
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #11

February 09, 2016


FLASH REPORT: TUESDAY 2-9-16
(1) President Obama today proposed $19 billion (35% increase) for
cybersecurity with his 2017 budget request along with a federal CISO and
cybersecurity commission.
https://www.washingtonpost.com/world/national-security/obama-seeks-big-35-percent-hike-in-federal-cyber-budget-to-boost-defense/2016/02/08/6b98ea10-ceaa-11e5-b2bc-988409ee911b_story.html

(2) OMB's Tony Scott today called for consolidation of federal security
operations:
https://www.washingtonpost.com/politics/obama-administration-to-create-new-high-level-cyber-official/2016/02/09/98db52d2-cf14-11e5-90d3-34c2c42653ac_story.html

[Editor's note (Paller): Tony Scott has the right idea. With the
government so desperately short of high-level technical talent (reverse
engineering, application vulnerability analysis, intrusion detection,
memory and network forensics, etc.), agencies are demonstrating every
day they cannot protect their data and systems. OPM was the tip of a
very large, unreported iceberg of exploited U.S. government systems. A
centralized program COULD succeed, where the agencies are failing, if
it is staffed with extraordinary technical talent.]

TOP OF THE NEWS

NSA Reorganization
Removing Administrator Rights Could Mitigate Most Windows Vulnerabilities
DHS, FBI Employee Data Exposed

THE REST OF THE WEEK'S NEWS

Cyber Criminals Using More Sophisticated Techniques
Barclays Analyst to Join INTERPOL Cybercrime Centre
T9000 Trojan Steals Skype Communications
Oracle Releases Emergency Patch for Java SE
Attackers Used Malware in Scheme to Manipulate Russian Currency
UK and US Negotiating on Wiretap Orders and Warrants
Energy Bill Includes Provisions to Improve Grid Cybersecurity

STORM CENTER TECH CORNER



TOP OF THE NEWS

NSA Reorganization (February 2, 2016)

The US's National Security Agency (NSA) is planning a reorganization that will include merging the Signals Intelligence and Information Assurance directorates into a new Directorate of Operations. While combining offensive and defensive cyber operations provides opportunities for "collaboration and integration," there are concerns that "they are very much two different cultures."
-https://www.washingtonpost.com/world/national-security/national-security-agency-plans-major-reorganization/2016/02/02/2a66555e-c960-11e5-a7b2-5a2f824b02c9_story.html

Removing Administrator Rights Could Mitigate Most Windows Vulnerabilities (February 4, 2016)

According to a recent report, 85 percent of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action.
-http://www.zdnet.com/article/most-windows-flaws-mitigated-by-removing-admin-rights-says-report/

[Editor's Note (Pescatore): I have to make the usual observation about vendor reports showing that their product area solves problems, but: Version 6 of the Critical Security Controls moved Controlled Use of Admin Privileges from #12 in V5 up to #5 in V6. Reducing admin rights to the bare minimum number of people and even limiting the scope of admin rights for those with legitimate business need isn't that hard to do anymore - way less pushback from management and business users who really aren't installing much software (other than malware...) on their work PCs anymore. The app battles have moved to mobile devices. (Murray): We continue to have too much administrator and root ID and password sharing. We end up with limited to no accountability over the most sensitive acts. (Weatherford): I've long advocated for flashing lights and alarms any time an Admin account is created or changed. (Ranum): I would title this one: "85% of computer security breaches are self-inflicted; root cause analysis is stupidity and laziness." (Honan): This is not really a new story; a report published in 2009 states that 92% of critical vulnerabilities would be mitigated by reducing the privileges for users on their systems (
-http://www.zdnet.com/article/report-92-of-critical-microsoft-vulnerabilities-mitigated-by-least-privilege-accounts/)
and this guide from the NSA in 2013 also recommends reducing the use of local admin accounts. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue.
-https://technet.microsoft.com/library/cc700846.aspx
and
-http://blogs.technet.com/b/rhalbheer/archive/2010/12/05/mitigating-the-use-of-local-admin.aspx
]

DHS, FBI Employee Data Exposed (February 7 and 8, 2016)

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account.
-http://www.cnet.com/news/need-to-call-the-fbi-hacker-offers-you-20000-numbers/
-http://www.darkreading.com/attacks-breaches/us-doj-dhs-yet-to-confirm-breach-leak/d/d-id/1324224?
-http://thehill.com/policy/cybersecurity/268037-senate-energy-bill-aims-to-fight-power-grid-hackers
-http://thehill.com/policy/cybersecurity/268594-hacker-dumps-10k-dhs-employees-data-threatens-fbi-next
-http://www.computerworld.com/article/3030983/security/hackers-breach-doj-dump-details-of-9-000-dhs-employees-plan-to-leak-20-000-from-fbi.html
-http://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees




THE REST OF THE WEEK'S NEWS

Cyber Criminals Using More Sophisticated Techniques (February 8, 2016)

