SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #79

October 09, 2015

If you know women about to graduate from college who have good IT skills
and a strong interest in cyber, they might appreciate learning about the
scholarships in the first story.

---

TOP OF THE NEWS

Women's Cyber Talent Search Offers Scholarships For Advanced, Hands-OnTraining
FBI Urges Use of Two-Factor Authentication
US Authorities Name Chinese Companies that Benefitted from Espionage
China Arrests Hackers At US Request

THE REST OF THE WEEK'S NEWS

New California Law Requires Warrant to Use Stingray
Malwarebytes Says No Vulnerability Found in WinRAR
Cisco Disrupts Angler Exploit Kit Distribution
Moker Trojan Evades and Disables Security Measures
Uber Breach Investigation
LoopPay Breach
Matthew Keys Guilty of Helping Anonymous Access Tribune Computers
USPS Employees and Phishing
Huawei Will Not Patch Router Flaws
Boarding Pass Barcodes Hold Troves of Data

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************* Sponsored By Trend Micro Inc. ************************

Trend Micro Forward-Looking Threat Research publishes report examining the past 10 years of US data breaches.
http://www.sans.org/info/180687

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | Oct. 5-17| 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus San Diego, Tokyo, Sydney, Cape Town, and Dallas all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Women's Cyber Talent Search Offers Scholarships For Intensive Hands On Training (October 9, 2015)

As a step toward brining more talent into cybersecurity by closing the gender gap, the National Center for Women in Technology and SANS are providing more than $300,000 in scholarships for advanced hands-on training in the most sought-after skills. Women who demonstrate aptitude for and basic skills in cybersecurity are eligible. The admissions process is now open and qualifying exams are being held from today through October 30. Schedule and qualifying site:
-https://www.sans.org/cybertalent/immersion-academy/programs?#womens-academy
More on what is in the CyberAcademies
-http://www.sans.org/cybertalent/immersion-academy/

FBI Urges Use of Two-Factor Authentication (October 6, 2015)

The FBI is encouraging small- and medium-sized businesses and Internet users in general to use two-factor authentication to safeguard personal information. The FBI (did this) as part of this year's National Cyber Security Awareness Month. In a related story, a coalition of government agencies, technology companies, and security experts met in Washington, DC, earlier this week to discuss ways to move toward stronger, two-factor authentication.
-https://www.fbi.gov/news/news_blog/cyber-tip-protect-yourself-with-two-factor-au
thentication
-http://www.executivegov.com/2015/10/fbi-calls-on-businesses-online-users-to-adop
t-2-factor-authentication/
-http://www.dailydot.com/politics/two-factor-tuesday-passwords-cybersecurity/
[Editor's Note (Pescatore): All movement away from reusable passwords is movement towards higher (not perfect) security. The FIDO alliance that is pushing two-factor authentication has a long list of big consumer brands, like Google, Mastercard, Microsoft, Paypal, Visa on its board of directors. I'd love to see those companies make strong authentication the default and reusable passwords the harder to find "opt out" option - just like they all do for advertising and tracking purposes. (Ullrich): If you are regularly logging into a site that stores data you consider confidential (e-mails, financial sites ...) , and it doesn't use two-factor authentication, then please ask the operator of the site to implement it at least as an option. Implementing systems like Google Authenticator is very cheap ("free") and easy to do. While systems that require hardware tokens are better, even simple setups like Google Authenticator significantly raise the bar without inconveniencing the user too much. (Murray): (I miss no opportunity to say) All strong authentication is, by definition, at least "two factor." However, all two factor authentication is not "strong." Both by definition and for effectiveness, strong authentication must resist replay. There must be a "one time" component. See:
-http://tiny.cc/vsph4x]

US Authorities Name Chinese Companies that Benefitted from Espionage (October 8, 2015)

