SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #100

December 29, 2015

TOP OF THE NEWS

China's Counterterrorism Law
TSA May Stop Accepting Certain State-Issued IDs
VetSuccess Cyber Immersion Academy Closes CyberSkills Gap

THE REST OF THE WEEK'S NEWS

Adobe Updates Flash to Fix 19 Flaws
Voter Records Unprotected
Red Star OS: North Korea's Internal Operating System
Israeli Defense Official Dismissed Over Security Issues
TLS Certificate Changes
Steam Data Leak
Livestream Acknowledges Breach
Hyatt Hotels Says Malware Found on Payment Systems
Man Arrested for Allegedly Stealing Scripts for Unreleased Movies and Shows
Former Investment Company Advisor Sentenced for Unauthorized Data Access

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Splunk ***************************

Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, "what works" list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain. Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC.
http://www.sans.org/info/182662

***************************************************************************

TRAINING UPDATE

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

China's Counterterrorism Law (December 28, 2015)

China's parliament has passed a law that requires companies doing business in that country to "provide technical support and assistance, including decryption, to police and national security authorities in prevention and investigation of terrorist activities." The law is a step back from an earlier draft, which would have required companies to provide the Chinese government with encryption codes.
-http://www.slate.com/blogs/the_slatest/2015/12/28/china_passes_controversial_new
_counterterrorism_law.html
[Editor's Note (Ullrich): Anti-Terror laws that give the "good guys" access to encryption backdoors, phone conversations and other private data are a great idea, if you are able to define "good guys". I am pretty sure the Chinese government considers itself a part of that group. ]

TSA May Stop Accepting Certain State-Issued IDs (December 28, 2015)

The US Department of Homeland Security (DHS) may soon start enforcing the Real ID Act, which requires states to comply with certain federal security standards when issuing identification cards. People from states with non-compliant systems may find themselves unable to board planes or enter federal buildings with their ID cards. Some of the states are not compliant due to active opposition to the law due to privacy concerns or prohibitive costs.
-http://www.nytimes.com/2015/12/29/business/tsa-moves-closer-to-rejecting-some-st
ate-drivers-licenses-for-travel.html
-http://arstechnica.com/tech-policy/2015/12/tsa-may-soon-stop-accepting-drivers-l
icenses-from-nine-states/
-http://www.dhs.gov/real-id-enforcement-brief
[Editor's Comment (Northcutt): My home state Washington is one of the states and I fly. But I also have a passport. Suggest you advise any family members in the states at risk to get a passport or a passport card. ]

VetSuccess Cyber Immersion Academy Closes CyberSkills Gap (December 24, 2015)

The SANS CyberTalent VetSuccess Immersion Academy starts in February 2016. The program gives military veterans who are entering civilian life a "fast track" training program to help them find private sector jobs with good pay. The academy is looking for transitioning military personnel with cyber and signal experience, although all veterans may apply. Those who complete the training will hold multiple Global Information Assurance Certifications (GIAC).
-http://chronicle.augusta.com/news/metro/2015-12-24/cyber-academy-aiding-transiti
oning-soldiers-begin-february?v=1450991550
[Editor's Note (Paller): We continue to highlight the VetSuccess program (and it's sister program searching for cyber-talented women), because it is the only program we have seen that has a good chance to begin closing the highly technical cyberskills gap. Its unique contribution is not the extraordinary hands-on immersion training and testing the candidates complete (others can also attend that same SANS training and earn the same certifications). Rather what makes this program newsworthy is that it chooses students using SANS CyberTalent testing battery that identifies the 10-15% of the candidates who are likely to become outstanding cyber defenders. IOW VetSuccess provides access to world class training for people whose innate talent makes it likely they will convert that training into extraordinary on-the-job success. More information: Contact Max at mshuftan@sans.org ]

---

************************** SPONSORED LINKS ********************************
1) Know Before You Go: Key AWS Security Considerations. Tuesday, January 12 at 1:00 PM EDT (18:00:00 UTC) with Dave Shackleford and Matt Keil. http://www.sans.org/info/182497

2) Infosec Pros: Are your threat hunting efforts beneficial? Tell us in the new SANS Survey & enter to win $400 Amazon Gift Card. Thanks and Happy Holidays!! http://www.sans.org/info/182502

3) Don't Miss: Why You Need Application Security: Thursday, January 28 at 1:00 PM EDT (18:00:00 UTC) with Johannes Ullrich. http://www.sans.org/info/182507
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Adobe Updates Flash to Fix 19 Flaws (December 28, 2015)

