SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #66

August 19, 2014

TOP OF THE NEWS

200 Hospitals Hit Affecting 4.5 Million Patients
Australian Legislation Would Give Intelligence Agency Broad Access to Computers
US Nuclear Regulatory Commission Computers Infiltrated

THE REST OF THE WEEK'S NEWS

Chinese Man Indicted in Military Aircraft Data Theft Scheme
Delaware Passes Legislation Grants Heirs Access to Digital Assets
Blog Names Unsecure Apps and Services
Apple Storing Some Chinese Users' iCloud Data on Servers in China
Pittsburgh FBI Cybersquad's Success Rewarded With Additional Agents
Microsoft Pulls Buggy Updates
Supermarket Chains Disclose Point-of-Sale Breaches
Five More People Indicted in Online Banking Theft Scheme
Android Reset Flaw Allows Data Recovery

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************** Sponsored By Blue Coat Systems, Inc. *******************
SANS Analyst Webcast: Learn How to Prepare for Compromise with Efficient Response Tactics featuring Jacob Williams and John Vecchi Wed, Aug. 20 at 1 PM EDT:
http://www.sans.org/info/165982
***************************************************************************
TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by August 27 and save $400. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --SANS Virginia Beach 2014 | Virginia Beach, VA | August 18-29, 2014 10 courses. Bonus evening presentations include Closing the Door on Web Shells and Gone in 60 Minutes: Have You patched Your System Today?
http://www.sans.org/event/virginia-beach-2014


- --SANS Chicago 2014 | Chicago, IL | August 24-29, 2014 7 courses. Bonus evening presentations include The Security Impact of IPv6; Continuous Ownage: Why You Need Continuous Monitoring; and Infosec Rock Star: How to be a More Effective Security Professional.
http://www.sans.org/event/chicago-2014


- --Security Awareness Summit | Dallas, TX | Sept 8-16, 2014 Come learn from your peers on how to build Next Generation Security Awareness Programs. Hear from security awareness officers as they share lessons learned on how they took their awareness programs to the next level and how they measured the impact. Plus 5 courses.
http://www.sans.org/event/security-awareness-summit-and-training-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Bangkok, Tallinn, Hong Kong, and Sydney all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

200 Hospitals Hit Affecting 4.5 Million Patients (August 18, 2014)

Tennessee-based Community Health Systems (CHS) says that intruders accessed its system over a three-month period earlier this year, compromising patient names, addresses, and Social Security numbers (SSNs) of 4.5 million people. The company maintains that medical and financial information was not affected. CHS operates more than 200 hospitals in 29 US states. The company claims that the attacks emanated from China. Information in CHS's Securities and Exchange Commission (SEC) Form 8-K filing says that the intruders were attempting to obtain medical equipment device development information, but were thwarted in their efforts.
-http://www.darkreading.com/community-health-systems-breach-atypical-for-chinese-
hackers/d/d-id/1298095?
-http://www.bbc.com/news/technology-28838661
-http://bits.blogs.nytimes.com/2014/08/18/hack-of-community-health-systems-affect
s-4-5-million-patients/
-http://www.computerworld.com/s/article/9250464/About_4.5M_face_risk_of_ID_theft_
after_hospital_network_hacked?taxonomyId=17
-http://www.theregister.co.uk/2014/08/18/hospital_chain_claims_chinese_hackers_st
ole_45_million_user_details/
CHS SEC Filing:
-http://regmedia.co.uk/2014/08/18/community_health_systems_8k.pdf
[Editor's Note (Murray): 4.5 million seems like a lot but it is dwarfed by eBay's 140 million. Moreover, since CHS is in the healthcare industry, we can expect appropriate punishment. eBay has not even been embarrassed.
(Paller): Bill Murray is correct that 4.5 million is smaller than 140 million, but unwanted disclosure of personal medical information is the one area of information privacy that will draw widespread and continuing outrage from powerful people. The data taken in this attack was not medical, but the lack of effective cybersecurity in hospitals is well known by the black hat 'researchers' and cyber criminals. Multiple medical institutions have paid extortionists to keep their loss of data from being exposed; one health care information system was so full of holes that SANS' faculty member Ed Skoudis had to build in security before he could use it in the CyberCity simulator. Too many hospitals still consider cybersecurity primarily a compliance issue and have not forced their suppliers to bake in security, nor have they invested in staff who have the skills to protect from, identify, and respond quickly to attacks. The Health ISAC and SANS's Health Care Cyber Summit in San Francisco in December features pioneering hospital CIOs, CISOs and tech leaders who have faced these issues head on and who will share the lessons they learned, combined with intensive training courses that allow their technical staff to get up to speed quickly.
-http://www.sans.org/event/healthcare-summit-2014]

Australian Legislation Would Give Intelligence Agency Broad Access to Computers (August 18 & 19, 2014)

Legislation proposed by Australian attorney general George Brandis would broaden the Australian Security Intelligence Organisation's (ASIO) access to computers and networks. Some legal experts say that the law could be interpreted to give ASIO access to every Internet-connected computer. Civil liberties groups are also concerned about provisions that would criminalize journalists who receive and publish leaked documents.
-http://www.zdnet.com/au/new-powers-could-give-asio-a-warrant-for-the-entire-inte
rnet-7000032715/
-http://www.theguardian.com/world/2014/aug/18/counter-terrorism-proposals-greatly
-concerning-say-civil-liberties-groups
[Editor's Note (Murray): This bill is a terrible implementation of an infamous idea. It is so bad in so many ways that we can expect governments all over the world to copy it.]

