SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #96

December 11, 2015

The Holiday Hack Challenge Opens Today

Want to have some holiday fun while building great hands-on cyber
security skills? SANS just launched its 12th annual FREE Holiday Hack
Challenge. Whether you are brand new to infosec or a seasoned cyber
warrior, Ed Skoudis and his team pulled out all the stops on this one.
It feels like a video game and focuses on great cutting-edge
technologies planted around the world. You'll tackle the Internet of
Things, vulnerability analysis, packet analysis, command-and-control,
attribution, and tons more. You'll unravel a holiday mystery, match
wits with a super villain, and thwart a dastardly plot. It's fun for
the whole family! Check it out at https://HolidayHackChallenge.com.

Grand prize is a free SANS OnDemand course of your choice!

Alan

---

TOP OF THE NEWS

FBI Official Says the Agency Uses Zero-Days, StingRays
SHA-1 Retirement Could Prevent Millions of Users from Accessing Websites
Difference Makers Awards

THE REST OF THE WEEK'S NEWS

Cisco Developing Fixes for Java Deserialization Flaw
Flaw Fixed in Multiple Anti-Virus Products
DNS Root Servers Attacked
Wyndham Settles FTC Charges
Adobe Updates Flash
Apple Releases Updates for OS X and iOS
Ship Voyage Data Recorder Vulnerabilities
IBM Security App Exchange
Microsoft Patch Tuesday
Google's Monthly Android Update Includes Fixes for Stagefright Flaws
Vulnerabilities in Industrial Gas Detectors
Nemesis Malware

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Splunk ****************************

Have you implemented the SANS Top 20 Critical Security Controls? This time-proven, what works list of 20 controls can be used to minimize security risks to enterprise systems and the critical data they maintain. Learn how Splunk software can provide new insights to verify, execute and support requirements for the SANS Top 20 CSC.
http://www.sans.org/info/182202

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Get a MacBook Air or $750 Discount with OnDemand and vLive online courses now through Dec. 2- http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI Official Says the Agency Uses Zero-Days, StingRays (December 8, 2015)

FBI executive assistant director for science and technology Amy Hess acknowledged that her agency uses zero-day vulnerabilities in the course of its investigations. Hess also said that the FBI has never issued a gag order to police regarding the use of cell-site simulator technology, often referred to as StingRay. What the FBI does not want disclosed are the "engineering schematics," or technical details about how the device works.
-https://www.washingtonpost.com/world/national-security/meet-the-woman-in-charge-
of-the-fbis-most-contentious-high-tech-tools/2015/12/08/15adb35e-9860-11e5-8917-
653b65c809eb_story.html
-http://arstechnica.com/tech-policy/2015/12/fbi-admits-it-uses-stingrays-zero-day
-exploits/
[Editor's Note (Honan): The hoarding and use of Zero-Days by government agencies is not a new issue. In 20114 President Obama admitted that US government agencies do use zero-day vulnerabilities
-http://www.wired.com/2014/04/obama-zero-day/
It is time that a proper debate is held on the controversial topic as to whether government agencies ability to use zero-day exploits to attack systems should be balanced against the overall safety of the Internet community. ]

SHA-1 Retirement Could Prevent Millions of Users from Accessing Websites (December 10, 2015)

Millions of users could find themselves unable to access websites with certificates signed only with the SHA-2 cryptographic algorithm. Several major browser makers have indicated that they are considering retiring the SHA-1 as soon as June 2016.
-http://www.computerworld.com/article/3014162/security/sha-1-cutoff-could-block-m
illions-of-users-from-encrypted-websites.html
-http://arstechnica.com/security/2015/12/sha1-sunset-will-block-millions-from-enc
rypted-net-facebook-warns/
[Editor's Note (Pescatore): E.coli and the Norovirus prevented millions from accessing Chipolte, too, but cleanup was needed. (Murray): Adi Shamir is an exception to the rule that cryptographers do not give good security advice. He says people do not attack crypto, they bypass it. ]

Difference Makers Awards (November 23, 2015)

The SANS Institute has named the winners of the SANS 2015 Difference Makers Award. The individuals were chosen for their "innovation, skill, and effort
[that ]
have driven real advances in information security." The winners will be honored on December 15, 2015, at the SANS Cyber Defense Initiative Training Event in Washington, DC.
-http://news.sys-con.com/node/3569764
[Editor's Note (Pescatore): This has been one of the most fun things I get to do at SANS. Any of you who will be at SANS CDI are invited to drop by and help celebrate all the quiet successes in our field. (Honan): Congrats to all involved and well deserved. ]

---

THE REST OF THE WEEK'S NEWS

Cisco Developing Fixes for Java Deserialization Flaw (December 10, 2015)

