
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #1

January 05, 2016


The Ukrainian hacker-caused power blackout (the top story this week) may provide a window on the future of cyberwarfare.
Alan

TOP OF THE NEWS

Cyber Attacks Allegedly Targeted Power Stations in Ukraine
Default ICS/SCADA Passwords Disclosed
JavaScript Ransomware Spreading
Dutch Government Rejects Backdoors in Encryption

THE REST OF THE WEEK'S NEWS

US Defense Department Grants Contractors Cybersecurity Rule Extension
BlackBerry Will Remain in Pakistan
Cisco Warns of STARTTLS Downgrade Flaw in Jabber
Google Releases Android Updates
Attacks Targeted BBC Websites
Tor Project Bug Bounty Program
Microsoft Patches Browsers to Fix Flash Flaws
Steam Attack Details
Microsoft to Warn of State-Sponsored Attacks
Free Public Wi-Fi in NYC
Former Yandex Employee Sentenced for Code Theft
Linode Outages (Mostly) Over

STORM CENTER TECH CORNER


******************* Sponsored By Palo Alto Networks *********************

Know Before You Go: Key AWS Security Considerations. Tuesday, January 12 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Matt Keil. If your data center expansion plans include Amazon Web Services (AWS), then please join SANS and Palo Alto Networks for an interactive webinar that will cover key security considerations to protect your applications and data from cyber criminals.
http://www.sans.org/info/182757

***************************************************************************

TRAINING UPDATE

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses including the new FOR578: Cyber Threat Intelligence course.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Cyber Attacks Allegedly Targeted Power Stations in Ukraine (January 1 and 4, 2016)

A cyber attack last month in Ukraine caused a significant portion of the country's power grid to go offline. The SANS Industrial Control System (ICS) team has obtained a sample of the malware allegedly used in the attack.
-http://motherboard.vice.com/read/malware-found-inside-downed-ukrainian-power-plant-points-to-cyberattack
-https://ics.sans.org/blog/2016/01/01/potential-sample-of-malware-from-the-ukrainian-cyber-attack-uncovered
-http://www.wired.co.uk/news/archive/2016-01/05/cyberattack-power-electricity-ukraine
-http://arstechnica.com/security/2016/01/first-known-hacker-caused-power-outage-signals-troubling-escalation/
-http://www.v3.co.uk/v3-uk/news/2440469/ukraine-investigating-suspected-russian-cyber-attack-on-power-grid

[Editor's Note (Assante): The ICS Team at SANS has been researching this one since Dec 24th (an unplanned holiday challenge, and it was not Ed Skoudis - this we know). A big unknown remains: how was the electric service actually disrupted? A file wiper function can certainly disrupt the SCADA system, but that alone does not account for the outage. The SSH capability is probably a "tell" here, as we suspect an attacker manually interacted with an infected machine, like an HMI (human machine interface), to command breakers to open (just a theory at this point). The wiper function could then have been used to extend the outage by denying the SCADA system, but the impacted Ukrainian utility was still capable of resorting to manual operations to re-close breakers and energize their system. (Paller): This attack, if verified, is a window into the future of cyber warfare. At the start of any modern military campaign, a primary objective of the aggressor is to "take out power and communications" by blowing up power plants and communications hubs. This is a top priority because, once power and communications are disabled, a country's ability to coordinate defense and mount counter attacks is severely disabled. Cyber weapons can be pre-positioned inside power companies to do the job of a missile, before a nation even knows it is under attack. U.S. power systems' computers have been breached and infected first by Russian hackers and later by other adversaries. Some of the malware they installed is likely still in place and being updated as more attackers attempt to gain control. That's one of the big reasons that SANS is investing so heavily in developing and updating advanced techniques and immersion training courses for people involved in protecting power and other control systems. Examples at
-http://www.sans.org/u/aBM]

Default ICS/SCADA Passwords Disclosed (January 4, 2016)

A list of default passwords for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) products has been published online. The people responsible for making the information available say they did so to urge the vendors of those products to change their practices. The list does not include hardcoded passwords.
-http://www.darkreading.com/endpoint/researchers-out-default-passwords-packaged-with-ics-scada-wares/d/d-id/1323755?

JavaScript Ransomware Spreading (January 4, 2016)

What is believed to be the first JavaScript-based ransomware-as-a-service, Ransom32, is spreading. It is packaged with the NW.js framework, which bundles a JavaScript application with its own runtime so that the same code can run on Windows, Linux, and Mac OS X. Only a Windows build has been observed so far, but the packaging means the malware could be ported to the other platforms with little change.
-http://www.computerworld.com/article/3018972/security/ransom32-first-of-its-kind-javascript-based-ransomware-spotted-in-the-wild.html
-http://www.theregister.co.uk/2016/01/03/happy_2016_and_heres_the_years_first_ransomware_story/
-http://www.scmagazine.com/novel-javascript-ransomware-could-be-an-equal-opportunity-infecter/article/462915/
-http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware

Dutch Government Rejects Backdoors in Encryption (January 4, 2016)

The Dutch government has published a position paper in which it opposes the ideas of creating backdoors in encryption products. The paper says, in part, "The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability, and use of encryption within the Netherlands." The paper notes that placing backdoors in the products "would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services."
-http://thehill.com/policy/cybersecurity/264701-dutch-government-rejects-encryption-laws

-http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/


************************** SPONSORED LINKS ********************************
1) Don't Miss: From the Front Lines: Practical Application of DNS Threat Intel Data. Wednesday, January 13 at 1:00 PM EST (18:00:00 UTC) featuring Tim Helming and Robert M. Lee. http://www.sans.org/info/182762

2) Why You Need Application Security: Thursday, January 28 at 1:00 PM EST (18:00:00 UTC) with Johannes Ullrich. http://www.sans.org/info/182767

3) Infosec Pros: Are your threat hunting efforts beneficial? Tell us in the new SANS Survey & enter to win $400 Amazon Gift Card. Thanks and Happy Holidays!! http://www.sans.org/info/182772
***************************************************************************

THE REST OF THE WEEK'S NEWS

US Defense Department Grants Contractors Cybersecurity Rule Extension (January 4, 2016)

The Pentagon is giving military contractors an 18-month extension to comply with certain cybersecurity requirements in the Defense Federal Acquisition Regulation Supplement (DFARS). The decision to allow contractors a grace period was made following comments from the public heard last month.
-http://www.nextgov.com/cybersecurity/2016/01/pentagon-grants-contractors-extension-hack-detection-rule/124846/?oref=ng-channeltopstory
-http://www.natlawreview.com/article/department-defense-provides-government-contractors-grace-period-compliance-key

[Editor's Note (Murray): So much for the "buying power" of DoD. (Henry): "Now, contract awardees, within 30 days of winning work, must notify the department's chief information officer if any of the required NIST security controls are lacking." Hey, here's a novel idea: how about you don't get AWARDED a contract UNLESS the required security controls are in place first? ]

BlackBerry Will Remain in Pakistan (January 4, 2016)

BlackBerry will not leave Pakistan as it had planned. Last year, Pakistan's government demanded the ability to monitor all BlackBerry BES traffic in that country. BlackBerry COO Marty Beard refused, saying that the company would leave Pakistan if the government demands persisted. BlackBerry now plans to continue to operate in Pakistan, following "productive discussions" with the government there.
-http://www.zdnet.com/article/blackberry-to-stay-in-pakistan-despite-security-concernsblackberry-to-stay-in-pakistan-after/

Cisco Warns of STARTTLS Downgrade Flaw in Jabber (January 4, 2016)

Cisco has issued an advisory warning of a vulnerability in Jabber for Windows. The client accepts a stream negotiation in which the XMPP server's STARTTLS offer is missing, so an unauthenticated attacker positioned between the client and the server can strip the STARTTLS step from the negotiation and force the remainder of the session to be transmitted in cleartext, where it can be read and modified.
-http://www.theregister.co.uk/2016/01/04/cisco_jabbers_in_the_clear_due_to_starttls_bug/
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab
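The stripping attack described above, simulated end to end. This is an added example in Python, not code from Cisco or from any Jabber client; the stream:features stanza is constructed, and nothing goes on the network. The point it makes: the <required/> flag travels over the same unprotected pre-TLS stream as the <starttls> offer, so an on-path attacker removes both together, and a client that lets the server's advertisement decide falls back to cleartext. The fix lives in the client as a local policy.

```python
"""STARTTLS stripping against an XMPP (Jabber) client, simulated end to end.

Added example, not code from Cisco or from any Jabber client. The stanzas
below are constructed; nothing goes on the network.
"""
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STARTTLS_TAG = f"{{{TLS_NS}}}starttls"

# Constructed: what a correctly configured server advertises on the
# still-unencrypted stream. <required/> says "TLS is mandatory here".
SERVER_FEATURES = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    "</stream:features>"
)


def mitm_strip_starttls(features_xml: str) -> str:
    """On-path attacker: delete the STARTTLS offer (and its <required/>).

    The pre-TLS stream is neither encrypted nor integrity-protected, so the
    client cannot tell this edited stanza from the server's original.
    """
    root = ET.fromstring(features_xml)
    for child in list(root):
        if child.tag == STARTTLS_TAG:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def server_offers_starttls(features_xml: str) -> bool:
    """True if the received <stream:features> contains a <starttls> element."""
    return ET.fromstring(features_xml).find(STARTTLS_TAG) is not None


def vulnerable_client(features_xml: str) -> str:
    """Lets the server's (unauthenticated) advertisement decide.

    Returns the channel the client will authenticate over.
    """
    if server_offers_starttls(features_xml):
        return "tls"
    return "cleartext"   # continues to SASL; credentials go out in the clear


def hardened_client(features_xml: str, require_tls: bool = True) -> str:
    """Applies a local policy: no STARTTLS offer means no session at all."""
    if server_offers_starttls(features_xml):
        return "tls"
    if require_tls:
        return "abort"   # close the stream; never authenticate unencrypted
    return "cleartext"


def run_session(client, on_path_attacker: bool):
    """Drive one negotiation and report (decision, credentials_exposed)."""
    features = SERVER_FEATURES
    if on_path_attacker:
        features = mitm_strip_starttls(features)
    decision = client(features)
    exposed = on_path_attacker and decision == "cleartext"
    return decision, exposed


if __name__ == "__main__":
    for name, client in (("vulnerable", vulnerable_client),
                         ("hardened", hardened_client)):
        for attacker in (False, True):
            decision, exposed = run_session(client, attacker)
            print(f"{name:10s} attacker={attacker!s:5s} -> "
                  f"{decision:9s} exposed={exposed}")
```

Two caveats when applying this to a real client. First, "require TLS" must be a client-side setting that the server cannot talk the client out of; checking for <required/> in the received features is no defence, because the attacker deletes it along with the offer. Second, a TLS decision is only worth something if the handshake that follows validates the server certificate against a pinned or trusted CA set; otherwise the same on-path attacker simply terminates TLS itself.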

Google Releases Android Updates (January 4, 2016)

Google has released an update for Android to address 12 vulnerabilities, including five that are rated critical. Google will push out the update to Nexus devices. Other devices using the Android operating system will need to be updated by associated vendors and carriers. Google provided the updates to those entities on December 7, 2015.
-http://www.zdnet.com/article/google-fixes-five-critical-android-flaws-in-monthly-updates/

-http://www.theregister.co.uk/2016/01/04/android_january_fixes/

Attacks Targeted BBC Websites (December 31, 2015 and January 1, 2016)

All BBC websites were unavailable for a period on Thursday, December 31, due to a distributed denial-of-service (DDoS) attack. The attack began at 0700 GMT; by 1145 GMT, the sites were reportedly running normally.
-http://www.bbc.com/news/technology-35204915
-http://www.computerworld.com/article/3018738/cloud-computing/bbc-ddos-fail-itbwcw.html

-http://www.nbcnews.com/tech/security/bbc-websites-taken-down-cyberattack-n488536

Tor Project Bug Bounty Program (December 31, 2015)

The Tor Project plans to launch a bug bounty program this year. The Open Technology Fund (OTF) will sponsor the program. In its initial phase, the program will be by invitation only.
-http://www.darkreading.com/vulnerabilities---threats/tor-project-to-launch-bug-bounty-program/d/d-id/1323738?
-http://www.scmagazine.com/tor-project-to-team-with-hackerone-in-exploit-bounty-initiative/article/462397/

-http://www.zdnet.com/article/tor-project-launches-bug-bounty-program/

Microsoft Patches Browsers to Fix Flash Flaws (December 29 and 31, 2015)

On Tuesday, December 29, Microsoft released an out-of-cycle patch for 19 security issues in Flash that affect the company's browsers. One of the flaws was being actively exploited. Updates are available for both Internet Explorer and Edge.
-https://support.microsoft.com/en-us/kb/3132372
-http://www.scmagazine.com/microsoft-issues-patches-for-flash-in-explorer-and-microsoft-edge/article/462533/

[Editor's Note (Murray): Our toleration of Flash continues to be a measure of our (lack of) commitment to security. ]

Steam Attack Details (December 30 and 31, 2015)

Valve has acknowledged that its Steam store exposed the account information of 34,000 users. The issue was related to but not caused by a denial-of-service (DoS) attack. "A [caching] configuration error resulted in some users seeing Steam Store pages generated for other users."
-http://store.steampowered.com/news/19852/
-http://www.scmagazine.com/steam-confirms-info-on-34k-users-likely-exposed-in-christmas-day-dos-attack/article/462526/
-http://arstechnica.com/gaming/2015/12/valve-explains-ddos-induced-caching-problem-led-to-xmas-day-steam-data-leaks-and-downtime/

-http://www.zdnet.com/article/steam-confirms-dos-revealed-34k-user-details/
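The class of failure behind the Steam incident, as an added example in Python. This is not Valve's code or its caching configuration: it models an edge cache keyed on URL alone that, under an emergency "cache everything" rule of the kind deployed during a DDoS, stores a page rendered for one logged-in user and serves it to the next. The origin, session table and page bodies are all constructed. The corrected rule bypasses the cache for any request that carries a session cookie.

```python
"""A shared web cache serving one user's authenticated page to another.

Added example, not Valve's code or caching configuration. It models the
failure class (URL-only cache key plus a rule that ignores the origin's
Cache-Control) against a constructed origin and session table.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed: session cookie -> user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(path: str, cookie: Optional[str]) -> Response:
    """Origin server. Per-user pages are correctly marked private/no-store."""
    user = SESSIONS.get(cookie) if cookie else None
    if path == "/account":
        if user is None:
            return Response("Login required", {"Cache-Control": "no-store"})
        return Response(f"Account page for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("Store front page",
                    {"Cache-Control": "public, max-age=60"})


class CachingProxy:
    """Edge cache in front of the origin, keyed on URL only.

    cache_everything: emergency rule (think: deployed under DDoS) that
        stores every response regardless of Cache-Control. This is the bug.
    bypass_authenticated: requests carrying a session cookie never read
        from or write to the cache. This is the corrected rule.
    """

    def __init__(self, cache_everything: bool = False,
                 bypass_authenticated: bool = False):
        self.cache_everything = cache_everything
        self.bypass_authenticated = bypass_authenticated
        self.store: Dict[str, Response] = {}

    def get(self, path: str, cookie: Optional[str] = None) -> Tuple[str, str]:
        """Return (body, status); status is HIT, MISS or BYPASS."""
        if self.bypass_authenticated and cookie is not None:
            return origin(path, cookie).body, "BYPASS"
        if path in self.store:               # URL-only key: cookie ignored
            return self.store[path].body, "HIT"
        resp = origin(path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        cacheable = self.cache_everything or not (
            "private" in cc or "no-store" in cc)
        if cacheable:
            self.store[path] = resp
        return resp.body, "MISS"


def leaks_between_users(proxy: CachingProxy) -> bool:
    """True if the proxy hands bob a page that was rendered for alice."""
    proxy.get("/account", "sess-alice")
    body, _ = proxy.get("/account", "sess-bob")
    return "alice" in body


if __name__ == "__main__":
    for label, proxy in (
        ("honours Cache-Control   ", CachingProxy()),
        ("cache everything (bug)  ", CachingProxy(cache_everything=True)),
        ("cache everything + bypass", CachingProxy(cache_everything=True,
                                                  bypass_authenticated=True)),
    ):
        print(f"{label}: leak={leaks_between_users(proxy)}")
```

The check this suggests for any edge cache you operate: replay two requests for the same authenticated URL with different session cookies and confirm the second is never a HIT. Marking responses private at the origin is necessary but not sufficient, since an override rule at the edge, exactly the kind reached for under attack, can discard that header.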

Microsoft to Warn of State-Sponsored Attacks (December 30 and 31, 2015, and January 1, 2016)

Microsoft has revised its account breach notification policy to specify when it suspects that state-sponsored attackers have targeted a user's email or cloud services account. While Microsoft already has a policy in place that calls for notifying users of account breaches, the decision to identify a breach as coming from a state-sponsored entity was made "because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others."
-http://www.scmagazine.com/microsoft-will-notify-users-of-state-sponsored-hacking-attempts/article/462550/
-http://www.bloomberg.com/news/articles/2015-12-31/microsoft-to-warn-e-mail-users-about-government-hacking-attempts
-https://www.washingtonpost.com/news/the-switch/wp/2015/12/31/microsoft-to-warn-users-if-it-thinks-governments-are-trying-to-hack-into-their-accounts/
-http://blogs.microsoft.com/on-the-issues/2015/12/30/additional-steps-to-help-keep-your-personal-information-secure/

Free Public Wi-Fi in NYC (December 30, 2015)

New York City plans to install 10,000 free public Wi-Fi hotspots. Once operational, the kiosks will provide Wi-Fi in a 150-foot radius, as well as USB chargers, touchscreen Internet access, and free phone calls within the US. The project is expected to realize US $500 million in advertising revenue over 12 years. The plan calls for the first 500 kiosks to be up within the next six months; 4,500 additional hubs are expected to be established over the next four years. The system will be encrypted.
-http://www.csmonitor.com/Technology/2015/1230/NYC-begins-rolling-out-free-public-Wi-Fi.-Will-others-follow-suit

Former Yandex Employee Sentenced for Code Theft (December 30, 2015)

Former Yandex employee Dmitry Korobov has been sentenced to two years in prison for stealing software from the company and trying to sell it. The software, known as Arcadia, contains source code and critical algorithms for the Yandex search engine. Korobov attempted to sell the information for roughly US $29,000; its value has been estimated at US $15 million. Yandex is Russia's largest search engine.
-http://www.scmagazine.com/former-employee-hawked-stolen-yandex-source-code-for-29k/article/462416/

Linode Outages (Mostly) Over (December 29 and 31, 2015 and January 4, 2016)

Cloud hosting company Linode was targeted by a prolonged series of distributed denial-of-service (DDoS) attacks that caused service disruptions. The attacks began on December 25, 2015; as of January 4, 2016, nearly all Linode services were listed as "operational," although the company said that some users may experience "intermittent" service.
-http://www.theregister.co.uk/2016/01/04/linode_back_at_last_after_ten_days_of_hell/
-http://www.scmagazine.com/cloud-hosting-company-linode-sees-service-interruptions-for-ddos-attacks/article/462535/

-http://www.theregister.co.uk/2015/12/29/day_four_of_linode_data_center_attacks/

STORM CENTER TECH CORNER

Analysis of MIME Files
-https://isc.sans.edu/forums/diary/A+Tip+For+The+Analysis+Of+MIME+Files/20561/

How to Improve Your Web Server's Header Security
-https://diogomonica.com/2015/12/29/from-double-f-to-double-a/

HTTPS Bicycle Attack
-https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf

Find Open Recursive Name Servers With nmap
-https://isc.sans.edu/forums/diary/Testing+for+DNS+recursion+and+avoiding+being+part+of+DNS+amplification+attacks/20567/

January Android Update
-http://source.android.com/security/bulletin/2016-01-01.html

New Version of OpenDNSSEC Released
-https://www.opendnssec.org

Cisco Jabber STARTTLS Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, http://www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/