Save $200 on Cyber Security Training at SANS Miami 2018. Ends 12/27.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #49

June 21, 2016

TOP OF THE NEWS

More Data Saying Chinese Attacks Are Slowing Down
Acer Payment Card Information Stolen
Pentagon to Launch New Security Clearance Database

THE REST OF THE WEEK'S NEWS

VA Chooses Medical Device UL Certification Program
Bad Tunnel Vulnerability in Windows
T-Mobile Czech Republic Customer Records Stolen
Hack the Pentagon Program Will be Expanded
Citrix Forces Password Reset Following GoToMyPC Attack
Tesco Bank App Won't Run on Phones with Tor Installed
RAA Ransomware Coded in JavaScript
Former Cybersecurity Officials Argue for Formalizing Vulnerability Purchase Policy

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored by Splunk *******************************

Security and operational visibility are critical in AWS deployments. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS. Learn more:
(http://www.sans.org/info/185792)

***************************************************************************

TRAINING UPDATE

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 |
https://www.sans.org/event/digital-forensics-summit-2016

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 |
https://www.sans.org/event/salt-lake-city-2016

--SANS Rocky Mountain | Denver, CO | July 11-16 |
https://www.sans.org/event/rocky-mountain-2016

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 |
https://www.sans.org/event/minneapolis-2016

--SANS San Antonio | San Antonio, TX | July 18-23 |
https://www.sans.org/event/san-antonio-2016

--Industrial Control Systems Security Training | Houston, TX | July 25-30 |
https://www.sans.org/event/ics-houston-summit-training-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 |
https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 |
https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | August 22-27, 2016 | Anchorage, AK |
https://www.sans.org/event/alaska-2016

***************************************************************************

TOP OF THE NEWS

More Data Saying Chinese Attacks Are Slowing Down (June 21, 2016)

More data from FireEye (Mandiant) saying Chinese hacking of corporate and government networks in the U.S. and other countries has declined by more than 80%. CrowdStrike also noticed the drop.
-http://www.wsj.com/articles/china-based-hacking-incidents-see-dip-cybersecurity-
experts-say-1466467316

-http://thehill.com/policy/cybersecurity/284235-security-firm-sees-sharp-decline-
in-chinese-hacking

[Editor's Note (Paller): For more than a decade, China used a noisy approach, vacuuming up everything that might be interesting and taking it all, relying on thousands of humans to sift through it to find what was most valuable. (The CIA appropriately dubbed China's approach "a thousand grains of sand.") Russia, on the other hand, uses stealthy techniques for hacking, going after only what they needed and hiding below the sensitivity of most commercial tools. Now that there is high-level pressure (from the White House) on the noisy approach, odds are China has moved to stealthier methods which are harder for companies to notice and therefore provide fewer opportunities to call in outside incident handlers. ]

Acer Payment Card Information Stolen (June 17 and 20, 2016)

Acer says that a breach that compromised personal information of more than 34,000 customers was due to the fact that the data were stored "in an unsecured format." The compromised data include payment card numbers and associated CVC security codes. ZDNet: Acer store flaw let a hacker steal a year's worth of credit cards
-http://www.zdnet.com/article/acer-online-store-flaw-let-hackers-steal-a-years-wo
rth-of-credit-cards/

Computerworld: Acer security breach exposes data of 34,500 online shoppers
-http://www.computerworld.com/article/3086155/security/acer-security-breach-expos
es-data-of-34500-online-shoppers.html

SC Magazine: Acer breach caused by improperly stored data
-http://www.scmagazine.com/345k-affected-in-acer-breach/article/504337/
[Editor's Note (Murray): One waits with growing impatience for a plan from the credit card brands and issuers to eliminate the magnetic stripe and the replacement of credit card numbers with digital tokens. Systems like Apple, Android, and Samsung Pay can protect those consumers that employ them but leave the merchants exposed as long as they must maintain backwards compatibility to credit card numbers in the clear. In the meantime, the protection of PCI must not be entrusted to amateurs. Most online merchants should consider employing proxies like PayPal, Amazon, Visa Checkout, and Master Pass to process customer credit card numbers. ]

Pentagon to Launch New Security Clearance Database (June 20, 2016)

The Pentagon plans to launch a new database that will be used for comprehensive background checks of people seeking security clearances. Known as the Defense Information System for Security (DISS), the database will incorporate two tools currently used to preform this function: the Joint Personnel Adjudication System, now known as the Joint Verification System; and the Case Adjudication Tracking System. DISS will help support the use of continuous evaluation of personnel. Currently, personnel are re-investigated every five years.
Nextgov: Pentagon Prepares to Launch a Mega Database for Screening National Security Workers

-http://www.nextgov.com/defense/2016/06/pentagon-prepares-launch-mega-database-sc
reening-national-security-workers/129212/?oref=ng-channelriver



*************************** SPONSORED LINKS *****************************
1) Watch this webinar and learn how to achieve a new level of security for your Office 365 deployment: (https://www.brighttalk.com/webcast/13361/201387?cid=70138000000eMqdAAE&mc=19
9237&ot=wc&tt=tp)


