SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #80

October 13, 2015

TOP OF THE NEWS

Tallinn Manual 2.0
DoE to Fund Power Grid Cybersecurity Projects

THE REST OF THE WEEK'S NEWS

E-Trade Notifying 31,000 Customers of Breach
Dow Jones Acknowledges Data Breach
White House Will Not Demand Back Doors for Access to Encrypted Data
Back Doors Are Not Necessary to Circumvent Encryption
Southwest Customer Service System Experiences Technical Problems
Legislators: Move Security Clearance Data Away from OPM
Netgear Will Issue Firmware Update to Fix Router Vulnerability
Recommendations for Improving Cybersecurity Education
Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns
Mozilla Will Drop Most NPAPI Plug-ins in Firefox by End of 2016
Adobe to Patch Acrobat and Reader
South Korea Subway System Cyberattack May Have Come from North Korea

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************* Sponsored By Blue Coat Systems, Inc. *****************

Expose Advanced Threats Cloaked in SSL: Malware hiding in SSL/TLS has become an urgent priority for security executives. It's time for a better approach to manage encrypted traffic. Read "Enterprise Traffic Management for Dummies," a new e-book brought to you by Blue Coat.
http://www.sans.org/info/180707

**************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Tysons Corner 2015 | Tysons Corner, VA | Oct. 12-17| 8 courses
http://www.sans.org/u/7R6

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 |8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community? Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus San Diego, Tokyo, Sydney, Cape Town, and Dallas all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

- Tallinn Manual 2.0 (October 12, 2015)

Legal experts are drafting updates to the Tallinn Manual, a document that spells out how international law applies to cyberspace conflict. The Tallinn Manual 2.0 will address peacetime international law, including metadata collection and other issues. The Tallinn Manual 2.0 is expected to be released in late 2016.
-http://www.theregister.co.uk/2015/10/12/cyberwar_lawyers_mull_metadata_snooping_
rules/
[Editor's Note (Murray): The Tallinn Manual and a lot of luck may keep us out of war. A "Red Phone" might be helpful. Never forget the legend of Solar Sunrise. While it may well be apocryphal, the legend has it that the Air Force came within an hour of launching a bomber against a proxy in Iraq in retaliation for hacking by two California teenagers. ]

DoE to Fund Power Grid Cybersecurity Projects (October 9 and 12, 2015)

The US Department of Energy (DoE) will spend more than US $34 million to establish two research projects that will focus on protecting the country's power grid from cyberthreats. The projects will be based at the University of Arkansas and the University of Illinois.
-http://www.nbcnews.com/tech/security/feds-fund-research-centers-protect-power-gr
id-cyberattacks-n443241
-http://www.energy.gov/articles/energy-department-invests-over-34-million-improve
-protection-nation-s-energy-infrastructure
[Editor's Note (Murray): The fact that the public utilities are regulated monopolies, rather than competitive enterprises, and regulated by the several states, rather than the Federal government, may have contributed to inadequate security in the industry. Federal funds may serve to ameliorate this problem. ]

---

************************** SPONSORED LINKS ********************************
1) Free eBook Download: Next-Generation Endpoint Security for Dummies: http://www.sans.org/info/180712

2) Learn how EMC uses real-time threat intelligence to help defend against phishing and leaked credentials, and to monitor emerging threat actors. Webinar hosted by Recorded Future, on October 14 at 1:00 PM ET: http://www.sans.org/info/180717

3) Attend the SANS And CIS Critical Security Controls Breakfast Briefing at the Capital Hilton, Washington, DC. Free to Federal Government and Contractors: http://www.sans.org/info/180532 . Need to attend remotely? http://www.sans.org/info/180537
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

E-Trade Notifying 31,000 Customers of Breach (October 9, 2015)

E-Trade has notified approximately 31,000 customers that their personal information may have been compromised in a 2013 breach. E-Trade said it appears that the attackers accessed email and physical address information, but not sensitive account information. The company launched an internal investigation after learning of the breach, but at the time did not believe that customer data were affected.
-https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/e-trade-notifies-31
000-customers-that-their-contact-info-may-have-been-breached-in-2013-hack/

Dow Jones Acknowledges Data Breach (October 9, 10, and 12, 2015)

