SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #12

February 13, 2015

TOP OF THE NEWS

ThreatExchange Lets Companies Share Cyberthreat Information
Dutch Government Websites Affected by DDoS Attack
Microsoft Patches 55 Flaws

THE REST OF THE WEEK'S NEWS

EU Parliament Blocks Mobile Outlook App
Facebook Fixes Flaw That Could Have Been Exploited to Delete Pictures
Apple Adds Two-factor Authentication to FaceTime and iMessage
FBI Investigating Fraudulent TurboTax State Returns
Smartphone Thefts Down After Kill Switch Implemented
NIST Seeking Comment on ICS Security Guide
Attackers Used Forbes Site in Watering Hole Attack
Federal Contract Administrator Investigating Possible Breach

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By LogRhythm *************************
Join SANS on March 4th at a Critical Security Controls briefing in the DC area. This half-day event provides an update on the Controls effort, will highlight new mappings to other security frameworks, and will provide a unique opportunity to engage in dialog around the Controls. Learn about key solution capabilities/customer success stories. http://www.sans.org/info/174762. This event will also be simulcast live and archived for later viewing. Register at https://www.sans.org/webcasts/99672
***************************************************************************

TRAINING UPDATE


-SANS Scottsdale 2015 | Scottsdale, AZ | February 16-February 21, 2015 | 7 courses. Bonus evening presentations include APT: It is Time to Act, and Privileged Domain Account Protection: How to Limit Credentials Exposure
http://www.sans.org/u/18r


-10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/u/Vx


-DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR


-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/u/Wq


-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!


-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


-Looking for training in your own community?
Community - http://www.sans.org/u/Xj


-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.


For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

*****************************************************************************

---

TOP OF THE NEWS

ThreatExchange Lets Companies Share Cyberthreat Information (February 11 & 12, 2015)

Cyberthreat specialists from several social media, including Facebook, Tumblr, and Pinterest, gathered to figure out a way to stop a botnet from spreading malware across the Internet. The Facebook team realized that they couldn't call meetings every time a security issue arose, so they developed ThreatExchange, a way for the companies' systems to communicate with one another in real time to share information.
-http://www.wired.com/2015/02/facebook-unveils-tool-sharing-data-malicious-botnet
s/
-http://www.v3.co.uk/v3-uk/news/2395141/facebook-builds-threatexchange-security-p
latform-with-help-from-twitter-and-yahoo
-http://www.washingtonpost.com/business/capitalbusiness/facebook-asks-companies-t
o-share-information-on-cyber-threats/2015/02/12/5be87bd8-b2dd-11e4-854b-a38d1348
6ba1_story.html
-http://www.zdnet.com/article/facebook-launches-threatexchange-can-information-sh
aring-thwart-cyberattacks/
[Editor's Note (Murray): Imagine! They did this without "immunity" from Congress.
(Ullrich) Great initiative. We need to automate these systems more. There are too many mailing lists and threat groups already and the response needs to happen faster. I hope that this effort will be able to leverage standards like STIX/TAXI to allow it to scale and integrate beyond this particular use case.
(Honan): It is great to see initiatives such as this take place and threat information being shared openly amongst companies. Of course the real test will be the quality of the information provided and the value it can bring to an organisation that subscribes to one, or many, of these platforms. The European Network and Information Security Agency (ENISA) published a very useful paper related to this topic "Standards and tools for exchange and processing of actionable information".
-https://www.enisa.europa.eu/activities/cert/support/actionable-information/stand
ards-and-tools-for-exchange-and-processing-of-actionable-information]

Dutch Government Websites Affected by DDoS Attack (February 12, 2015)

Government websites in the Netherlands were inaccessible for several hours earlier this week due to a distributed denial-of-service (DDoS) attack. Some private websites were also affected by the attack. The attack was launched against hosting provider Prolocation.
-http://www.bbc.com/news/technology-31440973
-http://www.theregister.co.uk/2015/02/12/dutch_gov_websites_ddos/
[Editor's Note (Honan): In today's threat environment there really is no excuse for companies not having a DDoS prevention service to protect their website(s). ]

Microsoft Patches 55 Flaws (February 10 & 11, 2015)

On Tuesday, February 11, Microsoft released nine security bulletins to address 55 flaws in Windows, Internet Explorer (IE), and other products. Microsoft announced last month that it would no longer be providing advance notification of the bulletins to the general public. Forty-one of the vulnerabilities patched are in IE. Among the other flaws fixed is a remote code execution flaw in Active Directory that took Microsoft a year to develop, and the issue is not patchable in Windows Server 2003.
-http://www.theregister.co.uk/2015/02/10/patch_tuesday_release_fixes_unprecedente
d_zeroday_design_flaw_in_windows/
-http://www.computerworld.com/article/2882620/three-critical-patches-for-microsof
t-and-six-updates-that-may-need-some-attention.html
-http://krebsonsecurity.com/2015/02/microsoft-pushes-patches-for-dozens-of-flaws/
-http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-ex
ecution-in-all-versions-of-windows/
-https://technet.microsoft.com/en-us/library/security/dn903782.aspx
[Editor's Note (Murray): Surely that is the last one; now we can all relax. That said, fixes to security infrastructure, e.g., Active Directory, should take priority.
(Ullrich): Sadly, Microsofts patch quality is not improving. Again, one patch failed to apply correctly if the user was not logged in as Administrator. Also note that the very important GPO patch is not fully affective until the respective configuration has been changed to enable the requirement for mutual authentication and integrity verification. ]

