SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #41

May 26, 2015

Those who attended SANSFIRE in past years know it offers one of the richest, most in-depth and up-to-date programs of expert security presentations in the world, and the presentations are included at no cost for the 1,000 students who attend SANS courses at SANSFIRE. The presenters are mostly Internet Storm Center handlers; they staff the early warning system for cyber attacks.

SANSFIRE starts in 3 weeks.
http://www.sans.org/event/sansfire-2015

---

TOP OF THE NEWS

Senate Blocks PATRIOT Act Reauthorization
San Bernardino Sheriff's Office Used Stingray 300 Times Without Warrant
Intelligence Agencies Planned to Place Spyware on Smartphones

THE REST OF THE WEEK'S NEWS

Attack Uses Cross-Site Request Forgery to Compromise DNS Servers on Routers
Section 215 Powers Did Not Contribute to Major FBI Cases
eBay Working on Fix for Flaw That Could be Exploited to Execute Malicious Code
DDoS Attack Hits University of London Computer Centre
Astoria Tool Reduces Number of Vulnerable Tor Connections
Pacific Gas & Electric Improved SCADA Following Pipeline Explosion
Medical Management LLC Breach Affects Patients in at Least Three States

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec ***************************
Cybercrime: New Tricks of the Trade Knowing how cybercriminals are threatening security is the first step to securing your information-and your company's goals. From social media vulnerabilities to digital extortion, the 2015 Symantec(TM) Internet Security Threat Report leverages an unparalleled amount of data and is the resource you need to quickly uncover digital threats. http://www.sans.org/info/177920
***************************************************************************

TRAINING UPDATE


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.


For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Senate Blocks PATRIOT Act Reauthorization (May 23, 2015)

In a 57-42 vote last week, the US Senate blocked reauthorization of the USA PATRIOT Act, which is set to expire at the end of this month.
-http://www.scmagazine.com/news-alert-senate-blocks-usa-patriot-act-reauthorizati
on/article/416488/
-http://www.npr.org/2015/05/23/408927009/senate-blocks-patriot-act-extension

San Bernardino Sheriff's Office Used Stingray 300 Times Without Warrant (May 24, 2015)

The San Bernardino (California) County's Sheriff's Department has used cell-site simulator technology more than 300 times in a two-year period without obtaining a warrant. Information obtained through a public records request includes a pen register and tape and trace order application, which county lawyers incorrectly referred to as a warrant application.
-http://arstechnica.com/tech-policy/2015/05/county-sheriff-has-used-stingray-over
-300-times-with-no-warrant/

Intelligence Agencies Planned to Place Spyware on Smartphones (May 21 & 22, 2015)

Five Eyes intelligence agencies - those from Canada, the US, the UK Australia, and New Zealand - discovered a vulnerability in UC Browser as part of a plan to intercept data stream between mobile application stores and smartphones. The agencies formed a group called the Network Tradecraft Advancement Team to explore ways to put spyware on targets' smartphones. There is some concern that the vulnerability the agencies found in UC Browser was leaking data and that the issue was not made public.
-http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-im
plant-spyware-1.3076546
-http://www.eweek.com/security/spy-agencies-target-links-to-google-mobile-app-sto
res-reports-claim.html
[Editor's Note (Pescatore): This was an example of a targeted intelligence operation, which is a good thing. However, while the UC Browser is not widely used in the "Five Eyes" countries, the lack of disclosure points out yet again why having intelligence agencies responsible for defense (along with offense in cyber) doesn't lead to stronger defense. ]

---

**************************** SPONSORED LINKS ******************************
1) The Tor network is rising in popularity as infrastructure for malicious Web activity and as a vector for cyber attacks. Using threat intelligence to monitor Tor exit nodes and defend yourself better--webcast with Dr. Christopher Ahlberg, Co-founder and CEO of Recorded Future, on June 3, 1pm ET. http://www.sans.org/info/177925

2) At the 3rd Annual Industrial Control Systems Security Briefing learn about key solution capabilities. Event is free to Oil & Gas constituents as well as ICS -Houston training event students. http://www.sans.org/info/177930

3) What are the biggest challenges to data center and cloud security? Take Survey - Enter to Win a $400 Amazon Gift Card! http://www.sans.org/info/177935
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Attack Uses Cross-Site Request Forgery to Compromise DNS Servers on Routers (May 25, 2015)

Researchers have observed a web attack tool that aims to replace the Domain Name System (DNS) servers on routers with rogue DNS servers. Thus would allow the attackers to intercept traffic, spoof websites, return manipulated search queries, and inject ads of their choosing. A "drive-by attack" was found to be redirecting Internet users to an exploit kit that aims to compromise routers. The "drive-by attacks" used code that determined which router models Google Chrome users were using and then replace the DNS servers on those routers with their own malicious ones. Even if routers are not set up to be remotely administrated, they can be compromised through what is known as a cross-site request forgery.
-http://www.computerworld.com/article/2925580/cybercrime-hacking/large-scale-atta
ck-uses-browsers-to-hijack-routers.html
[Editor's Note (Pescatore): This attack has been around since 2008, the exploit kit even looks for the old vulnerabilities. Home routers aren't easy to update and manufacturers and ISPs are negligent in never warning or prompting their customers to do software updates. (Northcutt): The venerable Cross-Site Request Forgery (CSRF) attack meets the Internet of Things requiring the crooks to use Big Data techniques. In this case, (mostly) home and small business routers. Veracode has a good discussion on CSRF. The problem seems to be worst on D-Link/TP-Link routers, but I am guessing the bad guys intend to compile a huge database that can be used to leverage new security holes in home routers. Until they have a large enough database to support a targeted campaign such as "Bank of XYZ users with XYZ-Link home routers" the bad guys are limited in the damage they can cause. Even then they would have to direct the intended victims through a proxy to acquire their login page image and if the bank customer uses two factor authentication such as an SMS message code BEFORE putting in their password it seems to be more trouble than its worth:
-http://www.veracode.com/security/csrf
-http://www.zdnet.com/article/the-internet-of-things-and-big-data-unlocking-the-p
ower/
-http://www.pcworld.com/article/2889992/dlink-remote-access-vulnerabilities-remai
n-unpatched.html
-http://www.pcworld.com/article/2104380/attack-campaign-compromises-300000-home-r
outers-alters-dns-settings.html
-https://twofactorauth.org]

