SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #65

August 21, 2015

TOP OF THE NEWS

China Arrests 15,000 in Fight Against Cyber Crime
Hackers Release Data on Ashley Madison CEO and Corporate Secrets
Ashley Madison Data Theft Affects More than 30 Million Accounts

THE REST OF THE WEEK'S NEWS

Another Guilty Plea in Spam Case
Software Reduces Cyber Bullying
iOS Quicksand Flaw Exposes Enterprise Credentials
Law Firms Form ISAO
Former State Dept. Employee Faces Cyberstalking Allegations
Emergency Patch for Internet Explorer
Getting Rid of Booter Services

STORM CENTER TECH CORNER


******************* Sponsored By Trend Micro Inc. ***********************

Trend Micro has released a research paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems which takes a closer look at how and why supervisory control and data acquisition (SCADA) and ICS systems can be attractive and possibly profitable venues for attackers:
http://www.sans.org/info/179702

***************************************************************************
TRAINING UPDATE

- --SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N

- --SANS Virginia Beach 2015 | Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz

- --SANS Chicago 2015 | Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO

- -- SANS Baltimore 2015 | Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- -- SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- -- SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************

TOP OF THE NEWS

China Arrests 15,000 in Fight Against Cyber Crime (August 19, 2015)

Law enforcement authorities in China have arrested 15,000 people suspected of involvement in cyber crimes. Part of the government's "Operation Clean Internet," the six-month campaign began last month with goals of eliminating cyber criminal gangs and improving security.
-http://money.cnn.com/2015/08/19/news/china-cybercrime-arrests/index.html

Thieves Release Data on Ashley Madison CEO and Corporate Secrets (August 21, 2015)

The Ashley Madison thieves released a second, larger cache of data that includes emails from CEO Noel Biderman and source code for the website and applications. The thieves apparently were responding to a statement by Biderman that implied the previously released data may not have been real. They released a statement saying, "Hey Noel, you can admit it's real now."
-http://www.theguardian.com/technology/2015/aug/20/hackers-new-ashley-madison-data

Ashley Madison Data Theft Affects More than 30 Million Accounts (August 19 & 20, 2015)

The attack on the databases of the Ashley Madison website, which markets itself to people seeking extramarital affairs, affects more people than was first acknowledged. A new release of stolen information includes not only customer account information, but also source code for the website and emails from the account of the company's CEO.
-http://arstechnica.com/security/2015/08/ashley-madison-hack-is-not-only-real-its-worse-than-we-thought/

-http://www.forbes.com/sites/lisabrownlee/2015/08/20/second-new-alleged-ashley-madison-data-dump-confirmed/?ss=Security

-http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/


**************************** SPONSORED LINKS ******************************
1) What Works in Vulnerability Management: Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose Tuesday, September 08 at 1:00 PM EDT (17:00:00 UTC) featuring John Pescatore and Chris Prewitt. http://www.sans.org/info/179707

2) What Works in Reducing Web Application Vulnerabilities: Using WhiteHat Sentinel to Increase Application Security Before and After Production Deployment Thursday, September 10 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Demetrios Lazarikos. http://www.sans.org/info/179712

3) SIEM-plifying Security Monitoring: Making Sense of Security Intelligence Friday, August 28 at 1:00 PM EDT (17:00:00 UTC) with Dave Shackleford and Thomas D'Aquino. http://www.sans.org/info/179717
***************************************************************************

THE REST OF THE WEEK'S NEWS

Another Guilty Plea in Spam Case (August 20, 2015)

A third man has pleaded guilty to charges stemming from a scheme in which routers in developing countries were compromised and used to send spam to mobile phones. The group allegedly made several thousand dollars a week.
-http://thehill.com/policy/cybersecurity/251580-doj-scores-third-guilty-plea-following-elite-hacking-forum-takedown

Software Reduces Cyber Bullying (August 20, 2015)

A Chicago teenager has created software that helps reduce cyber bullying. Trisha Prabhu's ReThink software scans messages for language that could be hurtful and asks users if they are sure they want to post the message. In a test she ran at her school, Prabhu found that the warning significantly reduced students' decisions to post harmful messages. ReThink is scheduled to launch soon as an add-on for multiple Internet platforms.
-http://www.csmonitor.com/Technology/2015/0820/How-one-teen-s-app-could-stop-cyberbullying-at-its-source