Dow Jones says that its systems were breached and that some personal information was exposed. The unauthorized access occurred between August 2012 and July 2015, when Dow Jones learned of the breach. The attackers accessed current and former subscriber information that could be used to make fraudulent solicitations. Payment card data for roughly 3,500 customers may have been compromised as well. Dow Jones publishes the Wall Street Journal.
-http://thehill.com/policy/cybersecurity/256647-dow-jones-breached-as-part-of-lar
ger-hacking-campaign
-http://www.wsj.com/articles/dow-jones-discloses-customer-data-breach-1444406517
-http://www.nbcnews.com/tech/security/dow-jones-says-hack-may-have-exposed-card-i
nfo-3-n441886
-http://www.scmagazine.com/dow-jones-co-breached-current-and-former-subscribers-c
ontacted/article/444422/
Letter:
-http://online.wsj.com/public/resources/documents/dowjonesletter.pdf
[Editor's Note (Murray): The length of time required to detect these breaches and the role played by third parties suggests that the breaches we know about are only the tip of an iceberg. ]

White House Will Not Demand Back Doors for Access to Encrypted Data (October 8, 9, and 10, 2015)

The White House has decided not to pursue policy urging technology companies to build backdoors into their encryption systems despite law enforcement and intelligence agencies' vocal assertions that the backdoors are necessary. They will still be able to pursue data with warrants.
-http://www.csmonitor.com/Technology/2015/1012/White-House-agrees-not-to-read-you
r-emails-kind-of
-http://techcrunch.com/2015/10/10/the-white-house-backs-down-on-phone-encryption/
?ncid=tcdaily
-http://www.computerworld.com/article/2991273/encryption/us-wont-seek-law-to-ban-
encryption.html
-http://www.scmagazine.com/companies-wont-be-legally-obligated-to-build-backdoors
-into-products/article/444300/
-http://arstechnica.com/tech-policy/2015/10/obama-administration-wont-seek-encryp
tion-backdoor-legislation/

Back Doors Are Not Necessary to Circumvent Encryption (October 12, 2015)

Andy Greenberg writes, "Encryption usually doesn't keep determined cops out of a target's private data. In fact, it only rarely comes into play at all." Of the 3,554 wiretaps reported in 2014, just 25, or 0.7 percent encountered encryption. And of those 25 cases, investigators were able to circumvent encryption 21 times.
-http://www.wired.com/2015/10/cops-dont-need-encryption-backdoor-to-hack-iphones/

Southwest Customer Service System Experiences Technical Problems (October 12, 2015)

Technical problems with Southwest Airlines' customer service system caused more than 800 flight delays on Sunday, October 11. The attack made it impossible to print boarding passes or check customers in electronically. Southwest said it has "stabilized" the issues, but passengers were likely to experience delays on Monday.
-http://thehill.com/policy/cybersecurity/256676-southwest-no-evidence-hackers-cau
sed-flight-delays
-http://www.reuters.com/article/2015/10/12/us-southwest-delays-idUSKCN0S512T20151
012
On website:
-http://www.swamedia.com/releases/technology-systems-performing-normally?l=en-US

Legislators: Move Security Clearance Data Away from OPM (October 9, 2015)

US Representatives Ted Lieu (D-California) and Steve Russell (R-Oklahoma) say that the Office of Personnel Management (OPM) should no longer be the repository for government security clearance data. In a letter to an Office of Management and Budget (OMB) official, Lieu and Russell wrote, "OPM, which is neither an intelligence agency nor a defense organization, ... was not designed to house and protect this sensitive data."
-http://www.nextgov.com/cybersecurity/2015/10/lawmakers-want-move-security-cleara
nce-data-opm-more-secure-location/122699/?oref=ng-channelriver
[Editor's Comment (Northcutt): OPM clearly is not suited to be the custodian of information that could even include deep implant spies. This is the right call:
-http://blog.rosssutton.com/blog/blast-past-big-explosion-white-oak/]

Netgear Will Issue Firmware Update to Fix Router Vulnerability (October 9 and 12, 2015)

A flaw affecting some Netgear routers can be exploited to alter the device's DNS settings and send browsing information to another address. The flaw can be exploited without login credentials. Netgear plans to release a firmware to fix the vulnerability on Wednesday, October 14, 2015. However, the fix will not be pushed out to the routers; users will be prompted to install it if and when they log into the router's admin settings, or if they have installed the Netgear genie app on their devices. The vulnerability was first disclosed in July.
-http://www.bbc.com/news/technology-34491583
-http://www.scmagazineuk.com/netgear-patch-delay-left-thousands-of-routers-under-
attack/article/444486/

Recommendations for Improving Cybersecurity Education (October 9, 2015)

