SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #60

August 04, 2015

One question I get often (and always enjoy) is "Where will Ed Skoudis be teaching his Penetration Testing course?" The answer has gotten easier because Ed (in pen testing), Mike Poor (intrusion detection), Eric Cole (security essentials), Lenny Zeltser (forensics and malware analysis) all teach at the 4 "national" information security conferences in Las Vegas, Washington, San Diego and Orlando. They are not alone; all 18 of the top-rated information security teachers in the country will be at Las Vegas next month teaching their most up-to-date, high-end security courses. See the list for SANS Network Security 2015 - Sept. 14-20 at http://www.sans.org/event/network-security-2015

Alan

---

TOP OF THE NEWS

FDA Warns Against Use of Hospira Infusion Pumps
BIND Flaw is Being Actively Exploited
Cisco Issues Patch for ASR Router Vulnerability

THE REST OF THE WEEK'S NEWS

Retaliation for OPM Attack?
NHTSA Investigating Car Cybersecurity
OnStar Releases Fix for RemoteLink App
Interpol Training Police on Darknet
US Government Cybersecurity Sprint
Mac Firmware Proof-of-Concept Malware
MtGox CEO Arrested
Air Force Contractor Sentenced for Data Theft
Bitdefender Customer Login Data Stolen
sCan You Learn to be a Hacker?

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************* Sponsored By iSIGHT Partners *************************
E-BOOK: Threat Intelligence is the talk of InfoSec. The right solution can drive better strategic decisions, improve operations, strengthen existing defenses and support the hunt mission. Everyone now claims to offer threat intel - but there are huge differences. Educate yourself and filter the noise with this e-book - The Definitive Guide to Cyber Threat Intelligence.
http://www.sans.org/info/179342
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 |
Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 |
5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
49 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand


Specials - http://www.sans.org/u/Xy


Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FDA Warns Against Use of Hospira Infusion Pumps (August 1 & 3, 2015)

The US Food and Drug Administration (FDA) is urging hospitals to stop using certain drug infusion pumps from Hospira. The devices could be accessed by unauthorized users through a hospital's network. The FTP and telnet ports on the devices are open and Port 8443 has a default login password. Once accessed, the pumps could be manipulated to alter drug dosages. One of the affected devices, the Hospira Simbiq Infusion Pump, has been discontinued, but is still in use at some medical facilities. Other affected devices include the Plum A+ Infusion System v.13.4 and earlier, and the Plum A+ Infusion System v. 13.6 and earlier. Hospira plans to issue updates.
-http://www.bbc.com/news/technology-33759428
-http://www.theregister.co.uk/2015/08/01/fda_hospitals_hospira_pump_hacks/
[Editor's Note: (Assante and Paller): Kudos to Billy Rios and the cadre of responsible security researchers! Their combined work is beginning to influence regulators and may help shape future design and testing practices. The recent Chrysler recall and now the FDA advisories, denote real movement in industries that have a regulatory authority. Responsible security researchers served as the catalyst for this movement.
(Murray): Note that the vulnerability is not in the implementation of the application but in the gratuitous inclusion of ("historically broken") ftp and Telnet (rather than SSH). Medical appliances should not be sold or used until they are sufficiently complete and stable that such (administration, late change, and bad code remediation) mechanisms are not needed. Perhaps the inclusion of such gratuitous functionality is the most significant vulnerability that we should anticipate in the "Internet of Things (IoT)."
(Northcutt): Industrial Control Systems consistently use inherently insecure protocols like telnet. I will be on an intravenous infusion for the next five weeks, but I took control of my healthcare and they are allowing me to self-administer it in-home. I am air-gapped; the medicine is pre-mixed; I just have to plug it into my PICC line. Yes, of course an attacker could still game the system that mixes the medicine, but it is harder. Security can never be about perfection; it must always be about making it harder.
-http://www.cse.wustl.edu/~jain/cse571-11/ftp/ics/]

BIND Flaw is Being Actively Exploited (August 3, 2015)

Attackers are exploiting a recently disclosed vulnerability that affects all versions of BIND DNS software. The flaw could be used to launch denial-of-service attacks and take down large sections of the Internet. A patch for the vulnerability was released last week.
-http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-h
amstring-huge-swaths-of-internet/
-http://www.computerworld.com/article/2955290/security/dns-server-attacks-begin-u
sing-bind-software-flaw.html

Cisco Issues Patch for ASR Router Vulnerability (July 31, 2015)

Cisco has released a fix for a vulnerability in its ASR 100 enterprise and service provider grade routers that could be exploited to cause denial-of-service conditions. The problem is caused by "improper processing of crafted, fragmented packets." There are currently no workarounds for the issue, so administrators are being urged to apply the patch.
-http://www.theregister.co.uk/2015/07/31/cisco_asr_1000_dos_hole/

