SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #14

February 20, 2015

TOP OF THE NEWS

Cyber Attack Risk Requires $1 Billion Insurance Coverage, Per Company
Lenovo Laptops Shipped with Adware and Persistent Vulnerability
State Department Cannot Get The Hackers Out

THE REST OF THE WEEK'S NEWS

TurboTax Blocks Filing of State Returns Not Linked to Federal Returns
Many Companies Still Not Focusing on Cyber Security
JPMorgan Chase is Hiring Ex-Military Specialists to Help with Cyber Security
Attribution for Equation is a Distraction
UK Parliament Wants Government to Classify Broadband as Utility
How the Justice Dept. and DHS Manage Agency Mobile Devices Taken Abroad
Microsoft to Add HTTP Strict Transport Security to Internet Explorer
Core Infrastructure Initiative Aims to Improve Open Source Security
BlackShades RAT Mastermind Pleads Guilty in US Court
Suspect in Heartland Breach Extradited to US, Pleads Not Guilty to All Charges

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By HP ******************************
Less than half of IT organizations have confidence in the security of the software that runs their businesses and only 11 percent are confident they know which applications are at risk. These survey results detail key Software Security Assurance (SSA) findings. Read it to learn how SSA works and how others are implementing SSA programs to protect their business.
http://www.sans.org/info/174972
***************************************************************************

TRAINING UPDATE


- -SANS Scottsdale 2015 | Scottsdale, AZ | February 16-February 21, 2015 | 7 courses. Bonus evening presentations include APT: It is Time to Act, and Privileged Domain Account Protection: How to Limit Credentials Exposure
http://www.sans.org/u/18r


- -10th Annual ICS Security Summit | Orlando, FL | Feb. 23 - March 2, 2015 | At the ICS summit you will learn what is the nature of ICS-focused threats & implications of targeted attacks, what is not working and what are the paths (options) to build your program around. In addition Kim Zetter, Author, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, to keynote. Come prepared to learn about the recent onset of ICS-focused attacks and how you need to hone your skills to defend our critical infrastructure systems. Plus 6 top-rated ICS courses.
http://www.sans.org/u/Vx


- -DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It.
http://www.sans.org/u/Wq


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Cyber Attack Risk Requires $1 Billion Insurance Coverage, Per Company (February 19, 2015)

Companies will need as much as $1bn in cyber insurance coverage as the costs of hacking attacks mount, but some businesses are struggling to secure even a tenth of that. US retailer Target said in November that the price tag for the data breach that affected up to 110m of its customers had reached $248m.
-http://www.ft.com/cms/s/0/61880f7a-b3a7-11e4-a6c1-00144feab7de.html#axzz3SINJLPh
L

Lenovo Laptops Shipped with Adware and Persistent Vulnerability (February 19, 2015)

Lenovo has been shipping laptops loaded with Superfish, adware designed to steal Internet traffic. Superfish is designed to "help users find and discover products visually." It also injects ads into web pages. Superfish hijacks encrypted web sessions, and could easily be misused to conduct man-in-the-middle attacks. Lenovo has stopped including Superfish on its new machines.
-http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-a
dware-that-breaks-https-connections/
-http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
-http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mit
m-proxy/
-http://www.bbc.com/news/technology-31533028
-http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
-http://news.lenovo.com/article_display.cfm?article_id=1929
[Editor's Note (Ullrich): "Adware" is putting it lightly. This may be better described as an "encryption backdoor". The problem is that even while Lenovo claims to have stopped using this system, the rogue certificate authority will remain trusted and with the private key recovered, anybody using an affected Lenovo laptop is now at risk of man-in-the-middle attacks. ]

State Department Cannot Get The Hackers Out (February 20, 2015)

Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn't been able to evict them from the department's network, even with help from the NSA and FBI. In continuing skirmishes, the possibly Russia-based hackers counter moves by the defender by tweaking their tools.
-http://www.wsj.com/articles/three-months-later-state-department-hasnt-rooted-out
-hackers-1424391453

---

**************************** SPONSORED LINKS ******************************
1) Critical Controls Security Briefing Wednesday, March 04 at 8:30 AM EDT in the DC Area, with John Pescatore and Tony Sager. http://www.sans.org/info/174977

2) Free Financial Services Cybersecurity Trends And Challenges Briefing. Friday, March 6 in NYC. A unique opportunity to engage in dialogue around cybersecurity issues specific to the Finance Industry. http://www.sans.org/info/174982

3) Palo Alto Networks Ignite Conference brings security professionals together to get their toughest security challenges solved through hands-on and interactive sessions. http://www.sans.org/info/174987
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

TurboTax Blocks Filing of State Returns Not Linked to Federal Returns (February 17, 2015)

