SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #83

October 23, 2015

TOP OF THE NEWS

China's Military to Unify Cyber Warfare Operations
TalkTalk Cyber-Attack: Website Hit By 'Significant' Breach
Federal IT Acquisition and Security Policy Revision

THE REST OF THE WEEK'S NEWS

DHS and DoJ Stingray Use Testimony
Bill's Approval Marks Progress Toward Safe Harbor Alternative
Apple Updates Multiple Products
House Committee Hears Testimony on Automobile Cybersecurity Bill
New Flaws in Network Time Protocol
Sony Settles (Some Claims) Over Breach
Germany's Data Retention Law Requires Info to be Stored on Air-Gapped Servers
Critical Oracle Update
High School Students Arrested in Connection with Grade Altering Scheme
Mozilla May Drop SHA-1 on July 1, 2016

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Sophos *****************************

WHITEPAPER: Small and medium sized businesses are a growing target for hackers. But with traditional IT security solutions designed for larger organizations, it's often difficult and costly for SMBs to secure against these threats. Download this whitepaper and see how cloud-based endpoint security is a simpler, better solution for your organization.
Learn More: http://www.sans.org/info/181047

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Tokyo Autumn 2015 | Tokyo, Japan | October 19-31, 2015 | 5 courses.
http://www.sans.org/u/9bD

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community? Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

China's Military to Unify Cyber Warfare Operations (October 22, 2015)

As part of China's plan to modernize its military, the cyber warfare units, which are now located in various units and ministries, will likely be moved to a unified command. Such a move would indicate that cyberattacks would become a part of military engagement.
-http://www.bloomberg.com/news/articles/2015-10-22/china-military-chiefs-seek-to-
unify-cyber-warfare-operations
[Editor's Note (Assante): This move provides an opportunity as a unified command to support the development of a central capability while better organizing and controlling theater-focused campaigns. But, there are many incentives to hold onto older concepts of the People's Army, which would maintain a capability serving unit commanders and military owned R&D/industrial activities. China's context will certainly manifest a force structure and philosophy that should be expected to adopt some similarities but remain different from the US model. ]

TalkTalk Cyber-Attack: Website Hit By 'Significant' Breach (October 23, 2015)

Personal details of 4 million of its customers of British telco provider TalkTalk were impacted in a breach. Leaked details include users' names, addresses, bank details, and credit card information. It is unclear whether the breached data was encrypted or not.
-http://www.bbc.com/news/uk-34611857

Federal IT Acquisition and Security Policy Revision (October 21, 2015)

Federal Chief Information Officer (CIO) Tony Scott announced a significant revision of the Office of Management and Budget's (OMB) Circular A-130, which establishes policy for federal government agencies to purchase, manage, and secure IT systems. "The updated guidance aims to "ensure that the federal IT ecosystem operates more securely and more efficiently while saving tax dollars and serving the needs of the American people." OMB is seeking public comment on the draft; a final version is expected by December 2015.
-http://www.nextgov.com/cio-briefing/2015/10/omb-unveils-major-rewrite-federal-it
-policy/123005/?oref=ng-HPriver
-https://a130.cio.gov/a130/appendix3/
-https://ombegov.github.io/a130/Proposed%20A-130%20for%20Public%20Comment.pdf
[Editor's Note (Pescatore): It has been 15 years since A-130 was updated, so this is long, long overdue. This update does addresses issues like continuous monitoring and lists 17 "Specific Safeguarding Measures..." that have a lot in common with the Critical Security Controls - a good thing if used to guide auditors to prioritize their efforts and findings to make sure their areas are addressed well. However, those "Specific Measures," the NIST Framework and new Privacy Plan requirements are essentially just thrown in as "more stuff to do" for government CSOs and the focus on plans and documents is as high, if not higher, than ever. Much public comment and revision needed. ]

---

************************** SPONSORED LINKS ********************************
1) Threat Intelligence Briefing: Join SANS on November 5, 2015, in Golden Colorado for a half-day breakfast briefing on this critical topic. http://www.sans.org/info/181052 Not in the area? Attend via simulcast: http://www.sans.org/info/181057

2) Don't Miss: 2015 Cloud Security & Risk Benchmarks Report. Tuesday, November 03 at 1:00 PM EDT (18:00:00 UTC) featuring Brandon Cook of Skyhigh Networks. http://www.sans.org/info/181062

