SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #37

May 09, 2014

TOP OF THE NEWS

Now is the Time to Address Security in the Internet of Things
Microsoft's May Security Update Will Not Include Fixes for XP
Microsoft's XP Fix Draws Criticism

THE REST OF THE WEEK'S NEWS

New York Hospitals Pay US $4.8 Million Fine for HIPAA Violation
OMB Says Agencies' FISMA Compliance is Improving
Orange France Breach Affects 1.3 Million Customers
House Committee Approves Bill That Would End NSA Bulk Data Collection
Microsoft's Security Intelligence Report for Second Half of 2013
Former NSA Head Defends Keeping Some Software Vulnerabilities Secret
Apple Publishes Legal Process Guidelines for US Law Enforcement
Wyndham Faces Lawsuit By Shareholder
Ransomware Hitting Androids
Former Navy SysAdmin Charged for Breaking Into Multiple Government Systems

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*************************** Sponsored By Bit9 ****************************
Data security has become the No. 1 priority for many retailers in 2014. Want to learn how your company can implement strategies to protect against costly data breaches? Find out 10 ways you can achieve this goal while maintaining required PCI compliance. Download This Check List Today! http://www.sans.org/info/158827
***************************************************************************

TRAINING UPDATE


-- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
http://www.sans.org/info/154465


-- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
http://www.sans.org/event/sans-security-west-2014


-- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, ND June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
http://www.sans.org/event/secure-europe-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Now is the Time to Address Security in the Internet of Things (May 4, 2014)

As our world becomes increasingly Internet-connected, the threat of serious, harmful attacks will increase. Rather than wait until something bad happens to add security as an afterthought, security needs to be part of the development process of devices that will be Internet-connected, such as cars, televisions, appliances, and traffic control systems.
-http://news.softpedia.com/news/Everything-Can-Be-Hacked-It-s-Just-a-Matter-of-Ti
me-Until-Things-Get-More-Serious-440322.shtml
[Editor's Note (Murray): My concern is not so much that developers will fail to protect the function of their device as that they will include all kinds of gratuitous functionality that can be co-opted to attack other things. Think of a device with Windows and a little tiny application on top. Nice people do not attach weak systems to the Internet. A restrictive policy, e.g., closing all ports not essential to the function of the device, is just not that difficult for a single application system. However, it is antithetical to the geek culture of bells, whistles, and "dancing pigs."
(Northcutt): The problem of course is it always comes down to a battle of who has the most, (and most desirable), features. History will repeat.
-http://www.sans.edu/research/security-musings/article/northcutt-why-mgt512]

Microsoft's May Security Update Will Not Include Fixes for XP (May 8, 2014)

According to Microsoft's advance notification for next week's scheduled security updates, the company will issue eight bulletins to address flaws in Windows, Internet Explorer (IE), .NET Framework, Microsoft Server Software, and Productivity Software. Two of the bulletins slated for release on May 13 are rated critical. Four of the bulletins scheduled for release address flaws in Windows 8.1. For users to be able to automatically receive those updates, they must apply Windows 8.1 Update. None of the bulletins will provide fixes for issues in Windows XP or Office 2003; both were retired last month.
-http://www.zdnet.com/no-windows-xp-office-2003-patches-in-may-patch-tuesday-7000
029255/
-http://www.computerworld.com/s/article/9248207/Tick_tock_Windows_8.1_users_face_
patch_ban_as_Microsoft_sets_next_week_s_updates?taxonomyId=17
-https://technet.microsoft.com/library/security/ms14-may

Microsoft's XP Fix Draws Criticism (May 7, 2014)

Microsoft generated buzz last week when it issued an out-of-band fix to address a critical flaw in IE that was being actively exploited and included a patch for XP. Some felt that providing a fix for XP after the operating system's retirement date might cause users to wait even longer before migrating to a new OS. Others felt that it was the right thing to do because the flaw was so serious and XP had been retired so recently.
-http://www.computerworld.com/s/article/9248167/Microsoft_seeds_doubt_by_erasing_
XP_line_in_the_sand?taxonomyId=17

