Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVI - Issue #53

July 04, 2014


Below "Top of the News" you'll find the current list of the eleven newest knowledge/skills sets that advanced security practitioners recognize they are missing.

TOP OF THE NEWS

Sophisticated Attacks Target Energy Companies
Grid Security Concerns
SEC Investigating Companies' Handling of Cyber Attacks

THE REST OF THE WEEK'S NEWS

Microsoft Security Updates Include Critical Fixes for Internet Explorer
Analysis of Leaked XKeyscore Source Code Shows NSA Targets Tor Users
HijackRAT Targets Banking Apps on Android Devices
Hedge Fund Attack Was Hypothetical
Thieves Targeting Brazilian Boletos Steal US $3.75 Billion in Two Years
Flaws in New Oracle Database "Data Redaction" Feature
ISPs File Complaint Against GCHQ Over Alleged Spying
FOIA Lawsuit Seeks Documentation of Intelligence Agency Flaw Stockpiling
Microsoft Apologizes for No-IP Domain Takeover

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


***************************************************************************
TRAINING UPDATE


- --SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


- --SANS San Francisco 2014 San Francisco, CA July 14-19, 2014 7 courses. Bonus evening presentations include Aligning Your Defenses with Today's Evolving Threats; and Malware Reloaded.
http://www.sans.org/event/san-francisco-2014


- --SANS Boston 2014 Boston, MA July 28-August 2, 2014 11 courses. Bonus evening presentations include APT: It is Time to Act; Continuous Ownage: Why You Need Continuous Monitoring; and The Bot Inside the Machine.
http://www.sans.org/event/boston-2014


- --SANS Virginia Beach 2014 Virginia Beach, VAAugust 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Sophisticated Attacks Target Energy Companies (July 1, 2014)

A group of attackers known as Dragonfly or Energetic Bear have been targeting US and European energy companies. The targets include "strategically important" organizations, including grid operators, petroleum pipeline operators, and companies that generate electricity, according to Symantec. The group of attackers has been operational since 2011 and work from 9AM to 6PM , Monday through Friday. The regular schedule together with the group's "resources, size, and organization" suggest that the operation has government support, or is at least trying to sell its services to a government. The time zone is the same as that of eastern European countries, including Russia. The US Industrial Control System Computer Emergency Response Team (ICS-CERT) is urging critical infrastructure companies to check their systems for signs of intrusions.
-http://www.bloomberg.com/news/2014-06-30/symantec-warns-energetic-bear-hackers-t
hreaten-energy-firms.html

-http://www.zdnet.com/hacker-raid-on-energy-companies-for-secrets-raises-sabotage
-fears-7000031107/

-http://www.v3.co.uk/v3-uk/news/2353208/dragonfly-hackers-preparing-for-stuxnet-l
evel-strikes-on-critical-infrastructure

ICS-CERT Advisory:
-https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01

Grid Security Concerns (July 2, 2014)

Some experts are saying that the addition of wind farms, solar panels, and smart meters to the power grid add points at which attackers could infiltrate and attack the country's energy grid. There have been documented attacks on the power grid that damaged equipment, disrupted service, and required long term repairs. An Ernst & Young survey of 61 power and utility companies found that one-third report spending at least US $3 million a year on information security, which includes protecting systems from cyber attacks.
-http://www.bloomberg.com/news/2014-07-01/renewable-energy-s-expansion-exposing-g
rids-to-hacking.html

SEC Investigating Companies' Handling of Cyber Attacks (July 1, 2014)

The US Securities and Exchange Commission (SEC) has launched multiple investigations into companies regarding their handling and disclosure of cyber attacks. The investigations aim to find out whether the companies took adequate precautions with data and whether they informed their customers of the breach and its likely effects. Public companies are required to tell investors when there are events that materially affect share price.
-http://www.bloomberg.com/news/2014-07-02/hacked-companies-face-sec-scrutiny-over
-disclosure.html

******** Eleven Key Skills For Advanced Cybersecurity Practitioners ****** For people who already have solid skills in cybersecurity, these 11 courses are likely to be most effective in moving you to the next level of performance and making you more valuable to your employer or clients: * SEC511: Continuous Monitoring and Security Operations-
-http://www.sans.org/event/network-security-2014/course/continuous-monitoring-sec
urity-operations

* SEC566: Implementing and Auditing the Critical Security Controls-
-http://www.sans.org/event/network-security-2014/course/implementing-auditing-cri
tical-security-controls

* ICS410: ICS/SCADA Security Essentials-
-http://www.sans.org/event/network-security-2014/course/ics-scada-cyber-security-
essentials

* FOR526: Memory Forensics In-Depth-
-http://www.sans.org/event/network-security-2014/course/windows-memory-forensics-
in-depth

