SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #11

February 10, 2015

We ran a webcast on Friday discussing lessons learned from the Ghost Vulnerability. The webcast was over subscribed, but for those who missed it live, you can watch the archived version at the website below.
https://www.sans.org/webcasts/wrapping-ghost-lessons-learned-ghost-vulnerability
-99642

---

TOP OF THE NEWS

Twitter's Transparency Report
Anthem Breach Leads NY Dept. of Financial Services to Plan Regular Security Assessments of Insurance Companies
Are Samsung Smart TVs Eavesdropping?

THE REST OF THE WEEK'S NEWS

Report Enumerates Security and Privacy Issues in Digitally Connected Cars
Apple Requires OS X Users to Update Flash
iOS 9 Will Aim to Improve Stability
DARPA Official Notes Increasing Attacks Against Military Systems
Man Admits to DDoS Attacks
Swatting Suspect Arrested
Turbo Tax Temporarily Halted State Filings Due to Possible Fraud

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By Symantec **************************
Symantec Webcast: The Underground Economy of Cyber-Crime, Feb 12 at 10am PT - Join Symantec to get inside the inner workings of the cyber-criminal. Learn more about: common techniques used to build trust in the cyber-criminal community, by what means goods are bought and sold in the underground economy and what you can do to protect yourself and your organization.
http://www.sans.org/info/174692
***************************************************************************

TRAINING UPDATE


- -Cyber Threat Intelligence Summit | Washington, DC | February 2- 9, 2015 | Brian Krebs, renowned Data Breach and Cybersecurity journalist who first reported on the malware that later become known as Stuxnet and also broke the story on the Target and will keynote the CTI Summit. Adversaries leverage more knowledge about your organization than you have, learn how to flip those odds at the CTI Summit combined with 4 intensive DFIR courses.
http://www.sans.org/u/Vn


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/u/Vx


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/u/Wq


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

*****************************************************************************

---

TOP OF THE NEWS

Twitter's Transparency Report (February 9, 2015)

Twitter's latest transparency report shows that government requests for data have increased, up 40 percent in just the last six months of 2014. The US, Russia, and Turkey appear to have made the most requests.
-http://www.zdnet.com/article/twitter-data-demands-up-40-percent-says-us-turkey-r
ussia-stand-out/
-http://www.cnet.com/news/twitter-calls-out-us-russia-turkey-in-latest-transparen
cy-report/
[Editor's note (Murray): The report shows that the US accounts for more than half of the requests and even more of the responses. It does not indicate what portion of the requests are warrants or National Security Letters. It does not indicate which are from local authorities and which are Federal. It states that Twitter informs the subject of the request unless forbidden to do so but does not suggest in what percentage of the requests it is silenced. It suggests that requests are growing rapidly. The number of requests to Twitter alone is greater than all requests a decade ago. ]

Anthem Breach Leads NY Dept. of Financial Services to Plan Regular Security Assessments of Insurance Companies (February 9, 2015)

The Anthem breach that was disclosed last week has prompted New York's Department of Financial Services to announce that it will conduct "regular, targeted assessments of cyber security preparedness at insurance companies." It says it plans to issue enhanced regulations for insurance companies, but did not provide specific examples. Anthem has said that the database holding non-medical data was not encrypted. However, some experts have said that encryption would not have prevented the data compromise effected by this particular attack.
-http://www.darkreading.com/anthem-breach-prompts-new-york-to-conduct-cybersecuri
ty-reviews-of-all-insurers/d/d-id/1319039
-http://www.scmagazine.com/anthem-breach-sparks-discourse-on-encryption/article/3
96989/
[Editor's note (Ullrich): Regulation of insurance companies should not be limited to the protection of personal data. While this is a headline grabbing incident, a much more severe threat comes from badly calculated risks due to manipulated data or from surveilling customers with vulnerable and constantly connected devices as some insurances now provide to be plugged into cars. ]

Are Samsung Smart TVs Eavesdropping? (February 8 & 9, 2015)

