SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #16

February 26, 2016

Be nice to your security awareness manager; the job is really hard. They have to get thousands of people to do something many would rather not do. They have to make sure the whole system works perfectly and doesn't waste the employees' time, and that the administration and record keeping are done right. I was meeting with four people responsible for awareness programs who were telling me about the challenges they face, and I asked whether SANS' Securing the Human actually helps with all that. They said it was the only system they had seen that fully supports them and makes administration easy with its new learning management system. They also said very nice things about how it can make their users happy with the new interactivity and updated content in the 2016 edition. One mentioned that she knew she was right because Gartner selected SANS as the one vendor with the highest "ability to execute" of all the companies in the "leaders" quadrant in the security awareness field. That Gartner report is posted at https://securingthehuman.sans.org/gartner

Alan

---

TOP OF THE NEWS

California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security
Navy Admirals Want SCADA on Agency Scorecard
Judge Finds DoD Funded Carnegie Mellon University Tor Research

THE REST OF THE WEEK'S NEWS

OpenSSL Updates Will be Released on March 1
German Police May Use Spyware
PwC Report: Cybercrime Second Most Reported Economic Crime
Mozilla Allows SHA-1 Exception
Nissan Pulls Leaf App Over Security Concerns
Google Offers Project Shield DDoS Protection to News Sites
Former Employee Deletes Data, Gets Prison Sentence
Asus Settles FTC Charges Over Unsecure Home Routers

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

****************** Sponsored By Trend Micro Inc. ************************

Trend Micro's Raimund Genes (CTO) provides predictions of how he sees the security landscape shaping up each year. We've developed a readiness survey for organizations to take as an assessment of their security posture against Raimund's predictions. Take the survey and find out how well your organization is ready for the 2016 security trends.
http://www.sans.org/info/183680

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Philadelphia, London, Singapore, Amsterdam, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security (February 23 and 24, 2016)

The California Data Breach Report "provides an analysis of the data breaches reported to the California attorney general from 2012-2015." In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, "A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information." The report goes on to say that organizations that do not implement the Center for Internet Security's (CIS) 20 Critical Security Controls would be found to demonstrate "a lack or reasonable security."
-http://www.nextgov.com/cybersecurity/2016/02/california-says-companies-should-em
brace-nsa-developed-data-protections/126151/
-http://www.natlawreview.com/article/reasonable-data-security-defined-california-
attorney-general
[Editor's Note (Pescatore): CISOs and other State and Local agencies - draft behind California's move here! It worked with disclosure laws; it can work here. The Critical Controls represent an easy way to say to disparate state agencies and companies in your state "to be eligible to connect to state resources you have to at least be at a basic security hygiene level. Only after you've demonstrated that will it be possible to see if you meet data/application specific security requirements. (Murray): We should be grateful for California's effective leadership. Their initiatives have had national impact without national danger. Their initiatives have been narrowly tailored and have not had unintended consequences. Unlike Federal initiatives errors would be easy to correct. The initiatives have not been tainted with the hidden agendas that have created so much suspicion and resistance to Federal proposals. They have not been laden with the potential for abuse and misuse. (Williams): California regularly leads the way in privacy legislation and the rest of the country follows. While not legislation, this report establishes a legal standard. Organizations, especially those doing business in California, should consider how well their current security programs map to the critical security controls and establish plans to correct any deficiencies. ]

Navy Admirals Want SCADA on Agency Scorecard (February 25, 2016)

Two US Navy admirals have asked Defense Secretary Ash Carter to add industrial control systems (ICS) to the monthly scorecard that defense agencies submit to Carter's office. If left unaddressed, the issue could affect the "ability to execute assigned missions."
-https://fcw.com/articles/2016/02/25/commanders-cyber-pentagon.aspx
-https://drive.google.com/file/d/0B7HRgICvsyVKRHpFS0JnWGZ1eWc/view
[Editor's Note (Assante): Recent ICS attacks with physical impacts in Ukraine underscore the urgency of developing effective defenses against targeted attacks. The letter identifies foundational challenges that have delayed progress to include "establishing clear ownership" and the lack of "detection...and baselining normal". The ICS community is starting to make the difficult transition from the first phase of establishing security architectures and some passive defenses to the second phase of skills-based and technology supported active defense outside and inside operational systems. (Murray): A large part of the SCADA problem is that we do not know where all the sensitive controls are. Therefore, recognition of some kind for discovery and identification may be helpful. ]