Section 215 Powers Did Not Contribute to Major FBI Cases (May 22, 2015)

According to a report from the US Justice Department's Inspector General, the FBI was unable to identify even one major case between 2007 and 2009 that had been solved thanks to the broad surveillance powers authorized by Section 215 of the USA PATRIOT Act. The FBI said the powers are useful when there is no other way to get the targeted information.
-http://www.zdnet.com/article/fbi-didnt-crack-a-single-terror-plot-with-patriot-a
ct-spying-powers/
-https://oig.justice.gov/reports/2015/o1505.pdf#page=1

eBay Working on Fix for Flaw That Could be Exploited to Execute Malicious Code (May 23, 2015)

eBay is working to provide a fix for a vulnerability that could be exploited to spread malware. The issue is similar to another flaw that has already been fixed. That vulnerability, known as a reflected file download flaw, could have been exploited to trick users into downloading and opening what appeared to be a legitimate file from an eBay domain.
-http://www.theregister.co.uk/2015/05/23/beware_forms_that_arent_ebay_hit_by_seri
ous_security_problem/

DDoS Attack Hits University of London Computer Centre (May 22 & 23, 2015)

A distributed denial-of-service (DDoS) attack caused the University of London Computer Centre (ULCC) to be unavailable for several hours on Thursday, May 21. Millions of students were unable to access ULCC's IT services, which proved especially frustrating coming so close to exam time. The ULCC's learning platform, Moodle, provides services to more than 300 educational institutions.
-http://www.computing.co.uk/ctg/news/2409906/university-of-london-computer-centre
-hit-by-cyber-attack
-http://www.theregister.co.uk/2015/05/22/university_of_london_ddos_attack/
-http://www.v3.co.uk/v3-uk/news/2409933/ulcc-ddos-attack-causes-it-meltdown-for-m
illions-of-students

Astoria Tool Reduces Number of Vulnerable Tor Connections (May 22, 2015)

Academic researchers in Israel and the US have developed a new Tor client aimed at thwarting intelligence agencies' traffic analysis of the Tor network. Dubbed Astoria, the tool reduces the percentage of vulnerable Tor connections from 58 percent of users to just 5.8 percent of users. Astoria plans to use a new relay-selection algorithm. Using traffic analysis for de-anonymizing efforts is a sophisticated endeavor, but intelligence agencies of large countries have the means.
-http://www.theregister.co.uk/2015/05/22/new_relay_selection_for_tor_to_spoil_spo
oks_fun/
-https://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf
[Editor's Note (Murray): One should not bet one's life on the assumption that Tor has not been compromised by nation states. ]

Pacific Gas & Electric Improved SCADA Following Pipeline Explosion (May 22, 2015)

Pacific Gas and Electric (PG&E) has implemented 10 of the 12 safety recommendations made by the National Transportation Safety Board after the 2010 San Bruno pipeline explosion. PG&E's SCADA improvements have gone above and beyond NTSB's recommendations, allowing the organization "to move from an observe-and-respond approach to a predict-and-prevent approach."
-http://www.fierceenergy.com/story/pacific-gas-and-electric-nearly-done-ntsb-safe
ty-recommendations/2015-05-22

Medical Management LLC Breach Affects Patients in at Least Three States (May 15 & 22, 2015)

Grand View Health in Pennsylvania has issued a notice stating that a third party medical billing company, Medical Management, LLC (MML), has alerted them that a former employee copied patient data and may have shared them with other individuals. The breach affects hospitals in at least three states: Pennsylvania, New Jersey, and New York. MML is in the process of notifying affected individuals. The employee who allegedly took the data worked at MML from February 2013 to March 2015.
-https://www.gvh.org/notice-to-patients-of-privacy-incident/
[Editor's Note (Murray): Our traditional approach to security of personal data, based upon obscurity and good intentions has failed. We have nothing left to hide. It is time to move to a system based upon transparency and penalties. Tell me every time anyone accesses, uses, or sells your copy of my information; pay penalties when you fail. ]

---

STORM CENTER TECH CORNER

Minecraft Scareware Targeting Android Users
-http://www.welivesecurity.com/2015/05/22/scareware-fake-minecraft-apps-scare-hun
dreds-thousands-google-play/

Z-Way Home Automation Gateway Vulnerabilities
-http://randywestergren.com/z-way-home-automation-part-2-an-analysis-of-publicly-
vulnerable-gateways/

Carbanak C&C Servers Now Pointing to Russian FSB IP Space
-http://blog.trendmicro.com/trendlabs-security-intelligence/joke-or-blunder-carba
nak-cc-leads-to-russia-federal-security-service/

Adult Friend Finder Hacked
-https://teksecurityblog.com/blog/2015/04/13/hacked-how-safe-is-your-data-on-adul
t-social-sites/

Android Factory Reset Not Reliable
-http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/