---

**************************** SPONSORED LINKS ******************************
1) Download the White Paper: Why Are You Still Paying for Antivirus? There is a better way. http://www.sans.org/info/179347

2) Use Maltego to exploit cyber threat intelligence from Web sources, to gain deeper insight into threats. Live demonstration webinar with Recorded Future on Wednesday, August 19 at 1:00 PM ET. Register now: http://www.sans.org/info/179352

3) New Cloud Adoption & Risk Report: Real-world security stats based on usage data from 21M+ users. http://www.sans.org/info/179357
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Retaliation for OPM Attack? (July 31, 2015)

The US has decided that it is necessary to retaliate against China for stealing personal information from the Office of Personnel Management databases. The decision was made because the attack was so large. It has not been determined what form the response will take.
-http://mobile.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-
chinas-hacking.html?_r=2&referrer=
[Editor's Note (Murray): "Retaliation?" How about diplomacy? How about sending some Chinese diplomats home? The Air Force targeted a bomb in Solar Sunrise. This was an act of espionage, the kind of thing that we spend $60B per year on, not sabotage, certainly not an attack on our infrastructure, for which we have already threatened the use of force. One can regret that we were embarrassed and inconvenienced without starting a war, even a "cyber" war, over it. The problem with "retaliation" is that it leads to a futile cycle of escalation. The first principle of security is Proportionality. ]

NHTSA Investigating Car Cybersecurity (August 3, 2015)

The National Highway Traffic Safety Administration (NHTSA) is expanding its investigation into automobile cyber security concerns. Initially the agency was focusing on Chrysler, which last week issued a recall to fix a software issue in 1.4 million cars. Now NHTSA wants to find out what other car manufacturers may have used similar parts.
-http://thehill.com/policy/cybersecurity/250060-feds-widen-auto-hacking-investiga
tion
[Editor's Note (Pescatore): Last year, the NHTSA issued public notice of proposed rulemaking that would mandate that vehicle to vehicle communications in cars support "autonomous" vehicle control and safety functions. I hope this investigation will convince them to take that *off* the fast track until they have a way of assuring at least basic security hygiene is baked in, since it has been obvious that the automotive industry has not taken that approach.
(Honan): This is a prudent move by the NHTSA as indeed Chrysler are not the only cars vulnerable. Last week it was reported that security flaws were found in vehicles made by Skoda Auto, a subsidiary of Volkswagen. One also hopes that manufacturers of autonomous vehicles are taking on-board the lessons being learnt by traditional car manufacturers. ]

OnStar Releases Fix for RemoteLink App (July 31, 2015)

OnStar has issued a fix for its iOS RemoteLink app. The updated app is available in the App Store. Affected customers will be notified and the old version of the app decommissioned after that. GM initially addressed the issue with a fix on back-end servers, but that fix did not work to protect the iOS app.
-http://www.wired.com/2015/07/patch-gm-onstar-ios-app-avoid-wireless-car-hack/

Interpol Training Police on Darknet (August 2, 2015)

Interpol is training police officers from around the world to investigate Darknet crime. The participants took on roles of vendors, buyers, and administrators as they learned about Tor, underground bazaars like Silk Road, and cryptocurrencies. Interpol used a simulated Darknet during the training.
-http://www.zdnet.com/article/interpol-is-training-police-to-fight-crime-on-the-d
arknet/
[Editor's Note (Honan): Nice to see Interpol take this proactive step in better enabling law enforcement groups around the world to tackle cybercrime. I hope that the lessons being taught include the positive uses of anonymity tools like Tor and not focus solely on the abuse of these tools by criminals. ]

US Government Cybersecurity Sprint (July 31 & August 3, 2015)

The US Office of Management and Budget (OMB) ran a "Cybersecurity Sprint" in June, which aimed to improve the government cybersecurity posture. According to the report, 72 percent of government computer users can access networks only with a smart card.
-http://www.nextgov.com/cybersecurity/2015/07/white-house-details-cyber-sprint-pr
ogress-says-congress-needs-lift-spending-cuts-security-improvements/118792/?oref
=ng-HPtopstory
-http://www.scmagazine.com/white-house-updates-cybersecurity-sprint-results/artic
le/430303/
[Editors' Note (Pescatore and Murray): Usual warning that "security is not a sprint, it is a marathon..." *but* the government does need *more* security sprinting. First they have to make sure they are running towards the right finish line. Smart cards for strong authentication is a dead end approach - the federal government has tried mandating them for literally 20 years now! Compared to much less expensive, easier to use (Google's security key is one example) alternatives, smart cards are like requiring floppy disks as a second factor. ]

