SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #14
February 19, 2016
California leads the way in cybersecurity, again, with the Attorney
General's declaration of what constitutes a minimum standard of due
care. See the first story in Top of the News.
Hands on exercises are the only effective way to develop important
skills in security. See the last story (about PIVOT) for a way to get
access to high quality exercise and a free subscription to NetWars
Continuous.
Alan
TOP OF THE NEWS
California AG Says Not Adopting Critical Security Controls Indicates 'Failure to Provide Reasonable Security'DoD Will Exploit Windows 10 Upgrade For Massive Security Improvements and Lower Costs
California Hospital Paid Ransom to Regain Access to Data
THE REST OF THE WEEK'S NEWS
Xen Hypervisor Maintenance Release Missing Some PatchesChanging the Cyber Command Hiring Culture
Locky Ransomware
President Obama Names Cyber Commission Heads
IoT: SimpliSafe Alarms Transmit Codes in Plaintext
Apple Opposes Judge's Order to Help FBI Access iPhone
US Developed Plan for Cyberattacks Against Iran
Researchers Say They Breached Air Gapped Computer
NEXT PIVOT PROJECT CONTEST: FREE HANDS-ON SKILLS DEVELOPMENT
Next Pivot Project Contest: Free Hands-On Skills DevelopmentSTORM CENTER TECH CORNER
STORM CENTER TECH CORNER********************** Sponsored By Lancope ****************************
Protect Your Network from Insider Threats: Several high-profile data breaches have reminded us that devastating attacks do not always involve scheming criminals and sophisticated malware. Sometimes it's your own employees or trusted vendors who are exposing confidential data, whether they mean to or not. To learn more, download "Combating the Insider Threat," an e-book brought to you by Lancope.
http://www.sans.org/info/183505
***************************************************************************
TRAINING UPDATE
- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM
- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG
- --SANS Northern Virginia - Reston | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf
- -- SANS Atlanta | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0
- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM
- -- SANS Pen Test Austin | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy
Plus Anaheim, Philadelphia, London, Singapore, and Amsterdam all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
California AG Says Not Adopting Critical Security Controls Indicates 'Failure to Provide Reasonable Security' (February 16, 2016)
A report from the California Attorney General's Office includes recommendations for organizations to protect their systems from breaches. The "report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security." The report recommends organizations adopt the Center for Internet Security's Critical Security Controls as the start of a comprehensive information security program. The Attorney General's Office stated "not doing so would be indicative of an organization's failure to provide reasonable security."-http://www.turlockjournal.com/section/15/article/31313/
[Editor's Note (Pescatore): California led the way in requiring data breach notification, nice to see them taking a lead role in recognizing the Critical Security Controls as widely supported basic security hygiene. (Northcutt): Here is the source document:
-https://www.oag.ca.gov/sites/all/files/agweb/pdfs/dbr/breachreport2016.pdf
A number of scholars, many of them from the SANS Technology Institute, are researching various aspects of implementing the 20 Critical Controls, here is where some of them are published and more of them are in the pipeline, check back often:
-https://www.sans.org/reading-room/whitepapers/critical
SANS offers a course as well that is well attended, up to date and scoring well:
-https://www.sans.org/course/implementing-auditing-critical-security-controls]
DoD Will Exploit Windows 10 Upgrade For Massive Security Improvements and Lower Costs (February 17 and 18, 2016)
The US Defense Department (DoD) plans to upgrade approximately four million devices running older versions of Windows to Windows 10 by February 2017. DoD Secretary Ashton Carter has directed all DoD agencies running legacy versions of Windows to begin the migration right away. In a November 2015 memo, DoD CIO Terry Halvorsen said the move aims to "improve[DoD's ]
cybersecurity posture, lower the cost of IT, and streamline the IT operating environment."
