SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #12

February 12, 2016

TOP OF THE NEWS

IRS Acknowledges Attackers Obtained eFile PINs
Google is Saying Goodbye to Flash in Advertisements
Chrome Update

THE REST OF THE WEEK'S NEWS

White House Posts Job Listing for CISO
Report: A Worldwide Survey of Encryption Products
Cisco Releases Fix for Remote Code Execution Flaw in ASA Software
NYPD Used Stingrays
SAP Fixes Critical Flaw
FBI Seeks US $38 Million to Help Defeat Encryption
February's Patch Tuesday
Wendy's Breach Update
Linode SSH Key Error Leaves Users Vulnerable to Man-in-the-Middle Attacks

---

************************ Sponsored By Splunk **************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- -- SANS Atlanta | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- -- SANS Pen Test Austin | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

IRS Acknowledges Attackers Obtained eFile PINs (February 10 and 11, 2016)

The US Internal Revenue Service says that cybercriminals obtained personal identification numbers (PIN) from the IRS.gov website and tried to use them to file fraudulent tax returns. The attackers used a bot to enter Social Security numbers (SSN) into the system and were successful in more than 10,000 instances. The attackers tried more than 450,000 SSNs.
-http://www.nextgov.com/cybersecurity/2016/02/crooks-tricked-irs-system-providing
-them-false-ids/125860/?oref=ng-channelriver
-http://www.eweek.com/security/irs-confirms-it-was-a-victim-of-an-automated-attac
k.html
-https://fcw.com/articles/2016/02/10/irs-pin-attack.aspx
-http://www.darkreading.com/endpoint/over-100000-e-file-pins-fraudulently-accesse
d-in-automated-attack-on-irs-app/d/d-id/1324266?
[Editor's Note (Ulrich): As a consumer, your best bet is to "outrun" the bad guys. Either file your taxes early, or apply for a e-Filing PIN to prevent others from doing it. All SSN's have been stolen, yours too. It is just a matter of "luck of the draw" if your information is used or not at this point. (Murray): Not only does Google offer their users a very well designed strong authentication implementation but they offer that implementation to the IRS and other government agencies. The Federal Government has put the country and citizens at unnecessary, not to say unacceptable, risk by failing to implement strong authentication. ]

Google is Saying Goodbye to Flash in Advertisements (February 10, 2016)

Starting June 30, 2016, Google will no longer accept advertisements that use Flash on the AdWords and DoubleClick networks. Instead, advertisers, or those who create the online ads, are being urged use HTML5 instead. And as of January 2, 2017, any ads with Flash still in the systems will no longer play on DoubleClick or Google Display Network.
-http://www.theregister.co.uk/2016/02/10/google_orders_advertisers_to_adopt_html5
/
-http://www.computerworld.com/article/3031908/security/google-will-stop-accepting
-new-flash-ads-on-june-30.html
-http://www.v3.co.uk/v3-uk/news/2446512/google-to-ban-flash-ads-from-its-network
[Editor's Note (Murray): This is an admission that the continued toleration of Flash is an accommodation to advertisers. I have used a browser that does not support Flash (Thanks, Steve!) for more than five years and have not missed it. Needless to say, I also block scripts in the browser. Our vulnerabilities invite the threat; they persist not because we do not know what to do about them but because we lack the will. (Pescatore): And not one actual user will mourn the passing of Flash in ads, any more than they did the blinking URL tag... (Ullrich): I hope that by removing Flash advertisements, web sites relying on advertisements for revenue will start to discontinue Flash as well. In some cases, sites did keep Flash around for content in order to prevent users from disabling Flash for their site (and in turn disabling advertisements). ]

Chrome Update (February 10, 2016)

An updated version of Google's Chrome browser addresses half a dozen vulnerabilities that could be exploited to take control of unpatched systems. The issues affect Chrome for Windows, Mac, and Linux. The updated stable channel version of Chrome is 48.0.2564.109.
-http://www.scmagazine.com/google-issues-chrome-update-to-fix-windows-mac-and-lin
ux-bugs/article/473340/
-http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html

---

************************** SPONSORED LINKS ********************************
1) Case Study: How the City of Lewiston Improved Threat Detection with AlienVault USM. Wednesday, February 17, 2016 at 11:00 AM EDT (16:00:00 UTC) with Danny Santiago and Dave Shackleford. http://www.sans.org/info/183350

