SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #21

March 17, 2015

Tomorrow (March 18) is the last day to save $200 on registration for SANS2015 on the Disneyworld property in Orlando. Every year lots of students bring their families for the weekend before or during SANS. http://www.sans.org/event/sans-2015

---

TOP OF THE NEWS

U.S. State Department Email Goes Dark, Again
TeslaCrypt Targets Numerous File Types, Including Gaming Files
Virlock Ransomware

THE REST OF THE WEEK'S NEWS

Virginia Limits Retention Time for License Plate Reader Data
Facebook Report Details Government Data Requests
Yahoo Announces On-Demand Passwords, Releases Encryption Plugin Source Code for Review
Federal Investigators Say They Are Close to Identifying JPMorgan Chase Attackers
State Department Takes Steps to Improve its Network Security
UK Cyber Security Competition
Some British Telecom Traffic Routed Through Ukraine
Problematic Windows 7 Patch
DOJ Drops Charges Against NOAA Employee

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************** Sponsored By Bit9 + Carbon Black **********************
Improve your Incident Response Process Download the free Securosis Report: Leveraging Threat Intelligence In Incident Response/Management. Proactively collect data at the endpoint while layering threat intelligence to customize detection, accelerate investigations and recover faster. Download Now: http://www.sans.org/info/175902
***************************************************************************

TRAINING UPDATE


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


-Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

U.S. State Department Email Goes Dark, Again (March 16, 2015)

Only 120 days after taking its email system off line to clean up after a cyber attack, the U.S. State Department took its email system off line to clean up after another even more virulent cyber attack.
-http://thehill.com/policy/cybersecurity/224595-state-department-email-restored
-http://www.reuters.com/article/2015/03/13/us-cybersecurity-usa-idUSKBN0M92LE2015
0313
[Editor's Note (Paller): If Tony Blinken (State Department Deputy Secretary) wants to do more than give lip service to cybersecurity at his Department, he should have his CIO run iPOST again and see how far the individual divisions and embassy security status degraded since the State Department IT security folks decided they didn't actually need to monitor and mitigate vulnerabilities every day (when John Streufert left for DHS). The State Department used to be the model for effective mitigation and cyber hygiene. It can easily get back on top of its game; it has the tools in place. Does it have the leadership? ]

TeslaCrypt Targets Numerous File Types, Including Gaming Files (March 13 & 16, 2015)

Ransomware is now targeting online gamers. Malware known as TeslaCrypt targets more than 50 game-related files extensions and holds them for ransom. It also targets documents, pictures, and iTunes files.
-http://www.computerworld.com/article/2896408/gamers-targeted-by-teslacrypt-ranso
mware-1-000-to-decrypt-games-mods-steam.html
-http://www.scmagazine.com/bromium-labs-details-new-ransomware-campaign/article/4
03511/

Virlock Ransomware (March 13, 2015)

Virlock ransomware not only locks the screen of devices, but is also infects files on the devices. Virlock is polymorphic, meaning that it alters its code each time it runs so it is more difficult for security software to detect.
-http://www.v3.co.uk/v3-uk/news/2399602/hackers-developing-file-infecting-virlock
-ransomware-with-resurrection-powers
-http://www.darkreading.com/hackers-breaking-new-ground-with-ransomware/d/d-id/13
19475?
[Editor's Note (Murray): Users are reminded that "ransomware" will attack any data that is visible to the file system. This can include backup drives and cloud storage that are visible in the file system. ]

---

**************************** SPONSORED LINKS ******************************
1) Unraveling the Threat: Expanding Response Processes and Procedures Beyond the Moment of Discovery. Monday, March 23 at 3:00 PM EDT (19:00:00 UTC) with Ben Johnson. http://www.sans.org/info/175907

2) A risk-based approach to identification, impact estimation, and effective remediation of data breaches in web-based applications Wednesday, March 18 at 1:00 PM EST (17:00:00 UTC) with Dr. Eric Cole and Demetrios Lazarikos (Laz). http://www.sans.org/info/175912

