SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #18

March 04, 2016

TOP OF THE NEWS

Verizon Breach Report
Report: Businesses Reluctant to Report Attacks
Windows 10 Will Add APT Protection
DROWN Vulnerability Affects SSLv2

THE REST OF THE WEEK'S NEWS

Dwolla Will Pay Fine to Settle Charges of Misrepresenting Cybersecurity
Guilty Plea in US $55 Million ATM Theft Scheme
Cisco Updates Fix Remotely Accessible Admin Account
Cox Communications Investigating Possible Breach
Eric Schmidt to Chair Defense Innovation Advisory Board
US Defense Department Announces 'Hack the Pentagon' Bug Bounty Program
US House Committee Chairman Issa Questions FBI's Comey in House Hearing
RSA Panel on Hacking Back
Most Innovative and Damaging Attacks of 2015

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By AlienVault ***************************

Learn how AlienVault can help to implement the CIS Critical Security Controls. Free Guide!
http://www.sans.org/info/183770

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Amsterdam, Canberra, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Verizon's Data Breach Digest Report (March 3, 2016)

For this first time, Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company's computers to target specific containers on vessels they boarded.
-http://www.eweek.com/security/hackers-helping-pirates-rob-ships-among-incidents-
verizons-tracking.html
-http://www.darkreading.com/operations/pirates-ships-and-a-hacked-cms--inside-ver
izons-breach-investigations/d/d-id/1324474
-http://arstechnica.com/security/2016/03/pirates-hack-into-shipping-companys-serv
ers-to-identify-booty/
-http://www.csoonline.com/article/3039555/investigations-forensics/verizon-releas
es-first-ever-data-breach-digest-with-security-case-studies.html
[Editor's Note (Paller): This report is a gift to the security community - - a valuable teaching tool. Verizon includes in its full report on data breaches a mapping that shows the vast majority of data breaches can be stopped if organizations implement the 20 Critical Security Controls. Just a few weeks ago the Attorney General of California published a data breach report that concluded "not implementing
[the 20 Critical Security Controls ]
would be indicative of an organization's failure to provide reasonable security."
-https://www.oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pd
f]

Report: Businesses Reluctant to Report Attacks (March 3, 2016)

According to a report from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28 percent of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks.
-http://www.zdnet.com/article/businesses-are-still-scared-of-reporting-cyberattac
ks-to-the-police/
[Editor's Note (Pescatore): I think the 28% lines up pretty well with how many businesses see actual shareholder/customer value in notifying law enforcement. That fraction might change if ransomware attacks continue to be effective. Involving law enforcement could help to regain access to locked/encrypted data or systems - *if* law enforcement gets the budget to increase staff and skills. I'd rather see enterprises have effective defense and backup processes to thwart ransomware, than to depend on external help to restore operations *after* disruption. ]

Windows 10 Will Add APT Protection (March 1 and 2, 2016)

At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems.
-http://www.nextgov.com/cybersecurity/2016/03/windows-10-adding-apt-protection-he
res-why-s-big-deal/126372/?oref=ng-channelriver
-http://arstechnica.com/information-technology/2016/03/windows-defender-advanced-
threat-protection-uses-cloud-power-to-figure-out-youve-been-pwned/
[Editor's Note (Pescatore): Notice you don't see Apple or Google rolling out this kind of post-incident detection and response services for iOS or Android. Instead they continue to focus on maturing App Store/Google Play to raise the bar against malicious apps, support near continuous and nearly transparent updates vs. lumpy/monthly/disruptive patch releases, etc., and continue to reduce attack surface and make malware a well bounded (but still existing) problem. Microsoft seems to be saying "security will pretty much be the same when you move to Windows 10 but we will include more functions to tell you more quickly when your Windows PC has been penetrated." This is too depressingly similar to back in 2003 when Microsoft decided to buy an anti-virus vendor and join the AV world, rather than focus on making game changing security leaps in Windows 7, which was in early development at the time. ]

DROWN Vulnerability Affects SSLv2 (March 1 and 2, 2016)

