SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #46

June 10, 2014

TOP OF THE NEWS

Some Countries' Governments Have Unfettered Access to Vodafone Data
FAA Orders Boeing to Implement Cyber Security Measures to Protect 737s
Bank Appreciative of Canadian Teens' Identification of ATM Weakness

THE REST OF THE WEEK'S NEWS

Russian Authorities Arrest Two Suspected of Apple Ransomware Attack
Cyber Security Solutions Approached From Multi-Disciplinary Perspective
Dropbox Phishing Scheme Uses Ransomware to Extract Bitcoin Payments
New Hampshire Town Will Not Pay Cryptowall Ransom
Android Ransomware
UK Cyber Essentials Program Encourages Companies to Apply Basic Security Controls
Report Says Financial Institutions Need to Share Threat Intelligence
GAO Report Calls on DHS to Address Port Security
SmartTV Flaw

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec **************************
Solve Your Biggest Backup and Recovery Challenges Register now for Symantec's live streaming event to find out how to solve your biggest backup challenges, recover anything in minutes, get faster backups, and take advantage of an easy to use solution that protects your virtual and physical environments. See Backup Exec 2014 in action. Register Now. http://www.sans.org/info/161345
***************************************************************************

TRAINING UPDATE


--SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
http://www.sans.org/event/rocky-mountain-2014


--SANSFIRE 2014 Baltimore, MD June 21-30, 2014 42 courses. Bonus evening presentations include Avoiding Cyberterrosism Threats Inside Electrical Substations; Security Awareness Metrics: Measuring Human Behavior; and penetration Testing Corporate Mobile Applications and BYOD Environments.
http://www.sans.org/event/sansfire-2014


--SANS Capital City 2014 Washington, DC July 7-12, 2014 7 courses. Bonus evening presentations include Weaponizing Digital Currency; Incident Response and Forensics in the Cloud; and Who's Watching the Watchers?
http://www.sans.org/event/capital-city-2014


--SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
http://www.sans.org/event/pentest-berlin-2014


--SANS London Summer 2014 London, UK July 14-21, 2014 5 courses.
http://www.sans.org/event/london-summer-2014


--Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


--Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


--Looking for training in your own community?
http://www.sans.org/community/


--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus and Nashville, Bangkok, and Tallinn all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Some Countries' Governments Have Unfettered Access to Vodafone Data (June 6, 2014)

In a transparency report released last week, international telecommunications company Vodafone said that several national governments have direct access to communications that travel through the company's network. In most countries, governments need warrants to access the information, but in six unnamed countries, law enforcement has direct access to the data. Vodafone received data requests from 29 countries during the yearlong period covered by the report, but did not provide a breakdown by country, in part because laws in some countries prohibit the disclosure of such surveillance.
-http://www.wired.com/2014/06/vodafone-transparency-report/
-http://www.bbc.com/news/business-27732743
-http://www.nbcnews.com/tech/security/vodafone-report-details-extent-government-s
nooping-n124996

FAA Orders Boeing to Implement Cyber Security Measures to Protect 737s (June 6, 2014)

The US Federal Aviation Administration has ordered aircraft manufacturer Boeing to make changes to technology on its late-model 737 planes to protect them from cyber attacks. The order specifically notes concern about "a novel or unusual design feature associated with the passenger service computer systems to the airplane systems and data networks" that could be exploited to cause "intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems and networks critical to the safety and maintenance of the airplane." A Boeing spokesperson says the order addresses actions that the company had already undertaken or plans to implement.
-http://www.usatoday.com/story/news/nation/2014/06/06/faa-boeing-737/10066247/
-http://www.bizjournals.com/wichita/blog/2014/06/faa-tells-boeing-to-guard-agains
t-737-hacks.html
-https://www.federalregister.gov/articles/2014/06/06/2014-13245/special-condition
s-the-boeing-company-models-737-700--700c--800--900er--7--8-and--9-series-airpla
nes

Bank Appreciative of Canadian Teens' Identification of ATM Weakness (June 8 & 9, 2014)

Two Canadian teenagers who found an ATM operator's manual online tried using the information they found on a supermarket ATM over their school lunch hour. The ninth graders were surprised to find that a common default password provided them operator access to the machine. They boys went straight to a local branch of the Bank of Montreal, where at first staff members did not believe their claims. The two asked permission to go back and get proof; documentation printouts convinced employees that their claims were serious. The bank manager provided the boys with a note to their school, excusing their lateness "due to assisting BMO with security."
-http://arstechnica.com/security/2014/06/kids-with-operators-manual-alert-bank-of
ficials-we-hacked-your-atm/
-http://www.torontosun.com/2014/06/08/two-14-year-old-code-crackers-hack-winnipeg
-atm
-http://www.huffingtonpost.ca/2014/06/09/bmo-atm-hacked_n_5473217.html
[Editor's Note (Northcutt): Ah yeah, the ol default-password-on-the-money-dispensing-machine trick. One day someone is going to create a list of default passwords and we will be forced to change them. Oh yeah, they already have:
-http://www.defaultpassword.com
-http://www.exploit-db.com/google-dorks/]

