SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #95

December 08, 2015

TOP OF THE NEWS

France Considers Blocking Tor, Public Wi-Fi
DHS Offering Free Pen Tests

THE REST OF THE WEEK'S NEWS

CyberRX 2.0 Health Insurer Cybersecurity Exercise
Support for Old Internet Explorer Sunsets
Windows XP Embedded Extended Support Expires Next Month
Pentagon IG: DoD Cyber Experts Need More Resources
Senate Committee Asks About Government's Response to Ransomware
Senator Asks Airlines and Plane Manufacturers About Their Cyber Defense
Naval Research Lab Unclassified Network Attack
CERT Warns of Medical System Flaws
Linen Company Stole Customer Invoices from Competitor
JD Wetherspoon Data Breach
Reader's Digest Fixes Malware Problem on Website

STORM CENTER TECH CORNER


******************** Sponsored By Symantec ****************************

Symantec is focused on ensuring you have the ability to Uncover and Respond to Cyber Threats across your endpoints, Email and the Network. Use this quick and easy resource to gather information on Threat Protection from Symantec.
http://www.sans.org/info/182127

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2 - http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

France Considers Blocking Tor, Public Wi-Fi (December 7, 2015)

The French government may be considering banning public Wi-Fi networks and Tor, according to documents leaked from the country's Ministry of Interior. One of the bills that may be introduced to French Parliament next month would prohibit free and shared Wi-Fi during states of emergency. The other bill seeks to "block or forbid communications of the Tor network."
-http://arstechnica.com/tech-policy/2015/12/france-looking-at-banning-tor-blocking-public-wi-fi/

-http://www.zdnet.com/article/france-considers-public-wi-fi-tor-network-ban-in-wake-of-terror-attacks/

DHS Offering Free Pen Tests (December 1, 2015)

The US Department of Homeland Security's (DHS's) National Cybersecurity Assessment and Technical Services (NCATS) offers penetration tests to private US companies, including banks and energy firms. According to a document published by DHS, NCATS offers a "Risk and Vulnerability Assessment" and a "Cyber Hygiene Evaluation."
-http://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/
-http://krebsonsecurity.com/wp-content/uploads/2015/11/Agency-Acceptance-Letter-CH-Service-SLTT_PS.pdf



************************** SPONSORED LINKS ********************************
1) Download the free eBook: Breach Preparation - Plan for the Inevitability of Compromise: http://www.sans.org/info/182132

2) Learn more about Blue Coat's Innovation for the Cloud Generation: http://www.sans.org/info/182137

3) Do Not Miss: Five Critical Factors Healthcare Providers Must Know When Partnering with a Cyber Security Vendor. Wednesday, December 16 at 1:00 PM EDT (18:00:00 UTC) featuring Barbara Filkins, John McNeice, and Charlie Mallio. http://www.sans.org/info/182142
***************************************************************************

THE REST OF THE WEEK'S NEWS

CyberRX 2.0 Health Insurer Cybersecurity Exercise (December 6, 2015)

Twelve US health insurance companies participated in a cyber security exercise. The dozen organizations cover more than half of the US population. The companies' responses were evaluated, and the exercise was used to identify areas that the companies need to address to improve their security posture. The simulated attack involved forged healthcare claim submissions and theft of patient data.
-http://www.eweek.com/security/health-insurers-test-their-security-capability-with-cyber-exercise.html

Support for Old Internet Explorer Sunsets (December 4, 2015)

After January 12, 2016, Microsoft will no longer provide updates for older versions of Internet Explorer (IE). One estimate suggests that as many as 124 million users are running Internet Explorer versions 10 and earlier. The only version of IE that will continue to receive updates after January 12, 2016 is IE 11.
-https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
-http://www.zdnet.com/article/millions-of-internet-explorer-users-face-patch-security-showdown/

Windows XP Embedded Extended Support Expires Next Month (December 4, 2015)

Microsoft is scheduled to end Extended Support for Windows XP Embedded, which is still running on many of the UK's 70,000 cash machines. ATM owners are urged to upgrade their systems prior to January 12, 2016, after which time Microsoft will no longer provide updates.
-http://www.v3.co.uk/v3-uk/news/2437880/uk-cash-machines-at-risk-as-windows-xp-embedded-support-cut-off-looms

[Editor's Note (Pescatore): That support end date has been published for a long time but many businesses kept buying "Things" running XP Embedded. Where replacement isn't possible, on-device whitelisting or external shielding will be needed to mitigate the risk.]

Pentagon IG: DoD Cyber Experts Need More Resources (December 4, 2015)

The US Defense Department's (DoD's) Office of Inspector General (OIG) has published the title of an audit report, "Cyber Mission Force Teams Need Resources to Perform Missions," suggesting that teams working in this capacity lack sufficient resources to do their jobs. The audit report is classified.
-http://www.nextgov.com/cybersecurity/2015/12/pentagon-watchdog-cyberspace-fighters-need-more-resources/124188/?oref=ng-channelriver

-http://www.dodig.mil/pubs/report_summary.cfm?id=6702

Senate Committee Asks About Government's Response to Ransomware (December 3 and 4, 2015)

