SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #59

July 31, 2015

TOP OF THE NEWS

Clearer, More Stringent Cybersecurity Rules for Government Contractors
French Television Broadcaster Still Feeling Fallout from April Cyberattack
Fix Available for Critical Vulnerability in BIND Servers

THE REST OF THE WEEK'S NEWS

US Dept. of Commerce to Revisit Wassenaar Export Rules
Senators Receive Millions of Faxes Protesting CISA
OnStar Vulnerability
Microsoft Releases Windows 10
Windows 10 Wi-Fi Sense Feature Shares Wi-Fi Passwords With Contacts
OPM Attackers May Have Also Breached United Airlines Network
Sophisticated Hammertoss Malware Gets Instructions From Twitter, Steganography
Suspicious Safari Updates

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

NORTHCUTT REPORTS

Northcutt reports

---

********************** Sponsored By AlienVault ***************************
It's Here: Gartner Magic Quadrant for SIEM 2015. Download Now: http://www.sans.org/info/179322
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 |
Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 |
5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
49 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Clearer, More Stringent Cybersecurity Rules for Government Contractors (July 30, 2015)

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contactor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment.
-http://thehill.com/policy/cybersecurity/249752-white-house-wants-consistent-cybe
r-rules-for-contractors
-https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-18747.pdf
[Editor's Note (Pescatore): Many government RFPs, and probably most of the large ones, include FISMA requirements. The issue is not the requirements; it is the lack of assessing whether the contractor actually meets the requirements - same as the problem at Government agencies. The White House should look at the FedRAMP program, which has a consistent, well-thought-out way of defining, and more importantly assessing, the security of cloud service providers who want to do business with the Federal Government. ]

French Television Broadcaster Still Feeling Fallout from April Cyberattack (July 30, 3015)

French television broadcast company TV5Monde suffered a major cyber attack in April. The attackers took control of the company's social media accounts and its 10 channels, which broadcast worldwide. TV5Monde regained the ability to broadcast some content fairly quickly, and regained control of its Facebook and Twitter accounts, but was not able to offer live broadcast for several more weeks. The company's CEO says it does not expect to resume its full broadcast lineup until October 2015. The company basically is without Internet, as it cannot connect its service to the Internet until it builds a safer system.
-http://www.scmagazine.com/tv5monde-in-chaos-as-data-breach-costs-roll-into-the-m
illions/article/429390/
[Editor's Note (Assante): High profile cyber attacks that successfully disrupt public facing services will likely result in regulatory directives aimed at preventing an immediate repeat. A major dilemma in response to an attack with consequences is being able to assure government authorities that the attacker was properly contained, removed, and cannot easily re-attack. Once you look beyond the cyber only aspect and focus on preventing impacts, governments have plenty of regulatory powers to apply (think OSHA, EPA, etc.) ]

Fix Available for Critical Vulnerability in BIND Servers (July 30, 2015)

A vulnerability in the BIND DNS protocol could be exploited to launch denial-of-service (DoS) attacks and take down large portions of the Internet. The issue lies in the way BIND handles certain queries regarding transaction key records. BIND operators have released updated versions to address the critical flaw.
-http://www.zdnet.com/article/remote-denial-of-service-vulnerability-exposes-bind
-servers/
-http://arstechnica.com/security/2015/07/major-flaw-could-let-lone-wolf-hacker-br
ing-down-huge-swath-of-internet/
-http://www.computerworld.com/article/2955005/security/critical-bind-denialofserv
ice-flaw-could-disrupt-large-portions-of-the-internet.html
[Editor's Note (Murray): BIND is such a critical part of the infrastructure that we are reluctant to touch it. This is a clear exception. ]

---

**************************** SPONSORED LINKS ******************************
1) The Value of Real-Time Pattern Recognition Wednesday, August 19 at 1:00 PM EDT (17:00:00 UTC) featuring Dave Shackleford and Michael Crouse. http://www.sans.org/info/179327

2) Secure the Endpoint to battle Cyberthreats Tuesday, August 04 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Kat Pelak. http://www.sans.org/info/179332

