
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #55

July 17, 2015


Heads up: Two new courses have been getting unexpectedly large attendance (as large as our most popular, recently updated courses). As a courtesy to NewsBites readers, here are the courses most likely to sell out early at SANS Network Security 2015.
New:
- Continuous Monitoring and Security Ops (Conrad) (continually fills early)
- Windows Forensics Analysis (Lee)
Long-term favorites, recently updated:
- Network Penetration Testing and Ethical Hacking (Skoudis)
- Security Essentials Boot Camp (Cole)
- Implementing and Auditing the Critical Security Controls (Tarala)
There are also 33 other long courses and 13 short courses at Network Security this year. You can save $400 on the long courses if you register by July 22.
More information: http://www.sans.org/event/network-security-2015

TOP OF THE NEWS

US Dept. of Interior IG Report Finds Thousands of Security Issues
Adobe's Flash Player is Increasingly Unpopular
United Awards Millions of Miles in Bug Bounties

THE REST OF THE WEEK'S NEWS

Siemens Patches Energy Automation Systems Vulnerability
Google Will Expand Safe Browsing
FBI Tor Uncloaking Method Questioned
More Than 70 Arrests Accompany Darkode Takedown
13-Year Sentence for Man Who Sold Credit Monitoring Records Data
Vulnerability in Internet Monitoring Tool Used by Schools
Microsoft, Oracle, and Adobe Release Fixes

STORM CENTER TECH CORNER


********************** Sponsored By FinalCode ***************************
Webcast: File Security 2.0: Collaboration Controls, Considerations and Technology? Tuesday, July 21 at 1:00 PM EDT (17:00:00 UTC). Join Barbara Filkins, SANS Senior Analyst, and Scott Gordon, Chief Operating Officer at FinalCode, as they examine options, considerations and technology to secure shared files within and outside the porous corporate network.
http://www.sans.org/info/178992
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole, the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N

- -- SANS Virginia Beach 2015 | Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015 | Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015 | Las Vegas, NV | September 12-21, 2015 |
46 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy

Plus Minneapolis, Delhi, Milan, Amsterdam, and Seoul all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

US Dept. of Interior IG Report Finds Thousands of Security Issues (July 16, 2015)

According to a report from the US Department of the Interior (DOI) Office of Inspector General, agency systems were found to have nearly 3,000 security issues. Some of the vulnerabilities could be exploited to jump from a compromised machine to internal agency networks. The DOI hosted the Office of Personnel Management (OPM) files that were stolen in the initial, infamous OPM breach.
-http://www.scmagazine.com/department-of-the-interior-system-riddled-with-critical-vulnerabilities/article/426902/
-http://www.nextgov.com/cybersecurity/2015/07/after-dodging-bullet-hit-opm-interior-owns-cyber-problem/117904/?oref=ng-HPtopstory
-http://www.doi.gov/oig/reports/upload/ISDINMOA00042014Public.pdf
[Editor's Note (Pescatore): The IG report lists three breaches at DOI in 2014 and, for each one, mentions that the extent of the breach is "unknown." It also says "we found that the Department is unaware of the number of its publicly accessible IT systems or whether those systems are free from vulnerabilities." Oh, and there was no network segmentation... Pretty serious failures in basic security hygiene a la the Critical Security Controls. The only good news here: the IG report was one of the best I've seen - rather than start with the low impact but easy to audit areas (like the usual "80% of systems didn't have current Certification/Accreditation paperwork on file..."), it essentially prioritized the findings along the lines of the Critical Security Controls. ]

Adobe's Flash Player is Increasingly Unpopular (July 14 & 15, 2015)

Mozilla blocked the Flash plug-in in its Firefox browser due to several unpatched security issues with the media player. Google has announced that the next stable release of its Chrome browser will "intelligently pause" certain Flash elements. System76, which makes Ubuntu PCs, will no longer install Flash on its products, calling it dangerous and unnecessary. Adobe released an updated version of Flash on Tuesday, July 14, to fix the two new flaws.
-http://www.eweek.com/blogs/security-watch/mozilla-blocks-flash-in-firefox-thanks-to-unpatched-zero-days.html
-http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities/
-http://arstechnica.com/information-technology/2015/07/ubuntu-pc-maker-system76-abandons-flash-says-its-too-dangerous/
-http://www.wired.com/2015/07/adobe-flash-player-die/
[Editor's Note (Pescatore): I think it is time that Flash goes the way of hydrogen blimps and leaded gasoline. Adobe acquired Flash with Macromedia over 10 years ago and, after a decade, still hasn't been able to make Flash into a safe product. Even if Adobe keeps selling Flash, it's time for web sites to stop using Flash.
(Murray): Steve Jobs warned us about Flash years ago but even Apple continues to support it. We cannot claim to be serious about securing the infrastructure while we continue to tolerate, let alone support, Flash. ]

