SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #9

February 03, 2015

TOP OF THE NEWS

BMW Fixes Software Flaw that Affected 2.2 Million Cars
US Army Shares Dshell on GitHub Adobe Will Patch Third Flash Vulnerability in Two Weeks

THE REST OF THE WEEK'S NEWS

E-Gov Cyber Division Will Oversee Dot-Gov Network Security
Obama's 2016 Budget Proposal Includes US $14 Billion for Cyber Security
UK Information Commissioner's Office Can Now Conduct Data Security Audits on NHS
Apple iOS Updated to Version 8.1.3
Verizon to Let Cookies Crumble
ZeroAccess Botnet Operating Again
Ghost Flaw may Also be Exploitable Through WordPress, Other PHP Apps

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Bit9 + Carbon Black ******************
Compromise is inevitable! Learn about the solutions you can put in place to plan for the breach. Download the free eGuide: Breach Preparation: Plan for the Inevitability of Compromise.
http://www.sans.org/info/174232
***************************************************************************

TRAINING UPDATE


-Cyber Threat Intelligence Summit | Washington, DC | February 2- 9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/event/cyber-threat-intelligence-summit-2015


-10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/event/ics-security-summit-2015


-DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/event/dfir2015


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/event/munich-2015


-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/event/secure-canberra-2015


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/event/northern-virginia-2015


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2015


-Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening (www.sans.org/vlive) courses available!


-Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


-Looking for training in your own community?
http://www.sans.org/community/


-Save on OnDemand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangalore, Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

***************************************************************************

---

TOP OF THE NEWS

BMW Fixes Software Flaw that Affected 2.2 Million Cars (February 2, 2015)

BMW has remotely fixed a vulnerability in software used in some of its cars that could have been exploited to open the vehicles' doors using a mobile phone. The software, ConnectedDrive, uses an on-board SIM card and manages door locks, air conditioning, and traffic updates, but not brakes or steering. The patch encrypts data from the car with HTTPS.
-http://www.bbc.com/news/technology-31093065
-http://www.theregister.co.uk/2015/02/02/645k_too_much_for_a_wraith_then_just_hac
k_its_doors_open/
-http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/
[Editor's Note (Honan): While this patch was innocuous it does raise bigger questions about how we manage patches to critical devices such as cars, alarm systems, health monitoring devices, that are connected to the Internet. Blindly patching devices with the latest updates may not prove to be the most sensible approach, having your PC crash during an update is an entirely difference beast than having your car crash during an update.
(Murray): This is the kind of gross error of omission that one can expect when programmers, rather than engineers, build infrastructure. It demonstrates the necessity of failure mode analysis. It is the kind of omission that the FTC Guidance might hope to address. It is also the kind of problem that we can expect if we employ a programming "late discovery and patch" strategy rather than an engineering "do it right the first time" approach. Note that the difficult to secure functionality, that the programmer includes to facilitate late patching of his errors and omissions, will greatly increase the attack surface and vulnerability of the infrastructure. Are we to trust the same programmer to design the patch function as makes this kind of error in the base product? ]

US Army Shares Dshell on GitHub (February 2, 2015)

The US Army Research Lab has posted a forensic network analysis tool to GitHub, an open software repository. The Army has used the tool for five years, and hopes that its release will encourage developers to contribute new modules.
-http://www.siliconrepublic.com/enterprise/item/40457-us-army-gives-people-access
/
-http://gcn.com/articles/2015/02/02/arl-dshell.aspx
[Editor's Note (Honan): Kudos to the US Army for sharing this tool, hopefully this will lead to other organisations following suit and sharing their own tools. ]

Adobe Will Patch Third Flash Vulnerability in Two Weeks (February 2, 2015)

Adobe has released an advisory about yet another flaw in Flash Player. This is the third flaw discovered in Flash in less than three weeks. Adobe plans to have a patch for this most recent vulnerability available within the next week. This one is being actively exploited through advertisements. It affects Flash for Windows systems running Internet Explorer or Firefox browsers.
-http://www.darkreading.com/new-adobe-flash-0-day-used-in-malvertising-campaign/d
/d-id/1318900?
-http://www.scmagazine.com/adobe-warns-flash-users-of-zero-day-vulnerability/arti
cle/395957/
-http://www.theregister.co.uk/2015/02/02/flash_0day_patch_not_another_one/
-http://www.v3.co.uk/v3-uk/news/2393223/adobe-rushes-to-patch-third-zero-day-flas
h-player-flaw
-http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers
-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
[Editor's Note (Murray): Historically broken Flash has now replaced browsers as the most persistent vulnerability on the desktop. It is no longer adequate simply to expect consumers to patch it faithfully. Apple has demonstrated that it is possible, not to mention safer, to live without it. ]

