SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #93

December 01, 2015

TOP OF THE NEWS

Dept. of Interior Networks Breached by Foreign Intelligence
VTech Breach Affects Five Million People
FBI Investigating Massive Account Credential Theft and Sale

THE REST OF THE WEEK'S NEWS

BlackBerry to Leave Pakistan Over Privacy Issues
FISC Names Friends of the Court
Amazon Password Reset
Microsoft Security Tools Remove Dell's Dodgy Certificate
Cable Router Double Backdoor
Hilton Confirms Point-of-Sale System Breach
Sony Breach Settlement Gets Preliminary Approval
Lenovo Patches Flaw in Update Tool
LANDESK Breach May Have Serious Implications
Microsoft Releases Revised Update for Windows 10
Developing Technical Standards for Insulin Pumps

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Symantec ***************************

The average enterprise uses 75 distinct security products - that overload creates huge opportunities for attackers because it slows detection. With new Symantec Advanced Threat Protection, you can quickly discover and remediate attacks. Join our webcast on December 8th and see how Symantec Advanced Threat Protection does this:
http://www.sans.org/info/181867

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS San Francisco 2015 | San Francisco, CA | Nov. 30-Dec. 5, 2015 | 8 courses.
http://www.sans.org/u/9c7

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Dallas, Brussels, Scottsdale, Munich, and Tokyo all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Dept. of Interior Networks Breached by Foreign Intelligence (November 24 and 25, 2015)

Networks at the US Department of the Interior (DOI) were breached nearly 20 times over the last several years. A report from the Office of Inspector General (OIG) says, "hackers and foreign intelligence services have compromised DOI's computer networks by exploiting vulnerabilities in publicly accessible systems, ... result
[ing ]
in the loss of sensitive data and disruption of bureau operations."
-http://thehill.com/policy/cybersecurity/261313-ig-chinese-hackers-hit-interior-d
epartment-in-2013
-http://www.nextgov.com/cybersecurity/2015/11/interior-department-hacked-china-ot
hers-19-times/123990/?oref=ng-channelriver
OIG Report:
-https://www.doioig.gov/sites/doioig.gov/files/2015ER068Public.pdf
(Discussion of breaches starts on page 23.)
[Editor's Note (Henry): The OIG report says "There was no evidence indicating any loss, theft or compromise of any other sensitive information." That shouldn't provide any comfort, as adversaries are very capable of hiding their efforts - demonstrated by the fact that there were 19 breaches, undetected at the time of breach. (Paller): Kudos to Interior's OIG for bringing the Department of Interior into the modern security era where incidents are not hidden but rather analyzed and their lessons used to help shape security investments. That's what nearly every major Silicon Valley technology company and many financial organizations are now doing, and it is what federal agencies have not been doing. Whenever we hear a federal CISO or CIO saying something like "We've been lucky and haven't had any substantial breaches, yet," let's all say, in unison, those immortal words from Lake Wobegon Days, "Liar, liar, pants on fire." ]

VTech Breach Affects Five Million People (November 27 and 30, 2015)

Electronic toy company VTech has "temporarily suspended" its Learning Lodge app store after discovering a database breach that compromised records of more than five million people, 200,000 of whom are children.
-http://www.wired.com/2015/11/vtech-childrens-gadget-maker-hack-5-million-account
s/
-http://www.bbc.com/news/technology-34963686
-http://www.cnet.com/news/hack-of-toy-maker-vtech-exposes-families/
-http://arstechnica.com/security/2015/11/when-children-are-breached-inside-the-ma
ssive-vtech-hack/
-http://arstechnica.com/security/2015/11/hacked-toymaker-leaked-gigabytes-worth-o
f-kids-headshots-and-chat-logs/
-http://www.computerworld.com/article/3009236/cybercrime-hacking/massive-vtech-ha
ck-exposes-data-of-nearly-5-million-parents-and-over-200-000-kids.html
-http://www.vtech.com/en/press_release/2015/statement/
[Editor's Note (Ullrich): This breach is particularly troubling for the large number of minors who not only had credentials exposed, but pictures taken with VTech devices as well. Might make you think twice before connecting playroom with the cloud via devices from other manufacturers, not just VTech (Hello Barbie.) ]

FBI Investigating Massive Account Credential Theft and Sale (November 27 and 30, 2015)

The FBI is investigating an individual who allegedly played a role in the theft of billions of login credentials for more than 400,000 websites. The information was offered for sale on several underground websites.
-http://www.scmagazineuk.com/fbi-investigates-russian-hacker-that-stole-billions-
of-login-credentials/article/456482/
-http://www.theregister.co.uk/2015/11/27/mr_grey_the_russian_hacker_who_helped_ha
ul_in_12_billion_logins/

---

************************** SPONSORED LINKS ********************************
1) Download the free eBook: Cracking the Endpoint - Insider Tips for Endpoint Security: http://www.sans.org/info/181872

