SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #97

December 15, 2015

If you are one of the 30,000 security pros who visit Internet Storm
Center (isc.sans.org) every day, you'll be pleased to know that Johannes
and the ISC team have added some great new features. They are described
at the end of this issue "INTERNET STORM CENTER UPDATE."
Alan

---

TOP OF THE NEWS

Moonfruit Takes Sites Offline While Ramping Up Protections Against DDoS
Boards Urged to Appoint Younger Directors to Tackle Cyber Threat
Visa Launches Token Service in Singapore

THE REST OF THE WEEK'S NEWS

Google to Revoke Trust for Symantec PCA3-G1 Certificate
Five Arrested in Norway in Connection with Remote Access Trojan
MacKeeper Data Exposed
Fix Available for Joomla Flaw
Twitter Warns Users of State-Sponsored Account Compromise
France Will Not Ban Tor or Block Public Wi-Fi
NIST Wants Cybersecurity Framework Feedback
Former IBM Employee Arrested for Alleged Theft of Proprietary Source Code

INTERNET STORM CENTER UPDATE

INTERNET STORM CENTER UPDATE

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Symantec **************************

Symantec is focused on ensuring you have the ability to Uncover and Respond to Cyber Threats across your endpoints, Email and the Network. Use this quick and easy resource to gather information on Threat Protection from Symantec.
http://www.sans.org/info/182222

***************************************************************************

TRAINING UPDATE

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Moonfruit Takes Sites Offline While Ramping Up Protections Against DDoS (December 14, 2015)

Moonfruit (a subscription web hosting company) has taken thousands of websites offline. The company began experiencing the attacks last week; the attackers demanded a ransom, but Moonfruit refused to pay. Moonfruit said that the sites would "remain offline for up to 12 hours" while the company makes changes to its infrastructure to protect sites from similar attacks in the future.
-http://www.scmagazine.com/moonfruit-takes-down-customer-sites-for-up-to-12-hours
-after-attack-threat/article/459511/
-http://www.v3.co.uk/v3-uk/news/2439205/moonfruit-takes-thousands-of-websites-off
line-after-cyber-attack-threat
-http://www.bbc.com/news/technology-35091534
[Editor's Note (Ullrich): The "Armada Collective" has been quite successful in getting companies to pay up to avoid DDoS attacks. Sadly, the only way to prevent these attacks is to either pay the Armada Collective, or an Anti DDoS vendor. Yes, it would be nice if "the Internet" implemented BCP-38, but that isn't going to happen. (Honan): A good example of why proactive security controls are important to identify and implement before an attack, or a threat of an attack, occurs. In essence Moonfruit customers became victims of a Denial of Service attack through Moonfruit's efforts to protect those same customers from a Denial of Service attack. Incident response planning and prevention is always best before an attack occurs. (Murray): The right time for Internet-based companies to arrange for DoS mitigation is before the attack, when it is cheap, easy, and not disruptive to customers. ]

Boards Urged to Appoint Younger Directors to Tackle Cyber Threat (December 14, 2015)

Companies should hire a younger generation of boardroom directors to head off the "systemic threat" that cyber risk poses to the financial system, according to City of London bosses polled by the Financial Times.
-http://www.ft.com/cms/s/0/66e4c356-a27a-11e5-bc70-7ff6d4fd203a.html

Visa Launches Token Service in Singapore (December 15, 2015)

Visa has launched the Visa Token Service, which replaced payment card data with a digital token, in Singapore. Visa is partnering with United Overseas Bank to implement the technology, which allows payments to be processed without exposing account information.
-http://www.zdnet.com/article/visa-brings-token-service-to-singapore-with-uob-par
tnership/
[Editor's Note (Ullrich): Traditional credit card numbers are a flawed concept. We have one, pretty simple all numeric password that we share with hundreds of merchants. One leak at one merchant puts the system at risk. Tokenization is finally convenient and possible using mobile payment systems. I hope it will ultimately replace traditional credit card numbers. (Murray): This is the technology that was introduced with Apple Pay and which provides the back-end processing for such mobile computer based payment systems as Samsung Pay, Android Pay and others. Similar services are now offered by MasterCard and American Express. They hide the credit card number from merchants; what they cannot see they cannot store or compromise. However, the vulnerable to fraudulent replay credit card number remains the default. While tokenization of the credit card number has significant potential to improve the security of our broken retail payment system, realization depends upon consumer adoption of mobile payments. This adoption is discouraged by the popular media coverage that hypes the unknown risk of mobile payment systems and the convenience of the credit card. ]

---

************************** SPONSORED LINKS ********************************
1) Download the free eBook: Next-Generation Endpoint Security for Dummies: http://www.sans.org/info/182227

2) Don't Miss: Five Critical Factors Healthcare Providers Must Know When Partnering with a Cyber Security Vendor. Wednesday, December 16 at 1:00 PM EST (18:00:00 UTC) featuring Barbara Filkins, John McNeice, and Charlie Mallio. http://www.sans.org/info/182272

3) The North American cybercriminal underground market is unique from others, learn about it in a recently released report from Trend Microthreat research. http://www.sans.org/info/182237
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google to Revoke Trust for Symantec PCA3-G1 Certificate (December 14, 2015)

