SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #75
September 19, 2014
Eight places left in the 2014 Cybersecurity Press Fellowship program in which journalists attend intense SANS course on how hacking exploits work. Email firstname.lastname@example.org with name, publication, role, and level of experience.
TOP OF THE NEWSSenate Investigation Reveals China Broke Into Key Pentagon Networks
iOS 8 Prevents Apple From Accessing Device Data
Attackers Launched Cross-Site Scripting Attack on eBay Auction Page
THE REST OF THE WEEK'S NEWSEvolution Online Black Market Trades in Drugs, Account Credentials, and Health Data
Breached Healthcare.gov Test Server Was Still Using Default Password
USAF IT Strategy to Require Baked-In Cyber Security
Apple's "Warrant Canary" Disappears from Transparency Reports
Home Depot Breach Affected 56 Million Cards
Citadel Banking Trojan Now Being Used for Espionage
StingRay Maker Might Have Misled FCC About Device's Purpose
Managed Service Provider Apologizes for Breach That Compromised Goodwill Card Data
Adobe Releases Fixes for Reader and Acrobat
Microsoft Pulls Problematic Lync Update
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
******************** Sponsored By Bit9 + Carbon Black ********************
XP End of Life is old news, so why are so many organizations, especially in retail and healthcare, leaving themselves exposed? Premium support extensions are ending next month; Windows Server 2003 and XP-embedded EOL are on the horizon. Download our free eBook: XP End of Life for the Upgrade Latecomer to learn how to stay compliant and secure.
- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
- --SANS London 2014 | London, UK | November 15-24, 2014 17 courses.
- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Senate Investigation Reveals China Broke Into Key Pentagon Networks (September 17 & 18, 2014)Chinese government operatives infiltrated computer systems at US airlines and military contractors more than 20 times over the course of a year, according to a recently-declassified US Senate investigation report. In one instance, malware was uploaded to an airline's computers.
[Editor's Note (Pescatore): I read through the entire report, and while much was redacted, I could not find a single mention of *why* the attacks succeeded, or what vulnerabilities were exploited. Instead the focus is "the attacks came from China and no one told the government". I'll bet that over 80% of the breaches were due to simple, known vulnerabilities - which is what the Verizon Data Breach Investigation Report finds every year. Close the hole and it doesn't matter who the attacker is; they either don't get in or they get much noisier in their attempts. ]
iOS 8 Prevents Apple From Accessing Device Data (September 18, 2014)Apple says that the most recent version of its mobile operating system removes the company's ability to provide law enforcement with data from devices running iOS 8. Encryption used in this iteration of iOS prevents everyone expect the device's owner from accessing data stored on the device. Apple will still be able to turn over data stored elsewhere, such as in iCloud. However, while Apple may not have the ability to access those data, police could ostensibly retrieve the data from locked devices.
[Editor's Note (Pescatore): Apple is using privacy as a competitive feature against Google, since Google is driven by ad revenue that comes from selling advertisers information about and from their product and service users. That's not quite the same as competing on security, but it at least heads in the same general direction. From the law enforcement perspective, this removes an odd capability - imagine if national intelligence or law enforcement could go to companies that make safes and say "give me the combination to John P.'s safe." They can't - they have to get a court order to compel the owner to provide the combination. Phones, PCs, tablets, etc. should really be more like safes. From the user perspective, this only happens if you turn on the passcode feature - and if your forget your passcode, you will lose most of your data. So, you should back up to something - but if you back up to the cloud (such as iCloud) the government can compel the cloud service provider to hand over your data. And, Apple's iCloud (while recently improved) did not have a stellar security reputation. Bottom line: Apple's direction here is the right way to go but they need to make security as important a competitive feature as keeping information away from government.
