OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #53

July 05, 2016


DHS Secretary Pushes Critical Infrastructure Cyber Reorganization Plan
DoJ Official Says Cooperation Could Help Thwart Ransomware
FOIA Improvement Act Becomes Law


Vulnerabilities in Siemens SICAM PAS
Lenovo ThinkPad Firmware Exploit
Qualcomm Processor Flaw Affects Android Phone Encryption
LizardStresser Botnet
Two-Hour Cyberattack Turnaround for Clearinghouses and Payment Systems
SQLite Patch
Satana Ransomware Encrypts Master Boot Record



******************** Sponsored By Cisco Systems *************************

Who's lurking on your network? Several high-profile data breaches reminded us that devastating attacks don't always involve scheming criminals and sophisticated malware. Sometimes it's your own employees or trusted vendors exposing confidential data - whether they mean to or not. Download "Combating the Insider Threat," an e-book from Lancope, now part of Cisco



--SANS London Summer 2016| London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016

--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016

--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016



DHS Secretary Pushes Critical Infrastructure Cyber Reorganization Plan (June 30 and July 1, 2016)

US Department of Homeland Security (DHS) Secretary Jeh Johnson told the Senate Judiciary Committee that he has "asked Congress to authorize the establishment of a new operational Component within DHS, the Cyber and Infrastructure Protection Agency." The new agency would replace the National Protection and Programs Directorate.

[Editor Comments ]
(Paller): This is DHS's most important cyber mission - the only one where DHS's continuing failure to lead places the nation at risk. DHS's own data shows that, on average, power companies do not discover they have been penetrated for 15 months - enough time for attackers to burrow deep and establish pathways for disrupting and destroying massive generators in case hostilities break out or a non-state actor just decides to cause havoc. DHS has not done well because the skills of the managers and staff are a mismatch for the challenges of industrial control system security. Reorganizing won't help; that's just rearranging chairs on the Titanic. If the Secretary believes the problem is real, he needs an outside oversight board of technical and management wizards who know how those attacks are carried out -- that he charges with questioning strategies and forcing rapid skills improvement for employees and contractors.
Read more in: The Hill: DHS head pushes cyber reorganization

FCW: Johnson: Biometric exit moving ahead
US Senate Judiciary: Oversight of the Department of Homeland Security

DHS: Written testimony of DHS Secretary Jeh Johnson

DoJ Official Says Cooperation Could Help Thwart Ransomware (June 28, 2016)

Speaking at the Center for Strategic and International Studies (CSIS), assistant US attorney general for national security John Carlin said that improved communication between law enforcement and companies could help thwart ransomware attacks. Carlin said, "As long as people are handling
[ransomware attacks ]
on their own and making payments, we're funding the development of more of these tools and more of these actors."

[Editor Comments ]
(Ullrich): People pay for ransomware for the same reason that they pay ransom in kidnappings: They don't believe law enforcement is efficient in countering the threat fast enough. In order for law enforcement to become relevant to ransomware victims, law enforcement would need to take an active role in helping victims restore operations. For example, law enforcement (e.g DoJ or DHS) would have to assist in the development of decryption tools for various ransomware strains.
(Honan): Ransomware can be prevented by following many simple security principles. The fact that it is so widespread highlights how we have failed as an industry to promote good security hygiene amongst businesses and individuals.
Read more in: FCW: To fight ransomware, DOJ wants companies to talk more

FOIA Improvement Act Becomes Law (June 30 and July 1, 2016)

President Obama has signed the Freedom of Information Act (FOIA) Improvement Act into law. It "codifies a statutory presumption of openness," clarifying the need for agencies to justify their decision to withhold information rather than placing the burden of justification on the entity making the request. The bill also places a 25-year limit on the length of time agencies may keep internal deliberations confidential, and it requires the Office of Management and Budget (OMB) to create a single-access website for making FOIA requests.