Google products will no longer trust digital certificates from an old Symantec root certificate because of security concerns. Google made the decision to revoke trust for the certificate after Symantec announced that the VeriSign Class 3 Public Primary Certificate Authority G1 (PCA3-G1) certificate is no longer in compliance with the CA/Browser Forum's Baseline Requirements.
-http://www.eweek.com/security/google-pulls-trust-for-symantec-root-certificate.h
tml
-http://www.computerworld.com/article/3014591/security/google-to-revoke-trust-in-
a-symantec-root-certificate.html
-http://www.zdnet.com/article/google-strips-chrome-android-trust-for-symantec-roo
t-certificate/
-http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certific
ate/article/459688/
[Editor's Note (Ullrich): Google is pushing hard for certificate transparency, a process that may bring some limited accountability to certificate authorities. Symantec has been a hold out to embrace certificate transparency and has recently been caught issuing unauthorized certificates for Google domains, putting it on Google's naughty list. So no surprise that Google is trying to put the spotlight on Symantec certificate practice. ]

Five Arrested in Norway in Connection with Remote Access Trojan (December 14, 2015)

Authorities in Norway have arrested five people in connection with the possession, use, and distribution of a remote access Trojan, or RAT. Norway's national criminal investigation service, Kripos, has seized computer equipment and taken control of a number of Internet accounts. The arrests are part of a larger Europol initiative to fight cybercrime known as OP Falling sTAR; arrests in other cases were made in Romania and France.
-http://www.zdnet.com/article/rat-trap-norway-police-nab-five-in-remote-access-tr
ojan-europol-swoop/
-http://www.scmagazine.com/kripos-arrests-five-men-for-pushing-rat/article/459518
/
[Editor's Note (Honan): Another great example of how Europol are coordinating and sharing data amongst various law enforcement agencies, both within the EU and outside it, to tackle cybercrime. One look at Europol's press release page shows the impact these operations are having.
-https://www.europol.europa.eu/latest_press_releases
There is still a long way to go but well done to all involved on the great work so far. ]

MacKeeper Data Exposed (December 14, 2015)

The company that makes MacKeeper has acknowledged a breach that exposed usernames, passwords, and other data for 13 million customers. Someone found the data while "searching for database servers that require no authentication and are open to external connections." That person notified MacKeeper maker Kromtech; the company quickly blocked public access to the databases.
-http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/
-http://www.cnet.com/news/mackeeper-exposes-personal-data-of-13-million-users/
[Editor's Note (Ullrich): MacKeepers response to increase the hash strength from MD5 to SHA256, but not mentioning other measures (salting hashes, encrypting them... or a more appropriate algorithm) shows how the controversial company doesn't get application security. (Murray): Security is harder than it looks. As the number of devices that we use increases, cloud based solutions to the password management problem become the problem. (Honan): This is a great example as to why you should regularly run vulnerability tests against your internet facing systems or after any major changes to the infrastructure or applications. (Northcutt): Unnecessary software that sells primarily using scare tactics. I am surprised there were 13 million users, (the first two links are the most balanced reviews I have been able to find):
-http://macnetized.com/no-fluff-mackeeper-review-is-it-worth-it/
-http://www.makeuseof.com/tag/mac-really-need-tools-like-mac-keeper/
-https://discussions.apple.com/docs/DOC-3036
-http://www.imore.com/avoid-mackeeper]

Fix Available for Joomla Flaw (December 14 and 15, 2015)

Joomla developers have released an update for the content management system to address a flaw that is being actively exploited. The remote code execution flaw has been present for nearly eight years; it affects Joomla versions 1.5 through 3.4.5. Users are urged to upgrade to version 3.4.6.
-https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execu
tion-vulnerability.html
-http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulner
ability-in-sites-running-joomla/
-http://www.theregister.co.uk/2015/12/15/joomla_vuln/
[Editor's Note (Ullrich): Must patch now! This has been exploited for a week now, and the exploit is trivial. ]

Twitter Warns Users of State-Sponsored Account Compromise (December 13 and 14, 2015)

Twitter has notified some users that their accounts may have been compromised as part of a state-sponsored attack. The message went out to more than 20 Twitter users, warning that "a small group of accounts ... may have been targeted by state-sponsored actors ...
[who ]
may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers." Many of those receiving the warning appear to have ties to IT security.
-http://www.theguardian.com/technology/2015/dec/14/twitter-warns-users-hacked-sta
te-sponsored-actors?CMP=twt_gu
-http://www.nextgov.com/cybersecurity/2015/12/twitter-notifies-users-state-sponso
red-hacks/124464/?oref=ng-channeltopstory
-http://www.darkreading.com/endpoint/twitter-says-nation-state-hackers-targeted-s
ome-accounts/d/d-id/1323556?
-http://www.bbc.com/news/business-35089309
-http://www.computerworld.com/article/3014642/security/twitter-warns-users-target
ed-by-state-sponsored-hackers.html
[Editor's Note (Murray): One would expect that those who have "ties to IT Security" would be using the Twitter strong authentication option. ]