3) Defending against advanced targeted threats with the SANS Critical Controls. Thursday, March 26 at 11:00 AM EST (15:00:00 UTC) with Andrew Avanessian and John Pescatore. http://www.sans.org/info/175917
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Virginia Limits Retention Time for License Plate Reader Data (March 16, 2015)

Virginia's governor has signed legislation that limits the length of time law enforcement in that state may retain license plate reader data to seven days. While New Hampshire has banned license plate data collection altogether and Maine has set a 21-day retention limit, many other states have set no formal limits. The Virginia law allows the data to be retained more than seven days if they pertain to an active and ongoing criminal investigation. The law takes effect July 1, 2015.
-http://arstechnica.com/tech-policy/2015/03/virginia-passes-shortest-limit-in-us-
on-keeping-license-plate-reader-data/
[Editor's comment (Northcutt): Bully for Virginia. We are out of control with the collection of data on the populace. In no way am I saying the current USA is a police state, but we need to be careful not to become one:
-http://www.hermes-press.com/police_state.htm
-https://www.facebook.com/PoliceStateUSA]

Facebook Report Details Government Data Requests (March 16, 2015)

Facebook's Global Government Request Report shows that the overall number of requests the company received from governments worldwide increased slightly from the previous six months. The majority of the data requests were related to criminal cases. In the US, nearly 80 percent of requests were met with the release of some data. While requests from the US and German governments declined, the number of requests in the US may be higher than the figures indicate because Facebook did not include national security requests in its report. Facebook also notes that requests to restrict or take down content rose 11 percent over the previous six months.
-http://www.computerworld.com/article/2896781/government-requests-for-facebook-da
ta-continue-to-grow.html
-http://www.zdnet.com/article/facebook-still-cant-tell-you-if-its-being-silenced-
by-the-fbi/
-http://www.forbes.com/sites/parmyolson/2015/03/16/facebook-government-data-reque
sts-still-climbing/
-https://govtrequests.facebook.com

Yahoo Announces On-Demand Passwords, Releases Encryption Plugin Source Code for Review (March 15 & 16, 2015)

Yahoo has announced that it will let users log into their accounts with on-demand passwords sent as SMS messages to their mobile devices. The scheme is not the same as two-factor authentication, which Yahoo also offers. Yahoo also plans to release a plug-in that would enable end-to-end encryption for its email by the end of the year. The company has released the plug-in's source code for public review.
-http://www.cnet.com/news/yahoo-wants-to-let-you-forget-your-yahoo-password/
-http://www.darkreading.com/yahoos-one-time-passwords-have-security-experts-divid
ed/d/d-id/1319491?
-http://www.scmagazine.com/yahoo-makes-major-announcements-at-sxsw/article/403780
/
-http://www.computerworld.com/article/2896780/yahoo-puts-email-encryption-plugin-
source-code-up-for-review.html
-http://yahoo.tumblr.com/post/113708272894/a-new-simple-way-to-log-in
[Editor's Note (Murray): It is ironic that Yahoo, Google, Dropbox, PayPal, Twitter, and my three branch community bank all offer strong authentication to their external users while enterprises, including eBay and Anthem, continued to be breached for failure to use it for privileged insiders. ]

Federal Investigators Say They Are Close to Identifying JPMorgan Chase Attackers (March 15 & 16, 2015)

According to a report in the New York Times, US federal investigators say they are close to identifying those responsible for the attack on JPMorgan Chase systems and that they could be handing down indictments within the next few months. The statement indicates that at least some of those identified as possible suspects reside in countries with which the US has an extradition treaty.
-http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-in-on-ha
ckers-who-stole-data-from-jpmorgan-chase.html?ref=technology&_r=0
-http://www.scmagazine.com/report-authorities-close-to-filing-charges-against-jpm
organ-hackers/article/403745/
-http://www.cnet.com/news/jpmorgan-hackers-gettable-as-investigators-close-in/

State Department Takes Steps to Improve its Network Security (March 13, 14, & 15, 2015)

