Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #29

April 14, 2015


Windows Administrators Facing Career Threats From Cyber Attacks Windows administrators are learning they were misled about the effectiveness of Windows' "built in" security; increasingly they are being personally blamed for successful intrusions. Their claims that "attacks happen everywhere" don't seem to protect them. The more innovative among them are using a Microsoft tool that allows them to reduce the intrusions substantially by automating continuous monitoring and the Critical Security Controls. They learned the tool and technique, PowerShell scripting, together with advanced Windows security to deal with APT malware and hackers using the new SEC505 Windows Security course. Here's what students are saying about the new course: "If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!!" (Matthew Stoeckle, Nebraska Public Power District) "You will know and be confident how to enable Windows PKI after taking this course. I had no practical experience but plenty of theory. The instructor broke down the pros and cons of the whole process. Excellent!!" (Othello Swanston. DTRA-DOD)
More information: http://www.sans.org/course/securing-windows-with-powershell

TOP OF THE NEWS

Incredible: Hacked French Network Exposed Its Own Passwords During TV Interview
Carder Gets 12-Year Prison Sentence
Middle School Student Facing Felony Charge for Accessing School's Network

THE REST OF THE WEEK'S NEWS

Re-Direct to SMB Vulnerability Affects All Versions of Windows
Simda Botnet Takedown
Intel Report Focuses on Importance of Rapid Incident Detection and Response
Alleged Svpeng Creator Arrested in Russia
APT30 Espionage Campaign Has Been Operating Since 2005
"Great Cannon" Attack Tool Used in DDoS Attacks Against GreatFire and GitHub
US Bans Export of Intel Xeon Processors to China
Apple OS Updates Address Darwin Nuke Vulnerability

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


************************** Sponsored By HP ***************************
2015 State of Security Operations Report How does your security operations strategy stack up to the best? And what should you do to improve? This annual report assesses the capabilities of 87 SOCs worldwide. Read it to learn:
- - The latest trends in security defenses
- - The attributes of effective organizations
- - How companies have improved-or degraded-their capabilities Read the full report http://www.sans.org/info/176742
***************************************************************************

TRAINING UPDATE


--Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


--SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


--Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


--SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


--SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


--SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


--SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


--Looking for training in your own community?
Community - http://www.sans.org/u/Xj


--Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Incredible: Hacked French Network Exposed Its Own Passwords During TV Interview (April 9, 2015)

In an interview about the satellite hack, TV5Monde reporter David Delos unwittingly revealed at least one password for the station's social media presence. He was filmed in front of a staffer's desk- showing sticky notes and taped index cards that were showed account usernames and passwords.
-http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-pa
sswords-during-tv-interview/

Carder Gets 12-Year Prison Sentence (April 9 & 10, 2015)

Jermaine Smith has been sentenced to more than 12 years in prison for his role in an online underground payment card fraud operation. In October 2014, Smith pleaded guilty to participation in a racketeer-influenced corrupt organization. Smith was also ordered to pay US $50.8 million restitution. Smith lived in New Jersey and sold counterfeit payment cards for the syndicate, which was operated from Russia.
-http://www.darkreading.com/attacks-breaches/member-of-organized-cybercrime-ring-
sentenced-to-150-months-in-prison-for-selling-stolen-and-counterfeit-credit-card
s/d/d-id/1319877

-http://www.scmagazine.com/prison-term-508-million-fine-for-cardersu-member/artic
le/408517/

-http://thehill.com/policy/cybersecurity/238377-credit-card-fraudster-gets-150-mo
nths

Middle School Student Facing Felony Charge for Accessing School's Network (April 13, 2015)

A 14-year-old middle school student in Florida is facing a felony charge for accessing his school's computer network and changing a teacher's wallpaper. The school district's sets passwords to teachers' last names. The student had previously been suspended for three days for accessing the system without authorization.
-http://www.computerworld.com/article/2909321/8th-grader-charged-with-felony-hack
ing-for-changing-teachers-digital-wallpaper.html

-http://arstechnica.com/security/2015/04/eighth-grader-charged-with-felony-for-sh
oulder-surfing-teachers-password/

[Editor's Note (Murray): We romanticize hacking at the expense of corrupting the best and the brightest of our young. Few of them are really hired by law enforcement, local government, and their victims. ]


**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Preparation - Plan for the Inevitability of Compromise. http://www.sans.org/info/176747

2) Six Steps to SIEM Success. Friday, April 17 at 1:00 PM EDT (17:00:00 UTC) with Tom D'Aquino, Security Engineer. http://www.sans.org/info/176752

3) Best Practices for Reducing Your Attack Surface: 5 Steps to Shrinking Your Window of Vulnerability. Thursday, April 16 at 1:00 PM EDT (17:00:00 UTC) with Michael Bruchanski. http://www.sans.org/info/176757
***************************************************************************

THE REST OF THE WEEK'S NEWS

Re-Direct to SMB Vulnerability Affects All Versions of Windows (April 13, 2015)

A flaw affecting all versions of Windows as well as products from more than 30 other software vendors allows attackers to steal encrypted login data from Windows PC users. The vulnerability, known as Re-Direct to SMB, could be used to launch a man-in-the-middle attack by tricking apps into authenticating with a malicious server.
-http://www.darkreading.com/endpoint/new-security-flaw-spans-all-versions-of-wind
ows/d/d-id/1319884?

