SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #14

February 18, 2014

TOP OF THE NEWS

Health and Human Services IG to Examine Networked Medical Device Security
Mobile Apps Don't Detect Phony SSL Certificates
Thieves Use USB Sticks to Rob ATMs

THE REST OF THE WEEK'S NEWS

Security Update Planned for Duo Security WordPress Two-Factor Authentication Plugin
Flaw in Asus Routers is Being Exploited to Access Connected Drives
South Korean Financial Regulators Impose Penalties on Credit Card Companies After Data Breach
Kickstarter User Data Compromised
TheMoon Malware Targets Linksys Routers
VFW Website Used in Watering-Hole Attack
Forbes User Data Compromised
Tesco.com Customer Data Compromised

PESCATORE'S FIRST LOOKS

PESCATORE'S FIRST LOOKS

---

*********************** Sponsored By Symantec ****************************
Webcast: Recent Retail Breaches in the News - What Can You Learn? March 4 10:00 AM Pacific. At what points can an attack happen? What are the best practices for securing your devices? How can you protect your servers and endpoints? Gain insights from Symantec's Security Response Team on how targeted attacks are being perpetrated and how a properly configured endpoint can block even the most determined attackers.
http://www.sans.org/info/152107
***************************************************************************
TRAINING UPDATE


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- -- ICS Summit Orlando Lake Buena Vista, FL March 12-18, 2014 Come join us at the ICS/SCADA Security Orlando Summit where we will take a deep look at embedded system attack surfaces, discover what you can do to improve their security, and take away new tools that you can put to use right away! Summit led by Mike Assante - ex-CSO of NERC, plus 7 courses.
http://www.sans.org/event/north-american-ics-scada-summit-2014


- -- SANS Northern Virginia Reston, VA March 17-22, 2014 11 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Continuous Ownage: Why You Need Continuous Monitoring; and Real-World Risk - What Incident Responders Can Leverage from IT Operations.
http://www.sans.org/event/northern-virginia-2014


- -- SANS 2014 Orlando, FL April 5-14, 2014 42 courses. Bonus evening presentations include Effective Phishing that Employees Like; and The Law of Offensive Countermeasures. Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/sans-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations includes Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014
- --Can't travel? SANS offers LIVE online instruction.
Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Canberra, Munich, Austin, and Malaysia all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Health and Human Services IG to Examine Networked Medical Device Security (February 10, 2014)

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) plans to take a close look at the security of certain medical devices. The review will be a part of a broader look at security issues in healthcare as laid out in the Fiscal Year 2014 HHS OIG Work Plan. The OIG wants to find out if hospitals have adequate security controls in place to safeguard patient information on networked medical devices, such as dialysis machines and medication dispensing systems. The OIG also plans to examine the security of the Affordable Care Act website and the security and privacy posture of organizations participating in the HITECH electronic health records program.
-http://www.govinfosecurity.com/oig-to-review-medical-device-security-a-6490
FY 2014 HHS OIG Work Plan:
-http://docs.ismgcorp.com/files/external/OIG-Work-Plan-2014.pdf
[Editor's Note (Assante): The explanation by officials of what is at stake dances around the most material issue. The loss of patient information is given as the consequence to avoid, this is of course a concern for patients, but the integrity of the information at its point of generation (a device) or processing by a health care specialist is paramount. I have personally relied upon the information-intensive healthcare system for life preserving treatment. Even with high integrity data there were near-miss mistakes in treatments. The loss of integrity of medical-device-generated data, in any kind of scale, would add to existing fears and further chip away at the confidence we place in our medical institutions.
(Pescatore): This would be a good area for the HHS IG auditors to use the Critical Security Controls as way to focus their efforts at these important, but very broad, efforts. In particular, a rapid investigation of just the ability of hospitals to even know how many medical devices are on their networks (Critical Security Control 1) would point out an enormous shortcoming. It would be nice to see some focus, with some rapid action on foundational issues - rather than yet another yearlong effort with a phonebook-sized report of deficiencies followed by a year of magazine-sized response memos. ]

