SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #20
March 13, 2015
TOP OF THE NEWS
ICS-CERT Monitor Quarterly Report - Phishing Reigns Supreme
Notice of Special Rapid Hiring Authority for Federal Cyber Security
FCC Releases Net Neutrality Rules
THE REST OF THE WEEK'S NEWS
US Treasury Sharing Threat Data with Banks
Superfish Removed from 250,000 Windows Machines
FREAK Still Affects Some Cloud Services
Microsoft Patch Tuesday
Adobe Updates Flash Player
Dropbox SDK for Android Exfiltration Flaw
UK ISPs Take Another Tack to Block the Pirate Bay
VICEPASS Malware Targets Home Routers
Dutch Court Strikes Down Data Retention Law
Apple Updates for iOS and OS X
OpenSSL Audit
STORM CENTER TECH CORNER
************************** Sponsored By FireEye **************************
Cybersecurity Collaboration: Leveraging a Trusted Partner:
Tuesday, March 24 at 1:00 PM EST (17:00:00 UTC). Join FireEye Chief Security Strategist - Enterprise Forensics, Josh Goldfarb, as he explores the current state of cybersecurity and the new threat landscape, the failure of traditional defense models in the face of a new adversary, and the value of an Adaptive Defense strategy and working with a trusted partner.
http://www.sans.org/info/175717
***************************************************************************
TRAINING UPDATE
- -SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq
- -SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1
- -SANS Northern Virginia 2015 | Reston, VA | March 9-March 14, 2015 12 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; and Debunking the Complex password Myth.
http://www.sans.org/u/Wg
- -Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro
- - -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8
- - -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- - -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- - -Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- - -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
ICS-CERT Monitor Quarterly Report - Phishing Reigns Supreme (March 12, 2015)
According to a quarterly report from the US Industrial Control System Computer Emergency Response Team (ICS-CERT), industrial control systems were targets of cyber attacks at least 245 times in the 12-month period between October 1, 2013 and September 30, 2014. Seventy-nine of the incidents involved companies in the energy sector. Sixty-five of the incidents involved attacks that managed to gain access to ICS manufacturer systems. Of the known vectors of attack, 42 of the incidents were attributed directly to phishing attacks, while the attack vector could not be identified for the other 94.
-http://www.v3.co.uk/v3-uk/news/2399334/us-industrial-control-systems-attacked-245-times-in-12-months
-https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
Notice of Special Rapid Hiring Authority for Federal Cyber Security (March 5, 2015)
The US federal government Office of Personnel Management (OPM) has issued a notice of special hiring authority for excepted service for up to 3,000 positions requiring "unique cyber security skills."
-https://www.federalregister.gov/articles/2015/03/05/2015-05185/excepted-service
[Editor's Note (Northcutt): Everyone in the business says the same thing when they read this. "Where are they going to find them?" Everyone is competing for the same people. And there is the problem of provable skills. Whoever is taking the lead on this truly important initiative has their hands full, and the authority expires December 31, 2015. ]
FCC Releases Net Neutrality Rules (March 12, 2015)
Documents from the US Federal Communications Commission (FCC) show that the commission is going to treat broadband as a public utility, which means it will be subject to more stringent regulation. The document indicates that the FCC will determine what is deemed acceptable on a case-by-case basis.
-http://www.nytimes.com/2015/03/13/technology/fcc-releases-net-neutrality-rules.html
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/12/here-are-all-400-pages-of-the-fccs-net-neutrality-rules/
-http://www.siliconrepublic.com/comms/item/41119-net-neutrality-document/
-http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0312/FCC-15-24A1.
**************************** SPONSORED LINKS ******************************
1) Combat Advanced Malware - Download the Free White Paper: Advancing Threat Hunting. http://www.sans.org/info/175722
2) Use Maltego to exploit cyber threat intelligence from open Web sources (OSINT) more effectively. Live demonstration webinar with Recorded Future on Thursday, March 19 at 12:00 PM ET. Register now: http://www.sans.org/info/175727
3) ICS Security Survey: Help SANS Assess Security Trends -- Enter to Win a $400 Amazon Gift Card. http://www.sans.org/info/175732
***************************************************************************
THE REST OF THE WEEK'S NEWS
US Treasury Sharing Threat Data with Banks (March 12, 2014)
The US Treasury Department has started sharing cyber threat data with banks through an automated system, which uses a language called STIX (Structured Threat Information Expression or Exchange).
