SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #99

December 22, 2015

For Juniper users, it is too late to patch!
See Johannes Ullrich's Editor's Note after the first story in Top of the News.

Industrial control security is also top of the news this week. The
nation's most respected ICS security expert, Mike Assante, comments:
"ICS can be protected, and it is time we mount a credible defense." The
ICS Summit (www.sans.org/u/aHb) in Orlando in February is the place ICS
experts go each year to be sure they know the most up to date defenses.

The Summit is also the place where you will find the new ICS Active
Defense and Incident Response Course as well as the ICS/SCADA Security
Essentials Course needed to prepare for the GICSP certification. Passing
the GICSP is increasingly being recognized as the minimum standard of
due care for ICS control system engineers and IT security people working
in ICS. Courses:
https://www.sans.org/event/ics-security-summit-2016/courses/

Alan

---

TOP OF THE NEWS

Juniper Backdoor
Former National Security Officials: Encryption is Here to Stay
Intruders Gains Access to Dam's Industrial Control System, US Power Grid

THE REST OF THE WEEK'S NEWS

Microsoft Will Ban Man-in-the-Middle Ad Injection Software
Oracle Reaches Settlement with FTC Over Java SE Security
Google Says it May Retire Support for SHA-1 Early
Facebook Drops Flash for HTML5
New Code Will Indicate When Web Content is Being Censored
US Justice Department is Investigating Uber Breach
Hello Kitty User Database Unprotected
Guilty Pleas in Massive Software Piracy Case
National Guard Cyber Protection Teams

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By AlienVault ***********************

New! Beginner's Guide to Open Source Intrusion Detection Tools:
http://www.sans.org/info/181927

**************************************************************************

TRAINING UPDATE

--SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

--SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

--Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

--ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community? Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Juniper Backdoor (December 18 and 21, 2015)

Networking equipment manufacturer Juniper has confirmed the existence of the backdoor, which they call unauthorized code, in several of its products. Outside researchers confirm the backdoor which was designed to look like debug code. Juniper has released a list of affected products.
-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-jun
iper-screenos-authentication-backdoor
-http://www.pcworld.com/article/3016915/security/juniper-warns-of-spying-code-in-
firewalls.html
-http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-password-in
-juniper-firewall-code/
-http://www.zdnet.com/article/juniper-screenos-devices-had-default-backdoor-passw
ord-rapid7/
-http://www.computerworld.com/article/3016811/security/juniper-updates-list-of-ba
ckdoored-enterprise-firewall-os-versions.html
-http://www.darkreading.com/vulnerabilities---threats/juniper-discovers-unauthori
zed-code-in-its-firewall-os-/d/d-id/1323622?
-http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-
government-backdoors/
-http://www.v3.co.uk/v3-uk/news/2439783/juniper-networks-finds-unauthorised-code-
decrypting-vpn-traffic-in-its-firewall-os
[Editor's Note (Ullrich): If your Juniper firewall is exposed to the Internet and unmatched, then it is too late to patch now. Starting Monday afternoon we detected continuous exploit attempts for this vulnerability from multiple sources that appear to scan the internet for vulnerable systems. (if anybody is willing to "donate" a device as a honeypot, please contact me). The Internet Storm Center went to Infocon "Yellow" on Monday to alert users of Juniper equipment of the imminent danger after the backdoor password was revealed by Rapid7.
-https://isc.sans.edu/forums/diary/First+Exploit+Attempts+For+Juniper+Backdoor+Ag
ainst+Honeypot/20525/
-https://isc.sans.edu/forums/diary/Infocon+Yellow+Juniper+Backdoor+CVE20157755+an
d+CVE20157756/20521/
-https://www.sans.org/webcasts/101482]

Former National Security Officials: Encryption is Here to Stay (December 15, 2015)

Some former US national security officials say the government needs to accept the presence of strong encryption, despite the government's concerns that it will prevent communications monitoring. The former officials, who held positions at the National Security Agency, the CIA, the Pentagon, and the Office of the Director of National Intelligence, maintain that there are economic and security concerns that outweigh the government's need for surveillance. Former NSA head Mike McConnell said, "Technology will advance, and you can't stop it. Learn how to deal with it."
-https://www.washingtonpost.com/world/national-security/former-national-security-
officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d
-11e5-9c4e-be37f66848bb_story.html
[Editor's Note (Murray): The popular use of strong encryption raises the cost of both surveillance and investigation but the assertion by the government that it makes either impossible is simply not true. The government remains able to read any message that it wants to badly enough. What they are complaining about is that they cannot read every message that they want to. The government tried to make this case in the 1990s and failed, yet today its capabilities dwarf anything it might have hoped for then. The open question is not whether to grant the state more power but whether or not the power that it now exercises is consistent with constitutional democracy and the Rule of Law. ]

