SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #47
June 16, 2015
TOP OF THE NEWS
White House Orders Immediate Adoption of Basic Security Measures
Increased Spending Not Improving US Government Cyber Security
THE REST OF THE WEEK'S NEWS
Legislators to Question OPM Officials
OPM Breach Timeline and Analysis
LastPass Acknowledges Breach
MasterCard Expanding Use of Tokens
Snapchat Adopts Two-Factor Authentication
Malware Used Stolen Certificate to Infect Kaspersky Network
Microsoft Windows 10 Patching Schedule
Amazon Releases its First Transparency Report
Bundestag Network Breached
49 Arrested in Phishing Scheme Crackdown
TOP OF THE NEWS
White House Orders Immediate Adoption of Basic Security Measures (June 12 & 13, 2015)
Following the news of breaches of the OPM's networks that compromised security clearance data, the White House has ordered federal agencies to immediately adopt basic security practices. The required procedures include applying patches for critical flaws promptly; using anti-virus products and checking logs for attack indicators; deploying two-factor authentication; and strengthening controls for privileged users.
[Editor's Note (Pescatore): The DHS Continuing Diagnostics and Mitigation program was funded back in 2012 to address almost all of these issues but has largely disappeared into the government procurement Bermuda triangle.
(Weatherford): While one could express shock and very legitimately argue that basic hygiene actions such as patching vulnerabilities, restricting privileged user accounts, and increasing the use of multi-factor authentication are so fundamentally basic that they should already be routine procedures, I think this is a positive move by the Administration and lean to giving them credit. Like it or not, most people don't realize how bold a move this is and how difficult it will be to get federal agencies to comply. Agencies often ignore these kind of directives so the proof will be in whether agency heads are held accountable to the 30 day deadline and then more importantly, held accountable for a remediation schedule with equally strict timelines for addressing the gaps.
(Henry): Wow. With all due respect to my colleague and friend Mark Weatherford, we couldn't be more diametrically opposed on this issue. I don't see how anyone, especially those who have worked on this issue in the government, could see this as "a positive move by the Administration" and "giving them credit." This is a pure lack of leadership right from the top. There have been tens of BILLIONS of taxpayer dollars spent on information security in the past decade, and the White House is telling agencies now to patch systems and use AV? Are you kidding me? This is the most basic of directives, and what I'd expect a high school freshman studying information security to suggest. 'It's difficult to get federal agencies to comply? Agencies often ignore these kind of directives?' That's a leadership issue (or lack thereof.) Having a clear plan, a sense of URGENCY, and executive sponsorship that actually takes this seriously and holds people accountable is how it gets resolved. I won't even get into the inability to define redlines for our adversaries so they understand what the repercussions are for certain actions. The US is farther behind in this space today than it was in 2007, when the Comprehensive National Cybersecurity Initiative (CNCI) was signed, funded, and implemented, and we should be ashamed. ]
Increased Spending Not Improving US Government Cyber Security (June 10, 2015)
Although the US federal government has increased spending on cyber security over the past few years, the government's systems continue to experience serious attacks, such as those launched against networks at the Office of Personnel Management (OPM), the Internal Revenue Service (IRS), and the State Department. Some of the increase in cyber security events can be attributed to privacy violations, lost and stolen devices, and attempted break-ins, and better incident awareness and detection. A recent survey found that government agencies are having trouble keeping up with changing threats and that incident response times have not changed. Agencies are also hiring contractors who are not equipped to interpret the data generated by the security tools the agencies have in place.
[Editor's Note (Pescatore): The same is largely true in private industry: within any vertical industry, the ones who spend the most on security are rarely the most secure by any metric. The success stories tend to be where IT and governance deficiencies were fixed (better configuration management, more rapid patching, better privilege control for IT admins, secure app development cycles, better processes for exceptions, etc.) which actually *reduce* security spending. The federal government CIO side of things has largely ignored this area completely and the audit/Inspector General side continues to follow suit. ]
THE REST OF THE WEEK'S NEWS
Legislators to Question OPM Officials (June 15, 2015)
On Tuesday, June 16, Office of Personnel Management (OPM) Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour will appear before the House Oversight and Government Reform Committee. The purpose of the hearing is "to provide Members an opportunity to gain information on the nature and extent of the ... OPM data breach."