2) Learn more about the Blue Coat Security Platform, Blue Coat's Innovation for the Cloud Generation: http://www.sans.org/info/181677

3) Don't Miss: Scaling Big Data Analytics: SANS Review of LogRhythm 7 Analytics and Intelligence Upgrades. Friday, December 11 at 1:00 PM EST (18:00:00 UTC) featuring Dave Shackleford and Erick Ingleby. http://www.sans.org/info/181877
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

BlackBerry to Leave Pakistan Over Privacy Issues (November 30 and December 1, 2015)

BlackBerry says it will no longer operate in Pakistan after December 30, 2015 due to the Pakistani government's demands to intercept communications over the network. There are indications that the parties may reach a compromise.
-http://www.bloomberg.com/news/articles/2015-11-30/blackberry-exits-pakistan-to-a
void-e-mail-monitoring-by-state
-http://www.cnet.com/au/news/blackberry-leaves-pakistan-after-refusing-to-comprom
ise-user-privacy/
-http://www.computerworld.com/article/3009994/data-privacy/blackberry-to-quit-pak
istan-over-government-surveillance-demands.html
-http://arstechnica.com/security/2015/11/blackberry-says-no-to-pakistani-backdoor
-gambit/

FISC Names Friends of the Court (November 25 and 28, 2015)

The Foreign Intelligence Surveillance Court (FISC) has named five amici curae, or friends of the court, who will act as outside public advocates. The five were appointed as required by the USA Freedom Act, which passed earlier this year. In September, FISC appointed a public advocate for a particular case.
-http://arstechnica.com/tech-policy/2015/11/americas-super-secret-court-names-fiv
e-lawyers-as-public-advocates/
-http://www.cio.com/article/3008900/us-spy-court-appoints-lawyers-to-panel-of-adv
isers.html

Amazon Password Reset (November 27, 2015)

Amazon has reset passwords for an unspecified number of customers. The company notified users with an email that says that it "recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party."
-http://www.zdnet.com/article/amazon-is-resetting-account-passwords-for-some-acco
unts/
-http://www.scmagazine.com/amazon-force-resets-passwords/article/456353/
-https://www.washingtonpost.com/news/the-switch/wp/2015/11/24/amazon-forces-some-
customers-to-reset-passwords/
[Editor Comment (Murray): Amazon is one of my payment proxies of choice, in part because of their incredible record, because they confirm all activity out of band, and because of this kind of proactive security. Perhaps in response to this problem, they have recently made strong authentication available as an option to their customers. I have opted in but would like to see them promote the option. In any case, Amazon's record is evidence that this job is only difficult, not impossible. (Northcutt): Both Kathy and my accounts still work. Perhaps they noticed this when testing their Two Factor Authentication because it is fairly comprehensive:
-https://aws.amazon.com/iam/details/mfa/]

Microsoft Security Tools Remove Dell's Dodgy Certificate (November 26, 2015)

Microsoft has updated several security tools so they remove questionable certificates that were preloaded on some Dell computers. The most recent versions of Windows Defender for Windows 10 and Windows 8.1; Microsoft Security Essentials for Windows 7 and Windows Vista; and Microsoft Safety Scanner and Malicious Software Removal Tool will remove the certificates as well as the .dll plug-in that reinstalls them.
-http://www.theregister.co.uk/2015/11/26/dell_cert_windows_defender/
-http://www.computerworld.com/article/3009644/security/microsoft-zaps-dodgy-dell-
digital-certificates.html

Cable Router Double Backdoor (November 26, 2015)

A double backdoor in certain Arris cable modems could be exploited to rewrite the device's firmware. The problem lies with an undocumented library discovered in three models of Arris modems.
-http://www.scmagazine.com/600000-cable-routers-found-to-have-a-backdoor-within-a
-backdoor/article/456352/
[Editor's Note (Murray): Weaknesses in routers (and other "things") are too often related to reuse of existing code. Software developers cannot pretend to be "engineers" until they take responsibility for the choice of "materials" that they use in their products. "Researchers" need to apply the engineering principles of Strength of Materials to enable developers to understand the appropriate use of existing libraries. Until better standards and measurements are available, reuse of code must be extremely cautious. ]

Hilton Confirms Point-of-Sale System Breach (November 24 and 25, 2015)

Hilton has acknowledged that point-of-sale (PoS) systems at some of its properties were compromised, leading to theft of customer data. The stolen information includes names, payment card numbers, security codes, and expiration dates. News of the breach comes less than a week after Starwood properties disclosed a similar breach. Brian Krebs reported in September that several banks suspected there had been a breach of Hilton's systems.
-http://www.darkreading.com/attacks-breaches/hilton-data-breach-focuses-attention
-on-growing-pos-malware-threat/d/d-id/1323326?
-http://krebsonsecurity.com/2015/11/hilton-acknowledges-credit-card-breach/
[Editor's Note (Murray): The Hospitality industry continues to be a target. The Verizon Data Breach Incident report not only provides evidence of this but also of why. It would have been much cheaper for these chains to avoid the vulnerability than to find and eliminate them, cheaper to eliminate them than to tolerate them. ]