2) It's hard to regain customers trust once broken. Protect your relationships with LifeLock. Learn How: (https://www.lifelockbusinesssolutions.com/industries/lifelock-breach-solutions/?
utm_source=sans&utm_medium=newsletter_textad&utm_content=newsletter_text
ad&utm_campaign=2016H1)


3) Beyond Infiltration: Conquering all Stages of the Attack Lifecycle. Tuesday, July 12th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Lotem Guy and John Pescatore. Register here: (https://www.sans.org/webcasts/infiltration-conquering-stages-attack-lifecycle-10
2457)

***************************************************************************

THE REST OF THE WEEK'S NEWS

VA Chooses Medical Device UL Certification Program (June 20, 2016)

The US Department of Veterans Affairs has entered into an agreement to use Underwriters Laboratories (UL) standards to test the security of Internet-connected medical devices. According to the Cooperative Research and Development Agreement, the VA will use UL's Cybersecurity Assurance Program to establish cybersecurity requirements for network-enabled medical devices as well as for associated IT equipment. Dark Reading: Veterans Administration Adopts UL Security Certification Program For Medical Devices
-http://www.darkreading.com/vulnerabilities---threats/veterans-administration-ado
pts-ul-security-certification-program-for-medical-devices/d/d-id/1325968?

[Editor's Note (Pescatore): Many medical device manufacturers have hidden behind the FDA device certificate as the reason they can't patch medical devices/machinery, even though the FDA has issued multiple guidance memos saying patching does *not* necessarily require recertification, and that manufacturers are required to address known vulnerabilities. This long-running, active ignoring of security issues in medical devices is spawning multiple certification efforts, such as this CRADA and ICSA's IoT Certification program. Anything that puts pressure on the manufacturers to reach basic security hygiene levels is a good thing. ]

Bad Tunnel Vulnerability in Windows (June 20, 2016)

A security flaw that could be exploited to intercept and decrypt digital traffic affects all versions of Microsoft Windows back to Windows 95. The man-in-the-middle vulnerability, known as Bad Tunnel, allows NetBIOS spoofing across networks. The flaw was patched in Microsoft's June 14 batch of fixes; users running Windows XP are urged to disable NetBIOS over TCP/IP. SC Magazine: BadTunnel flaw affects every Windows OS
-http://www.scmagazine.com/badtunnel-flaw-affects-every-windows-os/article/504170
/

International Business Times: BadTunnel: Critical vulnerability affects every version of Microsoft's OS since Windows 95
-http://www.ibtimes.co.uk/badtunnel-critical-vulnerability-affects-every-version-
microsofts-os-since-windows-95-1566458

T-Mobile Czech Republic Customer Records Stolen (June 20, 2016)

A T-Mobile employee in the Czech Republic reportedly stole and tried to sell customer marketing information. According to news stories, the compromised data affect roughly 1.5 million T-Mobile customers. The T-Mobile Czech Republic managing director said that there was "no actual data leak." The Register: T-Mobile Czech ad man steals, sells, 1.5 million customer records
-http://www.theregister.co.uk/2016/06/20/tmobile_czech_breach/
SC Magazine: 1.5M T-Mobile records likely exposed in Czech Republic
-http://www.scmagazine.com/15m-t-mobile-records-likely-exposed-in-czech-republic/
article/504162/

ZDNet: T-Mobile insider steals customer data to make a quick koruna
-http://www.zdnet.com/article/t-mobile-insider-steals-data-of-over-one-million-cu
stomers-to-make-a-quick-koruna/

Hack the Pentagon Program Will be Expanded (June 20, 2016)

US Defense Secretary Ash Carter has announced the results of the first Hack the Pentagon bug bounty competition. More than 250 participants submitted vulnerability reports, and 138 vulnerabilities were found to be "legitimate, unique, and eligible for a bounty." The pilot program, which ran from April 18 through May 12, involved five public-facing DoD websites; the program will be expanded to cover more systems. Federal News Radio: DoD plans expansion of government's first-ever 'bug bounty'
-http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2016/06/dod-plans
-expansion-governments-first-ever-bug-bounty/

ZDNet: The Department of Defense wants more of you to hack the Pentagon
-http://www.zdnet.com/article/the-department-of-defense-wants-more-of-you-to-hack
-pentagon-systems/

US Department of Defense: Carter Announces 'Hack the Pentagon' Program Results
-http://www.defense.gov/News-Article-View/Article/802828/carter-announces-hack-th
e-pentagon-program-results

Citrix Forces Password Reset Following GoToMyPC Attack (June 19, 2016)

Citrix is making users of its GoToMyPC tool change their password after the service was the target of a "very sophisticated attack." Users will be unable to log in until they reset their password. GoToMyPC is a service that allows users to access their PCs remotely. ZDNet: GoToMyPC resets user accounts amid "very sophisticated password attack"
-http://www.zdnet.com/article/citrix-confirms-gotomypc-hit-by-very-sophisticated-
password-attack/

CNET: Citrix's GoToMyPC user passwords compromised after hack attack
-http://www.cnet.com/news/citrix-gotomypc-user-passwords-hack/
V3: Citrix orders customers to change passwords after GoToMyPC data breach
-http://www.v3.co.uk/v3-uk/news/2462117/citrix-orders-customers-to-change-passwor
ds-after-gotomypc-data-breach

KrebsOnSecurity: Citing Attack, GoToMyPC Resets All Passwords
-http://krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-passwords/
[Editor's Note (Ullrich): A number of sites (for example Github) use publicly available password dumps to verify that users do not share passwords. If a password is found to be re-used, then the account is locked. This comes after password reuse has been found to be a major cause of some recent account compromises in sites like Teamviewer. This is a good step by Citrix and others, and does not imply that Citrix got breached (quite the opposite: They do the right thing proactively).

