SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #17

March 01, 2016

FLASH: NY Judge Rules in 2nd FBI-Apple Iphone Unlocking Case

---

TOP OF THE NEWS

New York Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case
US Military Using Cyberweapons Against Islamic State
DHS ICS-CERT Report Confirms Ukraine Attack Scenario

THE REST OF THE WEEK'S NEWS

Tor Working with Princeton to Identify and Secure Malicious Nodes
CTB Locker Ransomware Targeting Websites
German Hospitals Hit with Ransomware
US Will Renegotiate Intrusion Software Portions of Wassenaar
VA to Tackle Cyber Problems
Berkeley Breach
Privacy Shield Deal Revealed
German Privacy Watchdog Plans to Fine US Companies
IRS Breach Now Estimated to Affect 724,000 People
Legislators Speak Out in Support of Apple

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By Splunk ******************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Amsterdam, Canberra, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

New York Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case (Feb. 29, 2016)

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that's been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government's request, and denied the government's request to legally compel Apple's help.
-http://www.theverge.com/2016/2/29/11135986/new-york-apple-fbi-iphone-encryption-
ruling

US Military Using Cyberweapons Against Islamic State (February 29, 2016)

Pentagon officials said that US Cyber Command is using cyberweapons to disrupt Islamic State's ability to communicate, manage finances, and control forces. The effort is "the first major integration of US Cyber Command into a major battlefield operation since the command was established in 2009." (Please note: the WSJ site requires a subscription.)
-http://www.wsj.com/articles/pentagon-deploys-cyberweapons-against-islamic-state-
1456768428
-http://www.latimes.com/nation/la-fg-isis-cyber-20160228-story.html
[Editor's Note (Assante): The use of cyber weapons to accomplish the stated goal of "degrading and destroy ISIS" makes complete sense. Cyber weapons may be one of the more power options in our arsenal that aligns with hitting one of ISIS' strengths of using the Internet to spread their message of hatred, recruit, and coordinate support and resources. I suggest procedures are employed to limit the risk of third-parties or the target learning too much from our cyber campaign. (Williams): "Its effect and extent are difficult to assess." Expect this to be the new normal for "cyberwar." Unlike conventional warfare, the effects of network attack are often difficult to assess because cyber attack and intelligence gathering are mutually exclusive activities. ]

DHS ICS-CERT Report Confirms Ukraine Attack Scenario (February 25 and 26, 2016)

A recently published report from the US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) concludes that the December 2015 power outage in Ukraine was caused by outside attackers. The outage affected 225,000 customers. The incident is believed to be the first time attackers have successfully launched an attack against a power grid.
-http://www.nytimes.com/2016/03/01/us/politics/utilities-cautioned-about-potentia
l-for-a-cyberattack-after-ukraines.html?_r=0
-http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power
-outage-us-report-concludes/
-http://www.newsweek.com/ukraine-power-outage-cyber-attack-russia-putin-sandworm-
430556
-http://www.bbc.com/news/technology-35667989
[Editor's Note (Assante): It is important to emphasize that the attackers successfully conducted successful cyber operations across multiple power companies, accounting for differences, in a highly coordinated and synchronized manner. The other element that can't be overlooked is the use of destructive techniques overwriting files and loading malicious firmware to field devices. This set of attacks need to be deconstructed so defenders can evaluate how they can best prepare for this type level of attack orchestration. The SANS ICS team will release such a document in the next few days that can be found here
-http://ics.sans.org/duc5]

---

************************** SPONSORED LINKS ********************************
1) Free Download: The Definitive Guide to Next-Generation Endpoint Security. http://www.sans.org/info/183700

2) Benchmarking AppSec: A Metrics Pyramid. Tuesday, March 15, 2016 at 1:00 PM EDT (17:00:00 UTC) featuring SANS Instructor Jim Bird and Tim Jarrett. http://www.sans.org/info/183705

3) What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance. Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. http://www.sans.org/info/183710
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Tor Working with Princeton to Identify and Secure Malicious Nodes (February 29, 2016)

