SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #42

May 29, 2015


A powerful force for improving cyber hygiene is emerging as insurance companies take an increasingly tough line in computer crime cases, perhaps because they are getting sick of paying out large sums for avoidable incidents - particularly over something as obvious as insecure FTP access, or late patching. See the 3rd story under Top of the News this week.

Alan

TOP OF THE NEWS

Senate Fails to Pass PATRIOT Act Reauthorization; House Passes USA Freedom Act
Data Thieves Steal Taxpayer Information Through IRS Get Transcript Application
Insurance Company Suing Healthcare Company to Recoup Breach Payout

THE REST OF THE WEEK'S NEWS

Grabit Malware Targets Small- and Medium-Sized Organizations
Google Identity Platform Aims to Improve App Security
Moose Router Worm
Apple Working on Fix for iOS Vulnerability that Can be Exploited to Crash iPhones
Locker Ransomware Waits for Instructions to Launch
Android Ransomware
Skype in Belgian Court Over Refusal to Allow Wiretap
A Closer Look at Claims of Hacking Commercial Aircraft

STORM CENTER TECH CORNER



************************* Sponsored By RSA *****************************
Cloud and mobile are forcing organizations to look for new ways to secure and govern access. Shut down rogue access with RSA Via(TM) - RSA's Next Generation Smart Identity solution that protects from the endpoint to the cloud. Watch the webcast to see how Via Lifecycle, Governance & Access provides secure access to SaaS & on-premise applications. http://www.sans.org/info/178035
***************************************************************************

TRAINING UPDATE


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions led by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -ICS Security Training Houston | Houston, TX | June 1-5, 2015 | 5 courses.
http://www.sans.org/u/3gH


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Dublin, Minneapolis, Delhi, and Milan all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Senate Fails to Pass PATRIOT Act Reauthorization; House Passes USA Freedom Act (May 26 & 27, 2015)

The US House of Representatives has passed the USA Freedom Act, which reauthorizes, with changes, PATRIOT Act provisions that are set to expire at the end of the month. The Senate failed to pass either the bill or a straight extension of the expiring provisions. Under the House bill, law enforcement would still be able to obtain mobile communications metadata, but the telecommunications providers would retain the data and law enforcement would have to seek it with a warrant.
-http://www.theregister.co.uk/2015/05/27/us_senate_freedom_nsa_laws/
-http://www.scmagazine.com/usa-freedom-act-and-section-215-extension-fail-in-senate/article/416741/

The Patriot Act may be dead forever
-http://www.thedailybeast.com/articles/2015/05/28/the-patriot-act-may-be-dead-for-good.html

Data Thieves Steal Taxpayer Information Through IRS Get Transcript Application (May 26, 2015)

The US Internal Revenue Service (IRS) has acknowledged that thieves stole personally identifiable information belonging to more than 100,000 taxpayers through the agency's Get Transcript online service. The thieves appear to have already held enough personal information about the victims, gathered from other sources before the attack, to pass the service's identity-verification steps and retrieve the transcripts.
-http://www.darkreading.com/attacks-breaches/irs-breach-exposes-100000-taxpayers-tax-returns-other-data/d/d-id/1320566?

-http://www.wired.com/2015/05/hackers-hit-irs-access-100000-taxpayers-files/
-http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html?ref=technology

-http://www.computerworld.com/article/2926351/security/thieves-stole-data-on-100000-taxpayers-via-irs-app.html

IRS:
-http://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application

Insurance Company Suing Healthcare Company to Recoup Breach Payout (May 28, 2015)

The Columbia Casualty Company is suing Cottage Healthcare Systems to recover the US $4.1 million it paid to Cottage patients after data thieves stole 32,500 patient records. Columbia maintains that Cottage failed to meet the minimum security standards for its network required by the policy Cottage held with Columbia. Among the failures alleged in the lawsuit are leaving default settings in place on security devices and not applying patches within 3 days of their release.
-http://www.theregister.co.uk/2015/05/28/cottage_healthcare_system_sued/


**************************** SPONSORED LINKS ******************************
1) The Tor network is rising in popularity as infrastructure for malicious Web activity and as a vector for cyber attacks. Live demo and briefing--using threat intelligence to monitor Tor exit nodes for better defense--with Dr. Christopher Ahlberg, Co-founder and CEO of Recorded Future, on June 3, 1pm ET. http://www.sans.org/info/178040

2) In conjunction with the ICS - Houston training event, SANS is pleased to offer the 3rd Annual Industrial Control Systems Security Briefing, providing the opportunity to engage in dialog around ICS Security and learn about key solution capabilities. Event is free to Oil & Gas constituents as well as ICS -Houston training event students. http://www.sans.org/info/178045

3) What security/data protection technology is your org using in the cloud environment? Take survey, enter to win $400 Amazon Gift Card. http://www.sans.org/info/178050
***************************************************************************