US Nuclear Regulatory Commission Computers Infiltrated (August 18, 2014)

Computers at the US Nuclear Regulatory Commission (NRC) were infiltrated several times in the past three years, according to the findings of an internal investigation. One attack was perpetrated through spear-phishing - an email message sent to just over 200 NRC employees attempted to get the recipients to provide their logon credentials. About a dozen employees clicked the provided link. A second spear phishing attack attempted to infect recipients' computers with malware. A third incident involved someone breaking into an employee's email account and sending malware to a handful of other employees. The NRC maintains information that adversaries would be interested in obtaining, including plant inventories of weapons-grade materials.
-http://www.nextgov.com/cybersecurity/2014/08/exclusive-nuke-regulator-hacked-sus
pected-foreign-powers/91643/?oref=ng-HPtopstory
-http://www.cnet.com/news/nuclear-commission-hacked-3-times-in-3-years/

---

**************************** SPONSORED LINKS ******************************
1) How to Detect System Compromise & Data Exfiltration Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC) with Tom DAquino. http://www.sans.org/info/165707

2) Drowning in Log and Event Information? Take this SANS survey and enter to win an iPad! http://www.sans.org/info/165987

3) What Does Security Analytics and Intelligence Mean to You? Take this SANS Survey and Enter to Win an iPad! http://www.sans.org/info/165992
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Chinese Man Indicted in Military Aircraft Data Theft Scheme (August 18, 2014)

Su Bin, a Chinese national, has been indicted for his alleged involvement in a scheme to steal sensitive military aircraft data. The indictment includes charges of unauthorized computer access and conspiracy to commit theft of trade secrets. Su allegedly attempted to sell stolen information about the aircraft to state-owned Chinese companies and other organizations. Su was arrested earlier this summer in Canada. Two alleged coconspirators have not been indicted.
-http://www.computerworld.com/s/article/9250448/Chinese_man_indicted_over_theft_o
f_Boeing_C_17_secrets?taxonomyId=17
Indictment:
-https://www.documentcloud.org/documents/1276138-su-bin-indictment.html

Delaware Passes Legislation Grants Heirs Access to Digital Assets (August 18, 2014)

The US state of Delaware has passed legislation giving a person's heirs the right to digital assets, such as social media accounts, in the event of incapacitation or death. The Fiduciary Access to Digital Assets and Digital Accounts Act, signed into law by Governor Jack Markell, allows a person's heirs to assume control of digital accounts and devices just as they would any physical assets and documents.
-http://arstechnica.com/tech-policy/2014/08/delaware-becomes-first-state-to-give-
heirs-broad-digital-assets-access/
[Editor's Note (Murray): We can expect this legislation to have embarrassing unintended consequences resulting in many reports here. Most of us should leave digital credentials and instructions for their use to our heirs. Heirs should use the powers granted them under this law with discretion and in consideration of what they might find. ]

Blog Names Unsecure Apps and Services (August 18, 2014)

A Tumblr blog called HTTP Shaming posts a list of apps and services that do not take sufficient measures to protect user data. The site's creator hopes that making this information known will prompt companies to encrypt data sent over wireless networks. The number of apps and services on the list currently stands at 19. If a case is deemed especially serious, it is not posted until the organization responsible for it is contacted so they can mitigate the problem.
-http://arstechnica.com/security/2014/08/new-website-aims-to-shame-apps-with-lax-
security/
-http://www.smh.com.au/it-pro/security-it/web-fights-back-against-poor-security-2
0140819-105quf.html
[Editor's Note (Murray): Public shaming has always been used as a means of social control. ]

Apple Storing Some Chinese Users' iCloud Data on Servers in China (August 17 & 18, 2014)

Apple has started storing some Chinese users' data on servers in that country. The servers are operated by China Telecom Corp., a state-run company. The data are encrypted, which means that China Telecom cannot access their contents. The decision to store data in China was made to improve service for Apple's iCloud services customers there.
-http://www.v3.co.uk/v3-uk/news/2360809/apple-stores-user-data-on-chinese-servers
-claims-it-will-improve-icloud-performance
-http://www.csmonitor.com/Innovation/Horizons/2014/0817/Apple-stores-user-data-in
-China.-What-does-it-mean-for-cybersecurity

Pittsburgh FBI Cybersquad's Success Rewarded With Additional Agents (August 17, 2014)