Judge Finds DoD Funded Carnegie Mellon University Tor Research (February 24 and 25, 2016)

A US federal judge has found that the US Department of Defense (DoD) funded research at Carnegie Mellon University's Software Engineering Institute (SEI) on the Tor network. That research was subpoenaed by the FBI and used to determine the identity of a suspect in the Silk Road 2.0 case.
-https://assets.documentcloud.org/documents/2719591/Farrell-Weds.pdf
-http://www.zdnet.com/article/judge-confirms-cmu-researchers-were-paid-to-unmask-
tor-users/
-http://www.bbc.com/news/technology-35658761
-http://arstechnica.com/tech-policy/2016/02/judge-confirms-what-many-suspected-fe
ds-hired-cmu-to-break-tor/
-http://www.scmagazine.com/us-dod-funds-carnegie-mellon-project-to-hack-tor/artic
le/479257/
-http://www.wired.com/2016/02/fbis-tor-hack-shows-risk-subpoenas-security-researc
hers/
[Editor's Note (Murray): The significance of the ruling that the defendant and the community are not entitled to know how CMU/SEI accomplished what they accomplished, or what vulnerability they exploited. We are left to assume that the government has compromised Tor and that it may be only as reliable as its least trustworthy node. While the disclosure that it suborned a research university does not reflect well on the Government, it has succeeded in casting doubt on Tor security. They may consider that a good trade. ]

---

************************** SPONSORED LINKS ********************************
1) Is Active Breach Detection the Next-Generation Security Technology? Thursday, March 10, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Paul Kraus. http://www.sans.org/info/183685

2) Benchmarking AppSec: A Metrics Pyramid. Tuesday, March 15, 2016 at 1:00 PM EDT (17:00:00 UTC) featuring SANS Instructor Jim Bird and Tim Jarrett. http://www.sans.org/info/183690

3) What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance. Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. http://www.sans.org/info/183695
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

OpenSSL Updates Will be Released on March 1 (February 25, 2016)

In a pre-release advisory, OpenSSL developers say they will release patches for several security issues, some high severity, on Tuesday, March 1. The versions of the cryptographic library scheduled for release next week are 1.0.2g and 1.0.1s. The advisory also reminds users that support for OpenSSL version 1.0.1 will end on December 31, 2016.
-http://www.theregister.co.uk/2016/02/25/openssl_bug_fix_headsup/
-https://mta.openssl.org/pipermail/openssl-announce/2016-February/000063.html
[Editor's Note (Ullrich): The "high" (not "critical") security rating usually implies that it is ok to wait for vendors to release patches, in particular for the major Linux distributions. Vulnerabilities rated "high" are usually only present in less common configurations or difficult to exploit. (Murray): Crypto is MUCH harder than it looks. It is past high time to teach Crypto Engineering. ]

German Police May Use Spyware (February 25, 2016)

Police in Germany now have the authority to use spyware to infiltrate suspects' computers and mobile devices under certain circumstances. Police must obtain a court order to use the spyware, and may use it only in cases where life is at risk or a threat to the state. Some are skeptical about the malware's ability to be used in a targeted way that does not infringe on users' privacy.
-http://arstechnica.com/tech-policy/2016/02/german-police-can-now-use-spying-malw
are-to-monitor-suspects/
-http://www.dw.com/en/german-government-to-use-trojan-spyware-to-monitor-citizens
/a-19066629

PwC Report: Cybercrime Second Most Reported Economic Crime (February 25, 2016)

