-http://www.computerworld.com/article/2875782/ghost-linux-glibc-vulnerability-itb
wcw.html
-http://www.kb.cert.org/vuls/id/967332
-https://isc.sans.edu/forums/diary/New+Critical+GLibc+Vulnerability+CVE20150235+a
ka+GHOST/19237/
-https://www.youtube.com/watch?v=218JiCBpUTM

House Subcommittee Hears Testimony on Data Breach Legislation (January 28, 2015)

The US House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade heard testimony from tech company representatives, legal experts and others regarding what data breach legislation ought to look like. A trade association executive spoke of the need for federal legislation to establish a national standard for breach notification so companies do not have to navigate of the current patchwork of state laws. A law professor and scholar cautioned that "data breach legislation should be minimally preemptive
[of state laws ]
because multiple approaches are still needed to determine the best approach to data security and breach notification."
-http://www.scmagazine.com/testimony-before-legislators-outlines-elements-of-data
-breach-law/article/395045/

FCC Enforcement Advisory Says Blocking Personal Wi-Fi Hotspots Could be Fined (January 28, 2015)

The US Federal Communications Commission (FCC) has issued an enforcement advisory, clarifying its position on Wi-Fi blocking. The advisory is in response to a recent settlement the agency reached with Marriott International. That company was fined US $600,000 for blocking guests' personal hotspots at a resort and convention facility. The advisory says that "willful or malicious interference with Wi-Fi hotspots is illegal."
-http://www.scmagazine.com/fcc-warns-businesses-wi-fi-blocking-prohibited/article
/394998/
-http://www.cnbc.com/id/102375201#
-http://www.fcc.gov/document/warning-wi-fi-blocking-prohibited
[Editor's Note (Northcutt): Where do you draw the line? It clearly makes sense that a hotel blocking your personal wi-fi so they can force you to pay for hotel internet is just plain wrong. But what about virtual horse racing tracks in Vegas, what about disabling cell phones when the US Presidential motorcade is driving by to prevent bombs? We need rules of the road. Was it appropriate when the San Francisco Police department jammed phones to try to prevent a protest? I surely do not know, but someone needs to establish just and fair rules of the road:
-http://gawker.com/5830458/san-francisco-cops-jam-cell-phones-to-prevent-protest]

Apple Updates OS X Yosemite to Version 10.10.2 (January 27, 2015)

Apple has released OS X 10.10.2, the second major update for the operating system known as Yosemite. Beta versions of this update have been around since November 2014. The newest version of Yosemite reportedly addresses a number of Wi-Fi problems that had been reported with 10.10.1. It also includes a fix for the Thunderstrike vulnerability.
-http://arstechnica.com/apple/2015/01/apple-releases-os-x-10-10-2-with-a-pile-of-
security-privacy-and-wi-fi-fixes/
-http://www.zdnet.com/article/apple-releases-os-x-yosemite-10-10-2/

---

STORM CENTER TECH CORNER

ML External Entity Vulnerabilities
-https://isc.sans.edu/forums/diary/Blindly+confirming+XXE/19257/

"Ransomweb" encrypts web server database
-https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html

Return of Zero Access Botnet
-http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-
activity-after-six-month-break/

NFL Mobile App Privacy Blunders
-http://www.darkreading.com/nfl-mobile-sports-app-contains-super-bowl-sized-vulns
/d/d-id/1318802

Blackphone Text Messaging Flaw
-http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html

Flash Player Update Now Available As Standalone Update
-https://isc.sans.edu/forums/diary/Adobe+Flash+Update+Available+for+CVE20150311+0
312/19249/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.