SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Sign Up Now
• Editorial Board

Volume XVII - Issue #67

August 28, 2015

TOP OF THE NEWS

Healthcare Cybersecurity Survey - 80% Compromised
Chrome Will Block Flash Advertisements
Defense Contractor Cybersecurity Rules

THE REST OF THE WEEK'S NEWS

BitTorrent DRDoS Flaw Fixed
Apple Patches Ins0mnia Vulnerability with iOS 8.4.1
CERT/CC Alert: DSL Routers Have Hard-Coded Passwords
Dendroid Creator Pleads Guilty
Dark Market Agora is Going Dark
GitHub Fighting DDoS
NIST Releases Draft Cybersecurity Guidance for Electric Utilities
Auto Industry Groups Will Establish Industry ISAC

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By DomainTools ************************

Making DNS Your Greatest Ally in Active Defense. Thursday, September 03 at 1:30 PM EDT (17:30:00 UTC) with Dave Shackleford and Tim Helming. This webcast will cover ways to better defend against attacks and data exfiltration using DNS and large-scale threat intelligence.
http://www.sans.org/info/179872

***************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015| Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N

- --SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz

- --SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO

- -- SANS Baltimore 2015| Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- -- SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- -- SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Healthcare Cybersecurity Survey - 80% Compromised (August 27, 2015)

According to the 2015 Healthcare Cybersecurity Survey, more than 80 percent of healthcare organizations said that their systems have been compromised within the past two years. Attacks on healthcare IT systems have increased compared with the figures in earlier years. Among the reasons cited for the increase are the adoption of digital patient records and automated clinical systems; the use of outdated electronic medical records (EMRs) and clinical applications that were not designed to function in current networked environments; and networks that include patient data, medical device controls, and that are Internet connected.
-http://www.computerworld.com/article/2975988/healthcare-it/more-than-80-of-healt
hcare-it-leaders-say-their-systems-have-been-compromised.html
[Editor's Note (Murray): This is more evidence of the perverse effects of HIPAA. By requiring security for electronic records that were not applied to paper, HIPAA has left us with the worst of both worlds. The Veracode study found that the healthcare industry ranked below all others except government. ]

Chrome Will Block Flash Advertisements (August 28, 2015)

As of September 1, 2015, Google's Chrome browser will freeze "non-essential" Flash advertisements by default. The ads will play only if users click on the "Run This Plugin" button that will appear with the ad. "Essential" Flash content, including embedded video players, will be permitted to run automatically.
-http://www.theregister.co.uk/2015/08/28/google_says_flash_ads_out_september/
[Editor's Note (Pescatore): Adobe had a decade to try to make Flash secure, didn't. In any event, hard to think of any animated advertisement I would miss if it went away. (Murray): Opt-in is the right default. That said, our tolerance for Flash is a measure of our tolerance for risk. By that measure we are not very serious. Flash is "historically broken," not getting better, a weak point in the browser, the desktop, ubiquitous, persistent, and ultimately a risk to the infrastructure. ]

Defense Contractor Cybersecurity Rules (August 26, 2015)

New cybersecurity rules for US government defense contractors are now in effect. There is some concern among contractors that the government will amend past contracts to make the new rules retroactive. Over the past several years, the Defense Department has published three other policies laying out cybersecurity policies for vendors. The new regulation from the Pentagon, "Network Penetration Reporting and Contracting for Cloud Services," is more comprehensive than the earlier policies.
-http://www.nextgov.com/cybersecurity/2015/08/pentagon-tries-harmonize-contractor
-data-breach-rules/119498/?oref=ng-channelriver
[Editor's Note (Pescatore): One thing I learned after 11 years working in the defense contractor industry: no contractor ever lost money due to a contract change. There are lots of nice fishing boats out there with names like "Change Request." That said, the proposed rules have definitions of "compromise" and "cyber incident" that are way too broad - - strict interpretation would mean every contractor would need to be forwarding floods of false positives to the DIBnet web site essentially every 72 hours. ]

---

**************************** SPONSORED LINKS ******************************
1) Don't Miss: Securing Your Cloud Apps - Understanding the Shared Responsibility Model. Tuesday, September 01 at 1:00 PM EDT (17:00:00 UTC)featuring John Pescatore and John Yun. http://www.sans.org/info/179877

