SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #77

October 02, 2015

There is far too much reported in the news about security failures -
it's time to see what we can learn from the successes. John Pescatore's
"2015 Difference Makers in Cybersecurity" awards are now open for
nominations. The invitation is at end of this newsletter.

---

TOP OF THE NEWS

US EMV Implementation is Chip-and-Signature, Not Chip-and-PIN
CIA Pulled Staff from Beijing After OPM Breach

THE REST OF THE WEEK'S NEWS

Patreon Data Leaked
Two New Stagefright Vulnerabilities
T-Mobile Customer Data Compromised in Experian Breach
Thai Single Gateway Plan Criticized
Virginia State Troopers Test Their Cars' Cybersecurity
Apple Releases Updates for OS X, iOS, and Safari
Dyreza Trojan Now Targets Industrial Supply Chain
Critical WinRAR Flaw Affects 500 Million Users
Prison Sentence for Distributing Citadel Malware
Unexpected Windows 7 Update Was Accidentally Published Test
Trump Hotels Suffer Breach

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

NOMINATIONS OPEN FOR 2015 CYBER DIFFERENCE MAKERS AWARDS

NOMINATIONS OPEN FOR 2015 CYBER DIFFERENCE MAKERS AWARDS

---

************************ Sponsored By BitSight ****************************

What Works for Fannie Mae's CISO to Assess/Monitor Third Party Cybersecurity with BitSight. Wednesday, October 07 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore and Christopher Porter. During this SANS What Works webinar, the CISO at Fannie Mae will detail his experience using Bit sight's service to assess the cybersecurity level of third party business partners and vendors, as well as using BitSight for ongoing monitoring of externally visible signs of lapses in security levels. http://www.sans.org/info/180507

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus San Diego, Tokyo, Sydney, Cape Town, and Dallas all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US EMV Implementation is Chip-and-Signature, Not Chip-and-PIN (September 30, 2015)

As of October 1, 2015, US retailers were supposed to have adopted technology that allows them to accept chip-and-PIN payment cards. The technology, also known as EMV (for EuroPay, MasterCard, Visa), aims to provide stronger security for payment card transactions. However, what has been implemented in the US is chip-and-signature instead of chip-and-PIN. Not requiring cardholders to enter a PIN to verify purchases diminishes the security of those transactions.
-http://www.wired.com/2015/09/big-security-fix-credit-cards-wont-stop-fraud/
-http://www.scmagazine.com/credit-card-security-takes-a-step-forward-today-with-e
mv-cards/article/442099/
-http://www.cnet.com/news/new-credit-cards-aim-to-protect-consumers-and-banks-fro
m-hackers/
[Editor's Note (Pescatore): The PIN part is really only a factor for lost or physically stolen cards vs. online theft/fraud. But, from a security perspective, it would have been much smarter to go the PIN route. The card brands tend to focus on the needs/demands of the card issuers and people never forget their signature and they do forget PINs - - the signature approach is lower cost for the card issuers since they won't have PIN resets to deal with. (Murray): The value of the PIN is exaggerated. The use of a PIN in Europe was necessary to compensate of the large percentage of offline transactions. A condition we do not share. Only the issuers know if the use of the PIN would resist fraudulent use of lost or stolen cards in the narrow window between the time the card was lost or stolen and the time it is reported lost or stolen. They are the ones making the decision and taking the risk. Note that the use of contact EMV is already slowing the transaction and will be resisted both by consumers and high transaction volume merchants. Let's not aggravate the problem.
-http://whmurray.blogspot.com/2015/05/chip-and-pin-compared-to-chip-and.html#link
s]

CIA Pulled Staff from Beijing After OPM Breach (September 29, & 30, & October 1, 2015)

During a Senate Armed Services Committee hearing earlier this week, Director of National Intelligence James Clapper told legislators that the CIA pulled staff from the US embassy in Beijing following the Office of Personnel Management (OPM) breach. Because the OPM database held clearance data for State Department employees but not CIA officers, analysis could determine that people whose data were not included could be identified as possible CIA agents. Clapper also characterized the OPM breach as "theft or espionage" and not an attack.
-https://www.washingtonpost.com/world/national-security/cia-pulled-officers-from-
beijing-after-breach-of-federal-personnel-records/2015/09/29/1f78943c-66d1-11e5-
9ef3-fde182507eac_story.html
-http://www.bbc.com/news/technology-34411726
-http://arstechnica.com/tech-policy/2015/09/cia-officers-pulled-from-china-becaus
e-of-opm-breach/

