3 Days Left to Save $400 on SANSFIRE 2017

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #6

January 22, 2016


Update: The PIVOT project, providing free realistic, hands-on exercises
for aspiring cyber pros, got more than 2,000 visitors in its first 7
days. Many were not members of college cyber clubs and asked if they
could still use the exercises and win the Amazon gift certificates. The
answer is yes and the updated information is in the last news item of
this newsletter and also at http://pivotproject.org.
Alan

TOP OF THE NEWS

Ukrainian Power Plants Targeted in Another Round of Attacks
Ukraine Power Plant Attack
Shares of Boeing Supplier FACC AG Drop After Cyberattack
Safe Harbor Deadline Looming

THE REST OF THE WEEK'S NEWS

Oracle Patches 248 Flaws, Urges Customers to Apply Updates "Without Delay"
Symantec Finds a RAT
Dridex Now Targeting UK Bank Accounts
Cisco Updates
NSA Director: "Encryption is Foundational to the Future"
FOIA Request Yields Documentation of Vulnerabilities Equities Process
Apple Releases Updates for OS X, iOS, and Safari
Intel Issues Update to Fix Driver Flaw
Linux Kernel Flaw

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


************************* Sponsored By Splunk **************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 4 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Ukrainian Power Plants Targeted in Another Round of Attacks (January 20 and 21, 2016)

Ukrainian power plants are coming under attack again, this time from malware that is based on a freely-available open-source backdoor - something no one would expect from an alleged state-sponsored malware operator," according to ESET. The malware attempted to gain initial purchase in the systems through a malicious XLS file in spearphishing email messages.
-http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-indust
ry/

-http://www.theregister.co.uk/2016/01/21/ukraine_energy_utilities_attacked_again_
with_open_source_trojan_backdoor/

-http://www.scmagazine.com/new-wave-of-attacks-on-ukrainian-power-plants/article/
466473/

-http://thehill.com/policy/cybersecurity/266603-security-researcher-ukraine-power
-grid-facing-new-wave-of-cyberattacks

Ukraine Power Plant Attack (January 20, 2016)

Kim Zetter's comprehensive article presents "everything we know about Ukraine's power plant hack" and answers questions the incident raises. The article also addresses what is still not known about the attack.
-http://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/

Shares of Boeing Supplier FACC AG Drop After Cyberattack (January 20, 2016)

After the financial accounting department of Austria's FACC AG was hit with cyberfraud, company's stock value dropped more than 15 percent. The company is a supplier of parts for Boeing and Airbus. FACC estimated the loss at 50 million euros (US $54 million).
-http://www.bloomberg.com/news/articles/2016-01-20/cyberattack-sends-shares-of-ae
rospace-supplier-facc-19-lower

-http://www.facc.com/en/News/News-Press/EANS-Adhoc-FACC-AG-UPDATE-FACC-AG-Cyber-F
raud

[Editor's Comment (Northcutt): This may be the only way to get the boardroom's attention. Enough FACC AGs, TalkTalks and Targets and this will add up to real money:
-http://www.telegraph.co.uk/technology/internet-security/11951797/TalkTalk-share-
prices-drop-almost-11pc-as-Metropolitan-Police-investigation-continues.html

-http://www.wsj.com/articles/SB10001424052702304255604579406694182132568]

Safe Harbor Deadline Looming (January 20 and 21, 2016)

Privacy regulators in the European Union (EU) may restrict US/EU data transfers unless negotiators reach a deal that satisfies EU data security and privacy concerns by January 31, 2016. Late last year, the European Court of Justice invalidated a Safe Harbor agreement between the US and EU due to concerns about US surveillance practices. The decision about whether to restrict data transfers will be made at a February 2, 2016 plenary meeting of the Article 29 Working Party
-http://thehill.com/policy/cybersecurity/266572-eu-regulators-could-freeze-safe-h
arbor-alternatives

-http://www.csmonitor.com/World/Passcode/2016/0120/What-the-end-of-Safe-Harbor-me
ans-for-the-digital-economy