-http://www.nextgov.com/cybersecurity/2015/03/treasury-begins-automating-cyber-tip-sharing-banks/107382/?oref=ng-channelriver
Superfish Removed from 250,000 Windows Machines (March 12, 2015)
Microsoft, along with Lenovo and other software manufacturers, has managed to scrub Superfish adware from 250,000 Windows-based PCs. According to Microsoft's security team, the daily number of Lenovo machines infected has dropped below 1,000; at its peak, Superfish had been found daily on 60,000 PCs.
-http://www.computerworld.com/article/2895882/joint-effort-guts-superfish.html
FREAK Still Affects Some Cloud Services (March 12, 2015)
Despite fixes from Apple and Microsoft this week, the FREAK vulnerability still affects more than 600 cloud services, according to an estimate from Skyhigh Networks. The company scanned its registry of more than 10,000 services.
-http://www.scmagazine.com/more-than-600-cloud-services-still-vulnerable-to-freak-data-shows/article/403273/
[Editor's Note (Murray): This vulnerability has existed as long as the protocol but has been all but eliminated in weeks. The amount of special knowledge in the publicity has hardly altered the total cost of attack. Since UIDs and passwords sell in the black market for pennies, it is hard to imagine efficient exploitation of the vulnerability in the remaining time to fix it, on all but a vanishingly small number of sites. That a vulnerability has a clever name, or even that it involves TLS/SSL, does not imply that it represents a significant risk to the community. ]
(Honan): It appears that many Blackberry products are vulnerable to this attack too. Given that Blackberry tout their devices as being more secure than others, this is not good news in their battle to maintain survival.
-https://threatpost.com/blackberry-warns-many-products-vulnerable-to-freak-attack/111607 ]
Microsoft Patch Tuesday (March 10 & 12, 2015)
One of the updates Microsoft released on Tuesday, March 13, 2015, is causing a reboot loop for many Windows 7 users. Microsoft released 14 security bulletins in all to address security issues in Microsoft Windows, Exchange, Office, Microsoft Server Software, and Internet Explorer. Among the flaws addressed is the vulnerability known as FREAK, which can be exploited to intercept communications and downgrade encryption strength. Microsoft also issued a patch to fix a flaw exploited by Stuxnet that had been incompletely patched in 2010.
-http://krebsonsecurity.com/2015/03/ms-update-3033929-causing-reboot-loop/
-http://www.computerworld.com/article/2895214/massive-microsoft-march-update.html
-http://arstechnica.com/information-technology/2015/03/patch-tuesday-patches-freak-universal-xss/
-https://technet.microsoft.com/en-us/library/security/dn903782.aspx
Internet Storm Center:
-https://isc.sans.edu/forums/diary/Microsoft+March+Patch+Tuesday/19445/
Adobe Updates Flash Player (March 12, 2015)
Adobe has released an update for its Flash Player that addresses at least 11 separate vulnerabilities. The most current version of Flash for Windows and Mac is now 17.0.0.134; Flash on Google Chrome and Internet Explorer on Windows 8.x should be updated automatically. Linux users are advised to update to version 11.2.202.451.
-http://krebsonsecurity.com/2015/03/adobe-flash-update-plugs-11-security-holes/
-http://www.theregister.co.uk/2015/03/12/adobe_kicks_out_flash_security_fix/
-http://www.scmagazine.com/adobe-issues-patches-addressing-11-vulnerabilities-in-flash-player/article/403248/
Dropbox SDK for Android Exfiltration Flaw (March 11 & 12, 2015)
A vulnerability in the Dropbox Software Development Kit (SDK) for Android could be exploited to reroute saved data to a different account; files already stored on Dropbox servers would not be vulnerable. The flaw affects applications that use versions 1.5.4 and later of the SDK. IBM notified Dropbox of the flaw in December. The company acknowledged the report immediately, and issued a patch within four days.
-http://www.eweek.com/cloud/dropbox-sdk-flaw-could-allow-attackers-to-reroute-data.html
-http://www.v3.co.uk/v3-uk/news/2399122/dropbox-sdk-bug-leaves-android-users-open-to-attack
-http://www.computerworld.com/article/2895759/android-app-developers-should-update-to-dropboxs-latest-sdk.html
-http://www.darkreading.com/droppedin-vuln-links-victims-androids-to-attackers-dropboxes/d/d-id/1319428?
