
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #43

May 31, 2016

TOP OF THE NEWS

EU Data Protection Supervisor Rejects Privacy Shield Agreement
SWIFT Security Enhancements
Fourth Bank Targeted by SWIFT Fraud
ICS-CERT Warns of Unpatchable SCADA Flaw

THE REST OF THE WEEK'S NEWS

Iran Orders Messaging Apps to Move Data to Iranian Servers
Jail Time for Bitcoin Botnet Thief
Chrome 51 Moved to Stable Channel
Hardcoded Credential Flaw in Patient Care App
Proposed Senate Bill Requiring Backdoors in Encryption Appears to be Dead
Bill Would Put FAA in Charge of Industry Threat Information Sharing for Aviation Industry
JavaScript Spam Spreading Locky
DOD is Creating an Insider Threat Database
Google May Call Out Companies for Android Update Delays
FACC Fires CEO After Breach

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Trend Micro Inc. ********************

Learn the latest trends with crypto-ransomware by watching this Trend Micro webinar featuring Ed Cabrera, former CISO of US Secret Service, and Jon Clay sharing their insights and information on how best to protect your organization from this threat.
http://www.sans.org/info/186302

***************************************************************************

TRAINING UPDATE

--SANSFIRE 2016 | Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center. 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2j

--Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

EU Data Protection Supervisor Rejects Privacy Shield Agreement (May 30, 2016)

The European Union Data Protection Supervisor has rejected the EU-US Privacy Shield Agreement, saying that it "is not robust enough to withstand future legal scrutiny." Privacy Shield was drafted to replace the Safe Harbor pact, which was ruled invalid last year.
-http://www.bbc.com/news/technology-36414264
[Editor's Note (Honan): Another alternative to Safe Harbor is Model Contracts, which are now also being challenged on the grounds of their legality.
-http://techcrunch.com/2016/05/25/more-uncertainty-over-eu-us-data-flows-as-irish-dpa-warns-on-legality-of-model-contract-clauses/

These two issues could have big implications for US companies wishing to do business in Europe because, without a suitable replacement for Safe Harbor, it will become illegal for European companies to export personal data to the US. (Murray): The EU repudiated the Safe Harbor agreement because a court found that it did not provide EU citizens with the redress for compromise of privacy that they would have in Europe. While this negotiation has been going on, the US Congress passed the Computer Information Sharing Act (CISA), which further reduced the accountability available, even to citizens of the US, for deliberate compromises of their privacy. Little wonder that the Europeans are unhappy. This is a win for the individual citizen in Europe but a big blow to American enterprises, who will now have to both change the way that they do business and change their terms of service. ]

SWIFT Security Enhancements (May 28, 2016)

SWIFT has released some details of its plan to enhance security. The organization says it will expand the use of two-factor authentication for funds transfers and "will also increase remote monitoring capabilities of customer environments."
-http://www.theregister.co.uk/2016/05/28/swift_finally_pushes_twofactor_auth/
[Editor's Note (Ullrich): SWIFT for the longest time relied on "security through obscurity". The recent breaches showed that there are people familiar with the current procedures willing to use their knowledge against the system. Two-factor authentication seems like a reasonable "new step". As usual, two-factor authentication is seen as too inconvenient and expensive until after the breach happens. ]

Fourth Bank Targeted by SWIFT Fraud (May 27, 2016)

A SWIFT transfer fraud attack against a bank in the Philippines last fall appears to be the work of the same group of criminals that targeted banks in Bangladesh, Vietnam and Ecuador. The Philippines bank attack, conducted in October 2015, predates the attack against the bank in Vietnam by two months. The Bangladesh attack occurred in February 2016.
-http://www.theregister.co.uk/2016/05/27/fourth_bank_hit_by_swift_hackers/

ICS-CERT Warns of Unpatchable SCADA Flaw (May 30, 2016)

The Industrial Control Systems Computer Emergency Management Team (ICS-CERT) has released an advisory warning of two vulnerabilities in the Environmental Systems Corporation 8832 Data Controller. Users are urged to upgrade their devices because the 8832 lacks sufficient memory for firmware updates.
-http://www.zdnet.com/article/thousands-of-web-connected-industrial-systems-can-be-remotely-hacked-yet-wont-be-patched/
-http://www.itwire.com/business-it-news/security/73090-a-scada-system-that-cannot-be-patched.html
-http://news.softpedia.com/news/cert-warns-companies-about-the-unupgradeable-esc-8832-scada-system-504649.shtml
-https://ics-cert.us-cert.gov/advisories/ICSA-16-147-01
[Editor's Note (Honan): Patching and updating ICS systems and also Internet of Things (IoT) devices will present many challenges as by their nature these devices "lacks sufficient memory for firmware updates". We will end up with a very insecure Internet over the coming years and decades if security is not built into these devices from the very beginning. ]


