SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #47
June 13, 2014
TOP OF THE NEWSFCC Chairman Urges Private Companies to Take Responsibility for Cyber Security
PF Chang's Investigating Data Breach
New Framework to Test UK Financial Institutions' Cyber Security
CrowdStrike Identifies Another Chinese Espionage Group
THE REST OF THE WEEK'S NEWSACLU Map Shows States Where Law Enforcement Has Stingray Technology
Man Admits to Stealing eMail Credentials and Fraudulent Activity
Reports of TweetDeck Attack Greatly Exaggerated
Feedly Refuses to Pay Ransom to Stop DDoS Attacks
Federal Appeals Court Says Police Need Warrants to Access Cell Phone Location Data
Target Hires First CISO
Android Changes App Update Permissions Change Notification
Microsoft Challenging Warrant Seeking Records Stored on Server in Ireland
Microsoft and Adobe Security Updates
Mozilla Updates Firefox to Version 30
Clandestine Fox Group Strikes Again
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
************************* Sponsored By Symantec **************************
Solve Your Biggest Backup and Recovery Challenges Register now for Symantec's live streaming event to find out how to solve your biggest backup challenges, recover anything in minutes, get faster backups, and take advantage of an easy to use solution that protects your virtual and physical environments. See Backup Exec 2014 in action. Register Now. http://www.sans.org/info/161530
--SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
--Looking for training in your own community?
- - --Save on On-Demand training (30 full courses) - See samples at
Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
FCC Chairman Urges Private Companies to Take Responsibility for Cyber Security (June 12, 2014)FCC chairman Tom Wheeler said private sector companies must do better than current efforts that have been pushed forward by established voluntary frameworks. Wheeler said, "the network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks." If there is not measurable improvement, Wheeler did not rule out the possibility of calling for government regulations. The FCC plans to check whether companies have implemented the framework recommendations, which were developed in 2011, and whether or not they have been effective. The FCC will also look into better ways to help companies share information about cyber threats.
[Editor's Note (Pescatore): I would have hoped that back in 2011 the FCC would have started tracking whether ISPs were actually acting on their own voluntary recommendations for ISP "Code of Conduct" to reduce the volume of well-known threats ISPs routinely deliver to their paying customers. There does *not* seem to have been much progress, other than yet another report from the Communications Security, Reliability and Interoperability Council working group every March. Amazing that the carriers can move quickly to close deals with Netflix for higher payments for faster transport, but move very sloooowly when it comes to delivering fewer attack bits to their paying consumer customers.
(Murray): The Chairman has a point. We are far behind the necessary level of security and the level that cheap technology enables. We really do need to move private sector security to a whole new level. We know what to do; we lack the courage. Perhaps a goad will compensate. ]
PF Chang's Investigating Data Breach (June 10 & 12, 2014)US restaurant chain PF Chang's says it is in contact with law enforcement agencies regarding reports that attackers stole customer payment card data from the company's systems. Several days ago, thousands of recently stolen credit card numbers and their associated information were offered for sale in an underground forum known for trading in such things. The breach affects cards used at several different locations, suggesting that the attackers breached the company's point-of-sale network, much like the attacks on Target and Sally Beauty.
[Editor's Note (Pescatore): Restaurant chains are at the intersection of two attack trends: (1) attacks going after Point of Sale systems; and (2) attacks going after common software used across franchises. ]
New Framework to Test UK Banks' Cyber Security (June 10, 2014)A vulnerability testing framework launched by the Bank of England, CBEST will offer "a controlled, bespoke, intelligence-led penetration test against financial institutions' critical systems." The customized penetration tests will be developed with information gathered by the government and security companies. Financial organizations will have the opportunity to consult with experts to help them strengthen their security weaknesses.
[Editor's Note (Pescatore): Raising the bar on what can be called a "penetration test" is a good thing, but a lot of what is proposed here is really trying to turn pen testing into more audit-like engagements, with requiring enterprise maturity assessments and multiple documents, etc. Especially in the financial industry, more pages of audit results in cut-and-paste standardized formats will have zero correlation to increased security. The most valuable pen test engagements seem to involve more "bespoked-ness" not less.
(Henry): The idea of pentesters assuming the adversaries' tactics, techniques, and procedures rather than merely probing the perimeter of the network is an innovative concept. If you're interested in stopping sophisticated attackers, why not test your defensive and Incident Response capabilities against those very "actors"? (portrayed, of course, by trusted vendors working in coordination with your organization.)
