SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #22
March 20, 2015
A great program to help solve the advanced cyber skills shortage: Air Force veterans who excelled in the SANS Talent Exam are now at the halfway point in their intensive SANS training for careers in cybersecurity. Employers interested in hiring one of these outstanding US Air Force veterans are encouraged to contact Max Shuftan at mshuftan@sans.org. Additional information about the Academy is available at http://www.sans.org/cybertalent/immersion-academy.
Alan
TOP OF THE NEWS
Document Reveals China has Special Cyber War Units
OpenSSL Project Fixes 12 Security Issues
Committee Approves Request to Expand Judge's Warrant Authority for Digital Searches
THE REST OF THE WEEK'S NEWS
ISP-Provided ADSL Routers Have Directory Traversal Flaw
NYPD Officer Arrested for Allegedly Accessing Databases Without Authorization
D-Link Releases Patches for Flaws in Cameras and Wireless Range Extenders
Court Says Erie County (NY) Sheriff's Office Must Turn Over Stingray Documents
Premera Blue Cross Discloses Breach
OPM's Premera Audit Warned of Security Issues Weeks Before Breach
Windows 10 Will be Free Upgrade, and Will Support Biometric Authentication
Microsoft Revokes "Improperly Issued" Certificate
State Dept. System Back Online
STORM CENTER TECH CORNER
*********************** Sponsored By Symantec ***************************
Symantec Webcast: Cloud Security - Top Fundamentals You Need to Know, March 24th at 10am PT -The cloud is forcing us to rethink security. The fact that information flows freely outside of the enterprise and back again means we need to consider how we secure that information. Join guest speaker Pete Lindstrom from IDC and Symantec for discussion on the fundamentals.
http://www.sans.org/info/176012
**************************************************************************
TRAINING UPDATE
-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq
-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1
-Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro
-SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh
-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8
-Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 5 Courses: SEC401, SEC504, MGT512, MGT414 & Health Care Security Essentials
http://www.sans.org/u/2is
-SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG
-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
-Looking for training in your own community?
Community - http://www.sans.org/u/Xj
-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Oslo, London, and Bahrain all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Document Reveals China has Special Cyber War Units (March 18, 2015)
Officials in China have long denied US allegations of cyber espionage. However, a publication from a high-level People's Liberation Army research institute indicates that China's military and intelligence organizations have units that focus on cyber war.
-http://www.thedailybeast.com/articles/2015/03/18/china-reveals-its-cyber-war-secrets.html
[Editor's Note (Murray): "Officials in the US have long denied Chinese allegations of 'cyber espionage.'" Welcome to the 21st Century where this is what nation states do. ]
OpenSSL Project Fixes 12 Security Issues (March 19, 2015)
The OpenSSL Project has released fixes to address a dozen flaws in the open source cryptographic protocol implementation. One of the vulnerabilities has been classified as high severity; it could be exploited to cause denial-of-service (DoS) conditions.
Internet Storm Center:
-https://isc.sans.edu/forums/diary/OpenSSL+Patch+Released/19485/
-http://www.zdnet.com/article/you-need-to-apply-the-openssl-patches-today-not-tomorrow/
-http://www.computerworld.com/article/2899482/openssl-fixes-serious-denial-of-service-bug-11-other-flaws.html
-http://www.scmagazine.com/openssl-project-patches-two-high-severity-vulnerabilities/article/404487/
-https://www.openssl.org/news/secadv_20150319.txt
[Editor's Note (Pescatore): Good to see the Core Infrastructure Initiative focus and funding show some rapid concrete results. It will be good to see similar progress in other widely used open source code. (Murray): The "project" has made patches available. That does not "fix" the problem. ]
Committee Approves Request to Expand Judge's Warrant Authority for Digital Searches (March 17, 2015)
The US Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify a provision known as Rule 41 to give judges more flexibility in how they approve search warrants for electronic data. Prior to the change, judges had the authority to approve warrants only within the geographic boundaries of their districts. Now they can approve warrants for electronic searches of devices that are not physically within their judicial districts.
