SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #92

November 24, 2015

TOP OF THE NEWS

GAO Report on Critical Infrastructure Threat Assessment and Mitigation
'Questionable' Digital Certificate on Some New Dell Laptops
Certification Manager Breach
Comcast's Approach to Piracy Warning Raises Privacy Questions

THE REST OF THE WEEK'S NEWS

TrendMicro Report on Chinese Cybercrime
Yahoo Admits to Blocking Access to eMail Over Ad Blockers
Chimera Ransomware
Starwood Acknowledges Breach
LinkedIn Fixes Flaw in Help Center Site Portal

---

************************ Sponsored By LogRhythm **************************

Scaling Big Data Analytics: SANS Review of LogRhythm 7 Analytics and Intelligence Upgrades. Friday, December 11 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Erick Ingleby. In this webcast, learn how LogRhythm reduces mean time to detect (MTTD) and mean time to response (MTTR) through machine-driven, real-time behavioral analytics, rapid forensic search and automated response.
http://www.sans.org/info/181817

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --Pen Test Hackfest Summit & Training | Alexandria, VA | Nov. 16-23, 2015 | 7 courses.
http://www.sans.org/u/9ch

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Cape Town, Dallas, Brussels, Scottsdale, Munich, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

GAO Report on Critical Infrastructure Threat Assessment and Mitigation (November 20, 2015)

According to a study from the US Government Accountability Office (GAO), most federal agencies responsible for oversight of elements of the country's critical infrastructure lack "a consistent way to gauge threats and security progress" for critical infrastructure systems. Providers of critical infrastructure need consistent metrics to assess cyber threats and track mitigation efforts.
-https://fcw.com/articles/2015/11/20/rockwell-gao-infrastructure.aspx
-http://www.scmagazine.com/critical-infrastructure-networks-lacking-in-performanc
e-metrics/article/455684/
-http://thehill.com/policy/cybersecurity/260963-feds-lack-method-to-grade-critica
l-infrastructure-cybersecurity
-http://www.gao.gov/products/GAO-16-79
[Editor's Note (Paller): DHS has radically underinvested in ICS security - - preferring to spend money "admiring the problem" rather than fixing it. The gentlest word that can be used to describe the behavior of the cybersecurity leaders at DHS is negligent. (Murray): There is a lot to digest here but my takeaway is that our dependence on a fragile infrastructure is not getting the attention that it deserves. If, as our leaders keep telling us, the threat of an attack is not "if" but "when," then timing is everything and time is running out. Even if one does not buy into the alarming threat assessment, the vulnerability is intolerable and the fix urgent. ]

'Questionable' Digital Certificate on Some New Dell Laptops (November 23 and 24, 2015)

Some Dell laptops and desktops have shipped with a pre-installed root certificate bundled with its cryptographic key. Criminals could potentially abuse the certificate to spy on users' encrypted browser traffic. Users reported that when they attempted to remove the certificate, it was automatically reinstalled the next time the machine was booted up. Dell has released a tool for removing the certificate permanently.
-http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-
signed-root-certificates/
-http://krebsonsecurity.com/2015/11/security-bug-in-dell-pcs-shipped-since-815/
-http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/
-http://www.theregister.co.uk/2015/11/23/dell_security_nightmare_gets_worse/
-http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certificate-fi
asco-provides-removal-tool/
[Editor's Note (Ullrich): Dell not only installed a rogue root certificate authority on laptops, but it also installed the secret key to go with it. The result is that everybody can now sign arbitrary certificates, and launch convincing man-in-the-middle attacks, on any Dell laptop with these certificates installed. Affected laptops essentially are no longer protected by TLS connections. This is a huge problem and you should remove these certificates as soon as possible. In order to remove the certificate, you will need to uninstall "Dell Foundation Services". If you just remove the certificate, "Dell Foundation Services" will reinstall it. It should be standard practice to wipe any system received from any manufacturer and reinstall the operating system from known good media. (Honan): It is high time manufacturers realized that the profits they gain from implementing such tools on their hardware do not justify the invasion of their customers' privacy and the undermining of their security. It is also a useful reminder for enterprise security auctioneers to ensure they have a formal process to ensure the security of their supply chain including that of the computers they purchase. (Ranum): The situation is especially egregious since the agencies that "own" cybersecurity appear to be mainly investing in offense rather than defense. The department of Glass Houses continues to invest in stone-throwing rather than infrastructure protection. Is it because defense is harder than offense, or is it simply not as much fun? Either way, the US Government's defensive strategy appears to be primarily: complain about China. That hasn't worked and won't work. Time to get busy actually building defensible networks. (Liston): The best analogy I've found when trying to explain this to people is to imagine a home builder installing the same lock, openable by the same key, on all of the front doors in every house in a subdivision. How does something like this get implemented? Who looks at something like this and thinks, "that's a good idea!"? ]

