SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #28

April 10, 2015

Behind This Week's News: Is There Hope For Cybersecurity Information Sharing?

On Tuesday, NewsBites led with a story about Phyllis Schneck's explanation of the U.S. Department of Homeland Security's difficulties, so far, in enabling effective information sharing. Shawn Henry, who built the globe's most effective international 'actionable' information sharing program when he was the top cyber cop at the FBI, had this to say about what it takes for information sharing to succeed: "The concerns of US companies, on the heels of Snowden and other revelations, are completely understandable. Phyllis's assessment is absolutely correct. Until companies can trust the USG, they will be reluctant to share. There are a couple of issues to consider here. First, companies need to know WHAT to share. This is not about 'information sharing', but rather 'tactical intelligence sharing.' That is, companies need to share intelligence that is of value and can be 'actioned', and it must relate to emerging threats and to adversary tactics, techniques, and procedures. Clearly defining the need and the task is imperative. Secondly, companies need to know the IMPACT of their sharing. If they go through the time and energy of culling out relevant data, they must understand what the USG will do with it, and have confidence that it is making a difference and not just an exercise in futility. Finally, companies need to know what they'll get back from the USG. The commercial sector looks for 'return on investment,' and this is one area where they will seek a clear response."

Alan

PS The British government's Information Exchanges are prime examples of information sharing programs that works. And they work for the three reasons that Shawn Henry lists above.

---

TOP OF THE NEWS

Critical Infrastructure Systems are Often Targets of Destructive Cyber Attacks
White House Data Breach
AT&T to Pay US $25 Million Settlement Over Call Center Data Breaches

THE REST OF THE WEEK'S NEWS

Apple Updates Available for OS X, iOS
Drug Pump Vulnerability Could be Exploited to Alter Dosage Limits
Google Pulls Deceptive Extension from Online Store
Beebone Botnet Takedown
FBI Urges Users to Patch WordPress Plug-ins
Financial Regulator Says Wall Street Needs to Oversee Third-Party Security
Mozilla Disables Opportunistic Encryption in Firefox Due to Security Issue
US Drug Enforcement Agency Collected Call Metadata for More Than 20 Years
Documents Show NY Police Did Not Obtain Warrants for Stingray Use

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************** Sponsored By SANS ****************************
Healthcare Cybersecurity Summit & Training in Atlanta - May 12-13. Discussing some of the biggest concerns the industry is facing: incident response, software security best practices, in-bound phishing emails, mobile security ecosystem controls, behavior-based authentication capabilities for pharmas, providers, payers and consumers and more. Plus, SEC401, SEC504, & Health Care Security Essentials courses. http://www.sans.org/u/33t
***************************************************************************

TRAINING UPDATE


- --Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- --SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- --Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- --SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- --SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- --SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- --SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses.
http://www.sans.org/u/3hl


- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Critical Infrastructure Systems are Often Targets of Destructive Cyber Attacks (April 7, 2015)

According to a survey conducted by the Organization of American States, destructive attacks happen more often than expected at organizations that operate elements of national critical infrastructure in both North and South America. While 60 percent of the 575 responding organizations said that they had detected attacks that tried to steal data, 54 percent said that they had detected attacks that attempted to manipulate equipment. The organizations also reported attempts to delete files and to shut down networks.
-http://www.reuters.com/article/2015/04/07/us-cybersecurity-americas-idUSKBN0MY06
Z20150407
[Editor's Note (McBride): It is good news that the OAS is trying to collaborate around this issue. However, the survey and the article about it do not effectively differentiate between attacks affecting *the organizations* that operate critical infrastructure and attacks that affect *the actual critical infrastructure* they operate. ]

White House Data Breach (April 8, 2015)

Attackers breached an unclassified White House computer system last fall. A Kremlin spokesperson has denied allegations that Russia is responsible for the attack. US legislators have requested a briefing on the incident.
-http://www.nextgov.com/cybersecurity/2015/04/lawmakers-wants-briefing-russian-ha
ck-white-house/109582/?oref=ng-channeltopstory
-http://www.eweek.com/security/russia-implicated-in-white-house-email-hack.html
-http://www.darkreading.com/attacks-breaches/russian-hackers-breached-white-house
-via-us-state-department-/d/d-id/1319828?
-http://thehill.com/policy/cybersecurity/238281-white-house-hackers-accessed-sens
itive-not-confidential-data
-http://www.bloomberg.com/news/articles/2015-04-08/russia-didn-t-carry-out-white-
house-computer-hack-peskov-says

AT&T to Pay US $25 Million Settlement Over Call Center Data Breaches (April 8 & 9, 2015)