According to PwC's Global Economic Crime Survey 2016, nearly one-third of organizations surveyed said they had experienced cybercrime. The report explains the surprisingly low percentage by noting, "the insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it." The report also found that just 37 percent of organizations have established a cyber incident response plan. "Many boards are not sufficiently proactive regarding cyber threats." The report draws its statistics from responses from more than 6,000 organizations in 115 countries.
-http://www.zdnet.com/article/cybersecurity-boards-still-happy-to-pass-the-buck-t
o-the-it-department/
-http://preview.thenewsmarket.com/Previews/PWC/DocumentAssets/422882.pdf
[Editor' Note (Murray): We know from the post breach investigations by Verizon, Mandiant, et. al. that breaches are very old when discovered. PWC is justified in positing that there are many breaches yet to be detected. We also know that the first evidence of a breach often comes from outside the enterprise, suggesting that increased vigilance will be efficient. (Honan): What is frustrating about these reports is while they highlighted the high rates of cybercrime, a large amount of that criminal activity is not reported to law enforcement. Failure to report crime to law enforcement undermines our collective ability to deal with this threat. If law enforcement are not having cybercrimes reported to them, then they find it difficult to argue for the appropriate budgets and resources. It also leaves law enforcement without a lot of useful information and intelligence that could be used to track down the perpetrators of these crimes. I urge everyone to review their IR plans and include steps in that plan on when and how to contact law enforcement. ]

Mozilla Allows SHA-1 Exception (February 25, 2016)

Mozilla has granted Symantec an exception from the SHA-1 certificate ban, allowing the company to issue nine SSL/TLS certificates signed with the weak hashing algorithm to payment processor Worldpay for 10,000 payment terminals. Worldpay did not migrate all of its SSL/TLS servers to SHA-2 certificates by the January 1, 2016, deadline, and did not obtain new SHA-1 certificates prior to the end of last year.
-http://www.computerworld.com/article/3037390/security/outdated-payment-terminals
-exempted-by-mozilla-from-sha-1-certificate-ban.html
-http://www.scmagazine.com/mozilla-allows-sha1-exception-to-maintain-10k-payment-
terminals/article/479275/

Nissan Pulls Leaf App Over Security Concerns (February 24 and 25, 2016)

Nissan has pulled a mobile app for its Leaf vehicles due to unsecure APIs that could be exploited to take remote control of certain functions. The app required no authentication. Attackers would need to know only the vehicle identification number (VIN) assigned to the car to access the vehicle's climate control and battery charge management systems. Nissan plans to relaunch the app, NissanConnectEV, when it is fixed.
-http://www.computerworld.com/article/3037996/car-tech/nissan-apologizes-shutters
-mobile-app-that-left-leaf-ev-hackable.html
-http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shoc
king-vulnerability-revealed/
-http://www.darkreading.com/iot/nissan-disables-leafs-remote-telematics-system-af
ter-profoundly-trivial-hack/d/d-id/1324448?
-http://www.csmonitor.com/Technology/2016/0225/How-was-Nissan-s-electric-car-vuln
erable-to-hacking
-http://www.scmagazine.com/unpatched-vulnerability-in-nissan-leaf-allows-remote-a
ttacks/article/478986/
[Editor's Note (Ullrich): The vulnerability found in this case, which essentially allowed an attacker to control the car knowing nothing but the somewhat predictable VIN number, is very common in mobile APIs used to control devices. In particular the connection from the device to the API is often only using a serial number to authenticate, making it easy to spoof data from devices. (Pescatore): I've counted at least 5 different automotive industry consortia/ISAC/govt agency groups "revving their engines" about increasing the security level of connected vehicles, but so far none of them seems to have shifted out of neutral - noise but no movement forward. I hope the industry transfers much of the resources away from "autonomous vehicles" to "secure vehicles that could someday be safe enough to control themselves." ]

Google Offers Project Shield DDoS Protection to News Sites (February 24 and 25, 2016)

Google is offering its Project Shield distributed denial-of-service (DDoS) attack fighting service free to organizations that publish news. Project Shield debuted in 2013 as part of Google's Page Speed service. Google views DDoS attacks as a form of censorship, so protecting news sites from those attacks maintains the flow of information. Human rights websites and election-monitoring websites are also eligible for the free service.
-http://www.zdnet.com/article/project-shield-google-opens-ddos-bomb-shelter-for-a
ll-news-publishers/
-http://www.wired.com/2016/02/google-wants-save-news-sites-cyberattacks-free/
[Editor's Note (Pescatore): Google offering to have more traffic flow through them always makes me suspicious, so I checked: the Project Shield Privacy Policy explicitly states "Project Shield does not collect data to improve search results or target advertising." So, this is a good thing - ISPs (in the US especially) have been very slow to compete with each other on filtering out known bad bits coming into their customers' Internet connections. Between Denial of Service floods and well known malware, over 75% of the typical Internet traffic coming in to an enterprise is immediately discarded - imagine if your electric or water service worked that way!! ]