Sony Breach Settlement Gets Preliminary Approval (November 25 and 26, 2015)

A federal judge in California has given preliminary approval to a settlement in a case involving the Sony Pictures breach. The terms of the settlement call for Sony to pay up to US $8 million: US $4.5 million for employee reimbursements for losses incurred due to identity fraud, and US $3.5 million for legal fees.
-http://www.nbcnews.com/tech/security/judge-gives-preliminary-ok-8m-settlement-ov
er-sony-hack-n469791
-http://www.bbc.com/news/entertainment-arts-34931148

Lenovo Patches Flaw in Update Tool (November 25, 2015)

Lenovo has released Lenovo System Update 5.07.0019 to address a pair of privilege elevation vulnerabilities. The tool was previously known as ThinkVantage System Update, and is preinstalled on Lenovo PCs.
-http://www.computerworld.com/article/3008630/security/lenovo-patches-serious-fla
ws-in-pc-system-update-tool.html
-https://support.lenovo.com/us/en/documents/ht080136

LANDESK Breach May Have Serious Implications (November 25, 2015)

LANDESK recently notified its employees that their personal data may have been compromised in a breach. According to a LANDESK employee, the breach may be more serious. Although the breach was detected recently, intruders gained purchase in the company's network in June 2014, nearly a year and a half ago. The intrusion was found when employees noticed slowed Internet speeds. A software developer at the company noticed that someone from the IT department had been logging into the build server, but no one in that department was aware of the situation. Investigation found evidence that the intruders had been gathering data from build and source code servers.
-http://krebsonsecurity.com/2015/11/breach-at-it-automation-firm-landesk/

Microsoft Releases Revised Update for Windows 10 (November 24, 2015)

Microsoft has released a fix for a problem caused by November's Windows 10 update. The initial update was released on November 12; Microsoft took it down on November 23 after learning that it was resetting some users' privacy settings. A fixed version of the update is now available online. Microsoft says that users whose settings were affected by the buggy version of the update will have their preferred settings restored.
-https://support.microsoft.com/en-us/kb/3121244
-https://support.microsoft.com/en-us/kb/3120677
-http://www.zdnet.com/article/microsoft-reverses-course-restores-downloads-of-win
dows-10-november-update/
-http://www.computerworld.com/article/3008712/microsoft-windows/microsofts-novemb
er-windows-10-screwed-up-some-users-privacy-settings.html

Developing Technical Standards for Insulin Pumps (November 24, 2015)

Dr. David Klonoff is working with patients and technology companies to develop a technical standard for securing insulin pumps. Both the pumps currently in use and new ones still in development have wireless capability, but do not encrypt or authenticate data. The pumps can be accessed with a device's serial number, which is printed on the device itself and transmitted in cleartext with communications the device sends. Adding a layer of complexity to the development of the standard is the fact that some savvy patients tinker with their devices to better suit their needs; Dr. Klonoff said, "We have to keep in mind the trade-off between wanting security and maintaining usability." The standard is expected to be complete by July.
-http://www.wired.com/2015/11/the-doctor-on-a-quest-to-save-our-medical-devices-f
rom-hackers/
[Editor's Note (Ullrich): Great to see some progress on this front. But overall, there is an overdue discussion about security standards for the IoT to make it more manageable in enterprise environment. Currently, there are no standards for patching, logging or remote configuration and each vendor invents their own, often without much attention to security. (Murray): Given a limited application and a well understood environment, security should be tractable. The difficulty here is not the application; it is relatively simple. Rather it is in the environment. Securing the application against malice while reserving "usability" to the vendor, the physician, and the patient may be a over-constrained problem. Something has to give. Think, design, and build like Steve. ]

---

STORM CENTER TECH CORNER

Privacy Concerns about "Hello Barbie"
-http://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Ch
icago-353434911.html

Microsoft Increases Protections From Potentially Unwanted Applications
-http://blogs.technet.com/b/mmpc/archive/2015/11/25/shields-up-on-potentially-unw
anted-applications-in-your-enterprise.aspx

Widespread Use of Static Known Secret Keys in Devices
-http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html

SHA1 Phase Out Summary
-https://isc.sans.edu/forums/diary/SHA1+Phase+Out+Overview/20423/

OpenSSL Patch Pre-Announcement
-https://mta.openssl.org/pipermail/openssl-announce/2015-November/000045.html

Cisco ASR1000 Privilege Escalation Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
151130-asa

Belkin N150 Vulnerabilities
-https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerab
ilities/

Lancom Routers Use Predictable SSH/SSL Keys (German Only)
-https://www.lancom-systems.de/service-support/soforthilfe/aktuelle-support-hinwe
ise/allgemeine-sicherheitshinweise/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/