SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #81

October 16, 2015

TOP OF THE NEWS

Cyber Insurance Rates To Skyrocket
Adobe Warns of Flash Zero-Day; a Patch Will be Available Next Week
Vovnenko Extradited to Face Charges Related to Botnet Operation

THE REST OF THE WEEK'S NEWS

British Crime Report Shows Increase in Cyber Crime More Than Makes up for Overall Crime Decrease
DHS Computer "Glitch" Causes Delays at Some Airports
WordPress Akismet Plug-in Vulnerability
Former Software Company Executive Sued for Cyberattacks on Clients
Microsoft and Adobe Patch Tuesday: October
Experts Lay Out Security Plan for Wi-Fi Routers in Letter to FCC
US Naval Academy Teaching Celestial Navigation
Google Releases Chrome 46
Zero-Day Vulnerability in Magento Magmi Plug-in
Some IRS Servers are Still Running Windows Server 2003
Dridex Botnet Takedown
American Library Association Opposes Cybersecurity Information Sharing Act

STORM CENTER TECH CORNER


************************* Sponsored By Splunk ****************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 | 8 courses
http://www.sans.org/u/7tK

- --SANS Cyber Defense San Diego 2015 | San Diego, CA | October 19-24, 2015 | 7 courses.
http://www.sans.org/u/9bt

- --SANS Tokyo Autumn 2015 | Tokyo, Japan | October 19-31, 2015 | 5 courses.
http://www.sans.org/u/9bD

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Cyber Insurance Rates To Skyrocket (Oct. 12, 2015)

Following a wave of attacks, insurers have massively increased cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover. Insurers are also raising deductibles and in some cases limiting the amount of coverage.
-http://uk.reuters.com/article/2015/10/12/uk-cybersecurity-insurance-insight-idUKKCN0S609S20151012

Adobe Warns of Flash Zero-Day; a Patch Will be Available Next Week (October 14 and 15, 2015)

Adobe has acknowledged that there is an unpatched flaw in Flash that is being actively exploited. The acknowledgment comes one day after Adobe's monthly security update; the issue was not addressed in that update. The flaw affects Flash version 19.0.0.207 and earlier for Windows, Mac, and Linux. Adobe plans to issue an emergency patch for the flaw next week.
-http://www.darkreading.com/attacks-breaches/pawn-storm-flashes-a-new-flash-zero-day/d/d-id/1322670?

-http://www.cnet.com/news/another-security-flaw-affects-all-versions-of-adobe-flash/

-http://www.theregister.co.uk/2015/10/15/adobe_patch_for_critical_flash_flaw/
-http://www.scmagazine.com/adobe-issues-advisory-for-flash-vulnerability-targeting-government-agencies/article/445181/

-http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/

-http://www.zdnet.com/article/all-flash-versions-vulnerable-to-remote-control-attack-until-next-week/

[Editor's Note (Murray): It is not simply that Flash has many implementation-induced vulnerabilities, not merely that it has frequent patches, there is no "there" there. It is that its risk exceeds any residual value that it might ever have had. Managing this risk is beyond the capabilities of Adobe. The resources of others consumed trying to deal with it exceed the value of Adobe. It appears to be beyond the ability of the entire industry to deal with it. We seem to be unable to manage it and too feckless to get rid of it. Only Steve Jobs had the courage to act on what we all know. ]

Vovnenko Extradited to Face Charges Related to Botnet Operation (October 13, 2015)

The Department of Justice (DoJ) has extradited a Ukrainian man from Italy to the US to face charges of wire fraud conspiracy, unauthorized computer access, and aggravated identity theft related to the operation of a botnet. Sergey Vovnenko allegedly operated a botnet that was used to break into computers and steal payment card information. Vovnenko is also allegedly responsible for threatening journalist Brian Krebs and attempting to frame him for drug possession. The charges Vovnenko is currently facing are not related to his interactions with Krebs.
-http://www.nbcnews.com/tech/security/ukranian-man-accused-using-army-infected-computers-steal-data-n443986

-http://www.theregister.co.uk/2015/10/13/ukrainian_botnet_herder_faces_43_yrs/
-http://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/

-http://www.justice.gov/usao-nj/pr/operator-botnet-and-elite-international-hacking-forums-extradited-italy-face-hacking

[Editor's Note (Murray): Don't mess with Brian Krebs. ]


