
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #69

September 04, 2015

TOP OF THE NEWS

State Dept. Wants Cybersecurity Playbooks
US Justice Department Tightens Stingray Rules

THE REST OF THE WEEK'S NEWS

Chrome Updated to Version 45
Former Tesla Employee Arrested for Allegedly Breaking Into Boss's eMail
Chrysler Criticized for Mailing USBs to Patch Car Computers
Dumping the RC4 Cryptographic Standard
Baby Monitors Not Secure
Sony Reaches Settlement with Former Employees
Android Ransomware Communicates Through XMPP
Shifu Trojan Targeting Japanese Banks
More Wireless Router Vulnerabilities

STORM CENTER TECH CORNER


************************ Sponsored By Splunk ***************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/179930

***************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | 36 courses | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured.
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit and Training | Dallas, TX | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7QM

- --SANS Baltimore 2015 | Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | October 12-17, 2015 | 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

State Dept. Wants Cybersecurity Playbooks (September 3, 2015)

The US State Department is seeking information from industry experts to develop cybersecurity playbooks - "to clearly guide both offensive cyber operations and responses to cyberattacks." The agency is offering a one-year paid contract for playbooks "suitable to provide clear direction and guidance for actionable information security operation activities." Proposals will be accepted until September 11, 2015.
-http://www.nextgov.com/cybersecurity/2015/09/state-department-wants-compile-cybersecurity-playbooks/120251/?oref=ng-channeltopstory

-https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=3d261056605769776902aa83210a9d81&_cview=0

[Editor's Note (Paller): The most important characteristic of a playbook - in fact the one thing that determines its value - is a set of reliable and measurable indicators of performance on a key success factor. IOW if the playbook works, what is the measurable security improvement that we get. Substantial amounts of money have been wasted paying federal contractors to deliver their "methodologies" when they have no reliable evidence that the implementation actually reduces risk. A hint for the contracting officers at State - if the bidder cannot demonstrate that their proposed playbook has been implemented at scale and is reliably delivering measurable improvements on key success factors, say "thank you" and walk away. A parallel effort is being undertaken by a consortium of large Silicon Valley tech companies that are using key success factors like "percent of vulnerabilities corrected on time," "percent of all intrusions detected within 24 hours" and similar ones. State should have equally solid measures of success. (Pescatore): Odd to see State Department mention "offensive cyber operations," but they only mention it once and not at all in the list of "playbooks" they are contemplating - which is a good thing. They are using the term "playbook" much more broadly than typical use in incident response or compromise hunting. They have chosen a good list of areas that align with and extend the Critical Security Controls. In light of recent events, State Department should probably add "Bring Your Own Device/Choose Your Own IT" to the list... ]

US Justice Department Tightens Stingray Rules (September 3, 2015)

The US Justice Department (DOJ) has published a new policy regarding its use of cell-site simulator devices commonly known as Stingrays. Government agents will need to obtain a warrant before using the technology to locate mobile devices. They will be prohibited from gathering communication content, including pictures, and must regularly purge the data they do collect.
-http://thehill.com/policy/national-security/252730-doj-will-demand-warrants-for-cell-spying-tech

-http://www.computerworld.com/article/2980325/data-privacy/doj-tightens-policies-on-use-of-simulated-cells-for-surveillance.html

-http://www.wired.com/2015/09/feds-need-warrant-spy-stingrays-now/
-http://arstechnica.com/tech-policy/2015/09/fbi-dea-and-others-will-now-have-to-get-a-warrant-to-use-stingrays/

DOJ Policy Guidance:
-https://www.documentcloud.org/documents/2332879-doj-cell-site-simulator-policy-9-3-15.html



**************************** SPONSORED LINKS ******************************
1) What Works in Reducing Web Application Vulnerabilities: Using WhiteHat Sentinel to Increase Application Security Before and After Production Deployment. Thursday, September 10 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore. http://www.sans.org/info/179935

2) Turn on the Lights! Case Studies of Malware in Memory: Tuesday, September 15 at 3:30 PM EDT (19:30:00 UTC) Tyler Halfpop. http://www.sans.org/info/179940

3) Threats in the Unknown: Applied intelligence-driven approaches to real-time threat detection. Thursday, September 17 at 1:00 PM EDT (17:00:00 UTC) with Jasper Graham. http://www.sans.org/info/179945
***************************************************************************

THE REST OF THE WEEK'S NEWS

Chrome Updated to Version 45 (September 3, 2015)

Google has updated its Chrome browser to version 45, addressing nearly 30 vulnerabilities. The latest version of Chrome is available for Windows, Mac, and Linux.
-http://www.zdnet.com/article/google-patches-29-vulnerabilities-in-latest-chrome-release/

-http://www.zdnet.com/article/chrome-45-frees-up-memory-faster-reloads-most-recently-used-content/

Former Tesla Employee Arrested for Allegedly Breaking Into Boss's eMail (September 3, 2015)

A man once employed by Tesla as a mechanical engineer could face up to six years in prison for allegedly breaking into his boss's email account and stealing information. Nima Kalbasi allegedly accessed the account, obtained employee evaluations and shared that information with others. Kalbasi also allegedly accessed a customer complaint report and posted it online. He was arrested in August and has been charged with felony computer intrusion.
-http://www.computerworld.com/article/2980361/technology-law-regulation/ex-tesla-engineer-could-face-prison-for-email-hack.html

Chrysler Criticized for Mailing USBs to Patch Car Computers (September 3, 2015)