The Tor Project and researchers from Princeton University are working to identify Tor nodes that are vulnerable to Sybil attacks, in which the Tor reputation system is gamed. By controlling multiple accounts, a user could attract traffic to certain nodes and alter their reputation.
-http://www.theregister.co.uk/2016/02/29/tor_takes_aim_against_sybils_on_the_netw
ork/
-http://news.softpedia.com/news/tor-project-enlists-princeton-univeristy-to-help-
them-detect-sybil-attacks-501112.shtml

CTB Locker Ransomware Targeting Websites (February 29, 2016)

A new variant of CTB Locker ransomware is now targeting WordPress-based websites. The malware's source code has been uploaded for researchers to examine, but there is currently no way to decrypt the files without paying the ransom. The ransomware will not work if the sites do not use PHP.
-http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning
_pc_to_wrecking_websites/
[Editor's Note (Ullrich): We are seeing more and more ransomware attacking servers. CBT locker isn't actually "that bad" in that it makes itself known very quickly. But more severe forms of ransomware targeting servers can linger for months, making backups useless as they only back up encrypted files. ]

German Hospitals Hit with Ransomware (February 26 and 29, 2016)

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well.
-http://www.zdnet.com/article/cybercriminals-hold-german-hospitals-to-ransom/
-http://www.theregister.co.uk/2016/02/26/german_hospitals_ransomware/
-http://www.scmagazine.com/ransomware-holds-data-hostage-in-two-german-hospitals/
article/479835/
-http://www.dw.com/en/hackers-hold-german-hospital-data-hostage/a-19076030?maca=e
n-rss-en-all-1573-rdf
[Editor's Note (Northcutt): This isn't going away anytime soon. Two of the upcoming SANS.EDU research projects are dedicated to this problem but this is what we have to date. I realize it is basic advice, but recent backups and then removing those drives from being physically connected is still the best answer:
-http://securitywa.blogspot.com/2016/02/javascript-ransomware-attack.html
(Murray): As our file systems grow larger and larger, backup grows more difficult but no less essential. If the ransomware can see it, one can back it up. Backup is the security measure of last resort but must be first on our list. ]

US Will Renegotiate Intrusion Software Portions of Wassenaar (February 27, 2016)

The US plans to renegotiate certain terms of the Wassenaar Arrangement, which places restrictions on the export of dual-use technologies that could be dangerous if they fell into the wrong hands. The changes will affect intrusion software, which was added to Wassenaar in a 2013 amendment. Civil liberties groups and the technology sector have expressed frustration with the software's inclusion in the agreement because it limits companies' ability to use the tools to evaluate their own security. Wassenaar has 41 participating nations.
-https://www.eff.org/deeplinks/2016/02/victory-state-department-will-try-fix-wass
enaar-arrangement
-http://thehill.com/policy/cybersecurity/271204-obama-administration-to-renegotia
te-international-anti-hacking-regs
[Editor's Note (Williams): This story shows what can happen when we band together as an industry to effect changes in policy. If we as infosec professionals don't speak to policy makers in terms that they can understand, we are doomed to be governed by ineffective and harmful legislation and government regulation. ]

VA to Tackle Cyber Problems (February 26, 2016)

The US Department of Veterans Affairs (VA) new enterprise cybersecurity team has a plan in place to address 30 long-standing security issues by the end of 2017. The VA's inspector general has noted the material weaknesses the agency plans to address in audit reports for 16 years in a row.
-http://federalnewsradio.com/cybersecurity/2016/02/va-sets-goal-eliminating-cyber
-material-weaknesses-2017/

Berkeley Breach (February 26 and 29, 2016)

The University of California, Berkeley, has disclosed that a data breach exposed personal information of 80,000 people. The breach, which occurred in December 2015, affects current and former students, employees, and vendors. The attackers exploited a flaw in the Berkeley Financial System software, which stored Social Security numbers (SSNs) and bank account information. Berkeley also suffered a breach in December 2014, when personal information of 1,600 people was compromised.
-http://www.nytimes.com/reuters/2016/02/26/technology/26reuters-sanfrancisco-cybe
r.html?_r=0
-http://www.zdnet.com/article/university-of-california-berkeley-once-again-become
s-victim-of-cyberattack/

