Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #2

January 08, 2016

TOP OF THE NEWS

Ukraine Power Attack Wider Than Thought
Dell Customer Data May Have Been Breached
Time Warner Customer Data Breached
Bad Apps in Google Play

THE REST OF THE WEEK'S NEWS

Draft Investigatory Powers Bill Draws Criticism from ICO, US Tech Companies
Let's Encrypt Won't Revoke Certificate Used in Malware
Mozilla Temporarily Suspends Firefox Ban on SHA-1 Certificates
Schein Fined for Misrepresenting Data Protection in its Software
Comcast Home Security System Vulnerabilities
Linux Ransomware Thwarted Again
FTC Chair Sees Progress on Safe Harbor Agreement with EU
Microsoft is Retiring Older Versions of Internet Explorer
Linode Forces Password Reset

STORM CENTER TECH CORNER


TOP OF THE NEWS

Ukraine Power Attack Wider Than Thought (January 5, 2016)

ESET reported that multiple other utilities, all customers of ESET, were affected by malware similar to the software found on the systems of Prykarpattyaoblenergo, although the latter was the only Ukraine electric firm that reported a power outage.
-http://fortune.com/2016/01/05/cyber-attack-ukraine/

Dell Customer Data May Have Been Breached (January 6, 2016)

An emerging tech support scam targeting Dell users suggests that its customer data were breached. The callers appear to know computer model and serial numbers, as well as past issues for which users have contacted Dell support.
-http://arstechnica.com/security/2016/01/latest-tech-support-scam-stokes-concerns-dell-customer-data-was-breached/

-http://www.10zenmonkeys.com/2016/01/04/dell-computers-has-been-hacked/

Time Warner Customer Data Breached (January 6 and 7, 2016)

Time Warner Cable has acknowledged that intruders may have stolen email passwords of as many as 320,000 of its customers. The company is alerting customers through email or the post.
-http://thehill.com/policy/cybersecurity/265042-time-warner-cable-warns-320000-customers-of-hack

-http://www.theregister.co.uk/2016/01/07/twc_customer_hack/
-http://www.nbcnews.com/tech/security/time-warner-warns-customers-their-emails-passwords-may-have-been-n491686

Bad Apps in Google Play (January 7, 2016)

Several apps available from the Google Play store have been found to make downloads without permission and to attempt to gain root access to the devices on which they are running. Google has removed 13 malicious apps from the store; at least one of them had been downloaded nearly one million times.
-http://arstechnica.com/security/2016/01/malicious-apps-in-google-play-made-unauthorized-downloads-sought-root/



THE REST OF THE WEEK'S NEWS

Draft Investigatory Powers Bill Draws Criticism from ICO, US Tech Companies (January 7, 2016)

UK Information Commissioner Christopher Graham told the Draft Investigatory Powers Bill Select Committee that there is no apparent justification for the proposed 12-month data retention period. Graham also said that the bill should include a sunset clause, so that legislators can re-evaluate and amend the data collection provisions.
-http://www.v3.co.uk/v3-uk/news/2440887/ico-questions-12-month-data-retention-plans-under-snoopers-charter-draft

US technology companies Facebook, Google, Microsoft, Twitter and Yahoo have provided a joint submission to the British government in which they offer their criticism of the bill. Among other concerns, they object to a provision that would require tech companies to help intelligence agencies access computers and phones.
-http://www.v3.co.uk/v3-uk/news/2440963/microsoft-google-and-facebook-slam-governments-encryption-plans-in-snoopers-charter

-http://www.nbcnews.com/tech/security/u-s-tech-giants-warn-u-k-s-proposed-spying-n492301

Text of Joint Submission:
-http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26367.html

Let's Encrypt Won't Revoke Certificate Used in Malware (January 7, 2016)

A malvertising campaign that attempted to install malware to steal financial account credentials on users' computers has been found to be using an SSL/TLS certificate from the Let's Encrypt project, which offers free SSL/TLS certificates. While revoking certificates is technically possible, Let's Encrypt's policy is not to do so. The organization said that certificate authorities (CAs) are not meant to be "content watchdogs."
-http://www.computerworld.com/article/3019947/security/malvertising-campaign-used-a-free-certificate-from-lets-encrypt.html