UK ISPs Take Another Tack to Block the Pirate Bay (March 11, 2015)
Internet service providers (ISPs) in the UK are now blocking websites that offer pirated content as well as those that serve as proxies for such sites and even sites that simply list the proxy sites. The reach of the court order has raised concerns about censorship.
-http://www.bbc.com/news/technology-31832137
-http://www.wired.co.uk/news/archive/2015-03/11/uk-isp-proxy-block
VICEPASS Malware Targets Home Routers (March 11, 2015)
Malware dubbed VICEPASS connects to home routers, scans for connected devices, and sends harvested information to a command-and-control server before it deletes itself. The malware appears to be infecting users who are tricked into visiting malicious sites that claim to offer Adobe Flash updates.
-http://www.scmagazine.com/malware-that-connects-to-home-routers-deletes-itself-without-a-trace/article/403050/
[Editor's Note (Murray): My all-time favorite bait message begins "Click here to update Adobe..." ]
Dutch Court Strikes Down Data Retention Law (March 11, 2015)
A Dutch district court has struck down a law that required telecommunications providers to retain customer data for six to 12 months. The law was initially enacted in 2009 to fulfill the EU directive on data retention, which the European Court of Justice struck down last spring.
-http://www.zdnet.com/article/dutch-court-suspends-mandatory-data-retention-legislation/
[Editor's Note (Honan): In related news Bulgaria has also revoked its Data Retention law
-http://www.theregister.co.uk/2015/03/13/bulgaria_nixes_metadata_law_paraguay_delays/
and today the European Commission announced it will not be looking to introduce a new directive to require telcos "to store the communications data of European Union citizens for security purposes". Of course individual member states may introduce their own national laws but there will be no requirement at the EU level to do so. ]
Apple Updates for iOS and OS X (March 10 & 11, 2015)
Apple has released security updates for iOS and OS X. Both include fixes for the FREAK vulnerability in SSL/TLS, which could be exploited to intercept communications and force a downgrade in encryption strength. Apple's Security Update 2015-002 addresses five vulnerabilities; Apple's iOS 8.2 addresses six vulnerabilities and includes Apple Watch capabilities.
-http://www.eweek.com/security/apple-patches-freak-fixes-other-vulnerabilities.html
-http://www.theregister.co.uk/2015/03/10/apple_ios_os_x_security_patches/
-http://www.scmagazine.com/apple-addresses-freak-flaw/article/403035/
OpenSSL Audit (March 10, 2015)
Researchers are set to begin an audit of OpenSSL. The audit is part of the Linux Foundation's Core Infrastructure Initiative, which was created to help improve the security and integrity of widely used open source software in the wake of the Heartbleed vulnerability.
-http://www.v3.co.uk/v3-uk/news/2398979/openssl-faces-major-audit-to-stop-future-heartbleed-flaws-occurring
[Editor's Note (Murray): In the absence of a rigorous specification and auditable development procedures, procedures that contemplated such an audit, it will be much more expensive and far less revealing than one might hope. ]
STORM CENTER TECH CORNER
Blind SQL Injection Against WordPress SEO By Yoast
-https://isc.sans.edu/forums/diary/Blind+SQL+Injection+against+WordPress+SEO+by+Yoast/19457
Blackberry Advisory regarding FREAK
-http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=8C8C9A0B46926AAD1526DDFC5549005F?externalId=KB36811&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
Mozilla Releases Masche Memory Scanning Tool
-https://blog.mozilla.org/security/2015/03/12/introducing-masche-memory-scanning-for-server-security/
Google Service Interruption Due To BGP Failure
-http://www.bgpmon.net/what-caused-the-google-service-interruption/
Syslog Skeet Shooting: Targeting Real Problems in Event Logs
-https://isc.sans.edu/forums/diary/Syslog+Skeet+Shooting+Targetting+Real+Problems+in+Event+Logs/19449/
Panda Virus Labels Itself as Malware
-http://www.pandasecurity.com/uk/homeusers/support/card?id=100045
Barbie is Listening to Your Kids
-http://www.commercialfreechildhood.org/action/shut-down-hello-barbie
GnuPG Campaign Successful. 2nd Developer Hired
-https://www.gnupg.org/blog/20150310-gnupg-in-february.html
Threatglass
-https://isc.sans.edu/forums/diary/Threatglass+has+pcap+files+with+exploit+kit+activity/19433/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/