Mobile Apps Don't Detect Phony SSL Certificates (February 14, 2014)

Phony SSL certificates currently being used pose a significant risk to people conducting online banking on smartphones. There appear to be dozens of the fake certificates allowing attackers possessing them to conduct man-in-the-middle attacks to steal data from users who believe they have legitimate connections to banks, shopping sites, and social networks. The certificates are not signed by trusted authorities, so major browsers will detect them, but users conducting banking and other transactions through apps and other non-browser software could be vulnerable.
-http://www.theregister.co.uk/2014/02/14/fake_ssl_cert_peril/
-http://arstechnica.com/security/2014/02/in-the-wild-phony-ssl-certificates-imper
sonating-google-facebook-and-itunes/
[Editor's Note (Pescatore): Way too many apps are getting published without working certification validation, often driven by using components like Amazon and PayPal merchant SDKs and many shopping cart objects that didn't validate. The Apple App Store and Google Play ought to put more focus on validating app and server side SSL hygiene before allowing such apps to be published.
(Ullrich): The problem isn't as much that these fake SSL certificates exist, but that mobile applications are fooled by them.
(Murray): One would hope that an app from one's bank would be able to establish a trusted connection to the bank. ]

Thieves Use USB Sticks to Rob ATMs (February 13, 2014)

An organized group of criminals used USB sticks to empty four ATMs of their cash. The thieves managed to open the machines to plug in the USB sticks, which contained malware that allowed the attackers to take control of the machines. Money mules then withdrew the cash. So far, just one person - a money mule - has been arrested. What makes this attack different from the majority of ATM thefts is that funds are stolen from the bank itself, not from individual accounts. The attacks occurred somewhere outside the US.
-http://www.darkreading.com/attacks-breaches/criminals-control-cash-out-banks-atm
-mac/240166070
[Editor's Note (Henry): As organizations continue to increase security in certain areas, adversaries will constantly seek out other attack vectors. While this occurred outside the United States, domestic institutions seem equally vulnerable to this technique and should take additional precautions to prevent physical access to their equipment.
(Murray): At one time ATMs were hardened devices, on bank premises, using proprietary purpose-built software, proprietary protocols and networks, operated and serviced by banks. Today ATMs are appliances, often on merchant premises, using commodity software running on Windows, over public protocols and networks, and operated and serviced by third parties. Moreover, dedicated ATM cards have been replaced by multi-use "check" (debit) and credit cards. The increase in attack surface, vulnerability, and successful attacks is dramatic but, perhaps, not surprising or disproportionate. ]

---

************************** Sponsored Links: ******************************
1) Live from New York! SANS presents: The SANS Financial Cybersecurity Trends and Challenges briefing. Join John Pescatore, Tony Sager and Alan Paller for this important event for the Financial Community. Set in the heart of the NY Financial District, this FREE breakfast briefing provides critical information on upcoming security trends, an end-user security panel on how your colleagues are dealing with threats, and information from sponsors on the future direction of their solutions. Join us! http://www.sans.org/info/151470

2) Webcast: The Critical Security Controls and the StealthWatch System. Thursday, February 20 at 1:00 PM EST featuring John Pescatore, SANS and Charles Herring, Sr. Systems Engineer, Lancope. http://www.sans.org/info/152112

3) Webcast - Cybersecuring DOD ICS Systems.Tuesday, March 4, 1:00pm EDT with Michael Chipley, PhD PMP LEED AP BD +C GICSP. http://www.sans.org/info/152117
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Security Update Planned for Duo Security WordPress Two-Factor Authentication Plugin (February 14 & 18, 2014)

Duo Security plans to release an update for its WordPress two-factor authentication plugin to address a vulnerability that could be used to bypass the security it is meant to provide. The problem exists in multisite deployments where the plugin is enabled on a site-by-site basis. The issue affects Duo WordPress plugin versions 1.8.1 and earlier.
-http://www.theregister.co.uk/2014/02/18/wordpress_2fa_bug_can_bypass_authenticat
ion/
-http://www.net-security.org/secworld.php?id=16361
-https://www.duosecurity.com/blog/wordpress-multisite-vulnerability-in-two-factor
-authentication