-http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKCN0UY2Y7
[Editor's Note (Murray): The Safe Harbor agreement was invalidated because it left the citizen whose privacy was violated "no recourse," such as is provided to him under European law. He probably would not even have the recourse that an American citizen would have, a right to sue. Americans have not been very successful in suing because of the difficulty of showing damage. No such showing is required for resource under European law. It seems unlikely that we will grant a remedy to European citizens a remedy that is not available to our own. (Liston): The biggest sticking point in the negotiations around this deadline comes down to a fundamental difference in the level of "damage" that must shown in order organizations to be liable for information disclosures. I sincerely doubt the US will bow to pressure to lower the "damage bar" for lawsuits from the EU. ]


************************** SPONSORED LINKS ********************************
1) Why You Need Application Security. Thursday, January 28, 2016 at 1:00 PM EST (18:00:00 UTC) with Johannes B. Ullrich, Ph.D. and Joseph Feiman. http://www.sans.org/info/182952

2) Is Active Breach Detection the Next-Generation Security Technology? Thursday, March 10, 2016 at 1:00 PM EST (18:00:00 UTC). Join Dave Shackleford and Paul Kraus to explore this relevant topic. http://www.sans.org/info/182957

3) What are the most useful APPSEC processes/tools for your org? Take Survey - Enter to Win $400 Amazon Card http://www.sans.org/info/182962
***************************************************************************

THE REST OF THE WEEK'S NEWS

Oracle Patches 248 Flaws, Urges Customers to Apply Updates "Without Delay" (January 20, 2016)

Oracle's first quarterly security update for 2016 addresses nearly 250 issues in more than 50 products. The release was accompanied by a warning from Oracle that some vulnerabilities for which the company had already issued fixes have been exploited, suggesting that updates had not been installed. "Oracle strongly recommends that customers remain on actively-supported versions and apply critical patch update fixes without delay."
-http://www.theregister.co.uk/2016/01/20/oracle_q1_2016_patch_release/
-http://www.computerworld.com/article/3024288/security/oracle-releases-a-record-2
48-patches.html

-http://www.scmagazine.com/oracle-patches-248-bugs/article/466355/
-http://www.v3.co.uk/v3-uk/news/2442619/oracle-unleashes-248-security-updates-in-
first-patch-release-of-2016

-http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
[Editor's Note (Ullrich): If you are overwhelmed by Oracle's quarterly critical patch update, remember that you probably only run a small number of the products being patched. Start with the Java update if you are still using Java as this is probably the widest deployed Oracle software and the one most likely going to be attacked. (Pescatore): Having patches come out quarterly seems so outdated, but most enterprises still can't QA, release and install patches to data center systems even that fast. This is an area where using cloud-based Infrastructure-as-a-Service offerings, to have a full production environment that can be spun up to QA the patches more quickly and switch over more quickly, has become a best of breed approach. (Liston): Oracle's patch cycle is pretty well broken. Oracle rolls out these crazily complex bulk-patches quarterly, IT departments pull their hair out trying to apply them without breaking mission-critical applications (and all too often fail), and pre-patching mitigations are often so onerous as to be useless. The entire process needs to be overhauled. ]

Symantec Finds a RAT (January 21, 2016)

Symantec has issued a warning about a remote access Trojan (RAT) that is targeting small and mid-sized businesses (SMBs) in India, the UK, and the US. This particular variant uses the Backdoor.Breut and Trojan.Nancrat RAT tools; it has been active since early last year. The malware is spreading through phishing emails. No zero-days are being used in the attack, to systems that are up to date on patches should be protected.
-http://www.eweek.com/security/symantec-finds-a-rat-going-after-u.s.-uk-and-india
-smbs.html

Dridex Now Targeting UK Bank Accounts (January 21, 2016)

According to the IBM X-Force research team, the Dridex Trojan horse program is being used in attacks against banks in the UK. The latest iteration of Dridex, v.3.161, was detected on January 6, 2016. The malware has been used to steal as much as GBP 20 million (US $28.4 million) over the past few years. Dridex spreads through phishing emails.
-http://www.v3.co.uk/v3-uk/news/2442758/dridex-trojan-targeting-uk-banks-with-dyr
e-like-redirection-techniques

