
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #58

July 28, 2015

TOP OF THE NEWS

Fiat Chrysler Recall
US Power Grid Vulnerable
Pakistan Bans Blackberry Enterprise Server

THE REST OF THE WEEK'S NEWS

Stagefright Vulnerabilities Affect Nearly All Android Devices
Malware Could Breach Air-Gap
NSA to Lose Access to Section 215 Data
Three Sentenced in DNS Changer Case
NIST Draft Guidance on Mobile Devices for Healthcare Organizations
HORNET Onion Router Network Faster Than Tor
Belgian Government Phishing Test Not Thought Through

STORM CENTER TECH CORNER


************************ Sponsored By Splunk ****************************
No matter how effective you think your security technology is, attackers will find a way to penetrate your organization. Organizations must come to grips with the new cybersecurity realities. Learn how an analytics-based approach can help your team quickly determine the root cause of incidents in order to contain and remediate them.
http://www.sans.org/info/179197
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015 | Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015 | Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015 | Las Vegas, NV | September 12-21, 2015 | 49 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Fiat Chrysler Recall (July 27, 2015)

Chrysler has issued a safety recall for 1.4 million vehicles following the publication of a story in which hackers were able to take control of a Jeep. Users have several choices for fixing the vulnerabilities. They can go to a Chrysler dealer and have the software updated; they can download the patch onto a USB drive and plug it into their vehicle; or they can choose to receive a USB drive in the mail from Chrysler that already has the fix on it. Some have criticized the USB from Chrysler option because it asks users to trust a USB drive they receive in the mail.
-http://www.v3.co.uk/v3-uk/news/2419372/fiat-chrysler-issues-software-update-for-14-million-cars-amid-remote-hacking-concerns

-http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/
-http://www.zdnet.com/article/chryslers-response-to-car-hack-was-slow-and-incredibly-stupid/

-http://arstechnica.com/security/2015/07/fiat-chrysler-recalls-1-4-million-cars-over-remote-hack-vulnerability/

[Editor's Note (Northcutt): The bad news just does not end. They are going to receive a massive fine ($105M) and must offer to buy back Ram pickups.
-http://money.cnn.com/2015/07/26/news/companies/chrysler-105-million-fine/
-http://www.nbcnews.com/business/autos/fiat-chrysler-must-buy-back-hundreds-thousands-ram-pickups-n398911
]

US Power Grid Vulnerable (July 24, 2015)

According to analysis of the US power grid compiled by USA Today, the country's power grid experiences more failures than those in other developed countries. The report was published earlier this year.
-http://www.inquisitr.com/2279678/power-grid-is-americas-biggest-weakness-new-report-conforms/

-http://www.usatoday.com/story/news/2015/03/24/power-grid-physical-and-cyber-attacks-concern-security-experts/24892471/

[Editor's Note (Assante): The analysis of common security incidents lacks context relative to the identified consequence of losing large sections of an electricity Interconnect. High numbers of events can be distracting or cover preparations for a coordinated and targeted attack. Utilities are investing in and exercising new methods to detect incidents of concern, but confusion remains on the number and extent of targeted cyber incidents compromising critical systems. The possibility of a targeted attack with consequences is rising but routine cyber probes and substation intrusions are not a leading indicator of pending disaster. Transmission system elements remain vulnerable to a number of potential high consequence incidents.]

Pakistan Bans Blackberry Enterprise Server (July 27, 2015)

Pakistan's Ministry of the Interior has issued a notice to the Pakistan Telecommunication Authority (PTA) to order telecommunications companies that serve that country to stop access to BlackBerry Enterprise Services as of December 1, 2015. The directive was issued "for security reasons," according to a PTA spokesperson.
-http://www.theregister.co.uk/2015/07/27/pakistan_bans_blackberry_enterprise_server/

-http://www.v3.co.uk/v3-uk/news/2419418/pakistan-cracks-down-on-blackberry-privacy-services

-http://arstechnica.com/security/2015/07/pakistan-bans-blackberry-messaging-e-mail-for-security-reasons/



**************************** SPONSORED LINKS ******************************
1) Download the eBook: Cracking the Endpoint - Insider Tips for Endpoint Security. http://www.sans.org/info/179287

2) Protecting Third Party Applications with RASP. Thursday, July 30 at 1:00 PM EDT (17:00:00 UTC) with Eric Johnson and Cindy Blake. http://www.sans.org/info/179292

3) The Return of the Malicious Macro, and the Economics of Cybercrime. Thursday, August 13 at 1:00 PM EDT (17:00:00 UTC) with Jerry Shenk and Patrick Wheeler. http://www.sans.org/info/179297
***************************************************************************

THE REST OF THE WEEK'S NEWS

Stagefright Vulnerabilities Affect Nearly All Android Devices (July 27, 2015)

Nearly all Android smartphones contain remote code execution vulnerabilities that could be exploited simply by sending the device a maliciously crafted text message. The vulnerabilities lie in Stagefright, an Android component that is used in playing, recording, and processing multimedia files. Google has developed a fix for the issue, but because the wireless carriers and device manufacturers must also take action, it is unknown if and when the devices will be patched.
-https://isc.sans.edu/forums/diary/Android+Stagefright+multimedia+viewer+prone+to+remote+exploitation/19965/

-http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/

-http://www.darkreading.com/vulnerabilities---threats/stagefright-android-bug-heartbleed-for-mobile-but-harder-to-patch/d/d-id/1321477?