************************** SPONSORED LINKS ********************************
1) Download the eGuide: Disrupting a Threat in Motion - 5 Steps to Advanced Threat Containment: http://www.sans.org/info/180752

2) Unauthorized file access and collaboration is the new data leakage challenge. Download EMA security report: http://www.sans.org/info/180757

3) Be Sure to Register for: What Works for Fannie Mae's Deputy CISO to Assess/Monitor Third Party Cybersecurity with BitSight. Tuesday, October 27 at 3:00 PM EDT (19:00:00 UTC) featuring John Pescatore and Christopher Porter. http://www.sans.org/info/180762
***************************************************************************

THE REST OF THE WEEK'S NEWS

DHS Computer "Glitch" Causes Delays at Some Airports (October 14 and 15, 2015)

What is being called a computer glitch on a Department of Homeland Security (DHS) system caused delays at airports across the US. The system causing the problems is used to check passengers moving through customs against terrorist watch lists. Officers processed passengers using alternative methods.
-https://www.washingtonpost.com/blogs/dr-gridlock/wp/2015/10/14/customs-and-border-protection-system-computer-problems-cause-airport-delays/

-http://www.cbsnews.com/news/customs-computer-glitch-causing-airport-delays-across-country/

-http://www.csmonitor.com/Technology/2015/1015/Computer-glitch-halts-Homeland-Security-checks-at-five-US-airports

[Editor's Note (Honan): It may be not much consolation for those affected by this disruption, but on the bright side at least the business continuity plan worked and the use of other options did not stop the processing of passengers. Of course, as with all incidents, be they security or business continuity related, a review should be held to see how to improve the overall process. ]

WordPress Akismet Plug-in Vulnerability (October 15, 2015)

A flaw in the Akismet plug-in for WordPress could be exploited through a cross-site scripting attack. The vulnerability is fixed in the most recent version of Akismet, 3.1.5; versions since 2.5.0 are affected by the flaw. WordPress has arranged automatic updates for websites that are running vulnerable versions of the plug-in.
-http://www.scmagazine.com/stored-xss-bug-in-popular-akismet-plugin-puts-wordpress-sites-at-risk/article/447432/

Former Software Company Executive Sued for Cyberattacks on Clients (October 14 and 15, 2015)

Chris Hii, who was previously vice president of product development at software development company Skunkwerks Software, is being sued for breach of duty, conspiracy, and civil intimidation. He allegedly launched attacks against databases of several Skunkwerks clients. Hii was fired in December 2013. Skunkwerks, which is based in Vancouver, British Columbia, claims that the alleged attacks against client databases were timed to put pressure on the company's founders to cede control of a spin-off company where Hii worked after his Skunkwerks position was terminated.
-http://www.scmagazine.com/insider-sued-for-hacking-skunkwerks-software-clients/article/447419/

-http://www.vancouversun.com/technology/former+vancouver+tech+employee+accused+cyber+attack/11438357/story.html?__lsa=53a8-7b59

-http://www.cbc.ca/news/canada/british-columbia/cyber-attack-alleged-in-bc-supreme-court-lawsuit-1.3269383

Microsoft and Adobe Patch Tuesday: October (October 14, 2015)

On Tuesday, October 13, Microsoft released six security bulletins. Three of the bulletins are rated critical; they affect Windows and Internet Explorer. The remaining bulletins are rated important and address flaws in Windows, Edge, Office, and other products. Adobe released fixes for 13 security issues in Flash Player.
-http://www.computerworld.com/article/2992544/application-security/three-critical-updates-mark-a-lighter-october-patch-tuesday.html

-http://krebsonsecurity.com/2015/10/adobe-microsoft-push-critical-security-fixes-8/

-http://www.scmagazine.com/microsoft-begins-protecting-users-against-ransomware/article/445167/

-http://www.scmagazine.com/microsoft-fixes-critical-ie-vulnerabilities-other-bugs-on-patch-tuesday/article/444887/

-http://www.v3.co.uk/v3-uk/news/2430447/patch-tuesday-microsoft-releases-six-security-bulletins-for-ie-edge-and-office

-http://www.v3.co.uk/v3-uk/news/2430399/adobe-releases-69-security-updates-for-flash-player-acrobat-and-reader

-http://www.zdnet.com/article/13-reasons-why-flash-should-die-insecure-patch-tuesday/