-http://www.scmagazine.com/with-cybersecurity-in-mind-dod-commences-year-long-win
dows-10-deployment/article/477832/
-http://blog.executivebiz.com/2016/02/terry-halvorsen-orders-microsoft-windows-10
-updates-on-4m-dod-seats/
-http://www.computerworld.com/article/3033984/microsoft-windows/defense-departmen
t-to-put-windows-10-on-4m-computers.html
-http://www.zdnet.com/article/u-s-department-of-defense-to-upgrade-4-million-devi
ces-to-windows-10-by-february-2017/
Halvorsen Memo:
-http://1yxsm73j7aop3quc9y5ifaw3.wpengine.netdna-cdn.com/wp-content/uploads/2015/
12/121815_dod_windows10_memo.pdf
[Editor's Note (Paller): The DoD CIO's initiative is the most important effort to improve government cybersecurity while lowering costs. Air Force CIO Gilligan proved it was possible; NSA helped; now DoD is going all in. And for non-DoD CIOS, now that there is a clear, CIO-led path forward, other CIOs who do not quickly parallel Halverson's efforts will be personally pilloried (and some will be fired) when their systems are exploited. (Pescatore): The Windows 10 migration is a good opportunity to make security advances but it should be more of a "zero-based" review approach, not just "port our bloated Win 7 security stack to Win 10." The real gains will come from first working to limit admin privileges and add application control in the standard role-based images. Then look at the security stack and say what do we need to add to that. For the same (or even lower!) spending per desktop, big leaps in security possible without increasing user/business disruption. (Murray): While necessary, this will be harder than it looks. Much of the hardware running XP or Windows 7, even those systems that Microsoft says will run Windows 10 will not. I have half a day invested in unsuccessfully trying to upgrade this Dell to Windows 10. ]
California Hospital Paid Ransom to Regain Access to Data (February 16, 17, and 18, 2016)
Hollywood Presbyterian Medical Center in southern California paid a 40 Bitcoin (US $16,850; 15,150 euro) ransom for the cryptographic key to restore access to its files. The hospital's systems had remained largely inaccessible for 10 days. Access was restored on Monday, February 15.-https://www.washingtonpost.com/news/morning-mix/wp/2016/02/18/after-computer-hac
k-l-a-hospital-pays-17000-in-bitcoin-ransom-to-get-back-medical-records/
-http://arstechnica.com/security/2016/02/hospital-pays-17k-for-ransomware-crypto-
key/
-http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/
">
-http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/
-http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/
">
-http://www.theregister.co.uk/2016/02/18/la_hospital_bitcoins/
-http://www.computerworld.com/article/3034736/security/hospital-pays-17k-ransom-t
o-get-back-access-to-encrypted-files.html
************************** SPONSORED LINKS ********************************
1) Are you struggling to put the value of proactive threat hunting in language your executives can actually grok? This white paper on the Continuous Security Model can help: http://www.sans.org/info/183510
2) Don't Miss: Bring Your Own Collaboration Technical Control Tradeoffs. Thursday, February 25, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Scott Gordon. http://www.sans.org/info/183515
3) InfoSec Pros: Give us an update on your Incident Response policies & practices in the 2016 Survey. http://www.sans.org/info/183520
***************************************************************************
THE REST OF THE WEEK'S NEWS
Xen Hypervisor Maintenance Release Missing Some Patches (February 16 and 18, 2016)
The Xen Project has acknowledged that its most recent maintenance release is missing complete fixes for two vulnerabilities. The issue affects version 4.6.1 of the virtualization software, which allows users to run multiple instances of an operating system on one host machine. One of the unpatched flaws affects the backend drivers and could potentially be exploited to allow remote code execution. The other flaw is a heap buffer overflow that could be exploited to alter backend configuration settings. The issue also affects version 4.4.4.-http://www.zdnet.com/article/xen-project-explains-missing-security-patch-update-
failure/