---

*************************** SPONSORED LINKS ******************************
1) Malware: Finding the Evil in the Haystack - RSA Webcast February 11 at 11:00 am ET. Learn more: http://www.sans.org/info/174237

2) Wrapping Up The GHOST: Lessons Learned From The Ghost Vulnerability Friday, February 06 at 1:00 PM EDT (18:00:00 UTC) Johannes Ullrich and Chris Wysopal. http://www.sans.org/info/174212

3) A Security Geek's Guide to SAP: Thursday, February 12 at 1:00 PM EST (18:00:00 UTC) with Alex Horan. http://www.sans.org/info/174222
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

E-Gov Cyber Division Will Oversee Dot-Gov Network Security (February 2, 2015)

A new White House cyber security squad will make sure that agencies notify people whose information has been compromised in breaches. The E-gov Cyber division, which will be part of the Office of Management and Budget (OMB), will also create new policy as needed to address emerging threats as the legislative and technological landscapes change.
-http://www.nextgov.com/cybersecurity/2015/02/white-house-debuts-dot-gov-cyber-en
forcement-squad/104313/?oref=ng-HPtopstory
[Editor's Note (Pescatore): The US government focusing more on increasing the security of the US government is a good thing. However, in years past OMB tended to come out with crisis-driven "over the transom" policy directive memos, an approach that definitely did *not* and never will lead to improvements in security at federal agencies. I'd like to see OMN focus more on initiatives like SecureBuy to use federal purchasing power to drive more secure products and services, and on updating guidance to Inspectors General to reduce the FISMA compliance focus from reporting to security improvements.
(Henry): A "nationwide requirement that hacked private firms inform affected customers about a breach within 30 days" is false comfort for the public. The vast majority of breaches relate to intellectual property, R&D, critical infrastructure, and the like. This prolongs the perception that this issue is about credit card numbers. The real risk is the impact on economic and national security, not someone's identity being stolen, and the government is not talking about that substantively. ]

Obama's 2016 Budget Proposal Includes US $14 Billion for Cyber Security (February 2 & 3, 2015)

President Obama's 2016 budget proposal asks for US $14 billion to improve protection of government and private networks from attacks. The budget seeks the funds for additional intrusion detection and prevention ability, increased information sharing between the public and private sectors, and improved attack response.
-http://www.cnet.com/news/obama-adds-14b-to-budget-for-stepped-up-cybersecurity/
-http://in.reuters.com/article/2015/02/02/usa-budget-cybersecurity-idINL1N0VC2EA2
0150202
[Editor's Note (Pescatore): This is about a 10% increase compared to the FY 2015 budget. Since the President's Federal IT budget request asks for $86B, this means cybersecurity spending is at a whopping 16% of IT spending, more than twice the average of private industry. However, there are a lot of "cats and dogs" that get counted towards cybersecurity in the federal budget, and much of the growth seems to be in those areas. The DHS Continuous Diagnostics and Mitigation program is highlighted and it would be good to see that program increase its impact of federal security levels.
(Henry): "While the president was light on details during the State of the Union, he's now outlined his goals for cybersecurity reform in his Comprehensive National Cybersecurity Initiative." Really? This CNCI initiative was approved by President Bush and funded by the US Congress in 2008; President Obama reaffirmed his support for the CNCI in 2009 after Melissa Hathaway completed the Cyberspace Policy Review. For this to be characterized as the president NOW "outlining his goals" is somewhat misleading, since these "goals" have been in place for seven YEARS. Does anyone have a sense of urgency here? ]

UK Information Commissioner's Office Can Now Conduct Data Security Audits on NHS (February 2, 2015)

The UK's Information Commissioner's Office (ICO) now has the authority to conduct data protection audits at NHS (National Health Service) organizations. The new power took effect on February 1, 2015. ICO has fined NHS organizations GBP 1.3 million (US $1.95 million) for data security problems over the past three years.
-http://www.v3.co.uk/v3-uk/news/2393124/nhs-faces-compulsory-data-protection-audi
ts-from-ico
-http://healthcare.governmentcomputing.com/news/ico-given-expanded-health-data-au
dit-powers-4502028
-http://www.computing.co.uk/ctg/news/2393121/ico-granted-new-powers-to-audit-nhs-
organisations-for-data-protection

