SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVI - Issue #71

September 05, 2014

TOP OF THE NEWS

Intruder Installs Malware on HealthCare.gov Server
Home Depot Investigating Reports of Payment Card Data Breach
Goodwill Acknowledges Customer Payment Card Data Compromised

THE REST OF THE WEEK'S NEWS

Second Healthcare Sector Cyber Security Exercise Scheduled to Start in October
Microsoft Will Issue Four Security Bulletins on September 9
NATO to Ratify Policy Adding Serious Cyber Attacks to Invoke Collective Defense Clause
Software Piracy Arrests
Verizon Fined for Customer Privacy Violations
Firefox 32 Includes Public Key Pinning to Enhance SSL Security
Apple Says iCloud Accounts Were Breached in Targeted Attack
Europol's Cyber Crime Task Force

PESCATORE FIRST LOOK: NUDE PICTURES AND ICLOUD

PESCATORE FIRST LOOK: NUDE PICTURES AND iCLOUD

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By SANS *****************************
Revelations about recent European infrastructure compromises involving ICS-capable malware is grabbing headlines. Cut through the speculation and take a deep look why our exposure is growing. Learn from leading researchers and practitioners how to safeguard your control systems from targeted attacks. Don't miss out on the SANS ICS Summit Amsterdam.
http://www.sans.org/info/166817
***************************************************************************

TRAINING UPDATE


- --SANS Network Security 2014 | Las Vegas, NV | October 19-27, 2014 Register and pay by September 17 and save $200. 46 courses. Bonus evening presentations include The Bot Inside the Machine; Real-time Monitoring in Industrial Control Systems; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/event/network-security-2014


- --SANS ICS Amsterdam 2014 | Amsterdam, Netherlands | September 21-27, 2014 3 courses. ICS/SCADA Summit and Training.
http://www.sans.org/event/sans-ics-amsterdam-2014


- --DFIR Prague 2014 | Prague, Czech Republic | September 29-October 11, 2014 11 courses. Bonus evening presentations include Sushi Grade Smartphone Forensics on a Ramen Noodle Budget; Everything They Told Me About Security was Wrong; and The Great Browser Schism: How to Analyze IE10 & IE11.
http://www.sans.org/event/dfir-prague-2014


- --Pen Test Hackfest Summit | Washington DC | November 13-20, 2014 100% dedicated Pen Test Training. The optimal place to take your next Pen Testing course allowing you to interact with our instructors who specialize in this area. Meet with other industry professionals who are focused on ethical hacking and vulnerability assessments. 5 courses | Expert Summit Talks | 3 nights of NetWars | Evening of CyberCity | Coin-a-palooza
http://www.sans.org/event/sans-pen-test-hackfest-2014/


- --SANS London 2014 | London, UK | November 15-24, 2014 16 courses.
http://www.sans.org/event/london-2014


- --Healthcare Cyber Security Summit | San Francisco, CA | Dec 3-10, 2014 | SANS and NH-ISAC have partnered creating this summit to discuss information sharing of cyber security intelligence specific to the health care industry to meet the ever growing need in securing health care. Hear from health care CIOs, CISOs and technology leaders who will share their lessons learned combined with 6 intensive training courses.
http://www.sans.org/event/healthcare-summit-2014/


- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Hong Kong, Sydney, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

---

TOP OF THE NEWS

Intruder Installs Malware on HealthCare.gov Server (September 4, 2014)

Malware installed on a HealthCare.gov server used to test code is designed to launch denial-of-service attacks on websites; the attack appears not to have been an attempt to target the online healthcare marketplace. Such malware on a server would not make news if it were not part of such a high profile organization. The infection occurred in July and was detected on August 25 during a security scan.
-http://www.nextgov.com/cybersecurity/2014/09/heres-why-healthcaregov-hack-isnt-b
ig-deal/93206/?oref=ng-channeltopstory
-http://www.zdnet.com/healthcare-gov-test-server-hacked-7000033336/
-http://www.nbcnews.com/tech/security/healthcare-gov-site-suffers-hack-no-data-st
olen-officials-n196181
-http://www.theregister.co.uk/2014/09/05/healthcaregov_hacked/
[Editor's Note (Pescatore): The public info shows that a test server was exposed to the Internet when it had no need to be. Good example of a common pattern in Internet breaches: failure in Critical Security Control 19 (Secure Network Engineering) leading to a compromised server, which could have easily been hardened but wasn't - which is why segmentation/zoning (with security controls at the boundaries) is critical to prevent more and detect faster.
(Murray): It should come as no surprise that a system that has been operated for so much of its life in crisis mode includes insecure servers or that a politically unpopular system should come under attack. The lesson for the rest of us is to ensure that ALL of OUR servers are both locked down and monitored. ]