Authorities identified Chinese companies suspected of acquiring intellectual property stolen from US firms. They are Chinalco, an aluminum company; Baosteel, a steelmaker; and SNPTC, a nuclear power company. The US Department of Justice (DoJ) says the companies benefitted from information stolen from US energy and manufacturing companies in 2014.
-http://thehill.com/policy/cybersecurity/256330-us-authorities-name-chinese-firms
-involved-in-military-hacks
[Editor's Note (Assante) This narrative and accompanying analysis of ill-gotten benefit will bring life to earlier reports in 2011 to Congress about foreign spies stealing us economic secrets in cyberspace. Each case being highlighted was identified as at risk technologies and practices in the October 2011 report from the Office of the National Counterintelligence Executive (ONCIX). Intellectual Property goes beyond research to include basic manufacturing and maintenance practices as an example. It also draws a bulls eye on automation and industrial control systems where recipes and process information along with production data resides. (Henry): China will continue to penetrate western companies for intellectual property and R&D unless a clear deterrent is established. If the USG has identified three Chinese companies that benefited from stolen property, there should be a plan in place to hold those companies accountable. President Xi's promise not to hack for commercial gain is a good start; and he may actually adhere to his words after he sees what happens to three Chinese corporations who've illegally obtained valuable US information. ]

China Arrests Hackers at U.S. Request (October 9, 2015)

Two weeks before President Xi Jinping's state visit to Washington late last month, the Chinese government quietly arrested a handful of hackers at the urging of the U.S. government - an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions. The hackers had been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.
-https://www.washingtonpost.com/world/national-security/in-a-first-chinese-hacker
s-are-arrested-at-the-behest-of-the-us-government/2015/10/09/0a7b0e46-6778-11e5-
8325-a42b5a459b1e_story.html

---

************************** SPONSORED LINKS ********************************
1) Download the free eGuide: Breach Preparation - Plan for the Inevitability of Compromise: http://www.sans.org/info/180692

2) Did you know you can be alerted in real time about phishing campaigns against your company? See firsthand how it's possible during this free webinar featuring EMC and hosted by Recorded Future on Wednesday, October 14 at 1:00 PM ET: http://www.sans.org/info/180697

3) Don't Miss: Threats 2.0: Get Ahead of them with Advanced Analytics. Thursday, October 15 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Greg Wessel. http://www.sans.org/info/180702
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

New California Law Requires Warrant to Use Stingray (October 8, 2015)

California Governor Jerry Brown has signed into law a bill that requires law enforcement to obtain a warrant prior to using cell-site simulators, often referred to as stingrays. The California Electronic Communications Privacy Act has been described as having a broad scope; it does not apply to specific technologies but instead aims to protect citizens' digital privacy.
-http://arstechnica.com/tech-policy/2015/10/california-governor-signs-new-law-man
dating-warrant-for-stingray-use/

Malwarebytes Says No Vulnerability Found in WinRAR (October 7 and 8, 2015)

Malwarebytes Head of Malware Intelligence Adam Kujawa says that they "jump
[ed ]
the gun" when they disclosed what they said was a vulnerability in WinRAR. What was initially seen as a vulnerability was in fact "simply a new attack vector that could mask itself as any executable." In an official security blog post, Kujawa apologized and clarified the issue.
-https://blog.malwarebytes.org/news/2015/10/redaction-winrar-vulnerability/
-http://www.scmagazine.com/malwarebytes-apologizes-for-jumping-the-the-gun-on-win
rar-vulnerability/article/443998/
-http://betanews.com/2015/10/08/malwarebytes-theres-no-winrar-vulnerability-were-
sorry/
[Editor's Note (Ullrich): This vulnerability is really all about executing untrusted code on a system. A self-extracting file is an executable, even if the user doesn't necessarily realize the fact. It is always possible to change the "wrapper" that is included to extract the file for malicious code. ]

Cisco Disrupts Angler Exploit Kit Activity (October 7 and 8, 2015)