-http://www.forbes.com/sites/andygreenberg/2011/08/05/android-app-turns-smartphones-into-mobile-hacking-machines/

-http://www.computerworld.com/article/2953019/security/most-android-phones-can-be-hacked-with-a-simple-mms-message-or-multimedia-file.html

-http://www.cnet.com/news/most-android-phones-can-be-hacked-with-one-text/

Malware Could Breach Air-Gap (July 27, 2015)

Researchers will present a paper at the USENIX Security Symposium next month in which they describe malware designed to infiltrate air-gapped computers. The attack would require malware to be on both the air-gapped computer and the device capable of intercepting RF signals.
-http://www.scmagazine.com/israeli-researchers-create-new-malware-and-rootkit/article/428789/

-http://www.wired.com/2015/07/researchers-hack-air-gapped-computer-simple-cell-phone/

NSA to Lose Access to Section 215 Data (July 27, 2015)

According to an announcement from the Office of the Director of National Intelligence, the National Security Agency (NSA) will start to purge data collected under its Section 215 surveillance program that expires later this year. NSA analysts will no longer be permitted to search the database after November 29, 2015. Technicians will be able to access the database for three additional months for the purpose of comparing what they had collected before to what is permitted under the new system.
-http://www.nextgov.com/defense/2015/07/nsa-purge-database-phone-records-collected-under-mass-surveillance/118635/?oref=ng-HPriver

-http://www.nytimes.com/2015/07/28/us/politics/nsa-will-not-be-allowed-to-keep-old-phone-records.html

Three Sentenced in DNS Changer Case (July 24, 2015)

A US District judge in New York has sentenced three men to prison for their roles in a scheme that infected more than four million computers around the world with malware. The malware changed the computers' DNS settings so that users were redirected to specific websites. Two other people involved in the scheme have already received sentences, one is awaiting sentencing, and one alleged member of the group is still at large.
-http://www.theregister.co.uk/2015/07/24/3_estonians_in_slammer_for_pwning_4_million_computers_worldwide/

NIST Draft Guidance on Mobile Devices for Healthcare Organizations (July 24, 2015)

The US National Institute of Standards and Technology (NIST) has released draft guidance for health care providers regarding the use of mobile devices to access and transfer sensitive data. NIST is accepting public comments on the document through September 25, 2015.
-http://www.computerworld.com/article/2951831/healthcare-it/feds-look-to-bolster-security-for-mobile-devices-used-in-health-care.html

-https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices

HORNET Onion Router Network Faster Than Tor (July 24, 2015)

Researchers say they have developed a faster anonymizing onion router. While Tor is widely used to circumvent censorship, it is slow. The researchers' new anonymization network, dubbed HORNET (High-speed Onion Routing at the NETwork layer), is described in a recently published paper.
-http://arstechnica.com/information-technology/2015/07/researchers-claim-theyve-developed-a-better-faster-tor/

Belgian Government Phishing Test Not Thought Through (July 22, 2015)

A regional government in Belgium ran a phishing test on its employees but forgot to inform high-speed train operator Thalys that it was using the company's name in the message. The phishing email said that the recipient had booked an expensive trip abroad and that nearly 20,000 Euros would be charged to their payment card unless they cancelled the trip within three days. The email instructed recipients to send their card information to Thalys. Employees began calling Thalys to complain; some employees also contacted police.
-http://www.networkworld.com/article/2951514/security/belgian-government-phishing-test-goes-offtrack.html


STORM CENTER TECH CORNER

Angler's Best Friends
-https://isc.sans.edu/forums/diary/Anglers+best+friends/19959/

Android MMS Media Library Exploit
-http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Windows 10 Support for Intel Real Sense
-https://software.intel.com/en-us/blogs/2015/03/19/realsense-sdk-and-camera-setup-on-windows-10

Valve Software Password Reset Vulnerability
-https://threatpost.com/valve-patches-password-reset-vulnerability-in-steam/113976

Is Patching in 2 Days Possible?
-https://isc.sans.edu/forums/diary/Patching+in+2+days+tell+him+hes+dreaming/19957/

NHTSA Orders Fiat/Chrysler Recall of Vulnerable Vehicles
-http://www-odi.nhtsa.dot.gov/owners/SearchCurrentMonthRecall#

New Version of Google Chrome
-http://googlechromereleases.blogspot.co.uk/2015/07/stable-channel-update_21.html?m=1

Malicious Images Can Affect Cars
-http://www.bbc.com/news/technology-33622298


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/