Home Depot Investigating Reports of Payment Card Data Breach (September 2, 2014)

Home improvement retailer Home Depot has confirmed that it is working with its "banking partners and law enforcement to investigate" reports of a data breach. The company declined to comment further until the investigation is complete.
-http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
-http://www.darkreading.com/attacks-breaches/home-depot-the-latest-hack-victim/d/
d-id/1306898?
-http://www.scmagazine.com/home-depot-investigates-possible-payment-card-breach/a
rticle/369366/
-http://www.theregister.co.uk/2014/09/02/home_depot_investigating_if_its_the_late
st_victim_of_retail_hackers/
-http://www.bbc.com/news/technology-29044855
[Editor's Note (Pescatore): I think it should be pretty clear now: if you are using point of sale systems, thoroughly check all systems for compromise, and for shielding/mitigation of vulnerabilities. It is like that time of year in the spring (usually around the Academy Awards in the US) when the ants are going to start invading the house. You know they are coming - no sense waiting for damage before you act. ]

Goodwill Acknowledges Customer Payment Card Data Compromised (September 4, 2014)

Goodwill Industries International has disclosed that an attack on a third-party payment card processing vendor's system compromised Goodwill customer payment card data. The breach affected about 10 percent of the organization's stores. The compromises occurred between February 2013 and August 2014.
-http://www.scmagazine.com/goodwill-announces-breach-more-than-800k-payment-cards
-compromised/article/369837/
[Editor's Note (Murray): This is only one of a rash of such reports this week (e.g., Home Depot report). It seems more likely that these reports represent a change in the rate of successful attacks rather than a mere blip, a crisis, not business as usual. It is going to take months to years to achieve the necessary systemic repair of our broken retail payment system. In the meantime, all operators of retail point of sale systems must know that they are under attack, assume that they may already be compromised, and act accordingly (including strong authentication for privileged users, system lockdown, and monitoring for data exfiltration). Consumers who continue to use the system must be extremely vigilant in monitoring charges to their accounts. Issuers should anticipate an increase in requests for new cards. They should get on with issuing EMV cards, and consider EMV-only cards (separate mag-stripe cards for backward compatibility). We need to begin planning the next generation system based upon ubiquitous mobile computers. ]

---

**************************** SPONSORED LINKS ******************************
1) Speeding up the Investigation of Employee Policy Violations - Monday, September 15 at 1:00 PM EDT (17:00:00 UTC) with Jad Saliba (CTO), Jamie McQuaid (Forensics Consultant) and Rob Lee. http://www.sans.org/info/166822

2) Critical Security Controls survey results revealed in 9/9 Webcast at 1 pm EDT. Learn about the current state of CSC adoption & implementation. http://www.sans.org/info/166827

3) In Case You Missed It: Get Smart: Consuming Threat Intelligence to Advance your Cyber Security Program Thursday, September 04 at 2:00 PM EDT (18:00:00 UTC) with Harry Sverdlove and Dave Shackleford. http://www.sans.org/info/166832
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Second Healthcare Sector Cyber Security Exercise Scheduled to Start in October (September 4, 2014)

According to a press release from the Health Information Trust Alliance (HITRUST), the second cyber security exercise for the healthcare sector, CyberRX 2.0, will begin in October 2014. More than 750 healthcare organizations have signed up to take part in the cyber attack simulation exercise. The program has been expanded to offer three tiers of participation: Local/Basic, Regional/Mature, and National/Leading.
-http://www.scmagazine.com/healthcare-orgs-prepare-for-cyber-threat-readiness-tes
t/article/369826/
-http://hitrustalliance.net/content/uploads/2014/09/CyberRX-2-0_Press-Release_fin
al-for-wire.pdf
[Editor's comment: (Northcutt): This is a very good idea. These large scale tests help improve the system. There are multiple indicators we are going to face a large scale biological attack in the next few years:
-http://opencanada.org/wp-content/uploads/2011/05/SD-104-Holmes.pdf]

Microsoft Will Issue Four Security Bulletins on September 9 (September 4, 2014)

According to Microsoft, the company will issue four bulletins on Tuesday, September 9, to address vulnerabilities in Windows, Internet Explorer (IE), Microsoft .NET Framework, and Microsoft Lync Server. One of the bulletins is rated critical and will fix vulnerabilities in IE.
-http://www.zdnet.com/microsoft-to-patch-windows-ie-lync-server-next-week-7000033
324/
-https://technet.microsoft.com/library/security/ms14-sep