Cisco has taken steps to help thwart activity of the Angler exploit kit. Cisco used a variety of methods to identify Angler servers. They contacted network operator Limestone, which hosted nearly 150 Angler proxy servers; Limestone took the malicious servers down.
-http://www.eweek.com/security/cisco-disrupts-30-million-angler-exploit-ring.html
-http://www.v3.co.uk/v3-uk/news/2429601/cisco-dismantles-usd30m-angler-exploit-ha
cking-operation
-http://www.zdnet.com/article/cisco-disrupts-30-million-browser-plug-in-hacking-o
peration/

Moker Trojan Evades and Disables Security Measures (October 8, 2015)

Malware known as Moker is capable of evading and disabling security measures, gaining system privileges, taking screenshots, logging keystrokes, and exfiltrating data. Moker is being described as an Advanced Persistent Threat (APT) with the characteristics of a Remote Access Trojan (RAT). It has been detected on only one network.
-http://www.theregister.co.uk/2015/10/08/monker_rat/
-http://www.scmagazine.com/new-moker-malware-can-alter-security-measures/article/
443729/

Uber Breach Investigation (October 8, 2015)

Uber is investigating the breach of a database that contains information about the company's drivers. A report from Reuters says that one suspect is Uber rival Lyft. Uber inadvertently posted the database key on a GitHub page before the breach. When Uber realized what had happened, it sent a subpoena to GitHub demanding information about people who visited that particular page during the period the key was visible. Someone using an IP address associated with Lyft's Chief Technical Officer accessed the page. However, that IP address is not the same as the one used in the attack on Uber's database.
-http://www.scmagazine.com/uber-connecting-the-dots-between-lyft-cto-and-drivers-
database-breach-report-says/article/444006/
-http://www.reuters.com/article/2015/10/08/us-uber-tech-lyft-hacking-exclusive-id
USKCN0S20D420151008
[Editor's Note (Murray): Uber, like eBay and other companies that are based on the Internet, needs to be held to a higher standard of security than companies that are mere users. ]

LoopPay Breach (October 7 and 8, 2015)

Attackers recently breached servers at Samsung subsidiary LoopPay, but Samsung says that its mobile payment service, Samsung Pay, was not affected. Samsung acquired LoopPay earlier this year to help set up Samsung Pay. The servers that were breached are used for LoopPay office printing, filesharing, and email. Samsung says the attackers may have been trying to steal LoopPay's magnetic secure transmission (MST). That technology was Samsung's primary reason for acquiring LoopPay.
-http://www.theregister.co.uk/2015/10/08/looppay_breach_samsung_pay_hackers_codos
o_china/
-http://www.bloomberg.com/news/articles/2015-10-08/samsung-says-payments-data-una
ffected-by-looppay-hacking-attack
-http://www.cnet.com/news/samsung-says-customer-payment-data-not-affected-by-hack
-attack/
-http://www.pcworld.com/article/2990476/security/hackers-who-targeted-samsung-pay
-may-be-looking-to-track-individuals.html
[Editor's Note (Ullrich): Even though the target was a payment service, the goal of the attack was not to steal funds or user data. Instead, the attackers found intellectual property on how the service works more interesting and valuable to take. ]

Matthew Keys Guilty of Helping Anonymous Access Tribune Computers (October 7 and 8, 2015)

A former deputy social media editor for Reuters has been found guilty of conspiracy to damage a protected computer, transmitting malicious code, and attempted transmission of malicious code for helping the Anonymous collective access servers at Tribune Media Co. Matthew Keys helped the hackers gain access to the Los Angeles Times website, where they altered content. Keys plans to appeal the verdict.
-http://www.latimes.com/local/lanow/la-me-ln-matthew-keys-convicted-hacking-la-ti
mes-20151007-story.html
-http://www.nbcnews.com/tech/security/journalist-matthew-keys-found-guilty-aiding
-anonymous-news-hack-n440581
-http://thehill.com/policy/cybersecurity/256340-journalist-convicted-of-aiding-lo
s-angeles-times-hackers
-http://www.computerworld.com/article/2990491/cybercrime-hacking/journalist-convi
cted-of-helping-anonymous-hack-the-la-times.html

