SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #82

October 20, 2015

TOP OF THE NEWS

Attackers Breached Dow Jones and Other News Publications for Stock Tips
China Using Cyberattack Capabilities in South China Sea Territorial Disputes
Was CIA Director's eMail Breached?
Critical Security Controls Version 6.0 Released

THE REST OF THE WEEK'S NEWS

Apple Bans Apps Created with Advertising SDK That Collects Personal Data
DNA-Testing Company Refuses to Share Source Code
Germany Has Another Data Retention Law
Adobe Patches Flash Twice in One Week
US and EU Have Three Months to Develop Safe Harbor Alternative
US Charges Man with Stealing Military Personnel Data and Giving Them to Terrorists
Polish Police Arrest Man in Connection with Cyber Heist
US Navy Civilian Engineer Sentenced to Prison for Attempted Espionage
Cyber Espionage Targets Woods Hole Research Institute
House Committee Aims to Improve Automobile Cybersecurity
Lloyd's Banking Group Fixes Account Creation and Access Flaw
OPM Breach Database of Victims

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Symantec ***************************

Symantec is focused on ensuring you have the ability to Uncover and Respond to Cyber Threats across your endpoints, Email and the Network. Use this quick and easy resource to gather information on Threat Protection from Symantec.
http://www.sans.org/info/180577

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SOS: SANS October Singapore | Singapore | Oct. 12-24 | 8 courses
http://www.sans.org/u/7tK

- --SANS Cyber Defense San Diego 2015 | San Diego, CA | October 19-24, 2015 | 7 courses.
http://www.sans.org/u/9bt

- --SANS Tokyo Autumn 2015 | Tokyo, Japan | October 19-31, 2015 | 5 courses.
http://www.sans.org/u/9bD

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Attackers Breached Dow Jones and Other News Publications for Stock Tips (October 17, 2015)

According to a Bloomberg news story, Russian cyberattackers breached systems at Dow Jones & Co. and other news organizations to steal information that helped them make lucrative transactions in the stock market. The FBI, the Secret Service, and the Securities and Exchange Commission (SEC) launched an investigation into the breaches more than a year ago. Dow Jones has issued a statement in which they said they had "been unable to find evidence of any such investigation." The breach is considered by sources to be far more serious than the breach Dow Jones Disclosed last week.
-http://www.bloomberg.com/news/articles/2015-10-16/russian-hackers-of-dow-jones-s
aid-to-have-sought-trading-tips

China Using Cyberattack Capabilities in South China Sea Territorial Disputes (October 15, 2015)

China appears to be conducting cyberespionage to help advance its position in territorial disputes regarding the South China Sea. In July 2015, the website of the permanent Court of Arbitration in The Hague went offline; analysis indicates that the site was infected with malware in an attack that originated in China. The malware was designed to infect computers of site visitors.
-http://www.bloomberg.com/news/articles/2015-10-15/chinese-cyber-spies-fish-for-e
nemies-in-south-china-sea-dispute

Was CIA Director's eMail Breached? (October 19, 2015)

Authorities are looking into reports that someone broke into the email account of CIA Director John Brennan. The New York Post published an interview with a high school student who claims to have broken into Brennan's AOL email account and stolen files. The teenager claims he managed to trick Verizon into resetting Brennan's account password.
-http://thehill.com/policy/cybersecurity/257366-feds-investigating-whether-the-ci
a-heads-email-was-hacked
-http://www.theregister.co.uk/2015/10/19/cia_aol_hack/
-http://www.computerworld.com/article/2994451/cybercrime-hacking/stoner-high-scho
ol-kid-claims-to-have-hacked-cia-directors-email-account.html
-http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-ema
il-tells-how-he-did-it/
-http://www.scmagazine.com/cia-director-brennans-personal-email-contained-sensiti
ve-info-hacker-says/article/447996/
-http://arstechnica.com/tech-policy/2015/10/hacker-releases-new-purported-persona
l-data-for-top-cia-dhs-officials/
[Editor's Note (Honan): This is a good example of why you need to monitor outgoing email from your corporate email server to see if users are forwarding sensitive data to personal email accounts. Many staff do this to allow them work more effectively and access their email from their own personal devices. However, it is essential you educate users of the risks in doing so and implement controls to detect such activity. ]

