SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #20

March 11, 2016

TOP OF THE NEWS

US Justice Dept. Preparing to Indict Iranian Cyber Intruders for 2013 Dam Attack
FCC Moves To Force ISPs To Do More Than Just Talk About Security for Customers
IRS Suspends Identity Theft Get IP PIN Tool Due to Security Issues

THE REST OF THE WEEK'S NEWS

Cisco Patches Cable Modem Flaws
Industrial Vehicle (In)security
Chrome Update
Typo Alerted Banks to Fraudulent SWIFT Transactions
Water Reclamation District May Have Been Hit With Ransomware Attack
Mozilla Releases Firefox 45
CORRECTION: ICIT Ransomware Report
Microsoft Patch Tuesday
Adobe Patch Tuesday
Google Releases Android Security Update

STORM CENTER TECH CORNER


************************* Sponsored By Splunk ***************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Amsterdam, Canberra, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

- US Justice Dept. Preparing to Indict Iranian Cyber Intruders for 2013 Dam Attack (March 10, 2016)

The US Justice Department is reportedly readying an indictment against an unspecified number of Iranians for allegedly launching a cyberattack against a dam in New York in 2013. The incident was made public only last December, although it occurred in 2013. The Bowman Avenue Dam in Rye Brook, NY is a flood control dam. The intruders breached the system through a broadband cellular modem that the facility uses to connect to the Internet. Those who will be named in the indictment are believed to be part of the group that launched attacks against SunTrust and PNC Financial Services Group.
-http://www.nytimes.com/reuters/2016/03/10/world/middleeast/10reuters-usa-iran-cyber.html
-http://www.cnn.com/2016/03/10/politics/iran-us-dam-cyber-attack/
-http://thehill.com/policy/cybersecurity/272563-report-us-preparing-to-publicly-blame-iran-for-cyberattack-on-dam
-http://arstechnica.com/security/2016/03/dam-you-justice-dept-to-indict-iranians-for-probing-flood-control-network/

[Editor's Note (Assante): It will be interesting to see whether the indictment provides any additional information about the nature of the compromise and activity. The sluice gate was installed around the time the adversary appeared to gain access. However, the automated controls were not active, and therefore there was low risk to the operation of the gate. Just remember, adversary groups are actively targeting facilities; you do not get to choose if you are a target, you only get to choose how difficult a target you will be. See the SANS Defense Use Case #4:
-http://ics.sans.org/media/SANSICS_DUC4_Analysis_of_Attacks_on_US_Infrastructure_V1.1.pdf
]

- FCC Moves To Force ISPs To Do More Than Just Talk About Security for Customers (March 8, 2016)

FCC Chairman Tom Wheeler has circulated for consideration by the full Commission a Notice of Proposed Rulemaking (NPRM) to ensure consumers have the tools they need to make informed choices about how and whether their data is used and shared by their broadband providers. The proposal would apply the privacy requirements of the Communications Act to the most significant communications technology of today: broadband Internet access service.
-http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0310/DOC-338159A1.pdf

[Editor's Note (Pescatore): The major ISPs have had years to make progress on raising the bar on security for their customer services and talked a lot, walked little. There will likely be a lot of lobbying against this; regulations are rarely the most efficient or effective way to drive security increases and should be the last resort. But as the item below on the Cisco cable modem patch points out, the ISPs seem to need external regulatory pressure to make security advances. ]

- IRS Suspends Identity Theft Get IP PIN Tool Due to Security Issues (March 7 and 8, 2016)

The US Internal Revenue Service (IRS) has suspended a tool that was misused by attackers to steal tax information that could be used to file fraudulent returns. The Get IP PIN (Identity Protection PIN) feature was created to allow people who have been victims of tax fraud to file their taxes electronically. The IRS says that at least IP PINs have been stolen.
-http://www.nextgov.com/cybersecurity/2016/03/irs-finally-pulls-offline-id-protection-service-exploited-hackers/126509/?oref=ng-channelriver
-http://thehill.com/policy/finance/272131-irs-suspends-online-tool-during-security-review
-http://krebsonsecurity.com/2016/03/irs-suspends-insecure-get-ip-pin-feature/
-https://www.washingtonpost.com/news/the-switch/wp/2016/03/08/the-irs-suspends-hacked-tool-meant-to-help-identity-theft-victims/



