SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #72

September 15, 2015

A nice opportunity to help the security community recognize unsung heroes of cybersecurity - inside your own organization - so others may learn from their successes. Please nominate people and teams for the 2015 Security Difference Makers Awards. They will be recognized on December 15 in Washington, DC. Pick people who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by using security controls and processes to enable new business success. Send nominations to trends@sans.org. Deadline: October 9. Full details on how to nominate at http://www.sans.org/cyber-innovation-awards

Alan

---

TOP OF THE NEWS

OMB Draft Guidance on Federal Contractor Cybersecurity is Lenient and Vague (and Counterproductive)
FireEye Obtains Injunction to Prevent Disclosure of Vulnerability Details
Insurance Companies Could Help Companies Improve Cybersecurity

THE REST OF THE WEEK'S NEWS

US Voting Machine Woes
Intel Automotive Review Board
Yokogawa Releases Fixes for Flaws in Network Products
Defendants Will Pay US $30 Million to Settle Insider Trading Charges
Justice Department Shutters ShareBeast Filesharing Site
Federal Prosecutors Drop Espionage Charges Against Physics Professor
New Hampshire Library Suspends Tor Relay
CVS Confirms Online Photo Service Breach
Australian High School Students Allegedly Accessed Database and Changed Grades

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************** Sponsored By Trend Micro Inc. *************************

Trend Micro and ClearSky researchers collaborated on an updated report of the Rocket Kitten threat actor group who has been targeting Middle Eastern targets in a likely political cyber espionage campaign. Read the details of how this campaign is playing out.
http://www.sans.org/info/180227

**************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015| Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit | Dallas, TX | September 21-26, 2015 | Data Breach Investigation Summit and Training Dallas. TX September 21-26 4 courses
http://www.sans.org/u/7QM

- --SANS Baltimore 2015| Baltimore, MD | Sept. 21-26 |4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

OMB Draft Guidance on Federal Contractor Cybersecurity is Lenient and Vague (and Counterproductive) (September 14, 2015)

The US Office of management and Budget's draft guidance on cybersecurity for federal contractors is facing criticism for being too lenient and too vague. In a letter responding to the draft, the US Chamber of Commerce wrote, "The guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats." And the US Professional Services Council called the guidance "too little, too late, and too flexible."
-http://www.federaltimes.com/story/government/cybersecurity/2015/09/14/psc-cybers
ecurity-contract-guidance/72261358/
-http://thehill.com/policy/cybersecurity/253363-chamber-pushes-back-on-cyber-rule
s-for-contractors
-http://www.welivesecurity.com/2015/09/10/aggressive-android-ransomware-spreading
-in-the-usa/
[Editor's Note (Pescatore): The proposed OMB guidance largely tries to make federal contractors do security the way the government does it, vs. try to raise the bar for the security of the products and services the government buys. The CIO and CAO Councils should have looked at best practices in private industry for securing their supply chains vs. just trying to insert certification/accreditation-like terminology into contract language. (Paller): To force contractors to do the wrong thing (replicating the terrible FISMA/NIST/DOD C&A error that the Chairman of the Senate Homeland Security Committee called a complete waste) borders on criminal negligence and requires rapidly replacing the people responsible. ]

FireEye Obtains Injunction to Prevent Disclosure of Vulnerability Details (September 11, 2015)

Security firm FireEye has reportedly obtained an injunction preventing another security firm, ERNW, from disclosing information about five vulnerabilities in a FireEye product. Earlier this summer, FireEye learned that ERNW planned to release its findings about the flaws, which have since been patched. FireEye says it does not object to the vulnerabilities being disclosed, but felt that the ERNW report included details about the flaws that exposed FireEye intellectual property.
-http://www.wired.com/2015/09/fireeye-enrw-injunction-bizarre-twist-in-the-debate
-over-vulnerability-disclosures/
-http://www.scmagazine.com/fireeye-obtains-injunction-over-security-firms-vulnera
bility-disclosure/article/438201/
-http://arstechnica.com/security/2015/09/security-company-sues-to-bar-disclosure-
related-to-its-own-flaws/

Insurance Companies Could Help Companies Improve Cybersecurity (September 10, 2015)