-http://www.computerworld.com/article/3033070/security/xens-latest-hypervisor-upd
ates-are-missing-some-security-patches.html
-http://www.theregister.co.uk/2016/02/16/xen_4_6_1_release/
Changing the Cyber Command Hiring Culture (February 17, 2016)
The 2016 defense authorization bill signed into law last November provides "additional compensation, incentives, and allowances" to help attract skilled cybersecurity personnel to the US military. However, human resources (HR) employees do not know about the incentives they are allowed to offer. The Senate Armed Services Committee is considering legislation requiring HR employees to be trained in that area.-http://www.nextgov.com/cybersecurity/2016/02/congress-member-says-cybercom-hr-ne
eds-schooling-legal-pay-packages/125997/?oref=ng-channeltopstory
Locky Ransomware (February 17 and 18, 2016)
Ransomware called Locky spreads via a malicious macro in a Word document. The malware demands a ransom of half a Bitcoin for the key to unlock the encrypted files. Locky has infected machines in Europe, Russia, Pakistan, Mali, and the US.-http://www.theregister.co.uk/2016/02/17/locky_ransomware/
-http://www.computerworld.com/article/3033941/security/locky-ransomware-which-inf
ects-like-dridex-hits-the-unlucky.html
-http://arstechnica.com/security/2016/02/locky-crypto-ransomware-rides-in-on-mali
cious-word-document-macro/
-http://www.darkreading.com/vulnerabilities---threats/advanced-threats/here-comes
-locky-a-brand-new-ransomware-threat/d/d-id/1324371?
[Editor's Note (Murray): Cyber currency is too slow ever to play a major role as a medium of exchange. It is too volatile to serve as a store of value. However, anonymity will serve to encourage extortion. See:
-https://www.technologyreview.com/s/600838/hollywood-hospitals-run-in-with-ransom
ware-is-part-of-an-alarming-trend-in-cybercrime/#/set/id/600843/]
President Obama Names Cyber Commission Heads (February 17, 2016)
The White House has announced the appointment of former National Security Advisor Tom Donilon to chair the Commission on Enhancing National Cybersecurity; former IMB CEO Sam Palmisano has been appointed vice chairman. The Commission will likely have additional presidential and congressional appointees. The commission's "goal is to review and issue policy recommendations to help the government, private sector, and general public beef up digital security while preserving privacy."-https://fcw.com/articles/2016/02/17/white-house-cyber-commission.aspx
IoT: SimpliSafe Alarms Transmit Codes in Plaintext (February 17 and 18, 2016)
SimpliSafe wireless home alarm systems are vulnerable to replay attacks. The system's keypad uses the same, unencrypted personal identification number each time it sends a message to the base station. Attackers could sniff the code, then replay it to trick the system into thinking that a home is secured when there is actually a break-in occurring. The microcontroller chips used in the system are write-once, which means they cannot be updated with firmware. SimpliSafe is used in more than 200,000 homes.-http://arstechnica.com/security/2016/02/hopelessly-broken-wireless-burglar-alarm
-lets-intruders-go-undetected/
-http://www.theregister.co.uk/2016/02/17/simplisafe_wireless_home_alarm_system_cr
acked/
[Editor's Note (Honan): So now we have a security product that really enables backdoors into security. :) (Murray): The role of home security systems is more to take one off the target of opportunity list than to actually deter. It is easier for the burglar to avoid one of these 200K homes than to defeat their security system. Really attractive targets are using industrial grade security systems. ]
Apple Opposes Judge's Order to Help FBI Access iPhone (February 16 and 17, 2016)
US Magistrate Judge Sheri Pym has ordered Apple to help federal agents circumvent a feature that erases the contents of an iPhone after a certain number of failed unlock attempts. The ruling does not order Apple to break the device's encryption. Apple CEO Tim Cook has published an open letter stating the company's opposition to the order.-http://www.zdnet.com/article/apple-must-to-help-fbi-unlock-san-bernardino-gunman
s-phone-judge/
-https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-un