Chrysler has mailed out more than one million USBs, instructing customers to insert them into their car's computer to fix a series of vulnerabilities that could otherwise endanger their safety. While mailing the drives is the fastest way to get the fix to the greatest number of customers, critics say that it reinforces behavior that could be risky; users are often warned not to use USB drives distributed by strangers or found in a parking lot.
-http://www.wired.com/2015/09/chrysler-gets-flak-patching-hack-via-mailed-usb/

Dumping the RC4 Cryptographic Standard (September 2, 2015)

Microsoft, Google, and Mozilla have said that their browsers will no longer support the nearly 30-year-old RC4 cryptographic standard as of early 2016. Recent attacks have demonstrated that RC4 can be broken within days or even hours. The Internet Engineering Task Force banned its use in TLS negotiations earlier this year. RC4 was designed in 1987.
-http://www.scmagazine.com/aged-rc4-cipher-to-be-shunned-by-security-conscious-browsers/article/436521/

-http://www.informationweek.com/software/enterprise-applications/microsoft-google-mozilla-abandon-rc4-cryptographic-standard/a/d-id/1322032

Baby Monitors Not Secure (September 2 & 3, 2015)

According to a study from Rapid7, several Internet-connected baby monitors lack basic security. Some of the monitors do not encrypt their data streams, and some use unchangeable administrator passwords, which are easy to obtain. Because the monitors are Internet-connected, once compromised, they could be used to jump to other devices on the same network.
-http://thehill.com/policy/cybersecurity/252545-study-some-web-connected-baby-monitors-vulnerable-to-hackers

-http://www.theregister.co.uk/2015/09/03/baby_monitors_insecure_internet_things/
-http://www.zdnet.com/article/security-vulnerability-flaw-internet-things-baby-monitors/

-https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Sony Reaches Settlement with Former Employees (September 2, 2015)

Sony has arrived at a settlement with employees who sued the company after their personal information was stolen in a breach last year. The terms of the settlement were not disclosed, and a court must still approve it before it becomes official.
-http://www.cnet.com/news/sony-pictures-reaches-settlement-with-ex-employees-over-hacking/

Android Ransomware Communicates Through XMPP (September 2, 2015)

Ransomware called Simplocker targets Android devices by pretending to be a legitimate version of Flash or of a video player in app stores. The malware encrypts the smartphone's contents. Some victims get a message telling them they must pay the NSA a fine if they want their files back. Simplocker uses Extensible Messaging and Presence Protocol (XMPP) to communicate with its creators; because the communication looks like normal instant messaging traffic, it is more difficult for security tools to detect.
-http://arstechnica.com/security/2015/09/android-ransomware-uses-xmpp-chat-to-call-home-and-claims-its-from-nsa/

Shifu Trojan Targeting Japanese Banks (September 1 & 2, 2015)

A banking Trojan called Shifu pulls together tricks from several other pieces of malware. The malware is capable of stealing not only account usernames and passwords but also private certificates and external authentication tokens. It can also steal funds from cryptocurrency wallets and information from smartcard readers attached to compromised devices; and if it detects that it has access to a point-of-sale system, it can steal payment card data as well.
-http://www.darkreading.com/vulnerabilities---threats/new-shifu-banking-trojan-an-uber-patchwork-of-malware-tools/d/d-id/1322039?

-http://www.scmagazine.com/shifu-trojan-now-striking-14-japanese-banks-ibm/article/435918/

More Wireless Router Vulnerabilities (September 1 & 2, 2015)

CERT/CC has released a vulnerability note warning of multiple security issues in a Belkin wireless router. The flaws affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v.2 with firmware version 2.10.17 and possibly earlier. The vulnerabilities could be exploited to conduct man-in-the-middle attacks and cross-site request forgeries. There are currently no fixes available. Until updates are available, CERT/CC recommends that users restrict access and use strong passwords.
-http://www.kb.cert.org/vuls/id/201168
-http://www.scmagazine.com/belkin-wi-fi-routers-at-risk-from-multiple-vulnerabilities/article/436496/

-http://www.theregister.co.uk/2015/09/02/sohopeless_belkin_router_redirection_zero_day/


STORM CENTER TECH CORNER

Importing DShield Data into RTIR
-https://isc.sans.edu/forums/diary/Querying+the+DShield+API+from+RTIR/20113/

Browsers To Stop RC4 Support Early Next Year
-http://www.infoworld.com/article/2979527/security/google-mozilla-microsoft-browsers-dump-rc4-encryption.html

Android Malware Using XMPP
-http://blog.checkpoint.com/2015/08/31/global-xmpp-android-ransomware-campaign-hits-tens-of-thousands-of-devices/

Securing The Human Newsletter: Two-Step Verification
-http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201509_en.pdf

Dr. Web Using "Fake Files" to Test Competitors
-http://krebsonsecurity.com/2015/09/like-kaspersky-russian-antivirus-firm-dr-web-tested-rivals/

VICE Journalists Detained in Turkey For Use of Encryption
-http://www.aljazeera.com/news/2015/09/vice-news-fixer-arrested-encryption-software-150901200622345.html

Compression Bomb PNG File
-https://www.bamsoftware.com/hacks/deflate.html

How To Hack ...
-https://isc.sans.edu/forums/diary/How+to+hack/20093/

Xen DoS Attack on ARM
-http://xenbits.xen.org/xsa/advisory-141.html

Microsoft Backports User Tracking To Windows 7 and 8
-http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

New Malware Taking Advantage of Mac DYLD_PRINT_TO_FILE Vulnerability
-https://blog.malwarebytes.org/mac/2015/08/genieo-installer-tricks-keychain/

More Malware Preinstalled on Android Devices
-https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/