SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #24

March 27, 2015

TOP OF THE NEWS

US House Committee Introduces Threat Information Sharing Bill
NJ School District Recovers From Ransomware Attack

THE REST OF THE WEEK'S NEWS

Federal Reserve Bank of NY Creates Dedicated Cyber Security Threat Team
Insurers Doing Business in NY State Notified of New Cyber Security Requirements
Hotel Wi-Fi Router Firmware Vulnerability
UCSS Cyber Quests Registration Open
Malvertising Campaign
Neverquest/Vawtrak Trojan Used in Attacks on Canadian Banks
California Privacy Bill Moves Out of Committee
Rewards Offered for Two Indicted in Carding Scheme
Android Flaw Allows Attackers to Modify or Replace Apps

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Sophos ******************************
Time for better Endpoint Protection? If your current Endpoint solution doesn't deliver the protection, performance and usability you need, then it's time to switch. Check out these top five reasons to switch to better endpoint protection.
http://www.sans.org/info/176077
***************************************************************************

TRAINING UPDATE


-SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


-SANS Secure Canberra 2015 | Canberra, Australia | March 16 - 28, 2015 5 courses.
http://www.sans.org/u/W1


-Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


-SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


-SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


-Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 5 Courses: SEC401, SEC504, MGT512, MGT414 & Health Care Security Essentials
http://www.sans.org/u/2is


-SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG


-Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


-Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


-Looking for training in your own community?
Community - http://www.sans.org/u/Xj


-Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

NJ School District Recovers From Ransomware Attack (March 25, 2015)

A New Jersey school district's network was held hostage by ransomware. Those behind the attack demanded 500 Bitcoins ($126,400) for full restoration. While students, teachers, and staff were inconvenienced by not being able to access their files for several days, eventually most files were restored from the network's backup system, and servers are being put back online after being scrubbed of malware. Student data were unaffected as they are stored elsewhere. The New Jersey State Police and the FBI are investigating.
-http://www.theregister.co.uk/2015/03/25/school_ransomware/
-http://www.scmagazine.com/swedesboro-woolwich-school-district-network-infected-b
y-ransomware/article/405434/
[Editor's Note (Murray): Backup works; it is the security measure of last resort. However, if it is visible to the file system, it is also visible to the "ransomware."
(Honan): A nice example of how basic security tasks, in this case good backups, can help remediate from a security incident. I bet the school management is happy the investment in its backup just saved it $126,400 ]

---

**************************** SPONSORED LINKS ******************************
1) Download the free eGuide: An IT Auditor's Guide to Security Controls & Risk Compliance: http://www.sans.org/info/176082

2) In case you missed it! How SANS Critical Security Controls Lead to PCI DSS Quick Wins - with John Pescatore and Chris Strand. They discuss how to simultaneously address SANS best practices and PCI DSS requirements, leading to a compliant and more secure position. http://www.sans.org/info/176087

3) Analyst Webcast: Enabling Enterprise Mobility With Security From The Ground Up - Tuesday, March 31 at 1:00 PM EDT (17:00:00 UTC) with Lee Neely and Cheryl Tang. http://www.sans.org/info/176092
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Federal Reserve Bank of NY Creates Dedicated Cyber Security Threat Team (March 24, 25 & 26, 2015)

The Federal Reserve Bank of New York has established a team dedicated to "strengthening and improving
[the organization's ]
overall supervisory approach to cyber security." In a speech at the OpRisk North America Annual Conference, the New York Fed's head of supervision Sarah Dahlgren said the team will "establish a risk-based cybersecurity assessment framework, based on best practices in the field, as well as exploring additional standards." Dahlgren also noted that "cybersecurity should be on everyone's list
[of things that keep them awake at night and that it ]
is not ... just for the Information Technology staff or the CIO to address."
-http://www.bloomberg.com/news/articles/2015-03-24/new-york-fed-forms-team-focuse
d-on-cybersecurity-threats
-http://www.bis.org/review/r150325b.htm
[Editor's Note (Murray): Let us hope that someone will tell Ms. Dahlgren about the Center for Internet Security's 20 Critical Security Controls. ]

Insurers Doing Business in NY State Notified of New Cyber Security Requirements (March 26, 2015)

The superintendent of the New York State Department of Financial Services has notified insurers doing business in that state that they have until April 27 to inform regulators of their efforts to protect data from cyber attacks. In the letter, Benjamin Lawsky writes. "The department intends to schedule IT/cybersecurity examinations after conducting a comprehensive risk assessment of each institution." The new requirements affect approximately 160 insurers.
-http://www.bloomberg.com/news/articles/2015-03-26/new-york-to-investigate-insure
rs-cybersecurity-work-after-hacks

Hotel Wi-Fi Router Firmware Vulnerability (March 26, 2015)

The routers used by many hotel chains for their Wi-Fi networks have a vulnerability that put guests at risk of malware infection and data theft. The flaw in the authentication firmware of InnGate routers from Singapore-based ANTlabs allows intruders to gain access to the router's root file system. The flaw could be exploited to load malware onto guests' computers, monitor and harvest data sent over the network, and allow access to the hotel's card key system.
-http://www.wired.com/2015/03/big-vulnerability-hotel-wi-fi-router-puts-guests-ri
sk/
[Editor's Note (Murray): One assumes that our readers understand that wireless LANs, in general, and hotel LANs in particular, are to be treated as hostile and that that VPNs are indicated. Unfortunately, some hotels either resist VPNs or charge a premium for allowing them. ]