-https://technet.microsoft.com/en-us/library/security/ms15-oct.aspx

Experts Lay Out Security Plan for Wi-Fi Routers in Letter to FCC (October 14, 2015)

In a letter to the US Federal Communications Commission (FCC), 260 Internet experts, including Vint Cerf, say that Wi-Fi router security is "dismal," but that the FCC's proposals for securing the routers will likely make the situation worse. The letter exhorts the FCC not to "prohibit changes of firmware to devices containing radio components, and furthermore advise against allowing non-updatable devices into the field." The letter goes on to lay out a different plan, recommending that the FCC mandate the use of open source code for the devices; that the devices' firmware updates are under owners' control; that vendors commit to a 45-day window for patching disclosed vulnerabilities for a five-year period from the device's release; and that non-compliance could result in FCC decertification of the products.
-http://www.computerworld.com/article/2993112/security/vint-cerf-and-260-experts-give-fcc-a-plan-to-secure-wi-fi-routers.html

-http://www.zdnet.com/article/here-is-how-internet-experts-plan-to-fix-poor-security/

Letter:
-http://huchra.bufferbloat.net/~d/fcc_saner_software_practices.pdf
[Editor's Note (Pescatore): The FCC is trying to make sure that software changes don't cause WiFi radio frequency and power settings to go outside of what is allowed. That is a good thing - but to do so by saying "no one can update software in a WiFi device" is like the FCC trying to go back to the days where users couldn't even plug in their own telephones. I don't think open source has to be mandated, but the other recommendations are dead on. (Murray): Part of the problem is that so many routers have been implemented using flawed but unexamined "open source" code. ]

US Naval Academy Teaching Celestial Navigation (October 14, 2015)

The US Naval Academy in Annapolis, Maryland, is once again teaching celestial navigation to its students. Presently just a three-hour course, the everything-old-is-new-again curriculum was reintroduced as a backup for times when computerized navigation systems are not working or cannot be used for other reasons. Celestial navigation was last taught in 1998.
-http://www.theregister.co.uk/2015/10/14/fearing_hacking_us_navy_resumes_sextants/

-https://www.washingtonpost.com/news/the-switch/wp/2015/10/14/cybersecurity-fears-are-making-u-s-sailors-learn-to-navigate-by-the-stars-again/

[Editor's Note (Assante): The consideration is a good one, but twenty years ago I studied and practiced celestial navigation for weeks and it was reinforced by practice underway. Simple introduction to the topic is prudent but won't constitute a capability. This reconstitution of a fall-back demonstrates the implications of cyber dependence and threats we now collectively face. That type of thinking needs to be applied across the board to include how the Navy plans to design ships or how a critical safety function is engineered at a power plant. (Murray): We teach navigation, not celestial or GPS. We begin with dead reckoning and end with "never rely upon a single method or navigator." Celestial navigation is not simply knowledge but also skill and ability achieved and maintained through daily practice and peer review. If one is not using it continuously, for example to compensate for the limitations of dead reckoning and to check on GPS, it will not be of any use when GPS fails. The problem is not that GPS is vulnerable to failure but that it works all too well for us to practice the alternatives. ]

Google Releases Chrome 46 (October 14, 2015)

Google's most recent stable version of the Chrome browser addresses 24 security issues. Another change in Chrome 46 is that the browser will no longer display yellow warnings for pages that contain a mix of encrypted and unencrypted content. The green "https" in Chrome 46's address field will still signify pages that are fully encrypted.
-http://www.zdnet.com/article/chrome-loosens-up-on-https-mixed-content-warning/
-http://www.scmagazine.com/google-releases-chrome-46-fixes-24-vulnerabilities/article/445156/

Zero-Day Vulnerability in Magento Magmi Plug-in (October 14, 2015)

An unpatched vulnerability in the Magmi plug-in for the Magento ecommerce platform could be exploited to steal access credentials and take control of Magento databases. The flaw affects Magmi version 0.7.21 and earlier downloaded from SourceForge. Versions downloaded from GitHub do not appear to be vulnerable.
-http://www.scmagazine.com/zero-day-in-plug-in-for-popular-e-commerce-platform-could-allow-an-attacker-to-steal-payment-card-info/article/445171/

Some IRS Servers are Still Running Windows Server 2003 (October 14, 2015)