************************** SPONSORED LINKS ********************************
1) Protect your organization. Join Symantec on March 17 to learn about the future of security. http://www.sans.org/info/184157

2) Bring Your Own Collaboration Technical Control Tradeoffs. Wednesday, March 16, 2016 at 1:00 PM EDT (17:00:00 UTC). Join Dave Shackleford and Scott Gordon as they examine ways to secure sensitive files being shared within and outside organizations. http://www.sans.org/info/184162

3) What Works: Inspecting Encrypted Traffic with the Blue Coat SSL Visibility Appliance Wednesday, March 23, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Michael Weinstein. http://www.sans.org/info/184167
***************************************************************************

THE REST OF THE WEEK'S NEWS

- Cisco Patches Cable Modem Flaws (March 9 and 10, 2016)

Cisco has released security updates to address vulnerabilities in some of its cable modem and residential gateway devices. The devices in question are distributed to customers by Internet service providers (ISPs). The issues include a buffer overflow flaw in the embedded web server in Cisco Cable Modem with Digital Voice models DPC2203 and EPC2203, and an information disclosure vulnerability in the web-based administration interfaces of Cisco DPC3941 Wireless Residential Gateway with Digital Voice and Cisco DPC3939B Residential Voice Gateway.
-http://www.theregister.co.uk/2016/03/10/cisco_patches_a_bunch_of_cable_modem_vulns/
-http://www.computerworld.com/article/3042599/security/cisco-patches-serious-flaws-in-cable-modems-and-home-gateways.html
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre

[Editor's Note (Pescatore): If you take any major ISP's home page URL and add /security, you come to a page where they try to sell you additional security services. That is an indication of the problem here -- Cisco (or any other router manufacturer) can release a patch for serious vulnerabilities like this one, but for most home users their ISP is the channel. ISPs are doing very little to help their consumer users get more secure. That is one reason why the FCC has proposed stricter privacy and security regulations for ISPs - the industry has failed to do more than talk about security improvements, no progress on "self-regulation." (Murray): The now common practice of embedding a web server in appliances to facilitate administration saves development time and resources at the expense of dramatically increasing the attack surface and including vulnerabilities in the server code. These embedded servers are unlikely to be patched in the procedures for maintaining servers. ]

- Industrial Vehicle (In)security (March 10, 2016)

A researcher has found that some telematics gateway units (TGUs), which are used to monitor vehicles - primarily industrial vehicles like ambulances, trucks, and buses - do not require any sort of authentication. The devices track the vehicles' locations, gas mileage, and other data. The researcher believes that access to the devices could be used to issue commands on the vehicles' internal networks, known as CAN buses, which could allow an intruder to control braking, steering, or transmission.
-http://www.wired.com/2016/03/thousands-trucks-buses-ambulances-may-open-hackers/
-http://jcarlosnorte.com/security/2016/03/06/hacking-tachographs-from-the-internets.html

- Chrome Update (March 10, 2016)

On Tuesday, March 8, Google released a new stable version of its Chrome browser. Chrome 49.0.2623.87 for Windows, Mac, and Linux addresses three critical security issues, including a type confusion flaw and a use-after-free flaw in the Blink rendering engine and an out-of-bounds write issue in the PDFium PDF library.
-http://www.zdnet.com/article/google-fixes-severe-vulnerabilities-in-chrome-browser-update/

-http://googlechromereleases.blogspot.co.uk/2016/03/stable-channel-update_8.html

- Typo Alerted Banks to Fraudulent SWIFT Transactions (March 10, 2016)