TurboTax maker Intuit attributes the recent spike in fraudulent electronic state tax returns to the US Internal Revenue Service's (IRS's) improved detection of fraudulent returns at the federal level. TurboTax suspended state tax filings earlier in February because of the high number of reports of fraud; some states have seen a rise in fraudulent tax returns of 3,700 percent. While the IRS has been sharing information about fraudulent returns with state revenue departments, in all but four states, residents may file "unlinked" state returns, meaning they may file a state return without filing a federal return at the same time. TurboTax now blocks users from filing unlinked returns with its software.
-http://krebsonsecurity.com/2015/02/the-rise-in-state-tax-refund-fraud/
[Editor's Note (Northcutt): In a sense this is related to the NewsBites article of companies not paying attention to security. Intuit, the company that sells TurboTax is struggling financially, but their bright spot is sales of their Software As A Service, (SAAS) products, especially QuickBooks, but also TurboTax. Too many security problems and they could lose trust:
-http://www.bloomberg.com/news/articles/2015-02-19/intuit-s-online-subscribers-ri
se-as-users-shift-to-web-software]

Many Companies Still Not Focusing on Cyber Security (February 19, 2015)

Although it would seem likely that incidents like the Target and Sony breaches would prompt organizations to take their own cyber security more seriously, results from two separate surveys indicate that there appears to be "a disconnect ... between the security function and senior leadership at many companies." A survey from Raytheon asked 1,006 CIOs, CISOs, and other technology executives about practices at their companies. Seventy-eight percent said their boards had not been briefed about cyber security strategy within the past 12 months. A PricewaterhouseCoopers (PwC) survey conducted last year found that less than 42 percent of responding companies' boards actively participate in security strategy. However, a forthcoming IDC survey of 269 security professionals found that most said their organizations have recently begun paying closer attention to their security postures.
-http://www.csmonitor.com/World/Passcode/2015/0219/After-high-profile-hacks-many-
companies-still-nonchalant-about-cybersecurity
[Editor's Note (Pescatore): I don't think it makes sense to equate "focusing on security" with "boards of directors actively participating in security strategy." The companies that are *most* focused on security need the *least* board involvement, just the way companies that are the *most* focused on quality or operational excellence or service to the customer need the *least* board involvement. Boards of directors are most actively involved in mergers and acquisitions and 75% of those have negative results...
(Honan): With the dependence businesses now have on the data processed and stored on ICT systems, boards need to realise cyber security risks are just as important as any other business and operational risks that face their companies. ]

JPMorgan Chase is Hiring Ex-Military Specialists to Help with Cyber Security (February 19, 2015)

In the wake of a significant attack last year, JPMorgan Chase is taking steps to improve its cyber security posture. The financial institution has hired former military officers to oversee its cyber security team. To make it easier to find these employees, JPMorgan Chase built a security services facility near NSA headquarters.
-http://thehill.com/policy/cybersecurity/233188-jpmorgan-beefs-up-cybersecurity-w
ith-ex-military-officers
-http://www.bloomberg.com/news/articles/2015-02-19/jpmorgan-hires-cyberwarriors-t
o-repel-data-thieves-foreign-powers

Attribution for Equation is a Distraction (February 19, 2015)

Experts are saying that instead of trying to figure out who is responsible for the Equation malware campaign, the community should be focusing on how to defuse the threat and protect their systems. Although there has been speculation that Equation is the work of the NSA, the focus on attribution is a distraction, say some experts. A more productive approach would be for companies to determine where their primary concerns lie and build a strategy based on them.
-http://www.v3.co.uk/v3-uk/analysis/2396040/forget-whos-behind-equation-malware-j
ust-focus-on-the-threat

UK Parliament Wants Government to Classify Broadband as Utility (February 18 & 19, 2015)

In a report titled Make or Break: The UK's Digital Future, members of the UK's House of Lords call on the government to reclassify Internet access as a public utility, ensuring that it is available to all citizens. The report also notes that the UK is lagging behind other countries with regard to high-speed Internet access, which could have a negative effect on the country's international competitiveness.
-http://www.siliconrepublic.com/comms/item/40764-uk-parliament-s-call-to/
-http://arstechnica.com/business/2015/02/uk-parliament-calls-for-internet-to-be-c
lassified-as-a-public-utility/
-http://www.publications.parliament.uk/pa/ld201415/ldselect/lddigital/111/111.pdf
[Editor's Note (Pescatore): There was a great series of reports (actually, short books) by CNRI back in the 1990s on how electricity, telephone, water and railroad came to be considered utilities years ago and were then heavily regulated. Most of them have been mostly deregulated, anyway - but it was hard to make the case that Internet access met the definition of "utility" in any event. ]

How the Justice Dept. and DHS Manage Agency Mobile Devices Taken Abroad (February 18, 2015)

The US Justice Department (DOJ) and Department of Homeland Security (DHS) are both well aware of the risks posed by using wireless devices overseas. The FBI's standard position is to warn government and business travelers not to use hotel Wi-Fi while traveling. DHS restricts what employees can access on mobile devices while they are traveling, and they often quarantine the devices once the employees return. DOJ plans to implement before-and-after checks of mobile devices.
-http://www.nextgov.com/cybersecurity/2015/02/justice-dhs-quarantine-smartphones-
returning-abroad/105576/?oref=ng-HPtopstory
[Editor's Note (Pescatore): There are well documented cases of laptops being physically tampered with overseas, and it is very common for executives to be given "clean" laptops to take on travel to those countries and give them back to IT when they return. There are fewer cases of cell phone/smart phone tampering but I have talked with several organizations that believe SIM cards were surreptitiously swapped out and they give executives pre-paid "burner" cell phones for travel into those same countries now. ]