*************************** SPONSORED LINKS ****************************
1) Stay ahead of cybercrime. See how smart business leaders are taking action with LifeLock. http://www.sans.org/info/186307

2) The Case for PIM/PAM in Today's Infosec. Tuesday, June 14th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins and Ken Ammon. http://www.sans.org/info/186312

3) What types of CYBER THREATS are driving the IT community to take action? Tell us in the SANS Survey http://www.sans.org/info/186317
***************************************************************************

THE REST OF THE WEEK'S NEWS

Iran Orders Messaging Apps to Move Data to Iranian Servers (May 30, 2016)

Iran's Supreme Council of Cyberspace has ordered foreign messaging apps holding data about Iranian citizens to transfer the information to servers within that country. The companies have one year to comply with the order.
-http://www.cnet.com/news/iran-orders-messaging-apps-to-store-data-in-iran/
-http://www.computerworld.com/article/3076151/security/iran-orders-messaging-apps-to-store-data-of-in-country-users.html

Jail Time for Bitcoin Botnet Thief (May 25 and 30, 2016)

Rory Stephen Guidry has been sentenced to 366 days in prison for trying to sell a botnet and for stealing US $80,000 in bitcoins. Guidry's sentence is for one count of obtaining information by computer from a protected computer.
-http://www.theregister.co.uk/2016/05/30/darkode_bitcoin_bot_bandit_gets_year_and_a_day_in_us_cooler/
-https://www.justice.gov/usao-wdla/pr/opelousas-man-sentenced-year-prison-role-major-computer-hacking-forum

Chrome 51 Moved to Stable Channel (May 25, 26, 29 and 30, 2016)

Google has updated Chrome to version 51 for Windows, Mac OS X, and GNU/Linux to address a total of 42 vulnerabilities, 23 of which earned bug bounties totaling more than US $65,000. In addition to the security fixes, Chrome 51 offers new features, including the Credential Management API to simplify website logins, and an off-screen rendering feature that claims to reduce power consumption by up to 30 percent when displaying certain websites.
-http://www.zdnet.com/article/googles-chrome-51-less-battery-drain-from-video-simpler-site-logins-plus-42-bug-fixes/
-http://news.softpedia.com/news/google-chrome-51-hits-the-stable-channel-improves-the-website-login-experience-504490.shtml
-http://www.theregister.co.uk/2016/05/30/google_pays_65k_to_shutter_23_chrome_bugs/
-http://www.scmagazine.com/chrome-51-serves-up-42-security-fixes-65k-in-bug-bounties/article/499519/

Hardcoded Credential Flaw in Patient Care App (May 26, 27 and 30, 2016)

The US Computer Emergency Readiness Team (US-CERT) has issued a warning regarding an app used by medical professionals to manage patient care prior to surgery. The MEDHOST Perioperative Information Management System (PIMS), which can be remotely hosted and managed, contains hardcoded admin credentials. The flaw affects versions of PIMS older than 2015R1. The flaw was disclosed earlier this year and the company has issued a fix.
-http://www.theregister.co.uk/2016/05/30/cert_warns_of_hardcoded_creds_in_medical_app/
-http://www.zdnet.com/article/widely-used-clinical-service-found-to-include-hidden-backdoor-account/

-https://www.kb.cert.org/vuls/id/482135
[Editor's Note (Murray): Some of these instances of hard coded backdoors result from a failure to remove testing scaffolding prior to shipment. However, many result from a developer's fear of surrendering control. Taken across all products, and even across known breaches, they represent a serious and systemic vulnerability. ]

Proposed Senate Bill Requiring Backdoors in Encryption Appears to be Dead (May 27 and 29, 2016)

A proposed anti-encryption bill has stalled in the US Senate. The draft legislation would have required that encryption be breakable so investigators could access communications. The bill lacked White House support, and the intelligence community was reportedly "ambivalent" because the law could have impeded its own encryption efforts.
-http://www.reuters.com/article/usa-encryption-legislation-idUSL2N18O0BM
-http://www.theregister.co.uk/2016/05/27/backdoor_bill_dead/
-http://www.cnet.com/news/push-for-encryption-back-doors-looks-dead-in-the-water/
-http://www.computerworld.com/article/3075549/security/senate-proposal-to-require-encryption-workarounds-may-be-dead.html
-http://www.zdnet.com/article/senate-bill-that-would-outlaw-encryption-and-break-the-internet-is-dead/