United Awards Millions of Miles in Bug Bounties (July 14 & 16, 2015)

United Airlines has given away two million miles to people who found security flaws in the airline's website. Two people each received one million United miles as part of the company's bug bounty scheme, which was announced in May.
-https://www.washingtonpost.com/blogs/the-switch/wp/2015/07/16/why-united-airlines-is-rewarding-hackers-with-millions-of-free-miles/
-http://www.bbc.com/news/technology-33552195
-http://www.theregister.co.uk/2015/07/16/united_airlines_bug_bounty_18m/
-http://www.zdnet.com/article/united-airlines-showers-air-miles-on-bug-bounty-researchers/

[Editor's Note (Northcutt): Very clever on United's part. It would be hard to spend a million miles:
-http://time.com/money/3896999/airline-miles-awards-consultants/
-http://www.wsj.com/articles/SB10001424052702304885404579548042629259758]


**************************** SPONSORED LINKS ******************************
1) APTs in ICS - Understanding and Preparing for the Rising Threat Landscape in Critical Infrastructure. Wednesday, July 22 at 1:00 PM EDT (17:00:00 UTC), featuring Mike Assante and Del Rodillas. http://www.sans.org/info/178997

2) Tracking and Observation - How-To and What To Watch For. Wednesday, July 29 at 1:00 PM EDT (17:00:00 UTC) with J. Michael Butler, Jason Trost, and special moderator Stephen Northcutt. http://www.sans.org/info/179002

3) How do organizations conduct continuous vulnerability assessment & remediation? Take the new Continuous Monitoring Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/179007
***************************************************************************

THE REST OF THE WEEK'S NEWS

Siemens Patches Energy Automation Systems Vulnerability (July 16, 2015)

Siemens recently patched a security flaw in its SICAM MIC that could have been exploited to take control of vulnerable devices. The SICAM MIC is a telecontrol system with an integrated web server; the authentication bypass vulnerability could be used to conduct administrative operations. The issue affects all versions of the firmware earlier than V2404.
-http://www.scmagazine.com/recently-patched-vulnerability-could-have-allowed-an-attacker-to-gain-unauthorized-control-of-a-device/article/426899/
-http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-632547.pdf

Google Will Expand Safe Browsing (July 16 & 17, 2015)

Google plans to expand its Safe Browsing feature to prevent unwanted software from downloading onto users' computers. The feature checks a database of links known to be affected by dodgy downloads. Google's Safe Browsing currently helps prevent code from installing through malware and suspected phishing attacks; the new version will aim to prevent piggybacked or bundled software.
-http://www.zdnet.com/article/google-expanding-safe-browsing-for-chrome-safari-firefox/
-http://www.theregister.co.uk/2015/07/17/google_safe_browsing/
[Editor's Note (Pescatore): Since the vast majority of Google's revenue comes from online advertising, Google is, and should be, under extra scrutiny with respect to how it defines and blocks "unwanted" software, since most of that will come from their competitors. Google has a published and solid definition of how it defines "unwanted" that seems to have worked well so far in increasing security without crossing the line.
(Murray): Google promised us safe browsing when it announced Chrome only to discover that browsers are fundamentally insecure. Google can certainly deliver "safer" browsing, but "safe?" Browsing is risky activity. Of course, "white listing," "default/deny," or whatever you want to call a restrictive policy can help. However, whatever representations a browser publisher makes, I will continue to run NoScript and advise enterprise clients to run Invincea, bit9, or similar software, to lock down desktops that are used for browsing, and to isolate those systems from mission-critical applications. I will continue to prefer iOS for browsing. I will continue to expect browser publishers to issue weekly patches. ]

FBI Tor Uncloaking Method Questioned (July 15 & 16, 2015)

US federal agents used malware to unmask a Tor-protected site and break up child pornography rings. The FBI seized a server running a Tor site, but allowed it to operate for two weeks while monitoring activity. It is not clear how the FBI used its Network Investigative Tool (NIT) to uncloak the Tor site. Information leaked after a breach of Hacking Team's networks suggests that the US government had ties to that organization.
-http://arstechnica.com/tech-policy/2015/07/feds-bust-through-huge-tor-hidden-child-porn-site-using-questionable-malware/
-http://thehill.com/policy/cybersecurity/248264-did-the-fbi-have-illegal-ties-to-a-controversial-hacking-firm
-http://www.zdnet.com/article/fbi-used-hacking-team-services-to-unmask-tor-user/

More Than 70 Arrests Accompany Darkode Takedown (July 15, 2015)

