SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #82
October 14, 2014
Help us find the unsung heroes of cybersecurity - inside your own organization - so others can learn from them: Three weeks remaining to nominate people and teams for the 2014 Security Difference Makers Awards to be presented at SANS CDI in Washington DC on 2013. If you know folks who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by using security controls and processes to enable new business issues, send your nominations to email@example.com by 3 November. Full details on how to nominate at http://www.sans.org/cyber-innovation-awards
TOP OF THE NEWSDropbox Says Account Credentials Taken from Other Services
US Manufacturing Company Under Attack for Months
White House Considering Options for Cyber Security Legislation
THE REST OF THE WEEK'S NEWSVulnerable Code in CyanogenMod Android Build
Kmart Discloses Breach
Dairy Queen Acknowledges Breach
Oracle to Address 150+ Vulnerabilities
Judge Dismisses Ulbricht's Motion to Suppress Evidence
Malicious Android App Steals Data
HP Will Revoke Certificate Inadvertently Used to Sign Malware
Locked Shields Cyber War Simulation
STORM CENTER TECH CORNERSTORM CENTER TECH CORNER
************************* Sponsored By Symantec ************************
Symantec Webcast: How not to be Dumb with a Smart Phone, Oct. 16 Join Symantec and learn the security risks of a smart phone, the latest mobile scams; and simple, practical steps to keeping yourself and your organization safe while using a mobile device.
--SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 48 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
--Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
--SANS London 2014 | London, UK | November 15-24, 2014 17 courses. Bonus evening presentation include Stop Giving the Offence an Unfair Advantage; Everything They Told Me About Security Was Wrong; and Incident Handling in the Enterprise.
--Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
--Cyber Defense Initiative 2014 | Washington, DC | Dec 10-19, 2014 | 30 courses. Bonus evening presentations include Gone in 60 Minutes: Have You Patched Your System Today?; A Night of Crypto; and NetWars Tournament of Champions.
--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
--Multi-week Live SANS training
--Looking for training in your own community?
--Save on On-Demand training (30 full courses) - See samples at
Plus Dubai, Sydney, Tokyo, and Muscat all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
Dropbox Says Account Credentials Taken from Other Services (October 13, 2014)Several Pastebin posts claim to contain hundreds of sets of login credentials for Dropbox. A note accompanying the posts claims that credentials for nearly seven million accounts were compromised. Some sets have been confirmed as authentic. Dropbox appears to have reset access credentials for all accounts in the posts. Dropbox has issued a statement saying that they were not compromised, and the posted information was taken from other services.
[Editors' Note (Murray, Honan): If DropBox is correct, then those at risk are only those who have used the same password across multiple online accounts (You know who you are!). Dropbox customers should use Dropbox's strong authentication option. All Internet users should prefer online services that offer strong authentication. ]
US Manufacturing Company Under Attack for Months (October 10, 2014)In a quarterly newsletter, the US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team disclosed that a US manufacturing company experienced a cyber attack that lasted several months. The organization has not been identified, but "is a conglomeration of multiple companies acquired in recent years," which increased the number of network connections.
[Editor's Note (Assante): Complexity serves the attacker's purpose by providing ample opportunity to achieve a freedom of movement. This is one example where the US Government can send the message of 'do as I do' by reducing Internet connections in a deliberate and planned fashion. Security professionals understand the importance of "knowing thyself" and reducing complexity to gain greater efficiency and proper segmentation.
(Honan): I recently had an interesting conversation with a CISO for a similarly large organisation. He pointed out that while the advice to identify all your assets so you can secure them is good advice, for many companies of similar size and larger the sheer number of company acquisitions, mergers, and de-couplings makes this a very difficult task. This makes it more important that Boards are aware of cyber risks for their organisations so security considerations are identified early in every business venture. We no longer need to include security as part of every project, it needs to be ingrained into every move a business makes.
(Henry): When I was at the FBI our agents often knocked on the door of major companies to advise them of an intrusion, and most had no idea they'd been breached. After evaluation, many realized they'd been victimized months or even years prior. Some of those instances were absolutely based on mergers and acquisitions. When you take over a network, you are potentially assuming a substantial. liability. Most of us would never purchase a home without doing a termite check. Why wouldn't we do a similar evaluation on the networks we're acquiring? ]
White House Considering Options for Cyber Security Legislation (October 9, 2014)White House Cybersecurity Coordinator Michael Daniel says that instead of trying to push a single, comprehensive cyber security bill through the legislature, the administration will instead focus on supporting a series of smaller bills that will address the necessary issues. The administration would like to see legislation that paves the way for the Department of Homeland Security (DHS) to work more closely with private companies to protect their systems from attacks as well as clarifying how government agencies work together and with DHS.