lock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02
b905009f99_story.html
-http://www.nytimes.com/2016/02/18/technology/apple-timothy-cook-fbi-san-bernardi
no.html?smid=fb-nytimes&smtyp=cur&_r=0
-http://www.wired.com/2016/02/magistrate-orders-apple-to-help-fbi-hack-phone-of-s
an-bernardino-shooter/
-http://www.nbcnews.com/storyline/san-bernardino-shooting/apple-fights-order-unlo
ck-san-bernardino-shooters-iphone-n519881
-http://thehill.com/policy/cybersecurity/269779-white-house-fbi-not-seeking-apple
-backdoor-in-terror-case
Text of Tim Cook's Open Letter:
-http://www.nbcnews.com/storyline/san-bernardino-shooting/full-text-apple-ceo-tim
-cook-s-open-letter-fbi-n519886
-https://www.washingtonpost.com/news/post-nation/wp/2016/02/17/apple-ceo-the-u-s-
government-wants-something-we-consider-too-dangerous-to-create/
US Developed Plan for Cyberattacks Against Iran (February 16, 2016)
The US developed a plan to be used in the event of a military conflict arising with Iran over its nuclear program. The plan, code-named Nitro Zeus, was meant to be used to disable Iranian air defenses, communications systems, and power grid if diplomatic efforts to stem Iran's nuclear program were not successful and a conflict ensued.-http://www.nytimes.com/2016/02/17/world/middleeast/us-had-cyberattack-planned-if
-iran-nuclear-negotiations-failed.html
-http://thehill.com/policy/national-security/269594-us-said-to-have-had-detailed-
cyberattack-plan-for-iran
-http://arstechnica.com/tech-policy/2016/02/massive-us-planned-cyberattack-agains
t-iran-went-well-beyond-stuxnet/
Researchers Say They Breached Air Gapped Computer (February 16, 2016)
Researchers at Tel Aviv University and Technion Research and Development say they managed to break into an air-gapped computer. The researchers measured radio waves emitted by the computer and with that information, were able to discern a cryptographic key. For the attack to be successful, would-be cyberintruders would need to be within several meters of the targeted device and to have US $3,000 worth of equipment. However, the researchers required only a few seconds of monitoring to gather the information they needed.-http://www.csmonitor.com/Technology/2016/0216/How-researchers-hacked-a-computer-
that-wasn-t-connected-to-the-Internet
[Editor's Note (Williams): While this isn't the sort of attack we should expect to see frequently, it is something we need to add it to our threat models (DoD has for years with the TEMPEST program). Many organizations have leased office space and share internal office walls with untrusted parties. If the researchers can penetrate a 15cm wall and get data several meters away with a $3000 rig, imagine what a well-funded adversary can achieve.]
NEXT PIVOT PROJECT CONTEST: FREE HANDS-ON SKILLS DEVELOPMENT
--NEXT PIVOT PROJECT CONTEST: FREE HANDS ON SKILLS DEVELOPMENT Your chance to win four months of access to the premier online cyber security training simulator called SANS NetWars: Continuous (value $2,499), used to train and test security specialists of Fortune 500 companies and governments around the world. , All you need to do is complete at least one of the PIVOT Cyber Security Challenges (Labs) and answer questions about your experience. These surveys are crucial to the improvement of the PIVOT Project, which can help us all make an impact in stopping the proliferation of security breaches and the damage caused by criminals. Contest details are at:-http://pivotproject.org/contest
STORM CENTER TECH CORNER
Remote Code Execution Flaw in getaddrinfo()-https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
FireEye Detection Evasion
-https://labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/
glibc getaddrinfo POC available
-https://github.com/fjserna/CVE-2015-7547/
glibc webcast: Friday 10am ET / 3pm ET
-https://www.sans.org/webcasts/ghost-20-about-glibc-getaddrinfo-vulnerability-101
885
More Security Camera Trouble
-http://www.csoonline.com/article/3034284/security/hard-coded-password-exposes-up
-to-46000-video-surveillance-dvrs-to-hacking.html
Comodo Installs VNC
-https://code.google.com/p/google-security-research/issues/detail?id=703
WordPress Pingback Still Popular as DoS Vehicle
-https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/