Deputy US Treasury Secretary Sarah Bloom Raskin said that insurance companies could encourage companies to improve their cybersecurity stance. While legislators are having a difficult time passing cybersecurity legislation, insurance companies could change the way companies think about cybersecurity through questions asked in the underwriting process. Companies would find the incentive to improve their security to obtain lower insurance rates.
-https://www.washingtonpost.com/world/national-security/insurance-requirements-ca
n-drive-stronger-cybersecurity-treasury-official-says/2015/09/10/823c923c-57e3-1
1e5-8bb1-b488d231bba2_story.html
[Editor's Note (Honan): Cybersecurity insurance will not prevent security breaches from happening, similar to how house insurance does not prevent fires or burglaries. Companies still need to ensure they select the appropriate levels of security for their business and not just to satisfy their insurance company requirements. The key value I see insurance companies bringing to information security is effective risk management methodologies and techniques. ]

---

**************************** SPONSORED LINKS ******************************
1) Free Download - SANS Survey: Maturing and Specializing: Incident Response Capabilities Needed: Here you go! http://www.sans.org/info/180232

2) Learn what it takes to build a successful threat intelligence program from real-world examples. Live webinar featuring Solutionary, a leading MSSP, on Wednesday, September 16 at 2:00 PM ET. Register now: http://www.sans.org/info/180237

3) Critical Security Controls Update: How to Keep Pace with Advanced Endpoint Threats. Wednesday, September 16 at 1:00 PM EDT (17:00:00 UTC) featuring John Pescatore and Hermes Bojaxhi. http://www.sans.org/info/180242
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US Voting Machine Woes (September 15, 2015)

The majority of US states use electronic voting systems that are at least 10 years old, according to a report from the Brennan Center for Justice at the New York University School of Law. Not only are the systems out of step with the latest technological advances, but there are also reports of equipment degradation and unreliability. Many of the machines are running versions of Windows XP, and some machine manufacturers are no longer in business.
-http://www.wired.com/2015/09/dismal-state-americas-decade-old-voting-machines/
[Editor's Comment (Northcutt): And this is a surprise because?
-http://www.npr.org/sections/itsallpolitics/2015/04/16/399986331/hacked-touchscre
en-voting-machine-raises-questions-about-election-security
-https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-m
achine-in-the-us/
-http://www.reuters.com/article/2014/11/05/us-usa-elections-irregularities-idUSKB
N0IP06M20141105
-http://www.sanluisobispo.com/2015/09/14/3807301/voting-machine-study-finds-probl
ems.html
We have reported on this problem year after year in NewsBites. There is no limit to the amount of evidence that officials in trusted positions have ignored so they could err again and again when there was plenty of data saying we could not entrust democracy to flawed technology. If you know of serious researchers addressing this problem, will you introduce me? Stephen@sans.edu ]

Intel Automotive Review Board (September 14, 2015)

Intel is creating a task force to address cybersecurity issues in the automotive industry. The Automotive Security Review Board (ASRB) will comprise researchers from vendors from around the world who "will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cybersecurity solutions" to issues facing vehicle manufacturers and drivers.
-http://www.eweek.com/security/intel-announces-automotive-security-review-board.h
tml
-http://www.nbcnews.com/tech/security/intel-forms-panel-fight-against-car-hackers
-n427136

Yokogawa Releases Fixes for Flaws in Network Products (September 14, 2015)

Yokogawa has disclosed vulnerabilities that affect 21 of industrial networking products. According to an ICS-CERT advisory, Yokogawa has made "product revisions" available for its products that are affected by the stack-based buffer overflow vulnerabilities. The flaws could be exploited to create denial-of-service conditions.
-http://www.theregister.co.uk/2015/09/14/yokogawa_patches_widespread_scada_vulner
ability/
-http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm
-http://www.yokogawa.com/dcs/security/ysar/YSAR-15-0003E.pdf
[Editor's Note (Cornelius): The statement "Industrial systems that are properly isolated from the Internet aren't at risk" simply isn't true. While it is true that a system which is isolated is not at risk to an attack launched directly from the internet, it is still susceptible to many other infection vectors such as compromised integrator laptops and removable media. Furthermore, perpetuating the belief that isolation alone is enough to protect these systems leads the asset owner/operator to the wrong conclusion that if their system is not connected to the internet, there is no need for them to patch. ]

Defendants Will Pay US $30 Million to Settle Insider Trading Charges (September 14, 2015)