[Editor's Note (Honan): Last week the European Union Agency for Network and Information Security (ENISA) and Europol issued a joint statement on lawful criminal investigation that respects 21st Century data protection.
-https://www.enisa.europa.eu/news/enisa-news/enisa-europol-issue-joint-statement]

Bill Would Put FAA in Charge of Industry Threat Information Sharing for Aviation Industry (May 27, 2016)

A bill in the US Senate would require the Federal Aviation Administration (FAA) "to establish comprehensive cybersecurity standards" and would require that airlines report all attempted cyberattacks to the FAA. The bill is currently in committee.
-http://federalnewsradio.com/legislation/2016/05/senate-bills-tasks-faa-oversee-sharing-cyber-threat-information/

[Editor's Note (Murray): The FAA is already the exemplar of effective and efficient intelligence sharing. It has only taken them seventy-five years to create a program, a network, and a culture that DHS, CIA, and NSA can only envy. However good a job these agencies may do of collecting intelligence, they do not do nearly so good a job of getting the intelligence to the right customer on a timely basis as the FAA. (Pescatore): In April 2015, a GAO report said the FAA still has "significant security control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system." I'd rather see the FAA incentivized to focus first on getting to basic security hygiene on this end of the problem vs. get distracted with more threat sharing initiatives. ]

JavaScript Spam Spreading Locky (May 27, 2016)

A spam campaign targeting users in Europe, the US, and Canada is being used to spread Locky ransomware through malicious JavaScript attachments. The downloader, JS/Danger.ScriptAttachment, has been used to deliver other malware in the past.
-http://www.computerworld.com/article/3075771/security/new-javascript-spam-wave-distributes-locky-ransomware.html

[Editor's Note (Murray): Enterprises and individuals should be "white listing" scripts, and indeed applications, at both the network and desktop layers. That said, this restrictive policy is still rare and the default permissive policy is widely exploited by attackers and implicated in breaches. ]

DOD is Creating an Insider Threat Database (May 27, 2016)

The US Defense Department (DOD) is creating a system that contains information about national security personnel and other people with security clearances to help identify potential insider threats. The DOD Component Insider Threat Records System was created in response to the Pfc. Chelsea Manning data leaks that occurred in 2010.
-http://www.nextgov.com/defense/2016/05/pentagon-building-massive-hub-insider-threat-data/128645/?oref=ng-HPtopstory

Google May Call Out Companies for Android Update Delays (May 25, 2016)

Last summer, Google began releasing monthly security updates for its Android mobile operating system. However, the company is growing frustrated with the fragmentation created by phone makers' and carriers' erratic adoption of Android updates. Google keeps a list that ranks phone makers based on how up-to-date their operating systems are. Customers are voicing their concerns, too: a consumer group in the Netherlands sued Samsung earlier this year for not updating devices.
-http://www.bloomberg.com/news/articles/2016-05-25/google-steps-up-pressure-on-partners-tardy-in-updating-android

[Editor's Note (Pescatore): There is definitely room for the carriers and phone manufacturers to patch faster but there is also a lot of room for Google to make Android patches less disruptive - particularly by reducing Android complexity, jamming fewer apps into the OS, etc. Google seems to be making some steps in this direction. Google could also ramp up the patching pressure as part of vendors getting licensed to use Google Mobile Services. These are areas where big gains could be made but Android market share might be impacted. ]

FACC Fires CEO After Breach (May 25, 2016)

The CEO of Austrian aerospace parts manufacturer FACC was fired following a cyberfraud scheme that cost the company 42 million euros (US $46.8 million). The scheme involved a phony email from someone who pretended to be the CEO instructing an employee to make a funds transfer. The board decided to fire the CEO, determining that he had "severely violated his duties." FACC fired its chief financial officer earlier this year, shortly after the incident.
-http://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF

INTERNET STORM CENTER TECH CORNER

Analysis of a Distributed Denial of Service Attack
-https://isc.sans.edu/forums/diary/Analysis+of+a+Distributed+Denial+of+Service+DDoS/21109/

Bluecoat CA
-http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

Google Requires Symantec CAs to Comply With Certificate Transparency
-https://cabforum.org/pipermail/public/2016-May/007573.html

PA DSS Update
-https://www.pcisecuritystandards.org/document_library

JetPack WordPress Plugin XSS Vulnerabilities
-https://jetpack.com/2016/05/27/jetpack-4-0-3-critical-security-update/

Tor Browser Fingerprinting Site
-https://tor.triop.se

Anti-Pastejacking Browser Plugin
-https://github.com/rocketshipapps/hardenedpaste


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/