SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #10

February 06, 2015

TOP OF THE NEWS

Anthem Notifying Customers Eight Days After Breach Detected
Cyber Espionage Campaign Targets iOS Devices
FCC Chairman to Propose Strong Net Neutrality Rules

THE REST OF THE WEEK'S NEWS

US Legislators Aim to Update Data Search and Interception Laws
House Bill Aims to Ban Backdoor Requirements in Technology
Scan Results Indicate Ghost Still in Many Business Applications
Ulbricht Guilty on All Counts in Silk Road Case
Siemens Releases Updates to Fix Ruggedcom WIN Firmware Vulnerabilities
Adobe Updates Flash, Again
Three Apps Laced with Malicious Adware Pulled from Google Play Store
Vulnerability in Internet Explorer

STORM CENTER TECH CORNER


*************************** Sponsored By LogRhythm ***********************
LogRhythm's next-gen security intelligence platform identifies high-impact threats and neutralizes them before they can result in a material breach. It uniquely unifies SIEM, log management, and network and endpoint forensics with advanced security analytics, to provide the most complete cyber threat lifecycle management and the ideal foundation for today's security operations. Download the Whitepaper:
http://www.sans.org/info/174487
***************************************************************************

TRAINING UPDATE


-Cyber Threat Intelligence Summit | Washington, DC | February 2-9, 2015 | Brian Krebs, renowned data breach and cybersecurity journalist who first reported on the malware that later became known as Stuxnet and also broke the story on the Target breach, will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have; learn how to flip those odds at the CTI Summit, combined with 4 intensive DFIR courses.
http://www.sans.org/u/Vn


-10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS Summit you will learn the nature of ICS-focused threats and the implications of targeted attacks, what is not working, and what paths (options) you can build your program around. In addition, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, will keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/u/Vx


-DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/u/VR


-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 | 5 courses.
http://www.sans.org/u/W1


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/u/Wg


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/u/Wq


-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!


-Multi-week Live SANS training

Mentor - http://www.sans.org/u/X4

Contact mentor@sans.org


-Looking for training in your own community?

Community - http://www.sans.org/u/Xj


-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Anthem Notifying Customers Eight Days After Breach Detected (February 4 & 5, 2015)

US health insurance company Anthem has acknowledged a breach of one of its systems that compromised customer and employee data. Anthem began notifying affected customers just eight days after the breach. The company has also notified the FBI and has hired Mandiant to investigate. Mandiant said that the attack was conducted through custom backdoors, suggesting that the company was the target of an "advanced attack."
-http://www.scmagazine.com/anthem-brings-in-mandiant-to-investigate-resolve-breach/article/396749/
-http://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/
-http://www.wired.com/2015/02/breach-health-insurer-exposes-sensitive-data-millions-patients/
-http://www.computerworld.com/article/2879649/health-insurer-anthem-discloses-customer-and-employee-data-breach.html
-http://www.darkreading.com/risk/a-mere-eight-days-after-breach-anthem-healthcare-notifies-customers-/d/d-id/1318979?
-http://www.anthemfacts.com
[Editor's Note (Pescatore): Focus on what vulnerabilities were exploited to breach Anthem, not who launched the attack. So far, it looks like the common combination of exploiting well known vulnerabilities with a targeted phishing attack at the front end. When Critical Security Controls are not in place or are disabled or mismanaged, advanced targeted attacks do *not* need to be very "advanced."
(Ullrich): To focus on the good news: Anthem detected the breach internally, without requiring notification by an external entity. They also noticed the breach quickly and may have prevented the attacker from ever using the data.
(Murray): Well, there is finally a breach to rival eBay. Anthem will likely draw a bye from the media as has eBay. The media does not seem to worry as much about identity theft as credit card fraud. Anthem has stressed that no health information has been compromised, hoping to avoid the draconian penalties under HIPAA. Fortunately for all of us there is a limit to the number of identities one can exploit. Consumers should be warned against the kinds of telephone scams that will seek to exploit this information.
(Honan): As with previous major breaches, how the breach happened is the more important lesson for most people, rather than who conducted the attack. Let law enforcement worry about who is behind the attack and hopefully put them behind bars; let those of us responsible for protecting our networks focus more on how the attack happened and put in the appropriate controls to prevent it. ]

FCC Chairman to Propose Strong Net Neutrality Rules (February 4, 2015)

US Federal Communications Commission (FCC) chairman Tom Wheeler says he will propose that cable Internet companies be reclassified as common carriers, which would subject them to additional government regulation. Wheeler says the move will "preserve the Internet as an open platform for innovation and free expression."
-http://www.wired.com/2015/02/fcc-chairman-wheeler-net-neutrality
-http://www.csmonitor.com/Innovation/2015/0204/FCC-chairman-proposes-strong-net-neutrality-rules