(Ullrich): In its recent iOS 8 and Apple Pay announcements, Apple emphasized the privacy features as a differentiator to competing software and services. If successful, this could become a signal for others. This would however contradict academic studies that showed repeatedly that customers are not willing to pay for improved privacy. ]
Attackers Launched Cross-Site Scripting Attack on eBay Auction Page (September 17 & 18, 2014)Some eBay users were victims of an attack that caused some users who clicked on links on the site to be taken to duplicated, malicious pages where account access credentials were stolen. The attack affected users who were viewing certain iPhone auctions.
[Editor's Note (Ullrich): Cross-Site Scripting (XSS) isn't only hard to prevent, but also frequently underestimated. A XSS vulnerability gives an attacker full control over your page and the "victim" in most cases is the user of the page. ]
**************************** SPONSORED LINKS ******************************
1) Don't Miss: Security for the People: End-User Authentication Security on the Internet Tuesday, September 23 at 3:00 PM EDT (19:00:00 UTC) with Mark Stanislav and Paul Roberts. http://www.sans.org/info/167657
2) Beating the Status Quo: Reinforce Your Defense to Detect & Resolve Evolving Threats Wednesday, September 24 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Mohan Sadashiva. http://www.sans.org/info/167662
3) Don't Miss: Hardening Retail Security: Why and How to Prevent Breaches and Attacks - Thursday, September 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Erick Ingleby: http://www.sans.org/info/167667
THE REST OF THE WEEK'S NEWS
Evolution Online Black Market Trades in Drugs, Account Credentials, and Health Data (September 18, 2014)Since the takedown of the Silk Road online black marketplace, others have stepped in to take over its shady trades. One of those, Evolution Markets deals not only in drugs, but also stolen financial account credentials and medical records. The medical records appear to have been stolen from a life insurance company. Evolution is accessible only through Tor.
Breached Healthcare.gov Test Server Was Still Using Default Password (September 18, 2014)The Healthcare.gov test server breached earlier this summer was still using its default password. US-CERT Team Director Ann Barron-DiCamillo told the House Oversight and Government Reform Committee that the breach did not compromise any patient data "due to the segmentation of the network." The intruders used the access to harness the server's resources to launch attacks against other websites.
[Editor's Note (Murray): The Verizon Data Breach Incident Report (DBIR) documents that they are still implicated in a significant portion of breaches. The same report suggests that so are orphan systems. ]
USAF IT Strategy to Require Baked-In Cyber Security (September 15 & 17, 2014)Air Force Brig. Gen. Sarah Zabel says that USAF's revamped information technology strategy, aimed at protecting its equipment from cyber attacks, will require cyber security in every program from the start.
[Editor's Note (Pescatore): This is good to hear - "building security in" is always good to hear. But, the key is "building in" not "adding on earlier." Requiring all software vendors to provide evidence of secure development lifecycles, having acceptance criteria for all software include evidence of clean application security testing runs, all systems designed out of the box in "deny all except what is explicitly enabled" and many other well proven truisms give much more bang for the buck that trying to bolt on "Host Based Security Subsystems" onto PCs and servers running chaotically designed/developed apps.
(Honan): It will be interesting to see whether the size of the USAF IT budget will encourage vedors to make their products more secure. Hopefully other large government departments and corporates will take a similar approach to provide further pressure on vendors. ]
Apple's "Warrant Canary" Disappears from Transparency Reports (September 18, 2015)Apple's "warrant canary" - a statement in its transparency report that the company has never received an order from the US government under the Patriot Act - is conspicuously absent from the company's two most recent reports. The report for the first six months of 2014 does say that "Apple has not received any orders for bulk data."
Home Depot Breach Affected 56 Million Cards (September 18, 2014)Home Depot acknowledged that the breach of its point-of-sale systems affected an estimated 56 million payment cards. Is a press release, the company said that the attackers used "unique, custom-built malware." Additional information about the data breach at Home Depot suggests that it affects mainly cards used in self checkout lanes.
[Editor's Note (Pescatore): Lesson learned in these recent PoS attacks is why in the world aren't you using white listing on the PCs attached to payment devices? There is absolutely no business need to allow arbitrary software to run on tills/registers. One area the PCI regime could improve this: Reduce the DSS emphasis on antivirus software everywhere and focus more on whitelisting/application control on any computing device in the PoS chain.
