SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #62
August 11, 2015
TOP OF THE NEWS
NBC News: Chinese Spies Reading US Officials' eMail
US Dept. of Health and Human Services Breaches - Is Anyone Accountable?
Modem Attack Allows for Persistent Malware
THE REST OF THE WEEK'S NEWS
Another Android Flaw Gives Apps Elevated Privileges
HTC Handsets Store Fingerprint Data Unencrypted
Carphone Warehouse Breach
Gas Pump Honeypots
Ubiquiti Loses Millions in Wire Transfer Fraud Scheme
Mozilla Releases Emergency Fix for Firefox Zero-Day
Chrysler Knew of Vulnerability for More than a Year
STORM CENTER TECH CORNER
*********************** Sponsored By Sophos, Inc. ************************
NEW Whitepaper: Server Application Whitelisting. Sophisticated attacks on corporate servers must be deflected with powerful security. It doesn't have to be a challenge to find the solution that suits your needs. Find out how Application Whitelisting can keep advanced and unknown threats from reaching servers, without being complex and costly to implement. Learn More:
http://www.sans.org/info/179447
***************************************************************************
TRAINING UPDATE
- -- SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT
- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I
- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N
- -- SANS Virginia Beach 2015 | Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz
- -- SANS Chicago 2015 | Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO
- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- -- Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
NBC News: Chinese Spies Reading US Officials' eMail (August 10, 2015)
According to an NBC News report, Chinese spies have been reading private emails belonging to US officials. The practice has been going on for more than five years. The spies compromised the targets' personal email accounts, but because the government accounts were more secure, they were not infiltrated.
-http://www.nbcnews.com/news/us-news/china-read-emails-top-us-officials-n406046
-http://thehill.com/policy/cybersecurity/250703-chinese-hackers-stealing-private-emails-of-top-us-officials
-http://www.nextgov.com/cybersecurity/2015/08/report-chinas-spies-read-top-us-officials-private-emails/118994/?oref=ng-channeltopstory
US Dept. of Health and Human Services Breaches (August 7, 2015)
According to a report from the House Energy & Commerce Committee, at least five divisions of the US Department of Health and Human Services (HHS) have experienced data security breaches over the past three years.
-http://thehill.com/policy/cybersecurity/250543-hhs-hacked-five-times-in-three-years
-http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Analysis/20150806HHSinformationsecurityreport.pdf
[Editor's Note (Paller): The HHS CIO and his boss and his boss's boss all knew intimately of the major security weaknesses years ago (following a damaging - but undisclosed - breach) and they nearly fixed them. But when the top executives turned their focus on other challenges, the CIO, with the complicity of the HHS IG, fell back to spending millions of dollars writing reports that "admired the security problems" rather than fixing them. Will the House Committee staff demand accountability this time? Without career limiting accountability, federal cybersecurity problems will fester and grow. ]
Modem Attack Allows for Persistent Malware (August 9, 2015)
At the DefCon security conference in Las Vegas, researchers demonstrated how they could install malware on certain LTE/3G modems that are built into some laptops and tablets; the malware persists even after the operating system is reinstalled. The problem is due to an insecure firmware update process.
-http://www.computerworld.com/article/2968274/security/internal-lte3g-modems-can-be-hacked-to-help-malware-survive-os-reinstalls.html
[Editor's Note (Murray): This modem is a "thing," an appliance. It is intended to connect to the Internet making it part of the "Internet of Things (IoT)." In fact, the function of this device is to act as a node in both public networks. As far as we know, it does what it is intended to do. However, it contains a maintenance mechanism that can be used to compromise it. We are receiving weekly reports of such appliances. "Late change mechanisms" are proving to be a fruitful space for "researchers" and other hackers. Given the falling cost of such appliances and the lack of care given to their quality and maintenance, we can expect to see both a loss of public confidence in the devices and their collection into bot-nets. "Nice people do not attach weak systems to the public networks." Securing appliances, i.e., single-application purpose-built devices, should not be as difficult as securing operating systems, unless of course one includes a COTS operating system to facilitate late changes. ]
**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Breach Preparation - Plan for the Inevitability of Compromise: http://www.sans.org/info/179452
2) Live Webinar: Asurion's Privileged Identity Management Journey. Learn best practices for protecting and monitoring super user accounts. Sign-up now: http://www.sans.org/info/179467
3) Use Maltego to exploit cyber threat intelligence from Web sources, to gain deeper insight into threats. Live demonstration webinar with Recorded Future on Wednesday, August 19 at 1:00 PM ET. Register now: http://www.sans.org/info/179462
***************************************************************************
THE REST OF THE WEEK'S NEWS
Another Android Flaw Gives Apps Elevated Privileges (August 10, 2015)
Close on the heels of Stagefright, another vulnerability has been found to affect Android devices. A flaw in the OpenSSLX509Certificate class lets apps elevate their privileges, allowing them to snoop on vulnerable devices, install malware, and cause other problems. More than half of Android handsets are believed to be vulnerable.
-http://www.theregister.co.uk/2015/08/10/another_android_flaw_hitting_55_percent_handsets/
[Editor's Note (Ullrich): Implementing proper certificate authentication is difficult. This flaw is particularly hard to "fix" as it affects dozens of programs created by various companies. It is not something I expect Google to just patch via an Android update, unless Google is willing to break affected software. ]
HTC Handsets Store Fingerprint Data Unencrypted (August 10, 2015)
HTC, which makes smartphones, stored customer fingerprint data unencrypted in an easily accessible image file on the devices. Other Android smartphones, including one from Samsung, have been found to contain similar vulnerabilities.
-http://www.bbc.com/news/technology-33847307
-http://www.theregister.co.uk/2015/08/10/htc_caught_storing_fingerprints_as_world_readable_cleartext/
-http://thehill.com/policy/cybersecurity/250777-hackers-had-easy-access-to-smartphone-fingerprint-data
-http://arstechnica.com/security/2015/08/severe-weaknesses-in-android-handsets-could-leak-user-fingerprints/
[Editor's Note (Murray): My photograph may reduce your cost of impersonating me, but not much. Biometrics rely upon the cost of counterfeiting, not the secrecy of the reference. ]
Carphone Warehouse Breach (August 8 & 10, 2015)
A breach of systems at Carphone Warehouse affected personal information of 2.5 million customers. Payment card data belonging to as many as 90,000 of those customers were also compromised. The attack, which was discovered on August 5, employed a distributed denial-of-service (DDoS) attack as a distraction while the data were being stolen.
-http://www.theregister.co.uk/2015/08/08/carphone_warehouse_data_breach/
-http://www.telegraph.co.uk/finance/newsbysector/epic/cpw/11794521/Carphone-Warehouse-hackers-used-traffic-bombardment-smokescreen.html
Gas Pump Honeypots (August 5, 8, & 10, 2015)
Honeypots that were designed to look like gas pump monitoring systems on the Internet have been targeted by distributed denial-of-service (DDoS) attacks and queried for data.
-http://asia.pcmag.com/software-reviews/4944/news/how-safe-are-gas-pumps-from-hackers
-http://www.wired.com/2015/08/internet-connected-gas-pumps-lure-hackers/
-http://www.darkreading.com/attacks-breaches/iranian-syrian-hackers-hit-gas-gauges-/d/d-id/1321615
Ubiquiti Loses Millions in Wire Transfer Fraud Scheme (August 7 & 9, 2015)
Wireless networking product provider Ubiquiti lost nearly $47 million to wire transfer fraud, according to the company's quarterly financial report. Ubiquiti says it has recovered just over US $8 million of the stolen funds. The attack did not involve a system breach, but instead used communications spoofing to initiate the fraudulent transactions.
-http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
-http://www.scmagazine.com/ubiquiti-networks-loses-millions-in-cyber-scam/article/431755/
-http://www.theregister.co.uk/2015/08/09/ubiquiti_stung_by_email_spoofing_fraud/
[Editor's Note (Ullrich): This isn't a new issue, but it is good to see it recognized by a larger audience. There are two critical technical issues: (1) How users authenticate to e-mail and messaging systems. Using solid two factor implementations isn't always an option for mobile devices. (2) How e-mail configuration changes are monitored. Will you notice if a "forward" address is added, in particular if you are using a cloud based e-mail solution? Business processes may introduce additional fraud opportunities. How are payments approved and what is done to verify requests? Ubiquiti lost a lot of money directly as a result of the attack. Others hit by this attack may not have lost a lot of money, but still had to spend large amounts on responding to the incident, in particular to figure out how much data was lost with leaked emails and whether customers had to be notified. ]
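Ullrich's second point above, whether anyone would notice a forwarding address being added to a mailbox, is the kind of check a SOC can automate. The script below is an added example and is not part of the newsletter or of any mail vendor's tooling; the key=value audit log format, the INTERNAL_DOMAINS set, and every sample record in SAMPLE_LOG are constructed for illustration. It parses forwarding changes out of an admin audit log, rates each one (external destination is high, a forward set by someone other than the mailbox owner is medium, everything else low), and returns the alerts a responder would want to see.

```python
"""Flag mailbox-forwarding changes that send a user's mail outside the
organisation, from an admin audit log.

Added example, not from SANS NewsBites or any mail platform. The log line
format (space-separated key=value pairs) and all sample lines are
constructed; in practice the records would come from the mail platform's
admin audit export."""

import re
from dataclasses import dataclass

# Assumed organisation mail domains (constructed for the example).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Matches key=value pairs; values may be quoted or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class ForwardEvent:
    ts: str
    actor: str     # account that made the change
    mailbox: str   # mailbox whose forwarding setting changed
    dest: str      # new forwarding address, "" when forwarding was cleared


@dataclass(frozen=True)
class Alert:
    event: ForwardEvent
    severity: str  # "high", "medium" or "low"
    reasons: tuple


def parse_line(line: str):
    """Parse one constructed audit record; None for records that are not
    forwarding changes (logins, folder operations, ...)."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("action") != "set_forward":
        return None
    # A trailing 'dest=' with no value is not matched by _KV, so a cleared
    # forward shows up as an empty destination.
    return ForwardEvent(fields.get("ts", ""),
                        fields.get("actor", "").lower(),
                        fields.get("mailbox", "").lower(),
                        fields.get("dest", "").lower())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def assess(event: ForwardEvent) -> Alert:
    """Rate a forwarding change. An external destination is the pattern
    behind mailbox-siphoning in wire-fraud cases, so it is always high."""
    if not event.dest:
        return Alert(event, "low", ("forwarding cleared",))
    reasons = []
    external = domain_of(event.dest) not in INTERNAL_DOMAINS
    by_other = event.actor != event.mailbox
    if external:
        reasons.append(f"destination domain {domain_of(event.dest)} is external")
    if by_other:
        reasons.append(f"changed by {event.actor}, not the mailbox owner")
    severity = "high" if external else "medium" if by_other else "low"
    return Alert(event, severity, tuple(reasons) or ("internal forward set by owner",))


def audit(log_text: str, min_severity: str = "medium") -> list:
    """Return alerts at or above min_severity, in log order."""
    rank = {"low": 0, "medium": 1, "high": 2}
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = assess(event)
        if rank[alert.severity] >= rank[min_severity]:
            alerts.append(alert)
    return alerts


# Constructed sample log: one day of admin audit records.
SAMPLE_LOG = """\
ts=2015-08-05T08:12:01Z actor=cfo@example.com mailbox=cfo@example.com action=login client=web
ts=2015-08-05T08:14:37Z actor=cfo@example.com mailbox=cfo@example.com action=set_forward dest=cfo.backup@mail-example.net
ts=2015-08-05T09:02:10Z actor=helpdesk@example.com mailbox=ap-clerk@example.com action=set_forward dest=ap-shared@corp.example.com
ts=2015-08-05T09:30:44Z actor=intern@example.com mailbox=intern@example.com action=set_forward dest=team@corp.example.com
ts=2015-08-05T11:45:00Z actor=cfo@example.com mailbox=cfo@example.com action=set_forward dest=
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"[{a.severity}] {a.event.ts} {a.event.mailbox} -> "
              f"{a.event.dest or '(cleared)'}: {'; '.join(a.reasons)}")
```

On the sample log the script raises two alerts: a high one for the CFO mailbox now forwarding to an outside domain, and a medium one for a helpdesk account setting a forward on someone else's mailbox. The cleared forward later in the day is rated low but still parsed, since an attacker tidying up after a successful transfer is itself worth keeping in the record.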
Mozilla Releases Emergency Fix for Firefox Zero-Day (August 7, 2015)
Mozilla has issued an emergency fix to address a vulnerability in Firefox that is being actively exploited. The flaw is in the browser's embedded PDF reader and can be exploited to steal files stored on computers running vulnerable versions of Firefox. Users are urged to update to Firefox 39.0.3 and Firefox ESR 38.1.1.
-http://arstechnica.com/security/2015/08/0-day-attack-on-firefox-users-stole-password-and-key-data-patch-now/
[Editor's Note (Northcutt): Some organizations favored Firefox because it seemed more secure. They are now vulnerable as end-points are compromised. Speed to repair is crucial. Mozilla makes repair pretty easy:
-https://support.mozilla.org/en-US/kb/update-firefox-latest-version]
Chrysler Knew of Vulnerability for More than a Year (August 4 & 5, 2015)
Fiat Chrysler knew about the vulnerability in computers used in some of its cars for 18 months before the story broke last month. The company said it knew as far back as January 2014 that some radio communications ports had been inadvertently left open. Fiat Chrysler and Harman International, which makes the Uconnect dashboard computers, are facing a possible class-action lawsuit over the matter.
-http://www.bloomberg.com/news/articles/2015-08-05/fiat-chrysler-hacking-risk-kept-from-regulators-for-18-months
-http://www.wired.com/2015/08/chrysler-harman-hit-class-action-complaint-jeep-hack/
STORM CENTER TECH CORNER
.com.com domain used in typo squatting: fake virus scams
-https://isc.sans.edu/forums/diary/COMCOM+Used+For+Malicious+Typo+Squatting/20019/
Facebook User Enumeration via Phone Number
-https://www.linkedin.com/pulse/facebook-users-make-sure-your-mobile-phone-number-mayur-agnihotri?published=t
"Man in the Cloud" Attacks
-https://www.blackhat.com/us-15/sponsored-sessions.html#man-in-the-cloud-attacks
Lockheed Martin Open Sources "Laika BOSS"
-http://www.lockheedmartin.com/us/what-we-do/information-technology/cybersecurity/laika-boss.html
Firefox Update
-https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
Ubiquiti Breach
-http://www.sec.gov/Archives/edgar/data/1511737/000157104915006288/t1501817_8k.htm
Injecting Malicious Upgrades with WSUS
-https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update-wp.pdf
SHA-3 Now Official Hashing Standard
-http://www.nist.gov/itl/csd/201508_sha3.cfm
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/