[Editor's Note (Northcutt): It is a really interesting notion, to stop and ask someone to think before hitting send. How many of us can recall a time we left an email in the draft folder, came back to it, and chose to delete it? I bet that would be all of us. I really liked the TedX Teen talk:
-https://www.youtube.com/watch?v=YkzwHuf6C2U]

iOS Quicksand Flaw Exposes Enterprise Credentials (August 20, 2015)

A sandbox violation vulnerability known as Quicksand in Apple's iOS mobile operating system affects all mobile device management (MDM) clients as well as apps that use the managed app configuration setting. The issue is that enterprise credentials are being stored in an unprotected directory, where other apps on the device can read them. The issue is fixed in the most recent version of iOS, 8.4.1, but the update has not yet been widely applied.
-http://www.scmagazine.com/sandbox-violation-in-apples-ios-affects-mdm-users-could-enable-breaches/article/433917/

-http://www.theregister.co.uk/2015/08/21/apple_ios_mdm_vuln/

Law Firms Form ISAO (August 20, 2015)

US law firms have created the Legal Services Information Sharing and Analysis Organization (LS-ISAO). The financial industry's Financial Services Information Sharing and Analysis Center (FS-ISAC) is "providing LS-ISAO the infrastructure to disseminate and receive cybersecurity threat and vulnerability information."
-http://www.darkreading.com/perimeter/law-firms-form-their-own-threat-intel-sharing-group/d/d-id/1321846?

Former State Dept. Employee Faces Cyberstalking Allegations (August 20, 2015)

A former US State Department civilian employee allegedly broke into email, photo storage, and photo sharing accounts of female college students while employed at the US Embassy in London, UK. He then allegedly blackmailed the women, threatening to send their intimate photos to people they knew if the women did not send him more graphic pictures and videos.
-http://www.nextgov.com/cybersecurity/2015/08/state-employee-allegedly-cyberstalked-hundreds-coeds-embassy-computer/119280/?oref=ng-dropdown

Emergency Patch for Internet Explorer (August 18 & 19, 2015)

Microsoft has released an emergency patch to resolve a vulnerability in Internet Explorer (IE) that is being actively exploited. The flaw allows attackers to gain access to vulnerable machines with the same rights as the compromised user's account. The flaw, which affects all currently supported desktop versions of IE, lies in the way IE stores objects in memory.
-http://www.eweek.com/security/microsoft-patches-critical-ie-flaw-affecting-windows.html

-http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/
-http://www.v3.co.uk/v3-uk/news/2422664/microsoft-releases-critical-out-of-band-security-fix-for-internet-explorer

-https://technet.microsoft.com/library/security/MS15-093

Getting Rid of Booter Services (August 17 & 19, 2015)

PayPal and researchers have combined their efforts to take down accounts used in "booter" and "stresser" services, which charge people to "boot" others from online games or overwhelm websites with traffic. With help from researchers, PayPal has been able to identify the accounts used by these services and freeze them.
-http://krebsonsecurity.com/2015/08/stress-testing-the-booter-services-financially/

-http://www.bbc.com/news/technology-31603930

STORM CENTER TECH CORNER

Symantec Cloud Endpoint Protection Conflict with MS15-084
-https://isc.sans.edu/forums/diary/Microsoft+patch+tuesday+problem+with+Symantec+Cloud+Endpoint+protection/20037/

Android Multitasking Flaw
-https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ren-chuangang.pdf

Windows Relay Attack For Non-Local Systems
-http://www.csoonline.com/article/2966120/security/researchers-find-way-to-steal-windows-active-directory-credentials-from-the-internet.html#tk.rss_all

Akamai State of The Internet
-https://www.stateoftheinternet.com

Outsourcing Critical Infrastructure
-https://isc.sans.edu/forums/diary/Outsourcing+critical+infrastructure+such+as+DNS/20057/

Actor Switching from Angler EK to Neutrino
-https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/

Operations and Security of Owncloud
-https://www.thierfreund.de/operations-and-security-of-owncloud/

Belkin F9K1111 Router Firmware Analysis
-http://blog.vectranetworks.com/blog/belkin-analysis

Pentesting Active Directory: CrackMapExec
-https://github.com/byt3bl33d3r/CrackMapExec

Reversing Binaries: BinNavi
-https://github.com/google/binnavi

Special Microsoft Internet Explorer Patch
-https://isc.sans.edu/forums/diary/Microsoft+Security+Bulletin+MS15093+Critical+OOB+Internet+Explorer+RCE/20053/

More Android Media Handling Bugs
-http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/

BitTorrent Could Be Used for DDoS Attacks
-https://www.usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/