A massive cyberheist at a bank in Bangladesh was detected when the thieves misspelled a word in the name of one of the organizations the funds were supposed to be transferred to. Deutsche Bank, one of the routing banks, noticed the misspelling and sought clarification from the Bangladesh bank. By the time the scheme was detected, the thieves had already purloined more than US $80 million, but transfers totaling more than US $850 million were stopped. The incident occurred in early February.
-http://arstechnica.com/security/2016/03/a-typo-costs-bank-hackers-nearly-1b/
-http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC
-http://www.bbc.com/news/technology-35773061
-http://www.darkreading.com/operations/hackers-typo-foils-their-$1-billion-wire-transfer-heist/d/d-id/1324640?
-http://www.nytimes.com/reuters/2016/03/10/business/10reuters-usa-fed-bangladesh-probe.html

[Editor's Note (Murray): SWIFT transactions are "forward wire transfers." Among other things, this means that, unlike ACH transfers, they are not normally reversible. They may be reversed when fraud is demonstrated, but it is neither routine nor certain. (Williams): This is a great example of defender attention to detail thwarting an attack. Reminds me of The Cuckoo's Egg, where a small accounting error caught foreign cyber attackers in the days of dial-up modems. Most systems admins don't know what normal looks like on their own Windows machines. To help, SANS created the "Know normal, find evil" poster:
-https://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
]

- Water Reclamation District May Have Been Hit With Ransomware Attack (March 7 and 9, 2016)

The Clark County (Nevada) Water Reclamation District has shut down computers while investigating reports that its systems were infected with ransomware. The FBI has been notified.
-http://www.scmagazine.com/fbi-asked-to-investigate-clark-county-water-reclamation-district-cyberattacks/article/482185/
-http://www.reviewjournal.com/news/las-vegas/clark-county-water-reclamation-district-computer-system-hacked

[Editor's Note (Williams): This story is a great example of why it may make sense to include the public relations people on a modern incident response plan. "Multiple sources" reported ransomware attacks to the media, but the media relations spokesperson "was unaware of the claims." The same media relations contact later said multiple systems had been taken offline. Inconsistent messaging during an incident can have serious impacts on the credibility of an organization. ]

- Mozilla Releases Firefox 45 (March 9 and 10, 2016)

Mozilla has released Firefox 45. The newest version of the browser includes fixes addressed in 23 advisories, nine of which are rated critical. The critical flaws include an out-of-bounds write triggered by malicious fonts in the Graphite 2 library, other font-handling vulnerabilities in Graphite 2, and several use-after-free vulnerabilities.
-https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
-http://www.eweek.com/cloud/mozilla-firefox-45-removes-tab-groups-provides-security-updates.html
-http://www.scmagazine.com/mozilla-issues-22-security-patches-for-firefox/article/482142/
-http://www.zdnet.com/article/firefox-44-browser-update-patches-22-critical-vulnerabilities/

[Editor's Note (Northcutt): Firefox with NoScript, Ghostery and Qualys Browser Check plugins is my default browser setting. I did the update and all three plugins are intact which is always nice to see. Silverlight did not make it, so I moved it to the never activate list. ]

- CORRECTION: ICIT Ransomware Report (March 7, 2016)

A story we ran on Tuesday, March 8 that said the FBI and DHS paid cybercriminals to remove ransomware from their computers is inaccurate. The FBI and the Department of Homeland Security (DHS) did not pay cybercriminals to remove malware from their computers. The ransomware report from Institute for Critical Infrastructure and Technology (ICIT) warns that the malware will "wreak havoc on America's critical infrastructure community" in 2016.
-http://www.nextgov.com/cybersecurity/2016/03/fbi-and-dhs-paid-crooks-get-back-their-hacked-data-report-says/126479/?oref=ng-channelriver
-http://www.scmagazine.com/report-ransomware-will-wreak-havoc-on-critical-infrastructure/article/482175/
-http://icitech.org/wp-content/uploads/2016/03/ICIT-Brief-The-Ransomware-Report.pdf