Samsung is warning customers who use their Smart TVs' voice activation feature that the device "listens" to what they say in its proximity and it may share that information with Samsung or with third parties. The practice is laid out in the devices' UK privacy policy. The sharing with third parties is so that the speech can be converted "to text or to the extent necessary to provide the Voice Recognition features."
-http://www.csmonitor.com/Innovation/2015/0209/Samsung-explains-why-its-SmartTV-r
ecords-private-conversations
-http://www.zdnet.com/article/samsung-smarttv-eavesdropping-flap-overblown/
-http://www.bbc.com/news/technology-31296188
-http://www.theregister.co.uk/2015/02/09/samsung_listens_in_to_everything_you_say
_to_your_smart_tellie/
-http://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-
chatter/
-https://isc.sans.edu/forums/diary/Raising+the+Creep+Factor+in+License+Agreements
/19303/
[Editor's note (Murray): For the moment, most speech to text applications are using Internet based services. Speech to text is a "computational and data intensive" application. To characterize this as eavesdropping is mischievous, as though we did not have enough real things to worry about. (I have "hey siri" enabled on my iPhone; my TV wakes it up a half dozen times a day, usually when a talking head says "serious.")
(Ullrich): Note that this is not just Samsung. Other TV makers, most notably LG, have similar language in their EULAs, and have been caught in the past collecting data beyond what the EULA suggests. ]

---

************************** Sponsored Links: ******************************
1) Download the free eGuide: An IT Auditor's Guide to Security Controls & Risk Compliance: http://www.sans.org/info/174697

2) 10 Threat Intelligence Goals for Financial Institutions with Russ Pierce, CISSP, VP of Cyber Security and Threat Intelligence, Regions Financial Corporation. Recorded Future Webcast. Feb 11, 12:00pm ET. http://www.sans.org/info/174702

3) New Survey: Securing the Mobile Workforce -- Take Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/174492
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Report Enumerates Security and Privacy Issues in Digitally Connected Cars (February 9, 2015)

US Senator Edward Markey (D-Massachusetts) has released a report based on responses from automobile companies to a letter he sent more than a year ago asking how they use wireless technology and how they store and ensure the privacy of drivers' data. Most cars have wireless functionality, but protection of those systems is "inconsistent and haphazard." In many instances, car companies are gathering location data and transmitting them unsecurely.
-http://arstechnica.com/security/2015/02/senator-car-hacks-that-control-steering-
or-steal-driver-data-way-too-easy/
-http://www.computerworld.com/article/2881545/security-privacy-gaps-put-us-driver
s-at-risk.html
-http://www.scmagazine.com/senators-report-shows-troubling-security-privacy-risks
-for-drivers/article/397221/
-http://www.wired.com/2015/02/heres-full-senate-report-shaming-automakers-securit
y/
-http://www.informationweek.com/mobile/mobile-devices/smart-cars-vulnerable-to-se
curity-hacks-report-finds/a/d-id/1319031
Report:
-http://media.scmagazine.com/documents/106/carsecurity_26333.pdf
[Editor's note (Murray): For the moment, these are vulnerabilities with no threat and little motivation to create one. Interesting to "Chicken Little" for their novelty and to the media for sensation but that is about all. ]

Apple Requires OS X Users to Update Flash (February 9, 2015)

Apple is making OS X users update the version of Adobe Flash Player on their computers to address a trio of recently disclosed security issues. Outdated versions of Flash are being blocked in OS X.
-http://www.v3.co.uk/v3-uk/news/2394314/apple-pushes-flash-update-for-mac-os-x-fo
llowing-triple-zero-day-debacle
-http://www.theinquirer.net/inquirer/news/2394363/apple-blocks-old-versions-of-ad
obe-flash-player-after-more-zero-day-shenanigans
[Editor's note (Murray): While Apple's position relative to Flash is a little less accommodating than that of its competitors, "Requires" is a little strong. One must install the update only if one wishes to view Flash content. That is risky even with the update and should be discouraged. Given the track record of Flash, one can have little confidence that this update fixes the last, or even the next to last, vulnerability in it. ]

iOS 9 Will Aim to Improve Stability (February 9, 2015)