Former Employee Deletes Data, Gets Prison Sentence (February 23 and 24, 2016)

A US district judge in North Carolina has sentenced Nikhil Nilesh Shah to 30 months in prison for sabotaging his former employer's servers. Shah was an IT manager at SmartOnline. He left that company in March 2012, and in June of that same year, he sent malicious code to his previous employer's servers, deleting much of the company's intellectual property.
-http://www.theregister.co.uk/2016/02/24/it_manager_goes_to_jail/
-http://www.scmagazine.com/jersey-man-gets-30-months-for-sabotaging-former-employ
ers-servers/article/478804/
-http://www.justice.gov/opa/pr/former-software-company-employee-sentenced-30-mont
hs-prison-sending-damaging-computer-code
[Editor's Note (Williams): This insider case renews the call for effective employee termination procedures, especially for system and network admins. Shah emailed himself details of the company's servers, ASA VPN and PIX firewall configurations. Additionally, the emailing of sensitive data to a gmail address should have been noted by data loss prevention software, which is part of the Data Protection Critical Security Control (#13). (Murray): We are pretty good at controlling paychecks. How about a control that says that the last check cannot issue until all privileges have been cancelled? ]

Asus Settles FTC Charges Over Unsecure Home Routers (February 23 and 24, 2016)

Asus has agreed to the terms of a settlement with the US Federal Trade Commission (FTC) regarding vulnerabilities in its home routers and cloud services. The FTC noted that Asus frequently "did not address security flaws in a timely manner and did not notify customers about the risks posed by the vulnerable routers." The settlement calls for Asus to establish and maintain a comprehensive security program and to undergo audits every two years for the next 20 years.
-https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-
insecure-home-routers-cloud-services-put
">https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-
insecure-home-routers-cloud-services-put
-http://www.eweek.com/security/asus-settles-with-ftc-over-security-of-wireless-ro
uters.html
-http://www.scmagazine.com/smoking-asus-ftc-charges-tech-vendor-for-vulns-in-rout
ers/article/478960/
-https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-
insecure-home-routers-cloud-services-put
">https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-
insecure-home-routers-cloud-services-put
-http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/
-http://www.computerworld.com/article/3036887/security/asus-settles-charges-over-
insecure-routers-and-cloud-services.htmlhttp://arstechnica.com/security/2016/02/
asus-lawsuit-puts-entire-industry-on-notice-over-shoddy-router-security/
[Editor's Note (Ullrich): This case is interesting as it affects vulnerabilities (for example a fixed username/password) that are very common in devices similar to the once that made ASUS a target of this investigation. I just hope that this will affect devices beyond ASUS. ]

---

STORM CENTER TECH CORNER

Andorid GM Bot Source Code Leaked
-https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-sourc
e-code-leaked/

McAfee Sitelist.xml Decryption
-http://warchest.fusionx.com/mcafee-sitelist-xml-domain-credentials-disclosure/

RSA Sessions
-http://www.rsaconference.com/speakers/johannes-ullrich

Unloading EMET Using EMET
-https://www.fireeye.com/blog/threat-research/2016/02/using_emet_to_disabl.html

Hacking Nissan Leaf
-http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?m=1

Baidu Browser Privacy Analysis
-https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser/
-https://citizenlab.org/wp-content/uploads/2016/02/baiduresponses.pdf

Patch Now: Palo Alto PanOS
-https://isc.sans.edu/forums/diary/Critical+Vulnerabilities+in+Palo+Alto+Networks
+PANOS/20767/

ICS-CERT Released Details On Ukrainian Crtical Infrastructure Attack
-https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

Raspberry Pi Project
-https://isc.sans.edu/forums/diary/Beta+Testers+Wanted+Use+a+Raspberry+Pi+as+a+DS
hield+Sensor/20717/
-https://dshield.typeform.com/to/V8VSdy

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/