Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #61

August 07, 2015

TOP OF THE NEWS

American Airlines and Sabre Corp. Reportedly Suffer Breaches
'State Actor' Blamed for DoD eMail Attack
Intel Architecture Flaw Lets Attackers Install Rootkits

THE REST OF THE WEEK'S NEWS

Tesla Patches Model S Software Vulnerabilities
OS X Flaw is Being Actively Exploited
Another WordPress Update
Appeals Court Says Warrant Required for Cell Location Data
Security Flaws in ZigBee Wireless Standard
China to Establish Police Presence at Major Internet Companies
(Some) Android (Users) to Get Monthly Updates
Prison Time for Tutor Who Stole Teachers' Login Credentials and Altered Grades
Windows 10 Security and Privacy Issues

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


**************************** Sponsored By HP *****************************
In case you missed it: Protecting Third Party Applications with RASP Thursday, July 30 at 1:00 PM EDT (17:00:00 UTC) featuring Eric Johnson and Cindy Blake.
http://www.sans.org/info/179427
***************************************************************************

TRAINING UPDATE


- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I


- -- Security Awareness Summit & Training | Philadelphia | August 17-25 |
5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N


- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 |
13 courses
http://www.sans.org/u/5Zz


- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 |
8 courses
http://www.sans.org/u/5ZO


- -- SANS Network Security 2015| Las Vegas, NV | September 12-21, 2015 |
49 courses
http://www.sans.org/u/5ZT


- -- Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!


- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- -- Save on OnDemand training (30 full courses) - See samples at OnDemand
Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

American Airlines and Sabre Corp. Reportedly Suffer Breaches (August 7, 2015)

American Airlines and airline and hotel reservation processor Sabre Corp. have both been victims of recent data breaches. The group responsible for the attacks is believed to be the same one that infiltrated networks at US health insurance companies and the Office of Personnel Management (OPM).
-http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-t
o-be-hit-in-hacks-backed-by-china

'State Actor' Blamed for DoD eMail Attack (August 6, 2015)

Emerging reports are saying that attackers working on behalf of a nation state launched a spear phishing attack that forced the US Department of Defense to shut down the Pentagon's Joint Chiefs of Staff unclassified email system. 4,000 workers use the affected servers.
-http://www.nextgov.com/cybersecurity/2015/08/reports-russia-hacked-pentagons-joi
nt-staff-email/118939/?oref=ng-channeltopstory

-http://www.theregister.co.uk/2015/08/06/pentagon_email_hacked/
-http://www.computerworld.com/article/2960806/malware-vulnerabilities/joint-chief
s-of-staff-emails-targeted-by-russian-hackers.html

[Editor's Note (Murray): These reports are confusing and incomplete. They are also inconsistent with the security measures (e.g., strong authentication, lockdown) that one would expect on such a system after the White House and State Department compromises. The MSNBC report, which I am watching as I write, says "little data was compromised." On the other hand the report was silent on how many systems were compromised. Multiple compromised systems is consistent with the system being down for weeks.
(Honan): The reporting around this attack highlights how weak we are at defending, detecting, and attributing cyber-attacks. The attack ranges from being a "spear phishing", to being "a new and different vulnerability," or the result of a "sophisticated cyberattack". While the Department of Defence said it is not sure who is behind the attack speculation ranges from it being Russia, to China, or to another "state actor". Maybe if we focused more time and energy on how these attacks happened and how to prevent them in the first place, identifying who is behind them would be easier and more credible.
(Pescatore): I would hope that DoD networks and email systems were built *expecting* attacks from "state actors" since we have only a Department of Defense to be there to protect us against "state actors." ]

Intel Architecture Flaw Lets Attackers Install Rootkits (August 6, 2015)

A design flaw in Intel chips that has been present for nearly 20 years could be exploited to install a rootkit in computers' firmware. Once installed, the rootkit would be undetectable. The feature was added to the x86 architecture in 1997.
-http://www.computerworld.com/article/2962325/computer-processors/design-flaw-in-
intel-chips-opens-door-to-rootkits.html

[Editor's Note (Assante): Firmware forensic capabilities are becoming necessary. How many incident response procedures include extracting firmware from suspect computers to conduct a diff against original or updated firmware? Or the analysis of trace kernel time stamps looking for firmware changes correlating with other activity? In the age of targeted attacks it is important that enterprise response teams hone skills to go deeper into the computing infrastructure.
(Murray): This is a widespread implementation-induced vulnerability; however, the fundamental vulnerability remains user programmability. It is difficult to remedy. Hopefully, the security software community will be able to recognize any exploit code specific to this control, though the reports suggest that recognizing compromised systems will be more difficult. We seem to be further than ever from trustworthy computers. Ironically, at least for the moment, (iOS, and to a lesser extent Android) mobile computers are more trustworthy than desktops.
(Pescatore): There is a long-standing truism in IT security: the infrastructure can never fully protect the infrastructure. This is one example of why the Intel acquiring McAfee was *not* a game changer in fighting malware. ]


