SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #54

July 14, 2015

TOP OF THE NEWS

OPM Director Resigns
China's Cyber Security Law

THE REST OF THE WEEK'S NEWS

Adobe Will Patch More Flash Flaws Found in Leaked Hacking Team Code
Community Service Hours for Teen Involved in Spamhaus Attack
Hacking Team Says Not All Code was Compromised
Facebook CSO Calls for End to Flash
Land Rover Recall Due to Software Flaw
Espionage Group Exploiting Java Zero-Day
Fighting Back Against Bloatware
Guilty Plea in DNSChanger Case

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By RSA *****************************
Expert Panel Webcast: Maximize Your Endpoint Security Strategy with the Right Technology Wednesday, July 22, 2015: 8:00 am PT/11:00 am ET/3:00 pm GMT Join a panel of practitioners and analysts who will share how you can protect your organization's endpoints with confidence and increase the effectiveness of your security team. LEARN MORE: http://www.sans.org/info/178877
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
46 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

OPM Director Resigns (July 10, 2015)

Office of Personnel Management (OPM) Director Katherine Archuleta has resigned in the wake of a massive breach at the agency that affected millions of people. The compromised data included information people had submitted on lengthy forms required for background checks.
-http://www.forbes.com/sites/katevinton/2015/07/10/opm-director-katherine-archule
ta-resigns-after-federal-data-breach-affects-25-million-americans/
-http://www.computerworld.com/article/2946840/cybercrime-hacking/opm-director-ste
ps-down-in-wake-of-unprecedented-data-breach.html
-http://www.theregister.co.uk/2015/07/10/opm_boss_hands_in_resignation_over_massi
ve_security_failures/
[Editor's Note (Pescatore): The sad fact in the federal government is that it is easier to punish a department head than a CIO. As Verizon and other breach investigation reports invariably point out, the majority of breaches could have been prevented by basic "security hygiene" - a la the Critical Security Controls. Most of the failures in configuration management, patching and privilege management are IT operations failures that many CIOs allow to continue and at best try to spackle over with "security." The CIO at Target was the first fired after their breach - I'd really like to see more focus on the IT operations side at government agencies as Federal CIO Tony Scott's rapid cybersecurity review proceeds.
(Paller): John is correct, in part. For fair accountability in this case and to actually change behavior in the right way, one other person (in addition to the CIO) needs to be fired and two others need to be demoted. The other firing is the security audit director on OPM's Inspector General's staff for auditing the wrong things. This is a critical action. Without it, IGs will continue to drive federal cybersecurity into the toilet. The two people who need demoting and retraining are (1) the current CISO at OPM who appears to lack the technical skills to implement effective defense, discovery, containment and recovery, and (2) the OMB executive who has failed for half a decade to ensure agencies measure the right things. Competent IGs could have gone on and measured the wrong (OMB metrics) as well as the right things, but this OMB official tied one of the IG's hands behind his/her back. ]

China's Cyber Security Law (July 12 & 13, 2015)

A new draft law in China would give the government the authority to shut down Internet access during major "social security incidents." The law would also require technology companies to ensure protection of user data. People would be required to register for services with their real names, and companies would be required to store user data within the country.
-http://qz.com/450381/china-wants-the-internet-to-boost-the-economy-but-fears-it-
will-threaten-national-security/
-http://arstechnica.co.uk/tech-policy/2015/07/chinas-new-internet-law-formalises-
stricter-censorship-surveillance-powers/
-http://www.theregister.co.uk/2015/07/13/china_cyber_security_law/
-http://chinalawtranslate.com/cybersecuritydraft/?lang=en
[Editor's Note (Pescatore): Compared to the US approach, the provisions mostly fall into two broad categories (1) Laws/regulations/executive orders the US already has in place; and (2) things (like the Internet "kill switch," no anonymity, all info flow to government, etc.) that have been proposed but rejected as taking the "Inter" out of the "Internet" - the "airplane would never crash if they didn't fly" area. I think the best way to read this is that it is China saying, "If you don't do all these things we recommend, you better figure out a way to secure them because this is what we exploit." ]

