SANS NewsBites

Volume XVII - Issue #71

September 11, 2015

In the plethora of stories this week, you might miss the Netflix decision to drop anti-virus tools (third story in Top of the News). Pescatore's comment explains why it matters. We are seeing large organizations rethinking their entire security budget around questions like "Have we layered too many things? Can we replace our expensive foundation tools (AV, weak NOCs, etc.) with much more effective technology at lower cost?" One government agency has announced it will revert to zero-based budgeting this year on over $110 million in cybersecurity spending. As news of these decisions spreads, cybersecurity managers might want to start rethinking their architecture so they can prove the tools they deploy reflect the best use of their corporate resources.



First Round of Monthly Android Updates
Android Ransomware Resets Lockscreen PINs
Netflix Dumps Anti-Virus to Invest In Important Defenses


DHS Officials' Advice Sounds Counterintuitive
GM and OnStar Vulnerabilities and Patches
Apple to DoJ: We Can't Give You Real-time Access to iMessage
Microsoft eMail Warrant Case: Attorney Says a Decision in Favor of Government Could Start a "Global Free-for-All"
Turla Malware Group Hid Command-and-Control Traffic in Satellite Links
Stagefright Exploit Code Made Public
Excellus Bluecross BlueShield Breach Affects 10.5 Million
Akamai Says Bitcoin Ransom DDoS Group Targeting Financial Services Companies
Documents Show DoE Computer Systems Breached 159 Times in Four Years
DHS Warns of Spear Phishing Attack Targeting Critical Infrastructure Organizations
US Justice Department Wants to Clarify Intent of CFAA
WhatsApp vCard Vulnerabilities
Microsoft Patches Flaws in Windows, Office, and Edge
Man Sentenced for Running Illegal Movie Streaming Site



********************* Sponsored By Sophos Inc. ***************************

Dance like no one's watching. Encrypt like everyone is! You know you have sensitive data, but what's the best way to go about protecting it? To help you get started we've put together a straightforward encryption guide that you don't need an Enigma machine to decipher. Download Whitepaper >>



- --SANS Network Security 2015| Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses

- --Data Breach Investigation Summit and Training | Dallas, TX | September 21-26, 2015 | 4 courses

- --SANS Baltimore 2015| Baltimore, MD | September 21-26, 2015 | 4 courses

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses

- --SANS Tysons Corner 2015 | Tysons Corner, VA | October 12-17, 2015 | 8 courses

- --SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses

- --SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI



First Round of Monthly Android Updates (September 10, 2015)

Google has posted its first set of what are expected to be monthly updates for the Android mobile operating system. Google has made available updates for Nexus users. There is not an overarching system for Android updates; OEMs (original equipment manufacturers) and carriers must cooperate to make the fixes work for their own particular combinations of service and devices.

Android Ransomware Resets Lockscreen PINs (September 10, 2015)

Ransomware targeting Android phones locks users out of their devices by changing the lockscreen PIN, according to researchers at ESET. Victims can either pay US $500 to unlock the device or perform a factory reset, which deletes all the data the device holds. The ransomware is currently spreading through unofficial app stores disguised as a pornography viewer app.


[Editor's Note (Northcutt): I wrote a LinkedIn Pulse article on this yesterday morning. The folks that discovered the problem, Zscaler, suggest getting your apps only from Google Play or the Amazon Appstore:

Netflix Dumps Anti-Virus to Invest In Important Defenses (August 27, 2015)

Netflix says it is dumping anti-virus technology for "next generation protection."

[Editor's Note (Pescatore): This type of movement is great to see and long overdue. What Netflix is really saying is "signature based AV is still needed for what it does well but that part of protecting Windows PCs needs to be much cheaper, our desktop security dollars need to go to higher value protection." Signatures aren't dead, they are a very efficient way of dealing with easy problems - the emphasis and spending has to shift to the harder problems. The Windows PC portion of the security problem is flat to declining and the value of AV has been dropping rapidly as threats became more targeted. Pricing has been dropping but the traditional AV vendors had become addicted to what I've long called "signature crack" - an addictive business model that provides revenue for the dealer but little nutrition for the buyer. ]

**************************** SPONSORED LINKS ******************************
1) Threats in the Unknown: Applied intelligence-driven approaches to real-time threat detection. Thursday, September 17 at 1:00 PM EDT (17:00:00 UTC) with Jasper Graham. http://www.sans.org/info/180212