---

************************** Sponsored Links: ******************************
1) Advanced Threat Confidential White Paper: Top Lessons Learned From REAL Attacks! http://www.sans.org/info/161350

2) Webcast: Practical Threat Management and Incident Response for the Small- to Medium-Sized Enterprise. Friday, June 13 at 1:00 PM EDT (17:00:00 UTC) with Jake Williams and Patrick Bedwell. http://www.sans.org/info/161355

3) Provide input to the Critical Security Controls! Tell us your wins, misses and wish lists with the CSCs in this quick survey: http://bit.ly/2014CSCSurv. At the end of the survey, sign up for the paper and results webcast airing on September 9 webcast link: http://www.sans.org/info/160675
****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Russian Authorities Arrest Two Suspected of Apple Ransomware Attack (June 10, 2014)

Authorities in Russia have arrested two people in connection with a spate of attacks that held Apple devices for ransom. The suspects were nabbed when they withdrew a ransom payment from an ATM. People in Russia were being targeted in similar attacks shortly before news of similar Australian attacks emerged last month. The suspects allegedly harvested iCloud login credentials through a phishing site and used the access to lock the iPhones, iPads, and Mac computers through an iCloud feature that lets people locate their devices.
-http://www.smh.com.au/digital-life/consumer-security/hackers-suspected-of-holdin
g-apple-devices-to-ransom-detained-in-russia-20140609-zs2bm.html
-http://www.theguardian.com/technology/2014/jun/09/apple-icloud-ransomware-russia

Cyber Security Solutions Approached From Multi-Disciplinary Perspective (June 9, 2014)

Army Col. Gregory Conti director of Army Cyber Institute at US Military Academy West Point, is taking a multidisciplinary approach to protecting cyberspace for the military, the government, and the country. It can be unclear who has authority in various cyber attack situations: the military, the government, or industry. Conti says that coming to "real solutions
[will require ]
a combination of many disciplines."
-http://www.govinfosecurity.com/interviews/multidisciplinary-approach-to-infosec-
i-2335

Dropbox Phishing Scheme Uses Ransomware to Extract Bitcoin Payments (June 9, 2014)

A phishing scheme involving Dropbox infected as many as 350,000 computers with ransomware that has earned those running the operation more than US $70,000 in Bitcoins. The malware, known as CryptoWall, spreads through email messages directing recipients to Dropbox; if they download the indicated ZIP file and run the executable, the malware is loaded onto their machines. Users then receive messages saying that their files have been encrypted and demanding a Bitcoin ransom of US $500, which increases to US $1,000 if it is not paid within a few days.
-http://www.scmagazine.com/possibly-350k-ransomware-infections-70k-earned-in-drop
box-phishing-scheme/article/353559/
[Editor's Note (Murray): Of course, any file server would do as well as Dropbox. On the other hand, Dropbox adds spice to an otherwise "Dummy takes bait and gets owned" story. ]

New Hampshire Town Will Not Pay Cryptowall Ransom (June 7, 2014)

Durham, New Hampshire Town Manager Todd Selig said that the town has no intention of paying ransom to decrypt files taken hostage by Cryptowall malware. The police department system was reportedly infected after an officer opened what looked like a legitimate attachment. Cisco's Cloud Web Security service is blocking access to nearly 100 domains that appear linked to the Cryptowall malware. The attacks blocked by this action are being launched by advertisements on popular websites that lead site visitors to malware.
-http://arstechnica.com/security/2014/06/we-will-be-paying-no-ransom-vows-town-hi
t-by-cryptowall-ransom-malware/
-http://www.networkworld.com/article/2361001/security/malicious-advertisements-on
-major-websites-lead-to-ransomware.html
[Editor's Note (Murray): The success of such attacks requires that the perpetrator have "write" access to the data. Decades ago, when Donn Parker speculated about this attack, I thought it unlikely that anyone would have the necessary privileges. Security is hard and intuition does not serve well. The attack also requires that there be no backup, or that the perpetrator also has write access to it. Imagine that. In a world in which one can buy a terabyte of storage to put in one's pocket for $100, failure to have safe backup is inexcusable. ]

Android Ransomware (June 6, 2014)

Ransomware targeting Android devices encrypts pictures, documents and other content on the devices. Called Android/Simplocker, the malware displays a message telling users that their device has been locked because it was used to access illegal content. Simplocker requires payment in Ukrainian currency, instructing victims to pay 260 Hryvnia (US $22) to have their files unlocked.
-http://arstechnica.com/security/2014/06/warning-your-phone-is-locked-crypto-rans
omware-makes-its-debut-on-android/

UK Cyber Essentials Program Encourages Companies to Apply Basic Security Controls (June 6, 2014)

