SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #78
October 06, 2015
TOP OF THE NEWS
European Court of Justice Rules US Safe Harbor Invalid
S+P Could Downgrade Banks with Inadequate Cybersecurity
Linux Botnet
THE REST OF THE WEEK'S NEWS
HTC Skeptical About Monthly Android Updates
Drones, Phones, and Wi-Fi Printers
YiSpecter Infects Both Jailbroken and Non-Jailbroken iOS Devices
Risk of Cyberattack on Nuclear Facilities is Growing
Outlook Mailserver Advanced Persistent Threat
DHS Confiscated California Mayor's Devices at Airport
US Defense Department Contractors Must Report Breaches
Vulnerability in WordPress Jetpack Plugin
Scottrade Breach
Benign Virus Protects Linux Routers
STORM CENTER TECH CORNER
************************ Sponsored By Symantec ****************************
Symantec is focused on ensuring you have the ability to Uncover and Respond to Cyber Threats across your endpoints, Email and the Network. Use this quick and easy resource to gather information on Threat Protection from Symantec. http://www.sans.org/info/180577
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | 36 courses
Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured.
http://www.sans.org/u/7Qx
- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR
- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6
- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF
- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy
Plus San Diego, Tokyo, Sydney, Cape Town, and Dallas all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
European Court of Justice Rules US Safe Harbor Invalid (October 6, 2015)
In a decision with widespread implications for the international transfer and processing of data - and the companies that provide these services - the European Court of Justice has ruled the EU-US Safe Harbour pact invalid. Experts are warning of massive disruption to international business.
-http://www.scmagazineuk.com/safe-harbour-ruled-invalid-by-european-court-of-justice/article/
-http://m.rte.ie/news/2015/1006/732665-safe-harbour-ecj/
[Editor's Note (Honan): This ruling means companies in the EU are in violation of EU Data Protection laws when transferring personal data to US companies, even if those companies are part of the US Safe Harbor program. It also means, should Microsoft lose their appeal regarding US law enforcement accessing a mailbox on one of their servers in Dublin, then US tech companies will have severe challenges in doing business in the EU. ]
S+P Could Downgrade Banks with Inadequate Cybersecurity (September 29, 2015)
Standard & Poor's (S+P) said it could downgrade banks that do not employ adequate cybersecurity measures even if the banks have not experienced a breach. Although S+P has not yet downgraded a bank over a breach, it could take action if the breach damaged the institution's reputation enough to lose customers and/or capital.
-http://ww2.cfo.com/cyber-security-technology/2015/09/banks-weak-cybersecurity-downgraded-sp/
-https://www.globalcreditportal.com/ratingsdirect/renderArticle.do?articleId=1455510&SctArtId=343857&from=CM&nsl_code=LIME&sourceObjectId=9348447&sourceRevId=2&fee_ind=N&exp_date=20250927-20:56:45
[Editor's Note (Pescatore): Not very meaningful if S&P downgrades only after a breach damages a bank's "reputation" and only after breaches. That will be like when S&P and others downgraded the banks *after* the last financial crash. ]
Linux Botnet (September 29, 2015)
The XOR DDoS botnet comprises infected Linux computers. The botnet targets education and gaming websites with traffic up to 150 gigabits per second. The majority of the targeted sites are in Asia. In some of the attacks, the IP address of the bot is spoofed to make it appear to be part of the targeted network.
-http://arstechnica.com/security/2015/09/botnet-preying-on-linux-computers-delivers-potent-ddos-attacks/
************************** SPONSORED LINKS ********************************
1) RSA Webcast: Active Incident Response Dos & don'ts of handling a security incident & more. http://www.sans.org/info/180582
2) Download the free eGuide: Breach Preparation - Plan for the Inevitability of Compromise: http://www.sans.org/info/180587
3) Did you know you can be alerted in real time about phishing campaigns against your company? See firsthand how it's possible during this free webinar featuring EMC and hosted by Recorded Future on Wednesday, October 14 at 1:00 PM ET: http://www.sans.org/info/180592
***************************************************************************
THE REST OF THE WEEK'S NEWS
HTC Skeptical About Monthly Android Updates (October 5, 2015)
Following the initial disclosure of the Stagefright vulnerability earlier this summer, Google announced that it would make monthly Android security updates available for its Nexus phones. Samsung and LG have said they plan to provide regular Android updates, but HTC president Jason Mackenzie tweeted that it is "unrealistic for anyone to say guaranteed every month."