2) Hunting and Farming : Concepts and Strategies to Improve Your Cyber Defenses. Wednesday, February 24, 2016 at 1:00 PM EDT (18:00:00 UTC) with Ben Johnson, Co-founder and Chief Security Strategist for Carbon Black. http://www.sans.org/info/183312

3) Don't Miss: Bring Your Own Collaboration Technical Control Tradeoffs. Thursday, February 25, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Scott Gordon. http://www.sans.org/info/183317
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

White House Posts Job Listing for CISO (February 9, 2016)

The White House is planning to hire a chief information security officer (CISO). Whoever is chosen to fill the new position will report to federal CIO Tony Scott.
-http://www.zdnet.com/article/white-house-wants-to-hire-its-first-chief-informati
on-security-officer/
-https://www.usajobs.gov/GetJob/ViewDetails/428904900
[Editor's Note (Murray): One is reminded of the lesson from our colleague, Peter Browne, that a CISO negotiates whatever success he is ever going to have in the hiring interviews. Ask for budget, authority, peer relations, rank, title, reporting point (not the CIO, in one case Browne negotiated a reporting point as peer to the executive that hired him) etc. Ignore compensation and perks. If one gets the former, the latter will take care of themselves. ]

Report: A Worldwide Survey of Encryption Products (February 11, 2016)

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. "Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead."
-https://www.schneier.com/cryptography/archives/2016/02/a_worldwide_survey_o.html
-http://arstechnica.com/tech-policy/2016/02/new-report-contends-mandatory-crypto-
backdoors-would-be-futile/
-http://www.theregister.co.uk/2016/02/11/schneier_encryption_survey/
-http://www.nbcnews.com/tech/security/trying-stop-encryption-it-s-everywhere-harv
ard-study-says-n516761

Cisco Releases Fix for Remote Code Execution Flaw in ASA Software (February 11, 2016)

A critical flaw in Cisco Adaptive Security Appliance (ASA) software could be exploited to take control of vulnerable systems by sending malformed UDP packets. The issue arises from a buffer overflow flaw in the Internet Key Exchange (IKE) version 1 and version 2 of Cisco ASA software. The issue affects ASA firewalls configured as virtual private network (VPN) servers
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
0160210-asa-ike
-http://www.computerworld.com/article/3032519/networking/critical-flaw-exposes-ci
sco-security-appliances-to-remote-hacking.html
-http://www.theregister.co.uk/2016/02/11/cisco_security_kit_open_to_ike_bug/
[Editor's Note (Ullrich): This vulnerability must be patched now. The day it was released, we detected a significant increase in scans for VPN servers, likely to build target lists for a yet to be released exploit. Details about this vulnerability have been published making the release of an exploit likely. At the very least, a DoS exploit should be imminent. ]

NYPD Used Stingrays (February 11, 2016)

Police in New York City used stingrays without a warrant more than 1,000 times since 2008. The New York Civil Liberties Union obtained the information about the NYPD's use of cell-site simulators. NYPD has no written policy for the technology's use.
-http://arstechnica.com/tech-policy/2016/02/nypd-used-stingrays-over-1000-times-w
ithout-warrants-since-2008/

SAP Fixes Critical Flaw (February 10, 2016)

SAP has released a fix for a critical software flaw in its Manufacturing Integration and Intelligence (xMII), which "provides a bridge between ERP and other enterprise applications with plant floor and OT (Operational Technology) devices." The directory traversal vulnerability could be exploited "to access arbitrary files and directories on a SAP fileserver," and could possibly be exploited to gain access to ICS and SCADA systems.
-http://www.theregister.co.uk/2016/02/10/sap_plugs_critical_manufacturing_vuln/
-http://www.computerworld.com/article/3032184/security/sap-slaps-a-patch-on-leaky
-factory-software.html
-http://scn.sap.com/community/security/blog/2016/02/09/sap-security-patch-day--fe
bruary-2016

FBI Seeks US $38 Million to Help Defeat Encryption (February 10, 2016)