NATO to Ratify Policy Adding Serious Cyber Attacks to Invoke Collective Defense Clause (August 31 & September 3, 2014)

NATO (North Atlantic Treaty Organization) is close to ratifying a policy that would see all members responding to a cyber attack on any one member. The policy would include serious cyber attacks among actions that invoke the collective defense clause of Article V of the NATO treaty.
-http://arstechnica.com/security/2014/09/in-case-of-cyberattack-nato-members-read
y-to-pledge-mutual-defense/
-http://www.theregister.co.uk/2014/09/03/nato_article_v_mutual_defence_principle_
applies_to_cyberspace/
-http://www.nytimes.com/2014/09/01/world/europe/nato-set-to-ratify-pledge-on-join
t-defense-in-case-of-major-cyberattack.html?_r=1
[Editor's Note (Pescatore): I remember as a kid zoning out when the news would start talking about Strategic Arms Limitation Treaties and ICBM agreements, but every time a new dimension is added to warfare, the "civilized" countries have to work out the political aspects first- just the way every time a new technology hits, businesses should determine what the policy should be first. Of course, the "uncivilized" attackers generally don't wait. ]

Software Piracy Arrests (September 3, 2014)

Police in London, UK have arrested two people in connection with a software piracy ring. The unnamed men are suspected of selling pirated software from Microsoft, Adobe, and other companies over the Internet. The pair was arrested by the Police Intellectual Property Crime Unit (PIPCU), which has also recently arrested people for allegedly running illegal sporting-event streaming websites and proxy sites that allowed users to circumvent blocks on piracy websites.
-http://www.bbc.com/news/technology-29049369
[Editor's Note (Murray): Heard at a fraud roundtable yesterday: "Enough traps already. It is time for a big cat." ]

Verizon Fined for Customer Privacy Violations (September 3, 2014)

Verizon has agreed to pay US $7.4 million to settle charges Federal Communication Commission (FCC) that it used customer billing and location data in targeted marketing campaigns aimed at trying to sell them other Verizon services. Communications companies may do this if they first obtain customers' permission.
-http://money.cnn.com/2014/09/03/technology/mobile/verizon-fcc/index.html
-http://arstechnica.com/business/2014/09/verizon-pays-record-fine-for-violating-p
hone-customers-privacy-rights/

Firefox 32 Includes Public Key Pinning to Enhance SSL Security (September 3, 2014)

Mozilla has released the stable version of Firefox 32. The newest incarnation of the company's flagship browser now includes public key pinning in an effort to protect users from man-in-the-middle attacks. "Key pinning allows site operators to specify which certificate authorities (CAs) may issue valid certificates for them, rather than accepting any of the many CAs that are trusted."
-http://www.theregister.co.uk/2014/09/03/firefox_32_moves_to_kill_mitm_attacks/
-http://www.eweek.com/cloud/firefox-32-debuts-with-improved-ssl-security.html

Apple Says iCloud Accounts Were Breached in Targeted Attack (September 2, 2014)

Apple has acknowledged that several celebrities' iCloud accounts were compromised, but the company said it was done by guessing or stealing login credentials rather than breaching Apple's iCloud security. There was public speculation that the accounts had been breached using a recently disclosed exploit for Apple's Find My iPhone service, but Apple denies that was the case, saying that the breaches were the result of "a very targeted attack on user names, passwords, and security questions."
-http://www.bbc.com/news/technology-29039294
-http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-k
nows/a/d-id/1306923?
[Editor's Note (Pescatore): Apple's support for two factor authentication on iCloud is sadly incomplete. People who signed up for it assumed everything was protected but unfortunately it protected only log-in and purchasing. Apple seems to have a very muddled approach to security - see my First Look for a bit more.
(Murray): This is one more indication for at least offering users a strong authentication option and encouraging them to use it. That said, we can do a better job of resisting attacks against login. I continue to recommend the proposal of my colleague (at IBM), Peter Capek, to raise the cost of such attacks by slowing the login prompt after unsuccessful attempts. ]

Europol's Cyber Crime Task Force (September 1, 2014)