---

************************** Sponsored Links: ******************************
1) Retina Unlimited: The fastest, easiest way to identify and prioritize network, web, database and virtual vulnerabilities. Unlimited IPs only $1,200/year! http://www.sans.org/info/158832

2) Webcast: Going 'All In' for Protection and Compliance with the Critical Security Controls at Sun Country Airlines Wednesday, May 14 at 1:00 PM EDT with John Pescatore. http://www.sans.org/info/158837

3) Government IT Pros! Tell Us Your Wins and Misses with the Continuous Diagnostics and Mitigation Program by Taking This Survey: http://www.sans.org/info/158842
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

New York Hospitals Pay US $4.8 Million Fine for HIPAA Violation (May 8, 2014)

New York Presbyterian Hospital and Columbia University Medical center have paid US $4.8 million in a settlement with the US Department of Health and Human Services for violations of the Health Insurance Portability and Accountability Act (HIPAA). Patient data were unintentionally exposed when a doctor tried to deactivate a computer he personally owned from a network segment that held roughly 6,800 patients' lab results, medication data, and other sensitive information.
-http://www.computerworld.com/s/article/9248205/IT_malpractice_Doc_operates_on_se
rver_costs_hospitals_4.8M?taxonomyId=17
[Editor's Note (Pescatore): The incident happened almost 4 years ago, so given the average job tenure in IT, the guilty server admins are probably misconfiguring servers at new companies by now. But, so far this year HHS has levied almost $7M in fines for HIPAA violations. The Critical Security Controls are a good way to focus on the most important (and often easiest) steps to avoid such fines. ]

OMB Says Agencies' FISMA Compliance is Improving (May 7 & 8, 2014)

According to a report from the US Office of Management and Budget (OMB), federal agencies are doing a better job of meeting the requirements of the Federal Information Security Management Act (FISMA) than they have in past years. The report is based on agency self-assessments and shows that agencies met 81 percent of FOSMA requirements. Last year's figure was 73 percent. The report also addresses initiatives the government has undertaken to improve the security of its systems: protecting existing information and information systems; supporting the safe and secure adoption of emerging technology; and building a sophisticated information security workforce.
-http://www.scmagazine.com/federal-agencies-improve-security-fisma-report-says/ar
ticle/346206/
-http://www.govinfosecurity.com/omb-agencies-improving-security-a-6817
OMB Annual Report to Congress: FISMA:
-http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy_2013_fisma
_report_05.01.2014.pdf
[Editor's Note (Pescatore): The self-reported results are more optimistic than the Inspector General results. I'm especially suspicious of the spending figures, which would say that the Federal government is spending about 12% of its IT budget on security - well above industry average when many government agencies do very little transactional use of the Internet. However, we are definitely seeing the DHS CDM program start to increase the state of security monitoring at government agencies, and the FedRAMP program is actually leading industry in having public cloud services provide continuous security monitoring feeds. What we are *not* seeing is any real movement from Federal CIOs in improving the state of IT practices in configuration management, application quality, etc. ]

Orange France Breach Affects 1.3 Million Customers (May 7 & 8, 2014)

Orange France, the telecommunications company, has acknowledged that a data security breach compromised the personal information of 1.3 million of its customers. The data include names, email addresses, and dates of birth. Orange France has known about the breach since mid-April. While no financial information was compromised, Orange France's notification to its customers did caution them to be wary of possible phishing messages. The company suffered a breach in January of this year as well; that incident affected 800,000 customers.
-http://www.bbc.com/news/technology-27322946
-http://www.zdnet.com/orange-has-hack-deja-vu-1-3-million-customer-details-expose
d-7000029226/
-http://www.theregister.co.uk/2014/05/08/orange_france_hacked_13_million_seeing_r
ed/
-http://www.cnet.com/news/hackers-steal-personal-info-of-1-3m-orange-telco-custom
ers/

House Committee Approves Bill That Would End NSA Bulk Data Collection (May 7 & 8, 2014)