The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee are seeking information about the government's efforts to fight ransomware. In a letter to Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware) ask how many ransomware-related cases each agency has investigated and how the government coordinates such investigations. The letter also asks whether "federal, state, or local governments sought DOJ or FBI's help to remove ransomware from their computers."
-http://www.nextgov.com/cybersecurity/2015/12/has-government-paid-hackers-remove-malware-agency-computers/124227/?oref=ng-channeltopstory

-http://thehill.com/policy/cybersecurity/262053-homeland-security-leaders-press-for-ransomware-data

Senator Asks Airlines and Plane Manufacturers About Their Cyber Defense (December 2, 2015)

Senator Ed Markey (D-Massachusetts) has sent letters to a dozen airlines and two plane manufacturers, seeking "information regarding [their] protections and protocols against the threat of cyber-attacks in relation to the integration of new technologies on board [their] aircraft," and about how they manage customer data privacy and security.
-http://thehill.com/policy/cybersecurity/261865-senator-pressures-airlines-for-cyber-defense-details

-http://www.markey.senate.gov/news/press-releases/senator-markey-queries-airlines-and-airplane-manufacturers-about-aircraft-cybersecurity-defenses

-http://www.markey.senate.gov/markey-airline-cybersecurity

Naval Research Lab Unclassified Network Attack (December 3, 2015)

An attack on an unclassified network of the US Naval Research Laboratory exploited a previously undisclosed vulnerability. The issue has been resolved. Commanding Officer Captain Mark Bruington told an audience at a National Defense Industrial Association event in Washington, DC, last week that the incident "became almost a science experiment unto itself," and that NRL network defenders used it as a learning opportunity.
-https://fcw.com/articles/2015/12/03/navy-research-lab-zero-day.aspx

CERT Warns of Medical System Flaws (December 4, 2015)

Carnegie Mellon's CERT has issued a warning of two vulnerabilities in the Epiphany Cardio Server ECG Management System v. 3.3 that could be exploited to access and modify patient data. Users are urged to update to more recent versions.
-http://www.scmagazine.com/cert-warning-flags-vulnerabilities-in-medical-data-system/article/457920/

-http://www.kb.cert.org/vuls/id/630239

Linen Company Stole Customer Invoices from Competitor (December 4, 2015)

New Hampshire company General Linen Services, LLC (DBA General Linen Somersworth) admitted to stealing invoices from competitor General Linen Services Co. Inc. in an attempt to steal that company's customers. The targeted company's computer system was accessed without authorization more than 150 times between September 2009 and April 2010; most of the breaches originated from General Linen Somersworth.
-http://www.scmagazine.com/new-hampshire-company-hacks-smaller-competitor-for-customer-list/article/457932/

-https://www.fbi.gov/boston/press-releases/2015/new-hampshire-company-pleads-guilty-to-hacking-into-a-competitors-computer-system-for-commercial-advantage

JD Wetherspoon Data Breach (December 4, 2015)

The UK's JD Wetherspoon pub chain was hit with a cyberattack that compromised customer records and some payment card information. The majority of the compromised data were names, birthdates, and email addresses of 650,000 customers; roughly 100 payment cards were compromised as well. The attack occurred in June, but the company discovered it only recently.
-http://www.v3.co.uk/v3-uk/news/2437884/jd-wetherspoon-hack-exposes-over-650-000-customer-records

-http://www.zdnet.com/article/jd-wetherspoon-loses-data-of-over-650000-customers-in-cyberattack/

-http://www.nytimes.com/reuters/2015/12/04/business/04reuters-jd-wetherspoon-cybersecurity.html

Reader's Digest Fixes Malware Problem on Website (November 30, 2015)

Reader's Digest has removed malware from its website. The site was found to be hosting malware from the Angler exploit kit. The malware could have infected site visitors whose computers were running unpatched versions of Flash, Internet Explorer, and other software.
-http://arstechnica.com/security/2015/11/hey-readers-digest-your-site-has-been-attacking-visitors-for-days/

[Editor's Note (Northcutt): Security researcher Joanne Ashland has been collecting Angler mutants and sent me the link on bitdefender below. In the meantime, I am racing to get up to speed on Windows 10 because of a project some of the students at SANS.EDU are working on:
-http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

-https://www.linkedin.com/pulse/windows-10-1-stephen-northcutt]

STORM CENTER TECH CORNER

IRMA Incident Response and Malware Analysis Sandbox
-http://irma.quarkslab.com

Lenovo LSCTaskService Vulnerabilities
-http://www.kb.cert.org/vuls/id/294607

Dell/Toshiba/Lenovo Bloatware Exploits
-http://rol.im/oemdrop/
(warning: exploit code and crappy music)

Old libupnp Vulnerability Plagues Routers/Smart TVs
-http://blog.trendmicro.com/trendlabs-security-intelligence/high-profile-mobile-apps-at-risk-due-to-three-year-old-vulnerability/#

Hello Barbie Vulnerable To Poodle
-http://www.theregister.co.uk/2015/12/04/wireless_barbie_slipshod_security/

OpenSSL Update
-https://openssl.org/news/secadv/20151203.txt

Fast Frequency Analysis For Random Search with freq_server.py
-https://isc.sans.edu/forums/diary/Continuous+Monitoring+for+Random+Strings/20451/

Java Deserialization Vulnerability Affecting More Libraries
-https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/

XSS in Mobile Yahoo Mail Client
-https://blog.srcclr.com/commons-collections-deserialization-vulnerability-research-findings/

Boot Record Malware Found in PoS Attacks
-https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/