SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #63

August 14, 2015

TOP OF THE NEWS

Proposed Cyber Security Requirements for US Government Contractors
VW Hid Security Flaw For Two Years
Lenovo Installs Unremovable Unwanted Software

THE REST OF THE WEEK'S NEWS

Stagefright Update Needs Fixing
Cisco Network Gear is Being Hijacked
Apple Issues Updates
Charges from Insider Trading Info Stealing
Firefox 40 Supports Windows 10, Enhances Security
Online Trust Alliance Develop IoT Security Guidelines
August's Security Updates
ATM Skimmer Reads Chipped Cards

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec **************************

How are Cybercriminals Threatening Security? Highlights from the 2015 Internet Security Threat Report: Tuesday, August 18 at 3:00 PM EDT (19:00:00 UTC) with David Hoelzer, Don Maclean, and Robert Myles who will drill-down into some of the finer points of these "Key Findings" and offer solutions to combat these various cyber threats. http://www.sans.org/info/179632

*************************************************************************** TRAINING UPDATE

- -- SANS Network Security 2015| Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- -- Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566.
http://www.sans.org/u/53I

- -- Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact.
http://www.sans.org/u/53N

- -- SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz

- -- SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO

- -- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- -- Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- -- Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************

---

TOP OF THE NEWS

Proposed Cyber Security Requirements for US Government Contractors (August 11, 2015)

The US Office of Management and Budget (OMB) has issued proposed cyber security rules for federal government contractors. The new rules would establish baseline security requirements and oblige contractors to disclose breaches to authorities. The draft rules would also allow the Department of Homeland Security (DHS) to establish monitoring programs on contractors' systems if they are not abiding by the rules. OMB is accepting public comment on the draft document through September 10, 2015.
-http://www.nextgov.com/cybersecurity/2015/08/white-house-details-draft-contracto
r-data-breach-rules/119039/?oref=ng-channelriver
-http://thehill.com/policy/cybersecurity/250869-white-house-issues-cybersecurity-
rules-for-contractors
-https://policy.cio.gov

VW Hid Security Flaw For Two Years (August 14, 2015)

Researchers say VW spent years trying to use the courts to suppress information about a vulnerability that allows keyless car theft. Affects VW luxury lines including Audi, Porsche, Bentley and Lamborghini, as well as Fiats, Hondas, Volvos and some Maserati models. There's no quick fix for the problem - the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs. A paper will presented this week detailing the vulnerability.
-http://bloom.bg/1fbadoJ

Lenovo Installs Unremovable Unwanted Software (August 12 & 13, 2015)

Lenovo has been using code in the firmware of some devices to make unwanted software persist even after users reinstall operating systems. Lenovo is exploiting Microsoft's Windows Platform Binary Table feature, which is built into Windows machines.
-http://www.v3.co.uk/v3-uk/news/2422015/lenovo-caught-installing-bloatware-again-
with-windows-bios-backdoor
-http://www.zdnet.com/article/lenovo-rootkit-ensured-its-software-could-not-be-de
leted/
[Editor's Note (Ullrich): While nothing new, this level of "vendor root kit" puts Lenovo in its own class of creepiness. Not only does the system come pre-installed with a set of vendor supplied tools, but it will also actively intercept attempts to install the operating system from scratch, a common practice among more security conscious users. Also note that a pre-pw0ned system like this could easily be weaponized later by installing additional software. ]

---

THE REST OF THE WEEK'S NEWS

Stagefright Update Needs Fixing (August 13, 2015)

The update for the Stagefright vulnerability that Google initially released has been found to be problematic. The flaw affects the roughly 950 million devices that run Android versions 2.2 through 5.1. Google has developed a fix for the faulty patch and has begun pushing it out to certain devices.
-http://www.theregister.co.uk/2015/08/13/stagefright_patch_needs_repatch/

Cisco Network Gear is Being Hijacked (August 13, 2015)

Cisco is warning customers that attackers are hijacking the networking gear with maliciously crafted ROMMON firmware images. The attack requires valid administrator credentials. The issue cannot be fixed with a patch, because admins need to be able to make legitimate ROMMON swaps.
-http://arstechnica.com/security/2015/08/attackers-are-hijacking-critical-network
ing-gear-from-cisco-company-warns/
-http://www.computerworld.com/article/2970938/security/cisco-warns-customers-abou
t-attacks-installing-rogue-firmware-on-networking-gear.html
-http://www.theregister.co.uk/2015/08/13/cisco_warning_malware_in_firmware/

Apple Issues Updates (August 13, 2015)

Apple has released multiple updates to address security issues in iOS, OS X Yosemite, Safari, and OS X Server. The newest version of iOS is now 8.4.1. The most up-to-date version of OS X Yosemite is now 10.10.5. The most current versions of Safari are 8.0.8, 7.1.8, and 6.2.8. And the newest version of OS X Server is 4.1.5.
-http://www.theregister.co.uk/2015/08/13/apple_patches/
-http://www.scmagazine.com/apple-releases-os-update-for-security-improvements/art
icle/432649/
-https://support.apple.com/en-us/HT205031
[Editor's Note (Ullrich): As usual, there isn't a lot of detail in Apple's advisory. But these are "must patch" issues. Some fix vulnerabilities in open source packages that have been disclosed (and exploited) for a while. ]