[Editor's Note (Northcutt): I read the Wired article earlier today. I suppose the overwhelming majority of us are not in a position to do much about this, but we ought to be informed. The New Yorker piece is also a pretty good read:
-http://www.newyorker.com/news/news-desk/net-neutrality-shows-democracy-can-work
(Murray): Shades of Vietnam. Wheeler proposes to destroy the Internet to save it. Regulating the Internet under this eighty-year-old law, designed to regulate a legal monopoly, will stifle competition, innovation, and investment. To do so on the basis of anticipated abuse, without ever knowing whether competition and public opinion would have been a more effective and efficient way to accomplish the same objective, is the worst kind of government overreach. This policy is not recommended by the amount of populist support it has. "Net neutrality" is a slogan, not a policy. ]


*************************** SPONSORED LINKS ******************************
1) A Security Geek's Guide to SAP: Thursday, February 12 at 1:00 PM EST (18:00:00 UTC) with Alex Horan. http://www.sans.org/info/174222

2) What Works: Increasing Vulnerability Management Effectiveness While Reducing Cost. Wednesday, February 18 at 1:00 PM EST (18:00:00 UTC) with John Pescatore. http://www.sans.org/info/174122

3) New Survey: Securing the Mobile Workforce -- Take Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/174492
***************************************************************************

THE REST OF THE WEEK'S NEWS

US Legislators Aim to Update Data Search and Interception Laws (February 3, 4, & 5, 2015)

US legislators in both the House and the Senate have introduced the Electronic Communications Privacy Act Amendments Act of 2015, a bill aimed at bringing 1986's Electronic Communications Privacy Act (ECPA) up to date with current technology. If passed, it would require the government to obtain probable cause warrants before seeking digital communications content. The Online Communication and Geolocation Protection Act introduced in the House would require government agencies to obtain a probable cause warrant prior to intercepting electronic communications.
-http://www.leahy.senate.gov/download/hen15170
-http://www.scmagazine.com/amendments-to-1986-ecpa-would-require-warrants-court-order/article/396493/
-http://www.nextgov.com/cybersecurity/2015/02/lawmakers-debut-bill-require-search-warrants-email-snooping/104544/?oref=ng-channelriver
-http://www.scmagazine.com/bipartisan-effort-to-protect-electronic-communications-revived-in-house/article/396254/

[Editor's Note (Ullrich): Nice provisions to require a warrant, but they won't mean anything if violations are not going to be punished. ]

House Bill Aims to Ban Backdoor Requirements in Technology (February 4, 2015)

The Secure Data Act introduced in the House would prohibit the government from mandating backdoors in technology products. The bill's supporters say that allowing the backdoors would pave the way for malicious actors to exploit the weakness.
-http://thehill.com/policy/cybersecurity/231745-house-reintroduces-bill-to-ban-tech-backdoors

[Editor's Note (Pescatore): Imagine if the government mandated "back doors" in vaults and safes. Or mandated that automobiles have governors that reduced speeds below what police cars are capable of. The Communications Assistance for Law Enforcement Act (CALEA) already requires telecommunications carriers to provide government access at that level, which for the past 20 years has proven to be a decent balance between privacy and law enforcement access. ]

Scan Results Indicate Ghost Still in Many Business Applications (February 5, 2015)

A scan conducted by Veracode through its cloud-based service found that 41 percent of applications that use GNU C Library (glibc) call the gethostbyname function, which has the buffer-overflow vulnerability known as Ghost.
-http://www.darkreading.com/vulnerabilities---threats/scan-finds-ghost-haunting-critical-business-applications/d/d-id/1318975?

Ulbricht Guilty on All Counts in Silk Road Case (February 4 & 5, 2015)

A jury in New York has found Ross Ulbricht guilty of all charges that identify him as the mastermind of the online black market site known as Silk Road. Ulbricht's legal team plans to appeal the verdict.
-http://www.wired.com/2015/02/silk-road-ross-ulbricht-verdict/
-http://www.bbc.com/news/world-us-canada-31134938
-http://www.scmagazine.com/jury-finds-ross-ulbricht-guilty-of-all-charges/article/396599/
-http://arstechnica.com/tech-policy/2015/02/ulbricht-guilty-in-silk-road-online-drug-trafficking-trial/
-http://www.computerworld.com/article/2880097/silk-road-case-ends-in-guilty-verdict-for-ulbricht.html

Siemens Releases Updates to Fix Ruggedcom WIN Firmware Vulnerabilities (February 3 & 5, 2015)

The US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory warning of vulnerabilities in Siemens Ruggedcom WIN firmware. Siemens has released updates to address the security issues. The flaws could be remotely exploited if the affected services have network connections.
-https://ics-cert.us-cert.gov/advisories/ICSA-15-034-02
-http://www.theregister.co.uk/2015/02/05/siemens_sighs_scada_bugs_abound/
-http://www.computerworld.com/article/2880554/siemens-patches-critical-flaws-in-industrial-wireless-gear.html