3) A New Paradigm of Monitoring and Response. Friday, November 13 at 1:00 PM EDT (18:00:00 UTC) featuring Dave Shackleford and Ashok Sankar. http://www.sans.org/info/181067
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

DHS and DoJ Stingray Use Testimony (October 21, 2015)

Officials from the US Department of Homeland Security (DHS) and the Department of Justice (DoJ) testified before the House Committee on Government Oversight and Reform and Subcommittee of Information technology regarding their rules for using cell-site simulator technology commonly known as stingray. Agents will be required to obtain a warrant before using the surveillance tool, with some notable exceptions. The US Secret Service will have the authority to use cell-site simulators if there is a nonspecific threat to the president or any other individual they are protecting.
-http://www.nbcnews.com/tech/security/secret-service-gets-warrant-exemption-cellp
hone-tracking-n448911
-http://arstechnica.com/tech-policy/2015/10/dhs-now-needs-warrant-for-stingray-us
e-but-not-when-protecting-president/
-http://www.computerworld.com/article/2995926/security/dhs-testifies-on-stingray-
surveillance-use-new-cell-site-simulator-policy.html
-http://www.scmagazine.com/dhs-and-doj-firm-up-and-clarify-stingray-policies/arti
cle/448593/

Bill's Approval Marks Progress Toward Safe Harbor Alternative (October 21, 2015)

The US House of Representatives has passed the Judicial Redress Act, which would give foreigners data protection equal to that of US citizens. The bill's passage is a step toward enacting data protection for foreigners that could help the chances of the EU approving a replacement for the Safe Harbor agreement. The European Court of Justice recently invalidated the EU-US Safe Harbor agreement because it did not provide adequate privacy protection for EU citizens. The bill now goes to the Senate.
-http://www.computerworld.com/article/2995606/data-privacy/us-legislators-make-ne
w-safe-harbor-agreement-more-likely.html
-http://www.scmagazine.com/judicial-redress-act-passes-house-on-to-senate/article
/448585/
[Editor's Note (Honan): From the European perspective, this is an interesting and welcome move by the US. Until EU citizens' privacy rights regarding the storage of their personal data can be protected in the US to the same extent they are within the EU, it will be extremely difficult to agree on a revised Safe Harbor agreement. ]

Apple Updates Multiple Products (October 21 and 22, 2015)

Apple has updated its iOS mobile operating system to version 9.1. The update includes fixes for nearly 50 vulnerabilities. Apple has updated OS X El Capitan to version 10.11.1; iTunes to version 12.3.1; Safari to version 9.0.1; watchOS to version 2.0.1. Storm Center:
-https://isc.sans.edu/forums/diary/Apple+Releases+Updates+for+iOS+WatchOS+OS+X+Sa
fari+and+iTunes/20285/
-http://www.eweek.com/security/apple-updates-os-x-and-ios-to-patch-security-flaws
.html
-http://www.zdnet.com/article/apple-fixes-security-bugs-in-ios-9-1-kills-jailbrea
k/
-http://www.scmagazine.com/apple-addresses-bugs-in-os-x-ios-and-more/article/4488
86/

House Committee Hears Testimony on Automobile Cybersecurity Bill (October 21, 2015)

Federal regulators and automotive industry professionals told the US House Committee on Energy and Commerce that legislation being considered could have the opposite of its intended affect. If researchers face threats of steep fines for finding flaws in automobile computer systems, cars could become more vulnerable to cyberattacks.
-http://www.nextgov.com/cybersecurity/2015/10/feds-house-bill-could-make-cars-mor
e-vulnerable-hackers/123022/?oref=ng-dropdown
-http://www.scmagazine.com/automotive-execs-debate-measures-in-legislation-that-i
ncludes-a-ban-against-car-hacking/article/448571/

New Flaws in Network Time Protocol (October 21 and 22, 2015)

Researchers at Boston University have discovered vulnerabilities in the Network Time Protocol (NTP) could potentially be exploited to cause serious outages and snoop on encrypted traffic. NTP is used to make sure that computers' internal clocks are accurate. The connections between computers and NTP servers are usually not encrypted, which means the connection could be hijacked to reset clocks.
-http://www.darkreading.com/vulnerabilities---threats/undermining-security-by-att
acking-computer-clocks/d/d-id/1322800?
-http://www.theregister.co.uk/2015/10/22/malicious_time_source_can_poison_network
_time_protocol/
-http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can
-defeat-https-and-create-chaos/
-http://www.zdnet.com/article/network-time-protocol-flaws-defy-https-cause-networ
k-chaos/
-http://www.cs.bu.edu/~goldbe/NTPattack.html

