SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #33

April 28, 2015

TOP OF THE NEWS

Security Investigative Journalists Growing Weary of Same Old Stories
US Defense Secretary Speaks About Cyber Strategy

THE REST OF THE WEEK'S NEWS

WordPress Patches Critical Flaw
SendGrid Provides Additional Information About Breach
Telerobotic Surgery Security Concerns
iOS Apps Using Outdated Networking Library
Building National Cyber Security Defense
Many Agency Breaches Could Have Been Prevented With Strong Authentication
Auditors Say Federal Thrift Investment Retirement Board Needs to Step Up Security Efforts
South Korea Says it Has Code Linking North Korea to Cyber Attacks
Technology Detects Malware on Medical Devices by Monitoring AC Power Consumption

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk *****************************
Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, "what works" list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain.
Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC. http://www.sans.org/info/176822
***************************************************************************

TRAINING UPDATE


- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- -SANS Secure Europe 2015 | Amsterdam, Netherlands | May 5-May 25, 2015 10 courses.
http://www.sans.org/u/2bh


- -SANS Security West 2015 | San Diego, CA | May 11-May 12, 2015 30 courses. Bonus evening presentations include Emerging Trends in DFIR: Lightning Talks; and Enterprise PowerShell for Remote Security Assessment.
http://www.sans.org/u/1p8


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community? Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Melbourne, Bangkok, and Dublin all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Security Investigative Journalists Growing Weary of Same Old Stories (April 23 & 24, 2015)

Cyber security journalists on a panel at the RSA conference last week spoke about the glut of stories that no longer feel like news. Breaches occur daily, and some of the stories end up as mostly "advertising for security firms," according to New York Times journalist Nicole Perlroth. Joseph Menn, technology reporter for Reuters, and Brian Krebs (Krebs On Security) both noted that covering the same things again and again inures readers and reporters to issues that can actually be important, and that light stories get too much coverage.
-http://www.cbronline.com/news/cybersecurity/is-journalism-failing-cybersecurity-
4561203
-http://www.networkworld.com/article/2913742/security0/reporting-cybercrime-feels
-like-groundhog-day.html
[Editor's Note (Pescatore): Well, the same is true about all crime, as well as car crashes and plane crashes: it keeps happening and over 70% of the time lack of simple measures/basic hygiene is the root cause. Which is why the Critical Security Controls have been so meaningful. The telling quote from this session: "Perlroth said she sometimes jokes that after four years covering cyber security she sometimes feels like she is on the cop beat." Yup - covering cybercrime is pretty much like covering crime. ]

US Defense Secretary Speaks About Cyber Strategy (April 24, 2015)

US Defense Secretary Ashton Carter told an audience at Stanford University about his department's new cyber security strategy, saying that the Defense Department (DoD) needs to be more transparent about its cyber capabilities. The DoD's cyber strategy centers on deterrence and attribution. The strategy also includes guidelines about when it will use cyber attacks against other countries. Carter also noted the need for a stronger partnership with the tech industry.
-http://www.scmagazine.com/ash-carter-spoke-at-stanford-university/article/411392
/
-http://www.darkreading.com/attacks-breaches/defense-secretary-outlines-new-cyber
security-strategy-/d/d-id/1320147?
-http://www.theregister.co.uk/2015/04/24/pentagon_cyberwarfare_strategy/
-http://www.wired.com/2015/04/dods-new-transparent-policy-cybersecurity-still-opa
que/
DoD Cyber Strategy:
-http://www.defense.gov/home/features/2015/0415_cyber-strategy/Final_2015_DoD_CYB
ER_STRATEGY_for_web.pdf

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Detection - What You Need to Know: http://www.sans.org/info/177152

2) Patient healthcare data is under constant attack: Steps you can take to mitigate the problem. Wednesday, May 06 at 3:00 PM EDT (19:00:00 UTC) with Christopher Strand and Barbara Filkins. http://www.sans.org/info/177157

3) Mark Your Calendar for 4/29 Webcast at 2 PM EDT: Insider Threats and the Real Financial Impact to Orgs - A SANS Survey : http://www.sans.org/u/3fp
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

WordPress Patches Critical Flaw (April 27, 2015)

WordPress has released a critical update to fix a vulnerability in its content management system that could be exploited to hijack web admin accounts. An exploit for the vulnerability has been released. Attackers could embed malicious code in a comment. If the attacker has previously made an innocuous post that gets approved by a site administrator, the new comment containing the code would post automatically and the code would execute. The WordPress update brings the most current version to 4.2.1.
-http://www.zdnet.com/article/millions-of-wordpress-sites-vulnerable-to-hijacking
-after-zero-day-exploit-released/
-http://arstechnica.com/security/2015/04/27/just-released-wordpress-0day-makes-it
-easy-to-hijack-millions-of-websites/
-http://www.theregister.co.uk/2015/04/27/wordpress_zero_day_xss/
-http://klikki.fi/adv/wordpress2.html

SendGrid Provides Additional Information About Breach (April 27, 2015)

Email service SendGrid has released a new statement about a breach that occurred several months ago. Earlier this month, the SendGrid said that a breach compromised one customer account. Now the company says that additional information provided by investigators indicates that a breached employee account was used to access internal systems at least three times in February and March. The access obtained through the account was used to steal usernames, email addresses, and hashed passwords for customer and employee accounts.
-http://krebsonsecurity.com/2015/04/sendgrid-employee-account-hacked-used-to-stea
l-customer-credentials/

Telerobotic Surgery Security Concerns (April 24 & 27, 2015)