Brian Krebs: OPM Breach Timeline and Analysis (June 15, 2015)
Brian Krebs has created a thorough timeline of the breaches at OPM and at other entities, including Anthem and CareFirst Blue Cross, and offers an analysis of the situation.
LastPass Acknowledges Breach (June 15, 2015)
Online password storage company LastPass is asking users to change their master passwords following a breach of the company's network. The attack occurred on Friday, June 12. The master passwords are encrypted, and LastPass uses "per user salts, which means an attacker would have to attempt to crack each encrypted master password individually."
MasterCard Expanding Use of Tokens (June 15, 2015)
MasterCard will support the use of tokens for store-branded payment cards and e-commerce transactions. The plan will allow retailers to accept many types of mobile payments. Retailers will also be able to store payment card information with tokens.
[Editor's Note (Pescatore): This, and the Snapchat item that follows, illustrate a continuing trend that enterprise users are increasingly using strong authentication for consumer grade services, but at work are still using passwords. CISOs should jump at the chance to reduce the use of reusable passwords, jump on this trend. ]
Snapchat Adopts Two-Factor Authentication (June 15, 2015)
Snapchat will now send text message verifications to users when they log in from a new device. The service will not be on by default; users can enable the function by turning on Login Verification in the Settings menu.
Malware Used Stolen Certificate to Infect Kaspersky Network (June 15, 2015)
The Duqu 2.0 malware code that managed to gain purchase in Kaspersky Labs' systems made its way onto the machines using a stolen digital certificate signed by Foxconn, a Chinese electronics company. Foxconn's root certificate was issued by VeriSign.
Microsoft Windows 10 Patching Schedule (June 13, 2015)
Windows 10 will have several different update options. Current Branch updates will likely be the most frequent and are primarily for consumers. Current Branch for Business will come about four months after the Current Branch, so Microsoft can get the glitches out before releasing the Business versions. Customers who opt for the Current Branch for Business must deploy the new builds within eight months of their release or they will cease receiving updates.
[Editor's Note (Pescatore): Windows 7 support doesn't end until January 2020, and Windows 10 adoption is likely to be slow in enterprises. So, not much of an issue in the near term, but one key thing to keep in mind: if you are buying any kind of appliance with Windows 10 inside, make sure the vendor is required to support all MSFT patches within that 8 month window worst case, ideally in the 4 month window when business patches will be released. ]
Amazon Releases its First Transparency Report (June 12, 13, 14, & 15, 2015)
Trailing other tech companies by months if not years, Amazon has released its first transparency report. Between January 1 and May 31, 2015, Amazon indicated that it received 813 subpoenas and provided all requested information in 542 of them; it also received 25 search warrants and provided all requested information for 13 of them. Amazon also received 132 requests from foreign governments and provided all requested information for 108.
Bundestag Network Breached (June 12, 2015)
Computers at Germany's lower house of Parliament, the Bundestag, were infected by malware that allowed attackers to steal information. According to reports, the infection is so severe that the entire network may need to be rebuilt. One politician has noted that the "attack reveals that the Interior Ministry has completely missed out on establishing a functioning cyber defense."
49 Arrested in Phishing Scheme Crackdown (June 10 & 12, 2015)
Law enforcement agents in Europe have arrested 49 suspects in connection with a phishing scheme that stole millions of Euros from people's bank accounts. The suspects were arrested in Spain, Poland, and Italy. Authorities in the UK, Belgium, and Georgia also helped with the investigation, which was dubbed Operation Triangle.
dnstwist typo squatting tester
Microsoft Labeling Ask.com Toolbar as Unwanted Software
Cisco SSL and IPv6 Patch
BIOS Vulnerabilities and Patch Management
JSONP Exploited in Waterhole Attacks
D-Link Smartplug Vulnerabilities
PHP Bug in escapeshellarg
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/