Flaw in Asus Routers is Being Exploited to Access Connected Drives (February 17, 2014)

A vulnerability in Asus routers could be exploited to access data stored on devices connected directly to the router through the USB port on the back. The flaw was disclosed in June 2013; at that time, Asus said it "was not an issue." Devices could be accessed even when users do not deliberately enable services to make hard drive contents available over the Internet. The Asus vulnerability has been exploited thus far by someone who placed text file warnings about the situation on the vulnerable drives. The Asus attack together with the Linksys worm suggests that attackers are starting to turn their attention to routers.
-http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-t
hanks-to-easily-exploited-flaw/
-http://www.techspot.com/news/55708-asus-routers-exploited-connected-drives-easil
y-accessed.html
[Editor's Note (Ullrich): The last couple of weeks have been bad for multiple types of routers/devices connected to public networks. Mass exploitation of Linksys, Synology, AVM's Fritzbox, and ASUS Routers, just to name the few that come to mind. Consumer level devices without the ability to receive automatic patching should probably not have the ability to be administered remotely. ]

South Korean Financial Regulators Impose Penalties on Credit Card Companies After Data Breach (February 16 & 17, 2014)

Three South Korean credit card companies have been fined and barred from issuing cards for three months after a Korea Credit Bureau temporary employee stole card details of at least 20 million people over a 14-month period and sold the information to telemarketers. The South Korean Financial Supervisory Commission said that KB Kookmin Bank, NH Nonghyup Card, and Lotte Card "neglected their legal duties of preventing any leakage of customer information." Each of the companies has each been fined six million won (US $5,660) and will not be permitted to issue new cards until May 16, 2014.
-http://www.zdnet.com/south-korean-credit-card-firms-suspended-over-data-breach-7
000026406/
-http://www.bbc.co.uk/news/business-26222283
[Editor's Note (Henry): It's not clear if there was obvious negligence on the part of any of the companies here, but imposing serious sanctions should be a deterrence to irresponsible behavior. The inability to issue new cards for a three month period will have a significant economic impact on each of these companies, and likely be the impetus for wide-scale review of security protocols and policies.
(Honan): It is great to see a financial regulator step up to the plate with regards to credit card breaches. I am willing to bet that companies in South Korea that process credit cards are paying more attention to credit card security as a result of these penalties than any PCI DSS assessment. ]

Kickstarter User Data Compromised (February 15, 16, & 17, 2014)

Crowd-funding site Kickstarter says that thieves stole user data. Kickstarter says that credit card data were not compromised, but usernames, email addresses, encrypted passwords and other data were accessed. Older Kickstarter passwords are encrypted with SHA-1, while newer passwords are encrypted with bcrypt.
-http://www.v3.co.uk/v3-uk/news/2329216/kickstarter-hit-by-hackers-as-usernames-a
nd-passwords-stolen
-http://news.cnet.com/8301-1009_3-57618976-83/kickstarter-hacked-user-data-stolen
/
-http://www.bbc.co.uk/news/business-26222113
-http://recode.net/2014/02/15/kickstarter-says-it-was-hacked/

TheMoon Malware Targets Linksys Routers (February 14 & 17, 2014)

A worm that has been dubbed TheMoon has been infecting certain Linksys routers. Now a proof-of-concept exploit for the vulnerability that worm exploits has been made public, as have technical details about the vulnerability itself.
-https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so
+far/17633
-http://www.computerworld.com/s/article/9246392/There_s_now_an_exploit_for_TheMoo
n_worm_targeting_Linksys_routers?taxonomyId=17
-http://www.theregister.co.uk/2014/02/17/linksys_vuln_confirmed_as_a_hnap1_bug/
-http://threatpost.com/moon-worm-spreading-on-linksys-home-and-smb-routers/104268
-http://www.computerworld.com/s/article/9246344/_The_Moon_worm_infects_Linksys_ro
uters?taxonomyId=17
[Editor's Not (Ullrich): We still don't know a lot about this worm. Just how it spreads. So far, we gained a bit more insight on its command and control (C&C) channel; but aside from that, the purpose of the worm isn't clear. ]