Adobe Updates Flash, Again (February 4 & 5, 2015)

Adobe has released Flash Player 16.0.0.305. The newest version of Flash includes a fix for a recently disclosed flaw that is already being actively exploited. The update is being pushed out to users who have enabled the auto-update feature. An update for manual download was expected to be available by Thursday, February 5.
-http://krebsonsecurity.com/2015/02/yet-another-flash-patch-fixes-zero-day-flaw/
-http://www.theregister.co.uk/2015/02/05/adobesighpatches_anothersighflash_zeroday_vulnerability/
-http://www.scmagazine.com/adobe-rolling-out-new-flash-player-version-includes-fix-for-latest-zero-day-bug/article/396491/
-http://www.computerworld.com/article/2879997/adobe-rolls-out-patches-for-latest-flash-flaw.html

[Editor's Note (Ullrich): Waiting for the next 0-day to appear shortly. If you can live without Flash, you will live happier and safer (and maybe more productive as many online ads and videos use Flash.)
(Murray): Steve Jobs tried to warn us. According to Adobe there are 1.3 billion instances of Flash. It puts all those systems at risk. More significantly, it puts the entire infrastructure at risk. According to a count by Brian Krebs, Adobe has published twenty fixes to Flash in the past year. One can have no confidence at all that the latest update has fixed the last problem or even the next to last. At what point do we conclude that Flash cannot be "fixed," that it cannot be patched to the quality required of infrastructure? Another mitigation strategy is needed. MS asserts that its EMET tool would address about ninety percent of the attacks against Flash. However, it is not enabled by default, few consumers know about it, and enterprises will not enable it for fear that it MIGHT break some disorderly application or another. Instead they live with the CERTAINTY that systems can be corrupted by their data and Flash is a gaping hole in their systems. One despairs. ]

Three Apps Laced with Malicious Adware Pulled from Google Play Store (February 3 & 4, 2015)

Google has removed three apps that were found to contain malicious adware from the Google Play store. The apps have been downloaded millions of times. One is a solitaire game aimed at English-speaking users. The other two, which targeted Russian-speaking users, are an IQ test and a history app. The malicious activity begins 30 days after the app is installed. When users unlock their phones, ads are displayed telling them the devices are out of date, infected or otherwise at risk, and users are directed to malicious sites.
-http://www.informationweek.com/mobile/mobile-applications/android-adware-raises-google-play-security-concerns/a/d-id/1318957
-http://www.computerworld.com/article/2879509/scareware-found-hidden-in-google-play-apps-downloaded-by-millions.html
-http://arstechnica.com/security/2015/02/malicious-google-play-apps-may-have-hosed-millions-of-android-handsets/
-http://www.zdnet.com/article/google-pulls-three-stealthy-adware-filled-apps-from-play-store/
-http://www.eweek.com/security/three-adware-infected-android-apps-suspended-from-google-play.html

Vulnerability in Internet Explorer (February 3 & 4, 2015)

Microsoft is developing a fix for a vulnerability in Internet Explorer (IE) that bypasses the Same-Origin Policy. The flaw could be exploited to steal access credentials or launch phishing attacks. The issue affects IE 11 on Windows 7 and Windows 8.1.
-http://www.zdnet.com/article/severe-xss-flaw-in-fully-patched-microsoft-internet-explorer-discovered/
-http://www.theregister.co.uk/2015/02/04/canary_watch/
-http://www.computerworld.com/article/2878967/dangerous-ie-flaw-opens-door-to-phishing-attacks.html
-http://arstechnica.com/security/2015/02/serious-bug-in-fully-patched-internet-explorer-puts-user-credentials-at-risk/


STORM CENTER TECH CORNER

Increase in Probes of Tomcat Servers
-https://isc.sans.edu/forums/diary/Tomcat+security+Why+run+an+exploit+if+you+can+just+log+in/19289/

WordPress Plugin FancyBox Patched
-http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

Exploit for PHP Memory Corruption Bugs
-http://www.inulledmyself.com/2015/02/exploiting-memory-corruption-bugs-in.html

Detecting the Neutrino Exploit Kit
-https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+Neutrino/19283/

TP-Link Router Bruteforcing with JavaScript
-http://www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html

How to Find Which Libraries A Program Uses
-https://isc.sans.edu/forums/diary/What+is+using+this+library/19275/

Another Network Forensic Tool for the Toolbox - Dshell
-https://isc.sans.edu/forums/diary/Another+Network+Forensic+Tool+for+the+Toolbox+Dshell/19277/

Vulnerability in Stackoverflow HTML Sanitizer
-http://danlec.com/blog/hacking-stackoverflow-com-s-html-sanitizer

Exploring .git directory on Web Applications
-https://blog.netspi.com/dumping-git-data-from-misconfigured-web-servers/
-https://github.com/kost/dvcs-ripper

Sharepoint Security Analyzer
-https://securesharepointconfig.codeplex.com


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.