SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #56

July 21, 2015

TOP OF THE NEWS

Internet of Things Security Dangerously Weak
US and Israel Will Share More Cyber Attack Information
UK High Court Rules Data Retention Act Unlawful

THE REST OF THE WEEK'S NEWS

Emergency Patch for Microsoft Font Driver
Eight-Year Sentence for Leaking Customer Data
Man Accused of Breaking into NASA and Other Systems Arrested Again
Infidelity Site Ashley Madison Breached
UCLA Health Breach
CVSPhoto.com Payment Card Data Compromised
More Online Photo Stores May be Affected
Ohio Inmate Had Prison System Login Credentials

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

EXTRA: SECURITY JOB DESCRIPTIONS INCREASINGLY CALL FOR GIAC CERTS

EXTRA: Security Job Descriptions Increasingly Call For GIAC Cert

---

************************ Sponsored By Sophos *****************************
WHITEPAPER: Adding Extra Security to Cloud Storage. Are your users uploading files to the cloud? Do they contain sensitive business data? Download this whitepaper and learn the right data protection strategy for your business to embrace the benefits of cloud based services. Learn more: http://www.sans.org/info/179012
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 |
Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 |
5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
49 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy

Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Internet of Things Security Dangerously Weak (July 18, 2015)

Refrigerators, automobiles, drug infusion pumps and other devices that are increasingly computerized are not being developed with security in mind. Many have no mechanism for receiving security patches. Security is not likely to become an issue for the manufacturers of these devices until the consequences of their lack of security prove dangerous. Demonstrations of the devices' vulnerabilities have focused on dangers to human lives. However, attackers are more likely to pursue a route that will return a profit. Researchers have already found botnets made up of devices that were being used to launch DDoS attacks or mine for cryptocurrencies.
-http://www.economist.com/news/science-and-technology/21657766-nascent-internet-t
hings-security-last-thing-peoples
[Editor's Note (Assante): What is not mentioned here is that these devices fall into the domain of embedded system security - one of our community's weak spots. It is unrealistic to expect engineering developers to do better than general purpose software developers. The article does illustrate that it will be much harder to deal with discovered vulnerabilities and compromises, as many devices lack over-the-air management. Welcome to the Internet of Unmanageable Mistakes!
(Ullrich): The SANS research mentioned in the article involved security camera DVRs made by Hikvision. These devices had a telnet server running by default, and no means to turn it off. The default password, which was not easy to change, was "12345". All intrusions we analyzed on these devices used this simple flaw. The attacker just logged in. Worse: These devices were then used to attack other internal hosts. Luckily, we found that Hikvision was responsive. After a couple of phone calls, they released a firmware update. Telnet is now disabled by default on these devices.
(Murray): The problem of securing application machines is much more tractable than that of securing operating systems and browsers. The security community knows how to do it. The risk is that the developers of "things" may not avail themselves of that knowledge.
(Paller): Surprisingly, most IOT vendors appear to be paying insufficient attention to security. It is surprising because those vendors won't be able to avoid liability for negligence in the way OS and app vendors have been able to do, because consumers may have no way to protect themselves from damage done by the IOT devices. ]

US and Israel Will Share More Cyber Attack Information (July 17 & 20, 2015)

US Department of Homeland Security Deputy Secretary Alejandro Mayorkas visited Israel and met with several officials, including Eviatar Matania, head of the Israel National Cyber Bureau. They "signed a joint statement reaffirming
[their countries' ]
commitment to promote cooperation and information sharing on cyber security and cyber research and development."
-http://thehill.com/policy/cybersecurity/248471-us-israel-reaffirm-cyber-ties
-http://www.timesofisrael.com/israel-us-commit-to-beef-up-cybersecurity-cooperati
on/
-http://www.dhs.gov/news/2015/07/17/readout-deputy-secretary-mayorkas-trip-israel

UK High Court Rules Data Retention Act Unlawful (July 17 & 20, 2015)

The UK's High Court has ruled that the Data Retention and Investigative Powers Act (DRIPA) is unlawful. The act was found to be "inconsistent with European Union law." Parliament took just four days to pass the act, which became law a year ago. The Court found that DRIPA did not sufficiently restrict access to data. The government plans to appeal the verdict.
-http://www.cnet.com/news/uk-dripa-data-retention-scheme-deemed-unlawful-by-high-
court/
-http://www.theregister.co.uk/2015/07/17/government_appeals_court_nixing_dripa_su
rveillance_law/

