SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #40

May 22, 2015

TOP OF THE NEWS

CareFirst BlueCross BlueShield Breach
Dating Site Hackers Expose Details Of Millions Of Users
Export License for Zero-Days

THE REST OF THE WEEK'S NEWS

Medical Device Security Guidance for Developers
mSpy Acknowledges Database Breach
Password Security Questions Easy to Guess
NetUSB Vulnerability Affects Routers and Internet of Things Devices
FCC Policy Means Broadband Providers Must Adhere to Stricter Privacy Rules
Android Factory Reset Does Not Always Clear Data
Logjam Flaw
Chrome 43 Promoted to Stable Channel
Airbus Warns of Software Flaws in Engine Electronic Control Units
St. Louis Federal Reserve DNS Servers Breached

STORM CENTER TECH CORNER


****************** Sponsored By WhiteHat Security ***********************
Don't risk it - Using a risk-based approach to increase the security of web apps and other IT assets. Thursday, May 28 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Demetrios Lazarikos. Discussion on how to transform application security with a business-focused approach to managing risk. Relevant to CISOs and security managers who are looking to establish proven processes for identifying, reducing and communicating application security risk levels.
http://www.sans.org/info/177900
***************************************************************************

TRAINING UPDATE


- -SANS Pen Test Austin 2015 | Austin, TX | May 18-May 23, 2015 | 9 courses. Evening sessions include The State of the Takedown: Disrupting Online Cybercrime; and Unconventional Linux Incident Response.
http://www.sans.org/u/2bG


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency": Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

CareFirst BlueCross BlueShield Breach (May 21, 2015)

CareFirst BlueCross BlueShield has acknowledged that an attack on one of its databases compromised the personally identifiable information of 1.1 million customers. The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers.
-http://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/
-http://www.computerworld.com/article/2925176/cybercrime-hacking/health-insurer-carefirst-says-2014-cyberattack-affected-11m.html
-http://www.darkreading.com/attacks-breaches/11-million-hit-in-another-bluecross-blueshield-breach/d/d-id/1320513?

[Editor's Note (Murray): We have nothing left to hide. Only partly as the result of massive and repeated breaches of firms like eBay, Anthem and Target, all information about us is now for sale, often in bulk for pennies, in white and black markets. Security based upon shared secrets like credit card numbers, social security numbers, and passwords is no longer effective. Strong authentication can help but we need to rely on prompt notification of transactions and the white market sale of personal information. The former is now simply an essential practice already used by such firms as Amazon, American Express, some banks, and others; we need to demand it of all those with whom we do business. The latter will require legislative revocation of the privilege granted in law which allows credit bureaus and data brokers to charge the subjects of information that they sell about them for being notified of such sales. Fees as high as $15 per month are common and sufficiently high as to discourage the use of this control. (One salutary result of having one's information compromised in a breach is that the breached enterprise may pay that fee at least for a time. Thank you Anthem!) ]

Dating Site Hackers Expose Details Of Millions Of Users (May 23, 2015)

Adult FriendFinder's 3.9 million users' sexual preferences and personal details were compromised after a hacker posted stolen data. Details of users' sexual preferences - including whether they are gay or straight, and whether they are seeking extramarital affairs - have been compromised, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users' computers. The dating site bills itself as a "thriving sex community" where users can share sensitive sexual information.
-http://www.theguardian.com/lifeandstyle/2015/may/21/adult-friendfinder-dating-site-hackers-expose-users-millions

Export License for Zero-Days (May 21, 2015)

The US Department of Commerce has proposed changes to the Wassenaar Agreement, seeking to impose more stringent rules for the export of zero-day exploits to entities outside the country. The proposal would apply to intrusion software and other "dual-use" products.
-http://www.zdnet.com/article/us-clamps-down-on-zero-day-exploits-says-sales-should-require-an-export-license/
-http://www.theregister.co.uk/2015/05/20/us_export_controls_0days/
-http://www.computerworld.com/article/2925339/security/us-proposes-tighter-export-rules-for-computer-security-tools.html

-https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf
[Editor's Note (Murray): I have never been happy with what passes for "responsible" disclosure of vulnerabilities and the publication of "proof of concept" exploitation code. The emergence of the black market in this information has aggravated what was already a security problem. That said, I am not sanguine about this proposal as a way to fix it.
(Northcutt): We have been here before; for a quick buck, start selling "Zero Day T-Shirts" so you can grab the trademark:
-http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States]


**************************** SPONSORED LINKS ******************************
1) Securing the mobile workforce. Attend Webcast May 21 at 1 pm EDT for 2015 survey results. http://www.sans.org/info/177905

2) What are the biggest challenges to data center and cloud security? Take Survey - Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/177910

3) What IS and ISN'T working in Incident Response? Take 2015 Survey & Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/177915
***************************************************************************

THE REST OF THE WEEK'S NEWS

Medical Device Security Guidance for Developers (May 21, 2015)

A paper titled "Building Code for Medical Device Software Security" offers guidance for developers. The purpose of the document "is not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts ... on a reasonable model code for the industry to apply."
-http://www.scmagazine.com/guidance-meant-to-reduce-the-risk-of-malicious-attacks-on-medical-devices/article/416163/
-http://cybersecurity.ieee.org/images/files/images/pdf/building-code-for-medica-device-software-security.pdf

mSpy Acknowledges Database Breach (May 21, 2015)

mSpy, a company that sells software that people can use to spy on others, has admitted that attackers broke into its systems and stole data. mSpy had initially denied allegations that its systems were breached. The company says that the breach affects 80,000 customers, not the 400,000 reported in earlier stories.
-http://www.bbc.com/news/technology-32826678

Password Security Questions Easy to Guess (May 21, 2015)

Google's analysis of hundreds of millions of password security questions found that it would be easy for people intent on gaining access to someone's account to do so. Guesses yielded correct results a surprising amount of the time. Rather than adding more questions, Google advises users to update their account information with a phone number or secondary email address to help prevent accounts from being taken over.
-http://abcnews.go.com/Technology/google-reveals-problem-password-security-questions/story?id=31204819
-http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43783.pdf

[Editor's Note (Pescatore): As the Starbucks stored value card incident recently pointed out, just adding a phone number or email address contact to a password is useless if you can change the phone number/email address by just knowing the password - phished or guessed passwords are used to change the phone number/email address. Need to require two-factor auth to change any one of the factors.
(Murray): The proper use of challenge-response can be an effective factor in strong authentication schemes. However, both my own observation and Google's research suggest that it is poorly understood and used. Many implementations use too few, poorly chosen, challenges too often. I like Google's implementation of strong authentication using one-time passwords sent out of band to phone numbers of the user's choice; I am not sure that we need challenge-response. However, I am not yet ready to remove it from my tool-kit because of poor implementations. It remains particularly useful for authenticating telephone callers to support and customer service lines. ]

NetUSB Vulnerability Affects Routers and Internet of Things Devices (May 20 & 21, 2015)

An unchecked input flaw in the NetUSB device sharing service could be exploited to execute code remotely or cause denial-of-service conditions. The issue affects several routers from numerous vendors, including TP-Link, D-Link, and Trendnet, as well as from ZyXEL Communications and Netgear, which have said that they plan to release patches for the issue in the coming months.
-http://www.computerworld.com/article/2925046/network-hardware-solutions/netgear-and-zyxel-confirm-netusb-flaw.html
-http://arstechnica.com/security/2015/05/90s-style-security-flaw-puts-millions-of-routers-at-risk/
-http://www.zdnet.com/article/netusb-flaw-leaves-millions-of-routers-iot-devices-vulnerable-to-hacking/

[Editor's Note (Murray): One infers that these hardware vendors used software from a common source without sufficient reason to trust that code. ]

FCC Policy Means Broadband Providers Must Adhere to Stricter Privacy Rules (May 21, 2015)

The US Federal Communications Commission (FCC) is notifying Internet providers to let them know that they are now subject to stringent privacy regulations. These regulations are attributed to the FCC's net neutrality rules. Broadband providers are subject to the same rules that protect landline phone service customer data. The providers cannot share customer information with other entities without express permission from the customer.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/21/the-fcc-warns-internet-providers-theyre-on-the-hook-now-for-user-privacy/

Android Factory Reset Does Not Always Clear Data (May 21, 2015)

Researchers at Cambridge University have found that as many as 500 million Android phones contain a security issue that could expose data even after the factory reset option is run. The researchers were able to recover data, including login credentials, text messages, and emails, from supposedly wiped devices.
-http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/

Logjam Flaw (May 19 & 20, 2015)

Tens of thousands of HTTPS domains contain a vulnerability in the transport layer security protocol that the sites use to establish encrypted communications with users. The Logjam vulnerability can be exploited to access and modify data traveling through encrypted connections. The problem can be traced to export restrictions the US government imposed twenty years ago.
-http://www.zdnet.com/article/logjam-security-flaw-leaves-tens-of-thousands-of-https-websites-vulnerable/
-http://www.wired.com/2015/05/new-critical-encryption-bug-affects-thousands-sites/
-http://www.darkreading.com/vulnerabilities---threats/logjam-encryption-flaw-threatens-secure-communications-on-web/d/d-id/1320511?
-http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

-https://weakdh.org
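The Logjam item above comes down to the size of the Diffie-Hellman group a TLS server offers: export-era rules capped DH at 512 bits, and a downgrade to such a group is what makes the traffic recoverable. The following is an added example, not code from the NewsBites issue or from weakdh.org. It parses the ServerDHParams structure that a TLS 1.2 server sends in its ServerKeyExchange message (RFC 5246, section 7.4.3) with bounds checks on every length field, and grades the prime's bit length against a policy threshold of my choosing (assumed, not from the page). The sample primes and public values are constructed placeholders chosen only for their bit length.

```python
"""Added example for the Logjam item (not code from the NewsBites issue or
from weakdh.org): parse the ServerDHParams structure a TLS 1.2 server sends
in its ServerKeyExchange message (RFC 5246, section 7.4.3) and grade the
Diffie-Hellman group size, the value a downgrade to export-grade 512-bit
DH weakens.  All byte strings used below are constructed, not captured."""
import struct


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body: three opaque<1..2^16-1> fields (dh_p,
    dh_g, dh_Ys), each a 2-byte big-endian length followed by the value."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(data: bytes) -> dict:
    """Parse dh_p, dh_g and dh_Ys out of a ServerDHParams body, checking
    every length against the remaining buffer before reading it."""
    off = 0
    fields = {}
    for name in ("p", "g", "Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated before the length of dh_{name}")
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"invalid length {length} for dh_{name}")
        fields[name] = int.from_bytes(data[off:off + length], "big")
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after dh_Ys")
    # bit_length() of the integer ignores any leading zero padding bytes.
    fields["p_bits"] = fields["p"].bit_length()
    return fields


def grade_dh_group(p_bits: int) -> str:
    """Policy thresholds assumed for this example: 512 bits or less is
    export-grade, below 2048 bits is weak, 2048 bits and up is acceptable."""
    if p_bits <= 512:
        return "export-grade"
    if p_bits < 2048:
        return "weak"
    return "acceptable"


def assess_server_key_exchange(data: bytes) -> str:
    """Parse a ServerDHParams body and return the grade of its group."""
    return grade_dh_group(parse_server_dh_params(data)["p_bits"])


# Constructed sample primes: odd numbers with the top bit set so that their
# bit lengths are exactly 512 and 2048.  They stand in for real group
# primes and are NOT safe primes; only their size matters to this check.
EXPORT_P = (1 << 511) | 1
STRONG_P = (1 << 2047) | 1
SAMPLE_EXPORT_SKE = encode_server_dh_params(EXPORT_P, 2, (1 << 510) | 3)
SAMPLE_STRONG_SKE = encode_server_dh_params(STRONG_P, 2, (1 << 2046) | 3)

if __name__ == "__main__":
    for label, body in (("export-grade sample", SAMPLE_EXPORT_SKE),
                        ("2048-bit sample", SAMPLE_STRONG_SKE)):
        params = parse_server_dh_params(body)
        print(f"{label}: p is {params['p_bits']} bits -> "
              f"{grade_dh_group(params['p_bits'])}")
```

Run stand-alone, the script grades the constructed 512-bit body as export-grade and the 2048-bit body as acceptable. The same parser can be pointed at a ServerKeyExchange body captured from a real handshake (after the signature and ECDHE cases are excluded) to audit what a server actually offers, which is the check weakdh.org performs from the outside.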

Chrome 43 Promoted to Stable Channel (May 20 & 21, 2015)

On Tuesday, May 19, Google moved Chrome 43 to the stable channel. The newest stable version of Chrome includes fixes for 37 security flaws, six of which were given "high" security ratings. Chrome 43 is available for Windows, Mac, and Linux.
-http://www.scmagazine.com/chrome-43-patches-37-vulnerabilities/article/415884/
-http://www.ibtimes.co.uk/google-chrome-43-stable-channel-web-browser-available-download-supports-online-music-composition-1502289

[Editor's Note (Pescatore): Seems like it has been a long time since I heard "The {Chrome, Firefox, IE} update broke this app," which is a good thing since it enables faster, or even continuous patching - once IT gets over thinking there is still any good reason everything has to be on an identical version/image. ]

Airbus Warns of Software Flaws in Engine Electronic Control Units (May 19 & 20, 2015)

The crash of a military plane in Spain earlier this month may have been the result of buggy software. The Airbus A400M aircraft crashed after an unsuccessful emergency landing during a test flight. The software issue may have caused three of the four engines on the plane in Spain to shut down; all four crew members aboard were killed. Airbus has notified its customers to warn them to do "specific checks of the Electronic Control Units on each of the aircraft's engines."
-http://www.bbc.com/news/technology-32810273
-http://www.theregister.co.uk/2015/05/20/airbus_warns_of_a400m_software_bug/
-http://arstechnica.com/information-technology/2015/05/airbus-investigates-engine-software-as-cause-of-troop-transport-crash/

Airbus Statement:
-http://airbusdefenceandspace.com/newsroom/news-and-features/statement-regarding-alert-operator-transmission-aot-to-a400m-operators/

St. Louis Federal Reserve DNS Servers Breached (May 18 & 20, 2015)

Attackers hijacked the domain name servers of the St. Louis Federal Reserve so that site visitors were redirected to malicious web pages. The computers of people who visited the phony pages may have been infected with malware, and their access credentials may have been stolen. The attack was detected on April 24. The DNS provider has not been identified.
-http://www.computerworld.com/article/2923845/security/st-louis-federal-reserve-forces-password-change-after-dns-attack.html

-http://krebsonsecurity.com/2015/05/st-louis-federal-reserve-suffers-dns-breach/
[Editor's Note (Pescatore): This looks like the Fed's Domain Name registrar, eNom, was compromised. Back in 2008/2009 there was a flurry of attacks against registrars and ICANN kicked off some initiatives looking to improve the consistency of security across the ever growing list of registrars, but I'm not sure anything has actually changed yet. ]

STORM CENTER TECH CORNER

Ransomware Response Kit
-https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview

"Ersatz Passwords"
-https://www.meshekah.com/research/publications_files/tr_ersatz_passwords.pdf

Exploit Kit Delivers Necurs
-https://isc.sans.edu/forums/diary/Exploit+kits+delivering+Necurs/19719/

Latest eFax Malspam
-https://isc.sans.edu/forums/diary/UpatreDyre+malspam+Subject+eFax+message+from+unknown/19713/

Trojaned Version of PuTTY SSH Client
-http://www.symantec.com/connect/blogs/check-your-sources-trojanized-open-source-ssh-software-used-steal-information

Electronic Billboard Hacking
-http://www.wsbtv.com/news/news/local/fbi-investigating-after-pornographic-image-appears/nmGJr/

False Positive: DNS Queries for settings-win.data.microsoft.com
-https://isc.sans.edu/forums/diary/False+Positive+settingswindatamicrosoftcom+resolving+to+Microsoft+Blackhole+IP/19711/

IoT Roundup: Apple Watch Patches and Honeypot Summary
-https://isc.sans.edu/forums/diary/IoT+roundup+Apple+Watch+Patches+Router+Vulnerabilities/19709/

iOS 8.3 Security Guide
-https://www.apple.com/business/docs/iOS_Security_Guide.pdf



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/