Intruders Gains Access to Dam's Industrial Control System, US Power Grid (December 21, 2015)

According to the Wall Street Journal, cyber intruders based in Iran managed to gain access to an industrial control system of a flood control dam near New York City. They found an opening through a cellular modem. While the intruders did not take control of the dam, they did look around inside the system. In a related story, intruders also gained access to networks that operate the US power grid and stole passwords and power plant schematics.
-http://hosted.ap.org/dynamic/stories/U/US_INFRASTRUCTURE_POWER_GRID_CYBERATTACKS
_ABRIDGED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2015-12-21-03-
26-40
-http://www.theregister.co.uk/2015/12/21/iranian_hackers_target_new_york_dam/
-http://www.bbc.com/news/technology-35151492
-http://www.scmagazine.com/american-infrastructures-cybervulnerabilities-again-in
-the-spotlight/article/461043/
[Editor's Note (Assante): The stories reach a bit in their suggested implications of the specific dated incidents, but let it not be lost that organized and targeted cyber operations are directed at US infrastructure. By surrendering time and vital information to attackers we put these infrastructures at greater risk. Defense of ICS is doable and it is time we mount a credible defense. Join us at the ICS Summit (www.sans.org/u/aHb) this Feb to learn how! (Murray): The most efficient way to improve the security of the power generating and distribution system to use strong authentication whenever its controls connect to the public networks. ]

---

************************** SPONSORED LINKS ********************************
1) Know Before You Go: Key AWS Security Considerations. Tuesday, January 12 at 1:00 PM EDT (18:00:00 UTC) with Dave Shackleford and Matt Keil. http://www.sans.org/info/182497

2) Infosec Pros: Are your threat hunting efforts beneficial? Tell us in the new SANS Survey & enter to win $400 Amazon Gift Card. Thanks and Happy Holidays!! http://www.sans.org/info/182502

3) Don't Miss: Why You Need Application Security: Thursday, January 28 at 1:00 PM EDT (18:00:00 UTC) with Johannes Ullrich. http://www.sans.org/info/182507
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Microsoft Will Ban Man-in-the-Middle Ad Injection Software (December 21 and 22, 2015)

Microsoft will block ad injection software that makes use of man-in-the-middle (MiTM) techniques. The company says it aims "to keep the user in control of their browsing experience." Microsoft will begin enforcing the changes on March 31, 2016.
-http://www.zdnet.com/article/microsoft-to-ban-man-in-the-middle-adware-from-marc
h-31/
-https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-
in-users-hands/
[Editor's Note (Murray): Browsers should favor security over ads. It is "features" that make browsers the weak link in the desktop. ]

Oracle Reaches Settlement with FTC Over Java SE Security (December 21, 2015)

Oracle has reached a settlement with the US Federal Trade Commission (FTC) over charges that it misled consumers about the security of its Java SE software. In the terms of the settlement, Oracle does not admit to wrongdoing, and the company will pay no fines, but it will be required to notify users if they are running unsecure versions of Java SE and help them remove those versions. Java SE is installed on about 850 million computers.
-https://www.washingtonpost.com/news/the-switch/wp/2015/12/21/nearly-a-billion-pc
s-run-this-notoriously-insecure-software-now-oracle-has-to-clean-it-up/

Google Says it May Retire Support for SHA-1 Early (December 21, 2015)

Google is considering joining Microsoft and Mozilla in banning SHA-1-signed certificates as soon as July 1, 2016. Initially, browser vendors had said that they would stop trusting the certificates on January 1, 2017, but recent studies have shown that the algorithm is vulnerable to cracking. Mozilla and Microsoft have already indicated that they may ban the certificates in their browsers early.
-http://www.computerworld.com/article/3017612/security/google-joins-mozilla-micro
soft-in-pushing-for-early-sha-1-crypto-cutoff.html
[Editor's Note (Ullrich): Facebook and other large web sites noted that many users, in particular in developing countries, use browsers and operating systems that do not support anything beyond SHA-1. Facebook published code that would allow web servers to offer SHA-1 signed certificates to these legacy users. Certificate authorities are considering the option to still provide SHA-1 signed certificates (in addition to "modern" SHA-256 signed certs) to sites that implement this fall back mechanism. ]

Facebook Drops Flash for HTML5 (December 21, 2015)

