Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #91

November 20, 2015

TOP OF THE NEWS

Major Java Flaw - Deserialization
Nasty Android Malware Allows Adware to Install Without User Permission
Adobe Fixes Flaws

THE REST OF THE WEEK'S NEWS

US House of Representatives Considering Law to Prohibit Swatting
CMU Statement About Tor Allegations
Three-Year Prison Sentence for Operating Piracy Site
Amazon Offering Two-Factor Authentication
EFF Seizes Malicious Website
Microsoft Cyber Defense Operations Center
Snowden on Privacy

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


************************* Sponsored By Splunk ****************************

Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, "what works" list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain. Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC.
http://www.sans.org/info/181762

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS London 2015 | London, UK | November 14-23, 2015 | 15 courses.
http://www.sans.org/u/9bX

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Cape Town, Dallas, Brussels, Scottsdale, Munich, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Major Java Flaw - Deserialization (November 19, 2015)

The Java deserialization vulnerability can be exploited to remotely take control of app servers. It affects all apps that accept serialized Java objects. The issue has been known for a while, but it has not attracted much attention because until now, there were no publicly available exploits for it. The problem is due to apps not validating or checking untrusted input prior to deserialization.
-http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug
-is-a-big-deal/d/d-id/1323237?

[Editor's Note (Ullrich): What makes this flaw so nasty is that it is not a flaw in Java itself, but instead a flaw in a widely used library. Inventorying which libraries are used by specific software is notoriously difficult. Several major enterprise software packages have been updated as a result. But the real challenge is internally written software, or custom software procured from third parties. ]

Nasty Android Malware Allows Adware to Install Without User Permission (November 19, 2015)

Malware known as Shedun hides in an app that masquerades as a legitimate Google Play app. Shedun tricks Android users into granting it control over the Android Accessibility Service. Once that permission is obtained, Shedun displays pop-up advertisements that install adware even when users decline or ignore the requests.
-http://www.theregister.co.uk/2015/11/20/shedun_adware/
-http://arstechnica.com/security/2015/11/android-adware-can-install-itself-even-w
hen-users-explicitly-reject-it/

[Editors Comment (Northcutt): This is an opportunity to improve the operating system. If Google Android cannot obey the user request they will find themselves on the junk heap. (Murray): Effectively validating inputs in our modern layered systems is difficult, particularly when the author of a program cannot know the environment in which it will run. However, ineffective validation of inputs is at the root of the most popular attacks. Developers who choose operating systems and development environments that do not implement strongly typed data, or other mechanisms to prevent systems from being contaminated by their data, must make effective data validation the cornerstone of computer security. ]

Adobe Fixes Flaws (November 17 and 18, 2015)

Adobe has released out-of-cycle security updates for vulnerabilities in ColdFusion application server, LiveCycle Data Services framework, and the Premier Clip iOS app. The hotfixes for ColdFusion address a pair of input validation issues. The fixes also include an updated version of the BlazeDS Java messaging protocol to address a server-side request forgery vulnerability. That same flaw is fixed in the update for LiveCycle.
-http://www.computerworld.com/article/3006276/security/adobe-patches-flaws-in-col
dfusion-livecycle-data-services-and-premiere-clip.html

-http://www.theregister.co.uk/2015/11/17/adobe_releases_outofband_security_patche
s_amazingly_not_for_flash/



************************** SPONSORED LINKS ********************************
1) Learn more about Blue Coat''s Innovation for the Cloud Generation: http://www.sans.org/info/181767

2) How to Detect and Respond to Specific Advanced Threats: Essential Use Cases with RSA Security Analytics. Wednesday, December 02 at 1:00 PM EST (18:00:00 UTC) featuring Robert M. Lee and Travis Dye, Senior Systems Engineer, RSA. http://www.sans.org/info/181772

3) SANS is seeking input from INFOSEC professionals on Endpoint Protection. Take the 2016 Survey and enter to Win $400 Amazon Gift Card. Results will be presented on March 17th. http://www.sans.org/info/181777
***************************************************************************

THE REST OF THE WEEK'S NEWS

US House of Representatives Considering Law to Prohibit Swatting (November 19, 2015)

A US legislator has introduced the Interstate Swatting Hoax Act, which would close a legal loophole in federal law "by prohibiting the use of the Internet telecommunications system to knowingly transmit false information with the intent to cause an emergency law enforcement response." Current federal law prohibits the use of the communications systems to falsely report a bomb threat or terrorist attack, but not other emergency situations.
-http://krebsonsecurity.com/2015/11/federal-legislation-targets-swatting-hoaxes/
-http://arstechnica.com/tech-policy/2015/11/interstate-swatting-hoax-act-introduc
ed-in-congress-to-close-legal-loopholes/

CMU Statement About Tor Allegations (November 18, 2015)

Carnegie Mellon University (CMU) has issued a statement regarding allegations that researchers at the school helped the FBI track and identify Tor users, and that CMU was paid $1 million for the work. The statement notes that the Software Engineering Institute, which is part of CMU, "is a federally funded research and development center,
[and CMU is occasionally ]
served subpoenas requesting information about research it has performed."
-http://www.theregister.co.uk/2015/11/19/tor_wars_cmu_says_fbi_came_not_with_cash
_but_a_subpoena/

-http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-breaking-re
search/

CMU Statement:
-https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html

Three-Year Prison Sentence for Operating Piracy Site (November 18, 2015)