Mac Firmware Proof-of-Concept Malware (August 3, 2015)

Researchers plan to present proof-of-concept malware that infects Apple systems' firmware and persists even when users wipe the hard drive and reinstall OS X. The demonstration will also show how the malware, called Thunderstrike 2, can spread from MacBook to MacBook even if they are not networked.
-http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs
/
-http://www.computerworld.com/article/2955641/cybercrime-hacking/macs-can-be-remo
tely-infected-with-firmware-malware-that-remains-after-reformatting.html
[Editor's Note (Assante): This is deja vu for those working ICS security. Here is to hoping the late but heavy-weight arrival of general computing security spurs some positive movement in the firmware/hardware ecosystem. Keeping lights on and chemicals in safe places did not do it, but now we have real stakes as grandma's family photo collection is way too important to lose. ]

MtGox CEO Arrested (July 31 & August 1, 2015)

Police in Japan have arrested MtGox CEO Mark Karpeles over the loss of 650,000 bitcoins, worth US $387 million at the time of their disappearance in February 2014. Karpeles allegedly altered MtGox system data to inflate the company's assets. Initially 850,000 bitcoins were missing, but later 200,000 were "found" in a forgotten digital wallet. Karpeles has not been formally charged.
-http://arstechnica.com/tech-policy/2015/08/mt-gox-head-arrested-over-loss-of-650
000-bitcoins/
-http://www.bbc.com/news/world-asia-33745611

Air Force Contractor Sentenced for Data Theft (July 31, 2015)

A US District Judge in Florida has sentenced former US Air Force contractor Christopher R. Glenn to 10 years in prison for theft of classified documents and conspiracy. Glenn earlier pleaded guilty to willful retention of classified national defense information under Espionage Act; to computer intrusion under the Computer Fraud and Abuse Act; and conspiracy to commit naturalization fraud.
-http://www.theregister.co.uk/2015/08/03/sysadmin_jailed_10_years_stealing_classi
fied_usaf_docs/

Bitdefender Customer Login Data Stolen (July 31, 2015)

An attacker stole customer login information from a server belonging to anti-virus company Bitdefender. The affected server hosts cloud-based management dashboards for some Bitdefender clients. The data thief attempted to extort US $15,000 from the company, threatening to release the purloined information. The thief did post information related to three accounts, and reportedly has information for hundreds more. The attacker was able to access the server because it had accidentally been deployed with outdated software that contained a known vulnerability. Affected customer passwords have been reset.
-http://www.computerworld.com/article/2955512/security/hacker-steals-bitdefender-
customer-log-in-credentials-attempts-blackmail.html

Can You Learn to be a Hacker? (July 31, 2015)

Kim Guldberg writes,"You cannot be taught to become a hacker, but you can teach yourself." Guldberg describes his childhood spent disassembling broken battery-operated toys and crafting them into new devices; learning how to manipulate his first computer and printer.
-http://www.forbes.com/sites/quora/2015/07/31/how-do-hackers-learn-their-craft/

---

STORM CENTER TECH CORNER

SSH Scanning on Port 8080
-https://isc.sans.edu/forums/diary/Your+SSH+Server+On+Port+8080+Is+No+Longer+Hidd
en+Or+Safe/19995/

Donald Trump Website Defaced
-http://pastebin.com/QiBeec2L

Thunderstrike 2 Apple EFI Vulnerability
-http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs
/

Symantec Endpoint Protection Suite Vulnerabilities
-http://codewhitesec.blogspot.be/2015/07/symantec-endpoint-protection.html

Threatstop Sponsors Internet Storm Center Stormcast
-http://www.threatstop.com/?src=sanspodcast

Writing Better Security Policies
-https://isc.sans.edu/forums/diary/Your+Security+Policy+Is+So+Lame/19991/
-http://www.sans.org/security-resources/policies/

Fake Windows 10 Update
-http://blogs.cisco.com/security/talos/ctb-locker-win10

Bitdefender Breach
-http://www.forbes.com/sites/thomasbrewster/2015/07/31/bitdefender-hacked/

Vulnerabile Drug Infusion Pumps Should No Longer Be Used
-http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

Dell BIOS Not Write Protected After Hybernate
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2890
-http://www.kb.cert.org/vuls/id/BLUU-9XXQ9L

NORTHCUTT Note:
A job posting for a Security Network Administrator with SANS/GIAC certifications in West Des Moines, Iowa. If you live in the area this may be something you want to look into:
-http://info.homesteaderslife.com/careers/security-and-network-administrator?
-http://www.wdm.iowa.gov]

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/