SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #18

March 06, 2015

CISSP exam revision goes live April 15. ISC2 made solid changes to the exam, and we have just completed testing the official SANS course revision, with impressive results. One of the highest rated teachers in cybersecurity (Jonathan Ham) will be teaching the new course at SANS 2015 in Orlando in a few weeks. If you are going to try to pass the new exam, Jonathan's class is both the most effective and most enjoyable pathway. And Orlando is great!
Info: http://www.sans.org/event/sans-2015/course/sans-plus-s-training-program-cissp-ce
rtification-exam

---

TOP OF THE NEWS

Attacks on US Federal Networks Increased in 2014
Law Firms to Launch Threat Data Sharing Forum
Anthem Refused OPM Audit Scans

THE REST OF THE WEEK'S NEWS

Detecting Suspicious Domains
Google Updates Chrome to Version 41
FTC to Look at Cross-Device Tracking
Mandarin Oriental Breach
GAO Finds Weaknesses in US Air Traffic Control Systems
D-Link Releasing Firmware Updates
GoDaddy Sites Being Used in Domain Shadowing Attacks
Freak Flaw
Washington State Hospital Sues Bank Over Fraudulent ACH Transactions
Correction: Anthem Breach Remedies

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec **************************
Solving Increased Data Backup and Recovery With ever-increasing amounts of data, whether driven by datacenter evolution or just plain growth, there is a definite need for better solutions in today's enterprise data centers. Join Symantec Senior Marketing Manager Michael Krutikov on Wednesday, March 11th to learn how to solve for the increased amount of data while obtaining operational efficiency that delivers success for IT and ROI for an organization.
http://www.sans.org/info/175507
***************************************************************************

TRAINING UPDATE


- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- -SANS Munich 2015 | Munich, Germany | February 23-March 7, 2015 6 courses.
http://www.sans.org/u/VR


- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


- -SANS Northern Virginia 2015 | Reston, VA | March 9-March 14, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg


- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- - -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- - -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- - -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- - -Looking for training in your own community? Community - http://www.sans.org/u/Xj


- - -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Attacks on US Federal Networks Increased in 2014 (March 4, 2015)

According to a report from the Office of Management and Budget (OMB), there were 70,000 reported cyber security incidents involving federal systems in 2014, a 15 percent increase over the figure for 2013. Some of the increase can be attributed to improved monitoring. Ninety-two percent of federal agencies now have implemented continuous monitoring; last year, the figure was 81 percent. Nearly half of the incidents could have been prevented if strong authentication measures had been implemented.
-http://thehill.com/policy/cybersecurity/234601-cyberattacks-on-government-hit-re
cord-high

Law Firms to Launch Threat Data Sharing Forum (March 5, 2015)

International law firms will launch a forum to help them share cyber threat information. The system is expected to launch this spring with between six and 12 member firms. The forum is being established as a branch of the Financial Services Information Sharing and Analysis Center and will have access to some of that organization's data as well.
-http://thehill.com/policy/cybersecurity/234722-law-firms-to-share-info-about-cyb
er-threats

Anthem Refused OPM Audit Scans (March 5, 2015)

Anthem refused to allow the US Office of Personnel Management's Office of the Inspector General (OIG) to conduct scans for a security audit after the breach of its systems. Anthem did undergo an audit in September 2013; it refused the scans at that time as well, but allowed a more general audit.
-http://www.darkreading.com/anthem-refuses-to-let-inspector-general-conduct-full-
security-audit/d/d-id/1319365?
-http://www.govinfosecurity.com/anthem-refuses-full-security-audit-a-7980
[Editor's Note (Ullrich): There are many reasons to refuse a scan. Most of them are not valid. What companies will have to realize is that an authorized scan conducted by a professional and skilled penetration tester will always be less risky then the scan the bad guys are running on your systems all day. ]

---

**************************** SPONSORED LINKS ******************************
1) The Intersection of Enterprise SaaS Adoption and Information Security. Tuesday, March 10 at 1:00 PM EDT (17:00:00 UTC) with Danelle Au. http://www.sans.org/info/175512

2) Level Up Your Security Strategy with Cyber Threat Intelligence. Wednesday, March 11 at 1:00 PM EDT (17:00:00 UTC) with Joe Schreiber and Dave Shackleford. http://www.sans.org/info/175517

3) Defending against advanced targeted threats with the SANS Critical Controls. Thursday, March 26 at 11:00 AM EST (15:00:00 UTC) with Andrew Avanessian and John Pescatore. http://www.sans.org/info/175522
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Detecting Suspicious Domains (March 5, 2015)