Adobe has released updated versions of Flash Player to address 19 vulnerabilities, one of which is being actively exploited. That vulnerability was reported by Huawei's IT security department, leading to speculation that the company may have detected attacks through the flaw on its own systems. New versions of Flash are available for Windows, OS X, Linux, and Chrome OS.
-http://www.theregister.co.uk/2015/12/28/adobe_flash_security_update/
-http://krebsonsecurity.com/2015/12/flash-player-patch-fixes-0-day-18-other-flaws
/
[Editor's Note (Ullrich): This patch was supposed to be released in January (note the "16" indicating that this is the first 2016"). Adobe accelerated the release of this patch because one of the vulnerabilities has been seen in attacks already, apparently against Huawei. ]
Internet Storm Center's New Year's resolution #1 is not to patch Flash, but to uninstall it.
-https://isc.sans.edu/forums/diary/New+Years+Resolutions/20545/

Voter Records Unprotected (December 28, 2015)

A database containing personally identifiable information of 191 million voters has been discovered. The database is misconfigured, making it accessible online to anyone. The compromised information includes names, addresses, dates of birth, and voting history dating back to 2000. It has not yet been determined to whom the database belongs. Vickery also discovered unprotected databases belonging to Sanrio and MacKeeper.
-http://www.wired.com/2015/12/reams-of-us-voter-info-appear-to-be-just-sitting-on
line/
-http://thehill.com/policy/cybersecurity/264297-report-191m-voter-records-exposed
-publicly-online
-http://www.cnet.com/news/massive-trove-of-voters-election-data-discovered-on-web
/
-http://www.theregister.co.uk/2015/12/28/security_researcher_spots_191_millionrec
ord_us_voter_database_online/
[Editor's Note (Ullrich): Note that the file contains about 191 million records, but there are only around 140 million registered voters in the US. This may be the result of double counting, or the fact that the data included not just voter registration records, but also records from other sources. For many states (for example here in Florida), this data is public and already easily obtained online. ]

Red Star OS: North Korea's Internal Operating System (December 28, 2015)

North Korea has its own internal operating system that employs unique encryption to prevent foreign entities from spying on Internet communications in that country. North Korea does not connect to the Internet in the rest of the world. Information about the operating system, known as Red Star OS, was presented at the Chaos Communication Congress (CCC) in Hamburg, Germany, earlier this week. Analysis of the system indicates that it can track documents offline.
-http://www.bbc.com/news/world-asia-35188570
-http://thehill.com/policy/cybersecurity/264340-north-korea-uses-unique-encryptio
n-method

Israeli Defense Official Dismissed Over Security Issues (December 27 and 28, 2015)

Israeli head of missile defense Yair Ramati was dismissed for a "grave breach of information security." Although Israel's Defense Ministry did not release additional information about Ramati's dismissal, news sources in the country said that he had stored confidential information on his personal laptop.
-http://www.theguardian.com/world/2015/dec/28/israel-armed-forces-shocked-dismiss
al-missile-defence-chief-yair-ramati
-http://www.scmagazine.com/israeli-missile-defense-chief-dismissed-for-breach-of-
security-protocol/article/461884/
-http://www.haaretz.com/israel-news/.premium-1.694121

TLS Certificate Changes (December 27, 2015)

Staring January 1, 2016, websites needing TLS certificates will be able to obtain only SHA-2 signed certificates. Some users could face problems because older versions of browsers do not support SHA-2. The decision to stop issuing SHA-1 signed certificates was made because the algorithm was found to be unsecure. This past year, the maximum term of validity for a TLS certificate was reduced from 60 months to 39 months.
-http://www.eweek.com/security/ca-council-to-improve-internet-certificate-securit
y-in-2016.html
[Editor's Note (Ullrich): Some efforts, led by Facebook and Cloudflare, allow web servers to offer weaker SHA-1 signed certificates if the browser does not support more modern hashing algorithms. According to Facebook, about 7% of its users still use browsers that do not support anything beyond SHA-1. Facebook open sourced the code it wrote to support this fallback scheme. ]

Steam Data Leak (December 25 and 26, 2015)

Last week, online gaming platform Steam was found to be exposing users' information. Users have reported finding themselves logged into others' accounts, where they were able to view profile settings, PayPal account information, and portions of bank account numbers. The issue was first reported on December 25. Steam shut down temporarily while deploying a fix. The problem appears to have been caused by configuration changes.
-http://www.theregister.co.uk/2015/12/25/steam_snafu/
-http://www.technewstoday.com/27902-steam-caching-issue-valve-is-silent/

Livestream Acknowledges Breach (December 24, 2015)

