SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #21

March 15, 2016

TOP OF THE NEWS

Analog Equipment is Added Layer of Security
Government and Encryption: Who's Next?
FBI v. Apple: A Solution or A Precedent?

THE REST OF THE WEEK'S NEWS

Malicious Macros in Word Documents
White House Draft Source Code Policy
Ottawa Hospital Successfully Fights Ransomware
SAP Java Flaw: Fix Available
Old Java Patch Faulty
Fighting Patch Fatigue
Marcher Trojan Pretends to be Adobe Flash Installer
Day in Life of a CISO: Virginia Tech's Randy Marchany

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Lancope **************************

NetFlow Security Monitoring For Dummies - FREE DUMMIES eBOOK! Download our Dummies eBook to learn how NetFlow intelligence plays a role in network security and best practices for developing and implementing a scalable NetFlow-based monitoring strategy. Download the DUMMIES eBook today!
http://www.sans.org/info/184212

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Canberra, Copenhagen, Prague and Houston all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Analog Equipment is Added Layer of Security (March 10, 2016)

Following the Ukraine power utility attack, operators were able to restore power relatively quickly by manually resetting breakers. As more and more devices are connected to the Internet, the risk of attacks grows, and "physical backup hardware" becomes a security asset. Richard Danzig, former secretary of the Navy and senior fellow at the Johns Hopkins Applied Physics Lab says it this way: "If your main system is digital, you're stronger if your safeguard is analog."
-http://www.bloomberg.com/news/articles/2016-03-10/cybersecurity-the-best-insuran
ce-may-be-analog
[Editor's Note (Assante): The reduction and removal of attack surfaces, by minimizing system complexity and implementing difficult to observe or discover physical or electro-mechanical safeguards, may be the last line of defense where it really counts. This is not retreating from technology; it is simply not stepping into the future with reckless abandonment. (Williams): According to this Wired article (
-http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-gr
id/)
many US utilities would have more trouble restoring power in the wake of a Ukraine style attack. Analog backup systems are critical for safety in the event disruption to our digital systems occur. (Murray): Utilities connect controls to the Internet and the PSTN, often both, to enable remote operation by the responsible operators. It is that capability that makes them vulnerable to remote attacks. One more time, the solution has become the problem. ]

Government and Encryption: Who's Next? (March 12 and 14, 2016)

WhatsApp appears to be the next target in the government's fight to access encrypted information. The messaging service has told a court it is unable to comply with a law enforcement wiretap warrant because it does not hold the keys to the encrypted data in question.
-http://www.nytimes.com/2016/03/13/us/politics/whatsapp-encryption-said-to-stymie
-wiretap-order.html?_r=0
-http://www.wired.com/2016/03/fbi-crypto-war-apps/
-http://www.scmagazine.com/the-next-encryption-debate-whatsapp-v-feds/article/483
069/
-http://www.cnet.com/news/facebook-google-whatsapp-to-beef-up-data-encryption/
-http://www.zdnet.com/article/facebook-google-among-tech-giants-expanding-encrypt
ion-in-wake-of-apple-battle/
-http://www.zdnet.com/article/after-apple-is-whatsapp-us-governments-next-crypto-
target/
[Editor's Note (Honan): This is an issue that many governments are struggling to grasp and the onus is on us as experts in the field to communicate clearly to our governments on the technical implications of what they are looking for. For example in Brazil a Senior Facebook Executive was arrested in relation to a drug case involving a WhatsApp user.
-http://fortune.com/2016/03/01/brazil-facebook-arrest/]

FBI v. Apple: A Solution or A Precedent? (March 14, 2016)

In a related story, former White House special advisor on cybersecurity Richard Clarke told National Public Radio (NPR) that the NSA could break the encryption on the iPhone in the San Bernardino case, but the FBI is "not as interested in solving the problem as they are in getting a legal precedent."
-http://www.npr.org/2016/03/14/470347719/encryption-and-privacy-are-larger-issues
-than-fighting-terrorism-clarke-says
-http://arstechnica.com/tech-policy/2016/03/former-cyber-czar-says-nsa-could-crac
k-the-san-bernadino-shooters-phone/

---

************************** SPONSORED LINKS ********************************
1) EMA Research Report: Closing the Endpoint Security Gap - Download Now: http://www.sans.org/info/184217

2) Speed Detection and Response with Real-time Behavior Analytics. RSA Security Analytics Webcast March 22. http://www.sans.org/info/184222

3) What were the top threats in 2015? Read Trend Micro's 2015 roundup report, Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies: http://www.sans.org/info/184227
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Malicious Macros in Word Documents (March 14, 2016)