The US State Department shut down portions of its network over the weekend in its efforts to improve security. The State Department disclosed late last year that intruders had infiltrated its network; the attack is believed to be related to the attack on the White House network. But as recently as last month, the State Department has said that it has been unable to rid its systems of the intruders' presence. The action taken over the weekend aimed to rid the system of malware.
-http://www.scmagazine.com/state-dept-takes-down-parts-of-network-to-harden-secur
ity/article/403608/
-http://www.cnet.com/news/state-department-takes-network-offline-for-security-scr
ub/
-http://www.nbcnews.com/tech/security/state-department-shuts-down-part-computer-n
etwork-clean-malware-n323271
[Editor's Note (Murray): Ensuring that a large enterprise network is not compromised is so difficult that even the NSA operates on the assumption that there are hostile systems on their network. ]

UK Cyber Security Competition (March 12, 14, & 16, 2015)

This year's Cyber Security Challenge UK was held on March 12 & 13 aboard the HMS Belfast in London. Competitors were faced with the challenge of regaining control of naval weapons that had been commandeered by fictitious bad guys. The winner of the competition is 21-year-old student Adam Tonks, who bested 41 other competitors.
-http://cybersecuritychallenge.org.uk/21-year-old-student-crowned-uk-cyber-securi
ty-champion/
-http://www.computerweekly.com/news/2240242328/Cirencester-student-wins-Cyber-Sec
urity-Challenge-UK
-http://arstechnica.com/security/2015/03/a-cyber-war-staged-in-central-london/
-http://www.bbc.co.uk/newsbeat/31856831

Some British Telecom Traffic Routed Through Ukraine (March 13, 2015)

The Internet traffic of 167 British Telecom customers appears to have been routed through servers in Ukraine. The unexplained digital detour could have been exploited to snoop on or tamper with the traffic. Among the organizations affected is the UK's Atomic Weapons Establishment.
-http://arstechnica.com/security/2015/03/mysterious-snafu-hijacks-uk-nukes-makers
-traffic-through-ukraine/

Problematic Windows 7 Patch (March 13, 2015)

In October 2014, Microsoft pulled a patch for Windows 7 that was causing problems for some users. Microsoft released a reworked version of the patch last week, but some users have been reporting that the new patch causes continuous reboots.
-http://www.theregister.co.uk/2015/03/13/microsoft_reborks_latest_windows_7_patch
/

DOJ Drops Charges Against NOAA Employee (March 12 & 16, 2015)

The US Justice Department has dropped an indictment against Xiafen Chen, a hydrologist who had worked at the National Oceanic and Atmospheric Administration (NOAA). According to the indictment, Chen was allegedly accessing a database containing information about the nation's dams without authorization and downloaded data, possibly intending to share that information with a Chinese government official. NOAA is now considering whether or not to reinstate Chen, who was suspended without pay last fall.
-http://www.nextgov.com/cybersecurity/2015/03/unpaid-suspension-federal-hydrologi
st-once-accused-illegal-army-downloads-under-review/107553/?oref=ng-channeltopst
ory
-http://www.scmagazine.com/charges-against-xiafen-chen-dropped/article/403047/

---

STORM CENTER TECH CORNER

OpenSSL Patch Pre-Announcement
-https://mta.openssl.org/pipermail/openssl-announce/2015-March/000020.html

Old Safari Private Browsing Bug Still Not Fixed in Latest Beta
-http://appleinsider.com/articles/15/03/13/years-old-safari-private-browsing-bug-
saves-url-of-every-page-visited-remains-unfixed

Risks of SSL Interception
-http://www.cert.org/blogs/certcc/post.cfm?EntryID=221

Virtual Machine Detection in VBA
-https://isc.sans.edu/forums/diary/Maldoc+VBA+SandboxVirtualization+Detection/194
65/

Yahoo End-to-End E-mail Encryption Plugin
-http://yahoo.tumblr.com/post/113708033335/user-focused-security-end-to-end-encry
ption

Windows 10 May Include Peer-to-Peer Updates
-http://n4gm.com/wp-content/uploads/2015/03/windows10-p2p-update.jpg?1d04b1

Google Leaked Private WHOIS Data
-http://blogs.cisco.com/security/talos/whoisdisclosure

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/