The US Federal Communications Commission (FCC) has reached a settlement with AT&T for data breaches that compromised customer information at call centers in Mexico, Colombia, and the Philippines. The telecommunications company will pay US $25 million. The incidents, which occurred in 2013 and 2014, affected 280,000 people. Some of the call center employees used their access to systems to steal information that could be used to request codes to unlock stolen phones. AT&T has stopped doing business with the call centers in question.
-http://arstechnica.com/tech-policy/2015/04/att-fined-25-million-after-call-cente
r-employees-stole-customers-data/
-http://www.scmagazine.com/att-fined-by-fcc-for-breaches-in-three-call-centers/ar
ticle/408114/
-http://www.bbc.com/news/technology-32232604
-http://www.fcc.gov/document/att-pay-25m-settle-investigation-three-data-breaches
-0

---

**************************** SPONSORED LINKS ******************************
1) Threat Intelligence in an Active Cyber Defense, featuring Robert M. Lee, Co-Author of SANS FOR578 Cyber Threat Intelligence Course. Webcast on April 15th, hosted by Recorded Future: http://www.sans.org/info/176552

2) Six Steps to SIEM Success: Friday, April 17 at 1:00 PM EDT (17:00:00 UTC) with Tom D'Aquino, Security Engineer. http://www.sans.org/info/176557

3) Last Chance to Help SANS Assess Security Trends in ICS Security Survey -- Enter to Win a $400 Amazon Gift Card. http://www.sans.org/info/176562
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Updates Available for OS X, iOS (April 9, 2015)

Apple has released updates for its operating systems. The latest version of OS X (10.10.3) fixes a backdoor that could be exploited to gain root access. Apple has also released updates for iOS (8.3) to address more than 40 security issues.
-http://www.scmagazine.com/apple-releases-ios-83-with-multiple-security-fixes/art
icle/408286/
-http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-backdoor-l
ike-bug-that-gives-attackers-root/
-http://www.eweek.com/security/apple-patches-critical-backdoor-flaw-in-os-x-10.10
.3.html
-http://www.theregister.co.uk/2015/04/10/hacker_digs_up_os_x_root_backdoor/

Drug Pump Vulnerability Could be Exploited to Alter Dosage Limits (April 9, 2015)

Some drug-infusion pumps do not use authentication for internal drug libraries, which establish upper and lower limits for dosages. This means that anyone with access to the hospital's network could load a new library with changed limits. The actual dosage for each pump could not be changed, but because the upper and lower limits, a caregiver could accidentally set the pump to provide an incorrect dose. Other pumps examined last year were found to have web interfaces that could be used by attackers to change actual dosages.
-http://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-li
mits/

Google Pulls Deceptive Extension from Online Store (April 8 & 9, 2015)

Google has pulled a Chrome add-on from the online app store because the extension, called Webpage Screenshot, was found to be stealing users' data and sending them back to an IP address in the US. The malicious extension appears to have been downloaded more than 1.2 million times. The data-scraping capabilities are not included in the add-on as it appeared in the store; instead, a week after users downloaded it, it downloaded code from a cloud server that performed the questionable functions. The extension's terms of service did disclose that it collects a lot of data.
-http://arstechnica.com/security/2015/04/chrome-extension-collects-browsing-data-
uses-it-for-marketing/
-http://www.v3.co.uk/v3-uk/news/2403157/data-leaking-chrome-extension-puts-over-o
ne-million-web-users-at-risk
-http://www.scmagazine.com/webpage-screenshot-chrome-extension-found-to-be-malici
ous/article/408053/
-http://www.computerworld.com/article/2908357/google-yanks-chrome-add-on-that-scr
aped-data-from-12m-users.html

Beebone Botnet Takedown (April 9, 2015)

In a coordinated effort, Europol's European Cybercrime Centre, the Joint Cybercrime Action Taskforce, authorities in the Netherlands, the FBI, and private security companies took down the Beebone botnet. The malware is difficult to detect due to polymorphic downloader software that updates many times every day.
-http://arstechnica.com/security/2015/04/us-european-police-take-down-highly-elus
ive-botnet-known-as-beebone/
-http://www.scmagazine.com/europol-and-fbi-collaborate-to-remove-botnet/article/4
08297/
-http://www.v3.co.uk/v3-uk/news/2403346/europol-intel-and-kaspersky-round-on-the-
beebone-botnet
-http://www.darkreading.com/endpoint/beebone-botnet-taken-down-by-another-securit
y-team-up/d/d-id/1319856?

