SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #84

October 27, 2015

TOP OF THE NEWS

Millennials Not Pursuing Cybersecurity Careers
CISA Vote Scheduled for Tuesday

THE REST OF THE WEEK'S NEWS

Teen Arrested in Connection with TalkTalk Attack
TalkTalk Customers Reporting Fraudulent Financial Transactions After Breach
Malware Pretends to be Browser
German Authorities Investigating Malware on Government Official's Personal Laptop
Closed-Circuit Camera Botnet
Microsoft Says Windows 10 Data Collection Will Help Improve User Experience
Russian Spies Allegedly Tried to Snoop on Crash Investigation
Audi Airbags Disabled in Proof-of-Concept Attack
Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1
Upgrade to Joomla 3.4.5
Joint Hearing on Grid Security

STORM CENTER TECH CORNER


************************* Sponsored By Splunk *****************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/181107

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2 -
http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Millennials Not Pursuing Cybersecurity Careers (October 26, 2015)

Young adults ages 18 to 26 worldwide aren't flocking to the cybersecurity field because they are largely unaware of the career opportunities it offers, and young women are less interested in and less informed about the field than young men.
-http://www.darkreading.com/operations/millennials-not-pursuing-cybersecurity-careers/d/d-id/1322834

CISA Vote Scheduled for Tuesday (October 26, 2015)

Legislators are poised to vote on the Cybersecurity Information Sharing Act (CISA) on Tuesday, October 27. The bill has faced opposition from technology companies, which say that it will give the government access to more data without improving cybersecurity.
-http://thehill.com/policy/cybersecurity/257904-week-ahead-cyber-bill-faces-final-vote



************************** SPONSORED LINKS ********************************
1) Download the free eGuide: Patterns of Compromise & Intelligence-Driven Threat Detection: http://www.sans.org/info/181112

2) Bad threat intelligence raining on your parade? Learn how to clear up your cloud with real-time threat intelligence during this free webinar on November 17, 2015 at 1:00 PM ET: http://www.sans.org/info/181122

3) Don't Miss this Webcast: 2015 Cloud Security & Risk Benchmarks Report Tuesday, November 03 at 1:00 PM EST (18:00:00 UTC) featuring Brandon Cook and John Pescatore. http://www.sans.org/info/181127
***************************************************************************

THE REST OF THE WEEK'S NEWS

Teen Arrested in Connection with TalkTalk Attack (October 26, 2015)

On Monday, October 26, authorities arrested a 15-year-old boy in connection with the attack on TalkTalk. The teenager was arrested on suspicion of violating the Computer Misuse Act.
-http://www.theguardian.com/business/2015/oct/26/talktalk-cyber-attack-boy-15-arrested-in-northern-ireland

-http://www.bbc.com/news/uk-34643783
-http://thehill.com/policy/cybersecurity/258132-15-year-old-boy-arrested-in-massive-talktalk-hack

[Editor's Note (Honan): If it turns out that this schoolboy was responsible for the attack against TalkTalk, it speaks volumes about the failure of our industry and profession that while we focus on nation-state attackers, organised criminal gangs, and the latest zero-day vulnerabilities, our security defences are regularly breached by school children. We really need to re-assess what we do as professionals and vendors to secure our networks. There was also media coverage of experts claiming the attack was the result of Russian cyber jihadists, based on a posting on the Pastebin site. Thomas Fox-Brewster from Forbes uses this to highlight the fallacy of many expert analyses in the wake of cyber attacks:
-http://www.forbes.com/sites/thomasbrewster/2015/10/27/cyber-jihadism-stupidity/]

TalkTalk Customers Reporting Fraudulent Financial Transactions After Breach (October 23, 24, and 26, 2015)

While UK ISP TalkTalk maintains that the data compromised in the attack disclosed last week was not enough to give attackers access to customers' financial accounts, some customers are reporting that their accounts have been emptied. The breach potentially affected all of TalkTalk's four million customers. The attackers also reportedly demanded a ransom of GBP 80,000 (US $123,000). The incident was first described as a distributed denial-of-service (DDoS) attack; the company later said that it had also sustained an SQL injection attack.
-http://www.bbc.com/news/technology-34636308
-http://www.zdnet.com/article/the-talktalk-aftermath-social-engineering-and-empty-bank-accounts/

-http://www.darkreading.com/attacks-breaches/attackers-demand-ranso
-http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin/
-http://www.csmonitor.com/Technology/2015/1024/TalkTalk-ransom-demand-How-do-you-sort-mischief-from-malice

Malware Pretends to be Browser (October 26, 2015)

Malware called eFast Browser impersonates Google Chrome. It arrives bundled with other software installers and, once installed, makes itself the default browser. eFast Browser steals user information, installs other malware, and displays pop-ups for malicious websites.
-http://www.scmagazine.com/new-strain-of-malware-attempts-to-entirely-replace-browser/article/449311/

German Authorities Investigating Malware on Government Official's Personal Laptop (October 26, 2015)

Authorities in Germany are investigating reports that the laptop of a high-ranking German official was infected with espionage malware that has been linked to the US National Security Agency (NSA) and its UK counterpart, the Government Communications Headquarters (GCHQ). The laptop in question is the personal property of a unit head in the German Federal Chancellery.
-http://arstechnica.com/tech-policy/2015/10/top-german-official-infected-by-highly-advanced-spy-trojan-with-nsa-ties/

Closed-Circuit Camera Botnet (October 26, 2015)

A botnet made up of nearly 1,000 closed-circuit television (CCTV) cameras has been detected. The devices were reachable from the Internet and protected only by default or easily guessed passwords. Incapsula identified the botnet while investigating a DDoS attack on a client's system. All of the compromised cameras were running BusyBox, the bundle of Unix utilities commonly found on embedded Linux devices.
-http://www.zdnet.com/article/cctv-cameras-worldwide-used-in-ddos-attacks/
-http://www.scmagazine.com/ddos-botnet-comprised-of-nearly-a-thousand-cctv-cameras/article/449499/

[Editor's Note (Murray): Welcome to the Internet of Things. Even if most appliances are resistant to compromise or misuse, there will always be enough that are insecure as to represent a risk to the Internet that will be difficult to mitigate. ]

Microsoft Says Windows 10 Data Collection Will Help Improve User Experience (October 23, 2015)

Windows 10 requires users to allow collection of data about how their devices are used, such as when the OS crashes, on the grounds that the information helps improve the OS. Users who set up Windows 10 manually can opt out of most personal data collection, but the mandatory tracking features still collect what Microsoft calls telemetry data, which it says "have to do with the health of the system, and are not personal information or are not related to privacy."
-http://www.computerworld.com/article/2996504/data-privacy/microsoft-doesnt-see-windows-10s-mandatory-data-collection-as-a-privacy-risk.html

Russian Spies Allegedly Tried to Snoop on Crash Investigation (October 23, 2015)

Trend Micro says that Russian spies, believed to be part of a group known as Pawn Storm, allegedly attempted to infiltrate computer systems to try to find information about the investigation into Malaysia Airlines flight 17, which crashed in July 2014 en route from Amsterdam to Kuala Lumpur. An investigation conducted by the Dutch, Malaysian, Australian, Belgian, and Ukrainian authorities and led by the Dutch Safety Board concluded that the plane had been struck by a warhead launched from a Russian-built Buk surface-to-air missile system. According to Trend Micro, the Russian spies set up fake SFTP and VPN servers mimicking those of the Dutch Safety Board.
-http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/

-http://www.computerworld.com/article/2995963/security/russian-cyberspies-targeted-the-mh17-crash-investigation.html

-http://www.scmagazine.com/trend-micro-details-new-pawn-storm-attacks-and-efforts/article/449176/

Dutch Safety Board Report:
-http://cdn.onderzoeksraad.nl/documents/report-mh17-crash-en.pdf

Audi Airbags Disabled in Proof-of-Concept Attack (October 23, 2015)

Researchers in Hungary exploited a vulnerability in third-party diagnostic software to disable the airbags in an Audi TT. The attack can disable airbags and other functions while presenting false readouts, so the driver is unaware of the problem. It works only if a USB drive containing malicious code is plugged into the vehicle, or if the mechanic's computer running the diagnostic software is infected with malicious code.
-http://www.theregister.co.uk/2015/10/23/hackers_pop_mechanics_laptops_to_silently_disable_car_airbags/

Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1 (October 23, 2015)

As of midnight January 1, 2016, publicly trusted certificate authorities will stop issuing certificates signed with SHA-1. The decision was made in light of research indicating that a practical SHA-1 collision could be achievable by the end of this year. The certificate authorities will issue SHA-2 (typically SHA-256) signed certificates instead. However, a significant number of users will have trouble reaching familiar sites because their older browsers or devices do not support SHA-2 signatures. About 75 percent of HTTPS websites already use SHA-2 certificates.
-http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/

[Editor's Note (Northcutt): It has already started happening at the browser level. I found out when I could not get to my financial site. The GIAC Advisory board was a huge help in troubleshooting. For more information see:
-https://www.linkedin.com/pulse/your-enterprise-uses-https-read-my-chrome-browser-wont-northcutt
]
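The practical question behind the SHA-1 item is which of your certificates are still signed with it. The following is an added example, not code from this issue or from any CA: a standard-library-only Python routine that walks just the outer DER layout of an X.509 certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) to read the signature algorithm OID and flag SHA-1. The OID table covers the algorithms a 2015-era scan would meet; the sample certificate bytes used in the demo are constructed inline and are not a real certificate.

```python
"""Report the signature algorithm of a DER-encoded X.509 certificate and flag SHA-1.

Added example (not from the NewsBites issue). Parses only the outer DER layout,
so it needs nothing beyond the standard library. The sample certificate used in
the demo is constructed below and is not a real certificate.
"""
import ssl
import sys

# dotted OID -> (name, uses_sha1); unknown OIDs map to ("unknown", None)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_cert):
    """Return (oid, name, uses_sha1) for the certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(body, 0)            # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, after_tbs)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_octets, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_octets)
    name, uses_sha1 = SIG_ALG_OIDS.get(oid, ("unknown", None))
    return oid, name, uses_sha1


def server_leaf_signature(host, port=443):
    """Fetch a live server's leaf certificate (needs network access) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample data (not a real certificate) -------------------------

def der(tag, content):
    """Minimal DER encoder: short-form length below 128 bytes, long-form above."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Inverse of decode_oid; used only to build the sample."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert(sig_oid):
    """Stand-in certificate: real outer layout, dummy tbsCertificate and signature.

    The tbsCertificate is padded past 127 bytes so the long-form length path is exercised.
    """
    tbs = der(0x30, der(0x02, b"\x01") + b"\x00" * 200)
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 32)
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # With no argument, classify the constructed SHA-1 sample; otherwise read a DER file.
    cert = sample_cert("1.2.840.113549.1.1.5") if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    oid, name, sha1 = signature_algorithm(cert)
    print(f"{name} ({oid}) -> {'REPLACE: SHA-1 signed' if sha1 else 'ok'}")
```

This inspects the leaf certificate only. Browsers that reject SHA-1 evaluate the whole chain, so intermediates need the same check; the root's self-signature is the one place SHA-1 does not matter, because roots are trusted by identity, not by their signature.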

Upgrade to Joomla 3.4.5 (October 22 and 23, 2015)

A flaw in Joomla could be exploited to take control of websites running vulnerable versions of the content management system. The SQL-injection vulnerability affects Joomla versions 3.2 through 3.4.4. Joomla released an update to address it last week; the current version is now 3.4.5.
-http://www.computerworld.com/article/2996526/security/joomla-patches-serious-sqli-flaw.html

-http://arstechnica.com/security/2015/10/joomla-bug-puts-millions-of-websites-at-risk-of-remote-takeover-hacks/

Joint Hearing on Grid Security (October 21, 2015)

On Wednesday, October 21, two subcommittees of the House Science, Space, and Technology Committee held a joint hearing on the US power grid's preparedness for cyber security incidents. In testimony, Bennett Gaines, CIO at FirstEnergy Service Company, said that the industry needs to implement a system that would allow members to share real-time information about cyber attacks with each other and with the government. Gaines's concern is that "the information [those in the industry] get from the government is not timely."
-http://thehill.com/policy/cybersecurity/257643-house-probes-cyber-threats-to-power-grid

-https://science.house.gov/legislation/hearings/subcommittee-energy-and-subcommittee-research-and-technology-hearing

[Editor's Note (Murray): The issue is that the utilities do not even know what connections they have to the public networks, much less have adequate control over them. This is aggravated by automatic remedies for component failures built into the grid. Said another way, it is vulnerability and consequences, not threat, that are the significant risk factors in power generation and distribution. Of course, that is not to say that an ISAC would not be efficient, only that it is not the priority. Waiting until one can measure threat is called 'hope,' not a sound strategy for such a sensitive infrastructure. ]

STORM CENTER TECH CORNER

Dridex Botnet is Back
-https://isc.sans.edu/forums/diary/Botnets+spreading+Dridex+still+active/20295/

Hacking a Mechanics Laptop to Disable Airbags
-http://www.hit.bme.hu/~buttyan/publications/carhacking-Hacktivity-2015.pdf

Malicious Advertisements on ebay.de
-https://blog.malwarebytes.org/malvertising-2/2015/10/kampagnen-malvertising-campaign-goes-after-german-users/

Unicode-range Used to Leak Web Page Content via CSS
-http://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html

Charity Website Typosquatting to Spread Fake Anti-Malware Support
-https://isc.sans.edu/forums/diary/Typo+Squatting+Charities+for+Fake+Tech+Support+Schemes/20299/

Organized Crime Manipulates Chip Equipped Credit Cards
-http://eprint.iacr.org/2015/963.pdf

Number of VPNs Vulnerable to "Weak DH" attack likely overestimated
-https://nohats.ca/wordpress/blog/2015/10/17/66-of-vpns-are-not-in-fact-broken/

What should companies do after a wide-scale data breach?
-http://www.net-security.org/article.php?id=2402

Fitbit devices can be hacked via Bluetooth, claims security researcher
-http://www.theinquirer.net/inquirer/news/2431587/fitbit-devices-can-be-hacked-via-bluetooth-claims-security-researcher

Joomla 3.4.5 patches critical SQLi vulnerability
-http://thehackernews.com/2015/10/joomla-security.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/