SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #87

November 06, 2015

TOP OF THE NEWS

US Military Contract for Lethal Cyberweaponry
Who Responds to Significant Cyber Incidents?
US Government Agencies Earn Poor Grades on Initial FITARA Report Card

THE REST OF THE WEEK'S NEWS

Microsoft May Block SHA-1 in mid-2016
Cox Communications Settles FCC Charges
UK Draft Investigatory Powers Bill
OMB Provides Definition of Major Cyberincident
Firefox 42
Google's Project Zero Pushes Samsung to Fix Flaws
Another TalkTalk Arrest
XcodeGhost Tweaked to Target iOS 9
MPAA Shuts Down Sites Offering Pirated Content
New Bill Would Require Law Enforcement to Obtain Warrants Prior to Stingray Use

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Sophos Inc. *************************
For an endpoint solution to be effective it must be easy to deploy and maintain. Some solutions can be so complex to implement that features are either easily misconfigured or not used at all. Experts compare the usability of leading endpoint solutions. Find out who lands on top.
Learn more: http://www.sans.org/info/181342
***************************************************************************

TRAINING UPDATE


- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured.
36 courses
http://www.sans.org/u/7Qx


- --SANS Sydney 2015 | Sydney, Australia | November 9-21, 2015 |

6 courses.
http://www.sans.org/u/9bN


- --SANS London 2015 | London, UK | November 14-23, 2015 |
15 courses.
http://www.sans.org/u/9bX


- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 |
8 courses.
http://www.sans.org/u/9c7


- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 |
7 courses.
http://www.sans.org/u/9ch


- --Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!


- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj


- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy Plus Ft. Lauderdale, Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:

http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US Military Contract for Lethal Cyberweaponry (November 4, 2015)

A US Cyber Command project with a budget of US $460 million will seek contractors to develop lethal cyberweapons - code capable of inflicting damages on infrastructure and on people.
-http://www.nextgov.com/cybersecurity/2015/11/lethal-virtual-weapons-real/123417/
?oref=ng-channelriver
[Editor's Note (Assante): When considering historic incidents, cyber action feels clean, especially when viewed in isolation. War fighting is dirty by its very nature and should be assumed to cast its ugliness to the practical use of cyber weapons whether supporting traditional kinetic operations or particularly when the cyber payload becomes the spear. ]

Who Responds to Significant Cyber Incidents? (November 4, 2015)

If the US were to be the target of a significant cyber attack that threatened the country's infrastructure and people's lives, it is unclear whether the response would be led by the Department of Homeland Security (DHS) or the Defense Department (DoD).
-http://www.nextgov.com/cybersecurity/2015/11/whos-really-charge-if-massive-cyber
attack-strikes-us/123404/?oref=ng-channeltopstory
[Editor's Note (Assante): This discussion appears murky and complex when considering traditional IT cyber attacks. More clarity would follow a material cyber-to-physical incident performed by a foreign power. The military is the right choice if the incident comes in the form of an attack originating off our shores with little possibility of a confident, timely pursuit and capture of the responsible parties. To assume the incident itself was isolated and contained to the single act would be irresponsible. In this case, a capable threat that demonstrated their intent would have to be blocked and ultimately rendered incapable of further action.
(Murray): According to testimony
-http://www.c-span.org/video/?400223-1/hearing-future-warfare
given to a Senate committee by Gen. Keith Alexander (US Army, Ret.) the issue is settled. ]

US Government Agencies Earn Poor Grades on Initial FITARA Report Card (November 4, 2015)

Most US government agencies have not done well in implementing the Federal Information Technology Acquisition Reform Act (FITARA) requirements. According to a report card from the House Oversight and Government Reform Committee, agencies averaged a "D." The grades are being viewed as "an initial assessment" to identify areas that need attention and improvement. The four categories on which the agencies were graded are data center consolidation; IT portfolio review savings; incremental development; and risk assessment transparency.
-http://www.nextgov.com/cio-briefing/2015/11/what-congress-hopes-agencies-learn-f
ailing-fitara-grades/123439/
-http://www.nextgov.com/cio-briefing/2015/11/most-agencies-earn-ds-scorecard-trac
king-it-reform/123397/?oref=ng-HPtopstory
[Editor's Note (Murray): So much for the argument that the government's buying power could be used to influence the security of products and services in the market place.
(Paller): Murray is wrong. FITARA is a powerful force that could easily enable federal agencies to use their buying power to get more value for the taxpayer - specifically in cybersecurity - at lower cost. The law's effectiveness is being hobbled by assessors - both in OMB and in Congress -- who are looking in the wrong places. "What gets watched gets done." And what is being watched is not what needs to be done. ]

---

************************** SPONSORED LINKS ********************************
1) Responder PRO, reverse engineer malware & analyze behaviors of in-memory code. Try it free today: http://www.sans.org/info/181347

2) Don't Miss: A New Paradigm of Monitoring and Response. Friday, November 13 at 1:00 PM EST (18:00:00 UTC) featuring Dave Shackleford and Ashok Sankar. http://www.sans.org/info/181352

