SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #45

June 09, 2015

TOP OF THE NEWS

House Funding Bill Limits Surveillance
California Legislation Would Require Warrants to Search Digital Devices
US Government Sites to Adopt HTTPS

THE REST OF THE WEEK'S NEWS

More Serious Vulnerabilities in Drug Infusion Pumps
Medical Device Vulnerabilities Used to Gain Access to Hospital Data
US Army Takes Defaced Website Offline
MalumPOS Malware
Universities Adopt Two-Factor Authentication
Eataly Acknowledges Breach at New York Market
US Military Weapons Code Security Problems
Legislators Urge FBI to Abandon Demand for Backdoors in Encryption

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec **************************
Avoid Failure - A Case for Incident Response
It's not a question of if, but when your organization will suffer a security incident. This is the new reality. Join this webcast to hear Symantec and leading analyst Forrester Research provide insights on the importance of incident management.
http://www.sans.org/info/178242

***************************************************************************

TRAINING UPDATE


- -SANSFIRE 2015 | Baltimore, MD | June 13-20, 2015 | 44 courses plus 18 bonus evening sessions lead by Internet Storm Center (ISC) handlers, including The State of the Takedown: Disrupting Online Cybercrime; Continuous Monitoring and Real-World Analysis; Unconventional Linux Incident Response; and "Network Security as Counterinsurgency" Replacing the Art of War with FM 3-24.
http://www.sans.org/u/3hl


- -SANS Rocky Mountain 2015 | Denver, CO | June 22-27, 2015 | 8 courses. Bonus evening sessions include Jailbreak/Root Workshop for Mobile Devices and The 13 Absolute Truths of Security.
http://www.sans.org/u/3h1


- -SANS Pen Test Berlin 2015 | Berlin, Germany | June 22-27, 2015 | 6 courses.
http://www.sans.org/u/3gW


- -Cyber Defense Canberra 2015 | Canberra, Australia | June 29-July 11, 2015 | 8 courses.
http://www.sans.org/u/3hg


- -DFIR Summit & Training | Austin, TX | July 7-14, 2015 | 7 courses including the NEW FOR578, 2 Nights of NetWars challenges, @Night talks and two Summit days with James Dunn, Global Investigative & Forensic Services, Sony Pictures Entertainment to keynote!
http://www.sans.org/u/53t


- -Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Minneapolis, Delhi, and Milan all in the next 90 days.


For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

House Funding Bill Limits Surveillance (June 4, 2015)

The House has passed a Commerce, Justice, and Science funding bill that would restrict government communications surveillance. One of the bill's provisions would prohibit funding for efforts to require companies to incorporate back doors to help law enforcement access encrypted information. Another provision prohibits funding the use of Stingray technology.
-http://fcw.com/articles/2015/06/04/cjs-funding-bill.aspx
[Editor's Note (Northcutt): This is a bit of a sleeper story, but it has import. It is a sweeping piece of legislation. Most of it is focused on reducing the degree the US spies on its citizens. However it also affects the next Census. The Census does not seem like a big deal until we recognize that it controls the allocation of food stamps, school lunches, school breakfasts, and Head Start. Being able to skew that data would give a community, state or region an advantage. If you are part of the one in six in the US struggling with hunger you would be motivated to move the dial:
-http://www.civilrights.org/census/your-community/funding.html
-http://www.feedingamerica.org/hunger-in-america/]

California Legislation Would Require Warrants to Search Digital Devices (June 3, 2015)

State legislators in California have approved a bill that would require law enforcement officers there to obtain warrants or wiretap orders before searching devices such as laptops and smartphones, and before accessing data stored on remote servers. The governor vetoed a similar measure two years ago. The new bill includes exceptions for instances in which the requirement would jeopardize public protection, when law enforcements believes there is imminent danger of death or serious injury, and when device owners consent to a search.
-http://touch.latimes.com/#section/-1/article/p2p-83694329/

US Government Sites to Adopt HTTPS (June 8, 2015)

According to a blog post from the White House, all US federal websites will support HTTPS by the end of 2016. Federal CIO Tony Scott cautions that while HTTPS "guarantees the integrity of the connection between two systems," it does not protect the systems themselves.
-http://thehill.com/policy/cybersecurity/244346-all-federal-websites-to-support-e
ncrypted-browsing
[Editor's Note (Ullrich): That should have happened years ago. This article is less a sign of progress than an indicator of how far behind the federal government is in protecting its vast data collections. (Pescatore, Paller): Honestly, while more encrypted transport is better than less, we can't see how HTTPS could possibly make any rational Top 10 list of security steps government agencies need to take to better protect against attacks. SSL isn't free; ubiquitous SSL requires investment in processing capacity and secure key life cycle management. Government priorities are confused. If they invest in this first, critical government agency security improvements such as knowing what is on their network, patching, limiting privileges, making phishing harder, etc. will not get addressed first, and they should be first. ]

---

**************************** SPONSORED LINKS ******************************
|1) Download the free eBook: Cracking the Endpoint - Insider Tips for Endpoint Security. http://www.sans.org/info/178247

2) Recorded Future analysis identified employee credential exposures for at least 44% of Fortune 500 and 49% of FT 500 Europe companies, putting each organization at risk for a cyber attack. Attend this exclusive webinar to learn more: http://www.sans.org/info/178252

3) Be Sure Not To Miss: What the US Government Breach Tells us About the State of Security: Wednesday, June 10 at 11:00 AM EDT (15:00:00 UTC) with Johannes Ullrich and Tim Jarrett. http://www.sans.org/info/178257
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