[Editor Comments ]
(Pescatore): FOIA is about 50 years old now and it was one of the early examples that proved "security through obscurity doesn't work." For the actual sensitive stuff, just saying "we won't mention it" never works - and in the long run it doesn't work for the weak and squishy and embarrassing stuff, either. Over 100 years ago Supreme Court Justice Louis Brandeis said "Sunlight is said to be the best of disinfectants; electric light the most efficient policeman" - of course, now we know that ultraviolet light and other new technologies are even *better* but the principle still holds.
Read more in: SC Magazine: Obama signs FOIA reform bill into law
Federal News Radio: Obama celebrates 50th anniversary of FOIA by signing update into law

White House: Fact Sheet: New Steps Toward Ensuring Openness and Transparency in Government

*************************** SPONSORED LINKS *****************************
1) SANS 2016 Financial Security Survey - Help SANS determine strengths and weaknesses in financial info systems. http://www.sans.org/info/186957

2) Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! http://www.sans.org/info/186962

3) Case Study: How a Managed Bug Bounty Program Enabled Faster Software Vulnerability Discovery and Mitigation at Aruba Solutions. Thursday, July 14, 2016 at 11:00am (EDT/US Eastern) with John Pescatore, Leif Dreizler and Jon Green. http://www.sans.org/info/186967


Vulnerabilities in Siemens SICAM PAS (July 5, 2016)

The US Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an advisory warning regarding a pair of vulnerabilities in Siemens's SICAM Power Automation System substation control software. According to a Siemens advisory, a fix is currently available for one of the two flaws; a fix for the second is in development.

[Editor Comments ]
(Murray): Most vulnerabilities have "work-arounds." Vendors and others need to be identifying and publishing these while awaiting "patches."
Read more in: The Register: Vuln drains energy sector control kit
ICS-CERT Advisory: Advisory (ICSA-16-182-02) Siemens SICAM PAS Vulnerabilities
Siemens Advisory: SSA-444217: Information Disclosure Vulnerabilities in SICAM PAS

Lenovo ThinkPad Firmware Exploit (July 3 and 4, 2016)

A privilege elevation vulnerability in a Unified Extensible Firmware Interface (UEFI) could be exploited to disable firmware write protection on Lenovo ThinkPads. The issue may affect other devices as well, because the problem lies in code that came from Intel. The ThinkPwn exploit takes advantage of a driver that could allow "execution of code in system management mode (SMM) ... with local administrative access." Lenovo is working on a fix.

[Editor Comments ]
(Ullrisch): This vulnerability very likely affects systems well beyond ThinkPad's and Lenovo. The code in question was derived from Intel's sample code, and the company that wrote this part of the BIOS (not Lenovo) likely delivered the same code to other OEMs as well. Watch for firmware updates and apply them soon. This vulnerability would allow an attacker to gain persistent access to a compromised system by overwriting the firmware.
(Williams): Lenovo is relying on code written by another organization, but it suffering all of the bad PR. You can delegate authority but never responsibility.
Read more in: Computerworld: Firmware exploit can defeat new Windows security features on Lenovo ThinkPads

The Register: Lenovo scrambling to get a fix for BIOS vuln

Lenovo Advisory: System Management Mode (SMM) BIOS Vulnerability

Qualcomm Processor Flaw Affects Android Phone Encryption (July 1 and 4, 2016)

A flaw affecting some Qualcomm Snapdragon processors in Android phones could be exploited to break full disk encryption. The problem lies in a flaw in the TrustZone within the Qualcomm processor's kernel. The problems were patched in January and May of this year, but not all Android devices have received the update.
Read more in: Ars Technica: Android's full-disk encryption just got much weaker-here's why

SC Magazine: Kernel vulnerability in Qualcomm processors weakens Android phone encryption

CIO: Android full disk encryption can be brute-forced on Qualcomm-based devices

LizardStresser Botnet (June 30 and July 2, 2016)

The LizardStresser botnet has been used to launch 400Gbps distributed denial-of-service (DDoS) attacks against websites using bandwidth of compromised Internet of Things (IoT) devices. The number of LizardStresser command-and-control servers has grown recently, likely because the botnet source code was made public last year.