The recently disclosed Java deserialization vulnerability affects multiple Cisco products. The company has released a warning about the issue and says it is developing fixes.
-http://www.theregister.co.uk/2015/12/10/cisco_java_deserialisation_bug/
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
151209-java-deserialization

Flaw Fixed in Multiple Anti-Virus Products (December 8 and 10, 2015)

A flaw disclosed earlier this year in AVG anti-virus software has now been found to affect other anti-virus products, including products from Kaspersky Lab and Intel McAfee. The flaw lies in the way the anti-virus products allocate memory for read, write, and execute permissions. AVG patched the flaw months ago; Kaspersky and Intel McAfee have now patched their products as well.
-http://www.darkreading.com/endpoint/known-security-flaw-found-in-more-antivirus-
products/d/d-id/1323480?
-http://www.theregister.co.uk/2015/12/10/kaspersky_mcafee_avg_vulnerable/

DNS Root Servers Attacked (December 9, 2015)

On November 30 and December 1, most of the Internet's 13 root name server networks came under distributed denial-of-service attacks. At their peak, the attacks were flooding the networks with five million queries per second.
-http://arstechnica.com/security/2015/12/attack-flooded-internet-root-servers-wit
h-5-million-queries-a-second/
-http://www.zdnet.com/article/mystery-attackers-bombard-servers-at-the-internets-
core/

Wyndham Settles FTC Charges (December 9 and 10, 2015)

The Wyndham Worldwide hotel chain has agreed to settle charges brought by the US Federal Trade Commission (FTC) that the company did not employ adequate security to protect customer data. Wyndham challenged the FTC's authority to impose penalties, but a federal appeals court sided with the FTC earlier this year. The settlement requires Wyndham to "establish a comprehensive information security program designed to protect cardholder data," undergo audits, and take other precautions.
-http://thehill.com/policy/cybersecurity/262635-breached-hotel-chain-settles-with
-ftc-in-landmark-case
-http://www.theregister.co.uk/2015/12/10/wyndham_hotels_settles_with_ftc/
-https://www.washingtonpost.com/news/the-switch/wp/2015/12/09/wyndham-agrees-to-s
ettle-with-ftc-in-case-that-challenged-agencys-data-security-enforcement-powers/
Settlement:
-https://www.ftc.gov/system/files/documents/cases/wyndhamproposedstiporderfullyex
ecuted.pdf
[Editor's Note (Pescatore): The amount Wyndham spent on lawyers to fight the ruling probably exceeds how much they would have spent to just quickly fix the basic security hygiene problems. ]

Adobe Updates Flash (December 8 and 9, 2015)

Adobe has released a security update for Flash Player to address 78 vulnerabilities, including seven rated high-risk. The most current versions of Flash are now 20.0.0.228 for Internet Explorer and Chrome for Mac OS X and Windows; and 20.0.0.235 for Safari and Firefox for Mac OS X and Windows.
-http://www.zdnet.com/article/adobes-final-patch-update-this-year-78-bugs-squashe
d/
-http://www.v3.co.uk/v3-uk/news/2438709/adobe-updates-flash-player-to-resolve-79-
security-flaws
-http://www.scmagazine.com/adobe-patches-78-bugs-in-last-patch-tuesday-of-2015/ar
ticle/458571/
-http://krebsonsecurity.com/2015/12/adobe-microsoft-each-plug-70-security-holes/
[Editor's Note (Pescatore): I've been trying out a "Flash-free" browsing diet and it is much less painful than trying to go gluten-free, actually very little disruption. About the same annoyance level of avoiding eating anything with mushrooms in it, which I started doing as a small child... ]

Apple Releases Updates for OS X and iOS (December 9, 2015)

Apple has updated its desktop operating system to OS X version 10.11.2 and its mobile operation system to iOS version 9.2.
-http://www.eweek.com/security/apple-updates-os-x-ios-with-numerous-security-fixe
s.html
-http://www.scmagazine.com/apple-security-updates-a-sign-of-things-to-come/articl
e/458850/

Ship Voyage Data Recorder Vulnerabilities (December 9 and 10, 2015)

Vulnerabilities in the systems used as virtual logbooks for ships could be exploited alter the data they store. Voyage data recorders act "as an automated version of a ship's logbook," recording information about the vessel's navigation, radio communications, radar, and other data from the ship's on-board systems.
-http://www.darkreading.com/iot/sea-craft-voyage-data-systems-vulnerable-to-tampe
ring-spying/d/d-id/1323495?
-http://arstechnica.com/information-technology/2015/12/hacked-at-sea-researchers-
find-ships-data-recorders-vulnerable-to-attack/

IBM Security App Exchange (December 9 and 10, 2015)