2) Critical Security Controls Update: How to Keep Pace with Advanced Endpoint Threats. Wednesday, September 16 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Hermes Bojaxhi. http://www.sans.org/info/180217

3) A Proactive Approach to Incident Response. Tuesday, September 22 at 1:00 PM EDT (17:00:00 UTC) featuring Jacob Williams and Alan Hall. http://www.sans.org/info/180222


DHS Officials' Advice Sounds Counterintuitive (September 10, 2015)

A US Department of Homeland Security (DHS) official said that federal agencies should not try to boot attackers out of their computer networks on their own. Ann Barron-DiCamillo, director of the DHS US Computer Emergency Readiness Team, said that agencies should bring in outside investigators quickly. If the agencies take steps on their own too soon, they risk alerting the intruders that their presence has been detected, and they risk destroying valuable information. DHS CIO Richard Spires said that all federal data centers should be shut down. Many data centers are on legacy systems that are no longer supported and are therefore vulnerable to attacks. Spires recommends that agencies outsource data centers to FedRAMP certified cloud services providers.

[Editor's Note (Pescatore): Imagine if the Fire Department said, "don't use your home fire extinguisher" because it might destroy evidence of arson. That said, the basic DHS advice is pretty solid: if you don't have a mature incident response process (and OPM, Sony and many others obviously did not), have professionals do it for you or you may cause more harm than good. (Northcutt): Organizations, private or government, need qualified Digital Forensic Investigative and Response (DFIR) people on staff, and they need to lead in a crisis. ]

GM and OnStar Vulnerabilities and Patches (September 10, 2015)

Five years ago, researchers found vulnerabilities in the on-board computer of a vehicle model they declined to name at the time. They informed the company of the problem; nearly five years later, GM fixed the security issue in its OnStar dashboard computer system. The researchers' exploit code, which they had shared with GM in 2009, allowed them "complete control of the car except the steering." The researchers acknowledge that the update environment five years ago differed significantly from today's environment; the automobile companies did not have the ability to address the vulnerabilities widely and quickly. GM has since developed the capacity to push out updates wirelessly. When GM learned of a vulnerability earlier this summer, it was able to push out a fix within two days.

[Editor's Note (Murray): In the "Internet of Things (IoT)" the capability that is included to facilitate late change is proving to be the weak link. While the "thing" is purpose built, the late change code is being copied from other sources, large, gratuitous, and vulnerable. ]

Apple to DoJ: We Can't Give You Real-time Access to iMessage (September 7, 8, & 9, 2015)

Over the summer, the US Justice Department served a court order on Apple, demanding that the company provide DOJ with real-time text messages sent between suspects in a case involving guns and drugs. Apple replied that it was unable to comply because the iMessage system encrypts communications on individual devices and Apple does not have the key. Apple only has copies of messages if users save them to iCloud.



[Editor's Note (Murray): We cannot expect Apple, Google, Microsoft, et al. to put themselves between the nation states of the world and their customers, nor do we want them to be the arbiters. We need a technical solution to this dilemma like the "Lotus Notes Crypto Compromise" that removes service providers from the loop, that allows the government access to any message that it wants while denying it access to every record that it wants. ]

Microsoft eMail Warrant Case: Attorney Says a Decision in Favor of Government Could Start a "Global Free-for-All" (September 9 & 10, 2015)

In arguments in a closely-watched case now in federal court, Microsoft lawyers warned that if the court forces the company to comply with the US government's request for email messages stored on a server in Ireland, it could instigate a "global free-for-all," with other countries demanding the same sort of access to data. Microsoft has the support of many in the technology industry.


[Editor's Note (Pescatore): Not really a free-for-all coming, but things like treaties or consensus agreements where global partners who share common values (NATO, the G-8, etc.) agree on some rules for common law enforcement mechanisms that will invariably have some impact on privacy. Most societies consistently decide that with every new technology there is a societal need for monitoring criminals, and a compromise is made between the total access governments would like and the technology sellers' desire for zero access. (Honan): From discussions with clients here in Ireland and throughout Europe, if Microsoft lose their appeal, that decision will have a major impact for US-based cloud providers and tech companies. Many organisations based outside the US will avoid using US technology, while criminals will simply do the same. The only people who will suffer will be the vendors and customers. ]

Turla Malware Group Hid Command-and-Control Traffic in Satellite Links (September 8 & 9, 2015)

According to Kaspersky Lab, cyber criminals in Russia are running their attacks through satellites, making it very difficult to trace the source of an attack. The group using this tactic is known as Turla. The malware they used communicated with command-and-control servers via hijacked satellite-based Internet links. The group appears to have been using this technique for at least eight years.