Tesco Bank App Won't Run on Phones with Tor Installed (June 18, 2016)

UK retailer Tesco's banking app will not run on smartphones that have Tor installed. The app displays a message telling users that the Tor client must be completely removed from the device for the Tesco app to operate; turning it off is not adequate. According to Tesco's website, the issue is security; the app checks for malware and Tor triggers an alert. The Register: Tor torpedoed! Tesco Bank app won't run with privacy tool installed
-http://www.theregister.co.uk/2016/06/18/tor_tesco_bank_app/

RAA Ransomware Coded in JavaScript (June 17 and 20, 2016)

Ransomware known as RAA encrypts files, demands a ransom of US $250, and installs a password-stealing application on infected computers. RAA is written entirely in JavaScript, which could increase the likelihood of infection as JavaScript documents do not always trigger security alerts or require administrator access to run on Windows machines. SC Magazine: New RAA ransomware written in JavaScript discovered
-http://www.scmagazine.com/new-raa-ransomware-written-in-javascript-discovered/ar
ticle/504029/

The Register: Ransomware scum build weapon from JavaScript
-http://www.theregister.co.uk/2016/06/20/ransomware_scum_build_weapon_from_javasc
ript/

BBC: New ransomware strain coded entirely in Javascript
-http://www.bbc.com/news/technology-36575687
[Editor's Note (Murray): It bears repeating that "ransom ware" requires "write" access to the data and the ability to install and execute itself. It follows that there should be a restrictive policy, "white listing," for executing programs, including scripts. ]

[Editor's Note (Northcutt): Consider setting your default browser to Firefox running NoScript. That is a real pain sometimes, but it also means when you first get up and are checking your email before drinking that first cup of coffee you are safe from attacks such as these:
-https://noscript.net/]

Former Cybersecurity Officials Argue for Formalizing Vulnerability Purchase Policy (June 17, 2016)

Two former US government cybersecurity officials have published a paper, Government's Role in Vulnerability Disclosure, in which they express their concern about the FBI having purchased a vulnerability to break into an iPhone. The paper, from Ari Schwartz and Rob Knake, examines the vulnerabilities equities process (VEP), which the US government acknowledged using two years ago. VEP is not a formalized process, an issue the authors find problematic. They say the policy should be formalized and available for public scrutiny and comment. The paper also argues that government agencies should be "prohibited from entering into non-disclosure agreements with vulnerability researcher and resellers." The Register: FBI's iPhone paid-for hack should be barred, say ex-govt officials
-http://www.theregister.co.uk/2016/06/17/fbis_iphone_hack_should_be_barred_says_f
ormer_usg_officials/

Belfer Center (Paper): Government's Role in Vulnerability Disclosure (PDF)
-http://belfercenter.ksg.harvard.edu/files/vulnerability-disclosure-web-final3.pd
f

[Editor's Note (Williams): A more transparent vulnerabilities equities process (VEP) is good for everyone in security. US tax dollars fund the research into vulnerabilities and offensive use will always be at odds with defensive use. Removal of non-disclosure agreements with vulnerabilities brokers will doubtlessly increase prices, but perhaps that's worth it. Without public pressure, the vulnerability equity process will continue to be shrouded in secrecy. If you work in infosec (particularly in the US) read this paper and make your voice heard to your elected officials, many of whom have never even thought of the VEP. ]

INTERNET STORM CENTER TECH CORNER

Avoiding Javascript Malware
-https://isc.sans.edu/forums/diary/Controlling+JavaScript+Malware+Before+it+Runs/
21171/

LogMeIn Joining Other Sites in Proactively Resetting Passwords
-https://blog.logmeininc.com/password-reuse-issue-affecting-logmein-users/

Kaspersky Publishes Details Around Recent Flash Vulnerability
-https://securelist.com/blog/research/75100/operation-daybreak/

CSRF Vulnerability in Democratic Party Donation Platform
-http://rajk.me/actblue/#intro

Fake SWIFT Payment Notices Used in Malicious E-Mail Campaign
-https://isc.sans.edu/forums/diary/Ongoing+Spam+Campaign+Related+to+Swift/21177/

RedHat Fixes Various OpenSSL Integer Overflows
-https://github.com/openssl/openssl/commit/a004e72b95835136d3f1ea90517f706c24c03d
a7

Triada/Horde Mobile Malware Updates
-http://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-
features/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create