SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVI - Issue #34
April 29, 2014
TOP OF THE NEWS
FBI Warns Healthcare Industry of Cyber Security Risks
Medical Devices Lack Adequate Security
DHS Hamstrings Itself in Quest to Hire Top Cyber Security Talent
THE REST OF THE WEEK'S NEWS
US-CERT and Microsoft Warn of Critical Flaw in Internet Explorer
DOE Issues Cyber Security Procurement Language Guidance for Energy Sector
Adobe Updates Flash Player to Fix Critical Flaw
AOL Says User Data Were Stolen
Apache Issues Update for Struts to Fix Problem with Earlier Update
Nine Sentenced for Roles in Barclays Thefts
Stanford's New Password Policy
US Supreme Court to Review Two Cases Involving Warrantless Cell Phone Searches
Court Denies Phone Company's Request to Withhold Customer Data from NSA
Federal Magistrates Taking a Stand Against Over-Broad Searches
STORM CENTER TECH CORNER
************************* Sponsored By Symantec **************************
Symantec Webcast: Social and Mobile Scams - Protect Yourself
Con artists are alive and well and practicing on the internet. Human nature hasn't changed, but technology has, and today's fraudsters have used social media and mobile applications to put new twists on old scams. Join this webcast on May 14 to see examples of the latest cons, frauds and flimflams invading social media and attacking mobile users, and learn what you can do to protect against them.
- -- Security Leadership Summit, April 30th and May 1st, in Boston. CISOs and leading SANS experts discuss key security topics and emerging trends. Bonus: choose from four classes (May 2nd - 6th) including Security Leadership, Implementing the Critical Security Controls, ICS/SCADA Security Essentials, and Security Bootcamp.
- -- SANS Security West San Diego, CA May 8-17, 2014 30 courses. Keynote sessions: Emerging Security Trends: Crossing the Chasm to Protecting a "Choose Your Own IT" World; and Will the Real Next Generation Security Please Stand Up?
- -- SANS Rocky Mountain 2014 Denver, CO June 9-14, 2014 8 courses. Bonus evening presentations include Continuous Ownage; Why You Need Continuous Monitoring; and APT: It is Time to Act.
- --SANS Secure Europe 2014 Amsterdam, Netherlands May 10-24, 2014 11 courses.
- --SANS Pen Test Berlin Berlin, Germany June 15-21, 2014 6 courses. Bonus evening session: Pwn a Drone Hacking Challenge.
- --Can't travel? SANS offers LIVE online instruction. Day (www.sans.org/simulcast) and Evening courses (www.sans.org/vlive) available!
- --Multi-week Live SANS training
- --Looking for training in your own community?
- --Save on On-Demand training (30 full courses) - See samples at
Plus Austin, Malaysia, London, and Bangkok all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
TOP OF THE NEWS
FBI Warns Healthcare Industry of Cyber Security Risks (April 23 & 24, 2014)
The FBI has issued two private industry notices (PINs) to the healthcare sector, warning that cyber attacks against devices and systems in that industry are likely to increase. The transition to electronic health records (EHRs), weak security, and the value of medical data on the black market all indicate that the number of attacks will rise. Healthcare lags behind other sectors in cyber security.
[Editor's Note (Assante): Okay, so no failure to warn here, but are we warning the right people? Who actually suffers the consequences of successful attacks, and who is held responsible for failure to act upon specific warnings? Can I get a tax or insurance credit for bringing my own security tools the next time I find myself in a medical treatment facility? ]
Medical Devices Lack Adequate Security (April 25, 2014)
A study of medical equipment at a chain of health care facilities in the Midwest found drug infusion pumps that could be remotely controlled to alter dosages; Bluetooth-enabled defibrillators that could be manipulated to deliver or prevent shocks; and electronic medical records with inadequate protections, leaving them vulnerable to alteration and theft. Many devices required no authentication at all, and many had weak or hardcoded passwords. Of particular concern were the embedded web services that let devices communicate with each other and deliver data to electronic medical records.
[Editor's Note (Assante): Sounds like the ICS problem first focused on 10 years ago, but worse, as these devices can be found in publicly accessible buildings and rely on wireless network connections. The attack surfaces of these devices are growing larger and are easier to get to with what appears to be an extended and less organized defense. ]
DHS Hamstrings Itself in Quest to Hire Top Cyber Security Talent (April 26, 2014)
The US Department of Homeland Security (DHS) faces challenges in attracting and retaining top cyber security talent. A lengthy hiring process means applicants have to wait months to be hired, and the agency does not offer compensation commensurate with private-industry salaries. DHS's own policies and procedures hamper its hiring ability: much of what the agency does is not secret, but because the work is conducted in a classified facility, the work is classified as secret. If the non-secret work were declassified, the hiring process could take much less time. DHS also gives the most coveted jobs, such as forensic investigation and intrusion detection engineering, to outside contractors.
[Editor's Comment (Northcutt): So if Reuters is correct, this is the Department of Homeland Insecurity (DHI); sad. ]
************************** Sponsored Links: ******************************
1) Security breaches in large enterprises make the headlines, but 55% of small and mid-size businesses have also experienced a data breach. And 60% of small businesses fail within six months of falling victim to a cyber attack. Download this eBook to learn more: http://www.sans.org/info/157900
2) Need to defeat APTs? Tony Sager Explains Where We're At With Live Threat Detection Automation Wednesday, April 30 - SPECIAL TIME 3 PM EDT http://www.sans.org/info/157905
3) New Analyst Paper in the SANS Reading Room John Pescatore's 2014 Trends Shaping Organizational Security http://www.sans.org/info/157910
THE REST OF THE WEEK'S NEWS
US-CERT and Microsoft Warn of Critical Flaw in Internet Explorer (April 28, 2014)
Microsoft has issued a security advisory warning of a critical memory-corruption flaw in Internet Explorer (IE), CVE-2014-1776, that allows remote code execution when a user visits a crafted web page and that is being exploited in limited, targeted attacks. The vulnerability affects IE versions 6 through 11. Microsoft recommends that users deploy the Enhanced Mitigation Experience Toolkit (EMET), which adds exploit mitigations to selected applications. The US Computer Emergency Readiness Team (US-CERT) has also issued a warning about the vulnerability and is urging IE users to switch to a different browser until Microsoft issues a fix. Users still running Windows XP are at particular risk because Microsoft will not be issuing updates to address the flaw in the retired operating system.
[Editor's Note (Pescatore): Most endpoint protection and IDS/IPS vendors have updates to detect known attacks, and there are several workarounds Microsoft suggests, such as disabling the Flash plug-in, EMET, etc. But, until systems are patched, good reason to stay off of the IE browser - and good reason to accelerate moving off of Windows XP faster. For embedded systems, it's worth checking if some version of IE is in use for HTTP functions. ]
DOE Issues Cyber Security Procurement Language Guidance for Energy Sector (April 28, 2014)
The US Department of Energy (DOE) has issued guidance for the energy industry to help organizations build effective cyber security protections into power delivery systems. The document offers specific language that organizations can use in the procurement process to ensure they get the products and services they need.
[Editor's Note (Assante): This is a fantastic collaboration that has delivered an immediately applicable tool to utilities and suppliers. SANS was a part of the initial effort in the late 2000s that produced the first versions used across multiple ICS-dependent sectors. The use of this document will help deliver more secure technologies if the buyer prioritizes these requirements throughout the process and the supplier is honest about what has been done in the past.
(Pescatore): Solid update to the 2009 version but there is not much that is specific to energy or control systems. The document is a thorough list of security requirements for pretty much any IT system and no mention of any specific issues around DNP, HMI, etc. or any other areas that are unique to control systems. ]
Adobe Updates Flash Player to Fix Critical Flaw (April 28, 2014)
Adobe has released a patch for a flaw in Flash Player (CVE-2014-0515) that is being actively exploited. There are fixes for multiple platforms. Windows and Mac users running Flash Player versions 13.0.0.182 and earlier need to update, as do Linux users running versions 11.2.202.350 and earlier. While the detected attacks target Flash on Windows machines, the flaw could soon be more widely exploited. The fix will be pushed out automatically to users running IE 10 and 11 on Windows 8 and to users of the Chrome browser.
AOL Says User Data Were Stolen (April 28, 2014)
AOL now says that the attackers who sent spoofed email that appeared to come from AOL addresses compromised account information of at least two percent of AOL users. Compromised data include email addresses, contact lists, encrypted passwords, and encrypted answers to security questions. AOL is urging all users to change their passwords and security questions.
[Editor's Note (Pescatore): The common thread between this AOL compromise, the earlier Yahoo mail compromise, the Target breach *and* the Heartbleed vulnerability is the continued use of reusable passwords means continued vulnerability. Imagine if your ATM machine only required PIN entry and not insertion of your ATM card. AOL is conspicuously missing from the list of email providers offering two-factor authentication - see
Apache Issues Update for Struts to Fix Problem with Earlier Update (April 28, 2014)
The Apache Software Foundation has updated its Struts framework, which is used for Java web application development, to address a problem with an earlier fix that inadequately addressed a security issue. The update released in March (Struts 2.3.16.1) was meant to block crafted request parameters that reach the application's ClassLoader through Struts' parameter binding, but it failed to block the attack in certain situations. Users are advised to update to Struts 2.3.16.2. The developers warned last week that the March update was incomplete and provided instructions for a manual workaround, a tightened parameter-exclusion pattern, to be used until the newer update was available; the update was released that same day.
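The "certain situations" are worth seeing concretely. The incomplete fix added a case-sensitive exclusion anchored at the start of the parameter name, roughly `^class\.`; because the expression language resolves the property name `Class` to `getClass()` just as it does `class`, a request parameter beginning `Class.classLoader.` walked straight past it. The block below is an added illustration written for this item, not code from the Struts project: the regexes, the sample parameter names and the helper names are this example's own assumptions, not the patterns Apache shipped. It contrasts the narrow filter, a hardened denylist, and the allowlist approach a practitioner should prefer.

```python
import re

# Constructed parameter names, modelled on the ClassLoader-manipulation
# technique. The regexes below are illustrative filters written for this
# example, not the exclusion patterns shipped in any Struts release.
SAMPLE_PARAMS = [
    "username",                                          # ordinary form field
    "user.address.city",                                 # legitimate nested property
    "classification",                                    # begins with "class", harmless
    "class.classLoader.resources.dirContext.docBase",    # lower-case form
    "Class.classLoader.resources.dirContext.docBase",    # capitalised bypass of ^class\.
    "user.class.classLoader.jarPath",                    # via a nested object's class
    "top['class'].classLoader.x",                        # bracket/index syntax
]

# Incomplete filter: anchored at the start and case-sensitive. OGNL resolves
# the property name "Class" to getClass() just as it does "class", so the
# capitalised variant is not matched.
NARROW_DENY = re.compile(r"^class\..*")

# Hardened denylist: a path segment named class, in any case, whether it is
# the first segment, a dotted sub-property, or a quoted bracket key.
HARDENED_DENY = re.compile(r"(^|[.\[])['\"]?class['\"]?([.\[\]]|$)", re.IGNORECASE)

# Allowlist rules (assumed for this example): plain dotted identifiers only,
# bounded depth, and no reserved segment in any position.
RESERVED_SEGMENTS = {"class", "classloader", "_memberaccess"}
SEGMENT = re.compile(r"^[a-zA-Z][a-zA-Z0-9_]*$")


def narrow_filter_blocks(name: str) -> bool:
    """True if the incomplete, case-sensitive prefix filter rejects the name."""
    return NARROW_DENY.match(name) is not None


def hardened_filter_blocks(name: str) -> bool:
    """True if the case-insensitive, any-position filter rejects the name."""
    return HARDENED_DENY.search(name) is not None


def is_safe_param(name: str, max_depth: int = 3) -> bool:
    """Allowlist check: accept only what an action would legitimately bind."""
    segments = name.split(".")
    if len(segments) > max_depth:
        return False
    return all(SEGMENT.match(s) and s.lower() not in RESERVED_SEGMENTS
               for s in segments)


def audit(params):
    """Map each name to (narrow blocks it, hardened blocks it, allowlist accepts it)."""
    return {p: (narrow_filter_blocks(p), hardened_filter_blocks(p), is_safe_param(p))
            for p in params}


if __name__ == "__main__":
    for name, (narrow, hard, allowed) in audit(SAMPLE_PARAMS).items():
        print(f"{name:48} narrow={narrow!s:5} hardened={hard!s:5} allowlist={allowed}")
```

Running the block shows the capitalised and nested names passing the narrow filter and being caught by the hardened one, while the allowlist rejects every attack string and still accepts `classification` and `user.address.city`. The lesson generalises beyond Struts: a denylist written against one spelling of a dangerous path is only as good as the interpreter's name resolution is strict, so bind request parameters to an explicit set of expected names instead.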
Nine Sentenced for Roles in Barclays Thefts (April 24, 25, & 28, 2014)
Tony Colston-Hayter has been sentenced to five and a half years in prison for orchestrating a GBP 1.25 million (US $2.1 million) theft from two branches of Barclays bank in April and July of 2013. Pretending to be tech support contract employees, Colston-Hayter and his accomplices placed keyboard-video-mouse (KVM) switches and wireless routers on computers in the targeted branches to gain access to the bank's internal systems and steal the information they used to empty six bank accounts. Less than half of the funds have been recovered. Eight accomplices have also been sentenced; their punishments range from suspended sentences to eight years in prison. Three more people are slated to be sentenced in June.
Stanford's New Password Policy (April 25, 2014)
Stanford University has implemented a new password policy. Passwords of 20 characters or more are exempt from the character-complexity requirements (upper- and lower-case letters, numbers, and symbols). Short (eight-character) passwords must meet all of the complexity requirements; the requirements are relaxed in steps at 12, 16, and 20 characters. All passwords are vetted to ensure that they are not common or otherwise too weak.
[Editor's Note (Murray): Length or complexity requirements add bits; more bits resist brute force attacks. We are not seeing brute force attacks. More bits also decrease usability. We are seeing keystroke-logging malware with replay. Bits do not resist replay attacks. We need strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), not longer passwords. Google, Twitter, Dropbox, and PayPal all get this and offer good examples.
(Northcutt): And one keystroke logger can get them all, 12, 16, 20, 200,000 character passwords. We have known that passwords are not a satisfactory solution for over 20 years. It is a safe bet that 99% of the students, faculty, and staff at Stanford have cell phones that can receive SMS messages which means they could implement SMS-based two factor authentication. That would be a serious step at actually improving security instead of pretending. ]
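A length-tiered policy like Stanford's is easy to state and easy to get subtly wrong, so here is an added example of one as a checker, not Stanford's own code or rules. The 8-character and 20-character tiers are as the item describes; the requirement of three character classes at 12 and two at 16 is an assumption about what "drops", and the common-password list is a constructed stand-in for the corpus a real deployment would vet against.

```python
import string
from typing import Tuple

# Constructed stand-in for a real common-password corpus (illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "stanford"}

# (minimum length, number of character classes required). The 8 and 20 tiers
# follow the item; the 12 and 16 tiers are this example's assumptions.
TIERS = [(20, 0), (16, 2), (12, 3), (8, 4)]
MIN_LENGTH = 8


def count_classes(pw: str) -> int:
    """Count which of lower, upper, digit and symbol classes appear in pw."""
    present = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # symbols, including space
    ]
    return sum(present)


def required_classes(length: int) -> int:
    """Pick the complexity requirement for a password of this length."""
    for min_len, needed in TIERS:
        if length >= min_len:
            return needed
    raise ValueError("shorter than the minimum length")


def is_common(pw: str) -> bool:
    """Reject exact matches and the usual 'Password1!' decorations of a common word."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) under the tiered policy."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if is_common(pw):
        return False, "matches a common password"
    needed = required_classes(len(pw))
    have = count_classes(pw)
    if have < needed:
        return False, f"length {len(pw)} requires {needed} character classes, found {have}"
    return True, f"ok: length {len(pw)} requires {needed} character classes, found {have}"


if __name__ == "__main__":
    # Constructed candidates covering each tier and the common-password check.
    for candidate in ["short", "Password1!", "troubador", "Tr0ub4d0r&3",
                      "abcdefghijklmnop", "AbcdefghijklMnop",
                      "correct horse battery staple"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r:34} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Note the ordering: the common-password check runs before the complexity check, because "Password1!" satisfies all four character classes and would otherwise be accepted; the vetting step the item mentions is what catches it, not the class count.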
US Supreme Court to Review Two Cases Involving Warrantless Cell Phone Searches (April 27, 2014)
The US Supreme Court is slated to review two cases regarding warrantless searches of cell phones by law enforcement. In both cases, information found on the phones linked the suspects to criminal activity that was not the original basis for their arrests. In one case, the First US Circuit Court of Appeals ruled that the warrantless search of a cell phone found on a man arrested in Boston violated the Fourth Amendment. In the second case, law enforcement officers in California searched a cell phone twice without a warrant, and the man's conviction was upheld on appeal.
Court Denies Phone Company's Request to Withhold Customer Data from NSA (April 25, 2014)
The Foreign Intelligence Surveillance Court (FISC) denied a phone company's request not to be required to provide customer call data to the NSA. The unnamed phone company asked the court to vacate a current order in light of Federal District Court Judge Richard J. Leon's December ruling that the NSA's bulk data collection program likely violated the Fourth Amendment.
Federal Magistrates Taking a Stand Against Over-Broad Searches (April 24, 2014)
A small group of federal magistrate judges seeks to check federal law enforcement's overly broad data gathering and retention powers, denying electronic evidence requests that are so broad they violate citizens' constitutional rights. DC Magistrate Judge John M. Facciola demands focused searches and also demands that collected data not relevant to an investigation be returned or destroyed.
STORM CENTER TECH CORNER
Ubuntu Lock Screen Bypass
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course and the Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/