SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #22

March 18, 2016

TOP OF THE NEWS

Malvertising Campaign Hits Major Media Sites
Cybercriminals Stealing Code-Signing Certificates
Keystroke Logger Malware Targets Businesses
Pescatore First Look: Sowing Security Actually Matters

THE REST OF THE WEEK'S NEWS

Limiting Use of Encryption is Futile
Proton Mail Out of Beta
vRealize Patches for Cross-Site Scripting (XSS) Issues
Coding Bootcamps May Not Deliver on Promises
American Express Discloses Breach
Suspect Will Plead Guilty in iCloud Account Theft
Ransomware Used Backdoored Encryption
AceDeceiver Trojan Targets iOS Devices

STORM CENTER TECH CORNER

*************** Sponsored By Blue Coat Systems, Inc. *****************

What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance. Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. Learn how a system integrator tasked with increasing their ability to inspect encrypted traffic selected the Blue Coat SSL Visibility Appliance.
http://www.sans.org/info/184322

***************************************************************************

TRAINING UPDATE

--SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

--SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

--SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

--SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

--Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

--SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

--SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

--SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Canberra, Copenhagen, Prague and Houston all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Malvertising Campaign Hits Major Media Sites (March 15 and 16, 2016)

Malicious advertisements were recently detected on several major news and entertainment sites, including the BBC, the New York Times, Newsweek, and MSN. The malicious advertisements tried to infect site visitors' computers with ransomware.
-http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html
-http://www.bbc.com/news/technology-35821276
-http://www.cnet.com/news/new-york-times-bbc-dangerous-ads-ransomware-malvertising/
-http://www.scmagazine.com/new-york-times-bbc-and-newsweek-dish-up-malvertising/article/483473/
-http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
-http://www.zdnet.com/article/malvertising-campaign-strikes-top-websites-worldwide/
-https://blog.malwarebytes.org/malvertising-2/2016/03/large-angler-malvertising-campaign-hits-top-publishers/

[Editor's Note (Murray): A recent article from MIT Technology Review (https://www.technologyreview.com/s/601057/are-ad-blockers-needed-to-stay-safe-online/) suggests that ads are a major vector for contaminating systems and that "adblockers" are an essential security mechanism. ]

Cybercriminals Stealing Code-Signing Certificates (March 16, 2016)

Cyberespionage groups are stealing digital code-signing certificates to help their malware appear to be legitimate software. One of those groups, known as the Suckfly APT group, has been launching attacks against businesses and government organizations with certificates stolen from companies in South Korea.
-http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
-http://www.computerworld.com/article/3044728/security/cyberespionage-groups-are-stealing-digital-certificates-to-sign-malware.html
-http://www.scmagazine.com/suckfly-in-the-ointment-chinese-apt-group-steals-code-signing-certificates/article/483480/
-http://arstechnica.com/security/2016/03/to-bypass-code-signing-checks-malware-gang-steals-lots-of-certificates/

[Editor's Note (Murray): We sign with private keys, not certificates; certificates bind the key to the identity of the signer. Signing keys should not be stored online. (Williams): This was seen previously in Stuxnet and other nation-state attacks, but may be extending to commodity malware as attackers strive to win the arms race against antivirus detection. I recommend that organizations with code signing certificates migrate to extended validation code signing certificates that live on external USB tokens. These tokens will not export the certificates, meaning that only those with the token can sign code. While attackers could steal the token, the theft is much easier to detect than with a software-based certificate. ]

Keystroke Logger Malware Targets Businesses (March 17, 2016)

Malware with keystroke-logging capability has infected businesses in 18 countries. The malware also gathers information about the targeted computer's configuration with the goal of identifying users who are responsible for conducting financial transactions.
-http://www.computerworld.com/article/3045540/security/keylogger-hijacks-key-business-email-accounts.html

Pescatore First Look: Sowing Security Actually Matters

Here in the Washington DC area, the General Manager of the Washington Metro (subway) system, Paul J. Wiedefeld, made the difficult and disruptive decision to shut the entire system down all day Wednesday, after an early morning fire in track jumper cables convinced him that a previous inspection for vulnerabilities in those cables must have missed some cables in dangerous condition. During the shutdown, inspectors identified 26 areas where electrical cables or the boots that connect them to the third rails were damaged or frayed, three of which Wiedefeld called "show stoppers" that would have caused a shutdown of train service in those areas if discovered in the course of routine inspections.