Technology being developed by OpenDNS aims to hasten detection of malicious websites and domains. The technology, called Natural Language Processing Rank (NLPRank), checks for suspicious site names. To reduce the incidence of false positives, it also checks to see if the domain is running on the same network that the organization it claims to be from actually uses.
-http://arstechnica.com/security/2015/03/system-catches-malware-sites-by-understa
nding-sneaky-domain-names/
-http://www.computerworld.com/article/2893599/opendns-trials-system-that-quickly-
detects-computer-crime.html
[Editor's Note (Northcutt): OpenDNS is a really cool operation and if you are not using it for your home network you should really consider it; this goes double if you are a parent. And NLPRANK is an idea whose time has come. The idea of registering domain names that are similar to valid and trustworthy names e.g. Micr0s0ft.com is not new. What is fairly new is the ability of attackers to prepare an attack, register these slightly-off domains, embed them in tiny urls, phishing links in emails, etc., and mop up the opportunities the people that succumb to the attack present them in a very short period of time. In manufacturing and quality control, people are very sensitive to cycle time. We need to apply that type of mindset in defensive cybersecurity:
-https://www.opendns.com/home-internet-security/
-http://www.isixsigma.com/dictionary/cycle-time/]

Google Updates Chrome to Version 41 (March 5, 2015)

Google has promoted Chrome 41 to the stable channel for Windows, Mac, and Linux. The newest version of the browser addresses more than 50 vulnerabilities.
-http://www.scmagazine.com/chrome-41-update-includes-51-security-fixes/article/40
1937/
-http://googlechromereleases.blogspot.com/2015/03/stable-channel-update.html

FTC to Look at Cross-Device Tracking (March 5, 2015)

The US Federal Trade Commission (FTC) will hold a workshop in the fall to examine cross-device tracking and how it affects consumers. Such events can indicate that the agency will follow up with reports and increased enforcement of privacy rules.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/05/the-ftc-wants-to-kn
ow-how-companies-are-tracking-you-across-computers-and-smartphones/
[Editors' Note (Murray/Paller): The FS/ISAC is the poster child for trusted intelligence sharing. It demonstrates that the "immunity from liability" provisions of the pending CISA (
-https://act.eff.org/action/stop-the-cybersecurity-information-sharing-bills)
legislation is not necessary for the purpose for which it is proposed. One wonders why it refuses to die? ]

Mandarin Oriental Breach (March 4 & 5, 2015)

The Mandarin Oriental hotel chain has confirmed a breach of its systems that compromised customer payment card information. The attack affected point-of-sale systems at 45 of the company's hotels.
-http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/
-http://www.bbc.com/news/technology-31753935
[Editor's Note (Murray): One more breach only confirms what we already know. THERE IS NOTHING LEFT TO HIDE. To the extent that our retail payment system relies upon the secrecy of credit card numbers for its security, it is permanently busted. In a world in which hundreds of millions of credit card numbers are known to have been breached and in which credit card numbers sell for dollars in white markets and pennies in black markets, merchants must assume that they are breached, consumers must assume that they are targets, and issuers must assume that a large percentage of charges presented to them are fraudulent. Help is at hand in form of real-time transaction confirmations and tokenization of the card number. Issuers must offer (many already do) near real time transaction confirmations. (Even my little three branch community bank offers this service.) Consumers must demand and opt-in to such notifications and reconcile the notifications that they get. AmEx reports that using such transaction notifications they are detecting fraudulent transactions within sixty seconds. Consumers must prefer proxies, like PayPal, Apple Pay, and the newly announced Samsung Pay and Android Pay (when available), that hide the credit card number from the merchant. Brands must offer and banks must use digital tokenization services like Visa Token Service that substitute a one-time Payment Authorization Number (PAN) for the credit card number. ]

GAO Finds Weaknesses in US Air Traffic Control Systems (March 2 & 4, 2015)

A report from the Government Accountability Office (GAO) found that while the Federal Aviation Administration (FAA) has implemented measures to protect its systems from attacks, "a significant number of weaknesses remain in the technical controls - including access controls, change controls, and patch management - that protect the confidentiality, integrity, and availability of its air traffic control systems."
-http://www.washingtonpost.com/local/trafficandcommuting/faa-computers-vulnerable
-to-hackers-gao-report-says/2015/03/02/388219ac-c119-11e4-9271-610273846239_stor
y.html
-http://net-security.org/secworld.php?id=18040
-http://www.gao.gov/assets/670/668169.pdf
[Editor's Note (Murray): Do not gloat over this report. Rather, pretend that it had been written about you; it might well have been. Be thankful that such reports as are written about you are not reported in the press. ]

D-Link Releasing Firmware Updates (March 4, 2015)

D-Link is releasing firmware updates to fix three vulnerabilities in its products that could be exploited remotely. The most concerning of the flaws could be exploited to change DNS settings. Along with the updates, D-Link offered recommendations to improve security, including disabling remote administrative access.
-http://www.theregister.co.uk/2015/03/04/dlink_removes_fingers_from_ears_preps_ma
ss_router_patch/
-http://www.scmagazine.com/d-link-issues-firmware-updates-to-address-router-vulne
rabilities/article/401707/

GoDaddy Sites Being Used in Domain Shadowing Attacks (March 4 & 5, 2015)