Microsoft to Add HTTP Strict Transport Security to Internet Explorer (February 18, 2015)

Microsoft plans to add HTTP Strict Transport Security to Internet Explorer (IE) with Windows 10. "The HSTS policy protects against variants of man-in-the-middle attacks than can strip TLS out of communications with a server, leaving the user vulnerable."
-http://www.computerworld.com/article/2885338/microsoft-adds-http-strict-transpor
t-security-support-to-internet-explorer.html
-http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-com
es-to-internet-explorer.aspx
[Editor's Note (Ullrich): If you haven't done so yet, please implement HTST for your SSL web servers. It is a pretty simple fix, and will prevent a number of man-in-the-middle attacks. Internet Explorer will for example no longer allow users to bypass SSL security warnings if HTST is in place. ]

Core Infrastructure Initiative Aims to Improve Open Source Security (February 18, 2015)

Linux Foundation Executive Director Jim Zemlin told an audience at the Linux Foundation's Collaboration Summit that the open source community needs to do a better job of addressing security. The foundation's Core Infrastructure Initiative (CII), created in response to the Heartbleed vulnerability, aims to do just that. Zemlin says that while the default approach to security has been to address each issue as it arises, he would like to see a shift toward taking steps to decrease the likelihood serious problems in the first place.
-http://www.theregister.co.uk/2015/02/18/zemlin_talks_core_infrastructrure_initia
tive/
[Editor's Note (Ullrich): What many people don't realize is how much commercial software relies on these free components to provide basic security services. Funding open source security, and funding it well, will help everybody, not just the open source community. ]

BlackShades RAT Mastermind Pleads Guilty in US Court (February 18, 2015)

A Swedish man has pleaded guilty in US federal court to a list of charges including distribution of malicious software, access device fraud, and identity theft. Alex Yucel was the mastermind of a group that distributed the BlackShades Remote Access Trojan (RAT), which was used to break in to more than half a million computers. BlackShades gave attackers remote control of infected machines and allowed them to harvest information like passwords and personal files, and to record keystrokes. Last spring, US and European law enforcement authorities arrested roughly 100 people in connection with BlackShades activity.
-http://www.nbcnews.com/tech/security/accused-blackshades-mastermind-alex-yucel-p
leads-guilty-hacking-n308441
-http://www.bloomberg.com/news/articles/2015-02-18/blackshades-co-creator-yucel-p
leads-guilty-in-malware-probe

Suspect in Heartland Breach Extradited to US, Pleads Not Guilty to All Charges (February 17 & 18, 2015)

A Russian man who allegedly had a significant role in the attacks on Heartland Payment Systems and other businesses has been extradited to the US to face charges. Vladimir Drinkman has pleaded not guilty to 11 counts described in an indictment. One other person is in custody in connection with the attacks; several other suspects remain at large. The group stole information about at least 160 million payment card accounts.
-http://www.eweek.com/security/doj-charges-suspect-in-largest-known-data-breach.h
tml
-http://www.forbes.com/sites/katevinton/2015/02/17/vladimir-drinkman-pleads-not-g
uilty-in-160-million-credit-card-hacking-case/
-http://www.computerworld.com/article/2885453/russian-extradited-to-us-for-hacks-
that-stole-160m-credit-card-numbers.html
-http://www.darkreading.com/russian-hacker-who-hit-heartland-nasdaq-extradited-to
-us/d/d-id/1319140?
-http://www.justice.gov/opa/pr/russian-national-charged-largest-known-data-breach
-prosecution-extradited-united-states
-http://www.justice.gov/sites/default/files/opa/press-releases/attachments/2015/0
2/18/drinkman_vladimir_et_al_indictment_comp.pdf

---

STORM CENTER TECH CORNER

More VBA Macros and Tax Scams
-https://isc.sans.edu/forums/diary/Fast+analysis+of+a+Tax+Scam/19355/

SIM Cards Compromised by Intelligence Agencies
-https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

Mobile Malware Disabled Off Button
-http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

Analyzing Office Macros
-https://isc.sans.edu/forums/diary/Macros+Really/19349/

Rate limiting to mitigate DNS DDoS attacks
-https://isc.sans.edu/forums/diary/DNSbased+DDoS/19351/

NetGear "Genie" SOAP Interface Vulnerability
-https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR

Kippo Improvements
-http://www.micheloosterhof.com/kippo-modifications/

Bitcoin Exchanges Breached
-https://www.cavirtex.com/news

oclHashcat Update and Building a Brute Forcing Rig
-https://isc.sans.edu/forums/diary/oclHashcat+133+Released/19339/

Windows 10 To Include FIDO Support
-http://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-co
ming-to-windows-10/

Shodan Duplicate SSH Key Study
-https://blog.shodan.io/duplicate-ssh-keys-everywhere/

FreeBSD Weak Random Numbers
-https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html

Samsung Smart TV Traffic Analyzed
-http://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/