Charges from Insider Trading Info Stealing (August 12, 2015)

The US Securities and Exchange Commission (SEC) has charged 32 people in connection with a scheme involving stolen press releases and illegal stock trades. The attackers stole the not-yet-published releases and made them available on servers to which certain stock traders had access. The traders were able to make illegally informed decisions about their transactions, earning more than US $100 million. Nine of the people facing SEC charges are facing charges from the Department of Justice.
-http://www.eweek.com/security/feds-accuse-9-of-using-stolen-press-releases-to-ma
ke-100-million.html
-http://www.zdnet.com/article/hackers-charged-after-pocketing-100m-from-stolen-ma
terial/
-http://www.zdnet.com/article/32-hackers-traders-charged-for-cashing-in-on-stolen
-press-releases/
-http://www.computerworld.com/article/2970179/cybercrime-hacking/sec-charges-32-i
n-press-release-hacking-stock-trading-scheme.html
[Editor's Note (Northcutt): This seems to fall into the category of something happened, I am not sure what. The idea of a "confidential" press release is a head scratcher for me. It would be best to rely on the DOJ release instead of a reporters' rehash:
-http://www.justice.gov/usao-nj/pr/nine-people-charged-largest-known-computer-hac
king-and-securities-fraud-scheme]

Firefox 40 Supports Windows 10, Enhances Security (August 12, 2015)

Mozilla has released Firefox 40. The newest version of the browser includes support for Windows 10 in addition to addressing security issues. Add-ons that Mozilla has not signed will display warnings. Future versions of Firefox will disable add-ons that are not signed by Mozilla.
-http://www.scmagazine.com/firefox-40-comes-with-fixes-for-several-bugs-new-secur
ity-features/article/432431/
-http://www.forbes.com/sites/tonybradley/2015/08/12/mozilla-launches-firefox-40-e
ngineered-for-windows-10/

Online Trust Alliance Develop IoT Security Guidelines (August 11 & 12, 2015)

The Online Trust Alliance (OTA), whose members include Microsoft, Symantec, and Verisign, say that the manufacturers of smart home devices and other Internet-connected products that make up the Internet of Things (IoT) are not paying attention to the need to build in security. They have issued suggested guidelines for manufacturers, developers, and retailers, and are inviting public comment.
-http://www.theregister.co.uk/2015/08/12/iot_security_is_rubbish_says_iot_vendor_
collective/
-http://www.zdnet.com/article/lax-iot-security-smart-tvs-and-wearables-are-paving
-the-way-for-massive-privacy-breaches/
-http://www.cnet.com/news/internet-of-things-device-security-degrades-over-time/

August's Security Updates (August 11, 2015)

Adobe has issued updates for its Flash Player to address 34 vulnerabilities. Adobe's Flash update for July addressed 36 flaws. Microsoft's monthly update includes fixes for four critical flaws, some of which affect Windows 10.
-http://krebsonsecurity.com/2015/08/adobe-ms-push-patches-oracle-drops-drama/
-http://www.eweek.com/blogs/security-watch/adobe-patches-34-more-bugs-in-flash.ht
ml
-http://www.darkreading.com/vulnerabilities---threats/windows-10-gets-patch-tuesd
ay-treatment-with-4-critical-bugs-fixed/d/d-id/1321729?
-https://technet.microsoft.com/en-us/library/security/ms15-aug.aspx

ATM Skimmer Reads Chipped Cards (August 11, 2015)

Fraudsters have managed to develop a device that can skim information from chip-enabled payment cards. The devices were detected on machines in Mexico and have been dubbed "shimmers," because they act as shims between the STM and the card's chip.
-http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/

---

STORM CENTER TECH CORNER

Cisco Advisory About iOS Firmware Attacks
-http://tools.cisco.com/security/center/viewAlert.x?alertId=40411

Enumerating Windows Service Accounts
-https://isc.sans.edu/forums/diary/Windows+Service+Accounts+Why+Theyre+Evil+and+W
hy+Pentesters+Love+them/20029/

Apple App Store Store XSS Vulnerability
-https://isc.sans.edu/forums/diary/Yes+Virginia+Stored+XSSs+Do+Exist/20033/

Lenovo Installed Vulnerable Software in BIOS
-http://news.lenovo.com/article_display.cfm?article_id=2013

Cloudflare Outage
-https://www.cloudflarestatus.com/incidents/3r1fydg29dqy

Car Telematic SMS Vulnerability
-https://www.usenix.org/system/files/conference/woot15/woot15-paper-foster.pdf

More Android Vulnerabilities
-https://www.usenix.org/conference/woot15/workshop-program/presentation/peles

Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/August+2015+Microsoft+Patch+Tuesday/20023/

Adobe Flash Player Update
-https://isc.sans.edu/forums/diary/More+patch+tuesday+adobe+released+security+upd
ate+for+adobe+flash+player/20025/

Oracle CISO Blog Post
-http://motherboard.vice.com/read/oracles-cybersecurity-czar-we-can-find-our-own-
bugs-thanks

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/