-http://www.nextgov.com/cybersecurity/2015/03/fbis-plan-expand-hacking-power-advances-despite-privacy-fears/107685/?oref=ng-channelriver
-http://thehill.com/policy/cybersecurity/235910-fbis-hacking-request-gets-initial-approval
**************************** SPONSORED LINKS ******************************
1) Combat Advanced Malware - Download the Free White Paper: Advancing Threat Hunting http://www.sans.org/info/176017
2) Jumpstarting the Critical Security Controls with Intelligent Asset Discovery. Wednesday, March 25 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Kevin Reilly. http://www.sans.org/info/176022
3) SANS Surveys: Share your knowledge and insights on these topics. Each survey will award a $400 Amazon Gift Card. SANS 2015 ICS Security Survey: results webcast on June 25. http://www.sans.org/info/176027. SANS 2015 Financial Sector Security Survey: results webcast on June 23. http://www.sans.org/info/176032.
***************************************************************************
THE REST OF THE WEEK'S NEWS
ISP-Provided ADSL Routers Have Directory Traversal Flaw (March 19, 2015)
A directory traversal vulnerability in more than 700,000 ADSL routers that Internet service providers (ISPs) have provided to their customers could put those customers at risk of DNS hijacking. The flaw has been known since 2011.
-http://www.computerworld.com/article/2899663/at-least-700k-routers-given-to-customers-by-isps-can-be-hacked.html
NYPD Officer Arrested for Allegedly Accessing Databases Without Authorization (March 17 & 19, 2015)
A New York City Police Department officer has been arrested for allegedly breaking into restricted law enforcement databases to obtain personal information about people who had been involved in traffic accidents. Auxiliary Deputy Inspector Yehuda Katz allegedly called these people, pretending to be an attorney.
-http://www.scmagazine.com/nypd-officer-hacked-databases-to-get-info-on-accident-victims/article/404250/
-http://www.fbi.gov/newyork/press-releases/2015/new-york-city-police-department-auxiliary-officer-charged-with-hacking-into-nypd-computer-and-fbi-database
D-Link Releases Patches for Flaws in Cameras and Wireless Range Extenders (March 18, 2015)
D-Link is releasing firmware patches to fix vulnerabilities in certain network cameras and wireless range extenders. D-Link issued fixes for flaws in its networking gear earlier this month.
-http://www.theregister.co.uk/2015/03/18/dlink_patches_yet_more_vulns/
-http://www.kb.cert.org/vuls/id/377348
[Editor's Note (Murray): I find it hard to believe that the owners of these "home appliances" will ever be aware of this vulnerability, much less replace firmware to fix it. The remedy should be a "recall," not a "patch." This is an early example of the problems of the "Internet of things." I am an advocate of doing it right early, as contrasted to late discovery and patch. That said, whichever way we go, we need a policy and a strategy to implement it. ]
Court Says Erie County (NY) Sheriff's Office Must Turn Over Stingray Documents (March 18, 2015)
A court in New York has ordered a county sheriff's office there to turn over documents about its use of stingray surveillance technology to the New York Civil Liberties Union (NYCLU). The ruling is the result of a Freedom of Information Act (FOIA) request NYCLU made last year. Among the documents the Erie County Sheriff's office must provide are unredacted purchase orders and the non-disclosure agreement. The judge's court order notes that in 2012, the FBI instructed the Erie County Sheriff's office to drop criminal charges rather than reveal anything about their stingray use.
-http://www.scmagazine.com/nyclu-wins-court-case-for-stingray-documents/article/404287/
-http://money.cnn.com/2015/03/18/technology/security/police-stingray-phone-tracker/index.html
Premera Blue Cross Discloses Breach (March 17 & 18, 2015)
Health care services provider Premera Blue Cross has acknowledged that a breach of its network may have compromised the medical and financial information of 11 million customers. The intruders initially gained access last May, but Premera did not learn about the breach until January 2015.
