
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #15

February 24, 2015

TOP OF THE NEWS

Gemalto Investigating Reports of SIM Card Encryption Key Thefts
State Department Replaced 30,000 Login Fobs After Network Intrusion
Alleged Cyber Criminal Will Not Give Up Encryption Keys

THE REST OF THE WEEK'S NEWS

Hewlett-Packard's 2015 Cyber Risk Report Says Companies Not Patching Properly
Samba Vulnerability Could Allow Remote Code Execution with Root Privileges
Chrome Will Warn Users When They Try to Visit Sketchy Sites
Norton and Symantec Updates Crash Internet Explorer
Medical Identity Theft on the Rise
Fishy Code Bundled on Lenovo Laptops Found in Other Programs
Lenovo Releases Superfish Removal Tool
Police Pay Ransomware Demand in Bitcoins

STORM CENTER TECH CORNER


************************ Sponsored By Symantec ****************************
Symantec Webcast: Combat Advanced Cyber Attacks with Adversary and Threat Intelligence, Feb 26, 10am PT - The threat environment has become increasingly hostile. The volume of attacks has grown dramatically, along with the sophistication of attackers. Join Symantec to understand the role intelligence should play to more effectively identify, prioritize and protect against key threats to your environment.
http://www.sans.org/info/175002
***************************************************************************

TRAINING UPDATE


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 | 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It; plus a major Expo.
http://www.sans.org/u/Wq


-DFIR Monterey 2015 | Monterey, CA | February 23-February 28, 2015 | 7 courses. Bonus evening presentations: Network Forensics: The Final Frontier (Until the Next One) and Power-up Your Malware Analysis with Forensics.
http://www.sans.org/u/VH


-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 | 6 courses.
http://www.sans.org/u/VR


-SANS Secure Canberra 2015 | Canberra, Australia | March 16-March 28, 2015 | 5 courses.
http://www.sans.org/u/W1


-SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 | 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex Password Myth.
http://www.sans.org/u/Wg


-Security Operations Center (SOC) Summit | Washington, DC | April 24-May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses, including the NEW SEC511 Continuous Monitoring and Security Operations course.
http://www.sans.org/u/1ro


-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 | 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


-Looking for training in your own community?
Community - http://www.sans.org/u/Xj


-Save on OnDemand training (30 full courses). See samples at OnDemand Specials - http://www.sans.org/u/Xy. Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Gemalto Investigating Reports of SIM Card Encryption Key Thefts (February 20, 2015)

SIM card maker Gemalto is looking into reports that government intelligence agents stole SIM card encryption keys. According to documents released by Edward Snowden, the company's systems were infiltrated by US and UK intelligence agents in 2010 and 2011. The keys at issue are the per-card secrets from which the encryption of mobile voice and data traffic is derived; whoever holds them can decrypt that traffic without the carrier's knowledge or cooperation. Gemalto is headquartered in Amsterdam.
-http://www.scmagazine.com/gemalto-has-responded-to-claims-made-in-recent-snowden-leaks/article/399439/

-http://www.cnet.com/news/sim-card-maker-gemalto-says-its-cards-are-secure-despite-hack/

[Editor's Note (Honan): This could raise major issues with all the phone carriers within the European Union. Under Article 4.2 of the EU ePrivacy Directive 2002 all telecoms providers operating within the European Union must "In case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved." ]

State Department Replaced 30,000 Login Fobs After Network Intrusion (February 20 & 23, 2015)

The US State Department revoked and replaced 30,000 network login fobs after an unclassified network at the agency was infiltrated. The fobs were replaced after attackers accessed an unclassified email network three months ago. There are still signs of unauthorized activity on that network.
-http://www.nextgov.com/cybersecurity/2015/02/state-trashed-30000-login-key-fobs-after-hack/105762/?oref=ng-HPtopstory

-http://gcn.com/articles/2015/02/23/state-dept-hack.aspx

Alleged Cyber Criminal Will Not Give Up Encryption Keys (February 20, 2015)

A British man accused of breaching systems at NASA, the FBI, and the US Federal Reserve is refusing to surrender cryptographic keys that would allow authorities in the UK to access devices seized after his October 2013 arrest. Lauri Love is facing charges in three federal districts in the US. He is planning to petition a UK court to compel the National Crime Agency (NCA) to return the computers and data storage devices.
-http://arstechnica.com/tech-policy/2015/02/accused-british-hacker-wanted-for-crimes-in-us-wont-give-up-crypto-keys/

-http://www.bbc.com/news/uk-england-suffolk-31544346

[Editor's Note (Murray): Lots of luck. One cannot be compelled to make self-incriminating records; having made them, one may not legitimately hide them from lawful inquiry. This is only one of the limits to the effectiveness of encryption. ]


**************************** SPONSORED LINKS ******************************
1) Palo Alto Networks Ignite Conference brings security professionals together to get their toughest security challenges solved through hands-on and interactive sessions. http://www.sans.org/info/174987

2) Critical Controls Security Briefing Wednesday, March 04 at 8:30 AM EDT in the DC Area, with John Pescatore and Tony Sager. http://www.sans.org/info/174977

3) Free Financial Services Cybersecurity Trends And Challenges Briefing. Friday, March 6 in NYC. A unique opportunity to engage in dialogue around cybersecurity issues specific to the Finance Industry. http://www.sans.org/info/174982
***************************************************************************

THE REST OF THE WEEK'S NEWS

Hewlett-Packard's 2015 Cyber Risk Report Says Companies Not Patching Properly (February 23, 2015)

Hewlett-Packard's 2015 Cyber Risk Report, released on February 23, found that nearly 45 percent of breaches could be attributed to vulnerabilities for which patches had been available for two or more years. The report also identified server misconfiguration as the most common class of vulnerability found, ahead of any newly discovered flaw.
-http://www.eweek.com/security/lack-of-patching-remains-a-top-security-risk-hp-report-finds.html

-http://www.scmagazine.com/report-shows-organizations-dont-properly-patch-systems-networks/article/399708/

[Editor's Note (Pescatore): Every threat/incident survey shows year after year that the majority of breaches (including most of the headline grabbers) were enabled by misconfigured servers and PCs - lack of execution on Critical Security Controls 1-4. Spending more on faster incident detection and response only makes sense *after* you've addressed the root cause security hygiene problems. If you live in a balsa wood house, more smoke detectors isn't the starting point...
(Honan): Time and time again we see reports from vendors like HP citing basic security principles as being the root cause for many breaches. It is not the zero day vulnerabilities or nation state levels of attacks we need to focus on but the basic infosec hygiene. The SANS Critical Controls are an excellent start:
-https://www.sans.org/critical-security-controls/ ]

Samba Vulnerability Could Allow Remote Code Execution with Root Privileges (February 24, 2015)

A critical flaw in Samba could be exploited to allow remote code execution with root privileges. Samba is the open source implementation of the SMB/CIFS file and print sharing protocols that lets Linux and Unix systems interoperate with Windows. The vulnerability lies in the smbd file server daemon, which runs as root to service client connections, so a successful exploit yields full control of the host. Patches for the issue are available from the Samba Project.
-http://www.theregister.co.uk/2015/02/24/samba_remote_execution_vuln/
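As an added example (not code from the newsletter or the Samba Project), the Python below reports whether a locally installed smbd is at or above the fixed release for its branch. It parses the output of `smbd --version`, which distro builds suffix (for example "4.1.16-Debian"), and compares only the numeric triple. The FIXED_VERSIONS table is an assumption supplied for illustration; replace it with the versions published in the Samba Project's advisory before relying on the result.

```python
"""Added example: classify an installed smbd against per-branch fixed releases.

Not code from the newsletter or the Samba Project. The fixed-version table is an
assumption for illustration; take authoritative values from the Samba advisory.
"""
import re
import shutil
import subprocess

# ASSUMPTION: minimum fixed release per (major, minor) branch. Replace with the
# versions listed in the Samba Project's advisory for this issue.
FIXED_VERSIONS = {
    (4, 1): (4, 1, 17),
    (4, 0): (4, 0, 25),
    (3, 6): (3, 6, 25),
}

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_smbd_version(output):
    """Extract (major, minor, patch) from `smbd --version` output.

    Distro suffixes such as "-Debian" or "-Ubuntu" are ignored; only the numeric
    triple matters for the comparison. Returns None if no version is present.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def patch_status(version, fixed=FIXED_VERSIONS):
    """Return 'patched', 'vulnerable', or 'branch-not-in-table'.

    A branch absent from the table (an end-of-life line, or one newer than the
    table knows about) is reported separately rather than assumed safe.
    """
    branch = version[:2]
    if branch not in fixed:
        return "branch-not-in-table"
    return "patched" if version >= fixed[branch] else "vulnerable"


def installed_smbd_status():
    """Run the local smbd and classify it; None if smbd is absent or unparsable."""
    if shutil.which("smbd") is None:
        return None
    out = subprocess.run(["smbd", "--version"], capture_output=True, text=True).stdout
    version = parse_smbd_version(out)
    return None if version is None else (version, patch_status(version))


if __name__ == "__main__":
    # Constructed sample strings in the shape `smbd --version` prints.
    for sample in ("Version 4.1.16-Debian", "Version 4.1.17", "Version 3.5.22"):
        v = parse_smbd_version(sample)
        print(f"{sample!r:28} -> {v} {patch_status(v)}")
    print("local smbd:", installed_smbd_status())
```

Run it on every host that exposes smbd, and treat "branch-not-in-table" as a finding in its own right: an end-of-life branch receives no fix, so the only remediation there is an upgrade.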

Chrome Will Warn Users When They Try to Visit Sketchy Sites (February 23 & 24, 2015)

Google's Chrome browser will warn users when they try to visit sites that may harm their computers through surreptitiously changing the browser's home page or placing certain ads on pages. The warning will appear before the domain is displayed. Google is also taking steps to minimize the presence of deceptive sites in search results.
-http://www.theregister.co.uk/2015/02/24/google_looks_to_scrape_away_scumwear/

-http://www.computerworld.com/article/2887972/chrome-warns-users-of-devious-software-that-could-impact-googles-business.html

[Editor's Note (Pescatore): In general, it is a good thing to see Google continue to raise the bar in making browsing safer, especially anything to do with changing browser settings or installing plug-ins. However, imagine if your Samsung TV was making decisions about what commercials it should show you because Samsung was really in the advertising business. There is a "Net Neutrality" kind of slippery slope here when the largest advertising seller (Google) makes decisions about advertising. We need some industry agreed upon business practices here.
(Murray): The browser continues to be the second biggest vulnerability on the desktop, second only to the user. The desktop is the biggest vulnerability on both enterprise and public networks. ]

Norton and Symantec Updates Crash Internet Explorer (February 21 & 23, 2015)

Several Norton and Symantec security products have been found to crash 32-bit versions of Internet Explorer (IE). The issue arose after updates to the security programs. Users have been advised to run Norton LiveUpdate again to pick up the corrected definitions and address the issue.
-http://www.scmagazine.com/faulty-norton-security-update-leads-to-internet-explorer-crash/article/399692/

-http://www.theregister.co.uk/2015/02/21/norton_antivirus_update_kills_internet_explorer/

-https://support.norton.com/sp/en/us/home/current/solutions/v108623038_EndUserProfile_en_us?inid=hho_supp_supp_iecrashes

Medical Identity Theft on the Rise (February 23, 2015)

According to a study from the Ponemon Institute, medical identity theft increased by 22 percent in 2014. An estimated 2.3 million adults in the US and their close family members have had their medical information stolen. The study does not include data from the Anthem breach, which was only recently disclosed.
-http://www.nbcnews.com/tech/security/stolen-identity-2-3-million-americans-suffer-medical-id-theft-n311006

[Editor's Note (Murray): I find Ponemon reports very useful and I try to ignore media coverage of them. I am counting on Krebs to tell us about the exploitation of the Anthem data. That said, application and identity fraud are more difficult to associate with specific breaches than credit card fraud. ]

Fishy Code Bundled on Lenovo Laptops Found in Other Programs (February 20 & 22, 2015)

The HTTPS-interception code in the Superfish adware that came bundled on certain Lenovo laptops has been found in at least a dozen other applications. Superfish uses a third-party software development kit (SDK) that installs its own root certificate on the machine and proxies HTTPS connections locally, so it can read and alter traffic the browser shows as encrypted. That same SDK has been detected in other programs, including several parental control products, which means systems that never shipped with Superfish may carry the same interception capability and the same trusted root.
-http://arstechnica.com/security/2015/02/ssl-busting-code-that-threatened-lenovo-users-found-in-a-dozen-more-apps/

-http://www.cio.com/article/2887294/superfish-security-flaw-also-exists-in-other-apps-nonlenovo-systems.html

[Editor's Note (Murray): This probably does not represent a risk to enterprises: few deploy new systems with the code that goes on systems sold to consumers. Needless to say this practice died in the sunlight. Lenovo has published code for repairing their systems and promised not to do it anymore. It seems highly unlikely that consumers who bought these rogue systems will ever know or fix them. ]

Lenovo Releases Superfish Removal Tool (February 21, 2015)

Lenovo has released a tool that removes the malicious adware known as Superfish that came pre-installed on some of its laptops. Lenovo also says it is working with McAfee and Microsoft to automatically quarantine or remove Superfish and its root certificate from the computers of users who do not know about the issue. McAfee and Microsoft products come factory installed on Lenovo devices; the security community has been calling on Lenovo and others to stop the practice of adding "bloatware."
-http://www.computerworld.com/article/2887136/lenovo-releases-tool-to-purge-superfish-crapware.html

-http://www.v3.co.uk/v3-uk/news/2396432/microsoft-and-mcafee-move-to-gut-superfish-from-lenovo-laptops

Police Pay Ransomware Demand in Bitcoins (February 21, 2015)

A suburban Chicago police department paid US $500 in bitcoins to cyber criminals who locked up the department's computer system with ransomware. Last month, someone in the department opened an email containing Cryptoware malware.
-http://arstechnica.com/tech-policy/2015/02/suburban-chicago-cops-pay-up-500-in-bitcoins-after-latest-ransomware-scheme/

[Editor's Note (Murray): In a world of cheap hardware, we must isolate high risk applications like e-mail and browsing from mission critical applications. ]

STORM CENTER TECH CORNER

Battery usage to trace phones
-http://arxiv.org/pdf/1502.03182v1.pdf

Fonts to trace users
-http://fontfeed.com/archives/google-webfonts-the-spy-inside/
older article:
-http://www.itbusiness.ca/news/44120/44120

Debian Tracking Binaries Back to Source
-https://twitter.com/micahflee/status/569606357239750656/photo/1

Cisco IPv6 DoS Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150220-ipv6

Applying DShield Top 20 Using Palo Alto Network Firewall
-https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/

Symantec AV + TrueCrypt = BSOD
-http://community.norton.com/en/forums/long-story-norton-bsod-me-when-i-use-truecrypt

Typo3 Vulnerability
-https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/

RC4 Removed from TLS
-https://tools.ietf.org/html/rfc7465
-http://threatpost.com/yes-your-car-wash-is-on-facebook/111148
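RFC 7465 forbids TLS clients and servers from negotiating any RC4 cipher suite. As an added example, not code from the newsletter or the RFC, the Python below (standard library only) builds a context that excludes RC4 explicitly, attempts the legacy configuration that still prefers it, and reports which RC4 suites a context would still offer. Whether the legacy configuration can even be constructed depends on the local OpenSSL build; the code handles both outcomes.

```python
"""Added example: confirm a TLS configuration excludes RC4 as RFC 7465 requires.

Not code from the newsletter or the RFC. Standard library only.
"""
import ssl


def rc4_suites(ctx):
    """Names of the RC4 cipher suites a context would still offer or accept."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


def allows_rc4(ctx):
    """True if the context could negotiate RC4 with a willing peer."""
    return bool(rc4_suites(ctx))


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """A context whose cipher string removes RC4 (and other weak options) by name.

    The '!RC4' token guarantees exclusion on an OpenSSL build that still ships RC4
    suites; on builds that dropped RC4 it is harmless. TLS 1.2 is the floor so
    that no RC4-only legacy protocol version remains reachable either.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def legacy_rc4_context():
    """The weak configuration: a cipher list that prefers RC4.

    Returns the context if the local OpenSSL still accepts RC4 suites, or None if
    the library refuses the list (modern builds compile RC4 out, so set_ciphers
    raises SSLError with no TLS 1.2 cipher selected).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("RC4-SHA:RC4-MD5")
    except ssl.SSLError:
        return None
    return ctx


if __name__ == "__main__":
    print("hardened context offers RC4:", allows_rc4(hardened_context()))
    legacy = legacy_rc4_context()
    if legacy is None:
        print("local OpenSSL rejects an RC4-only cipher list outright")
    else:
        print("legacy context still offers:", rc4_suites(legacy))
```

The useful habit is the negative check: run rc4_suites() against the context your application actually uses, not the one you believe it uses, since a cipher string inherited from a library default or an older config file is where RC4 survives.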


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/