-https://letsencrypt.org/2015/10/29/phishing-and-malware.html
-http://blog.trendmicro.com/trendlabs-security-intelligence/lets-encrypt-now-being-abused-by-malvertis

[Editor's Note (Pescatore): I'd like to see Let's Encrypt's sponsors (like Cisco, Facebook, Chrome, Mozilla, etc.) rethink this position because I think their logic is flawed here - because they are almost exclusively focusing on the "encrypt the bits on the wire" side of security vs. security overall. I would hate to see all CAs say "we will never revoke certs that are maliciously used." Doesn't mean CAs have to be "content police" - even for simple Domain Verification certs. Everyone switching to HTTPS makes it harder for governments to bulk collect but does little to nothing about real world attacks outside of that - unless TLS is thought of as needing stronger authentication on each end along with encrypting the bits that flow in between. (Murray): CAs are "not intended to be content watchdogs." They are intended to vouch for identity. That is an expensive process; it cannot be done for free. To paraphrase Gresham, cheap certificates will drive dear ones from the public space. What am I missing? ]

Mozilla Temporarily Suspends Firefox Ban on SHA-1 Certificates (January 7, 2016)

Mozilla has temporarily lifted its ban on SHA-1 certificates after some Firefox users reported being unable to connect to encrypted HTTPS sites. The issue does not affect the majority of Firefox users; others can address the problem by upgrading to Firefox version 43.0.4, which Mozilla released on Wednesday, January 6.
-http://www.zdnet.com/article/firefox-ban-on-sha-1-dropped-after-some-are-locked-out-of-https-sites/

-http://www.theregister.co.uk/2016/01/07/mozilla_warns_firefox_users_that_sha1_ban_could_bork_their_security/

-http://arstechnica.com/security/2016/01/firefoxs-ban-of-sha-1-certs-causing-some-security-issues-mozilla-warns/

-https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/

[Editor's Note (Murray): It was a given that a minority of users would be impacted but that most would only have to move to a current version. Inconvenience to a minority is too often a justification for tolerating vulnerabilities. (Northcutt): I have done the update on both El Capitan Mac and Windows 10. All plugins are intact, this is my default browser on both operating systems and so far, no problems. ]

Schein Fined for Misrepresenting Data Protection in its Software (January 5 and 7, 2016)

The US Federal Trade Commission (FTC) has fined a dental software company US $250,000 for misrepresenting the level of protection it provided for patient data. Henry Schein Practice Solutions claimed its Dentrix G5 software included encryption that would protect customer data in accordance with Health Insurance Portability and Accountability Act (HIPAA) requirements. In fact, Dentrix G5 did not meet the standards Schein claimed it did.
-http://www.darkreading.com/risk/on-heels-of-oracle-settlement-ftc-burns-company-for-security-practices/d/d-id/1323797?

-http://www.scmagazine.com/schein-to-pay-250k-to-ftc-for-misleading-encryption-claims/article/463824/

-https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled

Comcast Home Security System Vulnerabilities (January 5 and 6, 2016)

Vulnerabilities in Comcast's XFINITY home security system could be exploited to trick the system into thinking that a home is protected when it is not. The flaws could be manipulated to make the system report that doors and windows are secured when they are not. The system could also be tricked into not detecting an intruder's motion.
-http://www.scmagazine.com/flaw-found-in-comcasts-xfinity-home-security-system/article/463488/

-http://www.wired.com/2016/01/xfinitys-security-system-flaws-open-homes-to-thieves/

-http://www.zdnet.com/article/comcast-xfinity-home-security-system-flaw-lets-a-hacker-become-a-thief/

Linux Ransomware Thwarted Again (January 6 and 7, 2016)