-http://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/
-http://arstechnica.com/security/2015/03/premera-cyberattack-could-have-exposed-information-for-11-million-customers/
-http://www.eweek.com/security/health-insurance-provider-premera-discloses-data-breach.html
-http://premeraupdate.com
-http://www.opm.gov/our-inspector-general/reports/2014/audit-of-inoformation-systems-general-and-application-controls-at-premera-blue-cross.pdf
[Editor's Note (Murray): Blue Cross customers should take advantage of the situation to get Blue Cross to pay for them to be notified when the credit bureaus and data brokers sell information about them. Congress needs to fix the law that permits the credit bureaus to charge us $15 per month for such notification. ]
OPM's Premera Audit Warned of Security Issues Weeks Before Breach (March 19, 2015)
Premera was warned about security issues in its IT systems shortly before the breach occurred. A routine audit reported in April 2014 advised that vulnerabilities should be fixed to avoid data compromise. The Office of Personnel Management (OPM) conducted the audit because Premera participates in the Federal Employee Health Benefits Program.
-http://www.scmagazine.com/auditors-told-premera-to-address-vulnerabilities-prior-to-breach/article/404492/
Windows 10 Will be Free Upgrade, and Will Support Biometric Authentication (March 17 & 18, 2015)
Windows 10, which is expected to be available later this year, will be offered as a free upgrade to users running Windows 7, 8, and 8.1, even if the versions currently being run are pirated. Windows 10 will also support biometric authentication. Users will be able to authenticate with fingerprints and iris and facial scans. Users may opt in to the feature, known as "Windows Hello."
-http://www.informationweek.com/software/operating-systems/windows-10-eliminates-passwords/d/d-id/1319507
-http://www.zdnet.com/article/microsoft-to-add-enterprise-grade-biometric-security-to-windows-10/
[Editor's Note (Pescatore): The biggest barrier to moving beyond reusable passwords has not really been user resistance to the idea, it has been the lack of "readers" built into the devices (like PCs, phones, tablets) that they use. Being forced into YATC (Yet Another Thing to Carry) like a SecurID card or an enormous Smart Card *and* a reader has been and always will be a deal killer. But all major mobile platforms support text messaging as a second factor *and* various forms of biometrics; users are starting to find their own value in moving beyond just a password. This does not solve the federated identity problem by any means, but can significantly raise the barrier against phishing. ]
Microsoft Revokes "Improperly Issued" Certificate (March 17, 2015)
Microsoft has revoked an "improperly issued" security certificate. The HTTPS certificate in question was originally issued for a Windows Live web address. It could be used to spoof content, launch phishing attacks, or conduct man-in-the-middle attacks. The issue affects all versions of Windows. Devices running Windows 8, Windows Phone 8, Windows Server 2012 and later should revoke the certificate automatically.
-http://www.zdnet.com/article/microsoft-blacklists-improperly-issued-ssl-certificate-affecting-all-versions-of-windows/
-http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/
-https://technet.microsoft.com/en-us/library/security/3046310?f=255&MSPPError=-2147217396
State Dept. System Back Online (March 17, 2015)
The US State Department has put its unclassified email network back online. The network was taken down for four days to scrub it of malware and improve its security. Attackers infiltrated the network last fall.
-http://www.nbcnews.com/news/us-news/state-department-unclassified-network-back-after-four-days-x-n325221
STORM CENTER TECH CORNER
Who Develops Code for IT Support Scareware Websites
-https://isc.sans.edu/forums/diary/Who+Develops+Code+for+IT+Support+Scareware+Websites/19489/
Apple Yosemite Update
-https://support.apple.com/kb/HT204563
Invisible iOS Apps
-http://www.zdziarski.com/blog/?p=5072
iOS Screenlock PIN Bruteforcing
-http://blog.mdsec.co.uk/2015/03/bruteforcing-ios-screenlock.html
Apple Releases Safari 8.0.4
-https://support.apple.com/en-us/HT204560
TLS Server Scan Reveals Repeated Keys
-https://martinralbrecht.files.wordpress.com/2015/03/freak-scan1.pdf
Reminder: Dangers of Pass the Hash
-https://isc.sans.edu/forums/diary/Pass+the+hash/19479/
Converting PEID to YARA
-https://isc.sans.edu/forums/diary/From+PEiD+To+YARA/19473/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/