SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #35

May 02, 2014

TOP OF THE NEWS

Study Shows More than 40 Percent of Identity Theft is Medical-Related
Target Will Adopt Chip-and-PIN Technology by 2015
Tony Sager: If Everything is Important, Nothing Gets Done
FBI May Keep Vulnerabilities Secret to Aid Investigations

THE REST OF THE WEEK'S NEWS

Microsoft Issues Emergency Fix for Critical IE Flaw, Throws in Patch for XP Also
Traffic Signal Sensors Transmit Data With No Authentication, No Encryption
License Plate Database Company Demands Secrecy From Law Enforcement
Tails Operating System Version 1.0 Released
Samsapo SMS Trojan Targets Russian Android Users
Mozilla Fixes Critical Flaws in Firefox and Other Products
Phishing Scheme Used VoIP to Steal Debit Card Data

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************************** Sponsored By Bit9 *************************
The Convergence of Security & Compliance: How do security and compliance gaps affect your organization? Learn how a single agent can provide visibility, detection, response and protection - all while automating and managing compliance! Close security gaps and ensure the security of your servers and endpoints today. Download The White Paper! http://www.sans.org/info/158377
***************************************************************************

TRAINING UPDATE


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, ND June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


- - --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Study Shows More than 40 Percent of Identity Theft is Medical-Related (April 30, 2014)

A survey recently released by the Identity Theft Resource Center found that 43 percent of all identity thefts reported in the US in 2013 were medical-related. Stolen medical identity information has been used to obtain treatment and prescription medicines; medical identity fraud also places incorrect information in the patients health records.
-http://www.studentdoctor.net/2014/04/the-rise-of-medical-identity-theft-in-healt
hcare/
[Editor's Note (Pescatore): Identity theft from medical information is often much more expensive for the person involved, as it is rarely as simple as changing a credit card number and watching credit report alerts.
(Murray): One might hope that the conversion to electronic systems might bring some order to our archaic and broken health care system. Such conversion is proceeding at such a pace that it may actually be losing ground. Perhaps our health care system is beyond repair. ]

Target Will Adopt Chip-and-PIN Technology by 2015 (April 29 & 30, 2014)

Target is working with MasterCard to implement chip-and-PIN technology into its REDcards. Target is making the change because chip-and-PIN, which is widely used outside the US, offers more security for financial transactions. The attackers who stole payment card information of an estimated 40 million Target customers obtained payment card information fairly easily from the cards' magnetic stripes. Chip-and-PIN cards are more difficult to replicate, and to use the information, attackers would need to know each card's associated PIN. Some merchants may be reluctant to adopt the new technology because requiring the PIN adds time to each transaction and because upgrading hardware and reissuing cards to support chip-and-PIN is costly. Target expects to spend US $100 million on the upgrade. Visa and MasterCard want US merchants to be ready to accept chip-and-PIN cards by October 2015.
-http://money.cnn.com/2014/04/30/technology/security/target-credit-card/index.htm
l
-http://www.computerworld.com/s/article/9248015/Target_looks_to_reassure_consumer
s_with_move_to_chip_and_pin
-http://www.theregister.co.uk/2014/04/29/target_finally_implements_chip_and_pin_c
ard_protections/
[Editor's Note (Pescatore): Moving to chip and PIN is certainly a good thing to do. It is also good for publicity and satisfying the Congressmen who harped on it. However, the other things Target is doing (and needs to do well) are way more important to prevent similar scale breaches.
(Murray): The purpose of the PIN is to resist fraudulent use of lost or stolen cards. The EMV standard provides for small PIN-less transactions to balance the cost of requiring the PIN against the cost of fraud. It is intended that this balance be negotiated between the card issuer and the merchant on an application-by-application basis. For example, one probably will not need a PIN or a signature to purchase a Happy Meal with an EMV card. A fundamental vulnerability is that information on the mag-stripe is vulnerable to fraudulent reuse. This problem does not go away when one adds a chip to a mag-stripe card. It is compensated for, only in part, by requiring the use of the chip when the card has one and the POS device is equipped to read it. For example, this control has been implemented by acquirer/processor First Data Corporation. ]

