SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #36

May 08, 2015


Top of the News starts with a CNN story about alleged extortion by a cybersecurity company in Pittsburgh that may have extorted money from victim companies with the threat of telling the FTC about the "data breach," possibly causing the closure of a medical laboratory that was victimized and possibly affecting many more organizations. But the story may not be true as told.
Alan

TOP OF THE NEWS

Whistleblower Accuses Cybersecurity Company Tiversa of Extorting Clients
Federal Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act
Cybercriminals Targeting Healthcare Data (Healthcare Cyber Summit Next Week)

THE REST OF THE WEEK'S NEWS

California County Calls Off Stingray Purchase
Safari Update
Medical Infusion Pump Vulnerability
More WordPress Vulnerabilities
CyberLock Lawyers Invoke DMCA to Halt Vulnerability Disclosure
IRS Cybercrime Unit
Superfish Responsible for Majority of Injected Ads on Google Sites
Lenovo Releases Patch for Software Flaws

STORM CENTER TECH CORNER


********************* Sponsored By Trend Micro Inc. *********************

Trend Micro and the Organization of American States have published a new joint report on the Security of Critical Infrastructure in the Americas. View this webinar highlighting the report's key findings. http://www.sans.org/info/177487
***************************************************************************
TRAINING UPDATE

- -Healthcare Cybersecurity Summit & Training | Atlanta, GA | May 12-19 | Hear security experts from leading health care companies discuss proven approaches for securing and succeeding in the new health care environment. Meet leaders from the top health care organizations and see what really works in securing health care. Plus 3 Courses: SEC401, SEC504, & Health Care Security Essentials
http://www.sans.org/u/2is


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-23, 2015 | 6 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 41 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency": Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Melbourne, Bangkok, and Dublin all in the next 90 days.


For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Whistleblower Accuses Cybersecurity Company Tiversa of Extorting Clients (May 8, 2015)

Richard Wallace, a former investigator for Tiversa, claims Tiversa made up fake data breaches and then threatened to (and did) contact the FTC about the "data breach" that Tiversa had "discovered." If Wallace is describing the incidents accurately, the FTC aggressively prosecuted a company based on "bogus evidence" and destroyed it. Tiversa is a small cybersecurity consultancy based in Pittsburgh. Its board members include several highly decorated experts in the security and privacy fields, including retired four-star U.S. Army General Wesley K. Clark (formerly NATO's Supreme Allied Commander in Europe) and Larry Ponemon (founder of the Ponemon Institute, a pro-privacy think tank). U.S. Rep. Darrell Issa, chairman of the House Oversight Committee, demanded last year that the FTC look into allegations of "corporate blackmail" by Tiversa. In a letter to the FTC in December, Issa noted that Tiversa had assisted the FTC on data leak investigations of "nearly 100 companies." Tiversa rejects the claims of fabricated data as "unsubstantiated."
-http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/
-http://www.businessinsider.com/a-whistleblower-claims-that-cybersecurity-firm-tiversa-fakes-hacks-to-get-companies-to-pay-for-services-2015-5

[Editor's Note (Paller): Before you rush to judgment, consider that there is a possibility that the targeted firms did disclose their data to the public and Tiversa discovered the disclosure. On the other hand, that may not have happened; we'll have to wait and see. There have been many major cases of extortion by actual criminals. A decade ago two Russians, Alexey Ivanov and Vasiliy Gorshkov, stole data from ecommerce sites that used Microsoft IIS, sold the data, then sent emails offering to consult with the victim and threatening public shaming and disclosure of all credit card numbers if they did not accept the offer. The FBI had an early win by setting up a sting and getting the two men to come to the US to "consult." Full story:
-http://www.csoonline.com/article/2118241/malware-cybercrime/alexey-ivanov-and-vasiliy-gorshkov--russian-hacker-roulette.html ]

Federal Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act (May 7, 2015)

A US Federal Appeals Court has found the National Security Agency's (NSA's) wholesale collection of telephone call metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the program exceeds what Congress authorized in Section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013.
-http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-data-collection-illegal/

-http://arstechnica.com/tech-policy/2015/05/phone-metadata-spying-not-authorized-by-patriot-act-appeals-court-says/

-http://cdn.arstechnica.net/wp-content/uploads/2015/05/nsaruling.pdf

Cybercriminals Targeting Healthcare Data (Cyber Summit Next Week) (May 7, 2015)

According to a new study on the Privacy and Security of Healthcare Data, criminal attacks have now passed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With "some exceptions, ... healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment." Half of the healthcare organizations surveyed said they had "little or no confidence" that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen.
-http://www.darkreading.com/attacks-breaches/healthcare-data-breaches-from-cyberattacks-criminals-eclipse-employee-error-for-the-first-time/d/d-id/1320315

-http://www.nbcnews.com/tech/security/health-industry-cant-protect-your-records-hackers-report-n355401

[Editor's Note (Paller): The FBI has been privately telling CEOs of health care and health insurance firms that they are being targeted. The attackers are succeeding because of a few key errors that health care companies are making. Make sure you get to Orlando on Tuesday when the National HealthCare ISAC (NH-ISAC) has its annual briefing on new developments in cybersecurity in healthcare. That's also where you may attend 3 very relevant hands-on SANS courses.
-http://www.sans.org/event/nh-isac-healthcare-cybersecurity-summit]


**************************** SPONSORED LINKS ******************************
1) WhatWorks: Using Palo Alto Networks Next Generation Firewalls to Increase Visibility into Threats and Reduce Threat Risks. Wednesday, May 13 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Lance Spence. http://www.sans.org/info/177492

2) The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era: Wednesday, May 20 at 3:00 PM EDT (19:00:00 UTC) with Icaro Vazquez and David Hoelzer. http://www.sans.org/info/177497

3) Protecting the Things, Including the Ones You Already Have (and don't know about). Monday, May 18 at 1:00 PM EDT (17:00:00 UTC) with Tom Byrnes and Johannes Ullrich. http://www.sans.org/info/177407
***************************************************************************

THE REST OF THE WEEK'S NEWS

California County Calls Off Stingray Purchase (May 7, 2015)

Officials in Santa Clara County (California) have said no to the acquisition of cell-site simulator technology known as Stingray. The purchase was initially approved earlier this year, but a lengthy negotiation found the county was unable to reach an agreement with Harris Corporation, the device manufacturer.
-http://arstechnica.com/tech-policy/2015/05/in-rare-move-silicon-valley-county-govt-kills-stingray-acquisition/

[Editor's Note (Honan): Before privacy advocates cheer this as a victory in their battle against the use of this technology, we should note that the deal fell through because commercial agreement could not be reached during the contract negotiations. ]

Safari Update (May 7, 2015)

Apple has issued security updates for its Safari browser to address memory corruption issues in WebKit. The updated versions of Safari are 8.0.6, 7.1.6, and 6.2.6.
-http://www.zdnet.com/article/apple-patches-multiple-security-bugs-in-safari/
-http://www.theregister.co.uk/2015/05/07/apple_swats_webkit_bugs_that_bit_it_on_safari/

Medical Infusion Pump Vulnerability (May 6 & 7, 2015)

The US Department of Homeland Security's (DHS's) ICS-CERT has issued an advisory about security issues in a medical infusion pump distributed by Hospira. Versions 5.0 and earlier of the LifeCare PCA Infusion System contain an improper authorization flaw and inadequate verification of data authenticity. Together these could allow unauthorized users to modify the pump's configuration. The entry point is a Telnet port that requires no authentication.
-http://www.theregister.co.uk/2015/05/07/infusion_pump_is_hackable/
-http://www.scmagazine.com/medical-device-vulnerable-to-remotely-exploitable-bugs-prompts-advisory/article/413286/

-https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
-http://hextechsecurity.com/?p=123

[Editor's Note (Murray): Sparsely deployed application, significant implementation induced vulnerability, life threatening consequences, low threat, low risk. Appliance designers seem to focus on the integrity of the application but make obvious security mistakes. Often these errors are not in normal operation but in setup and configuration. ]

More WordPress Vulnerabilities (May 7, 2015)

A vulnerability in a file shipped with two WordPress packages could be exploited to take control of websites through cross-site scripting (XSS) attacks. The flaw affects the Twenty Fifteen theme and the JetPack plug-in and is being actively exploited. Twenty Fifteen is installed by default. The issue lies in a file in the Genericons icon-font package that is used by both. WordPress has pushed out an automatic update (WordPress 4.2.2) that addresses the Genericons issue.
-http://www.eweek.com/security/wordpress-fixes-more-xss-flaws-with-automatic-update.html

-http://www.theregister.co.uk/2015/05/07/wordpresss_xss_twenty_fifteen/
-http://www.computerworld.com/article/2919855/security/attackers-exploit-vulnerabilities-in-two-wordpress-plugins.html

-https://wordpress.org/news/2015/05/wordpress-4-2-2/
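An XSS bug in a static file from an icon-font package has no server-side code to inject into, so it belongs to the client-side (DOM-based) class: a script in the page takes something from its own URL and writes it into the document. The JavaScript below is an added illustration of that class written for this newsletter; it is not the Genericons file, nor code from WordPress. Everything in it is an assumption constructed for the example: the "icon picker" page that reads the URL fragment, the `renderIcon*` functions, the sample icon list and the attacker-controlled fragment. It models what `element.innerHTML = ...` would parse in a browser as the returned markup string, so it runs under Node without a DOM.

```javascript
// Added example (not from the original page, Genericons or WordPress):
// DOM-based XSS through the URL fragment, vulnerable and hardened, modelled
// as string rendering so it runs without a browser.

// Strip the leading '#' and percent-decode, as location.hash handling usually
// does. Malformed escapes must not throw, or the attacker gets a free DoS.
function fragmentValue(fragment) {
  const raw = fragment.replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// VULNERABLE: the untrusted fragment is concatenated straight into markup.
// In a browser this string would be assigned to innerHTML, and any tag or
// event handler inside it executes in the page's origin. Note the payload
// never leaves the browser: the fragment is not sent in the HTTP request, so
// server logs and a WAF see nothing.
function renderIconVulnerable(fragment) {
  const name = fragmentValue(fragment);
  return '<h2>Icon: ' + name + '</h2>' +
         '<span class="genericon genericon-' + name + '"></span>';
}

// HARDENED: allow-list the value where it drives a class name, and
// HTML-escape anything echoed back as text.
const KNOWN_ICONS = new Set(['star', 'heart', 'search']);  // constructed sample list

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderIconHardened(fragment) {
  const raw = fragmentValue(fragment);
  const name = KNOWN_ICONS.has(raw) ? raw : 'unknown';
  return '<h2>Icon: ' + escapeHtml(raw) + '</h2>' +
         '<span class="genericon genericon-' + name + '"></span>';
}

// Stand-alone demo: the same constructed attacker fragment through both renderers.
const samplePayload = '#<img src=x onerror=alert(1)>';
console.log('vulnerable:', renderIconVulnerable(samplePayload));
console.log('hardened:  ', renderIconHardened(samplePayload));

module.exports = { fragmentValue, renderIconVulnerable, renderIconHardened, escapeHtml };
```

The practical lesson for the WordPress case is the removal rather than the patch: a demo or example page that ships inside a font or asset package is reachable by anyone who can guess its path, and deleting files that have no production purpose removes the sink entirely. In a real page the hardened version would also prefer `textContent` over `innerHTML` for the heading, so no HTML parsing of user input happens at all.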

CyberLock Lawyers Invoke DMCA to Halt Vulnerability Disclosure (May 5 & 6, 2015)

Lawyers for electronic lock manufacturer CyberLock have sent two letters to individuals demanding that they refrain from disclosing information about vulnerabilities in the company's products. The letters, which invoke the Digital Millennium Copyright Act (DMCA), were sent after the recipients attempted to contact CyberLock to notify them about the security issues.
-http://www.wired.com/2015/05/lock-research-another-battle-brews-war-security-holes/

-http://www.scmagazine.com/ioactive-researcher-reveals-lock-flaws-prompts-attorney-response/article/413310/

-http://arstechnica.com/security/2015/05/lawyers-threaten-researcher-over-key-cloning-bug-in-high-security-lock/

IRS Cybercrime Unit (May 6, 2015)

The US Internal Revenue Service (IRS) has established a unit devoted to investigating cybercrime. Its primary focus will be identity theft cases, which have increased fourfold since 2011 and are often facilitated with computers.
-http://www.scmagazine.com/new-irs-unit-to-combat-growing-use-of-technology-in-fraudulent-tax-returns/article/413279/

-http://www.zdnet.com/article/irs-sets-up-dedicated-cybercrime-unit-to-combat-identity-theft/

[Editor's Note (Pescatore): If the IRS required strong forms of authentication for tax returns, it could cut the fraud significantly. Imagine if instead of fixing the ignition switch problem, GM said "We are establishing a unit to investigate crashes due to failed ignition switches." ]

Superfish Responsible for Majority of Injected Ads on Google Sites (May 7, 2015)

A study conducted by Google and University of California Berkeley and Santa Barbara researchers found that at least five percent of browser visits to Google websites experience injected ads. Adware known as Superfish is responsible for the majority of the interference. The study examined more than 102 million Google page views between June and September 2014.
-http://www.computerworld.com/article/2919220/cybercrime-hacking/superfish-injects-ads-in-4-of-google-page-views.html

-https://cdn3.vox-cdn.com/uploads/chorus_asset/file/3673260/ad_injector_paper.0.pdf

[Editor's Note (Pescatore): I seem to see advertising on close to 100% of my visits to most websites, but the study points out that 5% of ads are injected without approval of the site owner. The study is clear about this diverting potential ad revenue from legitimate (those that do get site owner consent) ad networks and site owners, but not on the actual impact to end users, especially as compared to "malvertising" - malware served up by legitimate ad networks is a continuing problem that actually impacts the end user vs. just the revenue flow between site owners and advertising networks. ]

Lenovo Releases Patch for Software Flaws (May 6, 2015)

Chinese computer manufacturer Lenovo is urging users to install a patch to address a trio of security issues in its software update system that could be exploited to install malware or take control of vulnerable machines. Just a few months ago, Lenovo was facing criticism for pre-installing Superfish adware on its machines.
-http://www.theregister.co.uk/2015/05/06/lenovo_system_update/
-http://www.bbc.com/news/technology-32607618
-http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf


STORM CENTER TECH CORNER

Critical Cisco UCS Central Software Patch
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150506-ucsc

Avast False Positive
-https://forum.avast.com/index.php?topic=170705.45

Crypto Errors in Open Smart Grid Protocols
-https://eprint.iacr.org/2015/428

Using Cellular Voice Stream As Covert Channel For Smartphones
-http://arxiv.org/pdf/1504.05647v1.pdf

Searching scan.io DNS Data
-http://dnsdumpster.com

Netflix releases FIDO
-http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html

Rombertik Destructive Malware
-http://blogs.cisco.com/security/talos/rombertik


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/