-http://www.zdnet.com/article/dridex-trojan-targets-uk-banksdridex-trojan-targets
-uk-banks-avoids-2fa-checks/

Cisco Updates (January 21, 2016)

Cisco has issued updates for several of its products to address flaws that could be exploited to compromise vulnerable systems. Cisco Modular Encoding Platform D9036 has been updates to version 02.04.70 to fix a flaw that could be exploited to gain root access. Cisco Unified Computing System Manager has been updated to versions 2.2(4b), 2.2(5a), and 3.0(2e). Cisco Firepower 9000 has been updated to version 1.1.2. Both sets of updates address a CGI script that allows shell command execution and can be accessed without authentication.
-http://www.computerworld.com/article/3025344/security/cisco-fixes-critical-flaws
-in-digital-encoder-unified-computing-manager-and-security-appliance.html

-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160120-d9036

-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160120-ucsm

NSA Director: "Encryption is Foundational to the Future" (January 21, 2016)

US National Security Agency (NSA) director Admiral Michael Rogers told an audience at the Atlantic Council, "Encryption is foundational to the future," and that trying to get rid of it is "a waste of time." Rogers spoke to the seemingly opposed "Imperatives" of security and privacy, noting that both need to be met. At the same event, Rogers said that US Cyber Command is starting to mature and is developing "tangible" offensive and defensive capabilities.
-http://thehill.com/policy/cybersecurity/266624-nsa-chief-encryption-is-foundatio
nal-to-the-future

-https://fcw.com/articles/2016/01/21/rogers-nsa-lyngaas.aspx
-http://www.nbcnews.com/tech/security/nsa-chief-mike-rogers-encryption-foundation
al-future-n501391

[Editor's Note (Murray): This discussion can be found at
-http://www.atlanticcouncil.org/events/webcasts/us-cybercom-and-the-nsa-a-strateg
ic-look-with-adm-michael-s-rogersa

and I recommend it to you. (Must watch for policy makers.) The context and audience are almost as important as what Rodgers said. Rodgers understands the principal of proportionality and the distinction between what is legal and what is good policy, but the law is his compass. ]

FOIA Request Yields Documentation of Vulnerabilities Equities Process (January 21, 2016)

The Electronic Frontier Foundation (EFF) has obtained documents through a Freedom of Information Act (FOIA) request that describe the government's process for deciding whether a software vulnerability should be disclosed to manufacturers and/or the public, of if it should be withheld for use by intelligence and law enforcement operations.
-http://www.scmagazine.com/vep-documents-describes-govt-process-for-determining-z
ero-day-exploitation/article/466646/

-https://www.eff.org/document/vulnerabilities-equities-process-january-2016

Apple Releases Updates for OS X, iOS, and Safari (January 20, 2015)

Apple has issued updates for iOS, OS X, and Safari. The most current versions of the operating systems are now OS X 10.11.3 and iOS 9.2.1; the most current version of Safar is 9.0.3. The OS X and iOS updates each address nine security issues; the Safari update addresses six flaws.
-http://www.scmagazine.com/apple-updates-ios-os-x-and-safari/article/466312/
-http://arstechnica.com/security/2016/01/ios-cookie-theft-bug-allowed-hackers-to-
impersonate-users/

-http://www.zdnet.com/article/apple-fixes-iphone-cookie-theft-security-bug-three-
years-later/

-http://www.zdnet.com/article/apple-updates-os-x-ios-9-with-security-fixes/
-http://www.eweek.com/security/apple-issues-first-os-x-ios-security-updates-for-2
016.html

-http://techcrunch.com/2016/01/20/apple-releases-ios-and-os-x-updates-with-bug-fi
xes-and-performance-improvements/?ncid=tcdaily#.hahog3:IENF

[Editor's Note (Ullrich): One of the more "interesting" flaws fixed in this update allowed Safari cookies to leak when the user connected to a WiFi network. OS X's "Captive Portal Assistant" will display web pages that are returned by wireless networks to request the user to log in. The captive portal assistant shared a cookie store with Safari which allowed cookies to leak if the captive portal played man-in-the-middle. ]