A new program called Cyber Essentials offers businesses in the UK the opportunity to obtain information security badges that let users know they have implemented certain security measures. The "Cyber Essentials" badge is granted to companies that have implemented five basic security controls: boundary firewalls and Internet gateways; secure configuration; access control; malware protection; and patch management. Later this year, companies will be able to achieve a "Cyber Essential Plus" badge, which is awarded based on the results of an annual independent audit. The program was developed with input from the British Standards Institution, the Information Assurance for SMEs Consortium, and the Information Security Forum and is funded by the UK government's National Cyber Security Program. The program has been criticized for being too general and the requirements for being too basic, but the program itself could prompt attention to IT security among C-level executives. It is also providing a baseline for what should be expected of all companies.
-http://www.govinfosecurity.com/uk-pitches-business-cyber-essentials-a-6924
[Editor's Note (Pescatore): The wording of the UK "Cyber Essentials" is too simplistic. Anyone with a firewall, AV software, a few policies around access control and who patches within 14 days can fill out a form and get a badge. It seemed like it was written for home users, not even small businesses. Even the lowest level PCI Self-Assessment Questionnaire requires higher levels of protection.
(Honan): While the program may be basic it should be seen as a welcome development. Similarly to having to be tax compliant to be able to sell to UK government bodies, companies will also know have to demonstrate they take cyber security seriously. Over time this should hopefully spread further down the supply chain. ]

Report Says Financial Institutions Need to Share Threat Intelligence (June 6, 2014)

The 2014 Annual Report of the US's Financial Stability Oversight Council (FSOC) says that financial institutions should make it a priority to share cyber intelligence. The report also calls on the Treasury Department to make sure that financial institutions and related and supporting organizations are implementing appropriate cyber security measures. FSOC was established in 2010 to "identify risks to the financial stability of the US ...
[and ]
to respond to emerging threats."
-http://www.govinfosecurity.com/fsoc-call-for-cybersecurity-action-a-6920
-http://www.treasury.gov/initiatives/fsoc/Documents/FSOC%202014%20Annual%20Report
.pdf
[Editor's Note (Honan): The Bank of England has recently launched their CBEST initiative to set up a programme of work to improve and test resilience of the UK financial infrastructure to cyber-attack. They have produced a number of excellent guidelines on various areas including a document on "Defining the qualities that participants should consider when selecting a threat intelligence provider"
-http://www.bankofengland.co.uk/financialstability/fsc/Pages/cbest.aspx
I recommend it to anyone responsible for information security. ]

GAO Report Calls on DHS to Address Port Security (June 6, 2014)

According to a report from the US General Accounting Office, The Department of Homeland Security (DHS) needs to do more to protect IT systems at the country's ports. The report, "Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity," found that maritime security plans did not address cyber threats.
-http://www.govinfosecurity.com/gao-questions-security-at-us-ports-a-6919
GAO Report:
-http://www.gao.gov/assets/670/663828.pdf
[Editor's Note (Murray): IT is used to operate all our infrastructure. It is a vulnerability shared by all of our critical infrastructure components. Those of us who understand IT best tend to focus on it while the managers of transportation, finance or other components tend to focus on those before IT. We should not be surprised that those responsible for "port security" worry first about ships and cargo. ]

SmartTV Flaw (June 6 & 9, 2014)

A vulnerability in many Smart TVs could be exploited to gain access to set owners' home networks. Called the Red Button attack because of its exploitation of the interactive features of the televisions normally accessed by a red button on the remote, it is basically a man-in-the-middle attack. It works by hiding malicious code in signals broadcast to the televisions. Compromised televisions could be used to post messages to social media accounts, launch attacks, and seek out other network-connected devices in homes. The attack would be hard to detect and hard to stop. It affects all Smart TVs that are compatible with the HbbTV (hybrid broadcast-broadband) standard, which is widely used in Europe and is making its way into the US market.
-http://www.forbes.com/sites/bruceupbin/2014/06/06/red-button-flaw-exposes-major-
vulnerability-in-millions-of-smart-tvs/
-http://www.bbc.com/news/technology-27761756
-http://iss.oy.ne.ro/Aether
[Editor's Note (Murray): Not so much a "flaw" as a feature. Flaws are easier to fix than features. That said, not all vulnerabilities are problems, not all problems are the same size. The ratio of the cost of this attack to the value of its success is likely to be higher than that of alternatives for quite some time. ]

---

STORM CENTER TECH CORNER

Crowdstrike Releases Detailed Report on Chinese APT Operations
-http://www.crowdstrike.com/blog/hat-tribution-pla-unit-61486/index.html

Apple Randomizes MAC Addresses in iOS 8 to hinder user tracking
-http://www.theregister.co.uk/2014/06/10/ios_wi_fi_mac_address_trick/

Microsoft Patch Tuesday Advance Notification
-https://technet.microsoft.com/library/security/ms14-jun

Microsoft Chooses to not apply hardening Windows 7 DLLs
-https://www.troopers.de/wp-content/uploads/2013/11/TROOPERS14-What_Happens_In_Wi
ndows_7_Stays_In_Windows_7-Marion_Marschalek+Joseph_Moti.pdf
-https://www.youtube.com/watch?v=s_7Cy2w2dCw#t=1598

eFax Phishing used to Spread Malware
-https://isc.sans.edu/forums/diary/efax+Spam+Containing+Malware/18225

Browser Timing Attacks Allow History Sniffing in Web Browsers
-http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/