* SEC561: Intense Hands-On Penetration Testing-
-http://www.sans.org/event/network-security-2014/course/hands-on-penetration-skil
l-development

* FOR572: Advanced Network Forensics and Analysis-
-http://www.sans.org/event/network-security-2014/course/advanced-network-forensic
s-analysis

* FOR585: Advanced Smartphone Forensics-
-http://www.sans.org/event/network-security-2014/course/advanced-smartphone-mobil
e-device-forensics

* SEC579: Virtualization and Private Cloud Security-
-http://www.sans.org/event/network-security-2014/course/virtualization-private-cl
oud-security

* SEC575: Mobile Device Security and Ethical Hacking-
-http://www.sans.org/event/network-security-2014/course/mobile-device-security-et
hical-hacking

* SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking-
-http://www.sans.org/event/network-security-2014/course/advanced-penetration-test
ing-exploits-ethical-hacking

* SEC760: Advanced Exploit Development for Penetration Testers-
-http://www.sans.org/event/network-security-2014/course/advance-exploit-developme
nt-pentetration-testers


THE REST OF THE WEEK'S NEWS

Microsoft Security Updates Include Critical Fixes for Internet Explorer (July 3, 2014)

Microsoft plans to release six security bulletins on Tuesday, July 8, to address vulnerabilities in Windows, Internet Explorer (IE), and Microsoft Server Software. Two of the bulletins are rated critical; one of those addresses issues in IE. Users running Windows 7 who have not installed an April fix for IE11 will not receive updates for the browser.
-http://www.computerworld.com/s/article/9249552/Microsoft_slates_critical_IE_Wind
ows_patches_for_Tuesday?taxonomyId=17

-http://www.theregister.co.uk/2014/07/03/patch_tuesday_coming_up_and_servers_are_
getting_a_bumper_dose/

-https://technet.microsoft.com/library/security/ms14-jul

Analysis of Leaked XKeyscore Source Code Shows NSA Targets Tor Users (July 3, 2014)

Analysis of source code in a program used by the NSA to snoop on Internet communications suggests that people outside the US who use online privacy and anonymization services are likely to have had their IP addressed collected. The source code is for a program called XKeyscore. The analysis indicates that people who search for tools like Tor will get labeled as extremists. XKeyscore also conducts deep packet inspection on messages sent through Tor. The code was analyzed by German public broadcaster ARD, which did not say how the code was obtained.
-http://arstechnica.com/tech-policy/2014/07/report-rare-leaked-nsa-source-code-re
veals-tor-servers-targeted/

-http://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/
-http://www.cnet.com/news/nsa-likely-targets-anybody-whos-tor-curious/
[Editor's Note (Murray): In his recently published novel, Sting of the Drone, Richard Clarke implied that NSA has compromised the anonymizers. They have to be a prime target. ]

HijackRAT Targets Banking Apps on Android Devices (July 3, 2014)

A remote access Trojan (RAT) known as HijackRAT infects Android devices and steals mobile banking information using a variety of tactics, including disabling antivirus programs. Once the malware has been installed on a device, the uninstall feature is disabled. HijackRAT currently targets eight Korean mobile banking applications.
-http://www.scmagazine.com/sneaky-android-rat-disables-required-anti-virus-apps-t
o-steal-banking-info/article/359412/

-http://www.theregister.co.uk/2014/07/03/android_nasty_packs_multiple_tricks/

Hedge Fund Attack Was Hypothetical (July 3, 2014)

The recent report of a cyber attack on an unnamed hedge fund has been revealed to be false. In an interview several weeks ago with CNBC reporters, an employee of British security company BAE Systems Applied Intelligence told CNBC reporters a story about a cyber attack on a hedge fund that was presented as a "client case study" rather than an "illustrative scenario."
-http://www.forbes.com/sites/katevinton/2014/07/03/report-of-unnamed-hedge-fund-b
reach-proves-false/

-http://www.theregister.co.uk/2014/07/03/bae_retracts_hedge_fund_hack_allegation/

Thieves Targeting Brazilian Boletos Steal US $3.75 Billion in Two Years (July 2 & 3, 2014)

According to a report from RSA, thieves using a man-in-the-browser attack targeting Boletos - Brazilian money orders - have stolen US $3.75 billion since 2012. Boleto Bancario is second only to credit cards in frequency of use for payment in Brazil. The Boleto malware infects machines running Windows and intercepts electronic Boletos and modifies the designated destination of funds. The scheme affects at least 34 different Brazilian banks.
-http://www.zdnet.com/rsa-brazils-boleto-malware-stole-nearly-4-billion-in-two-ye
ars-7000031197/

-http://www.scmagazine.com/brazilian-bolware-gang-targeted-375b-in-transactions-r
sa-finds/article/359083/

-http://www.nbcnews.com/tech/security/brazilian-bolware-bandits-bank-billions-cyb
er-fraud-n146936

