
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #42

May 27, 2016

Looking to build your cybersecurity skills? Searching Google to build your hands-on skills can be frustrating. The quality is hit-and-miss, the content is often out of date, and the whole exercise eats up a lot of your valuable time. Visit http://pivotproject.org to find a growing variety of challenges created and curated by like-minded professionals. Like what you see? Learn how you can contribute your own challenges http://pivotproject.org/contribute


CIOs Say Organized Cybercrime is Top Threat to Business Operations
SWIFT Security Plans
Bangladesh Central Bank Investigation Looking at 12 More Banks


US Nuclear Weapons Running on 1970s Computers
FBI Issues Warning About KeySweeper Keystroke Loggers
Medical Devices Could be Used as Point of Entry into Healthcare Networks
ICSA Launches IoT Certification Testing Program
Some Visa Inc.'s Sites Are Vulnerable to 'Forbidden Attack'
Collaborative Project Maps Areas Where Governments Spy on People
Attacks Exploiting Microsoft Office Flaw on Unpatched Systems
US-CERT Warns of Domain Name Collision Flaw
DNS Provider Targeted by DDoS Attack
IETF Publishes RFC for DNS Encryption
Guilty Plea in Celebrity Account Break-ins
Boomers Create Stronger Passwords than Millennials



******************* Sponsored By Bracket Computing ************************

WEBINAR: THE DATA CENTER OF THE FUTURE with Adam Mattina, VP at THE BLACKSTONE GROUP and Tom Gillis, CEO at BRACKET COMPUTING. If you're building your cloud strategy or are already there, join our webinar to learn about the top challenges Wall Street firms are encountering on the cloud - and how F500 security teams are beating them.



--SANSFIRE 2016 | Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center. 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | Five ICS-focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:



CIOs Say Organized Cybercrime is Top Threat to Business Operations (May 25, 2016)

According to the Harvey Nash/KPMG 2016 CIO Survey, one-third of the respondents said they had dealt with a significant IT emergency or a cyberattack over the past two years. CIOs say organized cybercrime is the biggest cyber-threat to their organizations. The report found that 46 percent of CDOs (chief digital officers) report to their organization's CEO, while just 21 percent report to the CIO. And 65 percent of respondents said they believe that a shortage of technical talent will hinder their ability to keep pace with the changing digital landscape. The survey comprises data gathered from 3,352 CIOs and technology leaders in 82 countries.


[Editor's Note (Pescatore): The details of this survey aren't out yet, but I will bet that the vast majority of those "significant IT emergencies and cyberattacks" were enabled by deficiencies in IT operations that were not mitigated by "basic security hygiene." If I ever see one of these Chief Digital Officers, I'd like to see if they are aware of that (after I ask "What does a CDO actually DO?") (Williams): The most interesting takeaway from this survey is that outsourcing is being used to increase skills flexibility, not to save money. Many organizational leaders are afraid to outsource if they are paying more to contractors than they would to internal staff, but that line of thinking is invalid if you don't currently have internal staff with those skills. This is especially true in infosec where we have a huge staffing skills shortage. (Murray): This is all true, by definition. Our ability to exploit technology has always been limited by the available talent. The market tends to compensate for this but it takes time to recognize and respond to market signals. That is why the identification, nurturing, and conservation of talent is an essential management function. It is cheaper to develop and retain than to recruit. (Eubanks): Two takeaways to consider this holiday weekend - If cybercrime is a top threat as this survey indicates, what are you doing to treat it that way in your organization? If we are experiencing a shortage of technical talent, what creative methods are you using to avoid admiring this problem? ]

SWIFT Security Plans (May 24, 2016)

Society for Worldwide Interbank Financial Telecommunication (SWIFT) CEO Gottfried Leibbrandt has revealed details of a strategy to help member banks improve cybersecurity. The five-point plan includes improving information sharing among the global financial community; hardening security requirements for customer-managed software; enhancing guidelines and developing security audit frameworks for customers; supporting increased use of payment pattern controls; and establishing certification requirements for third-party vendors.


SWIFT Press Release:

[Editor's Note (Murray): Over the last few years, we have seen enterprises compromised by their vendors. This is a case where a vendor of an essential service is compromised by its customers. International banking operates on a web of trust as a bank must know its customers, it must know its endorsers and its correspondents. SWIFT plays a major role in enabling banks to recognize one another instantly and across borders. SWIFT must protect this role, for if it breaks down, international trade and commerce will slow. ]

Bangladesh Central Bank Investigation Looking at 12 More Banks (May 26, 2016)

The company investigating the fraudulent transactions at Bangladesh central bank has been contacted by a dozen more banks, all of which use the SWIFT payment communications network that was exploited to steal US $81 million from the Bangladesh bank.


*************************** SPONSORED LINKS ****************************
1) Webcast: A Blueprint to Secure SAP Applications Using CIS Controls As a Guide Thursday, June 2nd, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins and Alex Horan. http://www.sans.org/info/186290

2) Don't Miss: How is User Risk Mitigation achieved? Achieving user risk mitigation-stopping the insider threat Friday, June 10th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Daniel Velez and Dr. Eric Cole. http://www.sans.org/info/186295

3) What types of CYBER THREATS are driving the IT community to take action?? Tell us in SANS Survey http://www.sans.org/info/186300


US Nuclear Weapons Running on 1970s Computers (May 25 and 26, 2016)

According to a US Government Accountability Office (GAO) report titled "Federal Agencies Need to Address Aging Legacy Systems," the Department of Defense's Strategic Automated Command and Control System "runs on an IBM Series/1 Computer - a 1970s computing system - and uses 8-inch floppy disks." One security benefit of this system is that it is not Internet connected. Other issues described in the report include several agencies still running applications written in COBOL, and others running systems written in assembly language.



GAO Report:
[Editor's Note (Honan): Old legacy systems in organisations are not an uncommon occurrence, although still using an IBM PC1 is a new one on me. I know of one client still using a DEC Alpha system as one of their main systems. For various business or application legacy reasons these systems often remain within an organisation. ]

FBI Issues Warning About KeySweeper Keystroke Loggers (May 23, 2016)

The FBI has sent out a Private Industry Notification warning its partners to be on the lookout for KeySweeper devices. KeySweeper appears to be a USB charger, but contains hardware that can log keystrokes from some wireless keyboards.

FBI Private Industry Notification:

[Guest Editor Comment (Joshua Wright): This attack has been known since at least 2010. Wireless keyboard manufacturers did not respond with improved security then, and continue to produce cheap wireless keyboards that don't protect against this attack. I believe this is one of the benefits we get from public disclosure and simple-to-use exploit tools: long outstanding vulnerabilities get widely publicized, prompting industry change. ]

Medical Devices Could be Used as Point of Entry into Healthcare Networks (May 25, 2016)

Lynette Sherrill, the US Department of Veterans Affairs (VA) deputy director of health information security, told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient's treatment. Medical records are a valuable commodity on the data black market, and medical devices are not as readily patched as computers and phones. Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments.

[Editor's Note (Murray): It is fundamental that networks can be compromised by their weakest links: this vulnerability is not unique to medical appliances or healthcare networks. Anytime one attaches an appliance into a network, one has introduced a potential target and increased the attack surface. That is why it is becoming increasingly important that networks be segmented and that mission critical applications use end-to-end encryption. ]

ICSA Launches IoT Certification Testing Program (May 25 and 26, 2016)

ICSA Labs has launched its IoT (Internet of Things) Certification Testing program. The devices that pass muster will receive the ICSA seal of approval. The ICSA program will test both consumer products and enterprise products across six components: alerts and logging; cryptography; authentication; communications; physical security; and platform security. Earlier this year, Underwriters Laboratories launched its Cybersecurity Assurance Program (UL CAP).


[Editor's Note (Pescatore): A big part of making a certification program meaningful is creating recognition of and demand for the certification by buyers of products so that sellers feel they need to get certified. ICSA Labs (a unit of Verizon) does good work in many areas but it is very low visibility in the market. ICSA has had Network Attached Peripheral certification since 2009 but only has two products on their current certified list after 7 years. It will take a big investment by Verizon for this to be meaningful. ]

Some Visa Inc.'s Sites Are Vulnerable to 'Forbidden Attack' (May 26, 2016)

Flaws that could be exploited to launch what has been called the "forbidden attack" were found on close to 200 servers, affecting a number of Visa Inc.'s HTTPS websites. The "forbidden attack" can be exploited to inject JavaScript into web pages. The issue lies in Transport Layer Security (TLS) implementations that reuse cryptographic nonces, which are arbitrary numbers that must be used only once within a cryptographic communication.

Collaborative Project Maps Areas Where Governments Spy on People (May 26, 2016)

The Digital Freedom Alliance has launched a collaborative open source project to map places in the world where governments use malware to conduct surveillance on journalists, activists, lawyers, and NGOs. The project gathers information from a variety of sources and maps the locations, noting the dates, targets, and type of malware used.

Attacks Exploiting Microsoft Office Flaw on Unpatched Systems (May 26, 2016)

Several criminal groups are exploiting a months-old vulnerability in Microsoft Office; a fix for the flaw was released in September 2015. Systems that have not been patched are vulnerable to arbitrary code execution through malicious Encapsulated PostScript (EPS) files.


Microsoft Bulletin (from September 2015):

US-CERT Warns of Domain Name Collision Flaw (May 23 and 25, 2016)

The US Computer Emergency Readiness Team (US-CERT) has issued an alert warning of a domain name collision vulnerability that causes some DNS queries to resolve on public servers instead of private or enterprise servers. The problem arises when DNS queries generated by the Web Proxy Auto-Discovery (WPAD) protocol carry names that fall under newly registered, public generic top-level domains. US-CERT's alert includes recommendations for mitigating the issue.

US-CERT Alert:
[Editor's Note (Williams): This is really less of a domain name collision and more of a symptom of bad network design. New top level domains are exacerbating the number of internal names that can be routed outside the network. Good DNS log auditing (or Bro NSM if you are running older MS DNS servers) will help detect internal names being resolved to external addresses. ]
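The DNS log audit Williams describes, as an added example that is not code from US-CERT or the newsletter: it runs over constructed query records (the log format and the internal zone corp.example are assumptions) and flags WPAD lookups that left the enterprise zone as well as any internal name answered with an address outside RFC 1918 space.

```python
"""Audit DNS query logs for WPAD and internal names resolving to external addresses.

Added example, not code from US-CERT or the newsletter. The log format and the
internal zone list are constructed assumptions; adapt the parser to your resolver.
"""
import ipaddress
from typing import Dict, List, Optional

# Address space an enterprise normally treats as internal: RFC 1918 plus loopback,
# link-local and their IPv6 equivalents. Checked explicitly rather than with
# ipaddress' is_private so that the documentation ranges used in the sample
# (203.0.113.0/24, 198.51.100.0/24) count as external, as a real public address would.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample, one query per line: timestamp client qname qtype answer.
# corp.example is the (assumed) enterprise zone; corp.global and office.network
# are search-list suffixes that collide with publicly delegated gTLDs.
SAMPLE_LOG = """\
2016-05-26T09:00:01 10.1.2.3  wpad.corp.example.       A 10.1.0.20
2016-05-26T09:00:02 10.1.2.3  intranet.corp.example.   A 10.1.0.25
2016-05-26T09:00:05 10.1.2.9  wpad.corp.global.        A 203.0.113.45
2016-05-26T09:00:07 10.1.2.9  www.sans.org.            A 198.51.100.200
2016-05-26T09:00:09 10.1.2.12 wpad.office.network.     A 198.51.100.7
2016-05-26T09:00:11 10.1.2.12 fileserver.corp.example. A 203.0.113.99
2016-05-26T09:00:13 10.1.2.12 wpad.corp.example.       A NXDOMAIN
"""


def is_internal_address(addr: str) -> bool:
    """True if addr falls in a range the enterprise considers internal."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for blank lines and unanswered queries."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    try:
        ipaddress.ip_address(answer)      # NXDOMAIN / SERVFAIL carry no address
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "answer": answer}


def audit(log_text: str, internal_suffixes: List[str]) -> List[Dict[str, object]]:
    """Return one finding per query that leaks WPAD or internal names outside."""
    suffixes = [s.lower().rstrip(".") for s in internal_suffixes]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname, answer = rec["qname"], rec["answer"]
        is_wpad = qname.split(".")[0] == "wpad"
        in_internal_zone = any(qname.endswith("." + s) for s in suffixes)
        external = not is_internal_address(answer)
        reasons = []
        if is_wpad and not in_internal_zone:
            # Search-suffix devolution sent the WPAD lookup into public namespace.
            reasons.append("wpad-query-outside-internal-zones")
        if is_wpad and external:
            reasons.append("wpad-resolved-to-external-address")
        if in_internal_zone and external:
            # An internal hostname was answered from outside the enterprise.
            reasons.append("internal-name-resolved-externally")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["corp.example"]):
        print(f["ts"], f["client"], f["qname"], "->", f["answer"], ", ".join(f["reasons"]))
```

Fed the sample, the audit reports the two WPAD names that escaped corp.example and the internal file server name that resolved to a public address, while the correctly answered and NXDOMAIN queries produce nothing.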

DNS Provider Targeted by DDoS Attack (May 25, 2016)

DNS and traffic management provider NS1 has been the target of a distributed denial-of-service (DDoS) attack for more than a week. What has differentiated this attack is that its source has shifted between botnets in Europe, Russia, China, and the US.

IETF Publishes RFC for DNS Encryption (May 25, 2016)

The Internet Engineering Task Force has released an RFC (request for comments) proposing that DNS requests be encrypted with Transport Layer Security (TLS). DNS requests and responses are often collected by law enforcement because they are classified as metadata.

[Editor's Note (Pescatore): There are a lot of moving parts to DNS, which is one of the reasons why, after fifteen years, less than 15% of Internet nodes are using DNSSEC for DNS integrity, which is actually more important in real world attacks vs. worrying about government monitoring. So, while this is a good idea overall, I'd rather see the energy go to accelerating DNSSEC first, then worry about running DNS over TLS. (Williams): DNS data is tremendously rich as a monitoring resource - and governments know this. Encrypting DNS requests is a step in the right direction for privacy, but will likely result in some very difficult to troubleshoot problems. In a time when we can't even get websites to use SSL properly, I would have a hard time pushing DNS encryption even if it were available today. ]

Guilty Plea in Celebrity Account Break-ins (May 25, 2016)

A Pennsylvania man has pleaded guilty to charges stemming from the theft of private pictures and videos. Ryan Collins used phishing messages to gain access to the Apple and Gmail accounts of celebrities, then stole the content. Collins pleaded guilty to one count of unauthorized access to a protected computer to obtain information, a felony violation of the Computer Fraud and Abuse Act.

DOJ Press Release:

Boomers Create Stronger Passwords than Millennials (May 25, 2016)

A recent report from Gigya says its study shows that Baby Boomers take more care in choosing passwords and are less likely to reuse them than Millennials. The report is titled Death of the Password and frowns upon the use of passwords at all.

[Editor's comment (Northcutt): It is amazing we are still using passwords at all, we knew that was flawed authentication 20 years ago. Google is expected to send a shot across the bow next year by taking the data your cell phone records about you and use that information to compute a "trust score":
(Murray): Strong passwords resist brute force attacks but we need strong authentication to resist "social engineering" and fraudulent credential replay. We now see cheap bot-nets used both to discover credentials and also where they might be reused. Many of the major players, e.g. Amazon, Bank of America, Dropbox, Google, PayPal, Twitter, offer strong authentication options but few promote them as essential and fewer still mandate them. I continue to wonder what portion of users, of whatever generation, employ these options when available. Incidentally, I now receive one-time passwords on my watch, rather than on my mobile, which improves usability considerably. ]
[Guest Editor Comment (Lee Neely, Lawrence Livermore): One of the responses to the report was that Boomers were writing those good passwords on yellow sticky notes attached to the keyboard; the reply that we don't yet have malware that reads those notes reminds us to focus on the right threats. While I don't advocate recording passwords on sticky notes, having a password management system is a key component when using good passwords/passphrases until they can be replaced with better authentication systems. ]


Verisign/US-CERT Warn of the Use of Local TLDs for WPAD

Azure Blacklists Common Password

Google Attempts to Eliminate Passwords

DNS Covert Channel Used in Targeted Attacks

Genius Web Annotation Service Is Removing Security Headers

Canary Tokens For Windows Binaries

Cisco Patches IPv6 ND DoS Vulnerability

Keeping an Eye on Tor Traffic

Next Generation Tor Passed First Test

DDoS Prices Drop

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/