---

************************** SPONSORED LINKS ********************************
1) Mitigate the Healthcare Endpoint Security Challenges - Read More: http://www.sans.org/info/180512

2) Master the Game of Who: Leveraging Network Intelligence and User Activity to Combat Insider Threats. Thursday, October 08 at 11:00 AM EDT (15:00:00 UTC) featuring Vince Berk, Mike Tierney, and Dr. Eric Cole as Moderator. http://www.sans.org/info/180517

3) Attend the SANS And CIS Critical Security Controls Breakfast Briefing at the Capital Hilton, Washington, DC. http://www.sans.org/info/180532 . Need to attend remotely http://www.sans.org/info/180537
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Patreon Data Leaked (October 1 & 2, 2015)

Attackers have broken into the Patreon crowd-funding donation website, stolen user data, and posted it to the Internet. The compromised data include encrypted passwords and donation records. The attackers also stole and posted source code.
-http://arstechnica.com/security/2015/10/gigabytes-of-user-data-from-hack-of-patr
eon-donations-site-dumped-online/
-http://arstechnica.com/security/2015/10/patreon-some-user-names-e-mail-and-maili
ng-addresses-stolen/
-http://www.theregister.co.uk/2015/10/02/patreon_attackers_drop_data_expose_users
/
[Editor's Note (Murray): It is not possible to expose an application to the Internet in such a way that it cannot be compromised at some cost to the attacker. That said, applications like eBay and Patreon that owe their very existence to the Internet must be held to a higher standard of security than those for which the Internet is merely incidental to their business strategy. ]

Two New Stagefright Vulnerabilities (October 1, 2015)

The person who disclosed the Stagefright vulnerability in July has found two more Stagefright-related vulnerabilities that affect as many as one billion Android users. The flaws are in the Android libutils library and in the libstagefright media library. The flaws, exploited together, could allow remote code execution on vulnerable devices when users preview music or videos.
-http://www.eweek.com/security/stagefright-2-exposes-another-billion-android-phon
es-to-risk.html
-http://www.cnet.com/news/every-android-device-vulnerable-to-newly-discovered-bug
s/
-http://www.theregister.co.uk/2015/10/01/stagefright_two_point_oh_android/
-http://www.computerworld.com/article/2988157/android/new-android-vulnerabilities
-put-over-a-billion-devices-at-risk-of-remote-hacking.html
-http://arstechnica.com/security/2015/10/a-billion-android-phones-are-vulnerable-
to-new-stagefright-bugs/

T-Mobile Customer Data Compromised in Experian Breach (October 1, 2015)

A breach of an Experian database affects 15 million US T-Mobile customers. Experian processes credit checks for T-Mobile customers. The compromised data include names and Social Security numbers (SSNs) but not financial account information. The breach affects data collected between September 1, 2013 and September 16, 2015.
-http://thehill.com/business-a-lobbying/255703-t-mobile-customers-exposed-in-brea
ch-of-15m-credit-agency-customers
-http://www.theregister.co.uk/2015/10/01/experian_tmobile_breach/
-http://www.wired.com/2015/10/hack-brief-hackers-steal-15m-t-mobile-customers-dat
a-experian/
[Editor's Note (Murray): There is nothing left to hide; the three major credit bureaus were the last bastion, and now they are breached. Data security must now move from secret credentials to strong authentication, out of band confirmation of all records, changes to them, and transactions based upon them, and non-repudiation of the confirmation. For some sensitive transactions, we will need to rely upon after-the-fact reconfirmation of the transaction. (Honan): In a move to highlight irony in this breach, T-Mobile is offering their customers 2 years free identify theft monitoring from Experian, the company that lost the customer information in the first place. ]

Thai Single Gateway Plan Criticized (October 1, 2015)