[Editor Comments ]
(Honan and Murray): We are going to see a significant increase in insecure devices on the Internet thanks to the Internet of Things. In the rush to get products to market many vendors are overlooking simple and basic security principles. This will be further compounded when these devices need to have a security update applied as many consumers won't have the skills or the inclination to do so. The answer to this does not rely on the consumer having to learn how to secure their devices but on responsibility and liability for insecure devices being placed squarely on the shoulders of the vendors.
Read more in: eWeek: LizardStresser Botnet Launches 400G-bps Attack on IoT Devices

ZDNet: LizardStresser botnet targets IoT devices to launch 400Gbps attacks

Two-Hour Cyberattack Turnaround for Clearinghouses and Payment Systems (June 29, 2016)

The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commission (Iscso) have published cyber resilience guidelines for the world's financial market infrastructures. The guidelines require that by June 2017, payment systems and financial clearinghouses establish plans for restoring core operations from cyberattacks within two hours.

[Editor Comments ]
(Honan): Anyone responsible for high availability systems and/or networks should read the IOSCO Guidance on Financial Resilience for Financial Market Infrastructures as many of the principles outlined are applicable across various industries and not just financial clearing systems.

Additional excellent resources on the ENISA website at
(Northcutt): The "two hours" is significant because it appears to be the only hard and fast metric in the document. Most of the recommendations are cast as "should" and "may" and that means you can't reliably reach the requirement of a two-hour return to operations.
(Ullrich): This goal sounds very ambitious. A rushed restoration plan could in some cases lead to incomplete containment of the threat and lead to further service interruption.
(Pescatore): The IOSCO guidance report is pretty much YALLOSTTD - Yet Another Long List of Security Things to Do, layered across the usual Protect/Detect/Respond timeline. The 2-hour goal for restoration is a good thing - whether 2 hours is too long/too short isn't as important as at least having a measurable and consistent metric on that. They should have agreed on a similar number for Time to Detect, which is one of the biggest drivers in Time to Restore.
(Williams): Cost and time to recover from an incident is directly proportional to the time that an attacker is allowed to dwell in the network before detection. Organizations should focus first on detection since recovery only begins after detection occurs.
Read more in: The New York Times: Clearing Houses Must Be Able to Recover From Hacking in Two Hours

IOSCO: Press Release
IOSCO: Guidance on Financial Resilience for Financial Market Infrastructures

SQLite Patch (July 4, 2016)

Open source database project SQLite has released a security update to fix a problem in the way it creates tempfiles. Because the tempfiles are created in a directory with incorrect permissions, SQLite libraries could leak data and behave in other unsafe ways.

[Editor Comments ]
(Williams): Although SQLite is used and embedded in many applications, this vulnerability is unlikely to be exploited in any practical setting. The vulnerability is only exploitable when none of /tmp, /var/tmp, and /usr/tmp are set to have read, write, and execute permissions (a non-default configuration). Even then, exploitation is complex.
Read more in: The Register: SQLite developers need to push the patch

SQLite: SQLite Release 3.13.0 On 2016-05-18

Satana Ransomware Encrypts Master Boot Record (June 29 and July 1, 2016)

Ransomware known as Satana encrypts not only user files, but also the computer's master boot record (MBR), which makes it impossible to load the operating system. According to Malwarebytes, Satana is still under development. It is the second known strain of ransomware that targets MBRs; the first was Petya, which was detected in March.

[Editor Comments ]
Read more in: Computerworld: Satana ransomware encrypts user files and master boot record

Malwarebytes Blog: Satana ransomware - threat coming soon?


Change in patterns for the pseudoDarkleech Campaign

Thinkpad SMS Arbitrary Code Execution Exploit

SQLLite Temp File Vulnerability

AVG Publishes Mulit-Ransomware Decryption Tool

Euro 2016 App Leaks User's Data

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create