---

************************** Sponsored Links: ******************************
1) What Works: Increasing Vulnerability Management Effectiveness While Reducing Cost. Wednesday, February 18 at 1:00 PM EST (18:00:00 UTC) with John Pescatore. http://www.sans.org/info/174772

2) Continuous Diagnostics and Mitigation for Government Agencies: Is It Working? A SANS Survey Friday, February 20 at 1:00 PM EST (18:00:00 UTC) with Tony Sager, Tim Woods, Wallace Sann, Joshua Stegall and Kenneth Durbin. http://www.sans.org/info/174777

3) The survey results are in! Big Data: Identifying Major Threats and Removing Security and Compliance Barriers -- Webcast on Tuesday, February 24 at 1:00 PM EDT. Register: http://www.sans.org/info/174782
*****************************************************************************

---

THE REST OF THE WEEK'S NEWS

EU Parliament Blocks Mobile Outlook App (February 12, 2015)

The European Union (EU) Parliament has decided that politicians may not use the Microsoft mobile Outlook app due to security and privacy issues. The Parliament's IT department has told staff members to delete the app. The concern is that Outlook holds data and user credentials on servers in the cloud, beyond the Parliament's control. The University of Wisconsin has banned the app's use as well.
-http://www.theregister.co.uk/2015/02/12/eu_parliament_banning_outlook_app/
-http://www.techweekeurope.co.uk/mobility/mobile-apps/outlook-ios-android-app-161
694
[Editor's Note (Pescatore): Microsoft acquired this app from Acompli and seems to have rushed it to market. Because it stores login credentials externally Acompli bypasses ActiveSync and any ActiveSync security policies you have implemented. That alone is enough to block usage, but if something of that magnitude was overlooked there are likely other issues. Microsoft has said it is working on fixing the known vulnerabilities. ]

Facebook Fixes Flaw That Could Have Been Exploited to Delete Pictures (February 12, 2015)

Facebook responded quickly after being notified of a flaw in the site's Graph API that could have been exploited to delete other people's photos. The vulnerability was patched within two hours of the notification.
-http://www.zdnet.com/article/security-flaw-couldve-deleted-every-photo-on-facebo
ok/
-http://www.computerworld.com/article/2883735/facebook-fixes-flaw-that-could-have
-let-hackers-delete-photos.html
-http://www.theregister.co.uk/2015/02/13/facebook_bug_could_have_deleted_every_si
ngle_photo/

Apple Adds Two-factor Authentication to FaceTime and iMessage (February 12, 2015)

Apple is expanding its use of two-factor authentication to FaceTime and iMessage. Apple began offering two-factor authentication for iCloud last fall. iCloud users who have already enabled the two-factor option will automatically find themselves prompted for app-specific passwords which are generated on the AppleID management page.
-http://arstechnica.com/apple/2015/02/apple-extends-two-factor-authentication-to-
facetime-and-imessage/
-http://www.cnet.com/news/apple-beefs-up-imessage-facetime-login-security/
[Editor's Note (Pescatore): iTunes and the Apple App Store still aren't under the two factor authentication umbrella. Adding those would help increase the adoption - anything that gets home users moving off of reusable passwords helps them accept the same thing at work.
(Murray): I agree with John P. that whatever promotes the use of strong authentication is a good thing. However, I find the idea that "work" is waiting for "home" unprofessional and offensive. ]

FBI Investigating Fraudulent TurboTax State Returns (February 11 & 12, 2015)

The FBI is investigating reports that fraudulent state tax returns were submitted through Intuit's TurboTax software. Intuit briefly suspended filing state returns through TurboTax while it determined that its systems had not been breached and concluded that the information used to file the fraudulent claims was obtained elsewhere. The FBI is investigating to verify the validity of Intuit's assertion that the breach occurred elsewhere and to determine whether the issue affects federal returns as well.
-http://www.forbes.com/sites/robertwood/2015/02/12/turbotax-fraud-may-impact-fede
ral-returns-too-fbi-investigating/
-http://www.computerworld.com/article/2882990/fbi-probes-for-source-of-fraudulent
-turbotax-filing-spike.html
[Editor's Note (Murray): One would like to think that the role of the FBI would be to identify and arrest the perpetrators, rather than simply determine the method.
(Ullrich): Fraudulent Tax returns are a relatively easy way to "cash out" stolen social security numbers. But this type of fraud not only costs taxpayer's money, it also causes considerable pain to the impersonated victim as they may now not be able to file a return and receive a refund until jumping through additional hoops. Software like Turbo Tax just enables this fraud and makes it simpler to execute. ]