**************************** SPONSORED LINKS ******************************
1) The Race to Detection: IR Trends, Tools and Processes That Close the Gap. Wednesday, August 12 at 1:00 PM EDT (17:00:00 UTC) with Alissa Torres and Jim Raine. http://www.sans.org/info/179432

2) The Return of the Malicious Macro, and the Economics of Cybercrime. Thursday, August 13 at 1:00 PM EDT (17:00:00 UTC) with Jerry Shenk and Patrick Wheeler. http://www.sans.org/info/179437

3) Security Analytics & Intelligence: What Has Changed This Year? Take 2015 Survey - Enter to Win $400 Amazon Gift Card http://www.sans.org/info/179442
***************************************************************************

THE REST OF THE WEEK'S NEWS

Tesla Patches Model S Software Vulnerabilities (August 6, 2015)

Tesla has released a software update to address half a dozen security issues in its Model S automobiles that could be exploited to taken control of the car's entertainment system and from there, take control of the vehicle itself. The attack does require physical access to the car.
-http://www.computerworld.com/article/2960802/security/tesla-patches-model-s-afte
r-researchers-hack-cars-software.html

-http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/
-http://www.cnet.com/news/tesla-model-s-owners-take-heart-hack-requires-physical-
access-to-cars-onboard-computer/

-http://www.bbc.com/news/technology-33802344
[Editor's Note (Murray): Part of this problem seems to be the sharing of a single display for the entertainment system and the automotive system, thus exposing the automotive network. ]

OS X Flaw is Being Actively Exploited (August 5 & 6, 2015)

Attackers have begun exploiting a vulnerability in Apple's OS X Yosemite to infect unpatched machines with adware. The flaw can be exploited to execute code with administrative rights. Apple plans to include a fix for the issue in its next update, OS X 10.10.5, which should be available in the next couple of weeks.
-http://www.cnet.com/news/apple-reportedly-set-to-patch-serious-security-bug-in-m
ac-os-x/

-http://www.computerworld.com/article/2959543/security/crooks-exploit-public-bug-
to-plant-adware-on-yosemite-macs.html

Another WordPress Update (August 6, 2015)

WordPress has released another update to address six vulnerabilities. Just two weeks ago, WordPress released version 4.2.3 to patch a vulnerability that could be exploited by a cross-site scripting attack. The newest update, version 4.2.4, addresses several security issues, including an SQL injection vulnerability.
-http://www.theregister.co.uk/2015/08/06/vulnerable_again_wordpress_issues_urgent
_patch/

-https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-rele
ase/

Appeals Court Says Warrant Required for Cell Location Data (August 5 & 6, 2015)

The Fourth US Circuit Court of Appeals has ruled that law enforcement must obtain a warrant prior to requesting cell phone location data from service providers. According to the decision, that information is protected under the Fourth Amendment.
-http://www.scmagazine.com/fourth-amendment-protects-cell-phone-location-informat
ion/article/431250/

-http://www.theregister.co.uk/2015/08/05/cell_phone_location_data_protected/

Security Flaws in ZigBee Wireless Standard (August 6, 2015)

Several flaws have been found in the ZigBee wireless security standard; they could be exploited to compromise vulnerable devices and take control of other devices on the same network. ZigBee is used in many IoT devices and in smart home networks.
-http://www.zdnet.com/article/critical-security-flaws-leave-connected-home-device
s-vulnerable/

-http://www.theregister.co.uk/2015/08/06/zigbee_insecurity_home_networking_oit/
[Editor's Note (Pescatore): One big difference in the "Internet of Things" is heterogeneity, both in devices/software and in protocols and communication standards. Zigbee, Bluetooth LE, WiFi, Thread/ Z-Wave - there is a long list of these at varying stages of maturity from a security perspective. The first step is having the ability to detect which of these wireless devices are active in your environment; we are a long way from them being secure. ]

China to Establish Police Presence at Major Internet Companies (August 5, 2015)