Facebook has "switched to HTML5 from a Flash-based video player for all Facebook web video surfaces." The change to HTML5 for video is now the default for all browsers. Facebook is "work
[ing ]
together with Adobe to deliver a reliable and secure Flash experience for games."
-http://www.theregister.co.uk/2015/12/21/facebook_dumps_flash_for_video/
-http://www.scmagazine.com/facebook-ditches-flash-videos-to-boost-security/articl
e/461040/
-https://code.facebook.com/posts/159906447698921/why-we-chose-to-move-to-html5-vi
deo/
-http://www.zdnet.com/article/facebook-switches-to-html5-for-all-video-instead-of
-flash/

New Code Will Indicate When Web Content is Being Censored (December 21, 2015)

The Internet Engineering Steering group has approved a new HTTP code, 451, that will let users know when pages they are trying to access are unavailable for legal reasons. The new error status code aims to help users differentiate between pages that are unavailable due to technical errors and those that are unavailable due to deliberate government action.
-http://www.cnet.com/news/how-websites-will-let-you-know-when-theyre-censored/
-http://www.theregister.co.uk/2015/12/21/censorship_451_error_code_approved_by_ie
tf/

US Justice Department is Investigating Uber Breach (December 21, 2015)

The US Justice Department (DoJ) is investigating a data breach that compromised the identities and driver's license numbers of Uber drivers. An internal investigation at the company found indications that the breach was linked to rival company Lyft. Uber's investigation said the initial breach was conducted through an IP address that belongs to Lyft's chief technology officer, Chris Lambert, who has signed a sworn statement that he was not involved in the breach.
-http://thehill.com/policy/technology/263907-report-feds-probing-uber-data-breach

Hello Kitty User Database Unprotected (December 21, 2015)

A breach of sanriotown.com has exposed the personal information of 3.3 million Hello Kitty users. The database may have been open to intruders for more than a month. The vulnerable database was found by the same person who recently discovered the unprotected MacKeeper database.
-http://www.theregister.co.uk/2015/12/21/hello_kitty_hack_exposes_33_million_user
s_details/
-http://www.nbcnews.com/tech/security/hello-kitty-fan-database-leak-exposes-3-3-m
illion-users-n483976
-http://www.wired.com/2015/12/hello-kitty-hack/
[Editor's Note (Honan): This breach highlights the risks of children's personal data being held by companies. The key risk is the issue of identity theft as many of those affected may not be aware their identifies have been stolen until they reach adulthood and then apply for credit or other services. The standard "one year of free credit monitoring" will not be a sufficient salve in breaches affective children's data. ]

Guilty Pleas in Massive Software Piracy Case (December 17, 2015)

Six people have pleaded guilty to charges in what is being called "one
[of ]
the biggest software piracy cases, if not the biggest, the
[Justice ]
department has ever handled." Over six years, the fraud operation sold more than 170,000 pirated copies of Adobe and Microsoft products, amounting to more than US $100 million in sales.
-http://www.wired.com/2015/12/6-men-admit-to-running-a-giant-100m-software-piracy
-ring/

National Guard Cyber Protection Teams (December 14, 2015)

The National Guard has approved a joint cyber protection team comprising units from New Jersey and New York. The National Guard plans to activate 13 such units throughout 23 states by the end of FY 2019.
-https://gcn.com/articles/2015/12/14/national-guard-cyber-protection-team.aspx?ad
mgarea=TC_SecCybersSec
-http://www.army.mil/article/159759/National_Guard_set_to_activate_additional_cyb
er_units/

---

STORM CENTER TECH CORNER

Actor using Rig EK to deliver Qbot
-https://isc.sans.edu/forums/diary/Actor+using+Rig+EK+to+deliver+Qbot/20513/

VMWare Patches Commons Collections Library Deserialization Flaw
-http://www.vmware.com/security/advisories/VMSA-2015-0009.html

PCI Council Delays SSLv3 Abandonment
-https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FIN
AL_(002).pdf

Bypass McAfee Application Control
-http://en.wooyun.io/2015/12/15/Bypass-McAfee-Application-Control.html

Juniper Backdoor Webcast
-https://www.sans.org/webcasts/101482
(archive)

Word Update Deletes Normal.dot (Windows 10/Word 2016)
-http://answers.microsoft.com/en-us/office/forum/office_2016-word/normal-template
-wiped-again/a96dba06-68f7-40e8-a1a2-55ddef1bcca7?auth=1

Wifi Lightbulb Exploit
-http://blog.viktorstanchev.com/2015/12/20/the-many-attacks-on-zengge-wifi-lightb
ulbs/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/