US law enforcement has taken down a crime ring known as Darkode. Operation Shrouded Horizon, a cooperative effort involving the FBI, the US Justice Department, and law enforcement agencies in nearly 20 countries around the globe, managed to seize and shut down the servers of the online forum where criminals traded in malware, stolen payment card data, and account access credentials. More than 70 people have been arrested in the US, Europe, Asia, and the Middle East.
-http://www.cnet.com/news/darkode-goes-dark-police-shut-down-infamous-cybercrime-marketplace/
-http://krebsonsecurity.com/2015/07/the-darkode-cybercrime-forum-up-close/
-http://www.wired.com/2015/07/dozens-nabbed-takedown-cybercrime-forum-darkode/
[Editor's Note (Honan): Kudos to all involved in this takedown. It is encouraging to see the increasing number of takedowns and international cooperation. A good example to demonstrate the power of information sharing. ]

13-Year Sentence for Man Who Sold Credit Monitoring Records Data (July 14 & 15, 2015)

A US federal judge has sentenced Hieu Minh Ngo to 13 years in prison for his role in a data breach of a credit monitoring company that exposed personally identifiable information for 200 million accounts. He was found guilty of charges that included wire fraud and identity fraud. Ngo pretended to be a private investigator and tricked Court Ventures into allowing him to access a database of personal information, which he then sold.
-http://www.computerworld.com/article/2948219/data-security/vietnamese-man-gets-13-years-for-massive-id-theft-scheme.html
-http://krebsonsecurity.com/2015/07/id-theft-service-proprietor-gets-13-years/
-http://www.justice.gov/opa/pr/vietnamese-national-sentenced-13-years-prison-operating-massive-international-hacking-and

[Editor's Note (Murray): Criminals continue to believe that computer crime is rarely successfully prosecuted. We change that perception one prosecution at a time. ]

Vulnerability in Internet Monitoring Tool Used by Schools (July 14, 2015)

A tool used by many schools in the UK to monitor students' Internet use contains vulnerabilities that could expose students' personal information. Impero Education Pro monitors and limits what students view on the Internet. A flaw in Impero's encryption protocol could be exploited to gain access to computers running the software, allowing an attacker to run software and access data held on compromised systems.
-http://www.theguardian.com/technology/2015/jul/14/security-flaw-found-in-school-internet-monitoring-software

Microsoft, Oracle, and Adobe Release Fixes (July 14, 2015)

Microsoft: Microsoft has released 14 security bulletins to address nearly 60 security flaws in its products. Microsoft has also stopped support for its antivirus for Windows XP.
-http://www.computerworld.com/article/2947756/application-security/huge-july-patch-update-with-critical-update-to-ie-and-windows.html
-https://technet.microsoft.com/library/security/ms15-Jul
-http://www.v3.co.uk/v3-uk/news/2417794/windows-xp-even-more-insecure-as-microsoft-ends-anti-virus-support
-http://krebsonsecurity.com/2015/07/adobe-ms-oracle-push-critical-security-fixes/
Oracle: Oracle has released updates that address nearly 200 security flaws in a variety of products, including a vulnerability in Java that was being actively exploited.
-http://www.theregister.co.uk/2015/07/16/oracle_java_patch/
-http://www.computerworld.com/article/2947760/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vulnerabilities.html
-http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Adobe: Adobe has updated its Flash Player to fix a pair of vulnerabilities that were disclosed in documents stolen from Hacking Team.
-http://www.theregister.co.uk/2015/07/14/adobe_flash_patch_tuesday/

STORM CENTER TECH CORNER

After Flash, what will exploit kits focus on next?
-https://dev-isc.sans.edu/forums/diary/After+Flash+what+will+exploit+kits+focus+on+next/19879/

Firefox Unblocks Flash
-https://addons.mozilla.org/en-US/firefox/blocked/p946

F-Secure reports rise in Flash Exploits
-https://www.f-secure.com/weblog/archives/00002819.html

Apple Blocks older Flash/Java Versions
-https://support.apple.com/en-us/HT202681
-https://support.apple.com/en-us/HT202678?

Exploit Mitigations Included in Flash 18.0.0.209
-http://googleprojectzero.blogspot.com/2015/07/significant-flash-exploit-mitigations_16.html

NY Times Collecting Local IP Addresses from Clients
-https://webrtchacks.com/dear-ny-times/

TOTOLINK Router Vulnerabilities
-https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html

NSA Releases Security Configuration Tool
-https://github.com/NationalSecurityAgency/SIMP

Walmart Canada Photocentre Breach
-http://www.theglobeandmail.com/report-on-business/walmart-looks-into-possible-credit-card-data-breach/article25422632/

Proxygambit (more advanced ProxyHam) Released
-http://samy.pl/proxygambit/

Why to Stop Using RC4
-http://www.rc4nomore.com

Adobe Updates
-https://isc.sans.edu/forums/diary/Adobe+Updates+Flash+Player+Shockwave+and+PDF+Reader/19917/

Java Update
-http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html

Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/July+2015+Microsoft+Patch+Tuesday/19919/


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/