3) Think Like an Attacker: What You Must Know About Targeted Attack Techniques. Tuesday, November 17 at 3:00 PM EST (20:00:00 UTC) with John Pescatore and Peter Nguyen. http://www.sans.org/info/181357
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft May Block SHA-1 in mid-2016 (November 5, 2015)

Microsoft is now considering blocking the SHA-1 algorithm as soon as June 2016. Mozilla has already said that it would begin blocking SHA-1 as of July 1, 2016. Microsoft initially said that Windows would end support for SHA-1 on January 1, 2017.
-http://www.computerworld.com/article/3001681/security/microsoft-follows-mozilla-
in-considering-early-ban-on-sha-1-certificates.html
[Editor's Note (Ullrich): According to the Microsoft Technet page on the subject, server-authentication certificates will still allow for SHA-1 until 1/1/2017. Code signing certificates however will support SHA-1 only until 1/1/2016. Currently, certificate authorities no longer generate SHA-1 signed certificates, so all recently issued certificates should be fine. But make sure you also have installed updated intermediate certificates. Another issue is that with ever increasing certificate requirements, older embedded web servers will no longer be able to support valid certificates. Given that actual attacks currently being launched against SSL usually rely on simple man in the middle with self signed certificates, it remains to be seen whether the forced hardening of SSL against rather difficult and rare attacks will improve or weaken security overall.
(Pescatore): Earlier is better, so good decision by Microsoft even though it may cause short term inconvenience.
(Northcutt): A bit late to the forced upgrade party, but there is a real world impact. Users of older versions of Windows, including phone, will be increasingly isolated ... unable to access web sites. ]

Cox Communications Settles FCC Charges (November 5, 2015)

Cox Communications will pay nearly US $600,000 to settle Federal Communications Commission (FCC) charges regarding a breach that exposed customer data. The incident occurred in August 2014 and compromised addresses, driver's license numbers, and partial Social Security numbers (SSNs). The FCC said that Cox did not provide adequate security for the data and that the company did not notify the commission after learning of the breach.
-http://thehill.com/policy/technology/259332-cox-settles-with-fcc-over-customer-p
rivacy-breach
-http://www.theregister.co.uk/2015/11/06/fcc_cox_data_breach/
[Editor's Note (Pescatore): This is the first such enforcement action by the FCC, joining the SEC in following the lead of the FTC and using existing legislation and staff to drive companies to higher levels of privacy and security. Voluntary improvements that have been discussed by CSRIC working groups in this area for close to 5 years have made little visible progress - perhaps a few enforcement actions will invigorate those efforts. ]

UK Draft Investigatory Powers Bill (November 4 & 5, 2015)

UK Home Secretary Theresa May presented the Investigatory Powers Bill earlier this week. Both houses of Parliament will examine the draft legislation before developing a final version and voting on it. Among the draft bill's provisions are a requirement that Internet service providers (ISPs) retain users' browsing history data for one year, and increased powers for law enforcement to gain access to data.
-http://www.v3.co.uk/v3-uk/news/2433431/investigatory-powers-bill-everything-you-
need-to-know
-http://www.scmagazine.com/surveillance-bill--judicial-oversight-no-encryption-ba
n/article/451626/
-http://www.v3.co.uk/v3-uk/news/2433402/investigatory-powers-bill-set-to-overhaul
-uk-spying-laws
-http://arstechnica.com/tech-policy/2015/11/snoopers-charter-web-browsing-history
-stored-for-a-year-no-bans-on-encryption/
-http://www.zdnet.com/article/new-uk-spying-bill-forces-apple-google-to-decrypt-p
hones-tablets/
[Editor's Note (Honan): Its interesting to note the UK government will expect ISPs to securely protect users' internet browsing history. Given that the recent breach of the UK based ISP Talk Talk's customer database was allegedly done by school kids reportedly using an SQLi attack, the third breach in a year, this will raise some interesting challenges. ]

OMB Provides Definition of Major Cyberincident (November 4, 2015)

The White House included a definition of a major cyberincident in the annual guidance for agencies under the Federal Information Security Management Act (FISMA) from the Office of Management and Budget (OMB). For an incident to be deemed a major cyberincident, it must involve classified information; it must affect at least 10,000 users and is not recoverable; it causes an agency to be unable to provide critical service; and it involves modification, deletion, or exfiltration of data. Agencies are required to notify OMB of major cyberincidents within seven days.
-http://www.nextgov.com/cybersecurity/2015/11/heres-governments-new-definition-ma
jor-cyber-incident/123393/
-https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-03.pdf

Firefox 42 (November 4, 2015)

On Tuesday, November 3, Mozilla released Firefox 42, addressing 18 security issues, three of which are rated critical. The newest version of the browser also includes a feature called Private Browsing with Tracking Protection that prevents websites from tracking users with analytics software. The feature could cause some websites to appear broken.
-http://www.theregister.co.uk/2015/11/04/mozilla_patches_up_firefox_flaws/
-http://www.scmagazine.com/mozilla-releases-firefox-42-fixes-several-vulnerabilit
ies/article/451764/
-http://www.computerworld.com/article/3000989/web-browsers/firefox-42-mozilla-pri
vate-browsing-tracking-protection-itbwcw.html

