SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #90

November 17, 2015

TOP OF THE NEWS

Conficker Found on Police Body Cameras
Airport Temporarily Shuts Down Due to Windows 3.1 Failure

THE REST OF THE WEEK'S NEWS

FireEye Says Watering Hole Attacks Use Web Analytics
Microsoft Update Fixes BitLocker Bypass Vulnerability
T-Mobile Fixes Flaw in MetroPCS Payment Website
Android Gmail App Flaw Allows Spoofing
Chrome for Android Zero-Day
Gmail Will Warn Recipients of Unencrypted Messages
Eight-Month Sentence for DDoS Attacks
Inaudible Sounds Being Used to Track Users Across Multiple Devices
National Defense Authorization Act Mandates Cyber War Games
Pentagon Tightening Policy on Links in eMail

STORM CENTER TECH CORNER


************************** Sponsored By Symantec *************************

Symantec is focused on ensuring you have the ability to Uncover and Respond to Cyber Threats across your endpoints, Email and the Network. Use this quick and easy resource to gather information on Threat Protection from Symantec. http://www.sans.org/info/180577

**************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | 36 courses. Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured.
http://www.sans.org/u/7Qx

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Cape Town, Dallas, Brussels, Scottsdale, Munich, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Conficker Found on Police Body Cameras (November 14, 2015)

There are reports that the Conficker worm has been found on police body cameras supplied by Martel Electronics. When the cameras were connected to computers, Conficker immediately tried to infect the machines, and once it had infected a machine it tried to spread to other machines on the same network. Conficker was first detected in late 2008; it propagates by exploiting the Windows Server service vulnerability patched in MS08-067, by guessing weak passwords on administrative shares, and by copying itself to removable media, so any host that mounts an infected camera without current anti-virus or the 2008 patch is exposed.
-http://arstechnica.com/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/

-http://www.theregister.co.uk/2015/11/14/remember_conficker_its_back_and_its_infecting_police_body_cams/

-http://www.zdnet.com/article/crooks-use-old-school-conficker-virus-to-infect-police-body-cams/

[Editor's Comment (Pescatore): Just the way you would suspend or ban a supplier if you found their product contained lead or asbestos, same logic should apply when a supplier ships software contaminated with well known "toxins". (Ullrich): Conficker is about 6 years old. Having malware that is included in every single anti-virus engine that was updated sometime in the last 5 years infect these devices is probably just the tip of the iceberg when it comes to the security and reliability of these devices. ]

Airport Temporarily Shuts Down Due to Windows 3.1 Failure (November 13 and 16, 2015)

Earlier this month, Paris's Orly Airport shut down temporarily, unable to operate in foggy weather after a system running the Windows 3.1 operating system failed. The system, known as DECOR, provides pilots with Runway Visual Range (RVR) data; when visibility is poor, the information communicated by DECOR is essential. The secretary general of France's UNSA-IESSA air traffic controller union noted that there are "only three specialists who can deal with DECOR-related issues."
-http://arstechnica.com/information-technology/2015/11/failed-windows-3-1-system-blamed-for-taking-out-paris-airport/

-http://www.zdnet.com/article/a-23-year-old-windows-3-1-system-failure-crashed-paris-airport/

-http://www.pcmag.com/article2/0,2817,2495103,00.asp
[Editor's Comment (Pescatore): There is an old phrase "It is hard to update the plane while the plane is flying." The aviation world has a long history of using old technology long past what is generally regarded as its useful life - there are often valid business reasons for doing so, but the costs of avoiding self-inflicted denial of service have to be included in the tradeoffs. (Ullrich): This is a very typical use case for legacy systems. Currently if you find a Windows 9x or older system, you are likely looking at a system that is critical to the organization or even has life/safety impact. These are exactly the systems that nobody dares to upgrade as they may fail as a result. But instead, they are failing due to outdated software and hardware. ]


************************** SPONSORED LINKS ********************************
1) Learn more about Blue Coat's Innovation for the Cloud Generation: http://www.sans.org/info/181692

2) Don't Miss: Mitigating the point of sale data breach threat: Strategies to put into place now. Wednesday, November 18 at 3:00 PM EST (20:00:00 UTC) featuring Christopher Strand, Sr. Director of Compliance for Bit9. http://www.sans.org/info/181697

3) How to Detect and Respond to Specific Advanced Threats: Essential Use Cases with RSA Security Analytics. Wednesday, December 02 at 1:00 PM EST (18:00:00 UTC) with Robert M. Lee, Certified SANS Instructor and Travis Dye, Senior Systems Engineer, RSA. http://www.sans.org/info/181702
***************************************************************************

THE REST OF THE WEEK'S NEWS

FireEye Says Watering Hole Attacks Use Web Analytics (November 16, 2015)

FireEye has identified a campaign that injects profiling and tracking scripts into websites frequented by business executives, diplomats, government officials, and academic researchers. The injected scripts carry no malicious payload; they collect information about visitors and their software configurations (browser, plug-in and operating system versions), which is what an attacker needs to identify worthwhile targets and choose an exploit that will work against them in a later stage. FireEye has dubbed the profiling script WITCHCOVEN.
-http://www.computerworld.com/article/3005270/malware-vulnerabilities/state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites.html

-http://www.cbronline.com/news/cybersecurity/data/witchcoven-shows-dark-side-of-web-analytics-4720508

-https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html

Microsoft Update Fixes BitLocker Bypass Vulnerability (November 16 and 17, 2015)

One of the patches Microsoft released last week (MS15-122) fixes a flaw that could have been exploited to bypass the company's BitLocker disk encryption. The bypass, presented by Ian Haken at Black Hat Europe, applies to domain-joined machines that unlock the drive with the TPM alone, so that an attacker with physical access reaches the Windows logon screen and can defeat local authentication there without ever touching the encryption keys. Machines configured for pre-boot authentication (TPM plus PIN or USB key) are not affected, which is the configuration to verify on laptops that leave the building. BitLocker is a built-in feature of Windows Vista and later operating systems.
-http://www.zdnet.com/article/bitlocker-flaw-researchers-found-bypass-microsoft-disk-encryption/

-http://www.theregister.co.uk/2015/11/17/bitlocker_blackhat_ian_haken/

T-Mobile Fixes Flaw in MetroPCS Payment Website (November 16, 2015)

T-Mobile has fixed a vulnerability in the MetroPCS payment website that could have exposed customer account information. The site returned account details for whatever phone number was supplied in a request: by using a Firefox plug-in to send a crafted HTTP request containing the target's number, an attacker could have retrieved the name, address, and phone model and serial number associated with that account. MetroPCS offers pre-paid wireless service and is a subsidiary of T-Mobile.
-http://www.theregister.co.uk/2015/11/16/metropcs_patches_hole_that_opened_10_million_user_creds_to_plunder/

-http://www.scmagazine.com/metropcs-payment-site-bug-left-millions-at-risk/article/454131/

Android Gmail App Flaw Allows Spoofing (November 13 and 16, 2015)

A flaw in the Android Gmail app could be exploited to spoof the sender of email. If a user changes their display name in the account settings to a value containing an extra quotation mark, a parsing flaw in the app hides the sender's real address and shows only the chosen name, so a recipient sees no visible cue that the message came from a different account. Google does not consider the issue to be a security flaw.
-http://www.zdnet.com/article/android-gmail-app-security-hole-lets-you-pretend-to-be-anyone-online/

-http://motherboard.vice.com/en_au/read/gmail-android-app-bug-lets-you-send-emails-pretending-to-be-someone-else

Chrome for Android Zero-Day (November 12, 13, and 16, 2015)

A flaw in Google's Chrome browser for Android, demonstrated at the MobilePwn2Own contest at PacSec in Tokyo, could be exploited to take control of a device. The attack targets Chrome's JavaScript engine: a device whose user is lured to a maliciously crafted web page can be made to install an application designed to hijack the device.
-http://www.zdnet.com/article/chrome-zero-day-flaw-places-millions-of-smartphone-users-at-risk/

-http://www.ibtimes.co.uk/google-chrome-exploit-targets-javascript-engine-let-attackers-hack-any-android-device-1528560

-http://www.theregister.co.uk/2015/11/12/mobile_pwn2own/

Gmail Will Warn Recipients of Unencrypted Messages (November 13, 2015)

Gmail will start notifying users when email in their inbox was sent over an unencrypted connection. The change will be rolled out over the next several months. Google hopes the practice will encourage the use of encryption and strong authentication.
-http://www.darkreading.com/endpoint/google-study-finds-email-security-a-mixed-bag/d/d-id/1323147?

-http://www.zdnet.com/article/gmail-to-warn-when-email-arrives-over-unencrypted-connections/

-http://www.nbcnews.com/tech/security/google-warn-gmail-users-when-emails-arrive-shady-connections-n463296
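Two of the Gmail items above, the display-name spoofing in the Android app and the coming warning about mail that arrives over unencrypted connections, both come down to reading message headers on the receiving side rather than trusting what a client renders. The following is an added example, not code from Google or from any of the linked articles: it parses a constructed RFC 5322 message, flags a From: display name that smuggles in an address, an unbalanced quotation mark or angle brackets, and reads the topmost Received: header to see whether the last hop used STARTTLS (the ESMTPS/ESMTPSA transmission types registered by RFC 3848). The messages, host names and addresses in it are made up for the example.

```python
"""Receiver-side header checks: suspicious From: display names and whether
the last SMTP hop used TLS.  Added example; the sample messages below are
constructed and the hosts/addresses in them are invented."""
import email
import re
from email.message import Message

# Angle-bracket address at the end of a From: value; whatever precedes it is
# the display name.  Deliberately minimal: the point is to inspect the display
# name, not to be a complete RFC 5322 parser.
ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")

# Transmission-type keywords whose "S" suffix means the hop used STARTTLS
# (RFC 3848 for ESMTPS/ESMTPSA, RFC 6531 for the UTF8SMTP variants).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_CLAUSE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def split_from(value: str):
    """Return (display_name, addr_spec) for a From: header value."""
    m = ANGLE_ADDR.search(value)
    if not m:
        return "", value.strip()          # bare addr-spec, no display name
    return value[: m.start()].strip(), m.group(1).strip()


def display_name_findings(display: str):
    """Reasons a display name looks like it is impersonating an address."""
    findings = []
    # An odd number of unescaped quotes is the trick from the Android item:
    # the stray quote confuses a lenient parser about where the name ends.
    if len(re.findall(r'(?<!\\)"', display)) % 2:
        findings.append("unbalanced quote in display name")
    inner = display.strip().strip('"')
    if "@" in inner:
        findings.append("address-like text in display name")
    if "<" in inner or ">" in inner:
        findings.append("angle bracket inside display name")
    return findings


def last_hop_used_tls(msg: Message):
    """True/False for the topmost Received: header (the hop into your own MX);
    None when the message carries no Received: header at all."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = WITH_CLAUSE.search(received[0])
    return bool(m) and m.group(1).upper() in TLS_PROTOCOLS


def check_message(raw: str):
    """Run both checks over one raw message and return the findings."""
    msg = email.message_from_string(raw)
    display, addr = split_from(msg.get("From", ""))
    return {
        "display_name": display,
        "addr_spec": addr,
        "display_findings": display_name_findings(display),
        "last_hop_tls": last_hop_used_tls(msg),
    }


# Constructed samples, not captured traffic.
CLEAN = """Received: from mail.example.net (mail.example.net. [192.0.2.10])
        by mx.example.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 13 Nov 2015 10:00:00 -0800 (PST)
From: "Alice Example" <alice@example.net>
To: bob@example.com
Subject: hello

body
"""

SPOOFED = """Received: from relay.example.org (relay.example.org. [198.51.100.7])
        by mx.example.com with ESMTP id def456;
        Fri, 13 Nov 2015 10:05:00 -0800 (PST)
From: "security@bank.example" <attacker@example.org>
To: bob@example.com
Subject: account notice

body
"""

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("spoofed", SPOOFED)):
        print(name, check_message(raw))
```

Run it directly to print the findings for both samples. The display-name check is independent of what any one client renders, which is the point: the Android app's rendering bug hid the address, but the header still carries it. The Received: check only says something about the final hop into your own mail exchanger; earlier hops can still have been in the clear, and that is the gap the Gmail warning is meant to expose.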

Eight-Month Sentence for DDoS Attacks (November 13, 2015)

A UK man has been given an eight-month prison sentence for launching more than 300 distributed denial-of-service attacks (DDoS) in 2013. Ian Sullivan launched attacks against government sites, British Airways, and several banks.
-http://www.theregister.co.uk/2015/11/13/brit_gets_eight_months_for_ddos_spree/
-http://www.scmagazine.com/uk-man-headed-to-prison-for-ddos-attacks/article/453967/

Inaudible Sounds Being Used to Track Users Across Multiple Devices (November 13, 2015)

High-frequency sounds are being used to track people's behavior across multiple devices. The sounds, which are inaudible to humans, are embedded in television commercials and online advertisements. Tablets and smartphones detect the sounds. The US Federal Trade Commission (FTC) held a Cross-Device Tracking workshop on Monday, November 16, to address the issue.
-http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

-https://www.ftc.gov/news-events/events-calendar/2015/11/cross-device-tracking
[Editor's Comment (Northcutt): For years I charged my iPhone with a USB cord connected to my Mac in the office over the garage. Now I have to teach myself to plug it in by the downstairs bedroom where there is no computer. What will they think of next? ]

National Defense Authorization Act Mandates Cyber War Games (November 12, 2015)

Congress has directed the US Cyber Command to conduct simulated cyber war games against Russia, China, Iran, and North Korea. The 2016 National Defense Authorization Act says the Joint Chiefs of Staff will conduct the exercises to assess the strategy, "assumptions, and capabilities of the US Cyber Command to carry out simulated war games."
-http://www.nextgov.com/cybersecurity/2015/11/cyber-war-games-against-china-iran-and-n-korea-set-2016/123660/?oref=ng-channeltopstory

[Editor's Comment (Assante): Cyber focused exercises are a good idea but they should be augmented with cyber integrated into traditional large-scale military exercises. Exercises should consider both bolt from the blue scenarios and intensifying cyber intrusions, espionage, and implanting of more destructive or disruptive payloads as geopolitical events escalate. Simulated attacker objectives should be realistic and measured, for example, short-term disruption of power in specific areas to delay mobilization or demonstrate elements of our infrastructure are at risk. It would also be prudent to widen the set of cyber actors to include groups and causes or unknown actors as it is important to consider contributing organic actions and false flag attacks. ]

Pentagon Tightening Policy on Links in eMail (November 12, 2015)

In an effort to improve email security, the Pentagon will begin rendering links that arrive in email to .mil addresses unclickable. The policy aims to reduce the efficacy of phishing attacks. The change has already been rolled out to most of the .mil domain.
-https://fcw.com/articles/2015/11/12/dot-mil-blocks-links.aspx

STORM CENTER TECH CORNER

How To Analyze A Malicious Word Document
-https://isc.sans.edu/forums/diary/Analyze+of+a+malicious+Word+document+with+an+embedded+payload/20377/

Let's Encrypt To Open Beta On December 3rd 2015
-https://letsencrypt.org/2015/11/12/public-beta-timing.html

libpng Vulnerability
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126#VulnChangeHistoryDiv

-http://www.openwall.com/lists/oss-security/2015/11/12/2

Police Body Camera Comes With Conficker Pre-Installed
-http://www.goipower.com/?pageId=40

CloudFlare Offering Free DNSSEC
-https://www.cloudflare.com/dnssec/universal-dnssec/

Using Scapy as a Host Scanner
-https://isc.sans.edu/forums/diary/Scanning+tricks+with+scapy/20381/

Latest Windows 10 Update (1511) Removes ESet Antivirus
-http://support.eset.com/kb3733/

BadBarcode: Executing Arbitrary Command Via Barcode Scanners
-http://www.slideshare.net/PacSecJP/hyperchem-ma-badbarcode-en1109nocommentfinal

Lacking Disk Encryption Quality For Mobile Devices
-https://www.blackhat.com/eu-15/briefings.html#faux-disk-encryption-realities-of-secure-storage-on-mobile-devices



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/