A report from the National Academy of Public Administration makes several recommendations for improving cybersecurity education. While nearly 200 US colleges and universities offer programs certified by the NSA as "centers of academic excellence" in cyber security, the government should do a better job of tracking how many of those graduates actually go on to take government jobs. The report, "Increasing the Effectiveness of the Federal Role in Cybersecurity Education" also recommends that CyberCorps Scholarship for Service, a scholarship program aimed at recruiting cybersecurity talent for federal government agencies, be expanded to include state and local government. The report also recommends increased hands-on and incident-based training.
-http://www.nextgov.com/cybersecurity/2015/10/governments-cyber-education-program
s-need-reboot/122713/?oref=ng-channeltopstory

Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns (October 8, 9, 10, and 11, 2015)

Apple has removed several ad- and content-blocker apps from its App Store after they were found to install root certificates that could potentially be used by third parties to access user information. The root certificates could be used to monitor data, which "could be used to compromise SSL/TLS security solutions."
-http://www.informationweek.com/mobile/mobile-applications/apple-dumps-ad-blockin
g-apps-over-privacy-fears/a/d-id/1322587
-http://arstechnica.com/security/2015/10/apple-removes-several-apps-that-could-sp
y-on-encrypted-traffic/
-http://www.theregister.co.uk/2015/10/09/apple_borks_adblocking_app_over_privacy_
concerns/
-http://www.computerworld.com/article/2991254/mac-os-x/apple-removes-apps-from-st
ore-that-could-spy-on-data-traffic.html
-http://www.cnet.com/news/privacy-concerned-apple-deletes-several-apps-from-app-s
tore/
-http://www.eweek.com/security/apple-pulls-ad-blocking-apps-over-ssltls-security.
html

Mozilla Will Drop Most NPAPI Plug-ins in Firefox by End of 2016 (October 9, 2015)

Mozilla plans to end support for most NPAPI (Netscape Plug-in Application Programming Interface) plug-ins in Firefox by the end of next year. Firefox will continue to support Adobe Flash. Google stopped supporting NPAPI plug-ins win Chrome with version 45, which was released in September.
-http://www.computerworld.com/article/2991271/web-browsers/firefox-to-drop-old-te
ch-plug-ins-by-end-of-2016.html

Adobe to Patch Acrobat and Reader (October 9, 2015)

Adobe plans to release updates for Acrobat and Reader on Tuesday, October 13. In all, eight issues will be addressed. Fixes for Acrobat will affect Acrobat X, Acrobat XI, Acrobat DC, and Acrobat Reader DC. Fixes for Reader will be available for Reader X and Reader XI. The updates will be available for Windows and Mac systems.
-http://www.theregister.co.uk/2015/10/09/adobe_to_brick_eight_acrobat_reader_flaw
s_next_tuesday/
-https://helpx.adobe.com/security/products/acrobat/apsb15-24.html

South Korea Subway System Cyberattack May Have Come from North Korea (October 8, 2015)

According to a report from South Korea's intelligence service, an attack on computers at the Seoul Metro system from last year might have been the work of the North Korean government. Between March and July 2014, nearly 60 Seoul metro employee computers were compromised. The breach did not affect Seoul Metro's physical operations.
-https://news.vice.com/article/cyber-attack-on-south-korean-subway-system-could-b
e-a-sign-of-nastier-things-to-come

---

STORM CENTER TECH CORNER

SHA-1 Collision
-https://sites.google.com/site/itstheshappening/

GPG Update
-https://isc.sans.edu/forums/diary/GnuPG+GPG+219+release+announced/20235/
(my public key is included here:
-https://isc.sans.edu/PGPKEYS
use keyid 1DC4A57A)

Cisco Clientless VPN Portals Compromised
-http://www.volexity.com/blog/?p=179

Vulnerabilities in Kaspersky Internet Security
-https://code.google.com/p/google-security-research/issues/detail?id=564

Visualization Tools
-https://isc.sans.edu/forums/diary/Data+VisualizationWhat+is+your+Tool+of+Choice/
20239/

Apple Removes Apps that Install Root Certificates
-https://support.apple.com/en-au/HT205347
-http://www.imore.com/app-store-removes-root-certificate-based-ad-blockers-over-p
rivacy-concerns

"Rootfool" May be Used to Turn Off SIP On OX 10.11
-https://reverse.put.as/2015/10/12/rootfool-a-small-tool-to-dynamically-disable-a
nd-enable-sip-in-el-capitan/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/