Researchers at the University of Washington departments of Electrical Engineering and Computer Science and Engineering have published a paper describing how they found vulnerabilities in devices used to perform remote surgery. Despite annual increases of 20 percent in sales of telerobotic surgery equipment, security from attacks has not been a top concern in their development. The researchers found that attackers could potentially disrupt and even hijack the surgery equipment. Because the communications might need to occur in extreme conditions, secure Internet connections are not a given.
-http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-s
urgical-robot/
-http://www.computerworld.com/article/2914741/cybercrime-hacking/researchers-hija
ck-teleoperated-surgical-robot-remote-surgery-hacking-threats.html
[Editor's Note (Pescatore): The FDA has been slooowly ramping up the attention in pays to cybersecurity in medical device certification, but if you picked one area to focus on for some "quick wins" this is it. ]

iOS Apps Using Outdated Networking Library (April 24 & 27, 2015)

About 25,000 iOS apps are using an old version of a networking library that could expose data in transit. The issue lies in Secure Sockets Layer (SSL) code on the AFNetworking library. Developers are being urged to update their apps.
-http://www.zdnet.com/article/thousands-of-ios-apps-left-open-to-snooping-thanks-
to-ssl-bug/
-http://arstechnica.com/security/2015/04/24/critical-https-bug-may-open-25000-ios
-apps-to-eavesdropping-attacks/

Building National Cyber Security Defense (April 26, 2015)

David Pogue's April 26 segment on CBS Sunday Morning looks at the need for the US to develop strong defense against cyber attacks. Pogue's story includes Alabama high school students who took first place in the Air Force Association's National Cyber Patriot Competition; and Ed Skoudis describing CyberCity, which allows people developing cyber defense skills to defend a city that runs on the actual equipment a city would use.
-http://www.cbsnews.com/news/strengthening-the-nations-defense-against-hackers/

Many Agency Breaches Could Have Been Prevented With Strong Authentication (April 24, 2015)

According to the Office of Management and Budget's (OMB's) annual Federal Information Security management Act (FISMA) report to Congress for 2014, 52 percent of cyber security incidents at US government agencies in FY 2014 involved weak authentication. That figure did decrease from FY 2013, when 65 percent of incidents were related to weak authentication. Excluding the Defense Department, just 41 percent of civilian CFO Act agencies have employed strong authentication as defined in the FISMA report.
-http://www.nextgov.com/emerging-tech/emerging-tech-blog/2015/04/agencies-often-l
ack-strong-authentication-and-its-big-problem/111076/?oref=ng-channelriver
[Editor's Note (Pescatore): The federal government has sort of trapped itself with the unwieldy smart card/PIV card approach, while consumers are slowly moving to lighter weight (but effective) approaches like text message challenges and major consumer players like Google introduce simple USB "keys" for their consumer users. ]

Auditors Say Federal Thrift Investment Retirement Board Needs to Step Up Security Efforts (April 20 & 24, 2015)

According to federal auditors, the Federal Retirement Thrift Investment Board (FRTIB) is not progressing quickly enough with efforts to protect the data it stores. The auditors say that while some issues have been identified for years, FRTIB has not yet fixed them. The problem with appears to be a penetration test. While FRTIB has no problem with an external test, the auditors want to perform "credentialed penetration testing," which simulates possible insider threats, and requires that the testers have access to the system.
-http://www.federalnewsradio.com/241/3844819/TSP-board-defends-delays-in-cyber-fi
xes
-http://www.govexec.com/pay-benefits/2015/04/tsp-participants-could-be-vulnerable
-hackers-auditors-say/110575/

South Korea Says it Has Code Linking North Korea to Cyber Attacks (April 23, 2015)

Investigators in South Korea say they have obtained the actual code used in attacks against the country's banks, media outlets, and nuclear operator, allegedly by North Korea. The attacks on the banks and media outlets occurred in 2013, affecting 48,000 computers; they wiped the machines' hard disks. The attack on the nuclear operator occurred in December 2014; the intruders attempted to steal blueprints, personnel data, and other information. The codes used in the attack bear strong similarities to those known to be used by North Korea, according to South Korean authorities. North Korea has denied the allegations.
-http://edition.cnn.com/2015/04/22/asia/koreas-cyber-hacking/index.html?eref=edit
ion
-http://thehill.com/policy/cybersecurity/239864-south-korea-pyongyang-behind-code
-used-in-banking-cyberattacks

Technology Detects Malware on Medical Devices by Monitoring AC Power Consumption (April 27, 2015)

Two large, unnamed US hospitals will pilot the use of technology that monitors AC power consumption to detect malware on their equipment. The monitoring platform, known as WattsUpDoc, employs power consumption side-channel analysis, which is more often used to gather information about users, but in this case is being used "to spy on malware."
-http://www.theregister.co.uk/2015/04/27/us_hospitals_to_treat_medical_device_mal
ware_with_ac_power_probes/
[Editor's Note (Pescatore): There may be instances where this makes sense, but instrumenting the power cord/receptacle of every medical device to detect unusual communications over the network seems very expensive and unscalable compared to monitoring the network traffic of many/all devices. ]

---

STORM CENTER TECH CORNER

Magento Vulnerability Exploited
-https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild
.html

Yubico Neo Vulnerability
-https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html

Fiesta Exploit Kit
-https://isc.sans.edu/forums/diary/Actor+using+Fiesta+exploit+kit/19631/

Teslacrypt Decrypter
-http://blogs.cisco.com/security/talos/teslacrypt

Quantum Insert Attack
-http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/

Android wpa_supplicant heap buffer overflow
-http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19

Geolocation Browsers Using the Browser Cache
-http://www.comp.nus.edu.sg/~jiayaoqi/publications/geo_inference.pßdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/