SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #61
August 01, 2014
SANS Network Security 2014 (Las Vegas in October) just opened for registrations and you can save $400 by registering in the next 4 weeks. This is the conference where classes fill up and are sold out. This time 40 of the most popular classes plus 6 impressive new ones:
-- SEC511: Continuous Monitoring and Security Operations with Eric Conrad
-- SEC760: Advanced Exploit Development for Pen Testers with Stephen Sims
-- FOR526: Memory Forensics In-Depth with Alissa Torres
-- FOR572: Advanced Network Forensics and Analysis with Philip Hagen
-- FOR585: Advanced Smartphone Forensics with Heather Mahalik
-- ICS410: ICS/SCADA Security Essentials with Graham Speake
TOP OF THE NEWSBadUSB Proof-of-Concept Tools Demonstrate Security Risks Inherent in USB Design
US-CERT Issues Warning About Backoff Point-of-Sale Malware
THE REST OF THE WEEK'S NEWSCIA Director Apologizes for Unauthorized Access of Senate Committee Computers
Judge Says Microsoft Must Turn Over eMails Stored on Server in Ireland
Attack on Tor Attempted to Strip Traffic Anonymization
DHS Wants Corporate Boards to Make Cyber Security a Priority
Researcher Finds Vulnerabilities in Antivirus Products
Canadian Government Points Finger at China for National Research Council Breach
House Passes Bills to Address Critical Infrastructure Security
House Bill Would Require Federal CIOs to Sign Off on Web Site Security
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
********************* Sponsored By Bit9 + Carbon Black *******************
XP End of Life is here - there are NO MORE security updates or critical patches available unless you pay for high cost support. How will you protect your organization? Keep your XP systems compliant and secure - without upgrading or paying for out-of-band support! Download the free eBook today.
- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
- --Cyber Defense Summit | Nashville, TN | August 13-20, 2014 Join Dr. Eric Cole at this premier Cyber Defense-focused event and learn how to implement best practices and proven techniques that will enable you to stay on top of today's threats and ahead of tomorrow's. Prevent --> Detect --> Respond... A Winning Formula for Cyber Defense! 7 courses.
- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
- - --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Nashville, Bangkok, Tallinn, and Hong Kong all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
BadUSB Proof-of-Concept Tools Demonstrate Security Risks Inherent in USB Design (July 31, 2014)While most people are aware that USB drives carry risks of spreading malware - don't let executable files run if you're not sure of the device's provenance - a more concerning security issue lies at their core. At the Black Hat security conference next week, researchers plan to present a demonstration of proof-of-concept malware that exploits the way USBs are designed. The malware can change DNS settings and be used to conduct man-in-the-middle attacks. The malware lies not in flash memory, but in the firmware, so it sticks around after the device's memory has been wiped. It is nearly impossible to detect firmware tampering because there is no trusted basis for comparison and no code signing.
[Editor's Note (Murray): USB stands for "universal serial bus." The key words are "bus" and "universal." It is a very powerful and fundamental extension of the computer. Anything attached to it, is part of the computer. We did not need this presentation to tell us that. Neither should it come as a surprise that Moore's Law applies to the things that can attach to it. When I was small, and first left the house by myself, my mother told me never to take USBs from strangers. When I was a little older, my daddy told me never to put my USB in someone else's machine. When my sister went out, she was told never to let anyone put their USB in her machine. It was called "practicing safe computing" or "good hygiene." Fortunately for us, most, but not all, of the USB ports and devices in the world are sterile. This is a large fundamental vulnerability with a relatively small threat; a low risk. ]
US-CERT Issues Warning About Backoff Point-of-Sale Malware (July 31, 2014)A joint advisory from the US Department of Homeland Security (DHS) and the Secret Service warns that attackers are exploiting publicly available remote access tools to infect retailers' point-of-sale systems with malware known as Backoff. The attackers use scanning tools to detect retail systems that use remote desktop applications. The advisory offers suggestions for protecting systems from such attacks, including limiting the number of users and workstations with remote access capabilities, and locking accounts after a specified number of bad login attempts.
