SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #30

April 17, 2015

TOP OF THE NEWS

GAO Report Urges FAA to Address Wi-Fi Security Concerns
Flaws Addressed on Patch Tuesday Being Actively Exploited
Verizon Data Breach Investigations Report Says Mobile Malware Not Important - Yet
Dell Report Notes Increase in Attacks Against Industrial Control Systems

THE REST OF THE WEEK'S NEWS

China Suspends Stringent Tech Rules
Think Tank Says Iran Gathering Information About US Grid
ICO Investigated Law Firms Over Reported Breaches
Windows HTTP Protocol Stack Flaw is Being Actively Exploited
Target Reaches Settlement With MasterCard Over Breach
Advanced Persistent Threat (APT) Wars
Millions of Health Records Compromised Over Past Four Years
Veterans Affairs Contractors Violated Security Practices

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk **************************
Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, "what works" list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain. Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC.
http://www.sans.org/info/176822
***************************************************************************

TRAINING UPDATE


- --Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- --SANS 2015 | Orlando, FL | April 11-April 18, 2015 45 courses. Bonus evening presentations include Understanding the Offense to Build a Better Defense; and The Law of Offensive Countermeasures, Active Defense, or Whatever You Wanna Call It plus a major Expo
http://www.sans.org/u/Wq


- --Security Operations Center (SOC) Summit | Washington, DC | April 24 - May 1, 2015 | Join chairmen Dr. Eric Cole and Jim Goddard as well as others who have faced similar challenges in increasing their enterprise's situational awareness and monitoring as well as responding to threats. 4 courses including the NEW SEC511 Continuous Monitoring and Security Operations course
http://www.sans.org/u/1ro


- --SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- --SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- --SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- --SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community? Community - http://www.sans.org/u/Xj


- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus London, Bahrain, and Melbourne all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

GAO Report Urges FAA to Address Wi-Fi Security Concerns (April 14, 15 & 16, 2015)

According to a report from the US Government Accountability Office (GAO), on certain aircraft, passenger Wi-Fi networks use the same networks as the plane's avionics systems, putting the aircraft at risk of attacks from passengers and even from people on the ground. The report, titled "FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen," was requested by the House Transportation and Infrastructure Committee.
-http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/
-http://arstechnica.com/security/2015/04/in-flight-wi-fi-is-direct-link-to-hacker
s/
-http://www.siliconrepublic.com/enterprise/item/41610-us-government-fears-airline
/
-http://www.scmagazine.com/gao-issues-report-on-faa-practices/article/409315/
-http://www.v3.co.uk/v3-uk/news/2404323/modern-aircraft-could-be-hacked-via-onboa
rd-wifi-systems
-http://www.computerworld.com/article/2909527/us-sounds-alarm-on-hacking-of-passe
nger-jets-air-traffic-control.html
[Editor's Note (Honan): This Forbes article argues that many of the findings in the GAO report are misleading or incorrect.
-http://www.forbes.com/sites/thomasbrewster/2015/04/16/us-government-flight-secur
ity-claims-fallacious/
(Paller): The Forbes article asserts that GAO's report "was put together by people who didn't understand how modern aircraft actually work." I would normally reject that type of argument as light-weight whining, but in GAO's case I would be making an error. GAO staffers have demonstrated repeatedly that they do not understand how attacks and networks and operating systems work - at the deep technical level. That means their reports have been forcing government agencies to spend money in precisely the wrong ways - so much so that a close analysis will show that GAO is culpable in enabling the deep and pervasive cyber penetration that has occurred across many elements of the federal government. GAO staffers blame OMB's regulations for their errors when they are called to account. Isn't it time for GAO leadership to take a hard look at the damage caused by its findings and the people they have making those findings? ]

Dell Report Notes Increase in Attacks Against Industrial Control Systems (April 15, 2015)

According to the 2015 Dell Security Annual Threat Report, attacks against Industrial Control Systems rose nearly fourfold last year. Most of those attacks were against systems in Finland, the UK, and the US. The report also noted an increase in HTTPS traffic last year. Dell says that may not be good news because it could be used to hide malware.
-http://www.computerworld.com.au/article/572668/attacks-against-scada-systems-soa
r/