The FBI is requesting US $38 million to address the problems associated with "going dark." That amount is 23 percent greater than the amount the agency spent last year in its battle with encryption.
-http://thehill.com/policy/cybersecurity/269013-fbi-budget-calls-for-big-boost-to
-battle-encryption
-http://www.usatoday.com/story/news/2016/02/09/fbi-says-san-bernardino-terrorists
-phone-still-locked-due-encryption/80074292/
[Editor's Note (Pescatore): The US and most societies have consistently decided that under the proper conditions law enforcement agencies do need access to suspect communications. The FBI and other agencies buying tools and/or services to read encrypted communications is less costly overall in the long run than forcing weaknesses to be built into cryptography. ]

February's Patch Tuesday (February 10, 2016)

On Tuesday, February 9, Microsoft released 13 security bulletins to fix a total of 36 vulnerabilities in Windows, Internet Explorer (IE), Edge, and other products. Five of the bulletins are rated critical. On the same day, Adobe released fixes for 32 vulnerabilities in a variety of products, including Flash Player and Photoshop.
-http://krebsonsecurity.com/2016/02/criticial-fixes-issued-for-windows-java-flash
/
-http://www.computerworld.com/article/3031894/security/microsoft-delivers-major-u
pdates-to-internet-explorer-and-adobe-flash-player.html
-http://www.v3.co.uk/v3-uk/news/2446449/microsoft-issues-13-fixes-in-patch-tuesda
y-release-covering-windows-edge-and-ie
-http://www.scmagazine.com/adobe-issues-32-fixes-for-februarys-patch-tuesday/arti
cle/473065/
Microsoft:
-https://technet.microsoft.com/library/security/ms16-feb
Adobe:
-https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
[Editor's Note (Pescatore): Notice that no one has to track when the iOS or Android operating systems get updated to fix vulnerabilities - it just happens under the covers. For migrations to Windows 10, one major goal should be making sure IT plans to move to auto update and get out of this antiquated approach to patching. Start working with IT now to reach that goal! While you're at it, work in controlling admin privileges into the planning... (Williams): While most of the attention this month is on the Microsoft updates, organizations must not overlook patching Flash, which can be trickier than it seems. In many cases we see organizations patch the Internet Explorer plugin for Flash, but fail to patch the Firefox component (or vice versa). Sadly (and confusingly) these are two different patches. Extra attention to detail is required in organizations where Firefox is installed on desktops as an approved browser. ]

Wendy's Breach Update (February 10, 2016)

In a news release discussing its Preliminary 2015 Results and 2016 Long-term Outlook report, the Wendy's restaurant chain confirmed that malware was found on systems at some of its locations. The malware was found as part of the company's ongoing "investigation into unusual credit card activity."
-http://www.scmagazine.com/wendys-update-malware-found-suit-filed/article/473309/
-http://www.prnewswire.com/news-releases/the-wendys-company-reports-preliminary-2
015-results-announces-2016-and-long-term-outlook-300216774.html
[Editor's Note (Murray): Readers of the Verizon Data Breach Incident Report understand that the food and beverage industry is favored target, they know why, and they know what to do about it. This reader believes that the industry is poorly served by those vendors that supply it with point of sale systems. That said, the only way to really fix this problem is to address the fundamental vulnerability, the credit card number, by replacing it with a digital token as is done in Apple Pay, Android Pay, and particularly in Samsung Pay. ]

Linode SSH Key Error Leaves Users Vulnerable to Man-in-the-Middle Attacks (February 9, 2016)

Users who installed Linode's Ubuntu 15.10 image between November 10, 2015 and February 4, 2016 could be vulnerable to man-in-the-middle attacks because all installations of the image during that period use the same SSH server key. Linode is urging users who downloaded the problematic image to regenerate their SSH server keys.
-http://www.theregister.co.uk/2016/02/09/linode_ssh_security/
[Editor's Note (Ullrich): Secret keys you get from someone else are not secret. It should be standard procedure to recreate them for all systems you obtain "pre-built" (this applies to SSL keys as well, not just SSH keys.) (Murray): "Crypto is harder than it looks." --Bruce Schneier Implementing and operating cryptography is not for amateurs. We have a very limited number of professionals and are not developing new ones. See:
-http://www.computerworld.com/article/2941412/encryption/software-developers-aren
t-implementing-encryption-correctly.html
(Willaiams): This should be addressed immediately if you have one of these Linode instances. However, the steps fail to mention that by changing the host's SSH key, many automated processes will break since the new host key LOOKS like a man in the middle attack. Don't forget to update the new host key in any automated scripts, etc. you have running and warn impacted users that it has been changed. ]

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/