A vulnerability in the SSLv2 protocol could be exploited to intercept encrypted TLS connections. Known as DROWN, for Decrypting RSA with Obsolete and Weakened Encryption, the flaw is not as widespread as Heartbleed. SSLv2. "which no one should be running at all" according to Red Hat's Josh Bressers, was deprecated in 2011. It is still present "in many servers, either in default or active mode, due to misconfiguration, neglect, or older embedded services." A new version of OpenSSL is available in which SSLv2 is disabled.
-http://www.eweek.com/security/drown-vulnerability-hits-ssltls-but-its-no-heartbl
eed.html
-http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-impe
riled-by-new-decryption-attack/
-http://www.computerworld.com/article/3040206/security/attack-against-tls-shows-t
he-pitfalls-of-weakening-encryption.html
-http://www.darkreading.com/attacks-breaches/ssl-drowns-in-yet-another-serious-se
curity-flaw/d/d-id/1324521?
-http://www.scmagazine.com/drown-attack-could-break-tls-for-third-of-websites/art
icle/480464/
[Editor's Note (Williams): It's official, SSL is dead. This is a good time for organizations to look at where they have reused certificates and where they have wildcard SSL certificates installed. Wildcard SSL certificates should be deployed with extreme care and forethought since a compromise of the certificate allows the attacker to mimic any host on the domain. (Honan): The Dutch National Cyber Security Centre has a very good factsheet ton this vulnerability at
-https://www.ncsc.nl/english/current-topics/factsheets/factsheet-disable-ssl-2.0-
and-upgrade-openssl.html
(Murray): The vulnerability is not in the protocol but in the implementation. "Cryptography
[implementation ]
is
[much ]
more difficult than it looks." "There are an infinite number of possible implementations, most of them wrong." If any developer is going to do it, we need to do a better job of preparing them. ]

---

************************** SPONSORED LINKS ********************************
1) Is Active Breach Detection the Next-Generation Security Technology? Thursday, March 10, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Paul Kraus. http://www.sans.org/info/183775

2) Benchmarking AppSec: A Metrics Pyramid. Tuesday, March 15, 2016 at 1:00 PM EDT (17:00:00 UTC) featuring SANS Instructor Jim Bird and Tim Jarrett. http://www.sans.org/info/183780

3) What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance. Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. http://www.sans.org/info/183785
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Dwolla Will Pay Fine to Settle Charges of Misrepresenting Cybersecurity (March 3, 2016)

The US Consumer Financial Protection Bureau (CFPB) has reached a settlement with online payment company Dwolla regarding deceptive claims the company made about its security practices. CFPB alleged that between 2010 and 2014, Dwolla misrepresented the amount of data that they encrypted, and misled customers about the level of security it used. One of the issues identified was that Dwolla transmitted or encouraged consumers to transmit sensitive data in the clear. Dwolla will pay US $100,000.
-http://thehill.com/policy/cybersecurity/271636-feds-go-after-online-payment-firm
-for-deceptive-cybersecurity
-http://www.theregister.co.uk/2016/03/03/dwolla_slapped_for_slack_security/
CFPB Dwolla Report:
-http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf

Guilty Plea in US $55 Million ATM Theft Scheme (March 3, 2016)

Ercan Findikoglu has pleaded guilty to charges stemming from a series of cyberattacks that stole more than US $55 million using prepaid debit cards at ATMs. Findikoglu and his co-conspirators broke into computer systems to increase balances on the cards and remove daily withdrawal limits; they then had money mules withdraw funds from ATMs around the world. Findikoglu pleaded guilty to computer intrusion conspiracy, access device fraud conspiracy, and effecting transactions with unauthorized access devices.
-http://www.theregister.co.uk/2016/03/03/turkish_hacker_pleds_guilty_to_massive_5
5m_maniac_global_atm_hiest/
-http://www.bbc.com/news/technology-35716150
-http://www.zdnet.com/article/turkish-mastermind-of-55m-atm-skimming-spree-pleads
-guilty/
-https://www.justice.gov/usao-edny/pr/leader-global-cybercrime-campaigns-pleads-g
uilty-computer-intrusion-and-access-device
[Editor's Note (Honan): It is interesting to note that in 2011 the FBI estimated traditional bank robberies amounted to US $30 million for that year. Given that this one incident allowed for US $55 million to be stolen with little risk of being shot or otherwise harmed it is easy to see what criminals are moving to the online world to commit crime.
-https://www.fbi.gov/about-us/investigate/vc_majorthefts/bankrobbery]

Cisco Updates Fix Remotely Accessible Admin Account (March 3, 2016)

Cisco has released patches for its Nexus 3000 and 3500 switches. The updates fix an administrative account that was remotely accessible, which could give attacker root access. The account "has a default and static password." Admins can also disable Telnet to protect vulnerable systems.
-http://www.computerworld.com/article/3040540/security/cisco-issues-critical-patc
h-for-nexus-switches-to-remove-hardcoded-credentials.html
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
0160302-n3k

Cox Communications Investigating Possible Breach (March 3, 2016)

Cox Communications is investigating reports that someone is selling personal information of 40,000 Cox employees. Cox has "engaged a third-party forensic team to conduct a comprehensive investigation." Law enforcement is also involved.
-http://thehill.com/policy/cybersecurity/271604-cox-investigates-possible-data-br
each-report

Eric Schmidt to Chair Defense Innovation Advisory Board (March 2, 2016)

