SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #26

April 03, 2015

Healthcare data at greater risk! The FBI issued a PIN (Private Industry Notification) last year saying that defenses and resilience in healthcare are not up to the standards of other industries and "increased intrusions are likely." They were right. Stolen personal health data are now available, at 20 times the price of good credit card records. The leaders of the health care cybersecurity community are coming together for an intense "what works" working session on May 12/13 in Atlanta. CISOs and other experts who have found sensible pathways through the maze will be sharing lessons they learned. If you have anything to do with healthcare security, this is probably the one meeting in 2015 on healthcare cybersecurity that is worth your time.
http://www.sans.org/event/nh-isac-healthcare-cybersecurity-summit
Alan

---

TOP OF THE NEWS

Federal CIOs Say Many IT Management Reporting Requirements Not Helpful
US Retailers Must Adopt Chip-Based Payment Card Technology by October or Assume Breach Liability
China Delays Stringent Requirements for Technology Used by Banks

THE REST OF THE WEEK'S NEWS

Man Must Pay GBP 1 Million or Face Additional Prison Time
Man Pleads Guilty in Game Code Theft
Laziok Trojan Targets Energy Companies
Executive Order Allows US to Impose Sanctions for Cyber Espionage
Sanction Order Raises Concerns About Attribution and Due Process
Some WordPress Site Visitors Redirected to Phony Pirate Bay Site Serving Malware
Chrome and Firefox to Stop Trusting Certificates from Chinese Certificate Authority
Google Takes Steps to Protect Chrome Users from Malicious Ad Injectors
Firefox 37 Includes Opportunistic Encryption

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By Trend Micro Inc. **********************
Do people trust the security and privacy of IoT devices? Is convenience a good trade-off for their personal information? How much do people want for their personal information? Read the new study from Trend Micro and the Ponemon Institute to learn about how people feel about security and privacy and the IoT:
http://www.sans.org/info/176432
***************************************************************************

TRAINING UPDATE


- --SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- --Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- --SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- --SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 29 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- --Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- --SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses.
http://www.sans.org/u/2bG


- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Federal CIOs Say Many IT Management Reporting Requirements Not Helpful (April 2, 2015)

According to a Government Accountability Office (GAO) survey of CIOs at 24 of the largest US federal agencies, documentation and reporting requirements for IT management initiative are mostly busywork. The responses indicate that the CIOs feel nearly two-thirds of the requirements are not helpful for managing IT investments. An estimated US $150 million to US $308 million has been spent generating documentation for reports considered by the CIOs as unhelpful or somewhat helpful.
-http://www.nextgov.com/cio-briefing/2015/04/survey-cios-say-many-it-reform-repor
ting-requirements-just-busywork/109156/?oref=ng-HPtopstory
-http://www.gao.gov/assets/670/669434.pdf
[Editor's Note (Pescatore): OMB requires federal agencies to submit 36 separate reports, some quarterly, a few monthly or more frequently, and bunch of them annually. Twelve of the 36 are security related. Eight different reporting mechanisms are used. But, a bigger indicator of the problem is OMBs own statement that it requires this reporting for "improving the management, oversight, and transparency of the federal government's IT." There is no goal of improving IT effectiveness in delivering government services reliably, effectively and securely. OMB's ever growing reporting burden largely diverts federal security resources towards compiling and forwarding data vs. improving processes.
(Murray): We measure and report on ourselves so that we will know that we are effective, to guide improvement, and to demonstrate our value to our constituents. Others may require measurement and reporting to hold us accountable for efficient use of resources. We are not likely to appreciate the value of the latter. That said, IT in general, and IT security in particular, remain the most under measured functions in American enterprise and government. ]

US Retailers Must Adopt Chip-Based Payment Card Technology by October or Assume Breach Liability (April 2, 2015)