Critical Security Controls Version 6.0 Released (October 14, 2015)

The consensus standard for high priority cyber security actions has just been updated. The Critical Security Controls are now the de facto standard for what to implement first when adopting either the NIST Framework or the ISO security standard.
-https://isc.sans.edu/forums/diary/CIS+Critical+Security+Controls+Version+60/2026
7/

---

************************** SPONSORED LINKS ********************************
1) Expose Advanced Threats Cloaked in SSL: Read "Enterprise Traffic Management for Dummies," by Blue Coat. http://www.sans.org/info/180802

2) Join John Pescatore, Director of Emerging Security Trends, SANS Institute and Reuven Harrison, CTO, Tufin to learn about effective security controls, standardization and automation in a world of growing complexity. http://www.sans.org/info/180807

3) Oct. 22 - Enhance your INFOSEC efforts with Active Beach Detection. 1 pm EDT Webcast and Free Whitepaper: http://www.sans.org/u/92w
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Bans Apps Created with Advertising SDK That Collects Personal Data (October 19, 2015)

Apple has identified and pulled more than 250 apps from its App Store because they were created using a third-party advertising SDK (software development kit) that harvests user data and sends them back to a remote server. The SDK in questions is "developed by Youmi, a mobile advertising provider
[and ]
uses private APIs to gather private information." The developers may not have been aware that the SDK included questionable functions.
-http://www.zdnet.com/article/apple-pulls-hundreds-of-ios-apps-using-private-sdk-
from-china-to-gather-user-data/
-http://www.nbcnews.com/tech/security/apple-bans-hundreds-apps-hid-chinese-spywar
e-n447236

DNA-Testing Company Refuses to Share Source Code (October 17 and 18, 2015)

The chief scientist and executive officer of a DNA testing company has refused to surrender the company's source code for examination. Criminal defense attorneys for a man convicted of murder on the basis of evidence analyzed by Cybergenetics want to review the company's procedures and techniques and determine if they are actually returning valid results. Several courts have sided with Cybergenetics that source code is proprietary and that to disclose it could put the company in the path of possible financial ruin. The case has been appealed to the US Supreme Court, which has not yet decided whether it will rule.
-http://arstechnica.com/tech-policy/2015/10/secret-source-code-pronounces-you-gui
lty-as-charged/

Germany Has Another Data Retention Law (October 16, 2015)

Legislators in Germany have passed a bill that requires telecommunications companies to retain customer metadata for up to 10 weeks and allow law enforcement access to the information. Two earlier laws regarding data retention were found to be unconstitutional. The newest law applies to ISPs, mobile, and fixed telecommunications operators.
-http://www.computerworld.com/article/2993500/data-privacy/germany-will-make-telc
os-share-customer-data-with-the-police.html

Adobe Patches Flash Twice in One Week (October 16 and 19, 2015)

On Friday, October 16, Adobe released an emergency patch for Flash Player to fix three vulnerabilities, one of which is being actively exploited. Adobe released an advisory for the flaw last week, just one day after the company released its scheduled update for Flash. Adobe managed to release the emergency patch sooner than it had predicted. The most current versions of Flash are now 19.0.0.226 for Windows and OS X and 11.2.202.540 for Linux.
-http://www.zdnet.com/article/adobe-releases-emergency-patch-for-flash-zero-day-f
law/
-http://www.eweek.com/security/adobe-is-quick-to-patch-latest-flash-zero-day-thre
at.html
-http://www.theregister.co.uk/2015/10/16/adobe_pushes_out_critical_flash_patch_fa
ster_than_expected/
-http://www.darkreading.com/vulnerabilities---threats/adobe-patches-pawn-storm-ze
ro-day-ahead-of-schedule-/d/d-id/1322688?
-http://www.scmagazine.com/adobe-addresses-latest-flash-player-zero-day-vulnerabi
lity/article/447679/
Flash Vulnerability Update
-https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
-https://code.google.com/p/google-security-research/issues/detail?id=547

US and EU Have Three Months to Develop Safe Harbor Alternative (October 16 and 19, 2015)