(Murray): Penetration testing is not likely to highlight the fact that banks are not ensuring that transactions are properly authorized or that officers and other privileged employees are inadequately supervised. Banks are already doing a better job than most of addressing system and network vulnerabilities but not of addressing customer and employee risks. ]
CrowdStrike Identifies Another Chinese Espionage Group (June 9, 2014)The five members of China's People's Liberation Army who were indicted last month for allegedly breaking into systems of US companies and stealing sensitive information "are just the very tip of the iceberg," according to security company CrowdStrike co-founder George Kurtz. A report from CrowdStrike identifies another group in China that has conducted attacks aimed at stealing information from European, Japanese, and US governments, military contractors, and research and technology companies. This particular group has been infiltrating networks for at least seven years. Employees at the targeted companies, which have not been named, received emails with attached PDFs that claimed to be invitations to relevant conferences, but which actually infected their computers with malware, allowing the group to access the compromised machines and worm their way through the networks. US intelligence agencies are currently tracking activity of more than 20 such groups in China, according to current and former US officials.
************************** Sponsored Links: ******************************
1) Kill Malware with Intelligent sensors, a review of SANS network security survey, featuring Rob Vandenbrink Thursday, June 19, Special Time of 3 PM EDT http://www.sans.org/info/161435
2) Dave Shackleford reviews McAfee's Next Gen Firewall in detecting advanced evasion tools and more Friday, June 20 at 1 PM EDT http://www.sans.org/info/161440
3) Provide input to the Critical Security Controls! Tell us your wins, misses and wish lists with the CSCs in this quick survey: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9 webcast link: http://www.sans.org/info/160675
4) The FedRAMP Program is seeking to hire a GS 13-14 management program analyst to provide overall program support including responding to agency requests, develop new practices and policies, and interact with information security personnel across cloud service providers, third party assessor organizations and federal agencies. Any interested candidates should send a cover letter, resume, and any additional information to email@example.com and firstname.lastname@example.org no later than June 30.
THE REST OF THE WEEK'S NEWS
ACLU Map Shows States Where Law Enforcement Has Stingray Technology (June 12, 2014)The American Civil Liberties Union (ACLU) has published a map showing which states' law enforcement agencies have cell site simulators. The controversial technology often identified as Stingray, which is actually the trademarked name of a specific device made by a Florida-based company, is confirmed to be owned by law enforcement agencies in 15 US states. Use of the technology in other states has been neither confirmed nor denied. The Harris Corporation, which manufactures Stingray, has required law enforcement agencies that purchase the technology to sign non-disclosure agreements, which prohibit the agencies from even discussing whether or not the have/use the devices and certainly from explaining them.
[Editor's note (Northcutt): Great point in the synopsis that not all cell phone Man In The Middle, (MITM), devices are manufactured by Harris. There are a growing variety of vendors selling these and since 2010, the plans to make one for less than two thousand dollars have been available. So, cell phone MITM is not just for governments anymore. If someone wants to simply intercept calls as opposed to MITM, (WARNING illegal in the US), a scanner, such as a Radio Shack Pro-2005 can do the job. I am surprised the market for encrypted cell phones isn't bigger, the technology is available at a reasonable price. But I guess people are getting used to the concept of a total loss of privacy:
Man Admits to Stealing eMail Credentials and Fraudulent Activity (June 10 & 12, 2014)Attackers were able to exploit weaknesses in systems at US government agencies to trick employees at the Environmental Protection Agency (EPA) and Census Bureau into revealing their email account access credentials. The attackers used the accounts to order nearly US $1 million worth of office supplies, which they sold online. One man has admitted to offenses related to the scheme; he faces up to 20 years in prison. Some government agencies have not implemented encryption and verification procedures on webpages and email, enabling this sort of attack.
[Editor's Note (Murray): Implementing "encryption and verification procedures on webpages and email" does not do much to address "social engineering." ]
Reports of TweetDeck Attack Greatly Exaggerated (June 11, 2014)A reported malware attack on TweetDeck appears to be nothing more than a vulnerability that could be exploited through cross-site scripting (XSS). A 19-year-old Austrian man says he stumbled upon the flaw while working on code for a heart-shaped symbol to tweet. When he realized what he had found, the man reported the issue to TweetDeck.
