SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #15

February 23, 2016

Which security products actually made a major difference in improving
the effectiveness and/or lowering the cost of security for your
organization? To vote, go to
https://www.surveymonkey.com/r/SANSBestof2015.
Results to be announced at the SANS 2016 Summit in Orlando FL during the
week of March 14th, 2016

---

TOP OF THE NEWS

OPM CIO and Inspector General Out. Appropriate Accountability At Last
Obama's National Action Plan on Cybersecurity Addresses IoT
DoJ Files Motion to Compel Apple to Cooperate in iPhone Case

THE REST OF THE WEEK'S NEWS

Linode Breaches Prompt Changes
FAA Pre-Solicitation for Cybersecurity Security Operations Center
GMBot Source Code Leaked
Apple Pulls App Offering Pirated Software
Linux Mint 17.3 Cinnamon Compromised
Another Teenager Arrested in Connection with FBI Data Theft
Eliminating Browser Plugins Improves Security, Decreases Functionality
Xbot Trojan

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By Sophos Inc. **************************

Finally, your Endpoint Protection is talking to your Firewall. Advanced attacks are more coordinated than ever before. Now, your defenses are too. Sophos is revolutionizing security by synchronizing next-generation network and next-generation endpoint security, giving you unparalleled protection. The beauty is, the integration happens automatically - no need to buy extra hardware or software. Find out more:
http://www.sans.org/info/183535

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Atlanta | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- -- SANS Pen Test Austin | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Philadelphia, London, Singapore, Amsterdam, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

OPM CIO and Inspector General Out. Appropriate Accountability At Last. (February 22, 2016)

The chief information officer of the U.S. Office of Personnel Management (OPM) quit today, under pressure, two days before she was due to testify before a Congressional panel. She was responsible for cybersecurity programs at OPM that followed NIST guidance but did not implement and measure the Critical Security Controls, which are widely recognized as the minimum standard of due care. Her resignation follows the resignation of the OPM Inspector General (IG) who was equally responsible for forcing the agency to follow guidelines (from OMB and NIST) that documented the cybersecurity gaps but did not close those gaps. CIO:
-http://thehill.com/policy/cybersecurity/270305-top-opm-tech-official-resigns-und
er-pressure
IG:
-http://www.federaltimes.com/story/government/management/agency/2016/02/03/opm-in
spector-general-resigns-leaving-february/79756822/

Obama's National Action Plan on Cybersecurity Addresses IoT (February 18, 2016)

The White House's national action plan on cybersecurity addresses concerns about the security of the Internet of Things (IoT). According to the plan, the US Department of Homeland Security (DHS) is working with Underwriters Laboratories to develop a cybersecurity assurance program that could evaluate IoT devices before they go to market.
-http://www.nextgov.com/cybersecurity/2016/02/what-white-house-cybersecurity-plan
-says-about-internet-things/126032/?oref=ng-HPtopstory
(Northcutt): I guess it would be close to criminal neglect if they didn't address this facet of our shared digital ecosystem. I just finished reading the book Abundance. The premise is things are better than we expect because technology has the potential to change our world for the better. The argument is compelling. However, the counter-argument is that this technology is hackable. And that there is a growing machine focused on hacking, harvesting, and plundering this technology and that battleground will happen in the IoT world:
-http://www.sans.edu/research/book-reviews/article/abundance]

DoJ Files Motion to Compel Apple to Cooperate in iPhone Case (February 19 and 21, 2016)

The US Department of Justice (DoJ) has filed a motion asking that a federal court compel Apple to comply with a federal magistrate's order to aid the FBI in gaining access to the contents of a suspect's iPhone.
-http://www.theregister.co.uk/2016/02/19/us_doj_apple/
-http://www.wired.com/2016/02/doj-files-motion-to-compel-apple-to-cooperate-in-sa
n-bernardino-case/
-http://www.scmagazine.com/doj-slams-apple-demands-court-make-company-comply/arti
cle/478111/
DoJ Motion to Compel:
-http://www.wired.com/wp-content/uploads/2016/02/Apple-iPhone-access-MOTION-TO-CO
MPEL.pdf
-http://www.wired.com/2016/02/apple-says-the-government-bungled-its-chance-to-hac
k-that-iphone/
-http://krebsonsecurity.com/2016/02/the-lowdown-on-the-apple-fbi-showdown/
[Editor's Note (Williams): If the FBI is successful with their request to Apple, it will fundamentally change the software update trust model we rely on for enterprise security. Most commenting on this issue don't actually understand the technology. This important debate needs application of reason, not hyperbole. Dave Kennedy explained this topic well on Fox News (recording at
-https://vimeo.com/156260338).