Intel Issues Update to Fix Driver Flaw (January 20, 2016)

Intel has released a software update for its Intel Drive Update Utility to fix a vulnerability that could be exploited to install malware. The issue lies in the way the tool requests new drivers from Intel. Versions 2.0 through 2.3 of the utility check the servers over an unencrypted connection. Version 2.4 communicates with Inter servers over a secure SSL connection.
-http://www.zdnet.com/article/major-security-flaw-patched-in-intel-driver-softwar
e/

-https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00048&langu
ageid=en-fr

Linux Kernel Flaw (January 19,20, and 21 2016)

Google has developed a fix for Android devices to address a flaw in the Linux kernel. The vulnerability has been present for nearly three years. The issue is in the kernel's keyring facility and could be exploited to gain root privileges on vulnerable systems.
-http://www.computerworld.com/article/3025292/security/google-creates-fix-for-zer
o-day-kernel-flaw-says-effect-on-android-is-exaggerated.html

-http://www.computerworld.com/article/3024254/security/linux-kernel-flaw-endanger
s-millions-of-pcs-servers-and-android-devices.html

-http://www.v3.co.uk/v3-uk/news/2442582/linux-kernal-zero-day-flaw-puts-tens-of-m
illions-of-pcs-servers-and-android-devices-at-risk

-http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions-of-p
cs-servers-and-android-phones/

-http://www.zdnet.com/article/new-zero-day-flaw-hits-millions-of-linux-servers-al
so-affects-most-android-devices/

-http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kerne
l-vulnerability-cve-2016-0728/

- PIVOT Enables Collegiate Cyber Clubs To Advance Hands On Skills (January 12, 2016)

The PIVOT project for collegiate cyber clubs launched today. If you have tried to hire cybersecurity people with solid hands-on skills you know how hard that is. Club programs are effective when they have regular meetings where participants learn about a tool or technique and then have an hour or more of hands-on exercise. Putting together weekly programs like that was very challenging for most schools until the PIVOT project was launched. PIVOT is a growing collection of short briefings with fun and challenging on-line or downloadable exercises that have been gathered and curated by BSides, several colleges, CounterHack Challenges, SANS, and with a little financial help from NSF. The PIVOT exercises are available free to collegiate clubs throughout the U.S., and today PIVOT launched a contest with substantial Amazon gift certificates as prizes, for ANYONE who completes at least ONE exercise (each additional entry gets you an extra chance to win the Amazon gift certificates) in the current collection and provides feedback within 33 days.

STORM CENTER TECH CORNER

HTTPS Request in Powershell With Invalid Server Certificates
-https://isc.sans.edu/forums/diary/Powershell+and+HTTPS+It+Aint+All+Rainbows+And+
Lollipops+or+is+it/20627/

FDA Publishes Draft Directive For Comment
-http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm

The Risk Of Temporary Files
-https://isc.sans.edu/forums/diary/tmp+TEMP+Desktop+T+A+goldmine+for+pentesters/2
0631/

"Hot Potato" Tool Simplifies Windows Priviledge Escalation Attacks
-https://github.com/foxglovesec/Potato

cPanel Update Fixes Critical Vulnerabilities
-https://news.cpanel.com/wp-content/uploads/2016/01/TSR-2016-0001-Announcement.tx
t

Current "Worst Password" List Same as Old
-http://www.prweb.com/releases/worst/passwords/prweb13170789.htm

Exploit Attempts for Fortigate Backdoor
-https://isc.sans.edu/forums/diary/Scanning+for+Fortinet+ssh+backdoor/20635/

AMX/HARMAN Video Conferencing Backdoor
-http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html

Details About iOS Shared Cookie Vulnerablity
-https://www.skycure.com/blog/shared-cookie-stores-bug-fixed-in-ios-9-2-1/

Erasing Modern Drives
-http://www.zdnet.com/article/how-to-really-erase-any-drive-even-ssds-in-2016


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at Dark Matter, a security consulting firm in the UAE. He is also a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/