[Editor's Note (Murray): We should prefer the strategy of a number of focused bills to an omnibus bill. Such bills will be easier for legislators to draft and understand. They will be more likely to achieve the intended result while reducing the risk of unintended consequences, both inherent and feared, in all such legislation. ]
**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know. http://www.sans.org/info/169352
2) Data Center Server Security - Hear Results of Survey and Receive Whitepaper 10/29 at 1pm ET http://www.sans.org/info/169357
3) The Top 3 Threats to Retail IT Security and How You Can Defend your Data - Tuesday, October 21 at 3:30 PM EDT with Dave Shackleford, Brian Nuszkowski and Josh Daymont. http://www.sans.org/info/169362
THE REST OF THE WEEK'S NEWS
Vulnerable Code in CyanogenMod Android Build (October 13, 2014)Android users running the CyanogenMod build may find their devices vulnerable to man-in-the-middle (MitM) attacks. The issue lies in re-used sample code for certificate in Java 1.5 parsing that in 2012 was reported to contain SSL vulnerabilities. Other developers have used the code as well.
Kmart Discloses Breach (October 13, 2014)Kmart has acknowledged that customers' payment card data were compromised in a breach that affected cash registers at 1,200 stores. The malware was detected on October 9 and had been active for more than a month. Kmart's president said that the malware has been removed from the company's systems.
Dairy Queen Acknowledges Breach (October 10, 2014)Dairy Queen has disclosed that a data security breach affected nearly 400 of its stores across the US. The attackers reportedly managed to get the account credentials of a third-party vendor that allowed them access to the Dairy Queen store systems, which were then infected with malware known as Backoff.
[Editor's Note (Murray): All merchants and retailers are at high risk and should be looking for evidence of compromise. Consumers should request EMV ("chip") cards, stop using accounts where the card issuer fails to comply with the request, prefer merchants who are equipped to accept such cards, and reconcile online accounts at least weekly and all accounts upon receipt of statements. Digital wallets, using one time digital tokens in lieu of credit card numbers in the clear, from Google, Square, Apple et. al. on mobile computers are on the horizon (Apple Pay should be available within a week) and none too soon. ]
Oracle to Address 150+ Vulnerabilities (October 12 & 13, 2014)This month, Oracle's quarterly security updates will coincide with Microsoft's and Adobe's monthly fixes. On Tuesday, October 14, Oracle will release fixes for 155 security issues in 44 products. Of those, 25 will address flaws in Java SE. Microsoft plans to issue nine security bulletins, three of which are rated critical, and Adobe will release updates for Flash.
Judge Dismisses Ulbricht's Motion to Suppress Evidence (October 10 & 12, 2014)US District Judge Katherine Forrest has dismissed a defense motion to suppress evidence against Silk Road defendant Ross Ulbricht. Ulbricht's legal team maintained that the US government had used illegal means to gain access to Silk Road servers and therefore any evidence they had gathered should be disallowed because their client's Fourth Amendment rights had been violated. Judge Forrest made it clear that this case is about Ulbricht and not the FBI's investigative methods; even if they had broken into the servers illegally, Ulbricht has not provided sufficient demonstration that the servers belong to him and therefore cannot allege Fourth Amendment violations.
Malicious Android App Steals Data (October 10, 2014)An Android app that appears to be a simple game is actually malware capable of recording audio with infected devices, as well as stealing messages and device data, gaining root privileges. Gomal may be spreading through unofficial app stores. The malware will steal email from the Good for Enterprise app. Good for Enterprise developer, Good Technology, says that Gomal is a proof-of-concept app presented at Black Hat 2013.
HP Will Revoke Certificate Inadvertently Used to Sign Malware (October 9 & 10, 2014)On October 21, HP will revoke a digital certificate that was found to have been used to sign malware. The certificate was originally issued to sign software that came with HP products. The revocation could cause support issued for customers using older HP products.
Locked Shields Cyber War Simulation (October 10, 2014)The Locked Shields cyber war simulation is "a technical cyber defense exercise" that ran from May 20-24, 2014, that drew nearly 300 participants from 17 countries. This year's event was staged in May in Tallinn, Estonia; participating teams worked from their home countries. The scenario involved attacks against a fictional country that the participating teams helped to defend. Teams received points for quick detection, effective defense, and system resilience. Among the areas that proved most challenging to participants were filtering and detecting malicious activity over IPv6 networks and sharing useful information with other Blue Teams.
STORM CENTER TECH CORNERNCSAM: When Breach Notifications Look Worse then some Phishing Emails.
Snapchat Image Archive Surfaces
CSAM: Be Wary of False Beacons
Decrypting Snapchat Images
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/