SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #38

May 15, 2015

Six cool things learned at the Healthcare Security Summit this week:

I have not been a fan of ISACs (other than the Multi-State ISAC, FS-ISAC and the aerospace program) but upon learning what happens inside the NH-ISAC I was persuaded it is a powerful force for enabling member organizations to develop better security programs than others in their industry, and that's how most senior executives hope to evaluate their CISOs. Here are 6 things the NH-ISAC folks learned and shared at this week's Summit:

1. Precisely how attackers penetrate health care data systems (how physical attackers get through secure doorways, too).
2. How to gain board level approval for major security initiatives.
3. What actually works among the tools that vendors are promoting.
4. How certain attacks said to be targeted only to health care organizations actually hit several other large organizations and why that enabled better sharing of indicators of compromise.
5.The value of having world-class forensics experts inside the health care community (rather than in commercial firms selling services to the community) and sharing what they are discovering.
6. How to optimize third-party governance. Bonus: Why the NH-ISAC members had indicators of compromise for the Anthem attack long before any other health care organizations. (http://www.nhisac.org/)
Alan

---

TOP OF THE NEWS

May's Patch Tuesday
House Passes Bill That Would End Some NSA Data Collection Practices

THE REST OF THE WEEK'S NEWS

Additional Vulnerabilities Found in Medical Infusion Pumps
Google Requires Windows and Mac Extensions to be Hosted on Chrome Store
Microsoft Stops Chinese Group from Using TechNet Site for Attacks
Thieves Steal Funds Through Starbucks Mobile App
Venom Vulnerability Affects Virtualization Software
Home Routers Used in DDoS Botnets
Mozilla Updates Firefox to Version 38
Russian Cyber Crime Group Planned to Attack US Financial Institutions

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By ObserveIT ************************
Super User or Super Threat? ObserveIT webcast, May 21st 11:00am EDT - We trust admins with direct access to our company's most sensitive data, but are we doing enough to ensure data security and compliance at the same time? Join this webcast to learn how to identify and manage the privileged user activities you need to be aware of to improve your data security program - including which users are remotely accessing your systems, deleting files, running risky system calls and changing permissions.
http://www.sans.org/info/177712
***************************************************************************

TRAINING UPDATE


- --SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 9 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- --ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- --SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- --SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- ---SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- ---Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

May's Patch Tuesday (May 12, 2015)

On Tuesday, May 12, Microsoft issued 13 security bulletins to address a total of 46 flaws in Windows, Internet Explorer (IE), Office and other products. Three of the bulletins are rated critical. Adobe has also released updates for several of its products, including Flash Player, Adobe Air, Reader, and Acrobat. Internet Storm Center:
-https://isc.sans.edu/forums/diary/May+2015+Microsoft+Patch+Tuesday+Summary/19685
/
-http://www.zdnet.com/article/may-2015-patch-tuesday/
-http://www.computerworld.com/article/2922035/application-security/critical-updat
es-to-ie-and-office-for-may-patch-tuesday.html
-http://www.computerworld.com/article/2922114/security/microsoft-fixes-46-flaws-i
n-windows-ie-office-other-products.html
-http://krebsonsecurity.com/2015/05/adobe-microsoft-push-critical-security-fixes-
7/
-https://technet.microsoft.com/en-us/library/security/MS15-MAY

House Passes Bill That Would End Some NSA Data Collection Practices (May 13 & 14, 2015)

The US House of Representatives has passed the USA Freedom Act, which would stop the National Security Agency's (NSA's) bulk data collection of cell phone communication data. The bill, which passed by a substantial margin, would require telecommunications companies to retain the data and for the NSA to obtain orders from the Foreign Intelligence Surveillance Court to access it, NSA would also be required to use specific search terms to narrow the scope of the records sought. The bill now goes to the Senate.
-http://www.wired.com/2015/05/house-passes-usa-freedom-act/
-http://www.bbc.com/news/world-us-canada-32732258
[Editor's Note (Pescatore): Something closer to the Freedom Act than to the original section 215 wording is probably a good place for this to end up. There are definitely intelligence benefits to the "see everything" approach but there is also a societal risk. The risk/reward equation always gets adjusted over time. ]