-http://thehill.com/policy/cybersecurity/238620-your-windows-computer-has-a-flaw
-http://www.forbes.com/sites/katevinton/2015/04/13/18-year-old-security-flaw-allo
ws-hackers-to-steal-credentials-from-all-versions-of-windows/

Simda Botnet Takedown (April 13, 2015)

Interpol, working together with Japan's Cyber Defense Institute and several technology companies, has taken down a botnet known as Simda. Interpol's Digital Crime Centre (IDCC) coordinated operations with local law enforcement to take down servers associated with the botnet in the US, Russia, Luxembourg, and Poland. The malware had infected an estimated 770,000 machines.
-http://www.v3.co.uk/v3-uk/news/2403672/interpol-frees-770-000-systems-from-simda
-botnet

-http://www.zdnet.com/article/servers-seized-in-global-simda-botnet-hit/
-http://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedo
wn/

Simda Check:
-https://checkip.kaspersky.com

Intel Report Focuses on Importance of Rapid Incident Detection and Response (April 13, 2015)

According to a report from Intel, organizations that respond to cyber attacks within an hour of their detection stand a better chance of retaining control of the situation. It can be difficult to know when an attack is starting because of "bottlenecks between security tools used to detect intrusions."
-http://fortune.com/2015/04/13/intel-security-hackers/

Alleged Svpeng Creator Arrested in Russia (April 13, 2015)

Russian authorities have arrested a man believed to be the creator of malware known as Svpeng, which is believed to have infected up to 350,000 Android-based devices in 2014. Four other people have been detained in connection with the case.
-http://www.forbes.com/sites/thomasbrewster/2015/04/13/alleged-nazi-android-fbi-r
ansomware-mastermind-arrested-in-russia/

-http://www.scmagazine.com/alleged-creator-of-svpeng-android-malware-arrested-in-
russia/article/408792/

APT30 Espionage Campaign Has Been Operating Since 2005 (April 12 & 13, 2015)

According to the FireEye Intelligence Report, an espionage campaign known as APT30, has been targeting governments and businesses for 10 years. APT30 is attributed to China, and also targets media organizations and journalists who cover information of interest to the Chinese government. FireEye says it has discovered the tools APT30 has used to steal information.
-http://www.zdnet.com/article/fireeye-claims-discovery-of-10-year-hack-campaign-b
y-china/

-http://www.theregister.co.uk/2015/04/13/chinese_state_sponsored_hackers_menace_s
e_asia_apt_30/

-http://www.computerworld.com/article/2907963/chinese-hacker-group-among-first-to
-target-networks-isolated-from-internet.html%20

-http://www.bloomberg.com/news/articles/2015-04-12/decade-long-cyber-spying-campa
ign-hacked-southeast-asia-targets%20

"Great Cannon" Attack Tool Used in DDoS Attacks Against GreatFire and GitHub (April 10 & 12, 2015)

The distributed denial-of-service (DDoS) attacks that targeted GreatFire and GitHub in March were likely launched by a Chinese attack tool called "Great Cannon." Initially, the attacks were thought to be the work of China's Great Firewall, but researchers at Citizen Lab say that "Great Cannon" is a new tool.
-http://www.eweek.com/security/china-unlimbers-great-cannon-to-block-web-content-
it-doesnt-like.html

-http://www.scmagazine.com/citizen-lab-says-great-cannon-tool-allowed-ddos-agains
t-github-greatfireorg/article/408522/

-http://www.forbes.com/sites/thomasbrewster/2015/04/10/china-great-cannon-can-be-
stopped-with-encryption/

-http://www.scmagazine.com/citizen-lab-says-great-cannon-tool-allowed-ddos-agains
t-github-greatfireorg/article/408522/

-http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/
-http://www.theregister.co.uk/2015/04/10/china_great_cannon/
-https://citizenlab.org/2015/04/chinas-great-cannon/

US Bans Export of Intel Xeon Processors to China (April 10, 2015)

The US Department of Commerce has refused to grant Intel a license to export Xeon processors to China. The chips are intended for use in the Tianhe-2 supercomputer; the Department of Commerce maintains that China acted against US national security interest by using Tianhe-2 and other supercomputers for "nuclear explosive activities."
-http://www.computerworld.com/article/2908566/us-issues-bogus-unenforceable-ban-o
f-supercomputer-chips-for-china.html

-http://www.bbc.com/news/technology-32247532

Apple OS Updates Address Darwin Nuke Vulnerability (April 10, 2015)

Among the issues patched in Apple's most recent versions of iOS and OS X is a vulnerability that can be exploited for denial-of-service attacks. The flaw is known as the "Darwin Nuke" because it lies in the Darwin kernel. In certain conditions, attackers could use malformed IP packets to cause vulnerable devices to crash.
-http://www.darkreading.com/endpoint/apple-patches-darwin-nuke-other-security-fla
ws-with-new-os-releases/d/d-id/1319881

-http://www.scmagazine.com/darwin-nuke-vulnerability-allows-dos-in-os-x-1010-and-
ios-devices/article/408511/


STORM CENTER TECH CORNER

Ruby SSL Wildcard Certificate Validation Bug
-https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vuln
erability/

Amazon Web Services Worried About Careless Customers
-http://www.theregister.co.uk/2015/04/13/aws_security_sleepless_nights/

Reversing Belkin's WPS Algorithms
-http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/

Pastebin Used as C&C Channel
-https://isc.sans.edu/forums/diary/The+Kill+Chain+Now+With+Pastebin/19569/

TV5Monde Leaks Social Media Passwords in post-attack video
-https://twitter.com/pent0thal/status/586280487058022400

TV Station TV5Monde Crippled After Cyber Attack
-http://www.theguardian.com/world/2015/apr/09/french-tv-network-tv5monde-hijacked
-by-pro-isis-hackers

Apple Patches "Hidden Backdoor" in Yosemite
-https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileg
es-in-apple-os-x/

Personal Backup Drives Indexed By Google
-http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-
private-data-has-been-indexed-by-google.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/