[Editor's Note (Murray): The Verizon Data Breach Incident Report (DBIR) has been giving similar advice for years. Only this year did it begin to recommend strong authentication. In a world in which mobile computers are ubiquitous, strong authentication is cheap but remains resisted. ]
**************************** SPONSORED LINKS ******************************
1) Ghost In The Supply Chain: How Advanced Attackers Exploit Vulnerabilities In Your Supply Chain Wednesday, August 13 at 1:00 PM EDT (17:00:00 UTC) with James Lyne and Paul Roberts. http://www.sans.org/info/165157
2) You may have the best security, but compromises still happen. Learn how to be prepared in webcast featuring SANS analyst Jacob Williams, Wednesday, August 20 at 1 PM EDT http://www.sans.org/info/165162
3) Detect and Block Advanced Targeted Threats and Foreign Espionage and Protect Your Trade Secrets: A SANS WhatWorks webinar Featuring Fidelis XPS. Tuesday, August 12 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore. http://www.sans.org/info/165172
THE REST OF THE WEEK'S NEWS
CIA Director Apologizes for Unauthorized Access of Senate Committee Computers (July 31, 2014)CIA Director John Brennan has apologized to the Senate Intelligence Committee for improperly accessing Senate computers during the Senate's investigation into Bush-era interrogation practices. Brennan called the action "inconsistent with the common understanding" between the agency and Senate overseers. Earlier this year, Brennan denied that the CIA had accessed the computers.
Judge Says Microsoft Must Turn Over eMails Stored on Server in Ireland (July 31, 2014)A US District Judge in New York has ordered Microsoft to turn over email records stored on a company server in Ireland to US authorities. US District Judge Loretta Preska wrote that "it is a question of control, not a question of the location of that information." Privacy laws in Europe are stronger than those in the US.
Attack on TOR Attempted to Strip Traffic Anonymization (July 30, 2014)The TOR Project has issued an advisory about malicious relays being used to launch an attack on the TOR network that persisted for five months and may have revealed identifying information about the network's users. The TOR Project says it stopped the attack on July 4. The attack appears to have been designed to unmask TOR users' identities. It is possible that the attack was launched by researchers at Carnegie Mellon University, who recently cancelled a talk they planned to give at the Black Hat security conference at the behest of CMU lawyers. The TOR Project also said that anyone who used the service or operated the service during that time "should assume they were affected."
TOR Project Advisory:
[Editor's Note (Murray): Like breaking crypto, breaking TOR is expensive, but given government's resources and determination, it would be foolish to bet one's life that they cannot do it. They know the protocol better than anyone and they own some of the routers. ]
DHS Wants Corporate Boards to Make Cyber Security a Priority (July 30, 2014)A high-level official at the US Department of Homeland Security (DHS) is urging companies to make cyber security policy a top priority for the board of directors. Andrew Ozment, DHS assistant secretary for the Office of Cybersecurity and Communications, supports principles laid out in the "NACD Directors' Handbook on Cyber-Risk Oversight," which will be available on the US-CERT website.
[Editor's Note (Pescatore): I just posted some thoughts on what cybersecurity questions boards and CEOs should ask CIOs and CSOs, based on the lessons learned from GM's ignition switch fiasco. See
Researcher Finds Vulnerabilities in Antivirus Products (July 29 & 30, 2014)A researcher in Singapore examined antivirus products and found remotely exploitable flaws in 14 of them. Analysis accompanying the results indicates that many antivirus products pose security risks by requiring broad privileges, not signing updates, and delivering updates over HTTP.
Canadian Government Points Finger at China for National Research Council Breach (July 29 & 30, 2014)The Canadian government says that attacks on the country's National Research Council were conducted by "a highly sophisticated Chinese state-sponsored actor." The breach was investigated and confirmed by Canadian intelligence agency, the Communications Security Establishment. The National Research Council's computers have been isolated from the Canadian government network.
House Passes Bills to Address Critical Infrastructure Security (July 29, 2014)The US House of Representatives has approved legislation aimed at improving the cyber security of companies that operate elements of the country's critical infrastructure. One of the bills would create public-private partnerships. Another bill focuses on improving critical infrastructure security technology, and a third bill is aimed at building DHS's cyber work force.
House Bill Would Require Federal CIOs to Sign Off on Web Site Security (July 29, 2014)A bill passed by the House of Representatives would require federal websites that retain personally identifiable information to be certified as secure by an agency chief information officer. New sites would have to obtain CIO approval before going live. Sites that are already live and were launched after October 1, 2013 would have to obtain the approval within 90 days of the bill's passage.
[Editor's Note (Pescatore): Since any federal system that handles personally identifiable information already has to go through a certification and accreditation effort and be signed off by the Delegated Approval Authority, this bill is meaningless. It has a very lightweight definition of web site security, vs. requiring an increase in rigor of assuring web site software has no vulnerabilities before going on to production websites. ]
STORM CENTER TECH CORNERUsing a Raspberry Pi as a Honeypot
Microsoft Releases EMET 5.0
Apple scammed out of $300k due to credit card processing flaw
Symantec Endpoint Protection Privilege Escalation Exploit
Oxygen Forensics Makes use of iOS File Relay Service to Extract Data
HP Investigates "Internet of Things" devices and finds plenty of Vulnerablities
Android Fake ID Vulnerability
iPhone Instagram side jacking vulnerability
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/