2) Help SANS map the future use of Security Analytics and Intelligence. Take 2015 survey and enter to win $400 Amazon gift card. Results Webcast in two parts 11/11 and 11/12. http://www.sans.org/info/179882

3) Learn the best practices for securing content in private & public clouds on 9/23 @ 1pm ET -- the Cloud Security Survey Results Webcast. Register: http://www.sans.org/u/7FG
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

BitTorrent DRDoS Flaw Fixed (August 27 & 28, 2015)

BitTorrent has fixed a vulnerability in its file sharing protocol that could be misused to launch distributed reflective denial-of-service (DRDoS) attacks. The flaw was traced to a problem in the libuTP reference implementation.
-http://www.theregister.co.uk/2015/08/28/bittorrent_blasts_bug/
-http://arstechnica.com/security/2015/08/bittorrent-patched-against-flaw-that-all
owed-crippling-dos-attacks/
-http://www.computerworld.com/article/2976590/security/bittorrent-patches-flaw-th
at-could-amplify-distributed-denial-of-service-attacks.html

Apple Patches Ins0mnia Vulnerability with iOS 8.4.1 (August 27, 2015)

Apple has fixed a flaw in its mobile iOS operating system that allows malicious applications to run continuously in the background. The Ins0mnia vulnerability, as it has been named by FireEye, lets apps run even when users terminate them and they do not appear in the task switcher. iOS normally lets apps run in the background for three minutes before suspending them; the vulnerability allows apps to bypass this restriction. Users are urged to update to iOS 8.4.1.
-http://www.zdnet.com/article/apple-ios-flaw-ins0mnia-hides-malicious-apps-which-
run-forever/
-http://www.theregister.co.uk/2015/08/27/ins0mnia_bug_means_malicious_ios_apps_ne
ver_die/

CERT/CC Alert: DSL Routers Have Hard-Coded Passwords (August 27, 2015)

The CERT Coordination Center (CERT/CC) has issued an alert warning that several DSL routers have hidden administrator accounts with easy to guess, hard-coded passwords. The affected routers are Asus DSL-N12E; Digicom DG-5524T; Observa Telecom RTA01N; Philippine Long Distance Telephone (PLDT) SpeedSurf 505AN; and ZTE ZXV10 W300. CERT/CC recommends that users "enable firewall rules so the telnet of the device is not accessible to untrusted sources
[as well as ]
rules that block SNMP."
-http://www.computerworld.com/article/2976935/security/some-routers-vulnerable-to
-remote-hacking.html
-https://www.kb.cert.org/vuls/id/950576

Dendroid Creator Pleads Guilty (August 25, 26 & 27, 2015)

Morgan Culbertson has pleaded guilty in federal court to conspiracy to damage protected computers for creating and selling the Dendroid malware tool. Dendroid was designed to allow users to take control of other people's Android devices.
-http://www.theregister.co.uk/2015/08/27/fireeye_intern_vxer_pleads_guilty_for_da
rkode_droid_rat_ruse/
-http://arstechnica.com/security/2015/08/former-security-intern-admits-developing
-super-stealthy-android-spyware/
-http://www.scmagazine.com/guilty-plea-by-malware-author-culbertson-for-peddling-
dendroid-rat/article/434887/
-http://www.post-gazette.com/business/tech-news/2015/08/25/Carnegie-Mellon-studen
t-Morgan-Culbertson-pleads-guilty-role-in-Darkode-marketplace/stories/2015082501
37

Dark Market Agora is Going Dark (August 26, 2015)

Tor dark market Agora will remove itself from the Internet in the wake of revelations that current security issues are exposing Tor Hidden Services. The vulnerabilities are reportedly being exploited to discover Agora's servers and operators. Agora's disappearance will likely be temporary.
-http://www.wired.com/2015/08/agora-dark-webs-biggest-drug-market-going-offline/
-http://www.computerworld.com/article/2976457/security/security-concerns-prompt-l
argest-tor-dark-market-to-suspend-operations.html
-http://arstechnica.com/security/2015/08/concerns-new-tor-weakness-is-being-explo
ited-prompt-dark-market-shut-down/

GitHub Fighting DDoS (August 26, 2015)

