SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #75

September 25, 2015

TOP OF THE NEWS

Rules for Cyber Warfare?
Apple Removes Infected Apps from App Store
Malware on Apps in Google Play Store
WordPress Sites Infected with Malware

THE REST OF THE WEEK'S NEWS

DHS CISO Says Employees Who Fall for Phishing Should Lose Security Clearances
Symantec Fires Employees Over Release of Phony Google Certificate
D-Link Inadvertently Publishes Security Key
Google Will Disable Support for SSLv3 and RC4
Indian Government's Draft Encryption Policy Faces Criticism
Adobe Patches Flash
Volkswagen Software Programmed to Cheat on Emissions Tests
AT&T Sues Former Employees for Participation in Scheme to Unlock Phones
Twitter t.co Will Move to HTTPS Next Month
California County Announces Cell-Site Simulator Use Policy
Most Rail Lines Will Not Meet Train Safety Technology Deadline

STORM CENTER TECH CORNER


********************** Sponsored By Sophos, Inc. *************************

Dance like no one's watching. Encrypt like everyone is! You know you have sensitive data, but what's the best way to go about protecting it? To help you get started we've put together a straightforward encryption guide that you don't need an Enigma machine to decipher. Download Whitepaper: http://www.sans.org/info/180332

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit | Dallas, TX | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7QM

- --SANS Baltimore 2015 | Baltimore, MD | Sept. 21-26 | 4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17 | 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17 | 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Rules for Cyber Warfare? (September 18, 2015)

Speaking at a cybersecurity summit last week, US Defense Department CIO Terry Halvorsen voiced the need for international "rules of engagement" for cyber warfare. At a recent House Intelligence Committee meeting, Representative Jim Himes (D-Connecticut) said, "We don't know what constitutes an act of war, ... what the line is between crime and warfare." He called for "the establishment of some rules of the road internationally on how warfare and crime is conducted in the cyber realm." It is unclear who would be responsible for establishing those rules.
-http://thehill.com/policy/cybersecurity/254206-dod-official-calls-for-cyber-rules-of-engagement

Apple Removes Infected Apps from App Store (September 20 and 21, 2015)

Apple has acknowledged that malware known as XcodeGhost was found in at least 39 apps sold in its official App Store. The infected apps were built with a malicious version of Apple's Xcode software developer toolkit that was made available on third-party servers. The altered Xcode program generated a warning that it was "damaged" and should be moved to the trash; developers would have had to ignore that warning. Apple is working with developers to make sure they are using a clean version of Xcode, and has begun removing the infected apps from its store.
-http://techcrunch.com/2015/09/21/apple-confirms-malware-infected-apps-found-and-removed-from-its-chinese-app-store/

-http://www.zdnet.com/article/apple-combats-cyberattack-begins-ios-app-store-scrub/

-http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/

-https://www.washingtonpost.com/news/the-switch/wp/2015/09/21/apples-app-store-was-infected-with-malware-from-china/

-http://www.csmonitor.com/Technology/2015/0921/Hackers-embed-malicious-code-in-Apple-apps-from-China

-http://www.zdnet.com/article/how-malware-finally-infected-apple-ios-apps-xcodeghost/

-http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

[Guest Editor Comment (Lee Neely, Lawrence Livermore): This malware made it into the Apple App Store due to social engineering of developers, and a shortfall of Apple's code review process. When you own the compiler/IDE, you own the apps created with it. To date, there are no reports of Apple using their "big brother"-like capability of uninstalling the malicious applications from devices in the field. Developers are releasing updated, clean versions of their apps. The best fix, if one of your apps is listed, is to uninstall it. Apps that have not been updated and are removed from the App Store will not be uninstalled.
-http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/
-http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

-http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

-http://drops.wooyun.org/papers/9024
-http://philipcao.com/2015/09/19/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/

(Pescatore): This item, and the Google Play malware item that follows, point out that (a) whitelists (which is what app stores are) are far from perfect but (b) boy, they are phenomenally effective in exponentially reducing the actual damage from malicious apps and (c) when done *well* they do *not* interfere with legitimate business and users *do not* constantly complain. (Honan): It is concerning that so many developers included code from untrusted and unverified sources. This is a good example of why implementing secure coding practices is so important in companies, including controls over what third-party apps and code can be included in your own code. ]

Malware on Apps in Google Play Store (September 21, 2015)

Malware hidden in a game has made its way into the Google Play store twice within the past few weeks. Each game had between 100,000 and half a million downloads. The malware hides in a game for Android called Brain Test. It manages to bypass Google Bouncer, the store's app vetting system. The first version of Brain Test was taken down on August 24; the second on September 15.
-http://www.scmagazine.com/advanced-malware-gets-into-google-play-store-twice-possibly-1m-downloads/article/439803/

WordPress Sites Infected with Malware (September 17 and 18, 2015)

An attack against WordPress has compromised thousands of websites; the malware placed on those sites redirects site visitors to a page containing the Nuclear Exploit Kit. The kit scans the user's computer for unpatched flaws that it can exploit.
-http://www.zdnet.com/article/active-wordpress-malware-campaign-compromises-thousands-of-websites/

-http://arstechnica.com/security/2015/09/active-malware-campaign-uses-thousands-of-wordpress-sites-to-infect-visitors/



**************************** SPONSORED LINKS ******************************
1) Free Download - SANS Survey: Maturing and Specializing: Incident Response Capabilities Needed: Here you go! http://www.sans.org/info/180337

2) Dance like no one's watching. Encrypt like everyone is! http://www.sans.org/info/180342

3) Learn how to improve your incident response capabilities. Thursdays @11am ET. http://www.sans.org/info/180347
***************************************************************************

THE REST OF THE WEEK'S NEWS

DHS CISO Says Employees Who Fall for Phishing Should Lose Security Clearances (September 18 and 21, 2015)

US Department of Homeland Security CISO Paul Beckman says that employees who repeatedly fall for phishing attempts, whether real or orchestrated as a test, should lose their security clearances. He noted that people keep falling for the phishing attempts because there have been no negative consequences for them personally.
-http://arstechnica.com/security/2015/09/dhs-infosec-chief-we-should-pull-clearance-of-feds-who-fail-phish-test/

-http://www.nextgov.com/cybersecurity/2015/09/if-you-fall-phishing-scam-should-you-lose-your-security-clearance/121427/?oref=ng-HPtopstory

[Editor's Note (Pescatore): Assuming reasonable efforts have been made to reduce the amount of spam and obvious phishing that reaches the end user, and that some level of user education has been done, there should be consequences for repeat offenders. Losing Internet access might be a better first step for some but yanking access to classified systems is not a bad idea. ]

Symantec Fires Employees Over Release of Phony Google Certificate (September 21, 2015)

Symantec has fired several employees after phony Google certificates were issued as part of an internal testing process; at least one of those certificates has been used in the wild. The phony certificates were issued by the Certificate Authority (CA) Thawte, a Symantec subsidiary. They were issued for three Google domains, though they had not been requested. Google has blacklisted the certificates.
-http://www.v3.co.uk/v3-uk/news/2426850/symantec-fires-employees-for-issuing-rogue-google-security-certificates

-http://www.theregister.co.uk/2015/09/21/symantec_fires_workers_over_rogue_certs/
-http://arstechnica.com/security/2015/09/symantec-employees-fired-for-issuing-rogue-https-certificate-for-google/

-http://googleonlinesecurity.blogspot.ro/2015/09/improved-digital-certificate-security.html

D-Link Inadvertently Publishes Security Key (September 18 and 21, 2015)

Developers at D-Link published a private cryptography key. Anyone in possession of the key could use it to issue what would appear to be legitimate Windows software. The key was published in February and expired earlier this month, but "the key is accepted by Microsoft Windows code-signing requirements and appears to be accepted by Apple's OS X as well" giving criminals more months to use it to spread malware.
-http://arstechnica.com/security/2015/09/in-blunder-threatening-windows-users-d-link-publishes-code-signing-key/

-http://www.scmagazineuk.com/leaked-d-link-security-key-allows-hackers-to-disguise-malware-as-legit/article/439664/

Google Will Disable Support for SSLv3 and RC4 (September 17 and 21, 2015)

Google plans to disable support for Secure Sockets Layer version 3 (SSLv3) and the Rivest Cipher 4 (RC4) stream cipher. Google will start by disabling SSLv3 and RC4 on its front-end servers, and eventually remove support for them from its products.
-http://www.scmagazine.com/google-phasing-out-support-for-sslv3-rc4/article/439799/

-http://googleonlinesecurity.blogspot.com/2015/09/disabling-sslv3-and-rc4.html
[Editor's Comment (Pescatore): While this may cause some minor disruption, the security gain is worth it. The IETF has said "stop using SSL 3 and RC4, it is long past time to do so." (Northcutt): Yayy Google. Disablessl3 is your one stop shop for doing just that:
-http://disablessl3.com]
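The change Google describes, dropping SSLv3 and RC4 at the TLS front end, is a small server-side configuration change. The following is an added example for an nginx front end, not taken from the article or from Google; it shows the weak setting beside the corrected one, and the hostname and certificate paths are placeholders.

```nginx
# Added example (not from the article): nginx TLS front-end settings.
# BEFORE: still offers SSLv3 and an RC4 cipher suite to old clients.
server {
    listen 443 ssl;
    server_name www.example.com;                # placeholder hostname
    ssl_certificate     /etc/ssl/example.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   'HIGH:RC4-SHA:!aNULL:!MD5';
}

# AFTER: SSLv3 removed from the protocol list, RC4 excluded from the
# cipher list, and the server's preference order enforced so a client
# cannot steer the negotiation toward a weaker suite.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers   'HIGH:!aNULL:!MD5:!RC4';
}
```

After reloading, confirm from the outside with a scanner such as the testssl.sh referenced in the Storm Center section, or with `openssl s_client -connect www.example.com:443 -cipher RC4`, which should now fail to negotiate.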

Indian Government's Draft Encryption Policy Faces Criticism (September 20 and 21, 2015)

The Indian government's proposed National Encryption Policy would require companies using encryption there to keep data in plain text for 90 days. Companies outside of India that use encryption and want to do business in the country would have to provide the government with the cryptographic software, testing suites, and documentation for approval. Pranesh Prakash, policy director for the Centre for Internet & Society in Bengaluru, called the draft policy a "bad idea conceived by people who do not understand encryption." Public comment on the draft closes on October 16, 2015.
-http://www.theregister.co.uk/2015/09/21/indias_proposed_rules_on_encryption/
-http://timesofindia.indiatimes.com/tech/tech-news/Draft-National-Encryption-Policy-put-up-online-for-public-comment-experts-worried/articleshow/49029863.cms?

Adobe Patches Flash (September 21, 2015)

Adobe has released updates for its Flash Player browser plug-in to address 23 vulnerabilities. Eighteen of the flaws could be exploited to execute malicious code on vulnerable systems. Windows and Mac users should update to Flash Player version 19.0.0.185; Linux users should update to Flash Player version 11.2.202.521. Google and Microsoft will automatically push out updates for the plug-in in Chrome, Microsoft Edge, and Internet Explorer 10 and 11.
-http://krebsonsecurity.com/2015/09/adobe-flash-patch-plus-shockwave-shocker/
-http://www.computerworld.com/article/2985152/application-security/adobe-updates-flash-player-to-patch-23-flaws.html

Volkswagen Software Programmed to Cheat on Emissions Tests (September 18, 19, and 20, 2015)

Volkswagen has admitted that diesel vehicles sold in the US contained software that altered engine behavior during emissions tests. The "defeat device" enables full pollution controls during official emissions tests, but pulls back on the controls during regular driving. While not running in emissions mode, the vehicles emit between 10 and 40 times the legal limits of pollutants. The US Environmental Protection Agency (EPA) made the allegations last week and said that Volkswagen faces up to US $18 billion in fines. The EPA will order Volkswagen to recall 500,000 diesel-powered vehicles, including some Audis, but the recall will not be ordered until Volkswagen develops a plan for fixing the problem.
-https://bobsullivan.net/cybercrime/privacy/volkswagen-software-tricked-emissions-tests-feds-say-hacking-of-customers-is-the-real-problem/

-http://www.wired.com/2015/09/epa-opposes-rules-couldve-exposed-vws-cheating/
-http://www.bloomberg.com/news/articles/2015-09-20/vw-orders-investigation-into-deception-on-u-s-diesel-emissions

-http://arstechnica.com/tech-policy/2015/09/vw-scandal-highlights-irony-of-epa-opposition-to-vehicle-software-tinkering/

-http://www.nytimes.com/2015/09/22/business/the-wrath-of-volkswagens-drivers.html
-http://www.economist.com/news/business/21665198-recall-half-million-diesel-cars-will-prove-expensive-and-damaging-already-tricky

[Editor's Note (Assante): Computers don't deceive, people do. This is a great analog lesson for ICS security stakeholders. The computer in the vehicle was programmed to recognize specific conditions, and after doing so, re-configure pre-designed set points to achieve a desired effect (in this case meet emission standards). Attackers can implant or modify/take advantage of sensing and/or logic to determine when to act or flip back to known good settings if being queried or tested. Trusting a computer in an ICS that may have been compromised can be irresponsible. This is a very real dilemma for ICS owners and begs having access to the necessary skills to investigate intrusions. (Pescatore): In the physical world, most gas/petrol pumps are tested for accuracy - when they say a gallon/liter was pumped, did they really deliver that? Volkswagen's cheating shows that there needs to be much better testing of a lot of software that touches consumer and environmental areas. ]

AT&T Sues Former Employees for Participation in Scheme to Unlock Phones (September 18 and 21, 2015)

AT&T is suing three former customer support employees, alleging that they placed software on the company's networks that allowed people to unlock their phones. The scheme unlocked hundreds of thousands of phones between April and September 2013. The lawsuit also names Swift Unlocks, a company that unlocks phones for a fee, and developers who wrote the code.
-http://www.zdnet.com/article/at-t-files-lawsuit-against-former-employees-for-installing-malware-illegally-unlocking-phones/

-http://www.computerworld.com/article/2984863/smartphones/att-malware-secretly-unlocked-hundreds-of-thousands-of-phones.html

-http://www.cnet.com/news/at-t-sales-reps-accused-of-scheming-to-unlock-phones/
-http://arstechnica.com/tech-policy/2015/09/att-accuses-employees-of-using-malware-to-mass-unlock-phones/

Complaint:
-https://assets.documentcloud.org/documents/2427279/at-amp-t-unlock-lawsuit.pdf

Twitter t.co Will Move to HTTPS Next Month (September 18, 2015)

Starting on October 1, Twitter's t.co link shortener will use HTTPS URLs. The new practice will apply to new t.co links only.
-http://www.scmagazine.com/twitters-tco-shifts-to-https-in-october-new-links-only/article/439506/

-https://twittercommunity.com/t/moving-t-co-to-https-only-for-new-links/52380

California County Announces Cell-Site Simulator Use Policy (September 15 and 18, 2016)

The Sacramento County Sheriff's Department says it will obtain "judicial authorization" before using cell-site simulator technology often referred to as a Stingray. The SCSD's policy also automatically seals the applications for judicial authorization and calls for collected data to be purged after each use of the technology. Earlier this month, the US Department of Justice (DoJ) unveiled its policy regarding the technology, which requires law enforcement officials within its agencies to obtain a warrant prior to its use. The DoJ's policy does not affect other federal, state, or local law enforcement agencies.
-http://arstechnica.com/tech-policy/2015/09/sheriff-well-get-judicial-approval-not-a-warrant-when-using-stingray/

-http://www.sacsheriff.com/media/Release.aspx?id=1397

Most Rail Lines Will Not Meet Train Safety Technology Deadline (September 17, 2015)

Technology that may have prevented last spring's Amtrak derailment near Philadelphia is available, but most rail operators are unlikely to meet a December 31, 2015 deadline to deploy it. Positive train control (PTC) helps regulate train speeds based on a train's location and information from PTC equipment installed on or near the tracks. Just five railroads are on track to meet the end-of-year deadline. Most will miss it by at least a year, and some by as long as five years.
-https://www.washingtonpost.com/news/the-switch/wp/2015/09/17/the-country-is-horribly-behind-on-train-safety-gao-finds/


STORM CENTER TECH CORNER

A Day in the Life of a Pentester
-https://isc.sans.edu/forums/diary/A+day+in+the+life+of+a+pentester+or+is+my+job+is+too+sexy+for+me/20157/

Bugzilla Bug Exposes Private Vulnerabilities
-https://www.bugzilla.org/security/4.2.14/

More Cloud Sidechannel Attacks
-https://eprint.iacr.org/2015/898

Why is it hard to secure a phone's lock screen?
-http://blog.martin-graesslin.com/blog/2015/09/lock-screen-security-of-phones/

Malware Cheats At Poker
-http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/

Updated Version of testssl.sh
-https://isc.sans.edu/forums/diary/Using+testsslsh/20167/

Restricting Adobe PDF Reader to not Open non-PDF Attachments
-https://isc.sans.edu/forums/diary/Dont+launch+that+file+Adobe+Reader/20163/

Symantec Employee Fired Over Issuing Fake Google Certificate
-http://www.symantec.com/connect/blogs/tough-day-leaders
-http://googleonlinesecurity.blogspot.com/2015/09/improved-digital-certificate-security.html

AT&T Files Lawsuits Against Employees for Installing Malware
-http://www.zdnet.com/article/at-t-files-lawsuit-against-former-employees-for-installing-malware-illegally-unlocking-phones/

Apple Watch Update
-https://support.apple.com/en-us/HT205213

Adobe Flash Player Security Advisory
-https://helpx.adobe.com/security/products/flash-player/apsb15-23.html

Health Data Exposed On Amazon's Cloud Service
-http://www.theregister.co.uk/2015/09/21/amazon_medical_gaffe/


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/