Sony Settles (Some Claims) Over Breach (October 20 and 21, 2015)

Sony will pay up to US $8 million to settle claims against the company over a breach that exposed employee information. The settlement calls for a maximum of US $10,000 per person affected for losses incurred due to identity theft; a maximum of US $1,000 per person for fraud protection services. US $3.5 million is earmarked for legal fees.
-http://www.nbcnews.com/tech/security/sony-hack-lawsuit-settlement-could-cost-com
pany-8-million-n447896
-http://www.bbc.com/news/business-34589710

Germany's Data Retention Law Requires Info to be Stored on Air-Gapped Servers (October 21, 2015)

A law recently passed by the German Bundestag (parliament) requires telecommunications companies to retain customer metadata for up to 10 weeks and make it accessible to law enforcement for certain investigations. Privacy measures included in the legislation mandate that the data must be encrypted, stored on air-gapped servers within Germany, and may be accessed only in the presence of two authorized individuals.
-http://arstechnica.com/tech-policy/2015/10/german-parliament-passes-new-comprehe
nsive-data-retention-law/
[Editor's Note (Pescatore): I guess the intent is to make telecomm customer metadata hard to access, which is a good thing. But, what happens after authorized individuals do access the data - do the requirements travel with the data so that government agencies have to store it as securely as the telecoms companies do? ]

Critical Oracle Update (October 21, 2015)

Oracle Critical Patch Update for October addresses more than 150 vulnerabilities, including 25 flaws in Java. Many are critical and fully exploitable.
-http://www.theregister.co.uk/2015/10/21/oracle_points_patching_firehose_at_154_v
ulnerabilities/
-http://www.computerworld.com/article/2996039/application-security/oracle-slams-d
oor-on-russian-cyberspies-who-hacked-nato-pcs-through-java.html
-http://krebsonsecurity.com/2015/10/flash-java-patches-fix-critical-holes/
-http://www.zdnet.com/article/oracles-critical-security-update-154-problems-fixed
-in-latest-patch/
-http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

High School Students Arrested in Connection with Grade Altering Scheme (October 21, 2015)

Three students from Commack High School in Suffolk County, NY, have been arrested for allegedly breaking into the school's computer system. They face a variety of charges including third degree computer tampering and computer trespass. The three students were allegedly involved in a scheme to alter grades.
-http://www.scmagazine.com/arrests-made-in-commack-high-school-hack/article/44828
3/

Mozilla May Drop SHA-1 on July 1, 2016 (October 20, 21, and 22, 2015)

Some certificate authorities continue to issue digital certificates signed with SHA-1 despite research that shows the hashing algorithm to be relatively easy to break. Mozilla, Google, and Microsoft have said they plan to have their browsers stop accepting SHA-1 certificates by 2017; Mozilla is considering moving that deadline up to July 1, 2016.
-http://www.zdnet.com/article/just-how-many-websites-are-vulnerable-because-of-sh
a-1/
-http://www.scmagazine.com/mozilla-may-reject-sha-1-certificates-six-months-early
/article/448659/
-http://www.theregister.co.uk/2015/10/22/mozilla_sha1_patch/
[Editor's Comment (Northcutt): Durn, there goes my last chance not to upgrade to a safer algorithm:
-https://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.htm
l]

---

STORM CENTER TECH CORNER

Browser Dependencies in XSS Testing
-https://isc.sans.edu/forums/diary/When+encoding+saves+the+day/20277/

Let's Encrypt Obtained Cross-Signed CA
-https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html

Western Digital "MyPassport" Encryption Bypass
-https://eprint.iacr.org/2015/1002.pdf

Magento Compromise and Neutrino Exploit Kit
-https://isc.sans.edu/forums/diary/Compromised+Magento+sites+led+to+Neutrino+expl
oit+kit/20287/

Malicious Code May Accelerate CPU Aging
-https://drive.google.com/file/d/0B9i8WqXLW451MTIyM2lqR1lpZ3M/view?pli=1

Tech Support Scams Targeting Apple Users
-https://blog.malwarebytes.org/fraud-scam/2015/10/tech-support-scammers-impersona
te-apple-technicians/

Critical Joomla Update Fixes SQL Injection Flaw
-https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.htm
l

Firefox Nightly Marks HTTP Login Forms as Insecure
-https://ma.ttias.be/firefox-nightly-starts-marking-login-forms-in-http-as-insecu
re/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/