The European Union and the US have until the end of January 2016 to develop an alternative to the Safe Harbor agreement, which was invalidated by the European Union Court of Justice earlier this month. A letter from the Article 29 Working Party warns that if a solution is not reached within the next three months, legal action could be taken against companies that send European citizens' data to servers in the US.
-http://www.computerworld.com/article/2994854/security/privacy-watchdogs-give-eu-
us-three-months-to-negotiate-new-safe-harbor-deal.html
-http://thehill.com/policy/cybersecurity/257203-eu-regulators-give-us-eu-three-mo
nths-to-reach-new-privacy-agreement
-http://www.theregister.co.uk/2015/10/16/data_protection_authorities_set_january_
safe_harbor_deadline/
-http://ec.europa.eu/justice/data-protection/article-29/press-material/press-rele
ase/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf
For More on this complex issue, see:
-http://www.c-span.org/video/?328773-1/discussion-digital-privacy

US Charges Man with Stealing Military Personnel Data and Giving Them to Terrorists (October 16, 2015)

A Kosovan has been detained in Malaysia on a US provisional arrest warrant. Ardit Ferizi allegedly stole personal information of more than 1,300 members of the US military and passed it on to a member of the Islamic State. Ferizi will be extradited to the US.
-http://arstechnica.com/tech-policy/2015/10/us-charges-hacker-with-providing-isil
-info-on-us-military-personnel/
-http://www.cnet.com/news/hacker-arrested-for-allegedly-giving-data-on-us-militar
y-personnel-to-terror-group/
-http://www.theregister.co.uk/2015/10/16/kosovan_computer_science_student_ardit_f
erizi_arrested_isis_hacking_charges/
-http://www.darkreading.com/attacks-breaches/first-cyberterror-charges-doj-accuse
s-hacker-of-giving-military-pii-to-isis/d/d-id/1322691?
-http://www.scmagazine.com/malaysian-police-arrest-man-for-hacking-files-for-is/a
rticle/447692/
-https://www.washingtonpost.com/world/national-security/in-a-first-us-charges-a-s
uspect-with-terrorism-and-hacking/2015/10/15/463447a8-738b-11e5-8248-98e0f5a2e83
0_story.html
Complaint:
-http://media10.washingtonpost.com/generic/media/document_cloud/document/pdf/feri
zi_complaint_final.pdf

Polish Police Arrest Man in Connection with Cyber Heist (October 16, 2015)

Authorities in Poland have arrested a man who allegedly stole four million PLN (Polish zloty) (US $1.07 million) by breaking into a bank's computer system. He has been charged with computer fraud and money laundering.
-http://www.theregister.co.uk/2015/10/16/polish_alleged_hacker_detained/

US Navy Civilian Engineer Sentenced to Prison for Attempted Espionage (October 15 and 16, 2015)

A former civilian engineer for the US Navy has been sentenced to 11 years in prison for attempted espionage. Mostafa Ahmed Awwad shared schematics of a nuclear aircraft carrier with an FBI agent posing as an Egyptian intelligence officer. Court documents say that Awwad met with the agent and described his plan for copying documents from his computer without triggering a security alert. Awwad pleaded guilty to the charges on June 15, 2015.
-http://www.theregister.co.uk/2015/10/16/navy_engineer_attempted_espionage/
-http://www.justice.gov/opa/pr/navy-civilian-engineer-sentenced-11-years-attempte
d-espionage

Cyber Espionage Targets Woods Hole Research Institute (October 15, 2015)

The Woods Hole Oceanographic Institution in Massachusetts says its systems were the target of a cyberattack it believes originated in China. The compromised information includes institute data and email. Woods Hole conducts marine and oceanic research. It also does classified work for the US Defense Department (DoD), but those data are stored on a separate system that was not compromised. Woods Hole detected the breach in June and hired Mandiant to investigate.
-http://www.nbcnews.com/tech/security/woods-hole-oceanographic-institution-says-h
ack-linked-china-n446226

House Committee Aims to Improve Automobile Cybersecurity (October 15, 2015)