THE REST OF THE WEEK'S NEWS

Grabit Malware Targets Small- and Medium-Sized Organizations (May 28 & 29, 2015)

A new strain of malware dubbed Grabit targets small- and medium-sized companies in media, education, nanotechnology, and other sectors. Grabit has stolen thousands of documents since the attack campaign began in February 2015.
-http://www.theregister.co.uk/2015/05/29/grabit_smb_campiagn/
-http://www.darkreading.com/endpoint/small-to-mid-sized-organizations-targeted-by-grabit-cyberspies/d/d-id/1320613

Google Identity Platform Aims to Improve App Security (May 28, 2015)

The Google Identity Platform is intended to help developers build apps that protect users' privacy and security. It is a set of tools that lets developers add password management, identity verification, and single sign-on across related apps and websites.
-http://www.cnet.com/news/google-beefs-up-user-identity-safety-net-for-apps/

Moose Router Worm (May 27 & 28, 2015)

A worm known as Moose is infecting Linux-based home routers. Moose attempts to take control of a router by brute-force guessing its login password. Once it has compromised a router, it harvests access credentials for social media accounts and uses those accounts to inflate follower and viewer counts.
-http://www.bbc.com/news/technology-32915997
-http://www.darkreading.com/perimeter/moose-malware-uses-linux-routers-for-social-network-fraud/d/d-id/1320583

-http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf

Apple Working on Fix for iOS Vulnerability that Can be Exploited to Crash iPhones (May 27 & 28, 2015)

A security flaw in Apple's iOS can be exploited to crash and reboot iPhones by sending a text message that contains a particular string of Unicode characters. The attack is currently being used as a prank; while annoying - the phone crashes and has to restart - it does not corrupt data or cause other harm. Apple is working on a fix for the problem, which lies in iMessage.
-http://www.zdnet.com/article/apple-working-on-fix-for-bug-that-crashes-iphones-with-a-text-message/

-http://www.theregister.co.uk/2015/05/27/text_message_unicode_ios_osx_vulnerability/

-http://www.wired.com/2015/05/hack-brief-theres-new-iphone-text-message-attack/

Locker Ransomware Waits for Instructions to Launch (May 27, 2015)

Ransomware known as Locker can lie dormant until its operators activate it. Some of the affected computers are believed to have been infected several months before the attack was triggered on Monday, May 25. Once activated, Locker encrypted files on the infected computers and demanded 0.1 Bitcoin to restore access to the data.
-http://www.scmagazine.com/alert-warns-it-managers-of-locker-ransomware/article/416995/

Android Ransomware (May 26, 2015)

Ransomware targeting users of Android devices pretends to be an update for Adobe Flash Player. Once the user clicks on the phony update, the malware displays what appears to be a warning from the FBI about the user's viewing of online pornography. The warning includes phony screenshots of what appears to be an incriminating browsing history.
-http://www.theregister.co.uk/2015/05/26/android_ransomware_mobile_scam_fbi/

Skype in Belgian Court Over Refusal to Allow Wiretap (May 26 & 28, 2015)

A Belgian court has summoned Skype to answer for its refusal to let authorities tap suspects' Skype communications as part of a criminal investigation. The question at the heart of the case is whether Skype, a VoIP service owned by Microsoft, can be treated as a telecommunications operator under Belgian law.
-http://www.irishtimes.com/business/technology/skype-put-on-hold-until-belgian-court-makes-call-on-internet-telephony-1.2228423

-http://www.nasdaq.com/article/belgian-court-summons-skype-over-refusal-to-allow-wiretaps--update-20150526-01008

A Closer Look at Claims of Hacking Commercial Aircraft (May 26, 2015)

Chris Roberts made headlines recently when an FBI agent revealed that Roberts claimed to have accessed an aircraft's network during a flight and caused a slight change in the aircraft's course. This article examines the claims and how plausible they are.
-http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/

STORM CENTER TECH CORNER

Angler Exploit Kit Pushing CryptoWall 3.0
-https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737/

Oracle PeopleSoft Password Reset Weakness
-http://conference.hitb.org/hitbsecconf2015ams/sessions/oracle-peoplesoft-applications-are-under-attack/

Synology Command Injection Vulnerability
-https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html

Made to Order Crypto Ransomware
-https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us

Microsoft Will Consider Search Protection Malicious
-http://blogs.technet.com/b/mmpc/archive/2015/05/26/detection-changes-search-protection-code.aspx

JavaScript Bot Client Control via Twitter
-https://github.com/Plazmaz/JSBN

Possible WordPress Botnet C&C: errorcontent.com
-https://isc.sans.edu/forums/diary/Possible+Wordpress+Botnet+CC+errorcontentcom/19733/

CSRF Used To Attack Home Routers
-http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/