-http://www.zdnet.com/article/htc-says-monthly-stagefright-android-security-updates-are-unrealistic/
[Editor's Note (Pescatore): The carrier testing labs are the choke point for testing and validating updates for the devices on their network. Phones with lower market share are likely to wait longer; but the point is committing to "regular" updates, where regular means "near monthly" as Samsung and LG have said. The frequency of updates for all consumer devices (TVs, cars, phones, etc.) needs to start showing up on those Consumer Reports and other review matrices. ]
Drones, Phones, and Wi-Fi Printers (October 5, 2015)
Academic researchers at the Singapore University of Technology and Design have demonstrated that a technique companies can use to find out if they have unprotected Wi-Fi devices can also be exploited to conduct espionage. The demonstration involved a drone carrying a mobile phone on which two apps have been installed. One of the apps detects unprotected Wi-Fi printers and other devices. The other app does the same thing, but has a malicious portion - it uses the phone to establish a phony access point that mimics the printer and can thus intercept communications sent to the printer.
-http://www.wired.com/2015/10/drones-robot-vacuums-can-spy-office-printer/
YiSpecter Infects Both Jailbroken and Non-Jailbroken iOS Devices (October 5, 2015)
Malware known as YiSpecter infects iOS devices, deluging them with full-screen advertisements. YiSpecter has been found on both jailbroken and non-jailbroken iOS devices in China and Taiwan, and is reportedly capable of installing and launching apps on its own, replacing existing apps with ones it downloads, hijacking other apps' functionality to display ads, changing the device's default search engine, and uploading information about the device. Those infected with YiSpecter were tricked into downloading the malware in an offer for a "private version" of a defunct media player, QVOD, commonly associated with pornography.
-http://www.cnet.com/news/new-ios-malware-making-the-rounds-in-china-and-taiwan/
-http://www.informationweek.com/government/cybersecurity/yispecter-malware-threatens-iphone-owners/a/d-id/1322488
-http://www.scmagazine.com/updated-yispecter-malware-targets-non-jailbroken-ios-devices/article/443023/
-http://www.computerworld.com/article/2989111/apple-ios/chinese-hackers-put-ios-in-the-crosshairs-with-novel-attack-angles.html
-http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/#
Risk of Cyberattack on Nuclear Facilities is Growing (October 5, 2015)
According to a report from the Chatham House think tank, civilian nuclear plants are facing increased risks of cyberattacks. Among the report's findings: the assumption that all nuclear facilities are air-gapped is a myth; plants are using off-the-shelf software and are reluctant to apply patches because of the potential for downtime and other problems; employees at the plants are insufficiently trained.
-https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks
-http://www.scmagazine.com/cyber-danger-to-nuclear-power-plants-growing/article/443147/
-http://www.theregister.co.uk/2015/10/05/nuclear_plants_cyber_denial_man_in_the_middle/
-http://www.bbc.com/news/technology-34423419
[Editor's Note (Assante): The report does a nice job of explaining why nuclear facility operators need to think differently about cybersecurity. The challenges cited here are not fully unique to the nuclear sector as the rapid onset of targeted attacks, intensity in their execution, and growing reliance on digital systems have caught many by surprise. Robert Michael Lee and I have just released a paper building on the kill-chain model to examine and help defend against material ICS attacks. Paper:
-https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 ]
Outlook Mailserver Advanced Persistent Threat (October 5, 2015)
Malware that targets Outlook Web Application servers is capable of stealing email passwords. The attack falls into the category of advanced persistent threat, because it remained on the server and harvested information over a period of several months.
-http://arstechnica.com/security/2015/10/new-outlook-mailserver-attack-steals-massive-number-of-passwords/
DHS Confiscated California Mayor's Devices at Airport (October 2 and 4, 2015)
The US Department of Homeland Security (DHS) confiscated two laptops and a cellphone from the mayor of Stockton, California as he returned from a mayors' conference in China. Mayor Anthony Silva was not permitted to leave the airport until he provided passwords for each of the devices. The DHS agents did not "produce a search warrant or any court documents."
