
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #57

July 19, 2016


Ponemon Study: Companies Lack Resources to Spot Cyberattacks
Critical Infrastructure Control Systems Need Hardening
UK Rail Cyberattacks


Ammyy Admin Watering Hole Attack
HTTPoxy Man in the Middle and Denial of Service Vulnerability
Ubuntu Forums Breach
Delilah Malware
Former Baseball Scout Gets Prison Time for Unauthorized Computer Access
ICO Offers Guidance for General Data Protection Regulation Compliance
Android Trojan Blocks Calls to Banks
Cisco Releases Fixes for Flaws in Several Products
Legislators Want Celestial Navigation for All US Navy Personnel



************************* Sponsored By Sophos **************************

NEW Whitepaper - Keeping threats away from your network is a critical first line of defense. A sandbox automatically isolates files to determine if they're safe, providing an instant additional layer of detection and protection. Find out why conventional defenses don't protect you from APTs and how sandboxing can help. Learn More:



--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016

--SANS Boston 2016 | Boston, MA | August 1-6 | https://www.sans.org/event/boston-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-201

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-201

--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016



Ponemon Study: Companies Lack Resources to Spot Cyberattacks (July 18, 2016)

According to a report from the Ponemon Institute, nearly 80 percent of businesses say they do not have sufficient infrastructure or personnel to monitor their networks for and defend their networks against cyberattacks. Only 17 percent say they have established formal, company-wide intelligence gathering processes.

[Editor Comments]

[Assante]
The reason stated is a lack of risk understanding and technically skilled staff required to anticipate and monitor for cyber threats. You can obtain the required knowledge and train the team you have to support these activities.
Read more in:
ZDNet: Most companies still can't spot incoming cyberattacks

Critical Infrastructure Control Systems Need Hardening (July 18, 2016)

German law enforcement officials investigated control systems at several critical infrastructure organizations in Europe, as well as an apartment building in Israel. They were able to access control systems at a district heating organization in Rome, heat and power plants in Germany and Austria, and a luxury apartment building with smart technology in Israel, at which they were able to disable elevators and alarms, and take control of air conditioning units.
Read more in:
SC Magazine UK: Critical infrastructure in Europe exposed to hackers

UK Rail Cyberattacks (July 12 and 15, 2016)

The UK's railway network was targeted in four cyberattacks over the past year, according to Darktrace, the company responsible for defending a large portion of that network. The intruders did not attempt to cause disruptions; instead, they appear to have conducted network surveillance.

[Editor Comments]

[Assante]
A great deal of recent research provides a map of critical operational systems and necessary functions for reliable and safe rail operations. Focused access efforts and broad discovery attempts are more than concerning as they point well beyond criminal cyber activity and demonstrate that some actors are comfortable with the risk of intruding upon a lifeline civilian infrastructure.
Read more in:
Telegraph: UK rail network hit by multiple cyber attacks last year

The Week: Cyber attacks on UK railways pose 'real disaster' risk

SC Magazine UK: UK rail network suffers four cyber-attacks in past 12 months

*************************** SPONSORED LINKS *****************************
1) Don't let a security breach harm customer trust. Learn how to protect your relationships with LifeLock. http://www.sans.org/info/187310

2) Don't Miss: What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon. Thursday, July 28th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187315

3) "Illuminate Your Network with Security Analytics." Thursday, July 28th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Andrew Wild. http://www.sans.org/info/187320


Ammyy Admin Watering Hole Attack (July 18, 2016)

A group intent on spreading malware managed to hide it inside a legitimate remote-administration tool that lets users access their computers remotely. The group, known as Lurk, altered the installer for Ammyy Admin so that it installed the malware along with the tool when users downloaded it.

[Editor Comments]

[Williams]
If organizations would start requiring installation packages to be signed, this attack vector would be all but dead. Ammyy Admin has a reputation as being good to use for free one-time remote access support and attackers know that we'll cut corners on security to save a few dollars. A little security due diligence here will go a long way.
Read more in:
Ars Technica: Criminals plant banking malware where victims least expect it

HTTPoxy Man in the Middle and Denial of Service Vulnerability (July 18, 2016)

Researchers released details of a vulnerability dubbed HTTPoxy that allows man-in-the-middle and denial-of-service attacks against some applications that make outbound HTTP requests. The vulnerability stems from the inappropriate handling of the non-standard HTTP request header "Proxy": the header's value is copied into the HTTP_PROXY environment variable and then reused as the outbound proxy setting without being checked (a classic case of trusting untrusted input). System owners are encouraged to block the Proxy header at a reverse proxy and/or update server configurations to ignore the Proxy header and not store it in the HTTP_PROXY environment variable.
More information can be found here:




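As an added illustration (not part of the newsletter or of the httpoxy advisory), the snippet below shows why a client-supplied "Proxy" header ends up in HTTP_PROXY and demonstrates two defensive checks: dropping the header before the CGI mapping (the server-side fix the item recommends) and, going one step beyond the item, having client code ignore HTTP_PROXY whenever it runs under a CGI gateway. The request headers and hostnames are constructed sample values.

```python
"""Added example, not from the newsletter: the CGI header-to-environment
mapping behind HTTPoxy, plus two defender-side mitigations.
All request headers and hostnames below are constructed sample data."""

# A request as a CGI gateway would receive it (constructed sample).
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.47",
    "Proxy": "http://attacker.invalid:8080",   # client-chosen, untrusted
}


def cgi_environ(headers, method="GET"):
    """Vulnerable behaviour: the CGI specification (RFC 3875) maps every
    request header to HTTP_<NAME>, upper-cased with hyphens turned into
    underscores.  A request header named 'Proxy' therefore lands in
    HTTP_PROXY, which many HTTP client libraries read as the outbound
    proxy to use."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def hardened_cgi_environ(headers, method="GET"):
    """Mitigation 1 (gateway side): strip the Proxy header before the
    mapping runs.  This is the effect of the 'ignore the Proxy header'
    reverse-proxy / server-configuration fix described above."""
    safe = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_environ(safe, method)


def outbound_proxy(env):
    """Mitigation 2 (client-library side, an assumption beyond the item):
    honour HTTP_PROXY only outside a CGI context.  A CGI gateway always
    sets REQUEST_METHOD and an interactive shell never does, so its
    presence means HTTP_PROXY may be attacker-controlled."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    vulnerable = cgi_environ(SAMPLE_HEADERS)
    print("vulnerable gateway sets HTTP_PROXY =", vulnerable.get("HTTP_PROXY"))
    print("hardened gateway sets HTTP_PROXY =",
          hardened_cgi_environ(SAMPLE_HEADERS).get("HTTP_PROXY"))
    print("client under CGI uses proxy:", outbound_proxy(vulnerable))
    print("client in a shell uses proxy:",
          outbound_proxy({"HTTP_PROXY": "http://proxy.corp.test:3128"}))
```

Checking whether an application's environment already contains HTTP_PROXY alongside REQUEST_METHOD is a quick way to confirm a gateway is still forwarding the header.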
Ubuntu Forums Breach (July 18, 2016)

A security breach of the Ubuntu Forums website resulted in the theft of two million users' email addresses. The attackers used a SQL injection attack to exploit a flaw in the vBulletin Forumrunner add-on. The vulnerability was known, but Canonical had not yet applied the fix. Canonical took down the compromised database and is rebuilding hosting servers from scratch to eliminate any lingering malicious code. They have also installed the most current version of vBulletin, installed a Web application firewall, and reset all usernames and passwords.
Read more in:
Computerworld: Ubuntu Forums database breached

eWeek: The Hacking of Ubuntu Linux Forums: Lessons Learned

Ubuntu: Notice of security breach on Ubuntu Forums

Delilah Malware (July 18, 2016)

Malware known as Delilah spreads through pornography and gaming websites. It lurks on the machines it infects, harvesting personal data and commandeering webcams to gather incriminating footage of users. The attackers use that information to blackmail people into disclosing company secrets.
Read more in:
Computerworld: Delilah malware secretly taps webcam, blackmails and recruits insider threat victims

The Register: Extortion trojan watches until crims find you doing something dodgy

ZDNet: This webcam malware could blackmail you into leaking company secrets

Former Baseball Scout Gets Prison Time for Unauthorized Computer Access (July 18, 2016)

A former employee of the St Louis Cardinals baseball team has been sentenced to nearly four years in prison for accessing the Houston Astros' computer network without authorization. Christopher Correa was also ordered to pay nearly US $280,000 in restitution.

[Editor Comments]

[Pescatore]
Stiff sentence and a good message to send out about industrial espionage being a criminal act for everyone.
Read more in:
CNET: Ex-Cardinals employee gets nearly 4 years in prison for Astros hack

ICO Offers Guidance for General Data Protection Regulation Compliance (July 15, 2016)

The UK Information Commissioner's office (ICO) is urging organizations to establish internal procedures for reporting breaches. When the General Data Protection Regulation (GDPR) takes effect in May 2018, organizations in the UK will be required to report data breaches to authorities and disclose them to the public if the breaches meet certain criteria. According to guidance from the ICO, "an internal breach reporting procedure ... will facilitate decision making about whether you need to notify the relevant supervisory authority or the public."
Read more in:
V3: ICO advises organisations to establish internal breach reporting procedures to prepare for GDPR

ICO Advisory: Breach notification

ICO: Overview of the General Data Protection Regulation (GDPR)

Android Trojan Blocks Calls to Banks (July 15, 2016)

A variant of the Android.Fakebank.B Trojan horse program blocks infected devices from calling banks to cancel compromised payment cards. Fakebank is designed to steal online banking account access credentials. The variant has been detected in Russia and South Korea.

[Editor Comments]

[Williams]
As telephone networks become increasingly IP controlled, expect to see more of these converged attack vectors where attackers disrupt telephonic communications to perpetuate attacks. Traditionally, we only see attackers target confidentiality of these communications, but here we see availability targeted as well. It makes sense to have out of band communications plans ready, including email and telephone.
Read more in:
Computerworld: This Android Trojan blocks the victim from alerting banks

Cisco Releases Fixes for Flaws in Several Products (July 15, 2016)

Cisco has released patches for vulnerabilities in a number of its products, including Cisco IOS, IOS XR, ASR5000, WebEx Meetings Server, and Cisco Meeting Server. The flaws could be exploited to create denial-of-service conditions, execute arbitrary commands with root privilege, extract information, modify device configuration, and crash devices.
Read more in:
The Register: Cisco gives you two nasty bugs to fix before the weekend

Computerworld: Cisco patches serious flaws in router and conferencing server software

SC Magazine: Cisco patches and discloses XSS vulnerability in WebEx Meetings Server

Legislators Want Celestial Navigation for All US Navy Personnel (July 15, 2016)

Two US Senators have written a letter to the Secretary of the Navy, asking that all personnel be trained in celestial navigation. The Navy uses the US Air Force Global Positioning System (GPS) for navigation; that system uses satellite transmissions which are fairly easy to jam and are "susceptible to damage or inaccuracies due to naturally occurring phenomena."

[Editor Comments]

[Pescatore]
Now, I'm a ham radio operator and Morse code enthusiast so I'm fine with a back to the basics movement. But, in the spirit of the Critical Security Controls and the IAD Top Ten as proven means of focusing security efforts on the highest risk/highest payback areas, I'd rather see the power of our elected officials put to more fruitful use.

[Northcutt]
It is great that the Naval Academy has reinstated training on the use of sextants in navigation. That said, trying to teach all Navy personnel "CELNAV" is a silly idea. Only a fraction of a ship's company are going to be in a position to get a sighting of the stars, have access to a high quality time source, or a decent sextant. GPS is generally considered to be accurate to at least 3 meters; CELNAV, depending on who you ask, is 0.5 - 2 nautical miles. The Navy would have to modify fleet formations and port access protocols to account for the change in accuracy. That said, it makes all the sense in the world to put an Astra III or similar on all sea going vessels with trained operators just to have a "second opinion" on position:



Read more in:
The Hill: Senators back celestial navigation for all Navy personnel

Ernst Senate: Text of Letter (PDF)


Critical Juniper Vulnerability

MS16-053 Included in Neutrino Exploit Kit

SSH Username Disclosure

httpoxy Vulnerability

Apple Security Updates

Toll Number Calling via Two Factor Authentication

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create