Cyber criminals are using GoDaddy-registered websites to launch attacks. The technique is called domain shadowing, and involves breaking into GoDaddy accounts and setting up fake subdomains from which users are redirected to malicious sites. Domain shadowing allows the attackers to evade detection through blacklisting.
-http://thehill.com/policy/cybersecurity/234588-godaddy-used-as-tool-for-cyber-at
tacks
-http://www.theregister.co.uk/2015/03/05/worlds_nastiest_exploit_kit_just_got_nas
tier/
[Editor's Note (Ullrich): We have seen this technique all the way back to 2010 (e.g.
-https://isc.sans.edu/diary/What%27s+In+A+Name%3F/11770)
used for spam. If you haven't done so, make sure you setup a system to monitor your DNS zone continuously and completely. It is not sufficient to check for altered NS records, or altered replies for your most common hostnames (www.company.com, mail.company.com). In addition, it is critical to verify that no records were ADDED to your zone. At least check for changes to the zone's serial number, but attackers may not update it as they don't need 100% reliable lookups. ]

Freak Flaw (March 3, 4, & 5, 2015)

The FREAK vulnerability affects both the Secure Sockets Layer (SSL) and Transport layer Security (TLS) protocols in Apple's Safari browser, Google's Android browser, and in Windows. It can be exploited to "downgrade ...the cipher suites used in an SSL/TLS connection" and intercept traffic between clients and servers. The issue has its roots in 20-year-old US encryption export restrictions, which saw the weaker algorithms used in products that were exported from the US.
-http://www.cnet.com/news/windows-vulnerable-to-freak-encryption-flaw-too/
-http://arstechnica.com/security/2015/03/stop-the-presses-https-crippling-freak-b
ug-affects-windows-after-all/
-http://www.eweek.com/security/freak-attacks-ssltls-security-putting-apple-androi
d-users-at-risk.html
-http://www.computerworld.com/article/2892592/serious-freak-flaw-could-undermine-
the-webs-encryption.html
-http://www.scmagazine.com/freak-vulnerability-can-be-exploited-to-cause-weak-enc
ryption/article/401691/
-http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-
cripples-https-crypto-protection/
[Editor's Note (Ullrich): Great example of what happens when governments get involved in weakening cryptography to enable surveillance. Microsoft's schannel SSL library is vulnerable as well. On the other hand, this bug isn't quite as critical as many make it appear. At least on the server side, these ciphers have been disabled in default configurations for a long time. No need to panic; patch as patches become available. ]

Washington State Hospital Sues Bank Over Fraudulent ACH Transactions (March 3, 2015)

A Washington state hospital (Chelan County Hospital No. 1) is suing Bank of America to recoup more than US $1 million the hospital lost in fraudulent transactions. In April 2013, thieves infiltrated the hospital's payroll account and added phony employees. Then they ran three unauthorized automated clearinghouse (ACH) payroll payments, stealing the funds from the hospital's coffers. Bank of America managed to retrieve US $400,000. The hospital's complaint alleges that someone on the Chelan County Treasurer's staff noticed something was not right and alerted the bank. A bank employee called the office to see whether a pending transfer request was authorized. An employee immediately said that it was not authorized, but the bank still allowed it to be processed.
-http://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-million-do
llar-cyberheist/
[Editor's Note (Murray): This report is what the Hospital alleges happened. The value of a trial to us is that its finding of fact is the closest that we will ever come to knowing what really happened. That said, I continue to believe that banks have the fundamental responsibility to ensure that transactions are properly authorized. ]

Correction: Anthem Breach Remedies In the Tuesday, March 3 edition of NewsBites, we incorrectly described remedies Anthem is offering to customers whose data were compromised in the breach. Anthem is automatically providing all affected customers with two years of reactive ID repair; customers may choose to enroll in a proactive ID monitoring service as well. Both are offered at no cost to Anthem customers.
-https://www.anthemfacts.com

---

STORM CENTER TECH CORNER

Latest Cryptowall Version Uses .chm Attachments
-https://isc.sans.edu/forums/diary/Cryptowall+again/19427/

XML Files Used to Deliver Word Macros Past Mail Filters
-https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/

How Are ANY Queries Processed By Recursive And Authoritative DNS Servers
-https://isc.sans.edu/forums/diary/XML+A+New+Vector+For+An+Old+Trick/19423/

Capturing Packets in Windows With netsh vs. Wireshark
-https://isc.sans.edu/forums/diary/No+Wireshark+No+TCPDump+No+Problem/19409/

Java Update For OS X Includes Ask.com Adware
-http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-
for-macs/

PHPMoAdmin Vulnerability
-https://github.com/MongoDB-Rox/phpMoAdmin-MongoDB-Admin-Tool-for-PHP/issues/9

GoPro Camera Exposes Configuration Details Including WiFi Passwords
-http://secureornot.blogspot.de/2015/03/gopro-update-mechanism-exposes-multiple.h
tml

Free Amazon and Walmart Giftcard Malware
-http://www.adaptivemobile.com/blog/worm-gazon-want-gift-card-get-malware

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/