The US House Judiciary Committee has approved a bill that would put an end to the NSA's wholesale collection of phone call metadata. In a unanimous vote, the committee passed a measure that imposes more stringent requirements for government intelligence phone data requests. The bill requires the government to obtain data collection approval from the Foreign Intelligence Surveillance Court (FISC) on a case-by-case basis. The bill now goes before the full House.
-http://www.zdnet.com/us-house-committee-votes-to-end-nsas-bulk-metadata-collecti
on-program-7000029227/
-http://www.washingtonpost.com/blogs/the-switch/wp/2014/05/07/a-house-committee-h
as-voted-unanimously-to-rein-in-the-nsa/
-http://arstechnica.com/tech-policy/2014/05/house-committee-axes-nsa-bulk-phone-m
etadata-collection/

Microsoft's Security Intelligence Report for Second Half of 2013 (May 7 & 8, 2014)

According to the Microsoft Security Intelligence Report, users are increasingly facing threats from deceptive downloads, in which malware is bundled with legitimate content and applications, and ransomware. For example, the number of attacks using ransomware known as Reveton doubled over the past year. The report says that Microsoft's Malware removal Tool cleaned 17.8 systems per 1,000 scanned during the last quarter of 2013; in the third quarter, that figure was 5.6 per 1,000. The increase is attributed to Microsoft's addition of signatures for two ransomware programs.
-http://www.eweek.com/security/microsoft-security-report-shows-most-malware-infec
ts-by-deception.html
-http://www.v3.co.uk/v3-uk/news/2343781/reveton-ransomware-levels-double-as-hacke
rs-evolve-attack-strategies
-http://www.scmagazine.com/microsoft-reveals-trio-of-threats-that-plagued-windows
-users-in-q4/article/345983/
-http://www.darkreading.com/vulnerabilities---threats/microsoft-deception-dominat
es-windows-attacks/d/d-id/1251104?
[Editor's Note (Murray): Business and Government should install only management authorized software, obtained from trusted sources, in tamper-evident "packaging." Increasingly we must look to vendors to maintain software throughout its life to extend function, correct errors, and address implementation-induced vulnerabilities. We should choose vendors, in part, on how well they do this. ]

Former NSA Head Defends Keeping Some Software Vulnerabilities Secret (May 7, 2014)

In an interview published in The Australian Financial Review, former NSA chief General Keith Alexander defended the agency's practice of acquiring information about software vulnerabilities and keeping them secret for its own use. The NSA has met with criticism for this practice because not patching known flaws makes the Internet less secure for everyone else, not just suspected terrorists. Alexander said that the NSA does disclose some of the flaws it obtains so they can be fixed by vendors, and that it uses those it does keep secret more for defensive purposes than for offensive purposes.
-http://www.wired.com/2014/05/alexander-defends-use-of-zero-days/
-http://www.cnet.com/news/former-nsa-director-speaks-out-on-spying-stuxnet-defens
e/
[Editor's Note (Pescatore): Back in 1972, civilized countries signed the Biological Weapons Convention, which outlawed the production, stockpiling and use of deadly biological agents - what we now call "weapons of mass destruction." I imagine that before that treaty keeping antidotes to such chemical agents secret was common practice in defense departments, because widespread knowledge of how to reduce vulnerability would impede the use of those WMDs. We'll get to that same point with software vulnerabilities - it will just take longer if the defensive mission continues to be run by the offensive side of the cybersecurity government agencies. ]

Apple Publishes Legal Process Guidelines for US Law Enforcement (May 7 & 8, 2014)

Apple has published guidelines for how it will accept requests for user data from US law enforcement agencies. All subpoenas must be served on the company directly, and they must contain all information the applicant is seeking.
-http://arstechnica.com/apple/2014/05/new-guidelines-outline-what-iphone-data-app
le-can-give-to-police/
-http://www.v3.co.uk/v3-uk/news/2343694/apple-publishes-rules-on-law-enforcement-
data-requests
-http://www.cnet.com/news/apple-releases-guidelines-for-law-enforcement-data-requ
ests/
-http://www.apple.com/legal/more-resources/law-enforcement/