Tony Sager: If Everything is Important, Nothing Gets Done (May 1, 2014)

In his keynote address at the SANS Leadership Summit in Boston, Tony W. Sager, director of the SANS Innovation Center who spent more than 30 years with the NSA's Information Assurance Directorate, said that when it comes to cyber security, it is as important to know what to do as it is what not to do. In the 1970s and 80s, cyber security was the domain of government and was focused on a definable Cold War adversary. Now cyber security is everywhere and adversaries are much less definable. The profusion of tools and information available contribute to "the fog of more;" it's hard to know what tools and information to use, and how best to use them. One outcome of this was the SANS Top 20 Critical Security Controls, which gives organizations a good place to start making effective security decisions.
-http://www.csoonline.com/article/2150300/security-leadership/in-a-world-of-compl
exity-focus-on-the-basics.html
-http://searchsecurity.techtarget.com/news/2240219965/Good-information-security-l
eadership-demands-focus-on-shared-knowledge

FBI May Keep Vulnerabilities Secret to Aid Investigations (April 29 & 30, 2014)

The Obama administration allows the FBI and other agencies to keep secret certain software vulnerabilities to help them with investigations. Concerns about government agencies not disclosing flaws first arose when reports suggested that the NSA knew of the Heartbleed bug and had been exploiting it for some time before it was publicly disclosed. The NSA denied any prior knowledge of Heartbleed. If the NSA keeps flaws secret, it is to use them to attack adversaries' networks. The FBI, in contrast, might keep a flaw secret because they are keeping an eye on someone launching an attack and if the vulnerability being exploited were disclosed, the attacker would know that he was being watched.
-http://www.nextgov.com/cybersecurity/2014/04/feds-would-have-hard-time-keeping-z
ero-days-under-wraps/83479/?oref=ng-channeltopstory
-http://www.scmagazine.com/multiple-factors-influence-govt-decision-to-disclose-v
ulnerabilities/article/344857/
-http://www.theregister.co.uk/2014/04/30/white_house_to_world_we_dont_hoard_vulne
rabilities/
-http://www.bloomberg.com/news/2014-04-30/fbi-keeps-internet-flaws-secret-to-defe
nd-against-hackers.html
-http://www.govinfosecurity.com/white-house-policy-on-disclosing-cyberflaws-a-679
8

---

************************** Sponsored Links: ******************************
1) Webcast: The Application Blind-spot: Friday, May 09 at 1:00 PM EDT with Eric Schou. Attend this webcast to hear from HP security experts, as they articulate specific use case examples: http://www.sans.org/info/158382

2) Webcast: How Defense-In-Depth Helps Protect You From Unexpected Vulnerabilities Like Heartbleed. Thursday, May 22 at 1:00 PM EDT Jake Williams, SANS & Adam Goodman, Principal Security Architect at Duo Security. http://www.sans.org/info/158387

3) Attend the DFIR Summit 2014 in Austin, TX - June 3 - June 10. The Digital Forensics and Incident Response (DFIR) Summit & Training event combines hands-on DFIR classroom training with trending DFIR summit speakers together into ONE premier event. http://www.sans.org/info/158392
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft Issues Emergency Fix for Critical IE Flaw, Throws in Patch for XP Also (May 1, 2014)

