
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #94

December 04, 2015

TOP OF THE NEWS

China Arrests OPM Breach Suspects
Free TLS Certificates Now Available to Public
Kazakhstan Law Requires Back Doors

THE REST OF THE WEEK'S NEWS

Stolen Bank Data Leaked After Ransom Not Paid
Ransomware Steals Passwords before Encrypting Files
National Security Letter Content Revealed
OpenSSL Won't Update Older Branches Beyond End of Year
Huawei Will Not Issue Fixes for Older WiMax Routers
Microsoft Helps Take Down Dorkbot Botnet
VTech Breach Affects More Than Six Million Children

STORM CENTER TECH CORNER


**************** Sponsored By Blue Coat Systems, Inc. *******************
Innovation for The Cloud Generation: The days of managing multiple vendors to implement your cloud strategy are over. Blue Coat now offers the most complete and intuitive cloud security solution: with cloud access security (CASB), advanced threat protection, integrated web application firewall, and encrypted traffic management. Welcome to enterprise-class security for The Cloud Generation. http://www.sans.org/info/182017
***************************************************************************
TRAINING UPDATE


--SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx


--SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6


--SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl


--Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH


--ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions. http://www.sans.org/u/aBM


--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!


--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org


--Looking for training in your own community?
Community - http://www.sans.org/u/Xj


--Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2 - http://www.sans.org/u/Xy

Plus Dallas, Brussels, Scottsdale, Munich, and Tokyo all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

China Arrests OPM Breach Suspects (December 2 & 3, 2015)

The Chinese government says it has arrested several people allegedly connected to the massive Office of Personnel Management (OPM) data breach. The arrests reportedly occurred just prior to President Xi Jinping's visit to the US in September.
-https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html

-http://www.scmagazine.com/china-announces-it-arrested-hackers-connected-to-opm-breach/article/457694/

-http://thehill.com/policy/cybersecurity/261813-china-arrests-opm-hackers-report
[Editor's Note (Ullrich): The sad truth in internet security is that often the same techniques are used by nation states, criminal gangs and teenagers living in mom's basement down the block. The cost of entry to break into databases of national importance is surprisingly low. The only difference between a nation state actor and a criminal is that the criminal is more likely to be arrested. ]

Free TLS Certificates Now Available to Public (December 3, 2015)

The Let's Encrypt project is now offering free TLS certificates to the general public. The project, which is run by the Internet Security Research Group, initially ran a trial for a small group of volunteers earlier this fall. The certificates are trusted by all major browsers.
-http://www.theregister.co.uk/2015/12/03/letsencrypt_public_beta/
[Editor's Note (Ullrich): Even more important than "free" is the scripting interface that letsencrypt provides to automatically manage certificates. Free SSL certificates have been available before. Automation is in particular important for letsencrypt as the certificates are only valid a few months, so they need to be renewed fairly often, and without scripting you will end up with expired certificates. As a result, letsencrypt does not address invalid and self-signed certificates on the myriad of devices which are not supported by its scripts (but maybe someone will step up to provide such a script for some popular devices).
(Vautrinot): Certificates need to be managed, so while free is a move in the right direction to enhance the span of security...the management still needs to be accomplished and can be complex for businesses.
(Northcutt): This is HUGE. The Northcutt household just donated 250.00 to the cause using paypal. The previous model, where sellers pay X dollars to certificate granting authorities who took money but were not transparent and did not particularly care about security could not work. I like the new model, I am a consumer of *hopefully* secure transactions. If you notice you are doing a transaction from an ISRG cert, (click on the lock), think about giving a few dollars, we might just make a difference:
-https://letsencrypt.org/]

Kazakhstan Law Requires Back Doors (December 3, 2015)

A new law in Kazakhstan requires all Internet users in that country to install a "national security certificate" on all Internet-connected devices; the certificate will allow the government to intercept secure Internet connections and access browsing histories, access credentials, and HTTPS-encrypted traffic. Telecommunications companies will be required to monitor which users have not installed the certificate. The law takes effect on January 1, 2016.
-http://www.zdnet.com/article/kazakhstan-forces-its-citizens-into-installing-internet-backdoors/

-http://bits.blogs.nytimes.com/2015/12/03/kazakhstan-moves-to-tighten-control-of-internet-traffic/?_r=0

[Editor's Note (Assante): Such a decision should leave a foul taste in one's mouth as the argument for practicality wins the day over ideals. Requiring an open door is one small step away from garrisoning cyber troops - today it is mandated access; tomorrow it may be hosting a kill or attack module. Little red buttons are far more practical than a big red button anyway.
(Ullrich): Unlike many other governments, Kazakhstan is in the unfortunate position of not already having a trusted certificate authority under its control. However, certificate pinning, for example, can be used to alert users of man-in-the-middle attacks using rogue but valid certificates. ]
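An added example, not from the NewsBites item or its editors, of the pinning check Ullrich refers to: the client hashes the server's SubjectPublicKeyInfo and compares it with a pinned value, so a certificate issued for the same host name under a rogue but trusted root (such as a mandated national certificate) carries a different key and fails the check. The minimal DER walker, the `_der` builder and the sample keys are constructed for this illustration; in real use `cert_der` would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import base64
import hashlib

def _tlv(der, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, start = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(der[start:start + nbytes], "big")
        start += nbytes
    return tag, start, start + length

def spki_from_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, pos, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    fields = []                                    # (tag, tlv_start, tlv_end)
    while pos < tbs_end and len(fields) < 7:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields[0][0] != 0xA0:                       # v1 cert: no explicit version
        fields.insert(0, None)
    # order: version, serialNumber, signature, issuer, validity, subject, spki
    _, start, end = fields[6]
    return cert_der[start:end]

def pin_sha256(spki_der):
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pin(cert_der, pinned):
    """True only if the presented certificate carries a pinned public key."""
    return pin_sha256(spki_from_der(cert_der)) in pinned

def _der(tag, body):
    """Tiny DER encoder used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def constructed_cert(spki_der):
    """Constructed, unsigned X.509 v3 shell wrapping spki_der (test data only)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))       # [0] version = v3
           + _der(0x02, b"\x01")                  # serialNumber
           + _der(0x30, b"") * 4                  # signature, issuer, validity, subject (empty)
           + spki_der)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

# Constructed sample keys: placeholder bodies stand in for real key material.
LEGIT_SPKI = _der(0x30, b"\x01" * 40)            # the site's real key, pinned by the client
ROGUE_SPKI = _der(0x30, b"\x02" * 40)            # key inside an interception certificate
PINS = {pin_sha256(LEGIT_SPKI)}
```

Pinning the SPKI hash rather than the whole certificate lets the site rotate certificates under the same key without breaking clients, while an intercepting proxy's key still fails the check.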


************************** SPONSORED LINKS ********************************
1) The Top 20 Security Controls Adapted to ICS. Wednesday, December 09 at 3:00 PM EST (20:00:00 UTC) with Wm. Arthur Conklin. This webinar will look at the overall problem and dive into the controls; control by control, aligning them to an ICS environment. http://www.sans.org/info/182022

2) Predicting Cyber Security Trends in 2016. Tuesday, December 15 at 11:00 AM EDT (16:00:00 UTC) with Tim (TK) Keanini, Chief Technology Officer at Lancope. In this webcast, TK will look back on this year in cyber security and make predictions on what challenges to expect in 2016. http://www.sans.org/info/182027

3) Five Critical Factors Healthcare Providers Must Know When Partnering with a Cyber Security Vendor. Wednesday, December 16 at 1:00 PM EDT (18:00:00 UTC) with Barbara Filkins, John McNeice, and Charlie Mallio. http://www.sans.org/info/182032
***************************************************************************

THE REST OF THE WEEK'S NEWS

Stolen Bank Data Leaked After Ransom Not Paid (December 3, 2015)

An attacker broke into a system at a bank in the United Arab Emirates (UAE), stole customer data, and demanded payment of roughly US $3 million in ransom. When the bank refused to pay, the attacker leaked some of the stolen information, including payment card numbers, recent transactions, and balances.
-http://www.wired.com/2015/12/hacker-leaks-customer-data-after-a-united-arab-emirates-bank-fails-to-pay-ransom/

Ransomware Steals Passwords before Encrypting Files (December 3, 2015)

A new ransomware strain first uses malware known as Pony to steal account login credentials from targeted computers before encrypting files. The ransomware is spreading through websites infected with the Angler exploit kit.
-http://arstechnica.com/security/2015/12/newest-ransomware-pilfers-passwords-before-encrypting-gigabytes-of-data/

-http://www.zdnet.com/article/new-ransomware-grabs-users-passwords-before-locking-files/

National Security Letter Content Revealed (November 30 & December 3, 2015)

A US District Court judge has allowed former ISP owner Nicholas Merrill to disclose the content of a National Security Letter he received in 2004. NSLs come with gag orders, forbidding recipients from disclosing their contents or even revealing that they have been received. The document reveals that the FBI sought the target's entire web browsing history, the IP addresses of everyone the target corresponded with, and a record of all the target's online purchases.
-http://www.v3.co.uk/v3-uk/news/2437584/us-court-exposes-content-of-secret-fbi-national-security-letters

-http://arstechnica.com/tech-policy/2015/11/the-national-security-letter-spy-tool-has-been-uncloaked-and-its-bad/

-http://isp.yale.edu/sites/default/files/page-attachments/merrill_v._lynch_-_unredacted_attachment_to_2004_nsl.pdf

OpenSSL Won't Update Older Branches Beyond End of Year (December 3, 2015)

Older branches of the OpenSSL open source cryptographic library will no longer be receiving updates after the end of this calendar year. The 0.9.8zh and 1.0.0t updates, which were released on December 3, will be the last updates for those branches.
-http://www.computerworld.com/article/3011889/security/no-more-security-fixes-coming-for-older-openssl-branches.html

Huawei Will Not Issue Fixes for Older WiMax Routers (December 3, 2015)

Huawei says it will not patch vulnerabilities in its BM635, BM632, B631a, BM632w, and BM652 WiMax routers. Several flaws were disclosed (when?), but Huawei said "that the products ... have reached End of Service," and recommends that users replace the older devices.
-http://www.scmagazine.com/telecom-maker-tells-users-to-ditch-replace-flawed-routers/article/457680/

-http://www.techweekeurope.co.uk/mobility/huawei-vulnerable-wimax-routers-181549

Microsoft Helps Take Down Dorkbot Botnet (December 3, 2015)

Microsoft helped law enforcement agents worldwide take down the Dorkbot botnet, which has infected more than one million computers over the past four years. The malware tries to steal account access credentials for Gmail, Facebook, PayPal, eBay and others.
-http://www.computerworld.com/article/3012077/security/microsoft-joins-law-enforcement-to-disrupt-dorkbot-botnet.html

VTech Breach Affects More Than Six Million Children (December 2, 2015)

The number of children whose personal data were compromised in the VTech breach is far greater than initially stated. Instead of 220,000, the figure is close to 6.4 million children. The breach targeted the database of VTech's "Learning Lodge" app. VTech stock prices have dropped to a three-year low.
-http://www.theregister.co.uk/2015/12/02/vtech_breach_breakdown/
-https://www.washingtonpost.com/news/the-switch/wp/2015/12/01/vtech-says-6-4-million-children-were-caught-up-in-its-data-breach/

-http://www.bloomberg.com/news/articles/2015-12-02/vtech-hack-accessed-6-million-kids-profiles-mainly-in-the-u-s-


STORM CENTER TECH CORNER

Tracking SSL Certificates
-https://isc.sans.edu/forums/diary/Tracking+SSL+Certificates/20427/

Google Phasing Out Support for 32 Bit Chrome on Linux
-https://groups.google.com/a/chromium.org/forum/?pli=1#!topic/chromium-dev/FoE6sL-p6oU

Conficker Returns (again)
-https://www.checkpoint.com/ThreatPortal/livemap.html

How to Use PowerShell to Make Nessus Reports Useful
-https://isc.sans.edu/forums/diary/Nessus+and+Powershell+is+like+Chocolate+and+Peanut+Butter/20431/

3G/4G Modem Vulnerability Roundup
-http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html

Exfiltrating Data Using ICMP Echo Requests
-http://blog.safebreach.com/2015/12/02/i-see-your-true-echo_request-patterns-pinging-data-away/

Let's Encrypt Starting Open Service
-https://letsencrypt.org


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/