************************** SPONSORED LINKS ********************************
1) Mobile Data Loss - Threats & Countermeasures. Thursday, March 24, 2016 at 1:00 PM EDT (17:00:00 UTC) with Michael Raggo. http://www.sans.org/info/184327

2) Evolving from cyber Gatherers to cyber Hunters - Darwin was wrong about APTs Tuesday, March 29, 2016 at 1:00 PM EDT (17:00:00 UTC) with Darren Anstee and John Pescatore. http://www.sans.org/info/184332

3) 2016 SANS Cyber Insurance Survey. How do YOU define RISK?? Take Survey Here: http://www.sans.org/info/184337
***************************************************************************

THE REST OF THE WEEK'S NEWS

Proton Mail Out of Beta (March 17, 2016)

ProtonMail, which offers encrypted email, is out of beta and is offering open registration. There are free apps in Google Play and the iOS App Store. When ProtonMail launched in 2014, accounts were in such high demand, that when sign-ups exceeded 10,000 a day, ProtonMail moved to an invitation only model. The beta program has more than one million users.
-http://www.zdnet.com/article/encrypted-email-service-protonmail-comes-out-of-beta-unveils-ios-and-android-apps/
-http://www.theregister.co.uk/2016/03/17/protonmail_launches_open_registrations_ahead_of_snoopers_charter/

[Editor's Note (Honan): The move out of Beta for Proton Mail highlights two very important issues. The first is that there is a large demand by people to have the ability to communicate in a secure and private manner. The second shows that governments looking to put backdoors in secure products and services will only impact those services and products within their own countries; there will always be viable alternatives available in other countries. ]

vRealize Patches for Cross-Site Scripting (XSS) Issues (March 17, 2016)

VMware has released an advisory to fix two vulnerabilities in its vRealize software. The flaws could be exploited through cross-site scripting (XSS) attacks to allow remote code execution. The issue affects VMware's vRealize Automation 6.x older than 6.2.4, and vRealize Business Advanced and Enterprise 8.x older than 8.2.5.
-http://www.zdnet.com/article/vmware-patches-severe-xss-flaws-in-vrealize-software/
-http://www.vmware.com/security/advisories/VMSA-2016-0003.html?ClickID=cxsvspxv4weqlnp4snea7qlnqz74fsznfnea

Coding Bootcamps May Not Deliver on Promises (March 17, 2016)

Coding bootcamps have become popular over the past several years. These programs promise to teach people how to be coders and suggest that they are the path to a steady job with a good salary. The time frame is short: most bootcamps run from three to six months. However, companies seeking to hire capable coders are finding that those who have attended bootcamp do not meet their hiring needs. Four-year computer science programs offer far greater depth and breadth for students, increasing the likelihood that they will be suited for jobs in the industry when they graduate.
-https://www.washingtonpost.com/news/the-switch/wp/2016/03/17/why-students-are-throwing-tons-of-money-at-a-program-that-wont-give-them-a-college-degree/

[Editor's Note (Murray): On the other hand, CS programs are not doing a good job of teaching secure coding. As a developer, I preferred to train my own. (Honan): As with quality, there are no shortcuts to good security. ]

American Express Discloses Breach (March 17, 2016)

American Express has acknowledged that some cardholder account information was compromised in a breach. The breach reportedly occurred through a merchant's system in December 2013. American Express reported the incident to the California Attorney General on March 10, 2016.
-http://www.theregister.co.uk/2016/03/17/american_express_cardholder_data_breach/
-http://www.scmagazine.com/update-amex-warns-of-breach-cardholders-should-protect-data/article/483764/

[Editor's Note (Murray): I wish that American Express offered me a strong authentication option; I continue to do business with them because I see all transactions in my account as they take place. This is a very powerful detective control, and I would have to reconcile these transactions in any case. However, I am a "belt and suspenders" man; I would like to have a preventative control as well as a detective one. ]

Suspect Will Plead Guilty in iCloud Account Theft (March 15 and 16, 2016)

The US Justice Department (DoJ) has charged Ryan Collins with felony violation of the Computer Fraud and Abuse Act for launching a phishing campaign for iCloud account information, which he allegedly used to obtain celebrities' personal photographs. Collins has agreed to plead guilty to a felony violation of the Computer Fraud and Abuse Act.
-http://www.eweek.com/security/department-of-justice-charges-apple-icloud-hacker.html
-https://www.washingtonpost.com/news/morning-mix/wp/2016/03/16/feds-finally-charge-man-who-stole-nude-photos-of-celebrities-in-2014/
-https://www.justice.gov/usao-cdca/pr/pennsylvania-man-charged-hacking-apple-and-google-e-mail-accounts-belonging-more-100