---

**************************** SPONSORED LINKS ******************************
1) Download the eBook: Cracking the Endpoint - Insider Tips for Endpoint Security. http://www.sans.org/info/179017

2) Webinar: Preventing Insider Threats with User Activity Monitoring - Sign-up Now! http://www.sans.org/info/179022

3) How do organizations conduct continuous vulnerability assessment & remediation? Take the new Continuous Monitoring Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/179007
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Emergency Patch for Microsoft Font Driver (July 20, 2015)

Microsoft has pushed out an emergency patch for a remote code execution vulnerability that affects all supported versions of Windows. The flaw lies in the Windows Adobe Type Manager Library. It was discovered in the documents that were stolen from Hacking Team and then leaked.
-https://isc.sans.edu/forums/diary/Special+Microsoft+Bulletin+Patching+Remote+Cod
e+Execution+Flaw+in+OpenType+Font+Drivers/19941/
-http://www.theregister.co.uk/2015/07/20/windows_microsoft_emergency_patch/
-http://www.computerworld.com/article/2949589/malware-vulnerabilities/microsoft-p
atches-windows-zero-day-found-in-hacking-teams-leaked-docs.html
-http://www.scmagazine.com/microsoft-updates-address-opentype-font-driver-vulnera
bility/article/427424/
-https://technet.microsoft.com/library/security/MS15-078
[Editor's Note (Ullrich): This patch replaces MS15-077, which was released just last week as part of patch Tuesday, which patched a vulnerability that was being actively exploited. The vulnerability patched by MS15-078 was made public as part of the data leaked from Hacking Team, and several of the Hacking Team exploits have already been spotted in the wild. ]

Eight-Year Sentence for Leaking Customer Data (July 20, 2015)

A UK man has been sentenced to eight years in jail for leaking or posting personal information of 100,000 people to the Internet. Andrew Skelton was formerly an internal auditor at the Morrisons supermarket chain and had access to employee data.
-http://www.v3.co.uk/v3-uk/news/2418390/morrisons-auditor-jailed-for-eight-years-
after-leaking-data-on-100-000-employees
-http://www.bbc.com/news/uk-england-leeds-33566633

Man Accused of Breaking into NASA and Other Systems Arrested Again (July 17, 2015)

Lauri Love, the British man who was arrested in 2013 in connection with network intrusions at NASA, the Federal Reserve, the Environmental Protection Agency, and the Army, has been arrested again on an extradition warrant. Love was indicted in 2012 and 2013, which led to the initial arrest. He was released on bail and the bail was cancelled in late 2014. The new arrest comes "out of the blue" according to Love's lawyer.
-http://arstechnica.com/security/2015/07/uk-man-accused-of-hacking-spree-on-us-go
vernment-is-arrested-again/
-http://thehill.com/policy/cybersecurity/248295-alleged-us-government-hacker-arre
sted-again

Infidelity Site Ashley Madison Breached (July 19 & 20, 2015)

A website that has made its name facilitating affairs has experienced a breach that exposed customer information. Those claiming responsibility for the attack are threatening to release the information they took. The group is demanding that Ashley Madison shut down two of its websites. As many as 37 million people may be affected, even customers who paid for what the company called a "full delete." The purloined data includes answers to a sign-up questionnaire that included details of their sexual fantasies.
-http://www.computerworld.com/article/2949980/cybercrime-hacking/extramarital-aff
airs-may-not-have-been-secrets-even-before-ashley-madison-hack.html
-http://www.bbc.com/news/technology-33592594
-https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
-http://arstechnica.com/business/2015/07/cheaters-hook-up-site-ashley-madison-mak
es-account-deletion-confusing/
[Editor's Note (Pescatore): This is one of those "other houses just like ours burned up but we never checked our smoke detectors" kind of stories. A similar site, Adult Friend Finder, was compromised a few months earlier, and Ashley Madison's parent company was supposedly preparing for an IPO - if there was ever a time to pay more attention to security, this was it. ]