A federal judge has sentenced Rocky Ouprasith to three years in prison for operating a website that offered pirated music. Ouprasith pleaded guilty to criminal copyright infringement. He has also been ordered to pay US $100,000 in restitution.
-http://arstechnica.com/tech-policy/2015/11/us-piracy-cyberlocker-operator-gets-3
-years-in-prison-must-pay-100k/

-http://cdn.arstechnica.net/wp-content/uploads/2015/11/rockystatementoffacts.pdf
-http://cdn.arstechnica.net/wp-content/uploads/2015/11/rockysentence.pdf

Amazon Offering Two-Factor Authentication (November 18, 2015)

Amazon is now offering two-factor authentication to enhance account security. Amazon did not announce that the feature was available, but users can opt in through their account settings.
-http://www.cnet.com/news/amazon-offers-stronger-protection-for-your-account/
[Editor's Note (Pescatore): There's no doubt about it: two factor authentication (2FA) is annoying; but so is looking both ways before you cross the street. ATM machines have required us to use 2FA forever - time for computer use to evolve to the same. Not a panacea, but a huge bar raiser. (Murray): Amazon has been high on my list (with American Express and Fidelity) of enterprises that I have wanted to offer strong authentication to me as a customer. (As an "Internet Enterprise" use of it internally is mandatory.) It is timely now as Amazon expands its business as a hosting provider (AWSW) and an e-commerce check-out proxy. Amazon's implementation is similar to Google's, easy to set up following the instructions in the C|Net article (which undersells the mechanism.) but otherwise not easy to find. (Honan): It is great to see consumer focused services introduced additional security controls to protect their customers' accounts, this will hopefully heighten awareness amongst those users who will expect, or at least be more open, to similar controls introduced into the workplace. ]

EFF Seizes Malicious Website (November 18, 2015)

The Electronic Frontier Foundation (EFF) has been granted control of a website that pretended to be affiliated with EFF and was spreading malware. The site, EletronicFrontierFoundation.org, is believed to have been run by Russian cybercriminals. The EFF launched a uniform dispute resolution process (EDRP) complaint with the United Nations (UN) agency World Intellectual Property Organization (WIPO), which issued a judgment giving control of the site to the EFF.
-http://www.scmagazine.com/eff-seizes-deceptive-website-used-for-high-level-phish
ing-attacks/article/454698/

-http://www.theregister.co.uk/2015/11/18/eff_malware_domain/
-http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2015-1628

Microsoft Cyber Defense Operations Center (November 17 and 18, 2015)

Microsoft is establishing a Cyber Defense Operations Center, a "state-of-the-art facility
[that ]
brings together security response experts from across the company to help protect, detect, and respond to threats in real-time."
-http://www.eweek.com/security/microsoft-opens-cyber-defense-operations-center.ht
ml

-http://www.darkreading.com/endpoint/microsoft-invests-$1-billion-in-holistic-sec
urity-strategy/d/d-id/1323170

-http://www.nbcnews.com/tech/security/microsoft-ceo-announces-cyber-defense-opera
tions-center-n464946

-http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-fi
rst-cloud-first-world/

Snowden on Privacy (November 12, 2015)

In interview conducted in person, Edward Snowden talks with Micah Lee about basic security practices everyone should adopt (encryption, password managers, and two-factor authentication); the value of Tor; and what developers can do to help thwart surveillance.
-https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-
privacy/


STORM CENTER TECH CORNER

Two tools used widely by infosec people have been recently upgraded: - - Wireshark 2.0.0 (
-https://www.wireshark.org/docs/relnotes/wireshark-2.0.0.html)
- - Nmap 7 (
-https://nmap.org/7/)

Automatic MIME attachments triage
-https://isc.sans.edu/forums/diary/Automatic+MIME+attachments+triage/20385/

Adobe Releases Security Hotfix for Clodfusion 10 and 11
-https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html

Active Exploitation of Recent vBulletin Flaws
-http://www.symantec.com/connect/fr/blogs/patch-now-cybercriminals-are-actively-s
earching-servers-running-vulnerable-versions-vbulletin

strongSwan Authentication Bypass Vulnerability
-https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-(cve-2015-80
23).html

Google to Warn Users of Un-Encrypted E-Mail
-https://threatpost.com/google-to-warn-recipients-of-unencrypted-gmail-messages/1
15379/

Help Wanted: Testers for pfsense DShield Client
-https://isc.sans.edu/forums/diary/Help+Wanted+Please+help+test+our+experimental+
PFSense+Client/20389/

Stealing LastPass Credentials From Infected Systems
-http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/

dnscat Now Supports Crypto
-https://blog.skullsecurity.org/2015/dnscat2-now-with-crypto

Malware Use of Steganography for C&C
-https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight
-Advances-In-Malware-Covert-Communication-Channels.pdf

First Beta of NTPsec Released
-https://www.ntpsec.org

When Hunting BeEf, Yara Rules
-https://isc.sans.edu/forums/diary/When+Hunting+BeEF+Yara+rules/20395/

SilverPush Unmasked
-https://github.com/MAVProxyUser/SilverPushUnmasked

Amazon Starts Offering 2-Factor Authentication
-https://www.amazon.com/a/settings/approval
-https://twofactorauth.org

HoneyPy Honeypot
-https://github.com/foospidy/HoneyPy/blob/master/README.md

Arris Cable Modem Backdoor
-https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/