Flaws Addressed on Patch Tuesday Being Actively Exploited (April 14 & 15, 2015)

On Tuesday, April 14, Microsoft, Adobe, and Oracle all issued security updates. Microsoft released 11 security bulletins to address a total of 29 issues in Windows, Office, and Internet Explorer (IE). At least one of the vulnerabilities is already being actively exploited. Four of the bulletins are rated critical. Adobe released an update for Flash Player that addresses nearly two dozen flaws; one of those is also being actively exploited. And Oracle issued an update for Java.
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+April+2015/19577/
-http://www.computerworld.com/article/2909524/microsoft-releases-11-critical-upda
tes-and-fixes-critical-http-flaw.html
-http://www.computerworld.com/article/2909646/microsoft-patch-tuesday-the-patches
-keep-coming.html
-http://www.theregister.co.uk/2015/04/15/april_patch_tuesday/
-http://www.v3.co.uk/v3-uk/news/2404110/microsoft-patch-tuesday-release-brings-cr
itical-ie-windows-and-office-fixes
-http://www.scmagazine.com/microsoft-addresses-26-vulnerabilities-some-critical-o
n-patch-tuesday/article/409048/
-http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/
-https://technet.microsoft.com/library/security/ms15-apr
-https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
-http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Verizon Data Breach Investigations Report Says Mobile Malware Not Important - Yet (April 14, 2015)

According to Verizon's 2015 Data Breach Investigations Report (DBIR), the threat landscape has not changed much since last year's report. The leading causes of data breaches last year include web application attacks, point-of-sale intrusions, cyber espionage, and crimeware. The report also says that the majority of mobile malware infections are adware and other annoyances rather than something truly malicious.
-http://www.eweek.com/security/verizon-data-breach-study-finds-little-change-in-a
ttack-patterns.html
-http://www.darkreading.com/attacks-breaches/verizon-dbir-mobile-devices-not-a-fa
ctor-in-real-world-attacks/d/d-id/1319905
-http://www.computerworld.com/article/2909519/web-app-attacks-pos-intrusions-and-
cyberespionage-top-causes-of-data-breaches.html
[Editor's Note (Honan): If you read only one security report this year, read the Verizon's 2015 Data Breach Investigations Report (DBIR). It provides good data and insights on incidents provided by many contributors around the world. Very valuable reading, especially if you are planning to attend the RSA Conference next week as it can enable you to cut through many of the vendors' claims. ]

---

**************************** SPONSORED LINKS ******************************
1) What Works Webcast: Using Palo Alto Networks Next Generation Firewalls to Increase Visibility into Threats and Reduce Threat Risks: Wednesday, May 13 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Lance Spencer. http://www.sans.org/info/176827

2) What IS and ISN'T working in Incident Response? Take 2015 Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/176832

3) Mark Your Calendar for 4/29 Webcast: Insider Threats and the Real Financial Impact to Orgs - A SANS Survey. http://www.sans.org/u/3fp
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

China Suspends Stringent Tech Rules (April 16, 2015)

China has temporarily suspended implementation of rules that would make it nearly impossible for foreign technology companies to offer products to the country's financial sector. The rules would require tech companies that sell to Chinese financial institutions to provide access to source code. Following a meeting with Chinese officials last month, US officials said that the rules would be suspended, but earlier this week, trade groups in Japan, Europe, and the US said the rules were still being enforced. A letter from the Chinese government letter makes the temporary change official.
-http://www.nytimes.com/2015/04/17/business/international/china-suspends-rules-on
-tech-companies-serving-banks.html
[Editor's Note (Northcutt): I thought this would be the case; some companies would simply cease to do business with China. It also leaves the IBM Apple agreement team to earn enterprise class business decision revenue subject to further scrutiny. Reportedly, they agreed to do this. Also, rumor has it China will demand back doors in some of the products:
-http://www.esecurityplanet.com/network-security/china-to-require-backdoors-in-fo
reign-hardware-software.html
">http://www.esecurityplanet.com/network-security/china-to-require-backdoors-in-fo
reign-hardware-software.html
-http://qz.com/332059/apple-is-reportedly-giving-the-chinese-government-access-to
-its-devices-for-a-security-assessment/
-http://www.osnews.com/story/28264/Report_Apple_gives_Chinese_government_access_t
o_source_code
-http://appleinsider.com/articles/15/01/28/china-to-demand-source-code-access-bac
kdoors-in-some-tech-products
-http://www.esecurityplanet.com/network-security/china-to-require-backdoors-in-fo
reign-hardware-software.html
">http://www.esecurityplanet.com/network-security/china-to-require-backdoors-in-fo
reign-hardware-software.html]

