
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #16

February 27, 2015


The third SANS CyberTalent Fair will be held May 14-15, 2015. It enables companies to market themselves as leaders in cybersecurity, engage qualified candidates in a unique virtual setting, and more. The first two career fairs connected 6,700 total candidates with 27 impressive employers (e.g. JP Morgan Chase, Palantir, Solutionary, CBS, NBC, Juniper, PwC, Accenture, NSA, Mayo Clinic and more). The May 2015 CyberTalent Fair is open to any employer who has cyber vacancies and all interested jobseekers. Contact mshuftan@sans.org or visit https://app.brazenconnect.com/events/SANS-cybertalent-fair to sign up.

TOP OF THE NEWS

FCC Passes Net Neutrality Rules
Anthem Says Database Breach Affected 78.8 Million Records
FBI is Close to Identifying Anthem Attack Culprit
China Removes Tech Companies from Approved for Government Use List

THE REST OF THE WEEK'S NEWS

Firefox 36 Addresses Critical Flaws, Adds Support for HTTP/2
WordPress Slimstat Plug-in Vulnerability
Gemalto Admits Breach, Says SIM-card Encryption Keys Not Stolen
RAMNIT Botnet Taken Down
UK's Information Commissioner's Office Fines Travel Insurance Company Over Breach
Senator Questions Stingray Use
Feds Offer US $3 Million Reward for Gameover ZeuS Botnet Admin
Breach Detection Time is Decreasing

STORM CENTER TECH CORNER


************************** Sponsored By SANS *****************************
Join SANS on March 4th at a Free Critical Security Controls briefing in the DC area. This half-day event provides an update on the Controls effort, will highlight new mappings to other security frameworks, and will provide a unique opportunity to engage in dialog around the Controls. Learn about key solution capabilities/customer success stories.
https://www.sans.org/vendor/event/critical-controls-security-briefing-washington-dc-mar2015.
This event will also be simulcast live and archived for later viewing. Register at http://www.sans.org/info/174742
***************************************************************************

TRAINING UPDATE


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


- -SANS Northern Virginia 2015 | Reston, VA | March 23-March 7, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

FCC Passes Net Neutrality Rules (February 26, 2015)

The US Federal Communications Commission (FCC) has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals. The US Telecommunications Industry Association said to expect legal action from broadband providers.
-http://www.csmonitor.com/Innovation/2015/0226/Net-neutrality-is-finally-real.-Will-you-notice

-http://www.scmagazine.com/in-historic-vote-fcc-approves-strong-net-neutrality-rules/article/400486/

-http://www.bbc.com/news/technology-31638528
[Editor's Note (Murray): I wish that I could join the celebration. This is a great victory for the slogan at the expense of good public policy and innovation. "If you like the Internet you have, you can keep it." You better like it because you will keep it. ]

Anthem Says Database Breach Affected 78.8 Million Records (February 24, 2015)

Anthem now says that the breach of its database affected 78.8 million records. Of those, 14 million are incomplete, meaning they lack sufficient information to link them to members.
-http://www.computerworld.com/article/2888267/anthems-now-says-788m-were-affected-by-breach.html

Numbers broken down by state based on information available:
-http://www.scmagazine.com/victims-of-the-anthem-breach-stretch-across-multiple-states/article/400489/

[Editor's Note (Murray): The Anthem Breach is now the record breach, eclipsing even eBay. Both of these breaches are far more damaging than credit card breaches because they expose the victims to both application fraud and identity theft. Anthem has been marginally more generous in the remedy that they offer to their victims, offering to pay for services to help victims repair their credit after damage. Neither offered to pay for monitoring of credit bureau activity, the early warning system. Anthem suggested that victims might wish to pay ($15/month) for such services themselves. While one understands why Anthem might not want to pay for such services, one wonders why the credit bureaus should be allowed to charge us so much to tell us when they sell data about us. One cannot opt out of the credit bureau databases and changing health insurance carriers is not as simple as not doing business with eBay. ]

FBI is Close to Identifying Anthem Attack Culprit (February 24, 2015)

The FBI says that it is "close" to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is "absolutely sure."
-http://www.zdnet.com/article/fbi-offers-3m-for-cybercriminal-amid-hunt-for-goverment-backed-hackers/

-http://www.bloomberg.com/news/articles/2015-02-24/fbi-is-close-to-finding-hackers-in-anthem-health-care-data-theft

-http://thehill.com/policy/cybersecurity/233675-fbi-close-to-knowing-who-hit-anthem