The Pittsburgh FBI cybersquad's successful work on several high profile cases has prompted the FBI to add agents so that the squad can take on more cases. According to Special Agent in Charge Scott S. Smith, the squad has created "a model approach to investigating and preventing cybercrime."
-http://www.stripes.com/news/us/premier-fbi-cybersquad-in-pittsburgh-to-add-agent
s-1.298698?
[Editor's Note (Pescatore): it would be a good thing to see more federal cybersecurity funding go to training and staffing national law enforcement, vs. continuing the trend to focus federal funding on the DoD/intelligence community Cybercommand type operations. ]

Microsoft Pulls Buggy Updates (August 16 & 17, 2014)

Microsoft is recommending that users uninstall a recent update after reports that it was causing the blue screen of death. The company has also pulled three other updates because they were also reportedly causing problems, including system crashes and fonts rendering incorrectly. ISC:
-https://isc.sans.edu/forums/diary/Issues+with+Microsoft+Updates/18545
-http://www.theregister.co.uk/2014/08/17/remond_cries_uninstall_in_the_wake_of_bl
ue_screens_of_death/
-http://www.computerworld.com/s/article/9250446/Microsoft_urges_customers_to_unin
stall_Blue_Screen_of_Death_update?taxonomyId=17
-http://www.zdnet.com/microsoft-pulls-updates-recommends-uninstall-7000032678/
-https://technet.microsoft.com/library/security/MS14-045
[Editor's Note (Pescatore): I don't have any hard data, but it seems like Microsoft has been recalling patches more frequently in the past two years than in the 5 years prior to that. One of the biggest impediments to increasing security is how long it takes IT to patch systems. Unreliable patches from major vendors just give IT operations more excuses to patch slowly or not at all, making easy pickings for attackers.
(Murray): This is the problem with automatic updates that everyone cautioned about when the idea was introduced. So far, the advantages seem to have trumped the problems by a wide margin. Many systems would never be patched were it not for automatic updates. ]

Supermarket Chains Disclose Point-of-Sale Breaches (August 15, 2014)

The Supervalu supermarket chain has disclosed that it was the target of a point-of-sale terminal attack affecting customers in more than 200 stores. The breach began as early as June 22 and ran through July 17. Another company, AB Acquisition LLC, says that it suffered a similar attack during the same time frame. The companies are working together on an investigation. Both companies operate stores under a variety of names in several states.
-http://krebsonsecurity.com/2014/08/why-so-many-card-breaches-a-qa/
-http://www.scmagazine.com/supervalu-ab-acquisition-announce-payment-card-breache
s-at-grocery-chains/article/366562/
-http://www.computerworld.com/s/article/9250402/Grocery_stores_in_multiple_states
_hit_by_data_breach?taxonomyId=17
[Editor's Note (Murray): It should now be apparent that the retail payment system is broken and that the industry is unwilling or unable to fix it. Consumers should now assume that their credit card numbers are routinely compromised and ask for new cards every three to six months. While they are about it, they should ask for EMV (Eurocard, MasterCard, Visa standard for "chip") cards. They should prefer American Express because American Express will actually give them an EMV card if they ask for it. Perhaps even more effective, American Express will send e-mail confirmations of large or "card not present" transactions. ]

Five More People Indicted in Online Banking Theft Scheme (August 15, 2014)

The FBI says that five people have been indicted in connection with a bank fraud scheme in which 17 other people have already been convicted in three other cases. The "scheme ... uses stolen identification information to gain online access to personal bank accounts." Reported losses from the scheme total millions of dollars.
-http://www.scmagazine.com/five-charged-for-roles-in-massive-bank-fraud-scheme/ar
ticle/366581/
-http://www.fbi.gov/miami/press-releases/2014/five-more-individuals-charged-in-cy
ber-crime-bank-fraud-scheme

Android Reset Flaw Allows Data Recovery (August 14 & 15, 2014)

Several Android devices, including the Tesco Hudl, are affected by a reset flaw that allows recovery of data that users may believe they have erased from the device. Three separate investigations, which were carried out with used devices purchased through eBay, came to the same conclusion.
-http://www.bbc.com/news/technology-28790583
-http://www.theregister.co.uk/2014/08/15/hudl_and_other_android_devices_have_data
_reset_flaw/

---

STORM CENTER TECH CORNER

2nd Part of the UDP behind NAT riddle
-https://isc.sans.edu/forums/diary/Part+2+Is+your+home+network+unwittingly+contri
buting+to+NTP+DDOS+attacks+/18549

Pro Syrian Malware on the Rise
-https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/

The dangers of UDP services behind NAT
-https://isc.sans.edu/forums/diary/Part+1+Is+your+home+network+unwittingly+contri
buting+to+NTP+DDOS+attacks+/18547

PHP CGI exploit with interesting reverse shell
-http://isc.sans.edu/forums/diary/Web+Server+Attack+Investigation+-+Installing+a+
Bot+and+Reverse+Shell+via+a+PHP+Vulnerability/18543

Smart Phone Gyroscope Sensitive Enough to Detect Speech
-http://crypto.stanford.edu/gyrophone/files/gyromic.pdf

Internet Wide Scan Finds Many Exposed VNC Servers
-http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/