More Serious Vulnerabilities in Drug Infusion Pumps (June 8, 2015)

Newly disclosed flaws in certain medical infusion pumps could, when used in concert with flaws disclosed earlier this year, be exploited to administer lethal doses of drugs. The flaws affect at least five models of pumps from Hospira. The earlier flaws could be exploited to modify libraries and raise drug dose limits. The new flaws could be exploited to alter firmware on the devices.
-http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
-http://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilitie
s/
[Editor's Note (Ullrich): Keep on reading to the next story below about how these vulnerabilities are already being exploited. The sad part is how the manufacturers are not only negligent in selling devices with glaring vulnerabilities, but also how they refuse to address these problems in a timely manner. ]

Medical Device Vulnerabilities Used to Gain Access to Hospital Data (June 8, 2015)

Researchers have found evidence of at least three instances in which attackers seeking medical data infiltrated hospital systems through vulnerabilities in medical devices. The intruders used the access to move laterally within the hospitals' networks. Among the devices compromised are X-ray equipment and blood gas analyzers.
-http://www.darkreading.com/vulnerabilities---threats/hospital-medical-devices-us
ed-as-weapons-in-cyberattacks/d/d-id/1320751?
-http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-
hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html

US Army Takes Defaced Website Offline (June 8, 2015)

The US Army has taken its official website offline after attackers defaced it. The Army took down the site to make sure that no Army data were compromised.
-http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/08/the-u-s-armys-main-
web-site-is-down-and-the-syrian-electronic-army-is-claiming-credit/
-http://www.bbc.com/news/world-us-canada-33058755
-http://www.cnet.com/news/us-army-website-offline-after-hack-by-syrian-electronic
-army/
-http://arstechnica.com/security/2015/06/us-army-website-defaced-by-syrian-electr
onic-army/

MalumPOS Malware (June 8, 2015)

Point-of-sale (POS) system malware known as MalumPOS can be configured to target nearly any POS system. MalumPOS, which is a RAM scraper, has recently been used in attacks on systems at hotels and other organizations running on Oracle MICROS.
-http://www.scmagazine.com/researchers-identify-malware-that-can-be-configured-to
-target-any-pos-evades-detection/article/419376/
-http://www.zdnet.com/article/malumpos-malware-targets-hotels-to-scrape-customer-
credit-cards/
-http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers
-malumpos-targets-hotels-and-other-us-industries/

Universities Adopt Two-Factor Authentication (June 5, 2015)

Following data security breaches at Boston University and the University of Iowa, both schools have adopted two-factor authentication. At both universities BU, a succession of phishing attacks attempted to get employees to revel their access credentials. (Please note that this story requires free registration)
-http://www.computerworld.com/article/2931843/security0/after-breaches-higher-ed-
schools-adopt-two-factor-authentication.html
[Editor's Note (Pescatore): It took the automotive industry about 35 years (1890 - 1925 or so) to require "what you have" (a key) to get into and start a car. It is time for the Internet to make that same leap. Of course, even cars are still single factor - and people leaving their keys in the ignition are one of the largest enablers for car thefts... Two factor authentication for login won't be perfect, but definitely raises the bar against phishing. ]

Eataly Acknowledges Breach at New York Market (June 5, 2015)

Italian food market Eataly has acknowledged that its New York City Retail Marketplace suffered a security breach; payment cards used at the market between January 16, 2015 and April 2, 2015, may have been compromised. Eataly says it does not store data on its systems, so the information must have been stolen in real time.
-http://www.scmagazine.com/mario-batalis-eately-compromised-in-cyber-attack/artic
le/419082/
Eataly Statement:
-https://www.eataly.com/SecurityIncident

US Military Weapons Code Security Problems (June 3, 2015)

US military weapons systems are vulnerable to attacks due in part to the millions of lines of code they contain. Because systems were proprietary, there was an assumption early on that cyber attacks would not be an issue. It would cost billions of dollars to "clean up" the code. Frank Kendall, undersecretary of Defense for acquisition, technology, and logistics has incorporated cyber security into his acquisition guidance.
-http://fcw.com/articles/2015/06/03/pentagon-weapons-vulnerable.aspx

Legislators Urge FBI to Abandon Demand for Backdoors in Encryption (June 1, 2015)

Two US legislators have written a letter to the FBI to express their disagreement with the agency's efforts to require technology companies to build back doors into encryption. Representatives Will Hurd (R-Texas) and Ted Lieu (D-California) urge the agency to "find alternative ways of addressing the challenges posed by the new technologies." The letter observes, "Any vulnerability to encryption or security technology that can be accessed by law enforcement is one that can be exploited by bad actors
[and that ]
demanding special access also opens the door for other governments with fewer civil liberties protections to demand similar backdoors."
-http://thehill.com/policy/cybersecurity/243640-house-members-urge-fbi-to-change-
troubling-encryption-stance
[Editor's Note (Weatherford): They already have a backdoor, it's called the Constitution. ]

---

STORM CENTER TECH CORNER

Wind Turbine Vulnerabilities
-https://ics-cert.us-cert.gov/advisories/ICSA-15-155-01

Checking for BACNet Devices Insider Corporate Networks
-https://isc.sans.edu/forums/diary/Checking+for+BACNet+devices+inside+corporate+n
etworks/19771/

Man Mugged For Bitcoin Wallet
-http://www.cnbc.com/id/102737187

Let's Encrypt Publishes Root Certificate and Intermediate Certificate
-https://letsencrypt.org/2015/06/04/isrg-ca-certs.html

REMnux 6 Released
-https://zeltser.com/remnux-v6-release-for-malware-analysis/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/