VFW Website Used in Watering-Hole Attack (February 14, 2014)

Attackers compromised the US Veterans of Foreign Wars (VFW) website to exploit a zero-day vulnerability in Internet Explorer 10 (IE10) on the computers of site visitors. The attackers used JavaScript to add an IFRAME to the site's HTML code so that the malware would be loaded in the background, requiring no action from users.
-http://www.zdnet.com/new-internet-explorer-10-zero-day-exploit-targets-u-s-milit
ary-7000026354/
-http://www.scmagazine.com//attackers-compromise-us-veterans-site-to-serve-ie-zer
o-day-exploit/article/334157/
-http://www.informationweek.com/security/attacks-and-breaches/snowman-attack-camp
aign-targets-ie10-zero-day-bug/d/d-id/1113841
[Editor's Note (Ullrich): Yet another Microsoft Internet Explorer 0-day that can be avoided by installing Microsoft's free EMET tool. ]

Forbes User Data Compromised (February 14 & 17, 2014)

Vandals attacked the Forbes website, posting phony stories and stealing user email addresses and passwords. Forbes is urging users to change their passwords, even though the company says the stolen passwords were encrypted. The passwords are, in fact, salted and hashed. The attack affects anyone who has registered with Forbes.com. The company has alerted law enforcement.
-http://news.cnet.com/8301-1009_3-57618945-83/syrian-electronic-army-hacks-forbes
-steals-user-data/
-http://www.infosecurity-magazine.com/view/36971/the-syrian-electronic-army-hacke
d-forbes-and-dumped-1-million-credentials/
-http://www.theregister.co.uk/2014/02/17/sea_slurps_a_million_ids_from_forbes/
[Editor's Note (Northcutt): Without fail, this week I am going to add a character to every one of my online passwords. And there is only one that is 8 characters and it will be 10 before the sun sets. NewsBites can only report the breaches that have been announced, what about the ones that have not been detected? ]

Tesco.com Customer Data Compromised (February 13 & 14, 2014)

Supermarket chain Tesco has suspended more than 2,000 online customer accounts after data thieves posted associated passwords and other login details. The information appears to have been stolen from other websites, as it affects Tesco users whose username and password combinations were the same across multiple sites. The customers whose accounts were compromised reported that vouchers were stolen from their Tesco clubcard accounts. Tesco says it will replace the stolen vouchers.
-http://www.v3.co.uk/v3-uk/news/2328890/hackers-hit-more-than-2-000-tesco-custome
rs
-http://www.theregister.co.uk/2014/02/14/tesco_login_details_leaked/
-http://news.cnet.com/8301-1009_3-57618917-83/hackers-hit-tesco-as-over-2200-acco
unts-compromised/
-http://www.theguardian.com/technology/2014/feb/14/tesco-customer-accounts-suspen
ded-hacker-attack
-http://www.bbc.co.uk/news/technology-26171130

---

PESCATORE'S FIRST LOOKS

--What Will Microsoft's New CEO and the Return of Bill Gates Mean to Windows Security? SANS Director of Emerging Security Trends John Pescatore takes a look and largely focuses on if Microsoft will emphasize security at it tries to compete with the Apple Apps Store and Google Play app stores.
-http://www.sans.org/security-trends/2014/02/17/will-microsofts-new-ceo-and-the-s
orta-return-of-bill-gates-be-good-for-security/

--Bit9 Acquires Carbon Black Bit9 is an executable whitelisting company that was founded in 2003 and has now received a total of $120M in investment funding over that period. CarbonBlack is endpoint forensics software that came out of vulnerability and malware research firm Kyrus in 2011. Cost and complexity has resulted in both of these areas remaining niche on desktops, but application whitelisting on servers has shown strong growth, with little business disruption. Bit9 has said it will maintain the CarbonBlack brand and product, so growth will mostly be upselling CarbonBlack to the Bit9 installed base.

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/