Two defendants will pay the US Securities and Exchange Commission (SEC) US $30 million to settle civil insider trading charges against them. The case involves a scheme in which business press releases stolen prior to their release were sold and the information used to make illegal, profitable trades. There are 30 other defendants named in the case.
-http://www.reuters.com/article/2015/09/14/us-cybersecurity-hacking-sec-settlemen
t-idUSKCN0RE1YE20150914
-http://www.computerworld.com/article/2983807/cybercrime-hacking/traders-pay-30m-
to-settle-newswire-hacking-case.html

Justice Department Shutters ShareBeast Filesharing Site (September 13 & 14, 2015)

The US government has shut down the ShareBeast filesharing service along with the albumjams website. The Department of Justice (DoJ) seized the domain on Friday, September 11. According to the FBI, ShareBeast was the largest US-based filesharing site.
-http://arstechnica.com/tech-policy/2015/09/sharebeast-the-largest-us-based-files
haring-service-has-its-domain-seized/
-http://www.scmagazine.com/doj-shuts-down-sharebeast-sister-site/article/438335/

Federal Prosecutors Drop Espionage Charges Against Physics Professor (September 11 & 12, 2015)

The US Justice Department has dropped charges against Temple University Physics department chairman Xi Xiaoxing. Xi was arrested earlier this year for allegedly sharing sensitive US technology with China. Months later, independent experts found that the plans that Xi had shared were not for the technology the DoJ believed they were for.
-http://mobile.nytimes.com/2015/09/12/us/politics/us-drops-charges-that-professor
-shared-technology-with-china.html?referrer&_r=0
-http://thehill.com/policy/technology/253485-feds-drop-espionage-charges-against-
physics-professor

New Hampshire Library Suspends Tor Relay (September 11, 2015)

The Kilton Public Library in Lebanon, New Hampshire library was selected as a pilot location for a Tor relay program organized by the Library Freedom project and The Tor Project. Shortly after the library announced its participation in the program, the US Department of Homeland Security (DHS) contacted the town's police department. When the police voiced concerns about Tor to the library board, they suspended the library's participation in the program. The board will vote on September 15 whether or not to restart participation.
-http://arstechnica.com/tech-policy/2015/09/first-library-to-support-anonymous-in
ternet-browsing-effort-stops-after-dhs-e-mail/
-https://www.eff.org/deeplinks/2015/09/library-suspends-tor-node-after-dhs-intimi
dation

CVS Confirms Online Photo Service Breach (September 11, 2015)

CVS has confirmed that the company that operates their online photo services website was breached, possibly compromising customer data. The website has been unavailable since mid-July. Other companies' sites were affected as well. The company at which systems were breached is PNI Digital Media.
-http://www.nbcnews.com/tech/security/cvs-alerts-photo-site-users-after-confirmin
g-july-data-breach-n426126

Australian High School Students Allegedly Accessed Database and Changed Grades (September 10 & 11, 2015)

Several Australian high school students allegedly accessed their school's computer system using a teacher's access credentials. The students, who attend Penrith High School New South Wales, allegedly changed their grades in a database.
-http://www.zdnet.com/article/western-sydney-students-access-department-computer-
system/
-http://www.dailymail.co.uk/news/article-3229485/Students-Sydney-school-hack-comp
uter-alter-HSC-grades.html

---

STORM CENTER TECH CORNER

Wordpress Plugin Playground
-https://isc.sans.edu/forums/diary/The+Wordpress+Plugins+Playground/20147

VWWorks Vulnerabilities
-http://www.slideshare.net/44Con/44con-london-attacking-vxworks-from-stone-age-to
-interstellar

Apple Addresses Privacy Concerns Around Hey Siri and Live Photos
-http://techcrunch.com/2015/09/11/apple-addresses-privacy-questions-about-hey-sir
i-and-live-photo-features/#.5rs2a1:OYAe

Tracking Bluetooth Skimmers In Mexico
-http://krebsonsecurity.com/2015/09/tracking-bluetooth-skimmers-in-mexico-part-ii
/

Feeding OSSEC Logs To DShield
-https://isc.sans.edu/forums/diary/Feeding+DShield+with+OSSEC+Logs/20141/

Low Patch Rate for Mobile Devices
-https://www.duosecurity.com/blog/identifying-bad-apples-getting-to-the-core-of-i
os-vulnerabilities

PW URL Spam and Certifiate Revocation for .pw domains
-http://www.symantec.com/connect/blogs/rise-pw-urls-spam-messages
-http://colin.keigher.ca/2015/09/geotrustsymantec-has-revoked-all-ssl.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/