Ransomware Used Backdoored Encryption (March 16, 2016)

A ransomware creator made the mistake of using encryption code developed by someone who deliberately left a backdoor in the code. When the developer learned that his code was being used in ransomware, he used the backdoor to find the decryption keys, which he has made available.
-http://www.theregister.co.uk/2016/03/16/locky_ransomware_undone_for_now/
-https://www.grahamcluley.com/2016/03/ransomware-author-decryption-keys/

[Editor's Note (Williams): There's a cautionary tale here for organizations that incorporate open source code into their own projects. While I love open source code, I don't just integrate it into my own projects without testing and vetting. In this case, it's very easy to laugh at the victim (since they are predators themselves). But if the headline were "backdoored encryption code library used in banking application" our response would be very different. Vigorous code auditing standards should be adopted and followed prior to including external libraries in your own projects. (Honan): A good example to the various governments looking for backdoors into encryption as to why it is such a bad idea. ]

AceDeceiver Trojan Targets iOS Devices (March 16, 2016)

Malware that targets devices running Apple's iOS mobile operating system is capable of infecting devices that are not jailbroken, without users' knowledge. Known as AceDeceiver, the Trojan horse program exploits weaknesses in Apple's digital rights management (DRM) system.
-http://www.theregister.co.uk/2016/03/16/acedeceiver_ios_malware/
-http://www.computerworld.com/article/3045081/security/attackers-exploit-apple-drm-weakness-to-infect-non-jailbroken-ios-devices.html
-http://www.cnet.com/news/apple-mobile-devices-under-threat-from-new-acedeceiver-malware/
-http://www.zdnet.com/article/ios-malware-acedeceiver-can-infect-non-jailbroken-apple-devices/
-http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

Limiting Use of Encryption is Futile (March 15, 2016)

The US government's push to weaken encryption is unlikely to have any effect on terrorists or on anyone determined enough to look outside US borders for products that take privacy seriously. Any US mandate regarding encryption will apply only to products made domestically.
-https://www.washingtonpost.com/news/the-switch/wp/2016/03/15/why-the-government-cant-actually-stop-terrorists-from-using-encryption/

In a report published in February, "A Worldwide Survey of Encryption Products," Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar concluded, "It is easy to purchase products, especially software products, that are sold anywhere in the world from everywhere in the world. Encryption products come from all over the world. Any national law mandating encryption backdoors will overwhelmingly affect the innocent users of those products. Smart criminals and terrorists will easily be able to switch to more-secure alternatives."
-https://www.schneier.com/cryptography/archives/2016/02/a_worldwide_survey_o.html

[Editor's Note (Pescatore): Even former Director of NSA Gen. Michael Hayden has come around to this reality. From as far back as the prohibition era where moonshiners souped up their cars to be faster than law enforcement, every technology will get used by both the good guys and the bad guys. Part, not all, of the reason it is still so hard for businesses to persistently encrypt data is that export controls in the 1990s set progress back for the good guys a decade or more. ]

STORM CENTER TECH CORNER

Webassembly Starts to Get Real
-https://hacks.mozilla.org/2016/03/a-webassembly-milestone/

OTP Port Knocking Implementation
-https://github.com/64b2b6d12b/otpknock

Obfuscating Malicious Code With XOR
-http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html

Snapdragon SoC Security Vulnerability
-http://blog.trendmicro.com/trendlabs-security-intelligence/android-vulnerabilities-allow-easy-root-access/

Git Client and Server Heap Overflow
-http://www.openwall.com/lists/oss-security/2016/03/15/5

Google Publishing HTTPS Statistics
-https://security.googleblog.com/2016/03/securing-web-together_15.html

Flash, Safari, Chrome fall on Day 1 of Pwn2Own
-http://blog.trendmicro.com/pwn2own-day-1-recap/

Update for Symantec Endpoint Protection
-http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00

Symantec To Offer Free SSL Certificates
-https://www.symantec.com/about/newsroom/press-releases/2016/symantec_0315_01

Analyzing HTTPS Encrypted Traffic
-http://arxiv.org/abs/1603.04865

Optus Netgear CG3000v2 Cable Modem Password Reset Vulnerability
-http://seclists.org/fulldisclosure/2016/Mar/48

Keyless Entry Systems in Cars Vulnerable to "Relay Attack"
-http://www.heise.de/security/meldung/ADAC-Viele-aktuelle-Pkw-Modelle-ueber-Funk-knackbar-3140796.html
(Germany only)

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/