Code repository GitHub has been taking steps to protect its systems and the data they hold from an ongoing distributed denial-of-service (DDoS) attack. GitHub became aware of connectivity problems late Tuesday evening (August 25).
-http://www.zdnet.com/article/github-combats-ddos-cyberattack/
-http://arstechnica.com/security/2015/08/github-attacked-again-as-chinese-develop
ers-forced-to-pull-code-by-police/
-http://www.theregister.co.uk/2015/08/26/github_wobbles_under_ddos_attack/
[Editor's Note (Northcutt): GitHub is a social-networking-based version control system used for a number of interesting distributions including one to circumvent the so-called Great Wall of China. It seems like DDoS has been around as long as any of us can remember, but there have been a number of advances of late. In the ars technica link above, they have a chart showing the network spike, and you thought the Tesla Model S could accelerate fast:
-http://www.howtogeek.com/180167/htg-explains-what-is-github-and-what-do-geeks-us
e-it-for/
-http://securitywa.blogspot.com/2015/08/ddos-arbor-style.html]

NIST Releases Draft Cybersecurity Guidance for Electric Utilities (August 25 & 27, 2015)

The US National Institute of Standards and Technology (NIST) has released "Identity and Access Management for Electric Utilities," a draft guide to cybersecurity for US electric utilities. The guide describes a centralized access control system developed by NIST's National Cybersecurity Center of Excellence's (NCCoE). NIST is accepting comments on the document until October 23, 2015.
-http://www.nextgov.com/cybersecurity/2015/08/feds-urge-energy-companies-ramp-cyb
er-protections/119594/?oref=ng-channelriver
-http://www.computerworld.com/article/2975934/security/us-agency-warns-electric-u
tilities-to-bolster-authentication.html
-https://nccoe.nist.gov/projects/use_cases/idam
-https://nccoe.nist.gov/sites/default/files/nccoe/NIST_SP1800_2a_ES_IDAM_Exec_Sum
m.pdf
[Editor's Note (Murray): NIST is recommending that all controls (connected to the public networks) use common IAM across the utility. Historically many of these controls have been deployed and connected by departments, not to say ad hoc, often with only local controls e.g., shared passwords, to limit access. The use of strong authentication is the first and most essential mechanism for protecting infrastructure controls. Google remains a strong example of how to implement strong authentication. ]

Auto Industry Groups Will Establish Industry ISAC (August 24, 2015)

Car manufacturers are working together to help each other protect vehicles from cyberthreats. The Alliance of Automobile Manufacturers and the Association of Global Automakers are cooperating to establish an industry Information Sharing and Analysis Center (ISAC) to disseminate information about industry-specific cyber threats and to share best practices.
-http://www.scmagazine.com/car-industry-bands-together-to-thwart-hacking-threats/
article/435239/
-http://www.autonews.com/article/20150824/OEM06/308249985/automakers-form-allianc
e-to-bolster-cybersecurity

---

STORM CENTER TECH CORNER

Obfuscating Malicious Word Macros Inside PDFs
-https://isc.sans.edu/forums/diary/PDF+maldoc1+maldoc2/20079/

Patch For BitTorrent Traffic Amplification Bug
-http://engineering.bittorrent.com/2015/08/27/drdos-udp-based-protocols-and-bitto
rrent/

Adobe Cold Fusion Patch
-https://helpx.adobe.com/security/products/coldfusion/apsb15-21.html

Iranian Attackers Phish Google 2FA Tokens
-https://citizenlab.org/2015/08/iran_two_factor_phishing/

TeslaCrypt 2.0 Malware Moves Back to Angler from Neutrino EK
-https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back
+to+Angler/20075/

Hardcoded Default Admin Password in Serveral DSL Routers
-http://www.kb.cert.org/vuls/id/950576

Paypal Introduced "One Click" Payments
-https://stories.paypal-corp.com/home/paypal-one-touch-is-now-being-used-by-milli
ons-of-people-and-available-in-16-countries

Malware in Embeded RTF Documents
-http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
rat-uwarrior/

GRSecurity Restricting Availability of Stable Patches
-https://grsecurity.net/announce.php

Dropbox Phishing
-https://isc.sans.edu/forums/diary/Dropbox+Phishing+via+Compromised+Wordpress+Sit
e/20073/

Recordable Activator Exploits Certifigate Vulnerability
-http://blog.checkpoint.com/2015/08/25/certifigate-statistics-exploitation-mitiga
tion/

Malware uses AutoIT to Run Macros
-https://threatpost.com/autoit-used-in-targeted-attacks-to-move-rats/114406

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/