---

************************** SPONSORED LINKS ********************************
1) Free eBook Download: An IT Auditor's Guide to Security Controls and Risk Compliance: http://www.sans.org/info/183540

2) Predicting Future Attacks and Breaches: Analytics in Action. Friday, February 26, 2016 at 11:00 AM EST (16:00:00 UTC) with Dave Shackleford and Christopher Smith. http://www.sans.org/info/183545

3) What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance. Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. http://www.sans.org/info/183550
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Linode Breaches Prompt Changes (February 22, 2016)

Following a pair of breaches, Linode is changing user procedures to improve security. The web hosting company was the target of two breaches over the past year. Both incidents, one in July 2015, the other in December 2015, involved stolen customer account access credentials. In response to the December breach, Linode force-reset all customer passwords. The company is changing authentication procedures to separate customer application from credentials. Linode is also employing credit card tokenization, and altering its internal policies with guidance from a NIST framework.
-http://www.theregister.co.uk/2016/02/22/linode_lines_up_new_policy_features_afte
r_2015s_breaches/
Linode Security Investigation Retrospective:
-https://blog.linode.com/2016/02/19/security-investigation-retrospective/
[Editor's Note (Pescatore): Good example of using a breach to gain support to transition to much higher levels of security, including hiring a full time security lead. ]

FAA Pre-Solicitation for Cybersecurity Security Operations Center (February 22, 2016)

The Federal Aviation Administration (FAA) has published a pre-solicitation notice saying that it "intends to award a single source contract action ... for Cybersecurity Security Operations Center Methodology Support Services." Because of "evolving and potential cyber events, the FAA requires critical and immediate cybersecurity methodology support to protect FAA infrastructure from malicious activities."
-http://www.nextgov.com/cybersecurity/2016/02/faa-concerned-about-evolving-cyber-
events/126102/?oref=ng-channeltopstory
-https://www.fbo.gov/?s=opportunity&mode=form&id=39a5926449e837667332da24
99a109c1&tab=core&_cview=0
[Editor's Note (Paller): FAA should be wary of contractors who send in resumes of experts who have not actually agreed to work for the contractor. To stop this common practice, at a minimum FAA should require that each resume includes a current email and then confirm all persons' commitment to the contractor. If the Agency fails to do this simple check, it will get a contractor who delivers far less effective talent than they promised with their proposal and will waste taxpayer money they were trusted to spend wisely. ]

GMBot Source Code Leaked (February 22, 2016)

Source code for the GMBot Trojan has been leaked online. The malware targets Android devices. Its wider availability means it is likely that criminals are more likely to refine the code and that it will be more widely used in attacks.
-http://www.zdnet.com/article/android-gm-bot-malware-bot-source-code-leaked-onlin
e/
[Editor's Note (Williams): Every time popular malware source code is leaked (e.g. Zeus, SpyEye), we see an explosion in variants released to market. This is a great time to educate your users again on the risks of installing untrusted applications. More than users devices are at risk. In many organizations, user owned devices are connected to the internal networks - malicious code on a user device can impact the business network. ]

Apple Pulls App Offering Pirated Software (February 22, 2016)

Apple has removed from its App Store an app that was being used to smuggle pirated software into China. What appeared to be an app for studying English actually offers an assortment of pirated iOS apps and games for Chinese users.
-http://www.scmagazineuk.com/apple-finds-app-store-within-an-app-on-chinese-app-s
tore/article/478209/