As of October 1, 2015, liability for payment card fraud will shift from card companies to retailers if the retailers have not upgraded their terminals to accept chip-based payment cards. The cards have been used in Europe for 10 years, but the US has been slow to adopt the technology, largely due to the associated costs that merchants will have to bear. The Target breach is what drove the industry to set a timeline for adopting the standard.
-http://www.computerworld.com/article/2905715/switch-to-new-chip-card-stirs-up-e-
payments-industry.html
[Editor's Note (Pescatore): Umm, since when has liability ever actually been with the credit card companies?? The card companies could have offered incentives for faster transition to chip and PIN years ago but since they were *not* bearing the cost of breaches, they never did so. Also, important to remember: chip-based cards are good for fighting point of sale attacks but are only part of the changes needed to effectively protect cardholder data in brick and mortar and online commerce.
(Paller): John is correct. The credit card companies earn about $0.75 for each fraudulent transaction. My estimate is that it adds up to $75 million each year. The cost of the fraud falls on the merchants who not only do not get paid for the goods they ship but also have to pay the credit card companies.
(Murray): Close but no cigar. Merchants whose equipment does not cover 75% of their transactions assume liability. There is a very complex set of reasons that the US has not converted, of which cost to merchants is only one small part. Cost to issuers, longer transaction times, third party acquirer/processors, and the fact that fraud will simply move from counterfeit cards to "card not present" activity are all part of the reluctance in the US. There is also the chicken and egg problem: which comes first, cards or terminals. Who invests first, issuers or merchants? At the time Europe moved, they did so because so much of their activity was off-line, leaving them vulnerable to fraudulent use of lost and stolen cards. The October 2015 timeline was set before the Target breach. While there is a timeline for merchants, there is still none for card issuers: issuers are issuing chip cards only as the old cards expire. ]

China Delays Stringent Requirements for Technology Used by Banks (March 30 & 31, 2015)

China is delaying the enforcement of rules that would restrict the country's use of bank technology in products made outside China unless vendors provide source code, submit to audits, and create backdoors in their products.
-http://www.scmagazine.com/china-delays-tech-requirements-seen-as-impeding-compet
ition/article/406492/
-http://thehill.com/policy/cybersecurity/237380-china-suspends-portion-of-controv
ersial-cyber-rules
-http://www.reuters.com/article/2015/03/31/usa-china-jacklew-idUSL3N0WW2TP2015033
1
[Editor's Note (Pescatore): The "provide source code, submit to audits" part is no different than what the UK required Huawei to do when BT chose Huawei in 2010 or so for the UK telecoms infrastructure upgrade. However, the "build in backdoors" part needs to be a deal-killer. However, in the US we do have the Communications Assistance to Law Enforcement Act (CALEA) since 1994 that requires telecoms manufacturers to provide monitoring points, which are at least "back windows" if not back doors.
(Murray): Security is a weak excuse for protectionism and protectionism is harder than it looks. While attractive to the ruling class, back doors in banking systems is a very bad idea. If they are "secure," they are not useful, if useful, not secure. ]

---

**************************** SPONSORED LINKS ******************************
1) Healthcare Cybersecurity Summit & Training, Atlanta, GA, May 12-13. Discussing some of the biggest concerns the industry is facing. sans.org/u/33t

2) In case you missed it on 3/24: Cybersecurity Collaboration: Leveraging a Trusted Partner with Joshua Goldfarb, VP, CTO of FireEye. http://www.sans.org/info/176442

3) Protecting Critical Infrastructure by Transforming Threat Intelligence into an Effective Defense. Thursday, April 09 at 3:00 PM EST (19:00:00 UTC) with Mike Assante and Mark Trump. http://www.sans.org/info/176447
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Man Must Pay GBP 1 Million or Face Additional Prison Time (April 2, 2015)

A man already in prison for conspiracy to defraud and launder funds obtained through a phishing scheme has been ordered to pay nearly GBP 1 million (US $1.48 million) or have four years added to his sentence. Rilwan Adesegun Oshodi is currently serving an eight-year sentence. He has six months to come up with the money.
-http://www.theregister.co.uk/2015/04/02/cybercrim_told_hand_over_1m_or_do_more_j
ail_time/

Man Pleads Guilty in Game Code Theft (April 2, 2015)

Austin Alcala has pleaded guilty to commit intrusion and criminal copyright infringement for his role in a scheme that stole information from game studios, including Microsoft, Valve, and Epic. Alcala and his co-conspirators stole documents, source code, and unreleased games. They also allegedly stole thousands of online gaming login credentials. The other three people involved have already pleaded guilty to various charges.
-http://www.scmagazine.com/hacking-ring-member-pleads-guilty-to-stealing-intellec
tual-property-data-of-microsoft-others/article/407124/
-http://www.theregister.co.uk/2015/04/02/teen_pleads_guilty_in_microsoft_and_valv
e_hacking_case/