---

**************************** SPONSORED LINKS ******************************
1) Download the eBook: Mitigate the Endpoint Security Challenges Created by Ubiquitous Digital Patient Data. http://www.sans.org/info/178882

2) Webinar: How Can User Activity Monitoring Help Your Organization's Data Security, Forensic Investigations, and Internal Audits? http://www.sans.org/info/178887

3) Wednesday is the final day to participate in the 2015 SANS Cloud Security Survey. Thank you for your valuable input! Results webcast is scheduled for Sep. 23 -- mark your calendars! http://www.sans.org/info/178892
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Adobe Will Patch More Flash Flaws Found in Leaked Hacking Team Code (July 13, 2015)

Adobe says it will patch two additional security flaws in its Flash Player that were disclosed in documents that were stolen from the Hacking Team and then leaked. Adobe has already pushed out one fix for a Flash vulnerability found in the leaked data.
-http://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/
-http://www.eweek.com/security/adobe-to-patch-two-more-zero-day-flaws-in-flash.ht
ml
-http://www.cnet.com/news/adobe-promises-patch-for-latest-wave-of-critical-hackin
g-team-zero-day-exploits/
-http://www.zdnet.com/article/two-further-critical-flash-zero-days-appear-from-ha
cking-team-breach/
-http://www.scmagazine.com/researchers-report-flash-player-zero-day-bugs-after-ha
cking-team-leaks/article/426131/
[Editor's Note (Honan): Given that Adobe Flash has proven time and time again to be a preferred vector of attach for criminals and others this guide from Brian Krebs on how to set up your browser not to run Flash automatically is worth a read
-http://krebsonsecurity.com/2013/03/help-keep-threats-at-bay-with-click-to-play/
Of course the ideal would be to disable Flash entirely. ]

Community Service Hours for Teen Involved in Spamhaus Attack (July 10 & 13, 2015)

A judge in the UK has sentenced a teenager to 240 hours of community service for his role in distributed denial-of-service (DDoS) attacks launched against Spamhaus in 2013. Seth Nolan McDonagh was arrested in April 2013. Authorities discovered a bank account containing GBP 70,000 (US $108,400) and a cache of payment card data from accounts at German financial institutions.
-http://www.bbc.com/news/technology-33480257
-http://www.v3.co.uk/v3-uk/news/2417383/uk-teen-sentenced-over-spamhaus-attacks
[Editor's Note (Honan): Time and time again we see courts give lenient sentences to criminals caught hacking and disrupting systems mainly due to the age of the criminal. While this is frustrating for all those involved in prosecuting the case and indeed also for the victims, it also highlights how fragile and insecure our Internet infrastructures are. Maybe it's time to introduce a "if you're not taller than this line you cannot get on the ride " scheme similar to those seen at funfairs for companies to ensure their systems are secure before operating on the Internet. ]

Hacking Team Says Not All Code was Compromised (July 13, 2015)

Surveillance software company Hacking Team, which recently experienced a breach and significant data theft, has announced that it will release a new version of its product that contains "elements of
[its ]
source code not compromised in this attack."
-http://arstechnica.com/security/2015/07/hacking-team-remains-defiant-touts-new-v
ersion-of-spyware-suite/

Facebook CSO Calls for End to Flash (June 13, 2015)

Facebook's new chief security officer has said, via Twitter, that it's time for Flash to go. Alex Stamos tweeted, "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day." Stamos became Facebook's CSO in June after less than a year as CISO at Yahoo. Steve Jobs called for an end to Flash in 2010.
-http://www.zdnet.com/article/facebook-security-alex-stamos-flash-should-die/
-http://www.cnet.com/news/gone-in-a-flash-facebook-says-adobes-plug-in-is-a-secur
ity-risk-no-longer-worth-taking/

Land Rover Vehicles Recalled Over Software Flaw (July 13, 2015)