The Chinese government plans to put "network security offices" staffed by police at large Internet companies in that country. The goal is to "catch criminal behavior online at the earliest possible point." There is some suspicion that the plan is also part of the country's efforts to censor what people in that country can view on the Internet.
-http://www.cnet.com/news/chinese-police-to-set-up-shop-at-major-web-companies/
Http://www.computerworld.com/article/2956681/security/china-to-plant-internet-police-in-top-online-firms.html Http://www.wired.co.uk/news/archive/2015-08/05/china-cyber-security-police-in-internet-headquarters
[Editor's Note (Pescatore): Sort of sounds like a human-powered "backdoor" government approach. Instead of relying on technology mandates for government monitoring as most western countries do, physically put people there. Seems hard to believe this approach is scalable, any more than China's try at prohibiting encryption use was years ago. On the other hand, when you have 1.4 billion citizens, using actual people doesn't present as much of a scalability problem... ]

(Some) Android (Users) to Get Monthly Updates (August 5, 2015)

Google and companies that manufacture Android devices are distributing a fix for the critical Stagefright vulnerability. Android users have usually not received security updates in a timely manner; now Google, Samsung, and LG now say they will issue monthly security updates for Android devices.
-http://www.computerworld.com/article/2960512/security/android-device-makers-prom
ise-monthly-security-fixes.html

-http://www.theregister.co.uk/2015/08/05/android_software_update/
-http://arstechnica.com/security/2015/08/google-pushes-update-for-critical-androi
d-bug-but-wont-say-if-its-fixed/

[Editor's Note (Pescatore): Monthly is better than randomly to never, but since the Android ecosystem seems to have no problem continuously pushing out advertising, it really needs to prioritize continuous security updates equally.
(Northcutt): A member of the GIAC Advisory Board posted that security company Zimperium has released a StageFright Proof of Concept attack. His blogpost describes how to change the default behavior of Android phones to reduce the risk a bit until your phone manufacturer releases a fix.
-https://www.linkedin.com/pulse/you-have-android-phone-read-pass-stephen-northcut
t?trk=hp-feed-article-title-publish
]

Prison Time for Tutor Who Stole Teachers' Login Credentials and Altered Grades (August 5, 2015)

Timothy Lance Lai pleaded guilty to computer fraud and burglary earlier this week. Lai put keystroke loggers on computers belonging to teachers at Corona del Mar High School in California where he tutored students. He used the information to steal login credentials, change students' grades, and look at tests. Lai has been sentenced to one year in prison.
-http://arstechnica.com/tech-policy/2015/08/tutor-who-helped-students-cheat-by-ke
ylogging-teachers-gets-1-year-in-prison/

Windows 10 Security and Privacy Issues (August 3 & 5, 2015)

Windows 10 collects a significant amount of data from users. The privacy policy is described in the operating system's privacy statement, but users often agree to Terms of Service Agreements without actually reading the text. These articles describe some of the ways user data is gathered and used, and provide recommendations for changing settings to protect privacy.
-http://www.wired.com/2015/08/windows-10-security-settings-need-know/
-http://www.slate.com/articles/technology/bitwise/2015/08/windows_10_privacy_prob
lems_here_s_how_bad_they_are_and_how_to_plug_them.single.html

[Editor's Note (Pescatore): Since Microsoft has joined the "updates are free, we will get revenue from selling information about users" bandwagon with Google, Facebook, etc., Windows 10 does try to sneak a lot of info leakage into the default settings. Enterprise pressure on Microsoft is needed to get these changed to opt-ins before enterprise migration. ]

STORM CENTER TECH CORNER

Sigcheck and Virustotal-search
-https://isc.sans.edu/forums/diary/Sigcheck+and+virustotalsearch/20009/

Tesla S Hack
-http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

Hacking Garage Door Openers
-http://arstechnica.com/security/2015/08/meet-rolljam-the-30-device-that-jimmies-
car-and-garage-doors/

Android Certificate Collisions
-http://blog.checkpoint.com/2015/08/06/certifigate/

Nuclear Exploit Kit Traffic Patterns
-https://isc.sans.edu/forums/diary/Nuclear+EK+traffic+patterns+in+August+2015/200
01/

ICANN Breach
-https://www.icann.org/news/announcement-2015-08-05-en

Android Moving to Monthly Updates
-http://officialandroid.blogspot.com/2015/08/an-update-to-nexus-devices.html?m=1

Wordpress Update
-https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-rele
ase/

SSH Client Public Key Disclosure
-https://blog.filippo.io/ssh-whoami-filippo-io/

Yahoo Malvertising
-https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign
-takes-on-yahoo/

HTML5 Battery Status API
-http://eprint.iacr.org/2015/616.pdf

OS X Privilege Exploit Bug Used in the Wild
-https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-th
e-wild/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/