Laziok Trojan Targets Energy Companies (April 1, 2015)

The Laziok Trojan, which is currently being used in attacks against energy company systems, exploits a known vulnerability in Windows that was patched in 2012. The majority of targets are in the Middle East. Laziok is being used as a reconnaissance tool, gathering information about the infected system and sending it back to the attackers. It can also place data stealing programs on the computers.
-http://www.darkreading.com/laziok-trojan-exploits-three-year-old-windows-flaw-/d
/d-id/1319736?
-http://www.computerworld.com/article/2904020/new-malware-used-to-attack-energy-c
ompanies.html

Executive Order Allows US to Impose Sanctions for Cyber Espionage and Destructive Attacks (April 1, 2015)

President Obama has signed an executive order establishing economic sanctions that can be levied against foreign entities that conduct digital espionage and intellectual property theft against US organizations. Sanctions may be imposed for actions that harm "national security, foreign policy, economic health, or financial stability of the United States."
-http://www.csmonitor.com/Technology/2015/0401/Obama-signs-order-creating-new-cyb
er-sanctions-program
-http://www.nextgov.com/cybersecurity/2015/04/obama-declares-cyberattacks-nationa
l-emergency/109003/?oref=ng-channeltopstory
-http://thehill.com/policy/cybersecurity/237581-obama-declares-cyberattacks-a-nat
ional-emergency
-http://www.eweek.com/security/obama-signs-executive-order-for-cyber-security-san
ctions.html
-http://www.wired.com/2015/04/new-obama-order-allows-sanctions-foreign-hackers/
-http://www.treasury.gov/resource-center/sanctions/Programs/Documents/cyber_eo.pd
f

Sanction Order Raises Concerns About Attribution and Due Process (April 2, 2015)

The cyber sanctions raise concerns about due process for those who believe they have been wrongly accused and about how agencies will determine who is responsible for those attacks in the first place.
-http://www.computerworld.com/article/2905295/obama-cyberattacker-sanctions-raise
-due-process-attribution-concerns.html
-https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-
what-you-need-know
[Editor's Note (Northcutt): +1, attribution approaches being an impossible problem. There are too many opportunities to set someone else up. On the other hand, if you just want an excuse to invade a country or wipe out a group, this works perfectly:
-http://www.economist.com/news/international/21567886-america-leading-way-develop
ing-doctrines-cyber-warfare-other-countries-may
-http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7260&am
p;context=jclc
-http://www.infosecisland.com/blogview/14235-Attribution-Problems-Hinder-US-Cyber
war-Strategy.html
-http://www.techrepublic.com/blog/it-security/cyberwarfare-characteristics-and-ch
allenges/
-http://faculty.nps.edu/ncrowe/3%20-%20Rowe%20chapter%20070214.htm]

Some WordPress Site Visitors Redirected to Phony Pirate Bay Site Serving Malware (April 1 & 2, 2015)

Some WordPress sites have been injected with a malicious iFrame that redirect site visitors to a phony Pirate Pay site, which serves the Nuclear exploit kit. The fake Pirate Bay site infects users' computers with a banking Trojan if the users are running outdated versions of Flash.
-http://www.theregister.co.uk/2015/04/01/fake_pirate_bay_malware_scam/

Chrome and Firefox to Stop Trusting Certificates from Chinese Certificate Authority (April 1 & 2, 2015)

Both Google Chrome and Mozilla Firefox will no longer trust certificates issued by the China Internet Network Information Center (CNNIC). Last month, an intermediate certificate authority issued unauthorized digital certificates for several Google domains. The intermediate certificate was issued by CNNIC.
-http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certif
icate-authority-for-breach-of-trust/
-http://www.zdnet.com/article/google-banishes-chinas-main-digital-certificate-aut
hority-cnnic/
-http://www.theregister.co.uk/2015/04/02/google_furious_dodgy_chinese_certs_cnnic
_chrome_warning/
-http://www.theregister.co.uk/2015/04/02/mozilla_revokes_cnnic_cert_trust/
-http://www.computerworld.com/article/2905282/googles-cert-sanction-may-hamper-br
owsing-trigger-china-retaliation.html
-http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate
-security.html
[Editor's Note (Pescatore): I think it is a good thing for Certificate Authorities to be fully audited and re-certified after they make egregious mistakes or are compromised in ways that jeopardize security. However, two issues (1) The process needs to be fair - US-based CAs that issue certificates in error or fraudulently need to be treated the same way; (2) The bigger issue: this is a case of a US-based for profit company and an open source company essentially making Internet governance decisions on their own. What happens when the Qihoo browser claims Google did something wrong and decides not to trust Google? If the CA/Browser forum continues to be ineffective, some sort of broader Internet governance body like ICANN, W3C etc. needs to define some acceptable processes. ]