USPS Employees and Phishing (October 7, 2015)

Just months after US Postal Service employee data were compromised with the help of a phishing attack, 25 percent of a sample of USPS employees fell prey to a compliance and awareness phishing security exercise. Just seven percent of employees who received the suspicious email reported it to the USPS Computer Incident Response Team, which is a requirement. Most of the employees who received the test email had not completed their annual security awareness training.
-http://www.nextgov.com/cybersecurity/2015/10/after-usps-phishing-hack-audit-show
s-postal-workers-still-click-links/122639/?oref=ng-HPtopstorys
[Editor's Comment (Ullrich): A 7% reporting rate isn't bad, and even if only 2.5% instead of 25% would have fallen for the phish, the attack would still have been successful. If you don't want users to click on links, then please strip them from e-mails at your receiving mail server. It is impossible for a user to distinguish a well crafted phishing email from a legitimate email. (Paller): To stop phishing from causing damage, security training helps, but it should be matched with technical defenses that have proven effective - particularly application white listing. (Northcutt): Most studies list social engineering attacks, (usually phishing), as either the number one or two attack vector:
-https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a]

Huawei Will Not Patch Router Flaws (October 7, 2015)

Huawei says it will not fix a number of vulnerabilities in certain routers because the devices are no longer supported. One of the routers, the B260a, is still routinely provided to users by Internet companies in South America and Africa.
-http://www.zdnet.com/article/huawei-routers-riddled-with-security-flaws-will-not
-be-patched/
[Editor's Note (Ullrich): Huawei is in line with nearly all other router makers with its policy. Sadly, once a router is "End of Life", no more patches will be published even if a large number of routers are still in use. ]

Boarding Pass Barcodes Hold Troves of Data (October 6, 2015)

Information encoded in boarding pass bar codes includes names, frequent flyer numbers, record locator numbers, as well as an associated phone number and the name of the person who booked the flight. The information could be used to gain access to a traveler's frequent flyer account.
-http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
[Editor's Note (Ullrich): Actually not that much data. It could be worse... On the other hand, after explaining that the data on the boarding pass is "confidential", the article goes on to encourage readers to upload boarding pass images to a website. Odd... ]

---

STORM CENTER TECH CORNER

Security Awareness Through Proverbs
-https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Through+Proverb
s/20219/

Google Router Found In Second Hand Shop (in German)
-http://www.heise.de/security/artikel/Analysiert-Google-Interna-im-Second-Hand-Sh
op-2837379.html

Cisco Shuts Down Profitable Ransomware Operation
-http://talosintel.com/angler-exposed/

Abusing Voice Controlled Cell Phones via Radio Waves
-https://www.hackinparis.com/sites/hackinparis.com/files/lopes_esteves_kasmi_you_
dont_hear_me.pdf

Do Extortionists Get Paid?
-https://isc.sans.edu/forums/diary/Do+Extortionists+Get+Paid/20223/

Various Flaws in Huawei LTE Modems
-http://blog.ptsecurity.com/2015/10/positive-technologies-experts-detect.html

Verizon Expands Use of Super-Cookie To Former AOL Users
-https://www.verizon.com/about/privacy/adprograms/

Commerce Department Requests Update of Safe Harbor Framework
-https://www.commerce.gov/news/press-releases/2015/10/statement-us-secretary-comm
erce-penny-pritzker-european-court-justice

Malspam Delivering Password Stealer via Word Macros
-https://isc.sans.edu/forums/diary/Malicious+spam+with+Word+document/20225/

CloudPiercer Uncovers IP Addresses Of Servers Protected Proxies
-https://cloudpiercer.org

Looppay Compromise
-http://www.nytimes.com/2015/10/08/technology/chinese-hackers-breached-looppay-a-
contributor-to-samsung-pay.html?_r=1

Amazon Cloud IP Address Reuse Problems
-http://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domai
ns/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/