Think Tank Says Iran Gathering Information About US Grid (April 16, 2015)

According to a report from a Washington think tank, Iranian cyber attackers are looking for information online to identify systems that control elements of the US's critical infrastructure. The researchers say that current sanctions against Iran have not diminished its espionage and cyber warfare capability.
-http://www.thedailybeast.com/articles/2015/04/16/report-iranian-hackers-eye-u-s-
grid.html
[Editor's Note (Henry): Iran and China and Russian....oh my! This has been happening for years, by Iran, other nation states, and, increasingly, terrorist organizations. Adversaries will constantly look for vulnerabilities to exploit, and critical infrastructure is at the top of the list.
(McBride): I am happy to see Norse incorporate SCADA port information into its sensor nets and resulting analysis. However, it's no surprise that Iranians -- and those of other nationalities with interest in "cyber" - are examining what's on the Net. We would need more context to discern whether the activity highlighted on page 39 of the Norse report is really seeking out systems operating the grid. (Murray): There is no excuse for any of these controls to be visible to the public networks. They should be hidden behind VPNs and strong authentication. If the control itself does not support this, a $50 proxy will hide it from Iran and other prying eyes. ]

ICO Investigated Law Firms Over Reported Breaches (April 16, 2015)

According to data obtained through a Freedom of Information request, the UK's Information Commissioner's Office (ICO) investigated 173 law firms in that country regarding reports of Data Protection Act (DPA) breaches. Following a series of breaches, the Information Commissioner last summer issued a warning that law firms need to do more to make sure that client data are secure. In addition, the Law Society, a professional organization, issued a practice notice last year warning that using cloud services could violate the DPA.
-http://www.theregister.co.uk/2015/04/16/law_office_breaches_rife_foia/
[Editor's Note (Henry): Law Firms aggregate the most sensitive data from many of their clients...IP, Patent, Merger and Acquisitions, etc. Their networks historically have not been well protected, and law firms are increasingly suffering serious breaches in the US. This is an important area that needs to be addressed.
(Honan): Law firms and accountancy practises are prime targets for criminals. Not only do they contain a lot of personal data but many of these firms work on behalf of their corporate clients to help them file patents etc. So if your organization relies on these services of these firms make sure you check their security before criminals do. (Paller, piling on): Don't accept their assurances that their systems are protected. After the theft of "all of our clients' data" one managing partner told me he thought his IT folks were protecting the data just fine. "They assured me that was so." ]

Windows HTTP Protocol Stack Flaw is Being Actively Exploited (April 16, 2015)

The Internet Storm Center has raised its threat level to Yellow in response to a vulnerability in the Windows HTTP protocol stack that is being actively exploited to crash systems. The critical remote code execution flaw was fixed in the patch of updates Microsoft released earlier this week. It affects Windows 7, 8, and 8.1, Windows Server 2008 R2, 2012, and 2012R. The issue was addressed in MS15-034.
-http://www.darkreading.com/vulnerabilities---threats/microsoft-zero-day-bug-bein
g-exploited-in-the-wild/d/d-id/1319988?
-http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
-http://www.computerworld.com/article/2910593/experts-boost-threat-level-call-for
-patching-critical-windows-bug-asap.html
-https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
[Editor's Note (Murray): Backwards compatibility and legacy code in Windows may yet be the death of us all. What part of "re-write" must we explain to Microsoft. ]

Target Reaches Settlement With MasterCard Over Breach (April 15 & 16, 2015)