3) The Return of the Malicious Macro, and the Economics of Cybercrime Thursday, August 13 at 1:00 PM EDT (17:00:00 UTC) with Jerry Shenk and Patrick Wheeler. http://www.sans.org/info/179337
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Dept. of Commerce to Revisit Wassenaar Export Rules (July 30, 2015)

A US Department of Commerce spokesperson said that the government plans to revise export controls on hacking tools after members of the information security community spoke out against the government's first iteration of the rules, required by the Wassenaar Arrangement. The rules are aimed at restricting the export of cyber tools that could be used for malicious purposes. Security experts have said that the rules would have a chilling effect on research.
-http://www.theregister.co.uk/2015/07/30/us_to_rethink_wassenaar/
[Editor's Note (Murray): These bureaucratic agreements have the force of law. They are generally honored and enforced in a haphazard, not too arbitrary, manner. This only adds to the intended "chilling effect." In the case of software traffic in the Internet, this is further aggravated by opaque routing that does not recognize borders. ]

Senators Receive Millions of Faxes Protesting CISA (July 30, 2015)

Opponents of legislation in the US Senate may have stalled a vote on the bill that aims to improve cyber threat information sharing between private companies and the government. Legislators were hoping to vote on The Cybersecurity Information Sharing Act (CISA) prior to the summer recess, which begins on August 10. A privacy advocacy group, Fight for the Future, sent more than six million faxes to Senate members protesting the proposed legislation.
-http://www.computerworld.com/article/2954547/security/opponents-focus-on-defeati
ng-cisa-cyberthreat-info-sharing-bill.html
-http://www.scmagazine.com/privacy-advocacy-group-sends-61-million-faxes-to-senat
e-to-protest-cisa/article/429616/
[Editor's Note (Pescatore): Millions of faxes, really? Probably a nice boost for the declining fax paper industry. Focusing on information sharing legislation while the vast majority of breaches are enabled by lack of simple security hygiene is like washing your car when the engine makes funny noises - it gives the feeling of action but is not remotely related to the actual problem. ]

OnStar Vulnerability (July 30, 2015)

A device called OwnStar was designed to demonstrate that the OnStar mobile service in GM vehicles is vulnerable to attacks. OwnStar is able to unlock, remotely start, and track GM vehicles that have the OnStar service. The vulnerability is in the application, not in the hardware in the vehicles.
-http://arstechnica.com/security/2015/07/ownstar-researcher-hijacks-remote-access
-to-onstar/

Microsoft Releases Windows 10 (July 29, 2015)

Microsoft has released its newest operating system, Windows 10. The company is offering a 90-day free trial for users who are unsure whether or not they want to upgrade from older versions of Windows. Users running Windows 7 and Windows 8.1 may upgrade to Windows 10 within the next year at no cost.
-http://www.cnet.com/news/microsoft-launches-free-90-day-trial-version-of-windows
-10/
[Editor's Note (Pescatore): For anyone on Windows 7 there are the usual good reasons for *not* rushing to move to Windows 10. There are more security features but just as many new "sharing" features (like WiFi Sense, below) and new code that needs to be field tested to see whether Windows 10 really is a security upgrade. ]

Windows 10 Wi-Fi Sense Feature Shares Wi-Fi Passwords With Contacts (July 30, 2015)

One of the new features of Microsoft's newest operating system is that Windows 10 will automatically share an encrypted version of your Wi-Fi network password with contacts in Outlook and Skype unless users specifically opt out. The password will not be disclosed, but the sharing mechanism will allow those contacts to use your Wi-Fi network if they are in the area. The Express settings for installation enable this feature by default. Some say that the feature is not as scary as people would like to think it is.
-http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/
-http://www.v3.co.uk/v3-uk/news/2420003/windows-10-wifi-sense-feature-faces-secur
ity-backlash
-http://www.zdnet.com/article/no-windows-10s-wi-fi-sense-feature-is-not-a-securit
y-risk/
[Editor's Note: (Pescatore): This should be a default off feature, requiring opt-in.
(Northcutt): What really hurts is that Windows 10 was billed as a security enhancement. According to CNN, "You can also opt your network out of Wi-Fi Sense entirely by adding the phrase "_optout" to the end of your Wi-Fi network's name."
-http://money.cnn.com/2015/07/30/technology/windows10-wifi-sense/
(Murray): This feature is part of a more general trend to make WiFi more available and accessible. As one who is often a guest in other people's homes, it is one that I can appreciate. I often find that, while I am welcome to use the WiFi, my host does not know the password. The risk of the feature is mitigated in part by the equally general trend toward the use of SSL by default. ]