Wyndham Faces Lawsuit By Shareholder (May 7, 2014)

A shareholder of Wyndham Worldwide Corporation has filed a lawsuit against the company, alleging that it failed to employ adequate security measures to protect customers' data and that as a result, more than 600,000 customers have had to maintain "constant vigilance of their financial and personal records." Wyndham is also facing a Federal Trade Commission (FTC) complaint regarding the series of breaches.
-http://www.scmagazine.com/shareholder-sues-wyndham-board-members-over-data-breac
hes/article/345989/
[Editor's Note (Pescatore): Target's fear of lawsuits seemed to detract from their focus on improving security. The FTC actions have tended to have much, much more meaningful positive impact on security practices that any similar lawsuits. ]

Ransomware Hitting Androids (May 6 & 7, 2014)

Ransomware is now targeting devices running the Android mobile operating system. The malware delivers a screen with a message that appears to come from a law enforcement agency, informing users that they have been caught viewing illegal content and that their devices will be blocked until they pay US $300. The current version of the malware does not actually lock up the devices, but the ransom screen pops up continually. Devices become infected when users visit certain pornography websites where they are asked to install an APK that claims to be a video player. To become infected, users must allow out-of-market apps and manually install the APK. Versions of the malware have also been detected in Germany, Italy, Poland, the UK, and the United Arab Emirates with messages customized for each country.
-http://www.scmagazine.com/ransomware-on-android-scares-users-with-govt-notices-a
sks-for-300/article/346005/
-http://arstechnica.com/security/2014/05/your-android-phone-viewed-illegal-porn-t
o-unlock-it-pay-a-300-fine/
-http://threatpost.com/cryptolocker-ransomware-moves-to-android/105937
[Editor's Note (Shpantzer): Part of Android's open ecosystem is the freedom to install apps from outside of the Google Play app store, which comes with obvious risks if you install random apps. ]

Former Navy SysAdmin Charged for Breaking Into Multiple Government Systems (May 5, 6 & 7, 2014)

A former Navy systems administrator is facing charges for allegedly breaking into government systems over the course of several months in 2012. Nicholas Paul Knight was working as a systems administrator on a Navy nuclear aircraft carrier when he was dismissed from the Navy for his alleged actions. Knight and Daniel Trenton Krueger, a community college student in Illinois, have been charged with conspiracy to hack into the US District Court for the Northern District of Oklahoma. Knight also allegedly tried to break into a Navy database. The two men and several other people allegedly gained access to several government systems, including one that belongs to the Department of Homeland Security's (DHS) Transportation Worker Identification system, which contains biometric data; and another at the US National Geospatial Intelligence Agency.
-http://www.wired.com/2014/05/navy-sysadmin-hacking/
-http://www.govinfosecurity.com/navy-systems-admin-faces-hacking-charge-a-6816
-http://www.justice.gov/usao/okn/news/2014/teamdigi7al0505.html
[Editor's Note (Shpantzer): Ponder for a moment the following words: "...he allegedly attempted to hack into a Naval database while at sea serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman." ]

---

STORM CENTER TECH CORNER

SNMP DoS uses Video Conferencing System to Amplify
-https://isc.sans.edu/forums/diary/SNMP+The+next+big+thing+in+DDoS+Attacks+/18089

ioActive Demonstrates Traffic Signal Wireless Vulnerability
-http://blog.ioactive.com/2014/04/hacking-us-and-uk-australia-france-etc.html

Samsung NX300 Camera Vulnerabilities
-http://op-co.de/blog/posts/hacking_the_nx300/

iOS Limited Lock Screen Bypass
-http://threatpost.com/passcode-bypass-bug-and-email-attachment-encryption-plague
-ios-7-1-1/105910

Semantically Opaque Interface IDs for IPv6
-http://tools.ietf.org/html/rfc7217

Changes to Web Standards
-https://isc.sans.edu/forums/diary/And+the+Web+it+keeps+Changing+Recent+security+
relevant+changes+to+Browsers+and+HTML+HTTP+Standards/18075

Dropbox Removing Referer Headers
-https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course..

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/