The US Defense Department (DoD) will establish a Defense Innovation Advisory Board. The first head of the new organization will be chairman of Alphabet Eric Schmidt. "The board's mandate is to provide department leaders independent advice on innovative and adaptive means to address future organizational and cultural challenges, including the use of technology alternatives, streamlines project management processes and approaches - all with the goal of identifying quick solutions to DoD problems." The board will have up to 12 members to be selected by Schmidt and Defense Secretary Ash Carter.
-http://www.scmagazine.com/alphabets-eric-schmidt-to-head-defense-dept-advisory-b
oard/article/480704/
-http://thehill.com/policy/defense/271483-google-executive-to-head-up-pentagon-in
novation-board
-http://www.defense.gov/News/News-Releases/News-Release-View/Article/684201/state
ment-by-pentagon-press-secretary-peter-cook-on-the-establishment-of-the-de

US Defense Department Announces 'Hack the Pentagon' Bug Bounty Program (March 2, 2016)

The US Defense Department (DoD) is launching a 'Hack the Pentagon' program. Participants must register and submit to a background check. To start, the permitted space for finding vulnerabilities will be limited to DoD public-facing websites, but may eventually expand to applications and networks. The program is scheduled to start in April.
-http://www.nextgov.com/cybersecurity/2016/03/pentagon-launches-open-contest-hack
-military-websites/126383/?oref=ng-channeltopstory
-http://thehill.com/policy/defense/271471-pentagon-invites-cyber-hackers-to-find-
its-vulnerabilities
-http://www.darkreading.com/vulnerabilities---threats/hack-the-pentagon-dod-launc
hes-first-ever-federal-bug-bounty-program/d/d-id/1324542?
-http://www.bloomberg.com/news/articles/2016-03-02/uncle-sam-wants-you-to-try-hac
king-into-the-pentagon-really
-http://www.nbcnews.com/tech/tech-news/u-s-military-invites-cybersafety-experts-h
ack-pentagon-n530141
-http://www.bbc.com/news/technology-35706988
-http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hackers/
[Editor's Note (Williams): Bug bounties can be tremendous resource for finding vulnerabilities. However, when vulnerabilities are reported the organization must act. United suffered some bad press when they failed to respond to a bounty report.
-http://randywestergren.com/united-airlines-bug-bounty-an-experience-in-reporting
-a-serious-vulnerability/
Given the Pentagon is drowning in bureaucracy, it's entirely possible that they will take longer than six months to fix flaws. If your organization is considering implementing a bug bounty, consider carefully your bandwidth for fixing bugs and how you will deal with public disclosures from disgruntled bug hunters. ]

US House Committee Chairman Issa Questions FBI's Comey in House Hearing (March 2, 2016)

During a March 1 House Judiciary Committee hearing on iPhone encryption, Representative Darrell Issa (R-California) peppered FBI director James Comey with questions about what his agency had done to try to solve the problem themselves before asking Apple to break into the device.
-http://www.nextgov.com/cybersecurity/2016/03/fbi-director-gets-schooled-security
-tech-congressman/126349/?oref=ng-channelriver

RSA Panel on Hacking Back

The legal panel of experts at RSA considered the question of active defense or "hacking back". Needless to say, the consensus was "don't." Several of the reporters that attended the panel relayed observations that there are grey areas and policy vs. legal mismatches. This has been a theme at past RSA conferences as well.
-https://threatpost.com/gentle-reminder-at-rsa-hacking-back-is-a-bad-idea/116564/
-http://www.rsaconference.com/events/us13/agenda/sessions/343/is-it-whack-to-hack
-back-a-persistent-attack
-http://www.rsaconference.com/writable/presentations/file_upload/stu-m06a-cyber-v
igilante-or-self-defensev2.ppt.pdf
Editor's Note (Northcutt): If you were not able to attend the panel, SANS Faculty members and analysts, Robert M. Lee and Rob Lee just completed an excellent paper on "Threat Hunting" which is often used interchangeably with "Active Defense". On page 4 there is an excellent discussion of passive and active defense and the sliding scale from architecture to offense:
-https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effect
ive-threat-hunting-36785]

Most Innovative and Damaging Attacks of 2015 (December 2015)

-http://www.csoonline.com/article/3018343/security/the-most-innovative-and-damagi
ng-hacks-of-2015.html

---

STORM CENTER TECH CORNER

SSLv2 Drown Vulnerability
-https://drownattack.com

ESET Antivirus False Positive
-http://support.eset.com/alert5879/

Analysis of Packet Injection Attacks By ISPs
-https://www.netresec.com/?page=Blog&month=2016-03&post=Packet-Injection-
Attacks-in-the-Wild

XSS Vulnerabilities in Web Ads
-http://randywestergren.com/widespread-xss-vulnerabilities-ad-network-code-affect
ing-top-tier-publishers-retailers/

Trojan Claiming to Be Locky Removing Tools (German only)
-http://www.mimikama.at/allgemein/vorsicht-offizielle-warnung-vor-computervirus-l
ocky-ist-selber-ein-trojaner/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/