Europol has launched the Joint Cybercrime Action Taskforce (J-CAT), which will work to coordinate international investigations in the fight against cyber crime.
-http://www.pcworld.com/article/2600880/europol-launches-international-cybercrime
-task-force.html
-https://www.europol.europa.eu/content/expert-international-cybercrime-taskforce-
launched-tackle-online-crime
[Editor's Note (Pescatore): Despite the hype about nation/state driven attacks, for most enterprises the most common and damaging form of attack will be by financially motivated criminals - which, of course, is true in the brick and mortar world, too. I've noticed in the US, the FBI and the Secret Service have started to come out of hibernation caused by the US putting too much emphasis on the DoD/Intelligence side of cybersecurity. I'm not familiar with EC3's track records but I like that their top guy said about this J-CAT task force: "It's not a talk shop, it's an operational entity." ]

---

PESCATORE FIRST LOOK: NUDE PICTURES AND ICLOUD

There's nothing like nude pictures of celebrities to raise the visibility of a security breach - the iCloud exposure is the latest to zoom up the Google Trend charts. The underlying problem appears to be that while Apple does offer two-factor authentication for logging into iClouds and for making iTunes purchases, that strong authentication did not extend to all areas of iCloud - not to backups, for example. So, attackers were able to exploit the usual weak password and weak password reset processes - using "What you know" questions in password-reset safeguards is pretty silly for people whose dog's mother's maiden name is actually known by millions of fans...

For years, Apple has done a good job making security a baked in feature to their products and services and not taking the "well, users hate security so we won't build it in." Now, earlier on Apple also benefited from simply being able to say "We are not Microsoft" and by having a small enough market share in PCs that the tip of the cybercrime spear was never really pointed at them. That has all changed in the smartphone and tablet markets, and in the cloud services integrated to them. Apple now really is like Microsoft in 2001 - the big dog in a market, with products and services that are the most direct path for vandals and cybercriminal to reach their targets.

Back in early 2002, then CEO Bill Gates recognized Microsoft had not taken security seriously and famously sent out a company-wide memo that really did change the focus of product managers and developers at Microsoft. It took a couple of years of Gates denying the problem, blaming the users, etc - but he had an epiphany and got past the denial phase.

Apple CEO Tim Cook's response to the iCloud exposure shows he is firmly entrenched in that denial phase - stating first that Apple wasn't at fault, but that they would now alert the users when someone accessed their info or changed their password and would work to "educate" the users more. Way down the stack came Apple focusing on expanding the coverage of two-factor authentication in iCloud, and being more proactive in convincing users to use two factor authentication.

There is an old saying that I just made up: "The fish swims the way the head points." While the days of technology CEO's issuing long, dense company-wide emails to change direction are probably gone, it would be nice to see Apple's CEO push out a few "#IoSSecurity JobOne" tweets or an Instagram picture of Apple product managers issuing the NoMoreReusablePasswords challenge by dumping buckets of hard apple cider on their own heads.

---

STORM CENTER TECH CORNER

Understanding the Value of UDP Port Scans
-https://isc.sans.edu/forums/diary/Identifying+Firewalls+from+the+Outside-In+Or+T
here+s+Gold+in+them+thar+UDP+ports+/18617

Brazilian Router Attacks
-https://securelist.com/blog/incidents/66358/web-based-attack-targeting-home-rout
ers-the-brazilian-way/

Free USB "Firewall" warns user of malicious USB devices
-http://www.heise.de/security/meldung/Kostenloses-G-Data-Tool-schuetzt-vor-BadUSB
-Angriffen-2329545.html

Dircrypt ransomware reverse engineered and cracked
-http://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf

"Fake" cell phone towers discovered with ability to eavesdrop
-http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-i
ntercepting-your-calls

Collection of Wordpress Plugin Vulnerabilities Released
-https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-1/

Code Execution with PHP mail()
-http://securitysucks.info/exploit-phps-mail-to-get-remote-code-execution/

"Death" of Internet Services
-https://isc.sans.edu/forums/diary/+Death+of+Internet+Services/18607

Stealing ATM Pin Codes with IR Camera
-https://www.youtube.com/watch?v=8Vc-69M-UWk

Unauthenticated rsync vulnerability in F5 Big IP
-http://www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_r
sync_access_to_Remote_Root_Code_Execution.pdf

Kaspersky Analysis "Backoff" PoS C&C Server Logs
-https://securelist.com/blog/research/66305/sinkholing-the-backoff-pos-trojan/

Continuing reports of UPNP used in DDoS Attacks
-https://isc.sans.edu/forums/diary/1900UDP+SSDP+Scanning+and+DDOS/18599

Change your default browser network wide in 5 simple steps
-https://isc.sans.edu/forums/diary/Dodging+Browser+Zero+Days+-+Changing+your+Org+
s+Default+Browser+Centrally/18601

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/