UCSS Cyber Quests Registration Open (March 25, 2015)

Registration for the US Cyber Challenge (USCC) Cyber Quests competition is now open. Cyber Quests is the qualifying round for USCC Cyber Camps, which take place in the summer. Cyber Quests in an online competition that will run between April 8 and April 23.
-http://www.udel.edu/udaily/2015/mar/cyber-quests-032515.html
Cyber Quests registration site:
-http://uscc.cyberquests.org

Malvertising Campaign (March 25, 2015)

Researchers at Malwarebytes say that a malvertising campaign affecting the websites of New York Daily News and other organizations redirected users to the Hanjuan Exploit Kit. Users did not have to take any action aside from visiting the targeted websites to be redirected to the exploit kit.
-http://www.scmagazine.com/hanjuan-exploit-kit-leveraged-in-malvertising-campaign
/article/405455/

Neverquest/Vawtrak Trojan Used in Attacks on Canadian Banks (March 25, 2015)

A Trojan known as Neverquest or Vawtrak has been used in attacks against at least 15 financial institutions in Canada. The malware has the ability to capture videos and screenshots and to conduct man-in-the-middle attacks against people conducting online banking transactions. The malware spreads in several ways, including drive-by downloads and malvertising. The Trojan's command-and-control server appears to be in Russia.
-http://www.scmagazine.com/fraudsters-use-neverquest-trojan-to-target-canadian-ba
nks/article/405415/
-http://www.infosecurity-magazine.com/news/vawtrak-is-back-and-stronger-than/

California Privacy Bill Moves Out of Committee (March 25, 2015)

A bill in the California state legislature that would require warrants to access all digital data has moved out of committee. The California Electronic Communications Privacy Act (CalECPA) aims to protect citizens' privacy. Earlier versions of the bill have twice been vetoed by the governor.
-http://arstechnica.com/tech-policy/2015/03/california-bill-requires-warrant-for-
stingray-use/
[Editor's Note (Northcutt): The ACLU has an incomplete, but interesting map of the states where law enforcement uses cellular site simulators:
-https://www.aclu.org/maps/stingray-tracking-devices-whos-got-them]

Rewards Offered for Two Indicted in Carding Scheme (March 26, 2015)

The US government is offering a significant reward for information leading to the arrest or conviction of two people who have been indicted for their alleged roles in a carding scheme. The State Department is offering a reward of up to US $2 million in Roman Olegovitch Zolotarev's case, and up to US $1 million in Konstantin Lopatin's.
-http://www.computerworld.com/article/2902759/us-offers-rewards-for-fugitive-russ
ian-hackers.html
[Editor's Note (Honan): A nice example of how old world techniques, reward money, can be used to tackle online threat actors.
(Northcutt): The U.S. Immigration and Customs Enforcement (ICE) website says the Carder.su organization did harm in excess of 50 million dollars:
-https://www.ice.gov/most-wanted/zolotarev-roman-olegovich
Here is the State Department post with the reward offer:
-http://www.state.gov/j/inl/tocrewards/c66447.htm
According to Wired magazine, Russia is telling cyber criminals not to leave the country else they may get kidnapped:
-http://www.wired.co.uk/news/archive/2013-09/04/stay-in-russia]

Android Flaw Allows Attackers to Modify or Replace Apps (March 24 & 25, 2015)

A security flaw in the Android operating system could be exploited to remotely take over vulnerable devices. Attackers could take advantage of the flaw to replace or modify known and trusted apps so that they are malicious. The attack works only at third-party app stores, not the Google Play store.
-http://thehill.com/policy/cybersecurity/236836-android-flaw-could-expose-half-of
-all-users
-http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-attacler
s-to-install-password-stealers/
-http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-v
ulnerability-could-expose-android-users-to-malware/#

---

STORM CENTER TECH CORNER

ANTLabs InnGate Unauthenticated rsync server
-http://blog.cylance.com//spear-team-cve-2015-0932

Samsung Going to Offer Iris Scanning in Future Mobile Devices
-http://www.sri.com/newsroom/press-releases/sri-international-offer-iris-biometri
c-embedded-products-mobile-b2b

Multiple Cisco Advisories
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
150325-ani

AFNetworking Library SSL Vulnerability
-http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.ht
ml

Certificate Pinning
-https://isc.sans.edu/forums/diary/Pinup+on+your+Smartphone/19513/

Elastichoney
-http://jordan-wright.github.io/blog/2015/03/23/introducing-elastichoney-an-elast
icsearch-honeypot/

British Telecom Users Affected by VoIP Fraud
-http://www.theregister.co.uk/2015/03/25/bt_home_hub_fraud_sip_voip_calls/

Repurposing Logs
-https://isc.sans.edu/forums/diary/Repurposing+Logs/19503/

Old Vulnerable Flash Applets Still Deployed And Need to be Recompiled
-http://blog.nibblesec.org/2015/03/the-old-is-new-again-cve-2011-2461-is.html

Wind Turbine Web Admin Vulnerability
-https://www.auscert.org.au/22297

Google Finds Fake Google/Gmail SSL Certificates
-http://googleonlinesecurity.blogspot.de/2015/03/maintaining-digital-certificate-
security.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/