
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #10

February 06, 2016


CISO Hot Topic: Communicating With CEOs and Boards of Directors: What
Works and What to Avoid. A SANS executive briefing on Tuesday, February
09, 2016 at 6:00 PM EST (23:00:00 UTC) featuring John Pescatore and Alan
Paller as well as a CISO with hard won experience. Real world data on
what works for CISOs on how to make the most of opportunities to
interact with top management to increase the effectiveness (and funding)
of their security programs. This session is live in Scottsdale and
streamed around the world. Register (no cost) at
https://www.sans.org/event/scottsdale-2016/bonus-sessions/8857/#bonus-box

TOP OF THE NEWS

Former Federal Employee Pleads Guilty to Spear Phishing
Google Expanding Safe Browsing in Chrome
WordPress Sites Delivering Ransomware
GPS Satellites Broadcast Incorrect Time

THE REST OF THE WEEK'S NEWS

Univ. of Central Florida Data Breach
Netgear NMS300 Flaw
Dridex Botnet Distributing Antivirus Installer
OpenELEC Password Vulnerability
EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant
Malwarebytes Will Fix Flaws Found by Project Zero
eBay Fix Addresses Part of Severe Vulnerability
Safe Harbor Agreement Replaced with "Privacy Shield"

STORM CENTER TECH CORNER


********************** Sponsored By AlienVault ************************

New to SIEM? Check out the Beginner's Guide to SIEM:
http://www.sans.org/info/183307

***************************************************************************

TRAINING UPDATE

--Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses.
http://www.sans.org/u/aBH

--ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

--Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses, including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Former Federal Employee Pleads Guilty to Spear Phishing (February 2, 3, and 4, 2016)

A former US Department of Energy (DOE) and Nuclear Regulatory Commission (NRC) employee has pleaded guilty to charges of unauthorized access and intentional damage to a protected computer for a spear phishing campaign targeting DOE employees. Charles Harvey Eccleston was trying to get the recipients to click on links that would allow malware onto the DOE's network and expose sensitive information. Eccleston worked at the Nuclear Regulatory Commission (NRC) until he was fired in 2010. In 2013, Eccleston began attempting to sell sensitive energy data to people he believed to be foreign agents.

Google Expanding Safe Browsing in Chrome (February 3, 2016)

Google's safe browsing technology will now cover online advertisements that try to trick people into entering account access credentials or downloading malware that pretends to be a legitimate software update. If a site is deemed to be deceptive, Chrome will display a red screen and a text warning.
-http://www.computerworld.com/article/3029735/internet/google-expands-chromes-safe-browsing-defenses-to-sniff-out-ad-scams.html

[Editor's Note (Pescatore): Google has a pretty good track record over the 8 years or so that Chrome has offered the Safe Browsing functionality. It would be much more effective if ISPs would agree to do something similar at their gateways, vs. leaving it to the browser vendors. The FCC Communications Security, Reliability, and Interoperability Council (CSRIC) Working Groups seem to do much talking about this, no visible action. (Paller): Good idea, John, but . . . I had the honor of co-chairing the FCC CSRIC working group on effective security practices and learned that the FCC staff is deathly afraid of asking the ISPs to do anything that would have a major positive impact on security. Why? Because the large ISPs pay their government affairs people more than $1 million each year in salary and bonus to make sure that the FCC does nothing that would cost the ISPs money. One method they use is distributing money to political action committees, and they use the resulting political power to bully the FCC staff. Sad. ]

WordPress Sites Delivering Ransomware (February 4, 2016)

A significant number of websites that run on the WordPress content management system appear to have been compromised so that they infect site visitors' computers with ransomware and other malware. The attacks affect machines that are running versions of Adobe Flash, Adobe Reader, Microsoft Silverlight, and Internet Explorer that are not up to date on patches.
-http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-hacks-silently-delivers-ransomware-to-visitors/

In a related story, WordPress is automatically pushing out updates to address two vulnerabilities and 17 bugs.
-http://www.eweek.com/security/wordpress-update-patches-pair-of-vulnerabilities.html

GPS Satellites Broadcast Incorrect Time (February 4, 2016)

On January 26, 2016, 15 global positioning system (GPS) satellites were found to be broadcasting the incorrect time. The problem was triggered when an old GPS satellite was decommissioned, which threw off the coordinated universal timing signal by 13 microseconds. Time measurement is used to control data flow through telecommunications companies' networks. The issue seems to have caused problems with digital radio broadcasts.
-http://www.airtrafficmanagement.net/2016/02/glitch-in-time/
-http://www.navcen.uscg.gov/pdf/gps/AirForceOfficialPressRelease.pdf
-http://www.bbc.com/news/technology-35491962
-http://www.bbc.com/news/technology-35463347
[Editor's Note (Northcutt): GPS is also employed in Network Time Protocol (NTP) used to synch the sensors that report to log servers that report to SIEMs. When you are trying to determine a sequence of events in an incident, if you can't trust your time source, you have a lot of manual work and reduced evidence admissibility. It is a good idea to detect, report and react to loss of synchronization:
-http://www.gpsntp.com/
-http://www.ntp.org/ntpfaq/NTP-s-refclk.htm
-http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html ]
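Northcutt's point above is that loss of time synchronization has to be detected, not assumed away. The Go program below is an added example, not part of the newsletter or of any of the linked pages: it parses the peer billboard that `ntpq -p` prints and returns the conditions a monitoring job should alert on (no selected system peer, a system peer that has missed recent polls, stratum 16, or an offset beyond a tolerance). The two billboards embedded in it are constructed samples, not output captured from a real host, and the 100 ms tolerance is an arbitrary value chosen for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Constructed sample of `ntpq -p` output (not captured from a real host):
// one selected system peer (*), one candidate (+), one peer never reached.
const sampleHealthy = `     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.com .GPS.            1 u   42   64  377    0.512   -0.031   0.012
+ntp2.example.com 192.0.2.10       2 u   10   64  377   12.210    1.402   0.210
 ntp3.example.com .INIT.          16 u    -   64    0    0.000    0.000   0.000
`

// Constructed sample in which the daemon has dropped its system peer and the
// reachable peers disagree with the local clock by hundreds of milliseconds.
const sampleDrifting = `     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.example.com .GPS.            1 u   42   64  017    0.512  -813.204  40.011
+ntp2.example.com 192.0.2.10       2 u   10   64  377   12.210  250.402   0.210
`

// Peer is one parsed row of the billboard.
type Peer struct {
	Tally   byte    // '*' system peer, '+' candidate, ' ' discarded, and so on
	Remote  string
	Refid   string
	Stratum int
	Reach   int64   // 8-poll shift register, printed in octal; 0377 means all recent polls answered
	Offset  float64 // milliseconds, local clock relative to this peer
}

// parsePeers skips the two header lines and any row that lacks the ten
// expected columns or has non-numeric stratum/reach/offset fields.
func parsePeers(output string) []Peer {
	var peers []Peer
	for _, line := range strings.Split(output, "\n") {
		if len(line) < 2 || strings.HasPrefix(line, "=") || strings.Contains(line, "refid") {
			continue
		}
		tally := line[0]
		f := strings.Fields(line[1:])
		if len(f) < 10 {
			continue
		}
		st, err1 := strconv.Atoi(f[2])
		reach, err2 := strconv.ParseInt(f[6], 8, 64)
		offset, err3 := strconv.ParseFloat(f[8], 64)
		if err1 != nil || err2 != nil || err3 != nil {
			continue
		}
		peers = append(peers, Peer{tally, f[0], f[1], st, reach, offset})
	}
	return peers
}

// CheckSync returns the findings a monitoring job should raise. An empty
// slice means the host's time source currently looks trustworthy.
func CheckSync(output string, maxOffsetMs float64) []string {
	var findings []string
	peers := parsePeers(output)
	var sys *Peer
	for i := range peers {
		if peers[i].Tally == '*' {
			sys = &peers[i]
		}
	}
	if sys == nil {
		findings = append(findings, "no system peer selected: local clock is free-running")
		// Report how far the reachable peers say the clock is off, so responders
		// know the size of the correction they will have to apply to log timestamps.
		for _, p := range peers {
			if p.Reach != 0 && math.Abs(p.Offset) > maxOffsetMs {
				findings = append(findings, fmt.Sprintf("peer %s offset %.3f ms exceeds %.1f ms", p.Remote, p.Offset, maxOffsetMs))
			}
		}
		return findings
	}
	if sys.Stratum >= 16 {
		findings = append(findings, fmt.Sprintf("system peer %s reports stratum 16 (unsynchronized)", sys.Remote))
	}
	if sys.Reach != 0377 {
		findings = append(findings, fmt.Sprintf("system peer %s missed recent polls (reach %03o)", sys.Remote, sys.Reach))
	}
	if math.Abs(sys.Offset) > maxOffsetMs {
		findings = append(findings, fmt.Sprintf("system peer %s offset %.3f ms exceeds %.1f ms", sys.Remote, sys.Offset, maxOffsetMs))
	}
	return findings
}

func main() {
	for name, sample := range map[string]string{"healthy": sampleHealthy, "drifting": sampleDrifting} {
		findings := CheckSync(sample, 100)
		if len(findings) == 0 {
			fmt.Printf("%s: time source OK\n", name)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s: ALERT %s\n", name, f)
		}
	}
}
```

In a deployment the billboard would come from running `ntpq -p` on each log source or NTP-serving sensor, and a non-empty result would be forwarded to the SIEM as its own event, so that an incident timeline built later can be annotated with the periods during which a host's timestamps should not be trusted.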


************************** SPONSORED LINKS ********************************
1) Hunting and Farming : Concepts and Strategies to Improve Your Cyber Defenses. Wednesday, February 24, 2016 at 1:00 PM EDT (18:00:00 UTC) with Ben Johnson, Co-founder and Chief Security Strategist for Carbon Black. http://www.sans.org/info/183312

2) Don't Miss: Bring Your Own Collaboration Technical Control Tradeoffs. Thursday, February 25, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Scott Gordon. http://www.sans.org/info/183317

3) NOW OPEN: 2016 SANS ICS Security Survey - Take Survey and Enter to Win $400 Amazon Card. http://www.sans.org/info/183322
***************************************************************************

THE REST OF THE WEEK'S NEWS

Univ. of Central Florida Data Breach (February 4, 2016)

The University of Central Florida (UCF) has disclosed that its computer systems were breached, compromising the personal information of 63,000 current and former students, staff, and faculty. The breach was detected last month and is being investigated by law enforcement and a digital forensics company.
-http://www.scmagazine.com/student-ssns-exposed-in-university-of-central-florida-breach/article/471439/

-http://www.nbcnews.com/tech/security/university-central-florida-hack-exposes-63-000-ssn-n511366

Netgear NMS300 Flaw (February 3 and 4, 2016)

Flaws in Netgear's NMS300 ProSafe network management system could be exploited to take control of vulnerable servers. NMS300 is available for Windows XP, 7, 8, and 10, and Windows Server 2003, 2008, and 2012. The web interface has a vulnerability that allows unauthenticated users to upload and execute Java files. Carnegie Mellon University's Computer Emergency Response Team Coordination Center (CERT/CC) has released an advisory about the issue. The advisory suggests "enable[ing] firewall rules to restrict untrusted sources from accessing the web management interface."
-http://www.computerworld.com/article/3030024/security/serious-flaws-discovered-in-netgears-nms300-network-management-system.html

-https://www.kb.cert.org/vuls/id/777024
[Editor's Note (Williams): Access to network management servers should be restricted to authorized users through firewall rules and IP access control lists. This isn't the only network management server attack in the news recently. WhatsUp Gold had a SQL injection via SOAP recently that allowed attackers access (-https://www.kb.cert.org/vuls/id/753264). This trend should be a wakeup call to organizations that they need network segmentation around these highly critical network management servers. ]

Dridex Botnet Distributing Antivirus Installer (February 4, 2016)

Someone appears to have altered the distribution channel for the Dridex Trojan botnet so that links now lead to Avira Antivirus installers. Dridex was the target of a takedown operation late last year. An Avira malware expert says the company is not responsible for the activity.
-http://www.theregister.co.uk/2016/02/04/dridex_botnet_pwned/

OpenELEC Password Vulnerability (February 2 and 3, 2016)

Carnegie Mellon University's Computer Emergency Response Team Coordination Center (CERT/CC) has published an alert warning of a password vulnerability in the Open Embedded Linux Entertainment Center (OpenELEC) operating system. The flaw also affects RasPlex for Raspberry Pi devices, as it is based on the open-source OpenELEC distribution. A hard-coded root password for the Secure Shell (SSH) encryption protocol could be used to gain root access to vulnerable devices. CERT recommends several mitigations, including disabling SSH password access and restricting network access.
-http://www.scmagazine.com/cert-poor-password-policy-leaves-openelec-operating-system-vulnerable-to-hackers/article/470962/

-http://www.kb.cert.org/vuls/id/544527
[Editor's Note (Williams): Seriously? Another hard-coded password? This product is geared towards home markets, so the vulnerability probably represents little risk to enterprise networks. ]

EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant (February 3, 2016)

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have filed an amicus brief in the US Court of Appeals for the Seventh Circuit, alleging that the Milwaukee, Wisconsin police department used a stingray without first obtaining a warrant.
-http://www.scmagazine.com/the-eff-and-aclu-allege-milwaukee-police-hid-stingray-use-from-court-and-defendant/article/470827/

Malwarebytes Will Fix Flaws Found by Project Zero (February 3, 2016)

Google's Project Zero team has disclosed vulnerabilities in Malwarebytes that could be exploited to launch man-in-the-middle attacks. Project Zero discovered that Malwarebytes updates were being downloaded over an insecure HTTP channel and that they were not signed. Malwarebytes was notified of the issue in November, but did not fix the issue within Project Zero's 90-day window. A Malwarebytes executive says the issues will be fixed within the next several weeks.
-http://www.v3.co.uk/v3-uk/news/2444776/googles-project-zero-reveals-update-flaws-in-malwarebytes-antivirus-software

-http://www.zdnet.com/article/google-lays-bare-security-flaws-in-anti-malware-product-with-250-million-users/

-https://code.google.com/p/google-security-research/issues/detail?id=714
-https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/
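The two defects reported above (plaintext transport and unsigned payloads) are independent, and a client needs both controls: an authenticated channel so the download cannot be altered in transit, and a signature so a compromised mirror or CDN cannot serve a substitute. The Go program below is an added example and is not Malwarebytes' code or anything from the Project Zero report; it shows the verification step an update client would run before installing anything. It assumes the publisher signs the SHA-256 digest of each update with an Ed25519 key whose public half is pinned in the client; the key pair is generated at startup only so the example is self-contained, and the update payload and URLs are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Sentinel errors so callers (and tests) can distinguish the two failure modes.
var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("update signature does not verify against pinned key")
)

// VerifyUpdate refuses an update unless it was fetched from an https URL and
// the SHA-256 digest of the payload carries a valid signature from the pinned
// publisher key. The scheme check stands in for the TLS fetch itself: Go's
// default http.Client validates the server certificate on an https URL, so an
// http URL is the one transport this client must never accept.
func VerifyUpdate(pub ed25519.PublicKey, sourceURL string, payload, sig []byte) error {
	u, err := url.Parse(sourceURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureTransport
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// signUpdate is the publisher-side step (build server holding the private
// key); included only to produce material for the scenarios below.
func signUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// Scenario exercises the three cases that matter: the pre-fix situation
// (plaintext URL, no signature), a signed update served over https but
// modified by a hostile mirror, and a correctly signed update over https.
func Scenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the example
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update blob, version 1.2.3") // stands in for the installer bytes
	sig := signUpdate(priv, payload)

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01 // single-bit change, as a man-in-the-middle or bad mirror might make

	return map[string]error{
		"http-unsigned":  VerifyUpdate(pub, "http://updates.example.invalid/client.exe", payload, nil),
		"https-tampered": VerifyUpdate(pub, "https://updates.example.invalid/client.exe", tampered, sig),
		"https-signed":   VerifyUpdate(pub, "https://updates.example.invalid/client.exe", payload, sig),
	}
}

func main() {
	for name, err := range Scenario() {
		if err == nil {
			fmt.Printf("%-15s accepted\n", name)
		} else {
			fmt.Printf("%-15s rejected: %v\n", name, err)
		}
	}
}
```

The order of the checks is deliberate: transport is validated before any bytes are trusted, and the signature is checked over the digest of the full payload before the file is handed to an installer or loaded as code, so a failure in either control is a hard stop rather than a warning.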

eBay Fix Addresses Part of Severe Vulnerability (February 3, 2016)

eBay has issued a partial fix for a vulnerability in its active content that could be exploited to trick users into revealing account access credentials and downloading malware. In January, eBay said it was not planning to fix the issue, but now the company has partially remedied the problem by deploying content filters.
-http://www.bbc.com/news/technology-35491834
-http://arstechnica.com/security/2016/02/ebay-has-no-plans-to-fix-severe-bug-that-allows-malware-distribution/

-http://www.scmagazine.com/update-ebay-cesspit-has-no-plans-to-fix-severe-vulnerability/article/470737/

Safe Harbor Agreement Replaced with "Privacy Shield" (February 2 and 4, 2016)

US and European Union (EU) regulators have reached a tentative data protection agreement to replace the invalidated Safe Harbor agreement. Privacy Shield still needs approval from EU member states. It is also likely to face analysis by EU courts.
-http://www.scmagazine.com/privacy-shield-is-here-now-orgs-lawmakers-must-take-action/article/471452/

-https://www.washingtonpost.com/news/the-switch/wp/2016/02/02/the-massive-new-privacy-deal-between-u-s-and-europe-explained/

-http://www.darkreading.com/cloud/eu-us-agree-on-new-data-transfer-pact-but-will-it-hold/d/d-id/1324150


STORM CENTER TECH CORNER

Shodan Uses pool.ntp.org to Find IPv6 Hosts
-https://isc.sans.edu/forums/diary/Targeted+IPv6+Scans+Using+poolntporg/20681/

Android Monthly Update
-https://source.android.com/security/bulletin/2016-02-01.html

EMET 5.5 Released
-http://blogs.technet.com/b/srd/archive/2016/02/02/enhanced-mitigation-experience-toolkit-emet-version-5-5-is-now-available.aspx

Automating Vulnerability Scans with OpenVAS
-https://isc.sans.edu/forums/diary/Automating+Vulnerability+Scans/20685

"Chromodo" Browser Less Secure than "Chrome/Chromium"
-https://code.google.com/p/google-security-research/issues/detail?id=704

Fake Flash Installer OS X Malware
-https://isc.sans.edu/forums/diary/Fake+Adobe+Flash+Update+OS+X+Malware/20693/

Dridex Botnet Installing Avira Antivirus
-http://www.theregister.co.uk/2016/02/04/dridex_botnet_pwned/

Avast Antivirus Installing Vulnerable Version of Chromium
-https://code.google.com/p/google-security-research/issues/detail?id=679

German Federal Office for Information Security Publishes Audit Results For OpenSSL
-https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/OpenSSL-library/DocumentationOpenSSL.pdf?__blob=publicationFile&v=2

Security Blogger Award Voting (Please only vote once)
-http://www.ashimmy.com/2016/01/2016-social-security-blogger-award-voting-is-open-now.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/