FBI Urges Users to Patch WordPress Plug-ins (April 8, 2015)

The FBI has issued a warning to WordPress users that if they do not update their plug-ins for the content management system, they could find their sites compromised by extremist groups.
-http://www.zdnet.com/article/fbi-expect-isis-hacks-if-you-dont-patch-wordpress-p
lugins/
-http://www.eweek.com/blogs/security-watch/fbi-warns-that-wordpress-faces-terrori
st-attack-risk.html
-http://www.scmagazine.com/isil-sympathizers-defacing-wordpress-websites-fbi-says
/article/408040/

Financial Regulator Says Wall Street Needs to Oversee Third-Party Security (April 8, 2015)

New York State superintendent of financial services Benjamin M. Lawsky has told banks in that state that they must take greater steps to ensure that their partners are operating securely. Of 40 financial institutions surveyed, just one-third require outside vendors to notify them of network breaches. Fewer than half said they conducted regular inspections of their vendors' operations. Lawsky's office is developing guidelines for financial institutions.
-http://www.nytimes.com/2015/04/09/business/dealbook/wall-st-is-told-to-tighten-d
igital-security-of-partners.html
[Editor's Note (Murray): One is reminded of Y2K. We will never know whether mutual peer reviews were essential or a giant kerfluffle. We do know that they were expensive and may have diverted resources from more direct remedies. ]

Mozilla Disables Opportunistic Encryption in Firefox Due to Security Issue (April 7 & 8, 2015)

Mozilla has disabled the opportunistic encryption feature introduced in the most recent version of Firefox (37) because it contained a vulnerability that could have been exploited to allow malicious sites to circumvent HTTPS protection. Mozilla has issued an update, Firefox 37.0.1 that disables the feature.
-http://www.zdnet.com/article/mozilla-pushes-out-fix-for-firefox-opportunistic-en
cryption-flaw/
-http://arstechnica.com/security/2015/04/firefox-disables-opportunistic-encryptio
n-to-fix-https-crippling-bug/
-http://www.scmagazine.com/firefox-update-fixes-opportunistic-encryption-bug/arti
cle/407807/
-http://www.theregister.co.uk/2015/04/07/mozilla_crypto_encryption_snafu_pull/

US Drug Enforcement Agency Collected Call Metadata for More Than 20 Years (April 7 & 8, 2015)

The US Drug Enforcement Agency (DEA) amassed a database of phone call metadata from all calls made from the US to countries that the DEA had identified as being linked to drug trafficking between 1992 and 2013. AT the program's peak, it harvested metadata from calls made to 116 countries. The program stopped after the leak that disclosed the NSA's own database, which was a separate program. The Electronic Frontier Foundation, representing the Human Rights Watch advocacy group, is suing the DEA to make sure the program does not start up again, and that all records pertaining to Human Rights Watch that were illegally collected be expunged from all government systems.
-http://www.usatoday.com/story/news/2015/04/07/dea-bulk-telephone-surveillance-op
eration/70808616/
-http://www.computerworld.com/article/2907179/dea-sued-for-snooping-on-internatio
nal-phone-calls.html
-http://arstechnica.com/tech-policy/2015/04/if-you-called-anyone-overseas-from-19
92-2013-the-dea-probably-knew-about-it/s

Documents Show NY Police Did Not Obtain Warrants for Stingray Use (April 7, 2015)

The New York Civil Liberties Union has published documents it obtained from the Erie County, NY, Sheriff's Office that disclose the department's use of stingray mobile device surveillance technology. The county sheriff last year said that his department only used stingray under judicial review, but the documents show that the office used stingray 47 times but obtained a court order, not a warrant, only once. The Sheriff's Office had signed a gag order with the FBI that directed it to keep stingray use secret, and the FBI had the right to step in and ask that cases be dismissed rather than disclose use.
-http://www.wired.com/2015/04/ny-cops-used-stingray-spy-tool-46-times-without-war
rant/

---

STORM CENTER TECH CORNER

TV Station TV5Monde Crippled After Cyber Attack
-http://www.theguardian.com/world/2015/apr/09/french-tv-network-tv5monde-hijacked
-by-pro-isis-hackers

Apple Patches "Hidden Backdoor" in Yosemite
-https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileg
es-in-apple-os-x/

Personal Backup Drives Indexed By Google
-http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-
private-data-has-been-indexed-by-google.html

Apple Security Updates
-https://support.apple.com/en-us/HT201222

Google Expired Certificate Authority
-http://www.securityweek.com/google-lets-smtp-certificate-expire

SHA1 Signed SSL Certificates Will No Loger Be Trusted by Chrome in 2016
-https://blog.filippo.io/the-unofficial-chrome-sha1-faq/

NTP Vulnerabilities
-http://www.kb.cert.org/vuls/id/374268

Severe Vulnerabilities in Anonbox Tor Router
-https://reclaim-your-privacy.com/wiki/Anonabox_Analysis

Firefox Update Deactivates Opportunistic Encryption
-https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/

3 out of 4 Large Organizations Still Vulnerable to Heartbleed
-https://www.venafi.com/assets/pdf/wp/Hearts-Continue-to-Bleed-Research-Report.pd
f

Chrome Crashes Over Overly Long URLs
-https://github.com/jlblatt/AwSnap

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/