---

**************************** SPONSORED LINKS ******************************
1) The Evolution of Network Security, and how Network Packet Brokers (NPBs) enable the Layered Security Era. Wednesday, May 20 at 3:00 PM EDT (19:00:00 UTC) with Icaro Vazquez and David Hoelzer. http://www.sans.org/info/177722

2) Protecting the Things, including the ones you already have (and don't know about). Monday, May 18 at 1:00 PM EDT (17:00:00 UTC) with Tom Byrnes and Johannes Ullrich. http://www.sans.org/info/177727

3) Securing the mobile workforce. Attend Webcast May 21 at 1 pm EDT for 2015 survey results. http://www.sans.org/info/177732
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Additional Vulnerabilities Found in Medical Infusion Pumps (May 14, 2015)

The US Department of Homeland Security's ICS-CERT has amended an advisory released last week regarding remotely exploitable security issues in drug infusion pumps; the new information is about additional vulnerabilities affecting the Hospira LifeCare PCA Infusion System. The US Food and Drug Administration (FDA) has added its voice to the warnings to help the information become more widely circulated.
-http://www.scmagazine.com/additional-bugs-plague-infusion-pumps-dhs-fda-say/arti
cle/414808/
-http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedical
Products/ucm446828.htm
[Editor's Note (Murray): It is obvious that "information sharing" is still immature. We do not broadcast "intelligence" in hopes that it gets to those who can do something about the risk. The object is to get it, on a timely basis, only to those who must act. This implies that one must have identified those folks in advance. (The aviation industry continues to be the best example of how to do it.) In this particular case, broadcast of this information serves only to raise unnecessary anxiety among those who cannot do anything to reduce the risk. ]

Google Requires Windows and Mac Extensions to be Hosted on Chrome Store (May 14, 2015)

Google is taking aim at malicious browser extensions by requiring that they be hosted on the Chrome Web Store. All extensions for Windows must now be hosted on the site; extensions for OS X will face the same requirement starting in July.
-http://arstechnica.com/information-technology/2015/05/google-extends-chrome-malw
are-crackdown-to-windows-dev-channel-os-x/
[Editor's Note (Pescatore): Having App Store (essentially large whitelisting) mechanisms between all software and all devices is a good thing. Not the end of malware, but definitely raising the bar. Notice: actual users have never complained about whitelisting on their mobile devices - they actually prefer a world where there is *slightly* less choice in apps but *way more* safety in that apps don't blow up in their faces when they click on them. About the last place users *don't* have App Store safety is on their PCs at work... ]

Microsoft Stops Chinese Group from Using TechNet Site for Attacks (May 14, 2015)

Microsoft and FireEye have taken steps to prevent a group of Chinese cyber criminals known as APT17 from using the company's TechNet website in its attacks. The group took advantage of the TechNet site by creating accounts and making comments containing embedded commands that would tell infected computers what action to perform. This particular group of attackers tends to target defense contractors, law firms, technology and mining companies, and US government agencies.
-http://www.computerworld.com/article/2922503/malware-vulnerabilities/china-based
-hackers-used-microsofts-technet-for-attacks.html
-http://www.theregister.co.uk/2015/05/14/microsoft_technet_unwittingly_hosted_chi
nese_apt_botnet_node/
[Editor's Note (Pescatore): This type of mechanism (attackers using blog and other website comment fields to store payloads) has been in use for over 5 years. It makes detecting C&C communications more difficult and URL reputation lists much larger.
(Honan): Attackers using high profile and highly trafficked sites is nothing new, especially sites that allow user generated content. Using such sites enables attackers to hide their malicious traffic amongst normal traffic that would regularly be seen by security tools and personnel accessing such sites. This makes it more important that those running such sites have a very proactive security process to ensure their systems are not abused by attackers. ]

Thieves Steal Funds Through Starbucks Mobile App (May 11, 13 & 14, 2015)