UCLA Health Breach (July 17, 2015)

UCLA Health has issued a statement acknowledging that a breach of its systems may have compromised personal information of as many as 4.5 million people. The patient information includes not only names and Social Security numbers (SSNs), but also test results, diagnoses, and other medical file data. This information was not encrypted. The breach was detected in early May; evidence suggests the attackers have had access to the system since September 2014. UCLA Health has contacted the FBI and an investigation is ongoing.
-http://www.forbes.com/sites/katevinton/2015/07/17/4-5-million-ucla-health-patien
ts-data-compromised-in-cyber-attack/
-http://www.zdnet.com/article/ucla-health-hit-by-hack-millions-affected/
-https://www.uclahealth.org/Pages/Data-2015.aspx
[Editor's Note (Murray): It is ironic that health care is the least automated of all industries, at least in part in response to HIPAA's security requirements, but ranks just a little ahead of government in application security. (See
-https://info.veracode.com/state-of-software-security-report-volume6.html
) Even if more secure, these two industry sectors would still represent the greatest risk to the individual, at least in part because of the utility to criminals of the sensitive information that we must share with them. ]

CVSPhoto.com Payment Card Data Compromised (July 17, 2015)

US drugstore chain CVS is warning customers who have used its online photo printing service center that a third party company that manages payments for CVSPhoto.com may have experienced a security breach that compromised payment card data. CVS has temporarily shut down online and mobile access to the site. CVSphoto.com payments are processed independently of in-store and online CVS.com transactions.
-http://www.forbes.com/sites/katevinton/2015/07/17/cvs-investigates-credit-card-b
reach-at-its-online-photo-service/

More Online Photo Stores May be Affected (July 20, 2015)

In addition to CVSPhoto.com, several other photo center websites, including RiteAid, Costco, Sam's Club, and Tesco, have been taken offline. The third-party vendor, PNI Digital Media, says it "is investigating a potential credit card data issue."
-http://www.scmagazine.com/pni-digital-media-investigates-potential-credit-card-i
ssue-as-more-photo-center-websites-go-down/article/427406/

Ohio Inmate Had Prison System Login Credentials (July 16, 2015)

An Ohio prison inmate was found to be in possession of login credentials for the prison's computer system. A routine search revealed that the prisoner had a list of administrative user names and passwords. The Ohio State Highway Patrol is investigating.
-http://www.dispatch.com/content/stories/local/2015/07/16/ohio-inmate-password-br
each.html

---

STORM CENTER TECH CORNER

Hacking Team Exploits Used in Attacks
-https://threatpost.com/new-campaign-targeting-japanese-with-hackingteam-zero-day
/113848

Free Tool To Search for Hackingteam Malware
-https://www.rooksecurity.com/resources/downloads/

Details about Flash Type Confusion Bug
-http://googleprojectzero.blogspot.com/2015/07/one-perfect-bug-exploiting-type_20
.html

Boeing and Hacking Team Working on Wifi Attack Drone
-https://wikileaks.org/hackingteam/emails/emailid/33136

Using Autoruns and Processexplorer with Virustotal
-https://isc.sans.edu/forums/diary/Autoruns+and+VirusTotal/19933/
-https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931/

Messages From Spoofed Skype Accounts
-http://community.skype.com/t5/Security-Privacy-Trust-and/Spoofed-message-from-co
ntact/td-p/4026578

Data Exposed by MongoDB
-https://blog.shodan.io/its-the-data-stupid/

RedstarOS Watermarks Documents
-http://www.insinuator.net/2015/07/redstar-os-watermarking/

Bypassing SSH Login Limit
-https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentic
ation-brute-force-vulnerability-maxauthtries-bypass/

---

EXTRA: SECURITY JOB DESCRIPTIONS INCREASINGLY CALL FOR GIAC CERTS

Stephen Northcutt reports the Federal Reserve Bank is looking for a job applicant in the Atlanta area with one or more of the following: GCIH / GCIA / GPEN / GSEC or SSCP / CISA. The posting URL is here:
-https://frb.taleo.net/careersection/2/jobdetail.ftl?job=241566

Other jobs that include GIAC as a preferred certification can be found here:
-https://isc.sans.edu/jobs/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/