RSA Report:
-https://blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research
-July-2-FINALr2.pdf

[Editor's Note (Murray): Am I the only one who finds it highly unlikely that this much money could go missing, in so short a time, from so few, and victims were not screaming? ]

Flaws in New Oracle Database "Data Redaction" Feature (July 2, 2014)

Renowned security expert David Litchfield has found a vulnerability in a new feature of Oracle databases that was intended to improve data security. The feature, known as data redaction, allows database administrators to edit out or mask data in SQL query results so users see only what they are authorized to see. Litchfield says the feature can be circumvented in several ways. He notified Oracle about the flaws in November 2013, and the company is working on a patch. Litchfield will present details of his findings at the Black Hat USA conference in August.
-http://www.darkreading.com/application-security/database-security/researcher-fin
ds-flaws-in-key-oracle-security-feature/d/d-id/1279078?

ISPs File Complaint Against GCHQ Over Alleged Spying (July 2, 2014)

Seven Internet service providers have filed a complaint against GCHQ regarding allegations that the British intelligence agency broke into their networks to conduct surveillance. The complaint filed with the Investigatory Powers Tribunal calls for GCHQ to stop targeting system administrators to gain access to networks. The complaint was prompted by reports that GCHQ had targeted employees of Belgacom to gain access to the telecommunications company's network. They were allegedly targeted not because they posed any sort of security threat, but because they were administrators for a network that intelligence wanted to infiltrate.
-http://www.wired.com/2014/07/gchq-illegal-spying/

FOIA Lawsuit Seeks Documentation of Intelligence Agency Flaw Stockpiling (July 1 & 2, 2014)

The Electronic Frontier Foundation (EFF) has filed a Freedom of Information Act (FOIA) lawsuit for information about US intelligence agencies' stockpiling of security flaws. Specifically, the request seeks information about how intelligence agencies decide which flaws to disclose and which to keep secret. The privacy rights group is concerned that the flaws, which have not been patched by software vendors, could pose a threat to users.
-http://www.theregister.co.uk/2014/07/02/eff_sues_nsa_over_agencys_policy_of_hoar
ding_zeroday_flaws/

-http://www.computerworld.com/s/article/9249507/EFF_sues_the_NSA_to_disclose_use_
of_software_security_flaws?taxonomyId=17

Microsoft Apologizes for No-IP Domain Takeover (July 1 & 2, 2014)

Microsoft has apologized for disruptions caused by its takedown of several No-IP domains. Microsoft had been granted a temporary restraining order by a Nevada judge to take control of 23 No-IP domains because those domains were being used to install malware on users' computers surreptitiously. The plan was for Microsoft to filter out the malicious subdomains and let the legitimate ones resolve correctly. However, virtually all No-IP users were without service for a period of time. Microsoft acknowledged that it had made a technical error and says that the problem has been fixed. No-IP is a dynamic domain hosting service. Microsoft's takedown action did reportedly disrupt a significant number of attacks.
-http://arstechnica.com/security/2014/07/order-restored-to-universe-as-microsoft-
surrenders-confiscated-no-ip-domains/

-http://www.theregister.co.uk/2014/07/01/sorry_chaps_microsoft_unborks_legitimate
_noip_users_domains/

-http://www.zdnet.com/microsofts-no-ip-seizure-hit-syrian-electronic-army-hard-70
00031160/

-http://www.computerworld.com/s/article/9249509/Microsoft_admits_technical_error_
in_IP_takeover_but_No_IP_still_down?taxonomyId=17

-http://www.computerworld.com/s/article/9249543/No_IP_regains_control_of_some_dom
ains_wrested_by_Microsoft?taxonomyId=17

Editor's Note (Ullrich): Now may be a good time to define how to better deal with domain take downs, and what kind of abuse turn-around-time to expect from services like No-IP, search engines and hosting providers. Just as an example, a malicious link spammed via Microsoft's own Bing search engine, which was reported on Tuesday, is still up and running as #1 result for the targeted keyword. (see
-https://isc.sans.edu/forums/diary/Simple+Javascript+Extortion+Scheme+Advertised+
via+Bing/18337).
]

STORM CENTER TECH CORNER

Javascript Ransom Ware use
-https://isc.sans.edu/forums/diary/Simple+Javascript+Extortion+Scheme+Advertised+
via+Bing/18337

Cisco Unified Communications Domain Manager Update
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
140702-cucdm

OpenSSL Releases Roadmap
-https://www.openssl.org/about/roadmap.html

Iraq Related Malware uses no-ip.com hostnames
-http://intelcrawler.com/news-20

Credit Card Processing in 700 Words or Less
-https://isc.sans.edu/forums/diary/Credit+Card+Processing+in+700+Words+or+Less/18
341



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/