Linux Mint 17.3 Cinnamon Compromised (Cryptographic hashes posted on websites are useless) (February 21 and 22, 2016)

Attackers breached the Linux Mint distribution, compromising the Linux Mint 17.3 Cinnamon edition as well as the user forum. Anyone who downloaded that particular version during the weekend of February 21 & 22, 2016, should assume their installations are compromised. The altered version of Mint has a backdoor in it. The attackers also stole a copy of the user forum database, which contains usernames and passwords. The LinuxMint.com website is offline. The point of entry may have been a badly configured WordPress component.
-http://www.eweek.com/security/hackers-breach-linux-mint-distribution-forums.html
-http://www.zdnet.com/article/linux-mint-website-hacked-malicious-backdoor-versio
n/
-http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_l
inked_from_official_site/
-http://www.theregister.co.uk/2016/02/22/linux_mint_forums_hacked/
-http://www.scmagazine.com/linux-mint-operating-system-maliciously-hacked/article
/478202/
-http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-infection-on-i
ts-website-and-forum-after-hack-attack/
-http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-
mint-backdoor/
[Editor's Note (Ullrich): One lesson learned from this incident for users downloading software (= everybody!): Cryptographic hashes posted on websites are useless. People get excited about and spend a lot of time arguing the strength of different algorithms (MD5/SHA1/SHA512...) when in the end, neither of these is sufficient if the attacker just replaces the hashes with the file like in this case. Not that anybody ever checks hashes. But you should always check a digital signature that was created with a private key. The private key of course needs to be kept away from the system hosting the files. ]

Another Teenager Arrested in Connection with FBI Data Theft (February 21, 2016)

Police in the UK have arrested another teenager in connection with a series of cyberattacks against US government targets. The group the individual is allegedly a part of claims to have broken into accounts belonging to the director of the CIA, the US Director of National Intelligence, the Department of Homeland Security Secretary, and other officials. The group also allegedly posted law enforcement and military personnel information.
-http://thehill.com/policy/cybersecurity/270034-police-arrest-second-teen-suspect
ed-of-hacks-on-cia-dhs-chiefs

Eliminating Browser Plugins Improves Security, Decreases Functionality (February 20, 2016)

In an effort to improve security, browser makers have begun disabling plugins. Oracle said last month that it would end support for its Java plugin. The plugin will be "deprecated" in the next release version of Java Development Kit, which is scheduled for release next year.
-http://www.eweek.com/security/as-plugins-disappear-browsers-gain-security-lose-f
unctionality.html
[Editor's Note (Murray): Well, duh! Generality and flexibility versus security, open versus closed, has always been the battle. The market obviously prefers "dancing pigs." The very existence of Android testifies to this preference. Thus the browser remains the Achilles heel of the desktop and the desktop that of the infrastructure. iOS demonstrates that purpose built applications in a closed system can deliver a better balance of functionality and security. ]

Xbot Trojan (February 19, 2016)

The Xbot Trojan horse program targets Android devices. It tries to steal online banking account credentials by displaying pages that spoof the Google Play payment interface and login pages for seven bank apps. Xbot also has ransomware capabilities.
-http://www.scmagazine.com/xbot-trojan-targets-russian-and-australian-android-use
rs/article/478053/

---

STORM CENTER TECH CORNER

Hunting For Executable Code in Windows Environments
-https://isc.sans.edu/forums/diary/Hunting+for+Executable+Code+in+Windows+Environ
ments/20745/

Locky Javascript Deobfuscation
-https://isc.sans.edu/forums/diary/Locky+JavaScript+Deobfuscation/20749/

Fake Magento Patch
-https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-details.htm
l

Ghost 2.0 Webcast Archive
-https://www.sans.org/webcasts/ghost-20-about-glibc-getaddrinfo-vulnerability-101
875

Reducing False Positives with Open Data Sources
-https://isc.sans.edu/forums/diary/Reducing+False+Positives+with+Open+Data+Source
s/20755/

HTTP GZIP Compression Can Aide in Locating Hidden Services in TOR
-http://jcarlosnorte.com/security/2016/02/21/date-leak-gzip-tor.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/