Thieves are exploiting a weakness in Starbucks' mobile app to steal money from users' bank accounts. The app can be used to pay at the coffee stores' checkouts with smartphones and can also be set up to draw money from payment accounts to reload gift cards. The attackers have reportedly been breaking into Starbucks accounts to transfer money from bank accounts using the app's auto-reload function. Thieves need only the username and password to access the accounts. Starbucks says their system has not been breached, but that the attacks are the result of breaches of access credentials elsewhere and affect people who reuse that information on multiple sites. Consumer advocate Bob Sullivan urges users to disable the auto-reload function.
-https://bobsullivan.net
/cybercrime/identity-theft/exclusive-hackers-target-starbucks-mobile-users-steal-from-linked-credit-cards-without-knowing-account-number/#">
-https://bobsullivan.net
/cybercrime/identity-theft/exclusive-hackers-target-starb
ucks-mobile-users-steal-from-linked-credit-cards-without-knowing-account-number/
#
-http://www.siliconrepublic.com/enterprise/item/42033-starbucks-app-targeted-by/
-http://www.scmagazine.com/starbucks-customers-report-fraudulent-activity-on-acco
unts/article/414585/
[Editor's Note (Pescatore): This is not a vulnerability in the app, and disabling the auto reload function gains you **nothing**. This is yet another example of passwords being stolen and attackers using your password to access the app. That attacker will simply log on and turn auto reload on. Users need to think of *any* app that they tie a credit card to just as they think of PayPal or other payment apps - use a unique passphrase, not the same old password you use on dozens of other sites. Starbucks also needs to think like a payment system and update their fraud detection and prevention - the patterns of stored value card misuse were blatantly obvious on this one (to Starbucks, not necessarily to the attached credit card) yet few if any were notified by Starbucks.
(Murray): Do not share passwords across applications (difficult, but effective.) Tie apps to credit cards, not bank accounts. (Mine is tied to AmEx.) Set credit card to confirm all activity. (Since AmEx confirms all activity to my iPhone in near real-time, I would see any fraudulent charges. Bind such apps (those privileged to make in-app purchases) to the device.
(Northcutt): The first link in the story above is pretty good. I had not been aware of Bob Sullivan's work, but just subscribed to his mailing list to give it a try for a month or two:
-https://bobsullivan.net]

Venom Vulnerability Affects Virtualization Software (May 13 & 14, 2015)

A vulnerability in the open source QEMU hypervisor could be exploited to take control of all virtual machines on a server hosting multiple VMs. Security company CrowdStrike has named the flaw Venom, for Virtualized Environment Neglected Operations Manipulation. Fixes for the issue are available.
-http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-da
tacenters/
-http://www.zdnet.com/article/venom-the-anti-toxin-is-here/
-http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-th
reatens-cloud-providers-everywhere/
-http://www.darkreading.com/cloud/venom-zero-day-may-affect-thousands-of-cloud-vi
rtualization-products/d/d-id/1320389?
-http://www.v3.co.uk/v3-uk/news/2408506/venom-vulnerability-could-poison-virtuali
sation-platforms
[Editor's Note (Honan): However people may feel about the current trend to brand newly discovered vulnerabilities with names and logos, this vulnerability is an interesting case study in how co-ordinated disclosure can work effectively so that when the vulnerability was announced many affected vendors had fixes available.
(Murray): This vulnerability is years old. Publicity has raised the risk in the short run at least marginally; one hopes that it may reduce it in the long run. As is often the case, Graham Cluley at Sophos (my "Go to" guy) has a complete and useful analysis
-https://nakedsecurity.sophos.com/2015/05/14/the-venom-virtual-machine-escape-bug
-what-you-need-to-know/]

Home Routers Used in DDoS Botnets (May 13, 2015)

Thousands of routers used in homes and small businesses have been compromised and are being used in botnets to conduct distributed denial-of-service (DDoS). The exploit was made possible by router owners who did not change default administrative credentials. This particular attack targets routers from Ubiquiti. Most of the compromised routers are in Brazil and Thailand; the botnet command-and-control servers appear to be in China and the US.
-http://www.eweek.com/security/insecure-consumer-routers-compromised-to-form-self
-sustaining-botnet.html
-http://www.zdnet.com/article/ddos-botnet-makes-slaves-of-your-home-and-office-ro
uters/
-http://www.theregister.co.uk/2015/05/13/home_router_botnet/