Engineers working on iOS 9 are focusing on improving the mobile operating system's functionality rather than on adding new features. Users have reported issues with earlier updates, so the company is aiming to fix bugs, and improve its stability and performance.
-http://9to5mac.com/2015/02/09/apples-ios-9-to-have-huge-stability-and-optimizati
on-focus-after-years-of-feature-additions/
">http://9to5mac.com/2015/02/09/apples-ios-9-to-have-huge-stability-and-optimizati
on-focus-after-years-of-feature-additions/
-http://www.csmonitor.com/Innovation/2015/0209/Apple-s-iOS-9-will-fix-old-feature
s-not-debut-new-ones-report
[Editor's note (Northcutt): I think this is a really smart idea. If I know how to use 10% of the features of my Mac it is a good day indeed. At the same time, one of the first things Kathy and I are going to do when we get back to Washington state is drive down and spend some time at the Mac store Genius bar. We have a number issues on both Macs we need some help with:
-http://9to5mac.com/2015/02/09/apples-ios-9-to-have-huge-stability-and-optimizati
on-focus-after-years-of-feature-additions/
">http://9to5mac.com/2015/02/09/apples-ios-9-to-have-huge-stability-and-optimizati
on-focus-after-years-of-feature-additions/
-http://www.macrumors.com/2015/02/09/ios-9-stability-optimization-focus/]

DARPA Official Notes Increasing Attacks Against Military Systems (February 8, 2015)

DARPA Director of the Information Innovation office Dan Kaufman told the US television news magazine 60 Minutes that cyber attacks against US military systems are increasing in number and in sophistication.
-http://thehill.com/policy/cybersecurity/232122-darpa-official-cyberattacks-again
st-us-military-dramatically-increasing

Man Admits to DDoS Attacks (February 6 & 9, 2015)

A UK man has admitted to launching distributed denial-of-service (DDoS) attacks against numerous websites in 2013. The affected sites included banks, crime reporting websites, and social services websites. No sensitive data were compromised in the attacks, but the sites were inaccessible for periods of time.
-http://www.computerweekly.com/news/2240239889/UK-cyber-attacker-faces-jail-for-t
argeting-public-services-sites
-http://www.cbronline.com/news/security/anonymous-linked-hacker-admits-to-ddos-of
-public-services-4507312

Swatting Suspect Arrested (February 7 & 9, 2015)

Authorities in the US have arrested a man alleged to have taken part in a "swatting" attack in July 2014. Brandon Wilson was arrested last week in Nevada. An extradition hearing was scheduled for Monday, February 9, to determine whether he would be sent to Illinois to face charges there.
-http://arstechnica.com/tech-policy/2015/02/alleged-swatting-prankster-famed-god-
arrested-in-las-vegas/
-http://www.bbc.com/news/technology-31299287

Turbo Tax Temporarily Halted State Filings Due to Possible Fraud (February 6 & 7, 2015)

Late last week, Intuit temporarily halted state income tax filings through its Turbo Tax software after evidence of fraud came to light. Some customers reported logging in only to find that a return in their name had already been filed. Tax authorities in 19 states reported high numbers of fraudulent returns. The company determined that its systems had not been breached and that the information used to complete the fraudulent returns was obtained somewhere else, and state return filings were resumed. Federal filings were not affected.
-http://www.cnet.com/news/turbotax-back-to-full-speed-after-fraud-concerns/
-http://www.theregister.co.uk/2015/02/07/intuit_halts_turbotax_filings_after_stat
es_spot_mass_tax_fraud_scheme/
-http://www.computerworld.com/article/2880765/intuit-stops-turbotax-e-filing-of-s
tate-returns-after-fraudulent-filing-spikes.html
-http://krebsonsecurity.com/2015/02/citing-tax-fraud-spike-turbotax-suspends-stat
e-e-filings/
-https://isc.sans.edu/forums/diary/Anthem+TurboTax+and+How+Things+Fit+Together+So
metimes/19299/

---

STORM CENTER TECH CORNER

Cryptolocker and Disaster Recovery: It is not just about backups
-https://isc.sans.edu/forums/diary/Backups+are+part+of+the+overall+business+conti
nuity+and+disaster+recovery+plan/19309/

Report of British Air Traffic Control Outage
-http://www.caa.co.uk/docs/2942/v3%200%20Interim%20Report%20-%20NATS%20System%20F
ailure%2012%20December%202014.pdf

Firmware Reverse Analysis
-http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html

Netflix Going to Open Source More Security Tools
-https://ia801509.us.archive.org/5/items/shmoocon-2015-videos-playlist/The%20Joy%
20of%20Intelligent%20Proactive%20Security%20%5BSC2015%5D.mp4

Anthem Spam
-http://abcnews.go.com/Technology/wireStory/anthem-warns-phishing-emails-massive-
hack-28780111

Web Based Analyzer to Identify Windows Binary Security Features
-https://labs.nccgroup.com/NCCGroupWindowsBinaryAnalyzer/

Bypassing Security Features With Information Disclosure Vulnerabilities
-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.