Microsoft has released a fix for a critical flaw in Internet Explorer (IE) that is being actively exploited in limited, targeted attacks. The vulnerability affects all versions of IE. The patch will be pushed out through Automatic Updates. Users who do not have that feature enabled or who want to get their patches more quickly can run Windows Update. Microsoft made the decision to include XP among the platforms for which it fixes this flaw, which indicates how serious the issue is. The company made the decision to include a patch for XP it has been less than a month since support for the operating system ended. While some believe issuing a fix for XP will not encourage users to move to newer, more secure operating systems, Microsoft's decision is also seen as a commitment to security.
-http://www.zdnet.com/microsoft-issuing-fix-for-ie-zero-day-today-7000029001/
-http://www.nbcnews.com/tech/security/microsoft-issues-fix-major-internet-explore
r-bug-n94821
-http://arstechnica.com/security/2014/05/emergency-patch-for-critical-ie-0day-thr
ows-lifeline-to-xp-laggards-too/
-http://www.zdnet.com/microsoft-had-to-patch-windows-xp-7000029008/
-http://www.scmagazine.com/microsoft-releases-unscheduled-patch-for-ie-zero-day-x
p-users-get-fix-too/article/345157/
-http://www.darkreading.com/attacks-breaches/microsoft-issues-emergency-patch-for
-ie-covers-xp-/d/d-id/1235020?
-http://www.cnet.com/news/microsoft-fixes-big-ie-bug-on-windows-xp-even/
-http://www.govinfosecurity.com/microsoft-issues-internet-explorer-fix-a-6808
[Editor's Note (Pescatore): Microsoft made the right decision - security trumped revenue. Now, if a few other large companies who regularly push out patches that try to trick you to load toolbars or desktop software would only follow that lead... ]

Traffic Signal Sensors Transmit Data With No Authentication, No Encryption (May 1, 2014)

Some traffic light systems used in major US cities and in several other countries are vulnerable to attacks. The vulnerabilities lie not in the systems that control the lights, but in the magnetic sensors embedded in roads that transmit data to traffic centers. The data are sent wirelessly to access points and feeders, which pass them on to traffic signal controllers. The data transmissions are not encrypted and do not use authentication mechanisms. So while the systems cannot be directly manipulated to control the lights, they could conceivably be sent bad data that could cause traffic problems.
-http://arstechnica.com/security/2014/04/hacking-traffic-control-gear-could-cause
-gridlock-and-chaos/
-http://www.wired.co.uk/news/archive/2014-05/01/hacking-traffic-lights
[Editor's Note (Assante): It has always been interesting and challenging to develop support programs for technology that would be costly to reach, but those were the exceptions (ocean floor, under the ground, etc.). Paving with large numbers of magnetic sensors is an example of the new norm - technology that will deploy during the construction phase of infrastructure projects. Project stakeholders will need to plan for extended life cycles with a highly constrained ability to manage that type of technology. Heartbleed mitigation efforts have reminded us that some easy to forget but connected "things" will escape our mitigation efforts. ]

License Plate Database Company Demands Secrecy From Law Enforcement (May 1, 2014)

A US company that purportedly has the largest database of automobile license plate images requires law enforcement agencies that use its services to swear to keep the existence of the database a secret. Vigilant Solutions claims to have close to two billion records in its database, known as the National Vehicle Location Service (NVLS). Law enforcement agencies use the database for several purposes, including finding stolen cars and vehicles used in crimes, and locating kidnapping victims. The majority of the data stored in the NVLS belongs to people who have not committed a crime and are not under surveillance. Vigilant's requirements bring to mind those of the Harris Corporation, which manufactures and sells a product known as a stingray, which spoofs cell phone towers to trick suspects' phones into connecting to them so data can be gathered. In some cases, law enforcement agencies have used stingrays without a warrant because their interpretation of the non-disclosure agreement was that obtaining a warrant would violate that agreement.
-http://www.wired.com/2014/05/license-plate-tracking/

Tails Operating System Version 1.0 Released (April 30 & May 1, 2014)

After five years in development, the Debian-based operating system Tails has released its Version 1.0. Tails is a live OS, meaning that it boots from removable media instead of from a hard disk. All data travels through the Tor anonymizing network, and it uses encryption and other anonymizing tools to prevent censorship and snooping. Tails was reportedly the operating system that Edward Snowden used to maintain anonymity while communicating with journalists. Tails 1.0 is actually the 36th stable release since June 23, 2009, when what would become Tails was released under the name Amnesia. (Tails is an acronym for The Amnesiac Incognito Live System.)
-http://www.theregister.co.uk/2014/05/01/secure_os_tails_1_released/
-http://www.siliconrepublic.com/digital-life/item/36723-new-anonymous-desktop/
-http://www.cnet.com/news/anonymous-os-reportedly-favored-by-nsa-whistle-blower-e
dward-snowden-reaches-version-1-0/