China Removes Tech Companies from Approved for Government Use List (February 26, 2015)

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies. The recently removed companies include Cisco, Apple, McAfee, and Citrix. The policy is seen as an attempt to boost government use of domestic Chinese technology, such as products from Huawei and ZTE.
-http://www.bbc.com/news/technology-31640539
[Editor's Note (Northcutt): This decision from China could have a significant impact on our industry. Of course China may find out that making some of these devices and software is harder than it looks. People that have been in the industry a while may remember the ill-fated GOSIP effort (FIPS PUB 146) or the directive requiring all DoD weapon systems software to be written in the Ada programming language.
(Honan): One of the demands from the Chinese government was for tech companies to surrender their encryption keys and subject their source code to inspection.
-https://uk.finance.yahoo.com/news/china-draft-counterterror-law-strikes-120538085.html

Hopefully those calling for similar powers for Western governments will take heed of the impact these requirements will have for competitiveness and how it actually undermines security. ]


**************************** SPONSORED LINKS ******************************
1) Leverage Threat Intelligence for Incident Response - Download the free Securosis Report Now. http://www.sans.org/info/175082

2) Free Financial Services Cybersecurity Trends And Challenges Briefing. Friday, March 6 in NYC. A unique opportunity to engage in dialogue around cybersecurity issues specific to the Finance Industry. http://www.sans.org/info/174832

3) Securing the Mobile Workforce -- Take Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/175087
***************************************************************************

THE REST OF THE WEEK'S NEWS

Firefox 36 Addresses Critical Flaws, Adds Support for HTTP/2 (February 24, 25, & 26, 2015)

Mozilla has released Firefox 36, which includes fixes for 17 security issues. Three of the flaws are considered critical. The newest version of the browser also supports the HTTP/2 protocol.
-http://www.theregister.co.uk/2015/02/26/mozilla_swats_17_bugs_in_firefox_36/
-http://www.scmagazine.com/several-vulnerabilities-some-critical-addressed-in-firefox-36/article/400182/

-http://www.eweek.com/enterprise-apps/firefox-36-gains-http2-support-fixes-critical-vulnerabilities.html

WordPress Slimstat Plug-in Vulnerability (February 25 & 26, 2015)

A vulnerability affecting the WordPress WP-Slimstat plugin could be exploited through SQL injection attacks to steal data from vulnerable sites. The flaw affects Slimstat versions 3.9.5 and earlier. Users are urged to upgrade to version 3.9.6.
-http://www.theregister.co.uk/2015/02/26/plugin_puts_a_million_word_press_sites_at_risk_of_compromise/

-http://www.zdnet.com/article/over-1-million-wordpress-websites-at-risk-from-sql-injection/

Gemalto Admits Breach, Says SIM-card Encryption Keys Not Stolen (February 25, 2015)

SIM-card maker Gemalto says that it appears that US and UK intelligence agencies did breach its systems, but denies that the cards' encryption keys were stolen. Gemalto says that after reviewing the information released in the leaked document, it is likely that two attacks that occurred in 2010 and 2011 were the work of the intelligence agencies. Gemalto says those attacks penetrated only portions of its networks that do not hold cryptographic key material.
-http://www.wired.com/2015/02/gemalto-confirms-hacked-insists-nsa-didnt-get-crypto-keys/

-http://www.bbc.com/news/technology-31619907
[Editor's Note (Honan): Given that many other breaches have taken months to analyse I find it interesting that Gemalto have been able to state with confidence that they are sure their data has not been compromised, particularly given the alleged attackers. If true I certainly hope Gemalto will share their process with the community so we can all improve our incident response processes. ]

RAMNIT Botnet Taken Down (February 25, 2015)

Law enforcement agents across Europe have worked together to take down the RAMNIT botnet, which is believed to have infected 3.2 million computers around the world. The botnet's malware spreads through links in email; the botnet was used to steal money from bank accounts.
-http://www.theregister.co.uk/2015/02/25/europol_shuts_down_ramnit_botnet_hampshire/

-http://arstechnica.com/tech-policy/2015/02/europol-cracks-down-on-botnet-infecting-3-2-million-computers/

-http://www.nbcnews.com/tech/security/europol-dismantles-ramnit-botnet-infected-millions-computers-n312966