Smartphone Thefts Down After Kill Switch Implemented (February 11, 2015)

Authorities in three major cities say that kill switches on smartphones have noticeably reduced thefts of the devices. Apple added the feature in 2013, and since that time, iPhone thefts have dropped by 25 percent in New York, by 40 percent in San Francisco, and by 50 percent in London. Overall cellphone thefts in that period fell by 16 percent in New York, and 27 percent in San Francisco. The decline in thefts in London overall was 50 percent.
-http://www.csmonitor.com/Innovation/2015/0211/Cellphone-kill-switch-leads-to-sha
rp-declines-in-theft
-http://www.scmagazine.com/smartphone-thefts-decline-following-introduction-of-ki
ll-switch/article/397760/

NIST Seeking Comment on ICS Security Guide (February 11, 2015)

The National Institute of Standards and Technology (NIST) is seeking public comment on the final draft version of its Industrial Control Systems (ICS) security guide. This is final public review. Comments accepted through March 10, 2015.
-http://www.scmagazine.com/nist-requests-final-comments-on-ics-security-guide/art
icle/397751/
-http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
[Editor's Note (Murray): My comment is the same as I have been giving, and they have been ignoring, for the last thirty years: write in the active voice. Bureaucrats are unable to do that because then someone might be held accountable.
(Assante): The addition of placing a sharp focus on safety for the framework for risk management decisions is important. The authors then use an example that sets security practices against safety concerns, but this is only one element of framing risk. The loss of integrity to unauthorized parties represents a very real safety concern, especially as some industrial environments are moving to integrated safety and control systems. Many would argue that sacrificing the availability of the control system to a safe shutdown is preferable if the control system was compromised resulting in unpredictable operating conditions. ]

Attackers Used Forbes Site in Watering Hole Attack (February 10 & 11, 2015)

Cyber attackers operating through China were reportedly able to launch attacks against US defense and financial companies last year by compromising the Forbes news site. The attackers exploited unpatched vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE) late last year. Specifically, the attackers infected a Flash widget on the Forbes site and used it to serve malicious code to specific site visitors. The allegations were made in a report from iSIGHT Partners and Invincea.
-http://www.scmagazine.com/forbescom-attackers-exploited-zero-days-in-flash-ie/ar
ticle/397985/
-http://www.cbronline.com/news/security/chinese-attack-forbes-to-target-us-defenc
e-and-finance-4509765
-http://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-us
es-forbescom-as-watering-hole-/d/d-id/1319059?
-http://www.eweek.com/security/cyber-spy-campaign-uses-forbes.com-to-hit-u.s.-bus
inesses.html
[Editor's Note (Murray): It is hard to blame Forbes for this; everyone used Flash then. On the other hand, users ought to be able to safely visit a Forbes site. It should now be obvious to the operators of similar sites that they should prefer html 5 to Flash. ]

Federal Contract Administrator Investigating Possible Breach (February 10, 2015)

The US Defense Contract Management Agency (DCMA) has taken several servers offline while it investigates a possible security breach. DCMA administers contracts for the US Department of Defense (DoD). A spokesperson said that the agency noticed suspicious activity on one of its public facing servers in late January.
-http://krebsonsecurity.com/2015/02/defense-contract-management-agency-probes-hac
k/
[Editor's Note (Murray): Do I understand correctly that they discovered this on their own, without relying upon a warning from Krebs like everyone else? ]

---

STORM CENTER TECH CORNER

Netatmo Weather Station Sends Clear Text WPA Password Back to Cloud
-https://isc.sans.edu/forums/diary/Did+You+Remove+That+Debug+Code+Netatmo+Weather
+Station+Sending+WPA+Passphrase+in+the+Clear/19327/

Configure Microsoft's UNC Hardened Access
-http://support.microsoft.com/kb/3000483

Virustotal to Add Whitelist
-http://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Google Project Zero Published POC For Flash Vulnerability CVE-2015-0318
-http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.
html

PCI Did Not Kill HTTPS, Only SSL
-https://isc.sans.edu/forums/diary/Did+PCI+Just+Kill+ECommerce+By+Saying+SSL+is+N
ot+Sufficient+For+Payment+Info+spoiler+TLSSSL/19323/

Gas Station Sensors Attacked by Anonymous
-http://blog.trendmicro.com/trendlabs-security-intelligence/is-anonymous-attackin
g-internet-exposed-gas-pump-monitoring-systems-in-the-us/

Targeted Waterhole Attack via Forbes.com
-http://www.isightpartners.com/2015/02/codoso/
-http://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/

Google Play Store X-Frame-Options Gaps enable Android Remote Code Execution
-https://community.rapid7.com/community/metasploit/blog/2015/02/10/r7-2015-02-goo
gle-play-store-x-frame-options-xfo-gaps-enable-android-remote-code-execution-rce

Detect Mimikatz with Credential Canaries
-https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/Microsoft+Update+Advisory+for+February+2015/19
315/
-https://isc.sans.edu/forums/diary/Microsoft+Patches+appear+to+be+causing+problem
s/19317/

---

************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.