IBM has launched the Security App Exchange, which allows users to create and share security applications. There are currently 14 apps available in the exchange.
-http://www.v3.co.uk/v3-uk/news/2438755/ibm-launches-app-exchange-to-bolster-secu
rity-collaboration
-http://www.eweek.com/security/ibm-launches-security-app-exchange-marketplace.htm
l
-http://www-03.ibm.com/security/engage/app-exchange/
[Editor's Note (Honan): I had a look at the Exchange and the Apps all seem to focus on the IBM Qradar product. In other words these Apps only work with IBM. Should we be promoting such a narrow focused vendor solution? ]

Microsoft Patch Tuesday (December 8 and 9, 2015)

On Tuesday, December 8, Microsoft issued 12 security bulletins to address multiple vulnerabilities in a variety of products. Microsoft also released three security advisories, including one regarding the inadvertent disclosure of private encryption keys for a SSL/TLS certificate used for the xboxlive.com domain. The certificate has been revoked on Microsoft's Certificate Trist list.
-https://technet.microsoft.com/library/security/ms15-dec
-http://arstechnica.com/security/2015/12/december-patch-tuesday-avalanche-of-patc
hes-includes-leaked-xbox-certificate/
-http://www.zdnet.com/article/december-2015-patch-tuesday/
-http://www.v3.co.uk/v3-uk/news/2438437/microsoft-passes-130-security-fixes-for-2
015-with-final-patch-tuesday-update
-http://www.scmagazine.com/patch-tuesday-microsoft-publishes-12-bulletins-8-criti
cal/article/458580/
-http://www.zdnet.com/article/microsoft-warns-attacks-possible-after-xbox-certifi
cate-leaked/
-https://technet.microsoft.com/library/security/3123040.aspx
[Editor's Note (Honan): If you run and manage a Windows DNS server there is a critical patch you need to apply to your system to prevent remote code execution
-https://technet.microsoft.com/en-us/library/security/ms15-127.aspx]

Google's Monthly Android Update Includes Fixes for Stagefright Flaws (December 8, 2016)

Google's December update for Android addresses 18 security issues. Among those vulnerabilities are four flaws related to libstagefright. Google made the move to monthly Android updates after the Stagefright was first disclosed.
-http://www.eweek.com/security/google-continues-to-patch-stagefright-flaws-in-and
roid.html

Vulnerabilities in Industrial Gas Detectors (December 7, 2015)

According to an advisory from the Industrial Control Systems Computer Emergency Response Team (ICS-CERT), certain gas detectors used in industrial settings contain vulnerabilities that could be used to sabotage the devices. A path traversal flaw could allow attackers to bypass authentication; furthermore, sensitive information is transmitted in cleartext.
-http://arstechnica.com/security/2015/12/vulnerabilities-in-industrial-gas-detect
ors-require-little-skill-to-exploit/
-https://ics-cert.us-cert.gov/advisories/ICSA-15-309-02

Nemesis Malware (December 7, 2015)

Malware known as Nemesis takes control of the boot process on PCs to evade detection. Nemesis steals payment card data from the PC's memory; the malware loads before the operating system does.
-http://arstechnica.com/security/2015/12/nemesis-malware-hijacks-pcs-boot-process
-to-gain-stealth-persistence/

---

STORM CENTER TECH CORNER

December Microsoft Patch Tuesday
-https://isc.sans.edu/forums/diary/December+2015+Microsoft+Patch+Tuesday/20461/

Adobe Flash Update
-https://helpx.adobe.com/security/products/flash-player/apsb15-32.html

Apple Updates
-https://support.apple.com/en-us/HT201222

MSFT Internet Explorer <11 Phase Out and Others
-https://isc.sans.edu/forums/diary/Patch+Tuesday+Warmup+Internet+Explorer+Sunset+
and+Windows+XP+Embedded+End+of+Support/20459/

Enforcing USB Storage Policy With Powershell and Python
-https://isc.sans.edu/forums/diary/Enforcing+USB+Storage+Policy+with+PowerShell/2
0469/

Microsoft Withdraws Outlook Patch
-https://support.microsoft.com/en-us/kb/3114409

PoC For MS15-134 (Windows Media Center)
-https://blog.coresecurity.com/2015/12/09/exploiting-windows-media-center/

xboxlive.com Certificate Revoked
-https://support.microsoft.com/en-us/kb/2677070

Google Extending Safebrowing to Mobile Version of Chrome
-https://googleonlinesecurity.blogspot.co.uk/2015/12/protecting-hundreds-of-milli
ons-more.html

Webkit Leaking Browsing History
-http://blog.appgrounds.com/content-blockers-track-browser-history/

Uninstalling Problem Applications using Powershell
-https://isc.sans.edu/forums/diary/Uninstalling+Problem+Applications+using+Powers
hell/20473/

Holiday Hack Challenge is Out
-https://www.holidayhackchallenge.com

Cisco Software Affected By Java De-Serialization Bug
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
151209-java-deserialization

Root Name Server Attack
-http://root-servers.org/news/events-of-20151130.txt

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/