SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVII - Issue #89
November 13, 2015
TOP OF THE NEWS
Facebook Transparency Report
How To Address Vulnerabilities in Medical Devices
Bill Would Require DoD to Assess Cybersecurity of All Major Weapons Systems
Thirty-one UK Students Compete and Complete World-Class Cyber Academy
THE REST OF THE WEEK'S NEWS
UK/US Financial Sector Cybersecurity Exercise
Tor Claims Government Paid University to Uncover Users' IP Addresses
Java Library Flaw
Microsoft Patches Causing Problems
Patch Tuesday for Microsoft and Adobe
ProtonMail Recovers From Week of DDoS Attacks
Indictments in JPMorgan Chase Breach Point to Massive Cybercrime Operation
No More Chrome Updates for Outdated Operating Systems
Free Tool Decrypts Files Encrypted by Linux.Encoder.1 Ransomware
The 'Real' Hacker in the LA Times Case Has Never Been Charged
STORM CENTER TECH CORNER
******************** Sponsored By Trend Micro Inc. ***********************
Trend Micro Forward-looking Threat Research shares its deep understanding of the underground world of Bulletproof hosting services in a recent report published by our researcher.
http://www.sans.org/info/181672
***************************************************************************
TRAINING UPDATE
- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx
- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX
- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7
- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy
Plus Cape Town, Dallas, Las Vegas, Brussels, and New Orleans all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Facebook Transparency Report (November 11 and 12, 2015)
During the first half of 2015, governments requested Facebook account data more than 41,000 times, according to the company's most recent transparency report. During that same period in 2014, the figure was just over 35,000. Nearly half of the requests came from US law enforcement. Facebook provided requested data in 80 percent of those cases.
-http://www.csmonitor.com/Technology/2015/1112/Governments-around-the-world-demand-more-user-data-from-Facebook
-http://www.nbcnews.com/tech/social-media/facebook-says-governments-are-making-more-requests-user-data-n461706
Facebook Report:
-https://govtrequests.facebook.com
How To Address Vulnerabilities in Medical Devices (November 2015)
When vulnerability researcher Billy Rios found vulnerabilities in an infusion pump used in hospitals, he contacted the US Department of Homeland Security's ICS-CERT, which notified the Food and Drug Administration (FDA), which in turn notified the manufacturer, but nothing happened until he provided DHS and the FDA with proof-of-concept code demonstrating the risks the devices posed. The FDA issued an advisory recommending that the pumps not be used, but no one was under any obligation to fix the devices that were already in use. Trying to assign responsibility for mitigating these issues has been difficult, and Rios has concluded that the only way to make changes is to put pressure directly on the manufacturers.
-http://www.bloomberg.com/features/2015-hospital-hack/
[Editor's Note (Pescatore and Paller): We'd like to see the Healthcare ISAC take an active role in using the buying power of its members to apply market forces and drive device manufacturers to higher levels of security in their products. Making products safer through industry-wide cooperation using joint buying power is the highest value ISACs can provide. ]
Bill Would Require DoD to Assess Cybersecurity of All Major Weapons Systems (November 11, 2015)
The 2016 National Defense Authorization Act will require the Pentagon to test all major weapons systems for cyber weaknesses. The Defense Department (DoD) will be required to brief legislators on progress quarterly, with the goal of having all assessments complete by 2019. Within six months after the bill passes, DoD must compile a list of all identified systems by name and the estimated cost of the assessment for each. The tests should not duplicate tests already underway. As they find weaknesses, DoD must also draw up mitigation plans. The initiative has a US $200 million cap for 2016.
-http://www.nextgov.com/cybersecurity/2015/11/congress-demands-200-million-antivirus-scan-connected-weapons/123615/?oref=ng-channeltopstory
[Editor's Note (Pescatore): DoD has enormous buying power; this could be a great thing - if it quickly leads to all procurements requiring vendors to provide results of application level vulnerability testing. If this applies to VA and DoD medical centers, it fits nicely with the medical device security item above. But, if it turns into a $200M inventory and mitigation plan effort, that by itself leads to zero increase in security - it is the action part that actually improves security. ]
Thirty-one UK Students Compete and Complete World-Class Cyber Academy (November 11, 2015)
Thirty-one students have completed intensive, immersion training and earned Global Information Assurance Certification (GIAC) certifications through SANS' UK Cyber Academy. The 31 students won a competition for full scholarships from among 25,000 candidates who applied online for a chance to participate in the eight-week Cyber Academy training program. The program was designed to find top talent, boost that talent through intensive hands-on training, and then allow the UK's leading cybersecurity employers to compete - on the basis of jobs that actually make a difference - to recruit the talent.
-http://www.v3.co.uk/v3-uk/news/2434372/council-worker-and-lecturer-among-those-to-have-successfully-completed-sans-academy-cyber-security-course
-http://www.theregister.co.uk/2015/11/11/newcastle_parking_clerk_cybersecurity_genius_sans_academy/
[Editor's Note (Paller): The highest scorer on the exams was a person who worked as a parking clerk, validating the concept that the pathway through which highly skilled people find great cybersecurity jobs must be improved through programs like the Cyber Academy. (Northcutt): This is a great story, and while the parking fine clerk part of the story brings a smile to your face, keep in mind that the other 30 graduates entering the workplace mark a solution for the various "shortage of cyber professionals" articles that we all read. Yes, there is a shortage of cyber professionals that can leap tall buildings in a single bound and also have five years of experience, but if we can just state which job we need done, and if we are willing to accept someone with training and aptitude, we can make progress:
-https://www.linkedin.com/pulse/cyber-security-workforce-shortage-stephen-northcutt?trk=pulse_spock-articles ]
************************** SPONSORED LINKS ********************************
1) Learn more about Blue Coat's Innovation for the Cloud Generation: http://www.sans.org/info/181677
2) In case you missed it on November 3rd: 2015 Cloud Security & Risk Benchmarks Report, featuring Brandon Cook and John Pescatore. http://www.sans.org/info/181682
3) FREE eBook - Learn Top 10 Ways to 'Combat Insider Threats' http://www.sans.org/info/181687
***************************************************************************
THE REST OF THE WEEK'S NEWS
UK/US Financial Sector Cybersecurity Exercise (November 12, 2015)
The UK and the US conducted a joint cybersecurity exercise this week to test the financial sector's response to a cyberattack. The simulation focused on information sharing, incident management, and communication with the public.
-http://www.nbcnews.com/tech/security/u-s-u-k-test-response-major-financial-cyberattack-n462406
Tor Claims Government Paid University to Uncover Users' IP Addresses (November 12, 2015)
According to the head of the Tor Project, the FBI paid researchers at Carnegie Mellon University US $1 million to identify users of the anonymizing network. Neither university officials nor the FBI have responded to the allegations, although a CMU spokesperson asked "to see the substantiation for their claim." In August 2014, CMU researchers were scheduled to give a talk on cracking Tor at the Black Hat conference, but the briefing was pulled from the schedule.
-http://arstechnica.com/tech-policy/2015/11/tor-director-fbi-paid-carnegie-mellon-1m-to-break-tor-hand-over-ips/
-http://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/
-http://www.theregister.co.uk/2015/11/12/fbi_paid_bounty_to_hack_tor_project/
-http://www.bbc.com/news/technology-34797188
Tor Statement:
-https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users
Black Hat Talk Cancellation Notice:
-https://www.blackhat.com/latestintel/07212014-a-schedule-update.html
[Editor's Comment (Northcutt): I will step up to out myself. I am stephen@sans.edu. I use TOR. I do not have secret plans to overthrow the US government or anything similar. I realize that Apple, Microsoft and Google are tracking my every Internet click. Please consider clicking on the link below and seeing how trackable your browser is. I use TOR for a bit of relief, a bit of privacy. I have included the link below; run it, think about the implications, use TOR. We need a referendum in the next election that the GOVT may not use taxpayer funds to track us. Of the many presidential candidates, is there ONE that will actually think about us, we the people?
-https://panopticlick.eff.org ]
Java Applications Vulnerable To Nine-Month-Old Exploit (November 11, 2015)
A vulnerability in the Apache Commons library for Java could be exploited to allow remote code execution. The library is used by default in Java application servers and other products. The issue lies in unsafe deserialization of Java objects; it was first disclosed in January 2015. Oracle has issued an alert detailing a temporary mitigation while a fix is being developed.
-http://www.computerworld.com/article/3004505/security/thousands-of-java-applications-vulnerable-to-nine-month-old-exploit.html
-http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
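The mitigation in Oracle's alert is described as temporary; the durable fix in application code is to refuse to deserialize any class the application does not expect. As an added example (not code from the newsletter, Oracle, or Apache Commons), the Java reader below allow-lists the one expected class in resolveClass(), so a stream naming any other class is rejected before an object is constructed; the Greeting type and the class names are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added example: a "look-ahead" ObjectInputStream that refuses to resolve
// classes outside an explicit allow-list. Deserialization gadget chains depend
// on the reader instantiating arbitrary Serializable classes it finds on the
// classpath; failing in resolveClass() stops that before any such object exists.
public class SafeDeserialization {

    /** Only these classes may ever be deserialized by this reader (constructed allow-list). */
    static final Set<String> ALLOWED = new HashSet<>(
        Collections.singletonList("SafeDeserialization$Greeting"));

    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: the class name comes from the untrusted stream,
                // so report it but never load it.
                throw new InvalidClassException(name, "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** A harmless type the application legitimately expects to receive (constructed). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type is accepted.
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Any other class, here a stand-in java.util.ArrayList, is rejected before
        // it is instantiated; a real gadget class fails at exactly the same point.
        try {
            deserialize(serialize(new ArrayList<>(Collections.singletonList("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Newer JDKs (Java 9, and 8u121 onward) ship java.io.ObjectInputFilter for the same purpose; the subclass above is the equivalent allow-list for older runtimes.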
Microsoft Patches Causing Problems (November 11 and 12, 2015)
Windows users are reporting problems with some of the patches released on Tuesday, November 10. Some users have reported that one of the updates causes Outlook to crash. Microsoft has reissued the patch.
-http://www.zdnet.com/article/outlook-crashing-after-windows-security-updates-you-are-not-alone/
-http://www.theregister.co.uk/2015/11/11/patch_tuesday_downloads_buggy_ms_patch/
[Editor's Note (Pescatore): Always a bad thing when this happens, as it both justifies slower patching by IT and also causes patches to be rolled back, which leaves openings for attackers. Microsoft had a problem years ago with sloppy patch QA and seemed to fix it, but in the past year or so quality does seem to be slipping. ]
Patch Tuesday for Microsoft and Adobe (November 11, 2015)
On Tuesday, November 10, Microsoft and Adobe released security updates. Microsoft issued a dozen security bulletins to address 54 vulnerabilities. Four of the bulletins are rated critical; they address flaws in Internet Explorer, Edge, the Windows Journal System, and Windows. Adobe released an update for its Flash Player to address 17 vulnerabilities, including several use-after-free issues.
-http://www.theregister.co.uk/2015/11/11/edge_explorer_flash_patches/
-http://krebsonsecurity.com/2015/11/critical-fixes-for-windows-adobe-flash-player/
-http://www.scmagazine.com/patch-tuesday-adobe-addresses-17-critical-vulnerabilities-in-flash/article/453050/
-http://www.scmagazine.com/patch-tuesday-microsoft-addresses-ie-and-edge-vulnerabilities/article/453047/
-http://www.computerworld.com/article/3004464/application-security/four-critical-patches-for-november-patch-tuesday-update-core-windows-and-office-components.html
-https://technet.microsoft.com/en-us/library/security/dn903782.aspx
ProtonMail Recovers From Week of DDoS Attacks (November 10, 2015)
Swiss encrypted email provider ProtonMail says it has recovered from a week of debilitating distributed denial-of-service (DDoS) attacks. The attacks started on November 3. ProtonMail paid a ransom of roughly US $6,000 in bitcoins to a group calling itself the Armada Collective, but the attacks persisted. ProtonMail concluded that it was being targeted by two separate entities. The second wave of attacks also took down the datacenter that houses the company's servers.
-http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/
Indictments in JPMorgan Chase Breach Point to Massive Cybercrime Operation (November 10, 2015)
US federal prosecutors have indicted three people in connection with a 2014 breach of systems at JPMorgan Chase that compromised 83 million accounts. The breach appears to be part of a "sprawling enterprise." Two of the suspects, Gery Shalon and Ziv Orenstein, were arrested in Israel in July 2015. The third, Joshua Samuel Aaron, remains at large.
-http://www.bloomberg.com/news/articles/2015-11-11/hackers-stay-step-ahead-of-banks-with-lies-and-phony-pet-stores
-https://www.washingtonpost.com/news/the-switch/wp/2015/11/10/u-s-announces-criminal-charges-in-massive-2014-jpmorgan-hack/
-http://www.scmagazine.com/trio-indicted-on-23-charges-for-chase-breach-financial-hacking-scheme/article/453076/
-http://www.eweek.com/security/trio-indicted-in-massive-jpmorgan-hack.html
-http://www.justice.gov/usao-sdny/pr/attorney-general-and-manhattan-us-attorney-announce-charges-stemming-massive-network
No More Chrome Updates for Outdated Operating Systems (November 10, 2015)
Google announced that it will stop providing updates for its Chrome browser tailored to Windows XP, Windows Vista, and Mac OS 10.6, 10.7, and 10.8. The last update for the unsupported operating systems will be released in April 2016.
-http://www.computerworld.com/article/3004014/web-browsers/google-cuts-off-chrome-updates-on-windows-xp-and-vista.html
-http://money.cnn.com/2015/11/11/technology/chrome-xp-vista/index.html
-http://arstechnica.com/gadgets/2015/11/chrome-to-end-support-for-windows-xp-vista-and-os-x-10-8-on-april-2016/
-http://www.zdnet.com/article/google-ending-chrome-support-for-windows-xp-vista-in-april/
Free Tool Decrypts Files Encrypted by Linux.Encoder.1 Ransomware (November 10 and 12, 2015)
Researchers have developed a way to decrypt files that were encrypted with ransomware called Linux.Encoder.1, which, as its name suggests, targets Linux servers. The free decryption tool, available from Bitdefender, takes advantage of a flaw in the way the malware implements encryption.
-http://www.computerworld.com/article/3003461/security/first-linux-ransomware-program-cracked-for-now.html
-http://www.theregister.co.uk/2015/11/12/cures_for_ransomware_linux_cryptowall/
The "Real" Hacker in the LA Times Case Has Never Been Charged (November 10, 2015)
Although authorities know the identity of the person who may actually have broken into the website of the Los Angeles Times in 2010, that individual has not been charged. Instead, prosecutors focused their efforts on Matthew Keys, former deputy social media editor for Reuters, who was found guilty of conspiracy in the breach for providing the intruders with website login credentials.
-http://www.wired.com/2015/11/matthew-keys-case-feds-know-who-the-real-hacker-sharpie-is/
STORM CENTER TECH CORNER
Microsoft Patch Tuesday Updates
-https://isc.sans.edu/forums/diary/November+2015+Microsoft+Patch+Tuesday/20359/
Adobe Flash Player Update
-https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
KB3097877 (MS15-115) Causing Login Issues and Problems With Outlook
-https://social.technet.microsoft.com/Forums/windows/en-US/336eae75-b5f4-41ea-bd2b-5f0248585a66/blank-screen-after-pressing-ctrlaltdel-for-login-after-windows-updates-no-way-of-logging-in-on?forum=w7itpronetworking
Oracle Releases Security Alert For Java Deserialization Vulnerability in WebLogic Server
-http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
iOS and Android Malware Stealing Instagram Passwords
-https://twitter.com/PeppersoftDev/status/664066647360151552
Symantec Endpoint Protection Elevation of Privilege Vulnerability Fixed
-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2015&suid=20151109_00
Linux Ransomware Key Analysis
-http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
Cisco Cloud Web Security (Scansafe) DNS Hijack
-https://isc.sans.edu/forums/diary/Cisco+Cloud+Web+Security+DNS+Hijack/20371/
Microsoft Re-Issues KB3097877
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+followup+KB3097877+reissued/20367/
Samsung Galaxy S6 Baseband Chip Exploit
-http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1
Volatility 2.5 Released
-http://www.volatilityfoundation.org/#!25/c1f29
DoS Vulnerability Patch for Hyper-V
-https://technet.microsoft.com/library/security/3108638.aspx
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/