Mozilla Updates Firefox to Version 38 (May 12, 2015)

Mozilla has updated Firefox to version 38. The update includes fixes for 13 security issues, five of which are considered critical. The previous major update for Firefox, released at the end of March, introduced a feature known as opportunistic encryption that was intended to encrypt communications that would normally not be protected. However, as implemented in Firefox 37, the feature was found to have security issues of its own and was later disabled in Firefox 37.0.1. It is not clear if the feature has been enabled in Firefox 38. Mozilla has disabled support for the RC4 cipher suite for encrypted TLS data. Because some sites still use RC4, Firefox includes a whitelist of supported sites for which it will be allowed.
-http://www.eweek.com/security/mozilla-firefox-38-gets-a-bakers-dozen-security-up
dates.html
-http://www.computerworld.com/article/2922032/web-browsers/mozilla-gags-but-suppo
rts-video-copy-protection-in-firefox-38.html

Russian Cyber Crime Group Planned to Attack US Financial Institutions

(May 13, 2015) According to US security company Root9B, Russian cyber criminals were planning to launch an attack against US banks, but the plans appear to have been abandoned after the plot was discovered. The planned attacks are believed to be the work of a Russian cyber crime group known as APT28, which is believed to have been active since at least 2007.
-http://thehill.com/policy/cybersecurity/241965-russian-hacking-group-was-set-to-
hit-us-banks
-http://www.scmagazine.com/cycyberespionage-group-apt28-expands-sights-beyond-gov
t-military-orgs/article/414586/
[Editor's Note (Pescatore): The headline should be "A Crime Group is Always Planning to Attack Every Financial Institution." Naming attack groups is kinda like the Weather Channel now naming every snowfall and soon every thunderstorm - do I really need to know that to stay dry?
(Henry): I won't comment on Root9B's analysis, which I don't concur with. To Mr. Pescatore's point, though, about "naming attack groups," and what I see as his continued mantra that "attribution doesn't matter." Quite frankly, it DOES. Knowing the name of the storm won't keep you dry, but it provides a way to organize all the data points, and enables different meteorologists to know what the other is referring to. Does it matter to you if it is a blizzard or a hurricane? Does the rate of wind speed, anticipated rainfall, timing and severity of the storm, etc. enable you to prepare? It SHOULD matter...because it will enable you to better prepare and to mitigate the consequences of the storm.
The same philosophy applies to IT Security. Knowing who is attacking you, what their tactics are, what their objectives are, etc. will allow you to look for them in your environment, prioritize your response, and mitigate the consequences of the attack (through more efficient and speedier detection of the attacks.) Intelligence allows you to "peer around the corner" to see what's coming. Today's completely connected environment, with aggressive and sophisticated adversaries from around the globe, requires us to change from purely defensive and reactive to "proactive." That is, knowing your adversary so you can hunt, identify, and defeat them within your network. "Defense in depth," while still important, will not work any longer. Sorry John...you better be be on the lookout for Pandas and Bears.... :) ]

---

STORM CENTER TECH CORNER

United Airlines Announces Bug Bounty Program
-http://www.united.com/web/en-US/content/contact/bugbounty.aspx

Cisco Patches for Telepreence TC and TE Software
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
150513-tc

APT Botnet Uses MSFT Technet Forum as C&C
-https://github.com/fireeye/iocs

No activation lock for Apple Watch
-http://www.theguardian.com/technology/2015/may/14/concerns-raised-over-apple-wat
ch-lack-of-theft-protection

Open Source PKI Management Software
-http://pki.io

VENOM Virtual Machine Escape
-http://venom.crowdstrike.com

Verizon Mobile API Leaks User Data
-http://randywestergren.com/multiple-vulnerabilities-in-verizons-fios-mobile-api-
exposing-customer-information/

SAP Vulnerabilities
-http://www.coresecurity.com/advisories/sap-lzclzh-compression-multiple-vulnerabi
lities

Angler EK Delivers Newish Crypto Ransomware
-https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ranso
mware/19681/

Recent Dridex Activity
-https://isc.sans.edu/forums/diary/Recent+Dridex+activity/19687/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/