Thailand's government is facing public outcry over its plan to establish a single Internet gateway for the country. Opponents of the plan say it will slow down Internet service and could cause enormous problems if it were to fail. They also noted that it would likely discourage foreign companies from doing business in Thailand.
-http://www.zdnet.com/article/thai-government-faces-opposition-in-bid-to-build-si
ngle-internet-gateway/

Virginia State Troopers Test Their Cars' Cybersecurity (September 30, 2015)

An initiative in Virginia tested the cyber security of state trooper vehicles. The project is a joint effort of public and private entities. It found that even older vehicles that are not Internet-connected are susceptible to cyberattacks with some physical access to the car.
-http://www.darkreading.com/attacks-breaches/state-trooper-vehicles-hacked-/d/d-i
d/1322415?
[Editor's Comment (Pescatore): Cyber attacks are not the top risk if there is physical access to a police car. But if law enforcement fleets are buying vehicles with cellular data radios and connectivity built-in, they certainly should require vulnerability testing *before* they buy them. (Northcutt): This is a good article, well worth your time. One note: "The attacks would require some knowledge of the car model's electronics, he notes, so it's not an attack 'the average person' could pull off." But when criminals go after law enforcement infrastructure, they do not normally do it with average people. They hire people with knowledge of the cars. Recall the recent press about Apple accelerating their car program because cars are the ultimate mobile device as we see in the first link. (Kaprika, with the same observation, was involved in the research in the story):
-https://www.youtube.com/watch?v=gz-4Swyyl4M
-https://en.wikipedia.org/wiki/Apple_electric_car_project]

Apple Releases Updates for OS X, iOS, and Safari (September 30 & October 1, 2015)

Apple has issued updates for its desktop and mobile operating systems as well as its Safari browser. The update for OS X, El Capitan v.10.11 addresses scores of vulnerabilities. The update for iOS is version 9.0.2; it addresses a flaw in the previous update that allows access to contacts and photos from the lock screen. The Safari update, Safari 9, addresses 45 flaws.
-http://www.scmagazine.com/apple-releases-os-x-ios-safari-updates-multiple-bugs-a
ddressed/article/442595/
-http://www.theregister.co.uk/2015/09/30/apple_el_capitan_security/
-http://www.zdnet.com/article/new-ios-9-iphone-ipad-update-lands-with-lock-screen
-bypass-fix/

Dyreza Trojan Now Targets Industrial Supply Chain (September 30, 2015)

Dyreza, which first came to light as a banking Trojan, has expanded its scope of attack to include industrial supply chain. The most recently detected versions of the malware are designed to steal credentials for order fulfillment, warehousing, inventory management, and other supply chain services.
-http://www.computerworld.com/article/2987960/malware-vulnerabilities/dyreza-malw
are-steals-it-supply-chain-credentials.html

Critical WinRAR Flaw Affects 500 Million Users (September 30 & October 1, 2015)

A critical remote code execution vulnerability in the WinRAR file compression tool affects as many as half a billion users. The issue affects WinRAR v.5.2.1 and lies in the tool's SFX archive features. A patch is not yet available.
-http://www.computerworld.com/article/2987749/cybercrime-hacking/critical-flaw-pu
ts-500-million-winrar-users-at-risk-of-being-pwned-by-unzipping-a-file.html
-http://www.scmagazine.com/winrar-vulnerability-leaves-users-open-to-attack/artic
le/442083/
-http://www.v3.co.uk/v3-uk/news/2428326/winrar-critical-flaw-leaves-millions-open
-to-compressed-file-attacks
[Editor's Note (Murray): The risk is a function of the use of the mechanism rather than the number of copies. The workaround is to prefer other compression tools until a fix is available. This is simply another manifestation of an old problem that we have dealt with in other products. ]

Prison Sentence for Distributing Citadel Malware (September 30 & October 1, 2015)

Dmitry Belorossov was sentenced to four-and-a-half years in prison for his role in distributing the Citadel banking Trojan. He was also ordered to pay more than US $300,000 in restitution. Belorossov pleaded guilty in 2014 to conspiracy to commit computer fraud. Citadel was responsible for more than US $500 million in losses.
-http://www.v3.co.uk/v3-uk/news/2428446/citadel-hacker-gets-four-years-in-prison-
gbp300-000-fine-after-causing-usd500m-losses
-http://www.scmagazine.com/russian-man-gets-four-years-in-prison-for-distributing
-citadel/article/442108/
-http://www.theregister.co.uk/2015/09/30/rainerfox_sentenced/