Livestream has notified users of a breach, saying that an "unauthorized person may have accesses our customer account database." As a precaution, Livestream is requiring all users to reset their passwords.
-http://www.theregister.co.uk/2015/12/24/livestream_fesses_up_to_hack/
-http://www.zdnet.com/article/online-broadcaster-livestream-suffers-possible-data
base-breach/

Hyatt Hotels Says Malware Found on Payment Systems (December 23 and 24, 2015)

Add Hyatt to the list of hotels that has found malware on its payment systems. Hyatt disclosed the breach on December 23, 2015, but did not say how many of its properties were affected. The malware is designed to steal payment card information. Hyatt has called in an outside company to investigate.
-http://krebsonsecurity.com/2015/12/malware-driven-card-breach-at-hyatt-hotels/
-http://www.nbcnews.com/tech/security/hyatt-hotels-notifies-customers-malware-fou
nd-payment-systems-n485351
-http://www.bbc.com/news/technology-35175263
-http://thehill.com/policy/cybersecurity/264182-hyatt-hotels-hit-by-hackers
-http://www.hyatt.com/protectingourcustomers/

Man Arrested for Allegedly Stealing Scripts for Unreleased Movies and Shows (December 23, 2015)

US authorities have arrested a man in connection with the theft of television and movie scripts and private photographs of celebrities. Alonzo Knowles allegedly attempted to sell the items to an undercover agent. He allegedly stole the items by obtaining account passwords through phishing and by infecting their computers with malware capable of harvesting account credentials.
-http://www.theregister.co.uk/2015/12/23/hollywood_hacker/
-http://www.justice.gov/usao-sdny/file/801706/download
-http://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-agai
nst-bahamas-man-unlawfully-accessing-0

Former Investment Company Advisor Sentenced for Unauthorized Data Access (December 22 and 23, 2015)

Former Morgan Stanley financial advisor Galen Marsh was sentenced to three years probation and ordered to pay US $600,000 in restitution for accessing confidential client data without authorization. Marsh uploaded the data to a server at his home.
-http://www.scmagazine.com/morgan-stanley-adviser-sentenced-for-hacking-firms-net
work/article/461465/
-https://www.fbi.gov/newyork/press-releases/2015/former-morgan-stanley-financial-
adviser-sentenced-in-manhattan-federal-court-for-illegally-accessing-confidentia
l-client-information

---

STORM CENTER TECH CORNER

The Internet Storm Center and DShield depend on users submitting logs to give us an accurate picture of current attack activity. Last year, we added a number of new ways to submit logs. For example, you can submit logs from pfSense firewalls, or use Cowrie as well as Kippo Honeypots. In particular home user firewall logs are valuable. If you would like to submit logs, but haven't yet, please participate in our survey to help us find out how we can get more users to submit logs:
-https://dshield.typeform.com/to/t5g9K8

Discovering Libraries and Dependencies
-https://isc.sans.edu/forums/diary/Libraries+and+Dependencies+It+Really+is+Turtle
s+All+The+Way+Down/20533/

Malfunctioning Malware
-https://isc.sans.edu/forums/diary/Malfunctioning+Malware/20537/

Steam (Valve) Mixing Up User Accounts
-https://twitter.com/SteamDB/status/680490823226671104
-http://www.pcgamer.com/warning-steam-is-revealing-private-account-information/

Xen Releases Security Bug Details Prematurely
-http://xenbits.xen.org/xsa/advisory-169.html

New Years Resolutions
-https://isc.sans.edu/forums/diary/New+Years+Resolutions/20545/

Adobe Flash/Air Updates
-https://helpx.adobe.com/security/products/flash-player/apsb16-01.html

Large Voter Registration Database Leaked
-http://www.databreaches.net/191-million-voters-personal-info-exposed-by-misconfi
gured-database/

CCC Congress
-https://events.ccc.de/congress/2015/wiki/Main_Page

Juniper Update
-https://isc.sans.edu/forums/diary/The+other+Juniper+vulnerability+CVE20157756/20
529/
-https://isc.sans.edu/forums/diary/First+Exploit+Attempts+For+Juniper+Backdoor+Ag
ainst+Honeypot/20525/

Oracle Ordered By FTC To Aid Consumers in Uninstalling Old Java Versions
-https://www.ftc.gov/system/files/documents/cases/151221oracleorder.pdf

GPS Bike Tracking Software Leads to Theft of Bike
-http://www.manchestereveningnews.co.uk/news/greater-manchester-news/strava-cycli
sts-targeted-warning-theft-10633987

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/