Feedly Refuses to Pay Ransom to Stop DDoS Attacks (June 11 & 12, 2014)Distributed denial-of-service attacks have taken down cloud-based services including news aggregator Feedly, note taking service Evernote, and music-streaming service Deezer. Feedly said that it was contacted by people claiming to be responsible for the attack demanding payment to make it stop. The company did not comply, and managed to resume operations. The attackers persisted in their attack on Feedly, launching a second salvo on Thursday, June 12; Feedly was restored about four hours after the attack began. Evernote and Deezer are up and running as usual.
[Editor's Note (Pescatore): Good for you, Feedly - as long as you are taking the money you saved in forgoing the extortion payment and applying some of it to better DDoS mitigation. ]
Federal Appeals Court Says Police Need Warrants to Access Cell Phone Location Data (June 11, 2014)A federal appeals court in Florida has ruled that law enforcement officials must obtain warrants to access phone location data from cell phone towers. The decision says, in part, "cell site location information is within the subscriber's reasonable expectation of privacy," and to gain access to that information without a warrant violates the Fourth Amendment.
Target Hires First CISO (June 11, 2014)Target has hired a chief information security officer (CISO), the first in the company's history. Brad Malorino was named Target Senior Vice President and CISO. Malorino was CISO at General Electric, and more recently, chief information security and information technology risk officer at General Motors. The aftermath of the massive Target breach last year saw the resignation of former Target CEO Gregg Steinhafel and the firing of its former CIO Beth Jacobsen.
[Editor's Note (Henry): Hiring a CISO is a great step, though I question the chain of command. Having a CISO report to the CIO is the digital equivalent of having the auditor report to the CFO. The CIO in a corporation is responsible for delivering capabilities throughout the organization in an effective and efficient way, and I believe this reporting structure presents an inherent conflict which could impact security. I would much rather see the CISO in a company report to the CSO or the CRO, who have a very different mission and perspective.
(Pescatore): Imagine if a company had a financial scandal and the headline's said "After Financial Mess, Company X Hires First CFO" ]
Android Changes App Update Permissions Change Notification (June 11, 2014)A change in the way automatically updated Android apps inform users about changes in permissions could put users at risk of having their information shared, or allowing their device to send SMS messages from apps without their knowledge. Formerly, apps displayed any permission changes when they updated automatically. Now, permission changes are not displayed if users have previously allowed a permission in the same category.
Microsoft Challenging Warrant Seeking Records Stored on Server in Ireland (June 11, 2014)Microsoft is challenging a search warrant from the US government seeking data stored overseas. The government wants access to email messages stored on machines in a data center in Ireland. Microsoft maintains that data stored on servers in Ireland are subject to the laws of that country, not those of the US.
[Editor's Note (Pescatore): All those off-shore (well, off-shore to most) financial havens could see a booming business in hosting data centers. ]
Microsoft and Adobe Security Updates (June 10 & 11, 2014)Microsoft has released seven security bulletins to address a total of 66 vulnerabilities in Word, Office, Internet Explorer (IE), and Lync. The IE bulletin accounts for 59 of the flaws and affects IE versions 8 through 11. Adobe has released security updates updates for Flash Player and Air.
Adobe Flash Bulletin:
Mozilla Updates Firefox to Version 30 (June 11, 2014)Mozilla has released Firefox 30, a browser update that addresses seven security issues, five of them critical. Mozilla urges users to update their browsers as soon as possible. Firefox 29 was released six weeks ago.
[Editor's Note (Murray): Browsers are the Achilles Heel of personal computers and of the Internet. It does not appear to be getting any better and there is not much to choose among them on the basis of security. ]
Clandestine Fox Group Strikes Again (June 10 & 11, 2014)A group behind a malware campaign dubbed Operation Clandestine Fox is exploiting a critical flaw in Internet Explorer (IE) to spread malware through contacts made through social media sites. The shift to social media came after Microsoft released a patch for the flaw last month. This time, the attacker approached the target, an energy company employee, through social media, learning as much as possible about the company before sending a malware-laced resume.
STORM CENTER TECH CORNERLinkedIn Apparently Uses IP Addresses to Find Connections
Metasploit Module for Recent OpenSSL Vulnerability
Wireshark Update and 1.8 EOL
Shadowserver Hosts Cryptolocker Checker
"Lights Out" server remote control feature still widely vulnerable.
iOS 7 Lock Screen Bypass allows access to last used App
Enumerating valid GMail Addresses
Attackers are Looking for Exposed Secret Keys
Cryptowall Taking the Spotlight from Cryptolocker
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/