-http://arstechnica.com/tech-policy/2015/10/small-town-mayor-relinquishes-electronics-and-passwords-to-agents-at-sfo/
-http://www.sfgate.com/bayarea/article/Stockton-mayor-was-briefly-detained-on-return-6546419.php
[Editor's Note (Northcutt): Nations have to have the ability to control what enters and leaves their borders. Democracy based states should try to be transparent about what they do to "we the people" and that appears to be lacking in this case. The big reminder for information security professionals is to provide our organization's international travelers with stripped down boxes for travel and to nuke them on return, (including BIOS reset if possible):
-http://its.unl.edu/bestpractices/international-travel
-http://www.vanderbilt.edu/exportcompliance/travel.php
-http://www.techrepublic.com/blog/it-security/preparing-a-business-laptop-for-overseas-travel/
-http://www.computerweekly.com/feature/Top-five-data-security-travel-issues-Protect-sensitive-information-on-business-trips ]
US Defense Department Contractors Must Report Breaches (October 2, 2015)
A new rule requires many US Department of Defense (DoD) contractors to report "cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system." The rule applies to the more than 100,000 contractors in the DoD's Defense Industrial Base information sharing network.
-http://thehill.com/policy/cybersecurity/255757-dod-now-requires-contractors-to-report-cyber-breaches
-http://www.nbcnews.com/tech/security/defense-department-now-requires-contractors-report-security-breaches-n437776
-https://www.federalregister.gov/articles/2015/10/02/2015-24296/department-of-defense-dod-defense-industrial-base-dib-cybersecurity-cs-activities#h-18
[Editor's Note (Pescatore): It doesn't sound like the breach information would be made public. Such bad publicity has shown to be a good thing in the long run - helps market forces make security more important to all. As a minimum, I hope breach information will be used in future DoD procurements as a management evaluation factor. ]
Vulnerability in WordPress Jetpack Plugin (October 2, 2015)
A flaw in the Jetpack plug-in for WordPress could be exploited with a cross-site scripting (XSS) attack. Jetpack versions 3.7 and older have the vulnerability; users are urged to update to versions 3.7.1 and 3.7.2.
-http://www.scmagazine.com/stored-xss-vulnerability-identified-in-jetpack-plugin-for-wordpress/article/442865/
[Editor's Note (Murray): "Flaw" should be read as "un-checked input." Checking inputs in modern multi-layer systems is difficult. For applications and infrastructure (e.g., Wordpress) facing the public networks, one should begin with the OWASP libraries and guidance. ]
Scottrade Breach (October 2, 2015)
Investment brokerage Scottrade suffered a data breach, but was not aware of the incident until the FBI informed the company in August. The FBI asked Scottrade to refrain from disclosing the breach until the agency completed its investigation. The breach occurred in late 2013 and early 2014 and affects 4.6 million customers.
-http://thehill.com/policy/cybersecurity/255816-scottrade-hack-affects-46-million-customers
-http://www.theregister.co.uk/2015/10/02/scottrade_data_breach_46m_customers/
-http://www.computerworld.com/article/2989033/cyberattacks/scot-trade-didnt-know-about-data-breach-until-feds-showed-up.html
-http://www.darkreading.com/risk/scottrade-breach-hit-46-million-customers-began-2-years-ago/d/d-id/1322470?
-https://about.scottrade.com/updates/cybersecurity.html
Benign Virus Protects Linux Routers (October 2, 2015)
Linux routers infected with a virus known as Wifatch appear to be protected from other malware, according to Symantec. Unlike some botnet malware, which defends its infected devices, Wifatch seems to be only protecting and not using its position to launch attacks. Wifatch attempts to clean the routers of other malware and leaves a message on the router reminding the owner to change default passwords and to update the device's firmware.
-http://www.computerworld.com/article/2988656/network-security/a-viral-vigilante-may-be-keeping-an-eye-on-your-home-router.html
-http://www.bbc.com/news/technology-34423414
-http://www.latimes.com/business/technology/la-fi-tn-wifatch-20151002-story.html
-http://www.symantec.com/connect/blogs/there-internet-things-vigilante-out-there
STORM CENTER TECH CORNER
Microsoft Publishing New Elliptic Key Crypto Algorithm
-http://eprint.iacr.org/2015/565.pdf
T-Mobile Changing Vendor for Credit Monitoring Service
-https://www.csid.com/t-mobile/
Google Pushes Monthly Android Update with Stagefright 2.0 Fix
-https://groups.google.com/forum/#!topic/android-security-updates/_Rm-lKnS2M8
Danish Bank Leaks Server Details in HTML Comments
-http://sijmen.ruwhof.net/weblog/584-how-i-could-hack-internet-bank-accounts-of-danish-largest-bank-in-a-few-minutes
Someone Hacked 10,000 Routers (Not Their Own) To Correct Security Flaw
-http://thehackernews.com/2015/10/hack-wifi-router.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/