Certification Manager Breach (November 23, 2015)

A breach of Pearson VUE's Credential Manager System compromised data belonging to "a limited set" of users. Pearson VUE is the certification manager for Cisco, Oracle, IBM.
-http://www.scmagazine.com/pearson-vue-acknowledges-breach-says-data-exposure-app
ears-limited/article/455566/
-http://www.theregister.co.uk/2015/11/23/pearson_vue_data_breach_pcm/
-http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape
rs/wp-prototype-nation.pdf
[Editor's Note (Paller): GIAC does not use the Pearson VUE Credential Manager system, and it appears as of this writing to be unaffected. ]

Comcast's Approach to Piracy Warning Raises Privacy Questions (November 23, 2015)

Comcast warns users when it appears to the company that the users are downloading copyrighted content. Comcast's alert methodology appears to resemble a man-in-the-middle attack. The company's practice of injecting code into unencrypted browser sessions, suggests "that Comcast is using
[deep packet inspection ]
on subscriber's Internet and/or proxying subscriber Internet when they want to send messages to subscribers."
-http://www.zdnet.com/article/comcast-injects-copyright-warnings-into-your-browse
r/
[Editor's Note (Ullrich): Over the last few years, ISPs have used more and more intrusive methods to inspect and modify HTTP traffic (for example the Verizon "super cookie" that is still being used, hotels injecting ads into web pages, and of course China's "red cannon" injecting malicious javascript). If you are looking for a New Years resolution for the internet, eliminating HTTP in favor of HTTPS may be one. With "Lets Encrypt" starting to become operational in a week, SSL certificates will be easy and cheap (free!) to obtain for even small personal websites. If you are looking for a more traditional approach, startssl.com offers free basic certificates already for years. While this is unlikely to result in a 100% solution, 80-90% may be enough for advertisers and others to give up on these practices. ]

---

************************** SPONSORED LINKS ********************************
1) Predicting Cyber Security Trends in 2016. Tuesday, December 15 at 11:00 AM EDT (16:00:00 UTC) featuring Tim (TK) Keanani, Chief Technology Officer at Lancope. http://www.sans.org/info/181822

2) SANS is seeking input from INFOSEC professionals on Endpoint Protection. Take the 2016 Survey and enter to Win $400 Amazon Gift Card. Results will be presented on March 17th. http://www.sans.org/info/181827

3) New whitepaper in the SANS Reading Room: Detecting a Targeted Data Breach with Ease: A SANS Product Review - Sponsored by LightCyber. http://www.sans.org/info/181832
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

TrendMicro Report on Chinese Cybercrime (November 23, 2015)

Trend Micro's report, Prototype Nation: The Chinese Cybercriminal Underground in 2015, describes "increased underground activity" and "the production and sale of new hardware like point-of-sale (PoS) and automated teller machine (ATM) skimmers." The report also notes the growth of stolen data search engines.
-http://www.darkreading.com/attacks-breaches/a-comprehensive-look-at-chinas-cyber
crime-culture/d/d-id/1323281?_mc=sm_dr
-http://www.pcworld.com/article/3008249/as-china-moves-to-payment-cards-cybercrim
inals-follow.html