The group behind the Linux.Encoder malware has tried for a third time to infect Linux machines with ransomware, and once again, the malware uses poorly implemented encryption. Researchers have been able to develop tools to decrypt affected files without paying ransom.
-http://www.theregister.co.uk/2016/01/07/plain_cruelty_boffins_flay_linux_ransomware_for_the_third_time/

-http://www.computerworld.com/article/3019676/security/third-time-is-no-charm-for-failed-linux-ransomware-creators.html

FTC Chair Sees Progress on Safe Harbor Agreement with EU (January 6, 2016)

US Federal Trade Commission (FTC) chair Edith Ramirez told an audience at the CES trade show that the US is "well on [its] way" to reaching a new safe harbor agreement with the European Union (EU). Last fall, an EU court rejected an agreement because it did not satisfy EU privacy requirements for storing personal data. The agreement would apply to US companies doing business in the EU. Ramirez expects an agreement will be reached by the end of the month.
-http://thehill.com/policy/technology/264977-ftc-chair-says-us-well-on-our-way-to-new-data-pact-with-europe

Microsoft is Retiring Older Versions of Internet Explorer (January 6 and 7, 2016)

Microsoft's upcoming January 12 updates for older versions of Internet Explorer (IE) will be the last; after the January updates, IE 8, 9, and 10 will no longer be supported. Users will be asked to upgrade to IE 11 or to Edge. There are several exceptions, including IE 9 running on Windows Vista SP2; IE 9 running on Windows Server 2008 SP2; and IE 10 running on Windows Server 2012.
-http://www.theregister.co.uk/2016/01/06/ie_versions_retiring_soon/
-https://www.washingtonpost.com/news/the-switch/wp/2016/01/06/microsoft-will-stop-updating-anything-older-than-internet-explorer-11-but-millions-are-still-using-the-old-browsers/

-http://www.csmonitor.com/Technology/2016/0107/Microsoft-is-pulling-the-plug-on-old-versions-of-Internet-Explorer

-https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/

[Editor's Note (Pescatore): It is pretty much time for IT to think of software the way pharmacies think of pills - there is a one year "use by" date stamped on it, not a three/five/ten years stamp... ]

Linode Forces Password Reset (January 5 and 6, 2016)

Cloud-hosting company Linode is requiring all users to change their passwords in the wake of a series of distributed denial-of-service (DDoS) attacks that began on December 25. The password change was prompted by "the discovery of two Linode.com user credentials on an external machine."
-http://www.theregister.co.uk/2016/01/05/linode_resets_passwords_after_credential_leak/

-http://www.eweek.com/security/linode-resets-passwords-as-ddos-attacks-continue.html

-http://status.linode.com/incidents/dpdldmhgjbhl

STORM CENTER TECH CORNER

LastPass 4.0 Emergency Password Recovery
-https://blog.lastpass.com/2016/01/introducing-lastpass-4-0.html/

Comcast Alarm System Does Not Detect DoS
-https://community.rapid7.com/community/infosec/blog/2016/01/05/r7-2015-23-comcast-xfinity-home-security-system-insecure-fail-open

Node.js memory disclosure via "ping"
-https://nodesecurity.io/advisories/67

Wire Transfer Fraud Example
-https://isc.sans.edu/forums/diary/A+recent+example+of+wire+transfer+fraud/20581/

Red vs. Blue: PowerSploit vs. PowerForensics
-https://isc.sans.edu/forums/diary/toolsmith+112+Red+vs+Blue+PowerSploit+vs+PowerForensics/20579/

Vulnerability in Silent Circle "Blackphone"
-https://www.sentinelone.com/blog/vulnerability-in-blackphone-puts-devices-at-risk-for-takeover/

Transcript Collision Attack
-http://www.mitls.org/downloads/transcript-collisions.pdf

Changes to Retrieving Data with Automated Scripts from ISC/DShield
-https://isc.sans.edu/forums/diary/Site+Updates+ISCDShield+API+and+ipinfoasciihtml+Page/20577/

More Trouble For Drupal
-http://blog.ioactive.com/2016/01/drupal-insecure-update-process.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/