Half of the servers at the US Internal Revenue Service (IRS) are running Windows Server 2003, which Microsoft no longer supports. The IRS is paying Microsoft an undisclosed sum to continue to support and patch those servers. The information comes from a report from the Treasury Inspector General for Tax Administration (TIGTA), which was focused in part on the agency's US $139 million upgrade program. The report found that the IRS "has not adequately planned for the Windows server upgrade."
-http://www.theregister.co.uk/2015/10/14/half_irs_servers_still_running_win_2003/
-https://www.treasury.gov/tigta/auditreports/2015reports/201520073fr.html#windows
[Editor's Note (Pescatore): The report notes that the IRS also still has 10% of its PCs running Windows XP, but it can't update those because it can't find them. The US Government's byzantine procurement processes do make what should be routine upgrades harder than they have to be, but the IRS seems to have started late, moved slowly and ignored many widely learned lessons that other government agencies seemed to grok. ]

Dridex Botnet Takedown (October 14, 2015)

In a cooperative effort with authorities in the UK and Europe, the FBI has taken down the Dridex botnet. Dridex has been responsible for losses of more than GBP 20 million (US $31 million) in the UK and US $10 million in the US. A man believed to be connected with Dridex was arrested in Cyprus in August; the Department of Justice (DoJ) is seeking his extradition to face charges in the US.
-http://www.scmagazine.com/dridex-botnet-disrupted-in-global-effort-us-charges-moldovan-man/article/445180/

-http://www.darkreading.com/attacks-breaches/dridex-takedown-might-show-evidence-of-good-guys-gains/d/d-id/1322658?

-http://www.theregister.co.uk/2015/10/14/dridex_botnet_takedown/
-http://www.computerworld.com/article/2992580/security/us-uk-disrupt-dridex-botnet-which-targeted-online-banking.html

-http://money.cnn.com/2015/10/13/technology/dridex-botnet/index.html
-http://www.zdnet.com/article/fbi-and-uk-cops-smash-dridex-a-high-stakes-bank-raiding-botnet/

-http://www.bbc.com/news/technology-34527439
-http://www.cnet.com/news/hackers-siphon-off-31-million-from-british-bank-accounts/

American Library Association Opposes Cybersecurity Information Sharing Act (October 14, 2015)

American Library Association (ALA) president Sari Feldman is urging legislators to oppose the Cybersecurity Information Sharing Act (CISA) because it could be used to allow the government to snoop on people who use library computers. The provisions for removing sensitive information before the government shares data with intelligence agencies have been criticized as inadequate. Feldman noted, "When librarians oppose a bill with 'information sharing' in its name you can be sure that the bill is decidedly more than advertised."
-http://thehill.com/policy/cybersecurity/256956-cyber-bill-could-let-government-spy-on-library-users-advocate-warns

The Computer & Communications Industry Association (CCIA) also opposes CISA.
-http://thehill.com/policy/cybersecurity/257029-major-tech-group-opposes-cyber-bill


STORM CENTER TECH CORNER

Microsoft Patches
-https://isc.sans.edu/forums/diary/October+2015+Microsoft+Patch+Tuesday/20245/

Adobe Bulletin
-https://isc.sans.edu/forums/diary/Adobe+Updates+Acrobat+and+Adobe+Reader/20247/

Netgear Patch
-http://kb.netgear.com/app/answers/detail/a_id/29959

Yesterday's Flash Patch Not Effective Against Today's Exploit
-https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Latest Exploit Kit Developments
-https://isc.sans.edu/forums/diary/Exploit+kit+roundup+Less+Angler+more+Nuclear/20255/

AV Phone Scam via Fake BSOD Web Pages
-https://isc.sans.edu/forums/diary/AV+Phone+Scan+via+Fake+BSOD+Web+Pages/20251/

Microsoft Fixes Two Problems with Live.com Document Sharing
-http://intothesymmetry.blogspot.ie/2015/10/on-oauth-token-hijacks-for-fun-and.html

Bugat/Dridex Botnet Takedown and Arrest
-http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled

Ongoing Flash Vulnerability Issues
-https://isc.sans.edu/forums/diary/Ongoing+Flash+Vulnerabilities/20259/

Android Patch Problems
-http://androidvulnerabilities.org

McAfee Hidden Data Economy Report
-http://www.mcafee.com/us/resources/reports/rp-hidden-data-economy.pdf


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/