France Will Not Ban Tor or Block Public Wi-Fi (December 11, 2015)

Despite recent stories in Le Monde indicating that France was considering banning the use of Tor and blocking pubic Wi-Fi during states of emergency, the country's Prime Minister Manuel Valls said neither action will be undertaken.
-http://arstechnica.com/tech-policy/2015/12/france-wont-block-public-wi-fi-or-ban
-tor-pm-says/
-http://www.theregister.co.uk/2015/12/11/no_wifi_tor_restrictions_after_france_te
rror_attack/

NIST Wants Cybersecurity Framework Feedback (December 10, 2015)

The National Institute of Standards and Technology (NIST has posted a request for information (RFI) in the Federal Register seeking feedback on how private sector organizations are using its cybersecurity framework, and how the framework could be improved. The framework was developed in accordance with an Executive Order, "Improving Critical Infrastructure Cybersecurity," and was released in February 2014.
-http://fedscoop.com/nist-looking-for-addtional-feedback-on-cybersecurity-framewo
rk
-https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-fram
ework-for-improving-critical-infrastructure-cybersecurity
[Editor's Note (Murray): While not a flaw of the Framework, it has been a flaw of the program, identified early by critics, that the program lacked any measurement component other than that it responded to a White House directive. ]

Former IBM Employee Arrested for Alleged Theft of Proprietary Source Code (December 8, 2015)

A former IBM software engineer has been arrested and charged with the alleged theft of proprietary source code. The charges, filed in federal court in New York, allege one count of theft of a trade secret. Xu Jiaqiang was arrested in White Plains, New York on December 7, 2015 after attempting to sell software that included the stolen code to undercover agents. IBM is not named in the complaint; Xu's LinkedIn profile says he was employed there from November 2010 until July 2014.
-http://www.reuters.com/article/us-ibm-crime-china-idUSKBN0TR2X820151208#5tJgL8o1
cKYssGdI.97
-http://www.bloomberg.com/news/articles/2015-12-08/man-arrested-in-sting-for-stea
ling-employer-s-computer-code
-https://www.fbi.gov/newyork/press-releases/2015/manhattan-u.s.-attorney-and-fbi-
assistant-director-in-charge-announce-arrest-of-individual-for-theft-of-valuable
-source-code-from-former-employer
[Editor's Note (Murray): Those who are tempted to sell proprietary data should know that it is a thin and risky market; one never knows who one is dealing with. Those with proprietary information to protect should know that, while not perfect, seeding and watermarking their data may aid in investigation of the crime, prosecution of the criminal, and recovery of their property. ]

---

INTERNET STORM CENTER UPDATE

Probably the best use of the Internet Storm Center's rich data repository is to add context to your logs. Our data should not be used as a blocklist. But it can tell you more about a particular IP address, and it will help you assess the risk a particular IP address poses to your network. In order to enhance our ability to help you adding context to your logs, we added a number of new features over the last few weeks:

* External Feeds: In addition to the hundred of users sharing data with us, we are also exporting a number of external data feeds, and data feeds we create that are not based on DShield data. For example, we do maintain a list of researchers performing internet wide scans, we import a list of IP addresses spamming forums from forumspam.com and various other lists to provide context.

* TLD Nameservers and high ranking Alexa IPs: We now also know if a particular IP address is a name server for any of the top level domains, or if it is associated with a very popular website (including mail servers and name servers for related domains)

To make it easy to explore and use the data, we offer a number of new features:

- - Threat Feeds: Displayed as a world map to show the geographic distribution (
-https://isc.sans.edu/threatmap.html)
or as a graph (
-https://isc.sans.edu/threatfeed.html)

- - "IP Info": This page has been updated to include the additional data. Just enter an IP address in our search box, or for example:
-https://isc.sans.edu/ipinfo.html?ip=89.248.172.78

- - "Color My Logs": This latest feature will allow you to past a log snippet, and have it automatically marked up with our data. See
-https://isc.sans.edu/colormylogs.html

Feedback is always welcome. Use our contact form (isc.sans.edu/contact.html) or send me an e-mail at jullrich@sans.edu

---

STORM CENTER TECH CORNER

Modified cmd.exe Makes Using Privileges Easier
-https://isc.sans.edu/forums/diary/Use+The+Privilege/20483/

Old Blackhole Exploit Kit Surfacing Again
-https://isc.sans.edu/forums/diary/Everything+old+is+new+again+Blackhole+exploit+
kit+since+November+2015/20477/

SHA-1 Expiration Pushback
-https://www.facebook.com/notes/alex-stamos/the-sha-1-sunset/10153782990367929

Vulnerability in Commonly Used Car Trackers and Control Systems
-http://ltmp.me/post/135154206076/kiwicon-9-a-bitter-story-of-aftermarket-vehicle

Unofficial Guide to Mimikatz and Command Reference
-https://adsecurity.org/?page_id=1821

Preventing Website Fingerprinting Over Tor Via Adaptive Padding
-https://securewww.esat.kuleuven.be/cosic/publications/article-2456.pdf

Second Apple Yosemite and iTunes Security Update for Windows
-https://support.apple.com/en-us/HT201222

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/