Apple iOS Updated to Version 8.1.3 (February 2, 2015)

Apple has released an update for its mobile device operating system. iOS 8.1.3 fixes 33 security issues.
-http://www.scmagazine.com/ios-813-addresses-vulnerabilities-improves-performance
/article/395963/
-http://support.apple.com/en-us/HT204245

Verizon to Let Cookies Crumble (January 30 & February 1, 2015)

Verizon says it will let its customers opt out of having their online activity on smartphones and tablets tracked with so-called "unkillable" tracking identifier, also known as super cookies. Verizon began injecting unique identifying headers (UIDH) into all HTTP requests made to sites over its network. These cookies survived cookie deletions from browsers because they are inserted by carriers.
-http://arstechnica.com/information-technology/2015/02/verizon-will-now-let-users
-kill-previously-indestructible-tracking-code/
-http://www.theregister.co.uk/2015/01/30/verizon_uidh_super_cookie_killer/
-http://www.computerworld.com/article/2878301/verizon-to-allow-opt-out-from-mobil
e-supercookies.html
-http://www.csmonitor.com/Innovation/Horizons/2015/0130/Verizon-offers-silver-bul
let-for-immortal-supercookies
[Editor's Note (Murray): Having been caught with its hand in the jar, "Verizon to let cookies crumble." An "opt out" solution may not be enough to allow the greedy simian to free itself. ]

ZeroAccess Botnet Operating Again (January 29 & 30, 2015)

The ZeroAccess botnet, which was taken down in a cooperative effort between Microsoft and international law enforcement more than a year ago, appears to be active once again. The peer-to-peer botnet, also known as Sirefef, is being used in click fraud schemes. It has infected approximately 55,000 computers, far fewer that the nearly two million computers that had been infected prior to the December 2013 takedown.
-http://www.scmagazine.com/sirefef-has-reactivated-after-disruption-by-law-enforc
ement/article/395553/
-http://www.darkreading.com/zeroaccess-click-fraud-botnet-back-in-action-again/d/
d-id/1318865
-http://www.computerworld.com/article/2877923/the-zeroaccess-botnet-is-back-in-bu
siness.html
-http://www.zdnet.com/article/click-fraud-zeroaccess-botnet-rises-from-the-ashes/
[Editor's Note (Honan): While taking down botnets is similar to treating the symptoms rather than the disease, there is still value in such exercises. The intelligence gathered during the takedown may help identify those criminals behind such enterprises leading to arrests, at the very least they disrupt criminal activity and add additional costs onto the criminals. ]

Ghost Flaw may Also be Exploitable Through WordPress, Other PHP Apps (January 30, 2015)

The critical Ghost flaw in the Linux glibc library may be remotely exploited through WordPress and other PHP applications. The flaw was disclosed last week.
-http://arstechnica.com/security/2015/01/critical-ghost-bug-could-haunt-wordpress
-and-php-apps-too/
-http://www.computerworld.com/article/2877900/ghost-flaw-in-linux-can-be-exploite
d-through-wordpress-other-php-apps.html
SANS Webcast on Ghost, featuring Johannes Ullrich and Chris Wysopal: Friday, February 6, 2015 at 1pm EST Register:
-https://www.sans.org/webcasts/99642

---

STORM CENTER TECH CORNER

Atlassian HipChat Compromised
-https://blog.hipchat.com/2015/02/01/hipchat-security-notice-and-password-reset/

Skype Social Engineering Used to Compromise Syrian Opposition
-https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/r
pt-behind-the-syria-conflict.pdf

Internet Explorer 11 Cross Site Vulnerability
-http://www.deusen.co.uk/items/insider3show.3362009741042107/

Superbowl Spam
-https://isc.sans.edu/forums/diary/Beware+of+Phishing+and+Spam+Super+Bowl+Fans/19
261/

Better SSL Warnings
-https://isc.sans.edu/forums/diary/Improving+SSL+Warnings/19263/

Asset Inventories
-https://isc.sans.edu/forums/diary/Asset+Inventory+Do+you+have+yours/19265/

ZynOS (DLink and others) affected by unauthenticated DNS Server Change Flaw
-http://www.computerworld.com/article/2876292/dns-hijacking-flaw-affects-d-link-d
sl-router-possibly-other-devices.html

Facebook Malware Infects more then 110k users
-http://seclists.org/fulldisclosure/2015/Jan/131

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.