Stagefright Exploit Code Made Public (September 9 & 10, 2015)

Exploit code for the Stagefright vulnerability that affects Android devices has been made public. Fixes for the flaw have been developed, but Google and other companies are still distributing them. Some of the patches are reportedly flawed.



Excellus BlueCross BlueShield Breach Affects 10.5 Million (September 9 & 10, 2015)

New York state-based health insurance company Excellus BlueCross BlueShield and its affiliate, Lifetime Healthcare, have experienced a data breach. Excellus learned last month that intruders had first accessed its systems in December 2013. As many as 10.5 million people may be affected by the breach.



[Editor's Note (Honan): Apparently Excellus decided to examine their network for intruders based on information shared with them by the FBI following the Anthem breach. A good example of how effective information sharing can help other affected organisations. ]

Akamai Says Bitcoin Ransom DDoS Group Targeting Financial Services Companies (September 10, 2015)

Akamai says that a group of cybercriminals is threatening banks, media companies, and gaming companies with distributed denial-of-service (DDoS) attacks unless they pay a ransom in bitcoins. The particular group that Akamai has been tracking has launched more than 140 attacks in the past 10 months. The ransoms vary; the highest one reported was 50 bitcoins.


Documents Show DoE Computer Systems Breached 159 Times in Four Years (September 9 & 10, 2015)

According to information obtained by USA Today through a Freedom of Information Act (FOIA) request, the US Department of Energy's computer systems were breached by attackers more than 150 times between 2010 and 2014. There were many failed attempts to break into the systems; the success rate was roughly 15 percent.


DHS Warns of Spear Phishing Attack Targeting Critical Infrastructure Organizations (September 9, 2015)

The US Department of Homeland Security has warned providers of the country's critical infrastructure that a spear-phishing campaign targeting their networks has been detected. DHS did not identify the suspected source of the attacks.

[Editor's Note (Assante): DHS is shining a spotlight on the use of spear phishing to intrude upon infrastructure organizations. This technique is being successfully used by a diverse set of threat actors. More concerning is the focus by some to exploit the inherent trust between suppliers and ICS end users. Phishing is but one delivery method, as trojanizing ICS software and water-holing have also been observed. ]

US Justice Department Wants to Clarify Intent of CFAA (September 9, 2015)

The US Computer Fraud and Abuse Act (CFAA) was enacted in 1986. Its intent was to provide punishments for people who broke into someone else's computer network and stole information. The law has been criticized for being overly broad: there are concerns that people could be prosecuted for activity that is not actually harmful but which technically meets the criteria for a violation. DoJ wants to make it clear that to be prosecuted under the CFAA, the attacker has to "exceed access for nefarious purposes."

WhatsApp vCard Vulnerabilities (September 9, 2015)

WhatsApp has fixed vulnerabilities in its web app that could be exploited to manipulate users into executing arbitrary code on their devices. To exploit the flaw, an attacker would need to send the target a vCard that contains malicious code.



Microsoft Patches Flaws in Windows, Office, and Edge (September 8 & 9, 2015)

On Tuesday, September 8, Microsoft released a dozen security bulletins to address 56 security issues in Windows, Microsoft Office, and its new Edge browser. The patches include fixes for five critical flaws, two of which affect all supported versions of Windows.



Man Sentenced for Running Illegal Movie Streaming Site (September 8, 2015)

A judge in Ireland has sentenced Paul Mahoney to two years in prison and two years of supervised release for operating a website that streamed pirated versions of movies as well as sites that provided links to pirated content. Mahoney earned nearly GBP 300,000 (US $463,000) from advertisements on his websites. The prosecutor in the case noted that if each of the views had been a legitimate purchase, they would have generated GBP 120 million (US $185.2 million) but because the majority of those who viewed the movies would not have made a purchase, the losses were estimated at GBP 12 million (US $18.5 million).



TSA Luggage Master Keys Replicated

Malicious vCard Exploit for WhatsApp Web

Yahoo! Messenger Exploit

Wikipedia Publishes SSL Cipher Dashboard

A look through the spam filter

More on .ZIP URLs

Police Officer in Iowa Uses WiFi Sniffer to Find Stolen Devices

FireEye Published Patch for HX Series of Devices

Stagefright Exploit Now Publicly Available

Craigslist/Paypal Advance Fee Scam

Microsoft September Patch Tuesday

Adobe Shockwave Player Patch

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/