[Editor's Note (Honan): Kudos to Europol's Cybercrime Centre and others involved in this takedown. As many have pointed out, taking down a botnet merely disrupts the operations of the criminals behind it, and without arresting the criminals operating the botnet it may resurface again in the near future. However, actions like these can gather lots of solid intelligence leading to arrests and send a clear message to criminals that law enforcement will continue to focus on detecting, disrupting, and hopefully detaining those behind such actions. ]

UK's Information Commissioner's Office Fines Travel Insurance Company Over Breach (February 25, 2015)

The UK Information Commissioner's Office (ICO) has fined travel insurance company Staysure GBP 175,000 (US $270,000) for lax website security that resulted in 100,000 payment cards being compromised. Of those, about 5,000 were used fraudulently. The breach occurred in October 2013. The ICO's ensuing investigation focused on Staysure's lack of effective IT update policies in place at the time. Staysure says it has improved its security posture.
-http://www.v3.co.uk/v3-uk/news/2396987/ico-fines-travel-insurance-firm-gbp175-000-for-website-hack

[Editor's Note (Murray): "GBP 175,000?" Really? They paid their lawyers more than that. ]

Senator Questions Stingray Use (February 25, 2015)

US Senator Bill Nelson (D-Florida) is asking why the Federal Communications Commission (FCC) approved the use of cell phone surveillance technology commonly referred to as StingRay. The technology is used to track people's activity, often without obtaining a court order. StingRay is used by a dozen US government agencies, the military, and by state agencies in 20 states and the District of Columbia. The number is likely higher, because the technology's use is often kept hidden.
-http://www.computerworld.com/article/2889315/sen-nelson-questions-use-of-stingrays-for-phone-surveillance.html

Feds Offer US $3 Million Reward for Gameover ZeuS Botnet Admin (February 24 & 25, 2015)

The FBI and the US State Department are offering a US $3 million reward for information leading to the arrest and/or conviction of Evgeniy Mikhailovich Bogachev, who allegedly stole more than US $100 million through the Gameover ZeuS botnet. Bogachev was also allegedly involved in distributing Cryptolocker ransomware. Bogachev remains at large and is believed to be in Russia.
-http://www.theregister.co.uk/2015/02/25/us_offers_3_meeelion_reward_for_gameover_zeus_botnet_admin/

-http://arstechnica.com/tech-policy/2015/02/us-offers-3-million-reward-for-capture-of-gameover-zeus-botnet-admin/

-http://www.darkreading.com/vulnerabilities---threats/fbi-offers-$3-million-reward-for-info-on-whereabouts-of-gameoverzeus-botnet-operator/d/d-id/1319212?

-http://www.computerworld.com/article/2888437/feds-offer-3m-reward-for-gameover-zeus-botnet-suspect.html

Breach Detection Time is Decreasing (February 24, 2015)

According to FireEye, the time it takes for breaches to be detected is dropping. The median time for breach detection was 205 days in 2014, down from 229 days in 2013 and 243 days in 2012. Less than one-third of breaches were detected by the organizations themselves. The FBI has been notifying companies of activity suggesting that their systems have been compromised.
-http://www.eweek.com/security/breach-detection-time-is-dropping-fireeye-finds.html


STORM CENTER TECH CORNER

HTTP/2 and Firefox 36
-https://www.mozilla.org/en-US/firefox/36.0/releasenotes/
-https://tools.ietf.org/html/draft-ietf-httpbis-http2-17

Comparing 2014 Vulnerability Statistics Between Operating Systems
-http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Jetty Web Server Request Leak
-http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

Gemalto Claims SIM Keys Not Leaked
-http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

Lizard Squad Redirects Lenovo.com Domain
-http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/

Slimstat WordPress Plugin SQL Injection Vulnerability
-http://blog.sucuri.net/2015/02/security-advisory-wp-slimstat-3-9-5-and-lower.html

Tracking Hacked Websites Using ShodanHQ
-https://blog.shodan.io/tracking-hacked-websites/

PrivDog bites SSL Security
-http://www.kb.cert.org/vuls/id/366544

Samba Vulnerability
-https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

Visa to Use Tokenization in Australia
-http://visa.com.au/aboutvisa/research/include/Tokenisation_Why_Australia_Why_Now_FINAL.pdf

Copy.com Used to Distribute Cryptolocker
-https://isc.sans.edu/forums/diary/Copycom+Used+to+Distribute+Crypto+Ransomware/19371/

11 ways to track your moves
-https://isc.sans.edu/forums/diary/11+Ways+To+Track+Your+Moves+When+Using+a+Web+Browser/19369/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/