(Murray): Krebs suggests that the breach may have been focused on self-checkout. Home Depot customers should demand new account numbers. Home Depot should look to the example of UPSStore to learn how to report a breach. All merchants need to implement strong authentication on any remote access and lock down all register systems. Online merchants need to resist fraudulent use of credit card numbers (e.g., Verified by Visa, MasterCard SecureCode, PayPal, Apple Pay). The issuers must accelerate the issuance of EMV cards until a safer method comes along. The brands should give at least the same encouragement to contactless card readers as to EMV. The system is broken and there is a necessary role for everyone in fixing it, but leadership must come from the brands. ]
Citadel Banking Trojan Now Being Used for Espionage (September 17, 2014)Researchers have found a variant of malware known as Citadel that has been repurposed to steal sensitive information from petrochemical companies in the Middle East. Citadel was previously known for being used to steal online banking credentials through man-in-the-middle attacks.
[Editor's Note (Murray): One of the "Dirty Little Secrets" of enterprise security is that it is easy to escalate privileges and compromise systems. Level of trust is too high. Restrictive policies, strong authentication, and end-to-end encryption are now essential practices. ]
StingRay Maker Might Have Misled FCC About Device's Purpose (September 17, 2014)Included in the pages of emails that were part of the Harris Corporation's 2010 application for Federal Communications Commission (FCC) authorization for their cellular surveillance device known as StingRay is one message in which the company tells the FCC that StingRay "is only to provide ... law enforcement officials with authority to utilize this equipment in emergency situations." This appears to misrepresent how the devices are actually used by law enforcement.
[Editor's Note (Pescatore): It was a bit of a publicity stunt, but a vendor of secure cellphones recently drove Washington Post reporters around DC and found 18 IMSI catchers active in the area. The availability of such capabilities is increasing and becoming affordable by criminal groups, not just governments. The FCC has started the process of looking into this but the bottom line is that the market for secure cellphones is not large, but will grow. ]
Managed Service Provider Apologizes for Breach That Compromised Goodwill Card Data (September 16 & 17, 2014)Managed service provider C&K Systems has apologized for a breach in which intruders compromised customer payment card data at three organizations, including Goodwill. The breach was in C&K's "Hosted Managed Services Environment," which was affected "intermittently between February 10, 2013 and August 14, 2014." The attackers used "highly specialized point-of-sale (POS) malware ... that was undetectable by
security software systems until" earlier this month.
C&K Systems Statement:
[Editor's Note (Ullrich): If you look at your logs, and you don't find anything interesting, you are not looking at your logs. If you look at your logs for 18 months while you are compromised, then you are not looking at your logs at all. In many SOCs I have seen, "watching the logs" is done by the least qualified, most junior group of people if it is not outsourced. Without proper guidance and ongoing mentoring by more senior staff, they are not watching logs but instead they are watching the clock on the wall move to the end of their shift. ]
Adobe Releases Fixes for Reader and Acrobat (September 16, 2014)Adobe has released fixes for vulnerabilities in Reader and Acrobat. The patches were scheduled to be released last week but were delayed due to testing issues. The patches address eight flaws in version of the software for Mac and PC. Adobe released fixes for security issues in Flash and Air last week.
Adobe Security Bulletin:
Microsoft Pulls Problematic Lync Update (September 16, 2014)Microsoft has pulled a security update for Lync after users reported having trouble installing it. The bulletin that includes this fix is unusual because it does not list any vulnerabilities addressed and it does not have a severity rating.
STORM CENTER TECH CORNEReBay XSS Vulnerability abused in phishing attack
Apple Support Phishing
Background Search Spam
iOS 8 Update
OWASP Releases new Web App Testing Guide (Version 4.0)
New TLD Used in Phishing
FreeBSD Spoofed SYN DoS Vulnerability
Adobe Releases Delayed Reader/Acrobat Bulletin
Python Script allows Download of iCloud Backups
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/