Privacy Shield Deal Revealed (February 29, 2016)

Privacy Shield, the proposed data transfer agreement between the European Union and the US, is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens' data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators.
-http://arstechnica.com/tech-policy/2016/02/privacy-shield-doomed-from-get-go-nsa
-bulk-surveillance-waved-through/
-http://thehill.com/policy/cybersecurity/271233-us-eu-face-blowback-on-data-deal
-http://www.computerworld.com/article/3038690/data-privacy/eu-adds-detail-to-priv
acy-shield-agreement-prepares-to-give-it-force-of-law.html
-http://fortune.com/2016/02/29/privacy-shield-details/
[Editor's Note (Murray): What the EU demands is that the citizen has redress for breaches. It continues to be difficult for the US to craft a satisfactory remedy for the European citizen without granting a similar remedy to its own. ]

German Privacy Watchdog Plans to Fine US Companies (February 25, 2016)

The Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens' data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation.
-http://fortune.com/2016/02/25/safe-harbor-crackdown/?mod=djemRiskCompliance

IRS Breach Now Estimated to Affect 724,000 People (February 26 and 27, 2016)

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015.
-http://www.nextgov.com/cybersecurity/2016/02/irs-hack-was-twice-bad-we-thought/1
26258/?oref=ng-channeltopstory
-http://www.nbcnews.com/tech/security/irs-cyberattack-total-more-twice-previously
-disclosed-n526846
-http://thehill.com/policy/cybersecurity/270959-irs-reveals-taxpayer-breach-much-
larger-than-previously-reported
-http://www.computerworld.com/article/3038832/government-it/irs-actually-that-bre
ach-last-year-was-way-worse-than-we-thought.html
-http://www.theregister.co.uk/2016/02/27/now_its_700000_irs_records_illegally_acc
essed/
-http://krebsonsecurity.com/2016/02/irs-390k-more-victims-of-irs-gov-weakness/

Legislators Speak Out in Support of Apple (February 23 and 27, 2016)

Representative Darrell Issa (R-California) has published a column on Wired.com in which he writes, "The FBI cannot mandate that Apple create a backdoor to override the iPhone's encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come."
-http://www.wired.com/2016/02/forcing-apple-hack-iphone-sets-dangerous-precedent/
In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, "As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world."
-https://fcw.com/articles/2016/02/23/lieu-comey-letter-lyngaas.aspx
">
-https://fcw.com/articles/2016/02/23/lieu-comey-letter-lyngaas.aspx

Congressman Lieu's Letter:
-https://lieu.house.gov/sites/lieu.house.gov/files/documents/2016.02.23%20Letter%
20to%20FBI%20Comey%20re%20Apple.pdf
-https://fcw.com/articles/2016/02/23/lieu-comey-letter-lyngaas.aspx
">
-https://fcw.com/articles/2016/02/23/lieu-comey-letter-lyngaas.aspx

---

STORM CENTER TECH CORNER

OpenSSL BIO_*printf Vulnerability
-https://git.openssl.org/?p=openssl.git;a=commit;h=a801bf263849a2ef773e5bc0c86438
cbba720835
-https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corrupt
ion-via-bio_printf/

Angler Exploit Kit on Extendoffice.com
-https://threatpost.com/angler-exploit-kit-learns-new-tricks-finds-home-on-popula
r-website/116509/

Porn Clicker Trojans Keep Evading Google Play Store Security Screening
-http://www.welivesecurity.com/2016/02/24/porn-clicker-trojans-keep-flooding-goog
le-play/

MySQL Attack
-https://isc.sans.edu/forums/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781
/

Wordpress Ransom Ware
-http://thisissecurity.net/2016/02/26/a-lockpicking-exercise/

Exfiltrating Radio Signals From PCs
-https://github.com/fulldecent/system-bus-radio

New Hacking Team OS X Exploit Leaked
-https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-t
o-this-time/

IKE/IKEv2 and other UDP-based protocols can be used to amplify denial-of-service attacks. In some scenarios, an amplification of up to 900% may be obtained from IKEv2 server implementations.
-http://www.kb.cert.org/vuls/id/419128

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/