OPM Attackers May Have Also Breached United Airlines Network (July 29 & 30, 2015)

United Airlines has neither confirmed nor denied a report that a breach of its networks earlier this year allowed intruders to access flight manifests. The group allegedly responsible for the breach is rumored to be the same group responsible for the breaches of the OPM and Anthem networks.
-http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-that-hit-u-
s-said-to-breach-united-airlines
-http://www.cnet.com/news/lifes-a-breach-reported-attack-on-united-airlines-shows
-everyone-has-valuable-data-to-protect/
-http://www.v3.co.uk/v3-uk/news/2420068/reported-united-airlines-hack-could-be-wo
rk-of-opm-chinese-hackers
-http://www.eweek.com/security/report-ties-alleged-united-airlines-breach-to-atta
cks-on-opm.html

Sophisticated Hammertoss Malware Gets Instructions From Twitter, Steganography (July 29, 2015)

Newly detected malware dubbed Hammertoss mimics user behavior to evade detection. Hammertoss was detected by FireEye, which believes it is being used by Russian hackers. Hammertoss checks Twitter, where is gets instructions. From there, it accesses Github to retrieve an image, which has code steganographically hidden in it. That encoded information tells Hammertoss when and where to exfiltrate data stolen from the infected computer.
-http://www.bbc.com/news/technology-33702678
-http://www.cnet.com/news/hammertoss-extra-sneaky-malware-acts-just-like-you/
-http://www.scmagazine.com/apt29-group-tactics-profiled-by-fireeye/article/429298
/

Suspicious Safari Updates (July 29, 2015)

Malwarebytes found that some shady websites are telling visitors that their versions of Safari are out of date and offering updates. The sketchy updates actually install MacKeeper and ZipCloud. The update did install a newer version of Safari, but did not install browser extensions. The "update" also managed to change the default home pages and search engines in Chrome and Firefox.
-http://www.scmagazine.com/fake-safari-update-leads-to-potentially-unwanted-insta
llations/article/429296/
-https://blog.malwarebytes.org/fraud-scam/2015/07/fake-safari-update-installs-mac
keeper-zipcloud/

---

STORM CENTER TECH CORNER

Javascript ZIP archives used for Malspam
-https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives
+of+javascript+files/19973/

Brinks Smart Safe Vulnerability
-http://www.bishopfox.com/blog/2015/07/on-the-brink-of-a-robbery/

XEN/Qemu Exploit in ATAPI (CDROM) commands allows for VM escape
-http://seclists.org/oss-sec/2015/q3/212

Waterplant Honeynet (German only)
-http://www.tuev-sued.de/tuev-sued-konzern/presse/pressemeldungen/potenzielle-ang
reifer-sind-ueberall

Tracking Point Smart Rifle Vulnerability
-https://threatpost.com/researchers-manipulate-rifles-precision-targeting-system/
114028

Keyboard Privacy Extension for Chrome
-https://chrome.google.com/webstore/detail/keyboard-privacy
-https://paul.reviews/behavioral-profiling-the-password-you-cant-change

United Airlines Compromise
-https://www.washingtonpost.com/news/the-switch/wp/2015/07/29/why-would-chinese-h
ackers-would-want-to-go-after-an-airline/

Bind Patches DoS Flaw
-https://kb.isc.org/article/AA-01272

BIND ISC Vulnerability Details
-https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-
can-cause-named-to-exit-with-a-require-assertion-failure/

Using "R" From the Commandline
-https://isc.sans.edu/forums/diary/Tech+tip+Invoke+a+system+command+in+R/19979/

Android DoS Vulnerability
-http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers
-vulnerability-that-renders-android-devices-silent/

---

NORTHCUTT REPORTS

Northcutt reports: General Dynamics Information Technology is looking for a secret squirrel position. Preference given to applicants that hold the GIAC GSEC, GCIH, GPEN certifications.
-https://isc.sans.edu/jobs/cfea35dcbcd0bb2646bef1f002d21abf8efae857

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/