Land Rover is recalling more than 65,000 cars to fix a software issue that can be exploited to unlatch vehicle doors. The issue lies in the software that controls the cars' keyless entry. Some drivers have reported that doors have opened while the car was moving.
-http://www.npr.org/sections/thetwo-way/2015/07/13/422613026/land-rover-recalls-t
housands-of-vehicles-over-unlatching-doors
-http://www.bbc.com/news/technology-33506486

Espionage Group Exploiting Java Zero-Day (July 13, 2015)

An espionage group is using an unpatched Java vulnerability to launch attacks against a US defense organization and the armed forces of an unnamed country. The attack exploits a flaw in the most recent version of the Java runtime environment, Java 8 Update 45. The vulnerability does not affect Java versions 6 and 7. Trend Micro reports that this is the first known Java zero-day exploit since 2013. Users are urged to disable Java until a fix is available.
-http://blog.trendmicro.com/pawn-storm-first-java-zero-day-attack-in-two-years-ta
rgets-nato-us-defense-organizations/
-http://www.computerworld.com/article/2947216/security/cyberespionage-group-pawn-
storm-uses-exploit-for-unpatched-java-flaw.html
-http://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hack
ing-team-combine-with-java-0-day/

Fighting Back Against Bloatware (July 12, 2015)

Consumers are taking a stand against bloatware, or unwanted software that gets put on devices. A German court has ruled that antivirus company Avira may continue to warn users that software bundled with downloads is "potentially unwanted." Freemium.com has filed an injunction seeking to stop the warnings, but the court sided with Avira. Lenovo has stopped using Superfish after public outcry, and Samsung has changed its ways after a Chinese consumer group filed a lawsuit challenging the company's practice of preloading devices with unwanted software.
-http://www.eweek.com/security/legal-battles-could-trim-down-bloatware.html
[Editor's Note (Pescatore): Need this public outcry to continue, especially from enterprises making major PC/tablet/smartphone buys. Imagine if furniture manufacturers tried you sell you business furniture that was plastered with advertising decals like NASCAR racecars; wouldn't your procurement people push back? ]

Guilty Plea in DNSChanger Case (July 8 & 10, 2015)

An Estonian man has pleaded guilty in a New York court to charges of wire fraud and computer intrusion. Vladimir Tsastsin and his accomplices spread malware that infected more than four million machines worldwide. The malware, known as DNSChanger, altered DNS settings on the infected PCs; there were versions of the malware for Windows and for Mac. The malware replaced ads in browsers with ads that generated revenue for a particular company.
-http://krebsonsecurity.com/2015/07/cybercrime-kingpin-pleads-guilty/
-http://www.justice.gov/usao-sdny/pr/estonian-national-pleads-guilty-manhattan-fe
deral-court-charges-arising-massive-cyber

---

STORM CENTER TECH CORNER

Jump List Files are OLE Files
-https://isc.sans.edu/forums/diary/Jump+List+Files+Are+OLE+Files/19911/

Java 0-Day
-http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-tre
nd-micro-discovers-new-java-zero-day-exploit/

Cloudminr Breach
-https://threatpost.com/cloudminr-hack-exposes-data-on-80000-bitcoin-miners/11374
7

PHP Fixes MySQL Backronym Vulnerability
-https://bugs.php.net/bug.php?id=69669

Trend Micro Threat Intelligence Manage Vulnerabilities
-https://blogs.securiteam.com/index.php/archives/2502

More Adobe 0-Days From Hacking Team
-https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
-https://github.com/hackedteam?tab=repositories
-https://wikileaks.org/hackingteam/emails/emailid/45441

Android App Steals Facebook Credentials
-http://blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/
-http://www.welivesecurity.com/2015/07/09/apps-google-play-steal-facebook-credent
ials/

Open Source Projects At Risk
-https://www.coreinfrastructure.org/sites/cii/files/pages/files/pub_ida_lf_cii_07
0915.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager ad final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/