Yahoo Admits to Blocking Access to eMail Over Ad Blockers (November 23, 2015)

Yahoo has acknowledged that it is testing a "product experience" that prevents some users from viewing their email messages. The problem can be fixed if those users turn off their ad blockers. Some users reported receiving pop-up messages asking them to disable their ad blockers before being permitted to view the contents of their inbox.
-https://www.washingtonpost.com/news/the-switch/wp/2015/11/23/yahoo-escalates-the
-war-on-ad-blockers-by-keeping-people-out-of-their-own-e-mail/
-http://www.bbc.com/news/technology-34899575
[Editor's Note (Ullrich) If you are using Yahoo e-mail and you didn't pay for it, you are the product... if you want privacy, or if you don't like ads, you need to pay for it. (Honan): This is an interesting and different slant on the cost of security. Websites are losing ad revenue due to users employing ad blockers. In many cases these ad blockers are being used to prevent malicious adverts infecting the user's computer. In the real world the cost of a retailer to attract customers to their store is to ensure the customers will be safe in that store and not robbed or molested by criminals. Likewise website owners and advertising network companies need to review how they can guarantee the privacy and security of their customers to their websites. (Liston): Ok, Yahoo is offering a free service, and they can place whatever restrictions on its use they want. However, it's high time that sites that depend on ad revenue realize that ad-blocking isn't just an "experience" issue for consumers - it's a security issue. ]

Chimera Ransomware (November 22, 2015)

Ransomware known as Chimera uses the BitMessage peer-to-peer (P2P) system to communicate with its command-and-control servers. This format makes it more difficult for investigators searching for the Chimera's servers.
-http://www.eweek.com/security/chimera-ransomware-uses-peer-to-peer-for-decryptio
n.html

Starwood Acknowledges Breach (November 20, 21, and 23, 2015)

Attackers infected point-of-sale systems at more than 50 Starwood hotels with malware that allowed them to steal payment card information. Starwood has published a list of properties that were affected by the breach.
-https://www.washingtonpost.com/news/the-switch/wp/2015/11/20/starwood-hotels-war
ns-of-credit-card-breaches-at-more-than-50-locations/
-http://www.zdnet.com/article/starwood-hotels-fall-prey-to-point-of-sale-malware/
-http://krebsonsecurity.com/2015/11/starwood-hotels-warns-of-credit-card-breach/
-http://www.scmagazine.com/starwood-hotels-hit-with-pos-malware/article/455395/
-http://www.cnet.com/news/customers-at-sheraton-westin-other-hotels-hit-by-data-s
tealing-hack-attack/
Starwood Notice:
-http://www.starwoodhotels.com/html/HTML_Blocks/Corporate/Confidential/Letter.htm
List of affected properties:
-http://www.starwoodhotels.com/Media/PDF/Corporate/Hotel_List.pdf

LinkedIn Fixes Flaw in Help Center Site Portal (November 20, 2015)

LinkedIn has fixed a vulnerability in its help center portal that could have been exploited to spread malware through a cross-site scripting (XSS) attack. LinkedIn repaired the hole within hours of being notified.
-http://www.scmagazine.com/linkedin-fixes-persistent-xss-vulnerability/article/45
5407/
-https://threatpost.com/linkedin-fixes-persistent-xss-vulnerability/115417/

OpenDNS Research Used to Predict Threats
-https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/

Social Engineering Trick to Convince Users to Enable Macros
-https://isc.sans.edu/forums/diary/Maldoc+Social+Engineering+Trick/20401/

ZigBee Exploits Against Home Automation
-http://cognosec.com/zigbee_exploited_8F_Ca9.pdf

BizCN gate actor sends CryptoWall 4.0
-https://isc.sans.edu/forums/diary/BizCN+gate+actor+sends+CryptoWall+40/20409/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/