SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #17
March 03, 2015
TOP OF THE NEWS
Pharming Attack Targeting Brazilian Home Router Users
Payment Cards for Sale on Underground Sites Suggests Natural Grocers' Breach
ACLU Obtains Warrant Revealing FBI Knew Stingray Disrupted Devices Near Target
THE REST OF THE WEEK'S NEWS
Dutch Semi-Conductor Company Admits Breach
Mozilla Updates Firefox to Remove Superfish Certificate
Bitdefender to Patch Certificate Flaw
Fix for Xen Flaws May Require Reboot
Uber Data Breach Affects 50,000 Drivers
Anthem Breach Affected Some Non-Anthem Customers
Experts Skeptical that President's Information Sharing Plan Will Reduce Breaches
NIST's Risk Management for Replication Devices
STORM CENTER TECH CORNER
************************** Sponsored By SANS *****************************
Join SANS on March 4th at a FREE Critical Security Controls briefing in the DC area. This half-day event provides an update on the Controls effort, will highlight new mappings to other security frameworks, and will provide a unique opportunity to engage in dialog around the Controls. Learn about key solution capabilities/customer success stories. This event will also be simulcast live and archived for later viewing. Register for the LIVE event at: http://www.sans.org/info/175257
***************************************************************************
TRAINING UPDATE
-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq
-SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR
-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1
-SANS Northern Virginia 2015 | Reston, VA | March 9-March 14, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg
-Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro
-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8
-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
-Looking for training in your own community?
Community - http://www.sans.org/u/Xj
-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Pharming Attack Targeting Brazilian Home Router Users (February 26, 2015)
Attackers are targeting Brazilian Internet users, spying on web traffic by exploiting vulnerabilities in home routers. The attackers use the flaws to gain access to the administrator console, where they can change the routers' DNS settings. The attack can be used to force users to visit sites they do not intend to visit and to conduct man-in-the-middle attacks. In this case, the attackers sent targets malicious links that, when clicked, take users to a server that launches cross-site request forgery attacks against the router's administrator console. This sort of attack is usually conducted directly over the network, which makes the email vector unusual.
-http://www.computerworld.com/article/2889841/hackers-exploit-router-flaws-in-unusual-pharming-attack.html
Payment Cards for Sale on Underground Sites Suggests Natural Grocers' Breach (March 2, 2015)
Payment cards used at Natural Grocers' stores across the country have been found for sale on underground sites, suggesting that the company's system suffered a security breach. Natural Grocers is investigating and has hired an outside forensics company.
-http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-breach/
ACLU Obtains Warrant Revealing FBI Knew Stingray Disrupted Devices Near Target (March 1, 2015)
The US Justice Department has maintained that the secrecy surrounding stingray cell phone surveillance technology was necessary to prevent criminals from figuring out how to elude its reach. However, the American Civil Liberties Union (ACLU) recently obtained a warrant application for stingray use and found that the FBI knows that stingrays can disrupt cellular service for all phones and mobile devices in the vicinity of the targeted device that use the same network.
-http://www.wired.com/2015/03/feds-admit-stingrays-can-disrupt-cell-service-bystanders/
-http://www.wired.com/wp-content/uploads/2015/02/Stingray-pen-register-order-and-application.pdf
**************************** SPONSORED LINKS ******************************
1) FREE Financial Services Cybersecurity Trends And Challenges Briefing. Friday, March 6 in NYC. A unique opportunity to engage in dialogue around cybersecurity issues specific to the Finance Industry. http://www.sans.org/info/174832
2) Level Up Your Security Strategy with Cyber Threat Intelligence Wednesday, March 11 at 1:00 PM EDT (17:00:00 UTC) with Joe Schreiber and Dave Shackleford. http://www.sans.org/info/175267
3) Webcast: Wednesday, March 4th at 1:00 PM EST with Alissa Torres: Increase IR Response & Detect Attackers More Accurately and Efficiently http://www.sans.org/info/175272
***************************************************************************
THE REST OF THE WEEK'S NEWS
Dutch Semi-Conductor Company Admits Breach (March 1 & 2, 2015)
Dutch computer chip company ASML has acknowledged that its systems were breached. According to a statement, ASML detected the breach shortly after it occurred.
-http://www.theregister.co.uk/2015/03/02/asml_hack_china_semiconductor/
-http://www.dutchnews.nl/news/archives/2015/03/chip-machinery-maker-asml-confirms-hack-nothing-of-value-compromised/
[Editor's Note (Honan): Given the news of this breach and last week's news about the alleged hack by NSA/GCHQ against SIM manufacturer Gemalto, I would hope that all chip manufacturers are taking salutary lessons and reviewing their own security to ensure their systems are secure. We should use every security breach as a lesson on how to improve our security, even if the breach did not occur in our own organisations. ]
Mozilla Updates Firefox to Remove Superfish Certificate (March 2, 2015)
A Firefox update released on Friday, February 27, scrubs the Superfish self-signed root certificate from the browser. The hotfix first detects whether the Superfish software has been removed from the machine; if it has, the certificate is removed as well. If Superfish is still installed, the certificate is left in place, because removing it while the interception software is still active would prevent users from accessing HTTPS websites.
-http://www.computerworld.com/article/2890404/mozilla-scrubs-superfish-certificate-from-firefox.html
[Editor's Note (Pescatore): Just like unleaded gas costs more than "leaded" gas when we learned lead was bad for us, we need an option to pay a bit more for "un-bloated" PCs, if that will be the only way for the PC industry to stop installing this stuff. Reports say Lenovo made $250K by installing Superfish - heck, if someone can raise $55,000 on Kickstarter for potato salad, maybe a crowdfunding campaign to incent PC-makers to stop? Of course, the growth of iOS and Android tablets market share should be incentive enough...
(Northcutt): This has to be one of the hardest cyber-security decisions anyone could make. I am sure someone will criticize the Mozilla team for their choice. I simply stand in the background: clap, clap, clap, bully on you for making the call. Every month that goes by I see the similarity of cyber-security and the medical field. Primum non nocere.
(Honan): It is worth noting that Lenovo, who were at the centre of the Superfish debacle last week, have issued a statement saying they will no longer include any adware or bloatware with new PCs (http://news.lenovo.com/article_display.cfm?article_id=1934). Hopefully, many other manufacturers will follow their example. ]
Bitdefender to Patch Certificate Flaw (March 1, 2015)
Bitdefender says it will release fixes for several of its products to address a flaw that allows revoked certificates to be replaced with legitimate certificates. The affected Bitdefender products intercept HTTPS connections and replace the site's certificate with their own; before doing so they check that the certificate is for the appropriate site and that it has not expired, but they do not check the certificate's revocation status.
-http://www.theregister.co.uk/2015/03/01/bitdefender_bit_trip_slaps_valid_on_revoked_certs/
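To show concretely what the gap in that item means, the Go program below is an added example (not code from the article or from Bitdefender): it builds a constructed throwaway PKI whose CA has revoked its only leaf certificate, then runs chainAndHostOK, which does exactly what the item describes (trusted chain, name matches, not expired) and accepts the revoked certificate, and notRevoked, the missing step, which verifies an issuer-signed CRL and rejects it. The CA name, the hostname "example.test", the serial numbers and the function names are assumptions; it uses only the standard library and needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// buildPKI makes a constructed, throwaway PKI: a CA, a leaf for "example.test" and
// a CA-signed CRL revoking that leaf. Generator errors are ignored: inputs are fixed.
func buildPKI() (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	// The CA later revokes the leaf (say, after a key compromise) and publishes a CRL.
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	return ca, leaf, crlDER
}

// chainAndHostOK is the check the item describes: trusted chain, name matches, not
// expired. It never consults revocation data, so the revoked leaf passes.
func chainAndHostOK(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// notRevoked is the missing step: the CRL must parse, carry the issuer's signature
// and not list the leaf's serial; any failure fails closed (a production check
// would also refuse a CRL whose NextUpdate has passed).
func notRevoked(leaf, ca *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

A TLS-intercepting product that calls only chainAndHostOK will happily re-sign a revoked site certificate with its own trusted one, which is the behaviour the item describes; chaining notRevoked after it closes the gap.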
Fix for Xen Flaws May Require Reboot (February 28, 2015)
Flaws in the open source Xen virtualization hypervisor could be exploited, and cloud companies need to act quickly to apply patches and reboot systems before the Xen Project publishes details of the vulnerabilities on March 10. Amazon and Rackspace say they will have to reboot some servers. Amazon says that while its newer hardware can be live updated, some of its older hardware will need to be rebooted to apply the patches effectively. Rackspace has acknowledged that it will need to reboot some of its servers as well, which may result in downtime for customers using that service.
-http://www.theregister.co.uk/2015/02/28/new_xen_vuln_causes_cloud_reboot/
Uber Data Breach Affects 50,000 Drivers (February 27 & 28, 2015)
A breach of a database at Uber has compromised personal data of approximately 50,000 of the company's drivers. The affected information includes names and driver's license numbers. The incident allegedly occurred in May 2014 and was discovered in September. Uber has filed a "John Doe" lawsuit in an attempt to obtain information leading to the identification of the culprit.
-http://www.zdnet.com/article/uber-admits-database-breach-putting-driver-data-at-risk/
-http://arstechnica.com/business/2015/02/50000-uber-driver-names-license-plate-numbers-exposed-in-a-data-breach/
-http://www.computerworld.com/article/2890493/breach-exposes-personal-data-on-50000-uber-drivers.html
-http://www.scmagazine.com/news-alert-uber-says-info-on-50k-drivers-exposed-files-suit/article/400810/
Uber Statement:
-http://blog.uber.com/2-27-15
Anthem Breach Affected Some Non-Anthem Customers (February 27, 2015)
The Anthem data security breach reportedly affected some US federal employees who were not Anthem customers. Anthem has not said how many federal employees were affected by the breach.
-http://www.nextgov.com/cybersecurity/2015/02/anthem-healthcare-hack-snared-federal-employees-who-werent-anthem-customers/106260/?oref=ng-HPtopstory
[Editor's Note (Murray): In the light of the biggest breach in history, this does not increase the damage much. Anthem has been much less than generous in offering remedies to its compromised customers, i.e., if one can demonstrate that one's credit has been damaged or identity stolen, Anthem's contractor will help you repair your credit and reputation. This remedy operates late and puts the responsibility and most of the cost on the subscriber. Changing health care providers is much more difficult than closing one's eBay account and selling one's eBay stock. After the fact, neither remedy is very effective. ]
Experts Skeptical that President's Information Sharing Plan Will Reduce Breaches (February 25, 2015)
The majority of the CS Monitor's Passcode Influencers, a group composed of privacy and security experts, say that the White House's planned information sharing program will have no significant effect on the number of breaches. DEF CON Communications president Jeff Moss said that "information sharing allows better and faster band aids but doesn't address the core problem." In addition, Department of Homeland Security (DHS) officials say that offering liability protection for companies sharing threat intelligence will not provide the amount of information that will be of use in protecting the country's critical systems from attacks.
-http://www.csmonitor.com/World/Passcode/2015/0225/Influencers-Obama-s-info-sharing-plan-won-t-significantly-reduce-security-breaches
-http://www.federalnewsradio.com/473/3807872/Administrations-cyber-sharing-proposal-a-policy-puzzle-not-a-panacea
[Editor's Note (Murray): As "net neutrality" was used to sell government regulation of the Internet, "threat information sharing" is being used to sell "immunity from liability" for enterprises. What's not to like? ]
NIST's Risk Management for Replication Devices (February 25, 2015)
The US National Institute of Standards and Technology (NIST) has released an internal report titled Risk Management for Replication Devices; replication devices include copiers, printers, and scanners. Among the issues that need to be addressed are unchanged default passwords, data that are stored and transmitted without encryption, and unpatched or outdated operating systems and firmware.
-http://gcn.com/articles/2015/02/25/nist-replication-device-security.aspx?admgarea=TC_SecCybersSec
[Editor's Note (Pescatore): With all the focus on data breaches via phishing and other direct attacks, it is a good time to check this area, especially the disposal of copiers and printers - and backup devices/servers. Another recommendation: when no one is talking about more traditional forms of attacks, that means it is a good time to review your physical security procedures and controls. In particular, when was the last time anyone reviewed your mail room/shipping dock security procedures? The US Postal Service has a good quick reference at
-https://about.usps.com/securing-the-mail/best-practices.htm ]
STORM CENTER TECH CORNER
Lenovo Made $250k With Superfish
-http://www.forbes.com/sites/thomasbrewster/2015/02/27/lenovo-got-very-little-from-superfish-deal/
Android Spotty Support for Full Disk Encryption
-http://www.theregister.co.uk/2015/03/02/google_encrypted_by_default/
ICANN gTLD Portal Privacy Problem
-https://www.icann.org/news/announcement-2015-03-01-en
Qualcomm Demos Ultrasonic Fingerprint Reader
-https://www.qualcomm.com/products/snapdragon/security/sense-id
Seagate NAS Remote Code Execution Vulnerability
-https://beyondbinary.io/advisory/seagate-nas-rce/
D-Link / Trendnet Vulnerabilities
-https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/