Google Takes Steps to Protect Chrome Users from Malicious Ad Injectors (April 1 & 2, 2015)

Following the results of a study that found more than one-third of extensions for Google's Chrome browser were classified as malware, Google has banished the malicious extensions and taken steps to ensure that new and updated extensions can not harm users' computers. Google does not ban ad injectors from the Chrome Web Store, but extensions that have them must clearly state what they do.
-http://arstechnica.com/security/2015/04/google-kills-200-ad-injecting-chrome-ext
ensions-says-many-are-malware/
-http://www.v3.co.uk/v3-uk/news/2402663/google-polishes-chrome-to-deal-with-malic
ious-ad-injectors
-http://www.informationweek.com/mobile/mobile-devices/google-ad-injectors-affect-
1-in-20-visitors/d/d-id/1319734
-http://googleonlinesecurity.blogspot.ro/2015/03/out-with-unwanted-ad-injectors.h
tml
[Editor's Note (Pescatore): Google makes a lot of money from ads, so not surprising they don't want to completely remove ad injectors from the Chrome Store. But Google's # 1 principal is "Focus on the user and all else will follow." I think a focus on the user would result in taking more than this reactive approach to the problems of malvertising.
(Murray): Browsers remain the Achilles Heel of the desktop. "Extensions" are part of the problem but browsers are vulnerable because they are both open and feature rich. At its announcement Chrome was touted as being secure by design. In practice, it has proven to be as vulnerable as all its competitors. ]

Firefox 37 Includes Opportunistic Encryption (March 31 & April 1, 2015)

The newest version of Mozilla's Firefox browser, version 37.0, not only includes fixes for 13 security issues, but also introduces a feature known as opportunistic encryption, which can encrypt connections when servers do not support HTTPS.
-http://arstechnica.com/security/2015/04/new-firefox-version-says-might-as-well-t
o-encrypting-all-web-traffic/
-http://www.eweek.com/security/firefox-37-debuts-with-opportunistic-encryption-se
curity-fixes.html
-http://bitsup.blogspot.de/2015/03/opportunistic-encryption-for-firefox.html
[Editor's Note (Murray): The advantage is that server-side implementation is easier than TLS but it remains to be seen whether or not it is an obstacle. ]

---

STORM CENTER TECH CORNER

1 in 20 of the Top Domains Have Zone Transfers Enabled
-https://www.internetwache.org/axfr-scan-der-alexa-top-1-million-29-03-2015/

Removal of Admin Rights Critical In Mitigating Microsoft Windows Exploits
-http://learn.avecto.com/ms-vulnerabilities-report-14#download-defendpoint-form

Little Change in Online Behavior Following Snowden Revelations
-http://www.pewinternet.org/2015/03/16/americans-privacy-strategies-post-snowden/
pj_2015-03-05_privacy-strategies-courts_01/

Critical Vulnerabilities in JSON Web Token Libraries
-https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-lib
raries/

Updated Angler Traffic Patterns
-https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Recent+Traffic+Patterns/195
37/

Updated Rig Traffic Patterns
-https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+Changes+Traffic+Patterns/19533
/

Verizon Allows Opt Out for "Super Cookies"
-http://www.verizonwireless.com/support/unique-identifier-header-faqs/

Google Fixes YouTube Authentication Bypass in API
-http://kamil.hism.ru/posts/about-vrg-and-delete-any-youtube-video-issue.html

More Details about Chinese Firewall as Attack Tool
-http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-t
he-Side-Attack-on-GitHub

Cryptocurrency Blockchains Could Be Used as Command and Control Channel
-http://techspective.net/2015/03/30/security-researchers-identify-malware-threat-
to-virtual-currencies/

Lebanese APT Malware
-https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/