Target has agreed to pay MasterCard US $19 million. The funds are intended as compensation for costs incurred by replacing compromised cards and resolving fraudulent transactions that occurred as a result of the breach. The deal will become final if cardholders and shareholders approve it by May 20.
-http://www.theregister.co.uk/2015/04/16/target_settles_with_mastercard_for_us19_
million/
-http://www.cnet.com/news/target-settles-with-mastercard-for-19m-over-data-breach
/
-http://www.zdnet.com/article/target-mastercard-settle-over-data-breach/
-http://www.scmagazine.com/target-expected-to-reach-settlement-with-mastercard-fo
r-20-million/article/409302/
[Editor's Note (Murray): These reports are conflicting and unclear as to the conditions for approval. Cardholders have no interest in this agreement; Target has already settled with those representing cardholders. Only MasterCard and issuers need approve this deal, a sufficient number of issuers to cover 90% of accounts. Obviously Target would not want to enter into an agreement with issuers that did not cover most of its liability. It is in everyone's interest to get this settled. ]

Advanced Persistent Threat (APT) Wars (April 14 & 15s, 2015)

While investigating the operations of the Naikon advanced persistent threat (APT) group, researchers at Kaspersky discovered that one of the groups phishing emails had been sent to an email address belonging to another APT group. That group, Hellsing, sent a message back to Naikon, asking if the first message was legitimate. Naikon's response was poorly worded enough to let Hellsing know that they had been attacked, and so they retaliated by sending phishing emails to Naikon, possibly in an attempt to learn more about Naikon's operations.
-http://www.darkreading.com/attacks-breaches/apt-on-apt-action/d/d-id/1319931
-http://www.zdnet.com/article/the-apt-wars-hackers-raise-swords-and-charge-at-eac
h-other/
-http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-aft
er-attack-by-rival-apt-gang/
-http://www.v3.co.uk/v3-uk/news/2404214/hacking-groups-attack-each-other-in-apt-w
ars
[Editor's Note (Honan): We will continue to see online criminal gangs target each other to either hijack other gangs' infrastructure, shut down rival gangs, or simply to let people know who is boss, similar to how it happens in the physical world. ]

Millions of Health Records Compromised Over Past Four Years (April 15, 2015)

A study published in the Journal of the American Medical Association (JAMA) says that between 2010 and 2013, data breaches compromised more than 29 million health records. The information was drawn from a government database of breaches that included unencrypted health data. The researchers looked at 949 breaches that occurred during that period; they did not include incidents that affected fewer than 500 people.
-http://www.nbcnews.com/tech/security/health-data-breaches-29-million-u-s-records
-exposed-four-n342051
[Editor's Note (Murray): This report does not even cover the large number of records that remain on paper because of the perverse effects of HIPAA. These records are not covered by HIPAA and we may never know about breaches of these records. ]

Veterans Affairs Contractors Violated Security Practices (April 15, 2015)

According to a report from the VA Assistant Inspector for Investigations, contractors working for the Department of Veterans Affairs used their personal laptops to access the agency's network while they were abroad in China and India. The contractors used unencrypted laptops without VA required software and security settings.
-http://www.nextgov.com/cybersecurity/2015/04/inspector-va-teleworkers-breached-s
ecurity-china-and-india/110269/?oref=ng-channelriver

---

STORM CENTER TECH CORNER

HTTP.sys Vulnerability Update
-https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Co
de+Execution+PATCH+NOW/19583/

HTTP.sys Webcast
-https://www.sans.org/webcasts/isc-threat-update-20150416-100152

Teslacrypt Ransom Ware
-https://isc.sans.edu/forums/diary/Exploit+kits+still+pushing+Teslacrypt+ransomwa
re/19581/

Virginia Disqualifies Vulnerable Voting Machines
-https://threatpost.com/virginia-voting-machines-exposed-to-simple-potentially-el
ection-altering-hacks-since-2004/112297

HTTP.sys Vulnerability
-https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Co
de+Execution+PATCH+NOW/19583

Cisco Desktop Cache Cleaner Remote Execution Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
150415-csd

Google Chrome Phasing Out NPAPI, Affecting Java
-https://developer.chrome.com/extensions/npapi

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/