The US House Energy and Commerce Committee is discussing proposed legislation that would make hacking automobiles illegal. The proposal has raised concerns that such a provision would prevent flaws in cars' computer code from being fixed in a timely fashion. The person who found a vulnerability in GM's OnStar RemoteLink earlier this year told the committee that they need to be careful with the language of the bill, "because you will still have lots of bad guys who will continue to hack, and there will not be any researchers exposing vulnerabilities." The draft legislation would also impose a fine of US $5,000 a day for car manufacturers that do not have privacy policies.
-http://www.computerworld.com/article/2994278/data-privacy/congress-aims-to-regul
ate-car-privacy-make-hacks-illegal.html
-http://www.scmagazine.com/house-committee-seeks-to-outlaw-car-hacking/article/44
7710/
-https://www.washingtonpost.com/news/the-switch/wp/2015/10/19/lawmakers-want-to-f
ine-carmakers-5000-a-day-for-not-having-a-privacy-policy/
Committee Press Release:
-http://energycommerce.house.gov/press-release/committee-releases-draft-proposal-
keep-families-safe-road
Discussion Draft of Proposed Bill:
-http://docs.house.gov/meetings/IF/IF17/20151021/104070/BILLS-114pih-DiscussionDr
aftonVehicleandRoadwaySafety.pdf
[Editor's Comment (Northcutt): Thorny problem and it is bigger than just hacking. Cars will become the ultimate mobile device - hence Apple's interest. $5k a day is silly, the Toyota stuck accelerator settlement was $1.2B, GM accelerator was $900M and that is not enough to hurt them. If we are going to have safety in our cars and on our roadways, the financial penalties have to be serious enough that the automakers cannot ignore them.
-http://www.theverge.com/2015/10/19/9572623/apple-car-tim-cook-interview
-http://abcnews.go.com/Blotter/toyota-pay-12b-hiding-deadly-unintended-accelerati
on/story?id=22972214
-http://money.cnn.com/2015/09/17/news/companies/gm-recall-ignition-switch/]

Lloyd's Banking Group Fixes Account Creation and Access Flaw (October 15 and 16, 2015)

Lloyd's Banking Group has fixed a vulnerability that could have exposed the bank account information of thousands of people. The vulnerability would have allowed anyone armed with an accountholder's name, address, and birthdate to open an account at a different affiliated bank, then view all the other accounts associated with that name. Creating an account with the easily obtained information at either Halifax Bank or the Bank of Scotland would link to existing accounts at the other institution.
-http://www.scmagazine.com/lloyds-group-left-thousands-of-accounts-potentially-op
en-to-attack/article/447518/
-http://www.theregister.co.uk/2015/10/15/halifaxbankofscotland_security_hole/

OPM Breach Database of Victims (October 15 and 19, 2015)

The US Department of Defense (DoD) is proposing to create a temporary database of people whose personal information was stolen in the colossal Office of Personnel Management (OPM) breach. The purpose of the database will be to identify who is eligible for identity-theft protection services. The breach affected more than 21 million federal employees.
-http://www.nextgov.com/cybersecurity/2015/10/dod-create-database-opm-breach-vict
ims/122851/?oref=ng-channeltopstory
Breach victims will receive a generic notification letter that provides a PIN and tells them to go to a certain government website for help.
-http://www.nextgov.com/cybersecurity/2015/10/heres-how-opm-telling-hacked-feds-t
heir-data-was-stolen/122936/?oref=ng-dropdown
An OPM official says that because OPM has a mandate to share information both within and outside of the government, the systems containing security clearance data cannot be isolated from Internet.
-http://www.nextgov.com/cybersecurity/2015/10/opm-theres-no-way-isolate-backgroun
d-check-systems-net/122854/?oref=ng-channelriver

---

STORM CENTER TECH CORNER

Magento Web Application Exploits
-https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html

XEN to Release Security Patches
-http://xenbits.xen.org/xsa/

TCP Amplification for DDoS Attacks
-http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

Using Entropy To Identify Files Missed by Crypto Ransomware
-https://isc.sans.edu/forums/diary/Ransomware+Entropy/20271/

Facebook to Warn Users of Nation State Attacks
-https://www.facebook.com/notes/facebook-security/notifications-for-targeted-atta
cks/10153092994615766

Yahoo Attempting to Eliminate Passwords
-http://yahoo.tumblr.com/post/131217400419/yahoo-account-key-signing-in-has-never
-been

Apple Removes Hundreds of Apps that Use Chinese Data Stealing SDK
-https://sourcedna.com/blog/20151018/ios-apps-using-private-apis.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/