- Microsoft Patch Tuesday (March 8, 2016)

On Tuesday, March 8, Microsoft issued 13 bulletins to address a total of 44 vulnerabilities in a variety of products. Six of the bulletins are rated critical. One of the patched flaws affects all supported versions of Windows. Storm Center:
-https://isc.sans.edu/forums/diary/March+2016+Microsoft+Patch+Tuesday/20817/
-http://www.zdnet.com/article/march-2016-patch-tuesday/
-http://www.scmagazine.com/microsofts-march-patch-tuesday-13-bulletins-covering-44-vulnerabilties/article/481830/
-http://krebsonsecurity.com/2016/03/adobe-microsoft-push-critical-updates/
-http://www.computerworld.com/article/3042028/microsoft-windows/5-critical-updates-for-march-patch-tuesday.html
-http://www.computerworld.com/article/3042412/security/microsoft-patches-remote-code-execution-flaws-in-windows-ie-edge-office.html

-https://technet.microsoft.com/en-us/library/security/ms16-mar.aspx

- Adobe Patch Tuesday (March 8 and 10, 2016)

On Tuesday, March 8, Adobe issued four patches: one for a critical memory corruption vulnerability in Digital Editions for Windows, Mac, iOS, and Android, and three for critical flaws in Acrobat DC, Reader DC, Acrobat XI, and Reader XI for Windows and Mac. Adobe said that an update for Flash Player would be released in several days. On Thursday, March 10, Adobe issued patches to address vulnerabilities in Flash Player for Windows, OS X, and Linux. One of the flaws is being actively exploited. Storm Center:
-https://isc.sans.edu/forums/diary/Critical+Adobe+Updates+March+2016/20815/
-http://www.scmagazine.com/adobes-patch-tuesday-update-handles-four-vulnerabilities/article/481813/
-http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-actively-exploited-code-execution-bug/
-http://www.theregister.co.uk/2016/03/10/adobe_flash_march_updates/
-http://www.computerworld.com/article/3042589/security/emergency-flash-player-patch-fixes-actively-exploited-flaw.html

[Editor's Note (Williams): The update from Adobe is a double whammy this month, with the patch for Flash coming two days after the rest of the patches. The Flash flaw is being actively exploited in targeted attacks, according to Kaspersky. This is a great time to remind systems administrators that they must patch the ActiveX Flash plugin for Internet Explorer, the Flash plugin for Firefox, and the Flash installation for Chromium (if all are in use) to be secure. Unfortunately, these are still different installations. Also, effective this month, if you distribute the offline installer for Flash internally, Adobe now requires a license for redistribution.
-http://www.adobe.com/sea/products/players/flash-player-distribution.html
]

- Google Releases Android Security Update (March 7 and 8, 2016)

Google has released an Android update that addresses 16 vulnerabilities. Among the flaws patched are a critical remote code execution vulnerability in the operating system's Mediaserver, and an information disclosure vulnerability in the Android libstagefright media library. Google Nexus devices will be automatically updated. Partners were alerted to the issues on February 1.
-http://www.eweek.com/security/google-patches-android-for-stagefright-in-march-update.html
-http://www.computerworld.com/article/3041329/security/google-patches-remote-execution-flaws-in-android.html
-http://www.scmagazine.com/google-patches-16-android-bugs-including-7-critical-flaws/article/481798/

-https://source.android.com/security/bulletin/2016-03-01.html

STORM CENTER TECH CORNER

Distributed Weakness Filing (DWF)
-https://github.com/distributedweaknessfiling/DWF-Documentation

TP Link NC200/220 Cloud IP Camera Vulnerability
-http://blog.ioactive.com/2016/03/got-15-minutes-to-kill-why-not-root.html

Facebook Missed Account Lockout For Password Reset Code
-http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/