Samsapo SMS Trojan Targets Russian Android Users (April 30, 2014)

Samsapo is an SMS Trojan that targets Android devices spreads like a worm. It has been detected in attacks targeting Russian Android users. Samsapo has the capability to steal phone numbers and text messages and send them to a server designated by the attackers. It can also download more malware and block calls and alter alarm settings. Samsapo spreads through SMS messages that encourage recipients to click on a link that claims to be a photo. Once a device has been infected, it sends itself to people on the contact list.
-http://www.net-security.org/malware_news.php?id=2757
-http://www.scmagazine.com/possibly-the-first-android-worm-spreading-through-sms-
found-in-wild/article/344873/
-http://www.nbcnews.com/tech/security/worm-alert-russian-android-malware-spreads-
text-message-n94181

Mozilla Fixes Critical Flaws in Firefox and Other Products (April 30, 2014)

Mozilla has updated Firefox to version 29. The newest version of the browser addresses 15 flaws, six of which are deemed critical. Mozilla has also released updates to address critical flaws in Thunderbird and Seamonkey.
-http://www.scmagazine.com/firefox-29-fixes-several-critical-flaws-including-memo
ry-safety-bugs/article/344874/
">http://www.scmagazine.com/firefox-29-fixes-several-critical-flaws-including-memo
ry-safety-bugs/article/344874/
Mozilla Advisory:
-http://www.scmagazine.com/firefox-29-fixes-several-critical-flaws-including-memo
ry-safety-bugs/article/344874/
">http://www.scmagazine.com/firefox-29-fixes-several-critical-flaws-including-memo
ry-safety-bugs/article/344874/
[Editor's Note (Honan): For those berating Microsoft over vulnerabilities in Internet Explorer, this shows simply moving to an alternative browser does not mean you will be secure. ]

Phishing Scheme Used VoIP to Steal Debit Card Data (April 29 & 30, 2014)

In a new variation on phishing campaigns, thieves used text messages and VoIP (voice over Internet protocol) calls to steal debit card data from customers of a number of US financial institutions. The targeted bank customers received text messages telling them their debit card has been deactivated and were given a phone number to call to reactivate the card. The number sent them to an interactive voice response (IVR) system that asked for their debit card number and PIN.
-http://www.computerworld.com/s/article/9248027/Voice_phishing_scheme_lets_hacker
s_steal_personal_data_from_banks?taxonomyId=17
-http://www.scmagazine.com/phishing-campaign-uses-voip-to-target-dozens-of-banks-
steal-card-data/article/344674/

---

STORM CENTER TECH CORNER

Honeypot Detection Techniques
-https://isc.sans.edu/forums/diary/Busybox+Honeypot+Fingerprinting+and+a+new+DVR+
scanner/18055

F5 0-days
-http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.htm
l

Google Patches XSS Flaw in Search Appliance
-http://www.kb.cert.org/vuls/id/673313

UltraDNS DDoS Update
-http://blog.neustar.biz/neustar-insights/ultradns-ddos-attack-update/

Neustart UltraDNS DDoS
-https://isc.sans.edu/forums/diary/UltraDNS+DDOS/18051
-https://twitter.com/search?q=%23ultradns&src=typd

Websense Analyses Crash Reports to Narrow Down IE 0-day
-http://community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-177
6-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx

AOL Compromise used to send spam
-http://blog.aol.com/2014/04/28/aol-security-update/

Odd UDP Packets
-https://isc.sans.edu/forums/diary/Be+on+the+Lookout+Odd+DNS+Traffic+Possible+C+C
+Traffic/18047

iOS 7 no longer encrypts mail attachments
-http://www.andreas-kurtz.de/2014/04/what-apple-missed-to-fix-in-ios-711.html

Apple Developer Center Leaked Contact Information
-http://9to5mac.com/2014/04/28/apple-patches-another-major-security-hole-in-its-w
ebsite-that-allowed-access-to-all-developer-personal-information/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/