SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #35

May 03, 2016


Threat Information Sharing Will Help Protect Critical Infrastructure
Legislators Seek Social Security Administration Pen Test Results
Samsung SmartThings Vulnerabilities
Proposed Michigan Bills Would Have Car Hackers Face Life in Prison


Windows 10 Summer Update Marks the Beginning of the End for SHA-1 Support
Google Releases May's Android Fixes
NHS to Share 1.6 Million Health Records with Google AI Company
Man Charged in Alleged Theft of Frequent Flyer Miles
Pentagon Bug Bounty Program Underway
Michigan Company Loses US $495,000 to Transfer Fraud
HTTPS Now Available for all Google Blogspot Users
Gozi Malware Creator Sentenced



************************** Sponsored By RSA *****************************

See How Advanced Analytics Helps Unmask Threats. Speed threat detection and response with complete visibility and advanced analytics. Learn more during the RSA Security Analytics demo.
Register now: http://www.sans.org/info/185417



- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!

- --SANS Baltimore Spring 2016 | Baltimore, MD | May 9-14 | 9 courses in IT security, cyber defense, incident handling, security management, and Windows forensics plus multiple SANS@Night talks.

- --SANS Houston 2016 | Houston, TX | May 9-14 | 7 courses including the NEW Network Penetration Testing & Ethical Hacking course.

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!

- --SANSFIRE 2016 | Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center. 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR NetWars, Night Out in Austin!, and @Night talks!

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Prague, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:



Threat Information Sharing Will Help Protect Critical Infrastructure (April 29, 2016)

The Undersecretary of the US Department of Homeland Security's (DHS) National Protection and Programs Directorate told an audience at a conference in Washington, DC last week that cyberthreat information sharing between private companies and government would help reduce cyber risks to critical infrastructure. Suzanne Spaulding also said that within organizations, cybersecurity should not be isolated within the IT department, and that "it has to be part of that broader conversation about functionality within those critical infrastructure sectors."

[Editor's Note (Murray): DHS is learning at great expense what the intelligence community would have told them for free: trust is essential for intelligence sharing; trust is fragile and does not scale. ]

Legislators Seek Social Security Administration Pen Test Results (April 29, 2016)

The chairman and ranking member of the US House Oversight Committee have requested the complete, unredacted results of a penetration test conducted against the systems of the Social Security Administration. The request follows a November 2015 report from the Office of the Inspector General (OIG) regarding SSA's compliance with the Federal Information Security Modernization Act (FISMA), which found that "the weaknesses they identified constituted a significant deficiency in internal controls."

[Editor's Note (Murray): What a great way to discourage penetration testing. ]

Samsung SmartThings Vulnerabilities (May 2, 2016)

Researchers from the University of Michigan have published an "in-depth empirical security analysis" of Samsung's SmartThings smart home platform, which lets people use SmartApps to control all sorts of Internet-connected devices in their home from their smartphone. The researchers found they could trigger false smoke alarms and plant code in digital locks that would allow them access to the house. They noted that SmartApps are capable of gaining privileges they do not need, and that the SmartThings event subsystem offers inadequate protection of events that transmit sensitive data.



Security Analysis of Emerging Smart Home Applications:
[Editor's Note (Liston): I think it's incredibly important to "juxtapose" this article with the next story below about Michigan's Legislature attempting to criminalize exactly this type of research when performed against automobiles. The University of MICHIGAN's research resulted in Samsung taking action that significantly increased the security of their products - a huge win for consumers. ]

Proposed Michigan Bills Would Have Car Hackers Face Life in Prison (May 2, 2016)

State legislators in Michigan have introduced two bills that would impose a life prison sentence for anyone who maliciously accesses automobile computer systems. One of the bills reads, in part, "a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle."


[Editor's Note (Pescatore): On long airline flights I actually read some of these draft bills, great sleep inducement aids... In order to determine punishment, this one seems to attach dollar values to car hacking attempts. That approach invariably fails, but I guess Michigan legislators are using this mainly for publicity value for their car industry anyway. (Honan): Making it illegal to carry out security research on any platform, automobiles or otherwise, will not make those devices any more secure. In most cases it will have the opposite effect. (Williams): Stunt hacking like last year's on-highway disabling of car controls and the public's fear of what they don't understand give rise to bad laws like this one. ]

************************** SPONSORED LINKS ********************************
1) Stay ahead of cybercrime. See how smart business leaders are taking action with LifeLock. http://www.sans.org/info/185422

2) WEBCAST: 5 Ways to Reject Attacker Behavior. May 5th @ 2pm ET. Learn how to harden your systems to stop attackers in their tracks. http://www.sans.org/info/185427

3) LIVE WEBCAST: Next-Gen Now: Outsmarting ransomware, rootkits, and zero-day attacks. Register today! https://attendee.gotowebinar.com/register/2836320359312459524?source=SANS


Windows 10 Summer Update Marks the Beginning of the End for SHA-1 Support (May 2, 2016)

Microsoft plans to release its first major update for Windows 10 this summer. With this update, Microsoft's IE and Edge browsers will stop showing a lock icon when users access websites with SHA-1 certificates. The plan is for the browsers to block sites using SHA-1 certificates as of February 14, 2017. Google and Mozilla also plan to drop SHA-1 support by January 1, 2017, and are considering moving that date up to July 1, 2016.

Microsoft SHA-1 Deprecation Roadmap:
[Editor's Note (Ullrich): Some sites will have to make the tough decision to leave older browsers behind. For most developed-country consumer sites, this will not be a big issue, but for those doing business in developing countries, it may become a problem. For example, Windows XP SP2 does not support SHA-2. Cloudflare, Facebook and Alibaba have been vocal about this issue, and offer a "fallback" technique to offer SHA2 certificates to new browsers, and SHA1 to old browsers. ]
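One way to implement the fallback described above keys off the TLS ClientHello: a client that lists a SHA-2 hash in its signature_algorithms extension is served the SHA-2 chain, while a client that omits the extension (a TLS 1.0 client such as Windows XP's) is served the SHA-1 chain, because RFC 5246 says a missing extension means the client can only verify {sha1, rsa}. The Python below is an added example, not code from the newsletter or from Cloudflare, Facebook or Alibaba; `build_client_hello`, `choose_chain` and the chain labels are assumptions, and the ClientHello records are constructed test input.

```python
import struct

SIGNATURE_ALGORITHMS = 13   # extension type from RFC 5246 section 7.4.1.4.1
SHA2_HASH_IDS = {4, 5, 6}   # HashAlgorithm values for sha256, sha384, sha512


def build_client_hello(version, sig_algs=None):
    """Build a minimal TLS ClientHello record as constructed test input.

    sig_algs is a list of (hash_id, sig_id) pairs, or None to omit the
    signature_algorithms extension entirely, as a TLS 1.0 client does."""
    body = struct.pack(">H", version) + b"\x00" * 32   # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack(">H", 2) + b"\x00\x2f"           # one cipher suite
    body += b"\x01\x00"                                  # null compression only
    if sig_algs is not None:
        algs = b"".join(bytes([h, s]) for h, s in sig_algs)
        ext_data = struct.pack(">H", len(algs)) + algs
        ext = struct.pack(">HH", SIGNATURE_ALGORITHMS, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext        # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_signature_algorithms(record):
    """Return the (hash_id, sig_id) pairs a ClientHello advertises, or None
    when the record carries no signature_algorithms extension."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                             # client_version, random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos >= len(body):
        return None                                          # no extensions at all
    ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SIGNATURE_ALGORITHMS:
            n = struct.unpack(">H", data[:2])[0]
            return [(data[i], data[i + 1]) for i in range(2, 2 + n, 2)]
        pos += 4 + elen
    return None


def choose_chain(record):
    """Select which certificate chain to serve (labels are placeholders).

    A missing extension means the client can only verify {sha1, rsa}
    (RFC 5246), so it gets the SHA-1 chain; TLS 1.3 clients also list
    schemes such as 0x0401 whose first byte is a SHA-2 HashAlgorithm id."""
    algs = parse_signature_algorithms(record)
    if algs and any(h in SHA2_HASH_IDS for h, _ in algs):
        return "sha2-chain"
    return "sha1-chain"


if __name__ == "__main__":
    xp_style = build_client_hello(0x0301)                     # TLS 1.0, no extension
    modern = build_client_hello(0x0303, [(4, 1), (5, 1), (2, 1)])
    print(choose_chain(xp_style), choose_chain(modern))      # sha1-chain sha2-chain
```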

Google Releases May's Android Fixes (May 2, 2016)

On Monday, May 2, Google released its monthly security update for Android. This batch of patches addresses 40 vulnerabilities. Google has pushed the fixes out to Nexus devices, and the firmware images have been released to the Google Developer site. Partners were notified of the issues on or before April 4.

[Editor's Note (Williams): Just because Google is releasing patches for Nexus, don't expect them for your other branded phone. Unfortunately, carriers are often lax to build and push patches, leaving their customers vulnerable. ]

NHS to Share 1.6 Million Health Records with Google AI Company (April 29 and May 2, 2016)

Google's artificial intelligence company DeepMind has struck a deal with the UK's NHS to access healthcare data of 1.6 million people. The agreement allows DeepMind access to current and historical data for patients at three London hospitals to develop an app to help monitor patients with kidney disease. The access granted in the agreement covers all health data, not just kidney disease data.




Man Charged in Alleged Theft of Frequent Flyer Miles (April 30 & May 2, 2016)

A former Florida International University student has been charged with 19 felony counts for allegedly stealing US $260,000 worth of frequent flyer miles. Authorities allege that Milad Avazdavani broke into American Airlines AAdvantage accounts to steal the miles, and allegedly used them to take trips.

[Editor's Note (Ullrich): This has been an ongoing issue, and many airlines have increased their requirements to log in to frequent flyer accounts over the last years. It used to be that a 4-digit numeric PIN was sufficient. Also note that many boarding passes display frequent flyer numbers, which are often used as the user ID to identify to the airline's website, or used to authenticate phone transactions. ]

Pentagon Bug Bounty Program Underway (May 1, 2016)

More than 500 people are already participating in the Pentagon's first bug bounty program. The "Hack the Pentagon" program started on April 18 and will end on May 12. The US Department of Defense (DoD) has set aside US $150,000 to pay for the flaws found.

[Editor's Note (Pescatore): I mentioned last week that well-managed bug bounty programs are showing very positive ROI compared to traditional consulting services. A secondary effect: professional application vulnerability testers should raise the bar and update the quality of their services to deal with this new competition. Too many cookie-cutter, low value application security engagements have enabled well-managed bug bounty programs to easily show higher value. ]

Michigan Company Loses US $495,000 to Transfer Fraud (May 3 and 5, 2016)

A Troy, Michigan investment company recently lost US $495,000 to email fraud. An employee at Pomeroy Investment Corp. received an email that appeared to be from another employee, directing them to transfer the funds to a bank in Hong Kong. The company did not realize that the transfer request was fraudulent until days later.


[Editor's Note (Ullrich): This is a pretty modest sum compared to other business e-mail compromises. In particular, if your business uses web-based / cloud-based email systems like Office365, simple phishing is usually used to obtain email credentials, and these services should be used only with two factor authentication. ]

Apple Updates Xcode Development Tool (May 5, 2016)

Apple has updated its Xcode git implementation to address a pair of critical flaws that could be exploited to allow remote code execution. The update for OS X El Capitan v10.11 and later is Xcode version 7.3.1.

[Editor's Note (Ullrich): Very much overdue. This vulnerability has been known for several months. Apple keeps delaying these updates to open source software it includes. ]

Microsoft Security Intelligence Report Includes Cloud Data (May 5, 2016)

According to Microsoft's most recent Security Intelligence Report, cybercriminals are becoming faster and more efficient at launching attacks. However, the number of ways they use to compromise computers has not grown much. The report, which covers the second half of the 2015 calendar year, also notes that "high severity vulnerability disclosures were up more than 40%." This iteration of the report marks the first time Microsoft has incorporated security data from its cloud services.



Microsoft Security Intelligence Report:
[Editor's Note (Pescatore): I've been reading Microsoft's SIR reports for close to 10 years now and there is always great data, once you get past the increasing amount of "Here's how Microsoft software (and now cloud services) protects you against attacks against vulnerabilities in Microsoft software..." Two consistent observations I make: (1) For the past several years, the most commonly exploited Windows vulnerabilities have had patches that came out in 2009 and 2010, pointing out old versions of IE still in use and/or just really, really bad patching; and (2) if Windows had an App Store or Google Play-like mechanism built in like the iOS and Android whitelist feature, most of the data would go away because 99% of the malware wouldn't have had any impact. (Murray): No new attack vectors are needed. As long as "Social Engineering," bait attacks, particularly "phishing," continue to work so well, no new methods are needed. It used to be that bait appealed to the "Seven Deadly Sins," but curiosity and familiarity seem to work even better. That said, yesterday I got an e-mail that combined curiosity with fear of the IRS. ]

OpenSSL Update Fixes Six Security Issues (May 3 and 5, 2016)

The OpenSSL project has released an update that patches six vulnerabilities in the open-source cryptographic library. Two of the flaws are rated critical; one could be exploited to decrypt login credentials, the other to execute malicious code. The updated versions of OpenSSL are 1.0.1t and 1.0.2h.

[Editor's Note (Murray): "Open Source" is failing to produce the improvement in quality promised by its proponents. Developers continue to incorporate code without inspecting it or determining its quality or suitability for their application. In complex areas like cryptography or even mathematical functions, they may not be competent to judge. We need research into and documentation of "strength of (software engineering) materials." ]

Locky Command-and-Control Server Breached (May 5, 2016)

Someone gained access to a command and control (C&C) server for Locky ransomware and exchanged the malicious payload for a benign file that displays the message, "Stupid Locky." Earlier this year, a Dridex C&C server was similarly compromised.

[Editor's Note (Honan): While some may welcome this type of "vigilante" approach, we need to be wary that C&C servers can hold very valuable intel and information for Law Enforcement Agencies. Compromising such systems could in turn compromise potential evidence that LEA may require to charge a suspect or such a compromise could disrupt a LEA led operation against those behind the C&C. ]

HTTPS Now Available for all Google Blogspot Users (May 4, 2016)

All blogs hosted on Google's blogspot.com can now be accessed over an HTTPS connection. Google began offering users the HTTPS option in September, and recently made an HTTPS version of the blogs available to all users, who may choose to have readers redirected to the HTTPS version automatically.



Gozi Malware Creator Sentenced (May 4, 2016)

Nikita Kuzmin, the man who is believed to be the developer behind the Gozi malware, has been sentenced to time served, 37 months, and ordered to pay nearly US $7 million in damages. Gozi spread through maliciously crafted .pdf documents that arrived as email attachments. Gozi harvested online bank account access credentials. One other person associated with Gozi has been sentenced, and another has been arrested in Romania and is awaiting extradition to the US.



ATM Jackpotting: Analysis of ATM APIs

Reverse Engineering An ATM Machine Skimmer

Bathroom Scale Vulnerability

Fake Mobile Payment Apps in Google Play Store

Fake Google Chrome Update Installs Malware on Android

Pwned List Got Pwned

Alphalocker: Affordable Ransom Ware

JAKU Botnet

Juniper Update

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/