SANS NewsBites
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #85

October 30, 2015

TOP OF THE NEWS

Senate Passes CISA
Google Gives Symantec Certificate Health Ultimatum
Pentagon's Public/Private Cybersecurity Exchange Program is Expanding

THE REST OF THE WEEK'S NEWS

Malware Investigation Leads to Police Raids on Homes in Five European Countries
Adobe Patches Shockwave Vulnerability
ACLU Obtains 2008 Justice Dept. Stingray Guidelines
IRS Tells Senate Committee About Stingray Use
Study Finds Revoked Certificates Still in Use
New DMCA Exemptions Include Car Software and Some Medical Devices
ENISA Will Broaden IT Security Research
Connected Vehicle Communication Systems Present Privacy Concerns
US Army Needs Vulnerability Response Program

STORM CENTER TECH CORNER


************************* Sponsored By Sophos *****************************

LIVE Webcast: Tis the Season for Cyber Crime: Keeping Yourself Safe this Holiday. With the peak holiday season fast approaching organizations can expect an accompanying spike in hacker activity. Now is the time to review your overall security plan and make sure your organization is not a prime target for advanced security threats.

Register Today: http://www.sans.org/info/181197

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 | 6 courses.
http://www.sans.org/u/9bN

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Senate Passes CISA (October 27 and 28, 2015)

The US Senate has passed the Cybersecurity Information Sharing Act (CISA) by a significant margin. The bill still must survive conference negotiation to reconcile the versions passed in each chamber before heading for the president's desk.
-http://www.theregister.co.uk/2015/10/28/senate_passes_cisa/
-http://thehill.com/policy/cybersecurity/258305-overnight-cybersecurity-senate-overwhelmingly-passes-cybersecurity
-http://thehill.com/policy/cybersecurity/258387-hurdles-remain-for-major-cyber-bill

[Editor's Note (Paller and Murray): This bill is not so much about enabling sharing as it is about immunity from liability. It should be called the AT&T/Verizon Protection Act. You are unlikely to see ANY security improvement from the bill. Members of Congress who foisted this on the American public as a security bill should be sued for malpractice. (Henry): I'm still very confused by all the talk about personally identifiable information. The government needs threat actor information -- Adversary tools, tactics, indicators of attack, etc. They can use this aggregate intelligence to do broad analysis and attribution, and to develop actions against those targeting the commercial sector. The private sector, likewise, needs the same type of intelligence so they can hunt on their networks for signs of Adversary activity, to detect and mitigate the threats. Nowhere does anyone need to share customer information or private data, or anything else that should concern consumers or lawmakers. The USG needs to identify what specific intelligence it needs, how it will be stored/used, and what the private sector can expect back. Only then can a formalized framework be established. ]

Google Gives Symantec Certificate Health Ultimatum (October 28, 2015)

Earlier this year, Symantec employees improperly issued test certificates for Google domains. Google is now demanding that Symantec provide details of its certificate authority processes; if Symantec does not comply, Google says it will start warning users who visit sites that are protected with the company's certificates. Google says its own investigation revealed that more than the 23 test certificates originally reported were improperly issued. Google is demanding that Symantec explain why its initial report did not include the other improperly issued certificates; identify the steps it will take to prevent the improper issuance of certificates; and ensure that as of June 1, 2016, all Symantec-issued certificates support Certificate Transparency.
-http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/
-http://www.computerworld.com/article/2998970/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html
-http://www.scmagazine.com/google-publishes-blog-post-railing-symantec-over-misissued-certificates/article/450394/

[Editor's Note (Assante): What do you do when gatekeepers leave the door open? In these cases you rapidly re-examine your procedures to determine how mistakes are made and conduct remedial training. The security vendors differentiate themselves by selling 'responsiveness'. Time for some quick remediation like the marketing tag lines suggest. (Pescatore): This is a great idea. Users are the relying parties of certificates, mostly via browsers. Browser firms need to take steps to represent the users and drive up the quality of certificates, since the CAs have shown little desire to do so on their own. (Murray): The PKI for TLS is our first, and so far our only, PKI. It is infrastructure. It must be managed accordingly. There was never a de jure decision that the browser publishers should be the enforcers of discipline but, de facto, they are. A robust infrastructure requires that they exercise their authority and the rest of us must submit to it. ]

Pentagon's Public/Private Cybersecurity Exchange Program is Expanding (October 29, 2015)

The US Defense Department (DoD) has established a public/private exchange program for cybersecurity specialists. Pentagon CIO Terry Halvorsen said that they are "looking to industry to help ... solve some [problems in] specific areas." The program is expanding to include specialists from 10 technology companies. Halvorsen spoke about his goals for the program at a Christian Science Monitor event in Washington, DC on Thursday.
-https://fcw.com/articles/2015/10/29/pentagon-cyber-exchanges.aspx
-http://www.bloomberg.com/news/articles/2015-10-29/pentagon-creates-cybersecurity-exchange-program-with-industry
-http://www.csmonitor.com/World/Passcode/2015/1029/Pentagon-s-top-IT-official-My-money-buys-Silicon-Valley-s-trust

[Editor's Note (Pescatore): This is a good program but it needs to lead to a lot of process change in the way DoD procures and manages IT systems. It is one thing for DoD people to learn how private industry does things, it is a whole 'nuther' thing to enable those DoD employees to do things differently when they get back. ]


************************** SPONSORED LINKS ********************************
1) Webcast: featuring Brandon Cook and John Pescatore: 2015 Cloud Security & Risk Benchmarks Report. Tuesday, November 03 at 1:00 PM EST (18:00:00 UTC). http://www.sans.org/info/181202

2) How to Detect System Compromise & Data Exfiltration with AlienVault USM. Friday, November 06 at 1:00 PM EST (18:00:00 UTC) featuring Tom DAquino, Security Engineer. http://www.sans.org/info/181207

3) Think Like an Attacker: What You Must Know About Targeted Attack Techniques Tuesday, November 17 at 3:00 PM EST (20:00:00 UTC) with John Pescatore and Peter Nguyen. http://www.sans.org/info/181212
***************************************************************************

THE REST OF THE WEEK'S NEWS

Malware Investigation Leads to Police Raids on Homes in Five European Countries (October 29, 2015)

Police in Germany, Belgium, Switzerland, France, and the UK raided a total of 13 homes as part of an investigation regarding a remote access Trojan (RAT) known as DroidJack. As its name suggests, DroidJack can be used to take control of the devices it infects and snoop on data traffic, eavesdrop on conversations, use the phone's camera and even send text messages.
-http://www.bbc.com/news/technology-34668337
-http://www.thelocal.de/20151029/police-join-eu-wide-raids-on-smartphone-hackers

Adobe Patches Shockwave Vulnerability (October 29, 2015)

Adobe has released a patch for Shockwave Player. The vulnerability the patch fixes could be exploited to infect Windows and Mac machines and execute code remotely. Users running Shockwave version 12.2.0.162 and earlier should upgrade to version 12.2.1.171.
-http://www.theregister.co.uk/2015/10/29/shocker_adobe_patches_critical_shockwave_remote_hijack_hole/
-https://isc.sans.edu/forums/diary/Adobe+Release+Surprise+Shockwave+Player+Patch/20307/

ACLU Obtains 2008 Justice Dept. Stingray Guidelines (October 28, 2015)

Documents recently obtained by the American Civil Liberties Union (ACLU) of Northern California through a Freedom of Information Act (FOIA) request confirm suspicions that some cell-site simulator devices are capable of recording the numbers of incoming and outgoing calls and of intercepting text and voice communications. The document, a set of US Department of Justice (DoJ) guidelines from 2008 advising law enforcement about the technology's use, says that if the devices being used are configured to intercept the content of communications, agents should disable that function "unless interceptions have been authorized by a Title III order." (Title III allows law enforcement to intercept real-time communications with a court order.) The guidelines advise law enforcement to refrain from referring to the stingray by name and to instead call it a pen register/trap and trace device.
-http://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm/
-https://www.aclunc.org/our-work/legal-docket/aclu-v-doj-stingrays
Document:
-https://www.aclunc.org/docs/20151027-crm_lye.pdf

IRS Tells Senate Committee About Stingray Use (October 28, 2015)

US Internal Revenue Service (IRS) Commissioner John Koskinen told the Senate Finance Committee that the IRS uses cell-site simulator technology, often referred to as a stingray, only in criminal investigations. Koskinen said that they use stingrays only after obtaining a court order.
-http://arstechnica.com/tech-policy/2015/10/irs-tells-senate-we-only-use-our-stingrays-with-court-orders/

Study Finds Revoked Certificates Still in Use (October 28, 2015)

A study about certificate revocation conducted by researchers at four major US universities and Akamai found that eight percent of public key certificates served by websites had been revoked. The problems can be traced to Certificate Authorities failing to distribute revocation lists effectively and browsers failing to check to see if certificates have been revoked.
-http://www.darkreading.com/risk/digital-certificate-security-fail/d/d-id/1322887?

[Editor's comment (Northcutt): Certificates are the cornerstone of eCommerce. If your organization engages in buying and selling over the Internet, this is an important topic. Despite concerns about the mathematics related to one of the hash algorithms used, the infrastructure is mostly sound from a technology perspective. The problems we face mostly come from poor management as this story points out.
-https://www.sans.org/reading-room/whitepapers/critical/business-case-tls-certificate-enterprise-key-management-web-site-certificates-wrangling-36392
-https://www.sans.org/reading-room/whitepapers/analyst/critical-security-controls-%20guidelines-ssl-tls-management-35995
]
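The study above traces the problem to CAs not distributing revocation lists effectively and browsers not checking them. As an added example that is not part of this newsletter or the study, the Go program below (standard library only) builds a throwaway CA, two leaf certificates and a one-hour CRL in memory, then performs the check a relying party should: verify the CRL's signature and validity window before trusting it, treat an expired CRL as "unknown" rather than "good", and only then look up the serial. The CA name, the shop.example hostname and the serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkRevocation does what a browser ought to do with a CRL: trust the list only after checking
// the issuer's signature and validity window, then look the leaf's serial up in it. Verdicts are
// "good", "revoked" or "unknown"; an untrusted or stale CRL yields "unknown", never "good".
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return "unknown", err
	case crl.CheckSignatureFrom(issuer) != nil:
		return "unknown", fmt.Errorf("CRL not signed by %s", issuer.Subject.CommonName)
	case now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate):
		return "unknown", fmt.Errorf("CRL outside its validity window at %s", now.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// must is fixture plumbing: failing to build the in-memory demo PKI is a bug, not a verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildDemoPKI constructs, in memory and for this example only, a CA, a leaf with the given
// serial for a hypothetical shop, and a one-hour CRL that lists serial 4242 as revoked.
func buildDemoPKI(serial int64, now time.Time) (ca, leaf *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "shop.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}
	return ca, leaf, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
}

// runDemo: revoked leaf vs. fresh CRL, same leaf once the CRL has expired, and a never-revoked leaf.
func runDemo() (revokedNow, revokedStale, goodNow string) {
	now := time.Now()
	ca, badLeaf, crl := buildDemoPKI(4242, now)
	okCA, okLeaf, okCRL := buildDemoPKI(7, now)
	revokedNow, _ = checkRevocation(badLeaf, ca, crl, now)
	revokedStale, _ = checkRevocation(badLeaf, ca, crl, now.Add(2*time.Hour)) // stale CRL: "unknown"
	goodNow, _ = checkRevocation(okLeaf, okCA, okCRL, now)
	return revokedNow, revokedStale, goodNow
}
func main() {
	fmt.Println(runDemo()) // revoked unknown good
}
```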

New DMCA Exemptions Include Car Software and Some Medical Devices (October 27 and 28, 2015)

The Library of Congress has adopted new exemptions to the Digital Millennium Copyright Act (DMCA) provision that prohibits circumventing technology that controls access to copyrighted works. The new exemptions include vehicle software for the purposes of diagnosis, repair, or modification and certain networked medical devices.
-http://arstechnica.com/tech-policy/2015/10/us-regulators-grant-dmca-exemption-legalizing-vehicle-software-tinkering/
-http://thehill.com/policy/technology/258237-copyright-exemption-handed-out-for-car-security-research
-http://www.computerworld.com/article/2998937/healthcare-it/us-says-its-okay-to-hack-cars-and-medical-devices-sometimes.html

-http://www.theregister.co.uk/2015/10/28/new_better_dmca_rules/
-http://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf

ENISA Will Broaden IT Security Research (October 27 and 29, 2015)

The European Union's Agency for Network and Information Security (ENISA) says it will fund IT security research for vehicles, airports, and hospitals. ENISA will continue "its work on established priorities [including] the pan-European cyber-security exercises, critical information infrastructure protection" and other initiatives.
-http://www.scmagazine.com/enisa-puts-smart-devices-and-iot-on-top-of-european-security-agenda/article/450202/
-http://www.computerworld.com/article/2997790/security/eu-will-fund-car-hospital-and-airport-it-security-research.html
-https://www.enisa.europa.eu/media/press-releases/enisa-work-programme-for-2016-adopted-agency-builds-on-successful-activities-and-broadens-scope-in-2018smart2019-studies-and-iot-security

Connected Vehicle Communication Systems Present Privacy Concerns (October 27, 2015)

University researchers in the Netherlands and Germany have demonstrated that cars equipped with technology that allows them to communicate with each other and with highway infrastructure, presumably to avoid collisions and traffic jams, could be snooped on to track the vehicles' locations. The US National Highway Traffic Safety Administration (NHTSA) is considering mandating the connected-vehicle wireless communication protocol as soon as 2017.
-http://www.wired.com/2015/10/cars-that-talk-to-each-other-are-much-easier-to-spy-on/

US Army Needs Vulnerability Response Program (October 23 and 27, 2015)

According to an article in The Cyber Defense Review, many vulnerabilities in US Army software and networks are not reported because there is no centralized authority for disclosing vulnerabilities; there is no central entity that tracks issues from disclosure through remediation; and there is no government program that allows active assessments of system security. Army personnel are often reluctant to disclose vulnerabilities because the report could potentially be seen as a threat. The article's authors propose establishing the Army Vulnerability Response Program (AVRP) to address these issues.
-http://www.cyberdefensereview.org/2015/10/23/avrp/
-http://www.theregister.co.uk/2015/10/27/army_bug_bounties/

[Editor's Note (Assante): The success of a program like AVRP will rest on being able to identify connected and mission relevant systems while prioritizing vulnerabilities based on their importance and susceptibility. I am afraid many of these programs are climbing uphill right from the start as asset inventories are incomplete, software bundles can be complex and include undocumented third-party code, and technology is becoming so pervasive that it is camouflaged more effectively than the latest battle dress. ]

STORM CENTER TECH CORNER

Experimenting with International Domain Names and Mixed Languages
-http://www.example.xn--comindex-634g.jp

"x86 Considered Harmful"
-http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Secunia Vulnerability Report
-https://secunia.com/resources/country-reports/introduction/

Wipmania.com IP to Country Lookup Service Used by Malware
-https://isc.sans.edu/forums/diary/Victim+of+its+own+success+and+abused+by+malwares/20311/

Practical Attacks Against 4G/LTE Networks
-http://arxiv.org/pdf/1510.07563v1.pdf

Android Applications With Taomike Monetization Library Steal SMS Messages
-http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-library-steals-sms-messages/

CIRCL Releases Raspberry Pi Based "USB Cleaner"
-https://isc.sans.edu/forums/diary/USB+cleaning+device+for+the+masses/20315/

MySQL Servers Used in DDoS Attacks
-http://www.symantec.com/connect/blogs/mysql-servers-hijacked-malware-perform-ddos-attacks

Cisco's IOS and IOS XE SSH User Authentication Bypass
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150923-sshpk

Symantec Updates Report over Unauthorized Google Certificates After Google Finds More of them
-https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_20151029.pdf

Xen Virtual Machine Breakout Exploit
-https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/