Google's Project Zero Pushes Samsung to Fix Flaws (November 4, 2015)

Google's Project Zero found 11 vulnerabilities in Samsung's Galaxy S6 Edge smartphone. Eight of the flaws have been fixed. Google has a particular interest in Samsung phones' security because the devices run on Google's own Android operating system.
-http://www.csmonitor.com/Technology/2015/1104/Google-s-hackers-shame-Samsung-and
-others-into-fixing-security-flaws
[Editor's Note (Pescatore): Google is to Android phones as Microsoft was/is to Windows PCs, so Google being proactive about driving phone vendors to higher levels of security is a good thing. Imagine if Microsoft could have done something similar with Adobe years and years ago... ]

Another TalkTalk Arrest (November 4, 2015)

A fourth person believed to be connected to the TalkTalk breach has been arrested and released on bail. The breach was initially believed to affect as many as four million customers, but TalkTalk now says that the attackers stole 21,000 financial account numbers and 28,000 payment card numbers.
-http://www.zdnet.com/article/suspect-number-four-arrested-over-talktalk-hack-gra
nted-bail/

XcodeGhost Tweaked to Target iOS 9 (November 3 & 4, 2015)

More than 200 organizations in the US have applications infected with XcodeGhost malware running on their networks. XcodeGhost is a maliciously crafted version of legitimate Apple app development software that had been made available on third-party sites in China. In addition, a new variant of the malware has been detected; XcodeGhost S is designed to target iOS 9.
-http://www.darkreading.com/attacks-breaches/xcodeghost-found-hiding-in-us-and-in
-apple-ios-9-apps/d/d-id/1322978?
-http://www.computerworld.com/article/3000917/mobile-security/many-us-enterprises
-still-run-xcodeghost-infected-apple-apps.html
-http://www.scmagazine.com/xcodeghost-has-been-spotted-in-us-enterprises-along-wi
th-a-new-variant-that-is-designed-to-infect-ios-9-systems/article/451639/
[Editor's Note (Murray): The normally closed iOS eco-system is open to enterprises specifically so that they can control the content of enterprise applications and devices. We now see how well that has worked. ]

MPAA Shuts Down Sites Offering Pirated Content (November 3, 2015)

The Motion Picture Association of America (MPAA) has shut down a version of Popcorn Time and YTS. The MPAA obtained an injunction in Canadian court against the operators of PopcornTime.io, and an interim injunction in a New Zealand Court against the operator of YTS.
-http://techcrunch.com/2015/11/03/mpaa-takes-down-pirating-group-and-popcorn-time
-fork/?ncid=tcdaily
-http://arstechnica.com/tech-policy/2015/11/mpaa-shuts-down-major-torrent-sites-i
ncluding-popcorn-time/
-http://www.forbes.com/sites/matthickey/2015/11/04/mpaa-takes-credit-for-shutteri
ng-major-netflix-competitor-replacements-already-online/

New Bill Would Require Law Enforcement to Obtain Warrants Prior to Stingray Use (November 3, 2015)

A new bill in US House of Representatives would require law enforcement to obtain warrants prior to using stingrays. The Cell-Site Simulator Act of 2015, also known as the Stingray Privacy Act, also requires transparency about the technology to be used by those seeking the warrant. The Justice Department has a policy in place requiring warrants for the surveillance technology's use; this bill aims to extend that requirement to law enforcement at all levels in the country.
-http://www.wired.com/2015/11/new-bill-would-force-cops-to-get-warrants-before-sp
ying-with-stingrays/

---

STORM CENTER TECH CORNER

Enhancing Pentesting Recon With nmap
-https://isc.sans.edu/forums/diary/Enhancing+pentesting+recon+with+nmap/20331/

Firefox 42 Released
-https://www.mozilla.org/en-US/security/advisories/

vBulletin Update and Forum Breach
-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcem
ents_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-th
rough-5-1-9

Empirical Analysis of Email Delivery Security
-http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf

Looking for Researchers Performing Internet Wide Scans
-https://isc.sans.edu/forums/diary/Internet+Wide+Scanners+Wanted/20337/

Domain Suspension Notices Delivery CryptoWall 3.0
-https://isc.sans.edu/forums/diary/Malicious+spam+with+links+to+CryptoWall+30+Sub
ject+Domain+name+Suspension+Notice/20333/

XcodeGhost Still Active and Updated for iOS 9
-https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

Cisco Mobility Services Engine Static Credential Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
151104-mse-cred

Microsoft Phasing Out SHA-1 Certificates for Code Signing as of January 1st 2016
-http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforce
ment-of-authenticode-code-signing-and-timestamping.aspx

Cryptowall 4.0 Released
-http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-f
eatures-such-as-encrypted-file-names/

New SANS ISC Feature: Threatfeeds and Map
-https://isc.sans.edu/threatmap.html

Removing Encryption For SQL Server Authentication
-http://blog.thinkst.com/2015/11/stripping-encryption-from-microsoft-sql.html

More Android Adware
-https://blog.lookout.com/blog/2015/11/04/trojanized-adware/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/