Unexpected Windows 7 Update Was Accidentally Published Test (September 30, 2015)

A suspicious update was inadvertently pushed out to Windows 7 users' computers on Wednesday, September 30. The unexpected update was part of a test gone awry. The text and links appeared suspicious, and some wondered if the Windows Update system had been compromised. A Microsoft spokesperson said, "We incorrectly published a test update and are in the process of removing it."
-http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-wind
ows-update-delivered-worldwide/
-http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update
-patch/
-http://www.theregister.co.uk/2015/09/30/windows_update_glitch/
[Editor's Note (Pescatore): I hope the testing was part of Microsoft making sure it is ready for moving to more frequent security patch pushing with Windows 10 - and that the glitch caused Microsoft to really focus on making sure the entire update chain is secure. ]

Trump Hotels Suffer Breach (September 29 & 30, & October 1 2015) The Trump Hotel

Collection has acknowledged that a security breach compromised customers' payment card information at seven of the chain's hotels. The breach affects customers who used cards at the hotels between May 19, 2014, and June 2, 2015.
-http://www.nbcnews.com/tech/security/trump-hotels-confirm-hack-exposed-customer-
credit-card-info-n436501
-http://thehill.com/policy/cybersecurity/255592-hackers-strike-trump-hotels
-http://www.theregister.co.uk/2015/09/29/trump_confirms_carders_raided_las_vegas_
hotel_point_of_sale_systems/
-https://www.trumphotelcollection.com/data-security-notice

---

STORM CENTER TECH CORNER

Reverse Analysis of Malicious DLLs
-https://isc.sans.edu/forums/diary/Tricks+for+DLL+analysis/20195/

XOR DDoS Botnet
-https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015
-xor-ddos-attacks-linux-botnet-malware-removal-ddos-mitigation-yara-snort.html

Privilege Escalation Vulnerabilities in TrueCrypt
-https://twitter.com/tiraniddo/status/648293501050986496

The Inside Story Behind MS08-067
-http://blogs.technet.com/b/johnla/archive/2015/09/26/the-inside-story-behind-ms0
8-067.aspx

Shodan Lists 68,000 Exposed Medical Devices
-http://www.irongeek.com/i.php?page=videos%2Fderbycon5%2Fbreak-me14-medical-devic
es-pwnage-and-honeypots-scott-erven-mark-collao

Microsoft Publishes Test Update By Mistake
-https://isc.sans.edu/forums/diary/Mistakenlydeployed+test+patch+leads+to+suspici
ous+Windows+update/20201/

Cyber Insurance Fails to Pay After Business E-Mail Compromise
-http://www.networkworld.com/article/2984989/security/cyber-insurance-rejects-cla
im-after-bitpay-lost-1-8-million-in-phishing-attack.html

Apple Updates (iOS 9.0.2, OS X El Capitan, Safari 9)
-https://support.apple.com/en-us/HT201222

Dr. Web hit by Arson Attack After ATM Skimmer Expose
-https://antifraud.drweb.com/atm_trojs/drweb/?lng=en

New Android libstagefright Vulnerability
-https://blog.zimperium.com/zimperium-zlabs-is-raising-the-volume-new-vulnerabili
ty-processing-mp3mp4-media/

VMware vCenter/ESXi Patch
-https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmware-
vcenter-remote-code-execution/

Chinese Uber Accounts Compromised
-https://www.hackread.com/uber-accounts-used-in-china

Apple OS X Gatekeep Weakness
-https://www.virusbtn.com/conference/vb2015/abstracts/LM6.xml

---

NOMINATIONS OPEN FOR 2015 CYBER DIFFERENCE MAKERS AWARDS

NOMINATIONS OPEN FOR CYBER DIFFERENCE MAKERS AWARDS There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because their security team has found ways to meet business and mission needs while protecting customer and business data from attackers. The SANS Difference Makers awards highlight those creative and hard working security professionals and teams that do just that. Nominations are open for the 2015 SANS Difference Maker's awards - details at
-https://www.sans.org/cyber-innovation-awards/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/