Cyber criminals are starting to adapt techniques that have normally been exploited by state-sponsored APT groups for use in their own attacks. Among the groups using the newer, sophisticated malware are Carbanak, Metel, and GCMAN. Carbanak has been used to steal more than US $1 billion over two years. Metel's methods include gaining access to bank call center administrative accounts to manipulate transaction data. GCMAN attacks banks' own web servers; the group had a presence in one bank's system for 18 months before the intrusion was detected.
-http://www.darkreading.com/endpoint/cybercrime-gangs-blend-cyber-espionage-and-old-school-hacks-in-bank-heists/d/d-id/1324222?
-http://arstechnica.com/security/2016/02/clever-bank-hack-allowed-crooks-to-make-unlimited-atm-withdrawals/
-http://www.zdnet.com/article/metel-apt-group-rolls-backs-atm-transactions-to-dupe-financial-sector/

Barclays Analyst to Join INTERPOL Cybercrime Centre (February 8, 2016)

A cybercrime analyst from Barclays bank will join experts from industry, academia, and law enforcement at INTERPOL's Cyber Fusion Centre in Singapore. The Barclays analyst will be the first representative from the financial sector at the Centre, which "provides a neutral, global platform for law enforcement, the private sector, and academia to work collaboratively, sharing actionable threat information and developing operational responses."
-http://www.zdnet.com/article/bank-joins-interpol-cyber-crime-fighting-centre/
-http://www.interpol.int/News-and-media/News/2016/N2016-017
[Editor's Note (Honan): This is a good move and this merging of domain expertise should improve information sharing flows between the financial sector and law enforcement. ]

T9000 Trojan Steals Skype Communications (February 8, 2016)

The T9000 Trojan horse program targets Skype, where it records calls, takes screenshots, and copies chat messages. It then stores the stolen data in a directory. Before installing itself on machines, T9000 identifies 24 different security products and tailors its installation to evade detection.
-http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/
-http://www.zdnet.com/article/t9000-malware-records-skype-calls-screenshots-and-text-messages-to-steal-data/
-http://www.scmagazine.com/skype-targeted-by-t9000-backdoor-trojan/article/471958/

Oracle Releases Emergency Patch for Java SE (February 5 and 8, 2016)

Oracle has issued an out-of-cycle patch for Java to address a critical flaw that could be exploited to completely compromise Windows machines. The issue affects Java SE 6, 7, and 8 on Windows. Users' machines are at risk during the installation process.
-http://www.theregister.co.uk/2016/02/08/emergency_java_patch/
-http://www.computerworld.com/article/3031032/security/java-installer-flaw-shows-why-you-should-clear-your-downloads-folder.html
-http://www.v3.co.uk/v3-uk/news/2446125/oracle-issues-emergency-java-patch-for-windows-security-flaw
-http://www.zdnet.com/article/oracle-posts-security-patch-for-bug-that-could-result-in-complete-compromise-of-windows-machines/
-https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603
-http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html

[Editor's Note (Ullrich): Interesting (strange?) that the bug is exploited on systems that do not have Oracle installed, but an Oracle patch will fix the problem. This is something where Oracle could give a bit more guidance regarding the nature of the vulnerability. ]

Attackers Used Malware in Scheme to Manipulate Russian Currency (February 8, 2016)

The Corkow Trojan horse program was reportedly used in attacks that manipulated the exchange rate for the Russian ruble against the US dollar. The attackers used Corkow to gain access to systems at Energobank and place US $500 million in orders at non-market rates, according to a security company brought in to investigate the incident. Corkow has reportedly infected more than 250,000 computers around the world.
-http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says?mod=djemRiskCompliance
-http://thehill.com/policy/cybersecurity/268588-report-hackers-use-malware-to-manipulate-russian-currency-value

UK and US Negotiating on Wiretap Orders and Warrants (February 4 and 5, 2016)

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK.
-http://www.theregister.co.uk/2016/02/05/uk_wants_warrantless_wiretaps/
-https://www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america--with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html

Energy Bill Includes Provisions to Improve Grid Cybersecurity (February 3, 2016)

An energy reform bill introduced in the US Senate includes provisions aimed at strengthening power grid cybersecurity. The Energy Policy Modernization Act authorizes cybersecurity research, directs the DOE to work with other countries that are part of the North American grid, and would allow DOE to instruct power companies on steps to take in the event of a major cyberattack.
-http://thehill.com/policy/cybersecurity/268037-senate-energy-bill-aims-to-fight-power-grid-hackers


STORM CENTER TECH CORNER

Malware With Zip'ed Javascript Attachments
-https://isc.sans.edu/forums/diary/A+trip+through+the+spam+filters+more+malspam+with+zip+attachments+containing+js+files/20697/

Netgear NMS300 Arbitrary Code Execution Vulnerability
-https://www.kb.cert.org/vuls/id/777024

Apple Home Button "Error 53"
-http://www.theguardian.com/money/2016/feb/05/error-53-apple-iphone-software-update-handset-worthless-third-party-repair

Symantec Certificate Authority Whois E-Mail Parsing Problem
-https://www.agwa.name/blog/post/domain_validation_vulnerability_in_symantec_ca

More Malicious JavaScript Obfuscation
-https://isc.sans.edu/forums/diary/More+Malicious+JavaScript+Obfuscation/20703/

Hard Coded SSH Passwords in Trane ComfortLink Thermostats
-http://blog.talosintel.com/2016/02/trane-iot.html#more


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/