Malicious macros embedded in Word documents are increasingly being used as an attack vector. Researchers have now found a variant in which the documents use fileless malware; in other words, they place malware directly into the device's memory. The attack was delivered through targeted spam that contains a malicious document. If the macros are permitted to run, they use PowerShell to gather information about the computer. The malware looks for machines where financial transactions are conducted.
-http://www.computerworld.com/article/3043570/security/documents-with-malicious-m
acros-deliver-fileless-malware.html
[Editor's Note (Murray): Twenty years ago Word Macros
[and other "escape" features ]
were already a favorite vector for spreading viruses. Thirty years ago, the infamous "All Souls Worm" used the sendmail debug feature. Forty years ago there was a major flap when someone demonstrated embedding commands to a terminal in messages to the terminal. Today one sees malicious URLs in SMS messages. One process's data is another's program. "Those who do not remember the past are condemned to repeat it." ]

White House Draft Source Code Policy (March 14, 2016)

The White House's draft Source Code Policy would require federal agencies to share custom code funded by the government with other agencies, and for agencies to share at least 20 percent of third-party custom code with the open-source community. One of the policy's goals is to reduce duplicative spending. The draft policy is available for public comment until April 11, 2016.
-http://www.scmagazine.com/white-house-requires-agencies-to-share-custom-code-wit
h-open-source-community/article/483084/
-https://sourcecode.cio.gov
[Editor's Note (Pescatore): My comment on the GitHub site on this: Many tools and services exist to test source code or binaries for well-known vulnerabilities. Government use of these tools, or government agencies requiring contractors or software suppliers, has been minimal and inconsistent. The world does not need more insecure code - this process needs to as a minimum require common process for code to be tested for "basic app development hygiene" before being submitted or at least before being accepted. NIST had fiddled around with such tools for over a decade now, this would be a good vehicle for them to move towards actual operational improvements in government software security. (Williams): While an admirable move to reduce spending, this may cause problems as well. Organizations should carefully consider the decision to open source their existing code base. There are reputational issues to consider if independent audits of your code uncover vulnerabilities that are not fixed in a timely manner. Attackers also gain insight into your code base and vulnerabilities that exist in your environment. ]

Ottawa Hospital Successfully Fights Ransomware (March 13 and 14, 2016)

The Ottawa Hospital in Ottawa, Canada, said that four of its 9,800 computers at the facility became infected with ransomware, but the incident was detected quickly, the infected computers isolated, and their drives wiped. The hospital paid no ransom and no data were lost.
-http://www.scmagazine.com/the-ottawa-hospital-fends-off-ransomware-attack/articl
e/482921/
-http://www.cbc.ca/news/canada/ottawa/hospital-cyber-attack-1.3489388
-http://news.nationalpost.com/news/canada/ottawa-hospital-hit-with-ransomware-inf
ormation-on-four-computers-locked-down
[Editor's Note (Murray): In a hospital setting, most terminals should be locked down in such a way that their privileges and capabilities cannot be locally modified, mission critical data stored only on servers, and those servers managed and routinely backed up. Now that one thinks about it, that strategy would improve the security of most enterprises. (Honan): The Computer Incident Response Centre Luxembourg (CIRCL) have published an excellent guide on defending and preventing ramsomware
-https://www.circl.lu/pub/tr-41/
Kaspersky, The National High Tech Crime Unit (NHTCU) of the Netherlands' police, and the Netherlands' National Prosecutors Office have launched a website with a free decryption tool to decrypt all files for Coinvault and Bitcryptor victims
-https://noransom.kaspersky.com/]

SAP Java Flaw: Fix Available (March 11, 2016)

A vulnerability in a SAP Java application could be exploited to steal access credentials. The app, SAP Download Manager, is used to download software and support notes. The flaw is not remotely exploitable. SAP has released an update for Download Manager that fixes the problem.
-http://www.scmagazine.com/exploiting-sap-download-manager-bug-can-yield-password
s/article/482629/
-http://www.theregister.co.uk/2016/03/11/sap_software_download_app_exposed_passwo
rds/
-https://support.sap.com/software/download-manager.html

Old Java Patch Faulty (March 11, 2016)

A patch for Java that Oracle released in October 2013 has been found to be ineffective. The flaw that the patch was supposed to address can be remotely exploited without authentication. Oracle was not notified prior to the disclosure of the patch's problem.
-http://www.computerworld.com/article/3042590/security/two-year-old-java-flaw-re-
emerges-due-to-broken-patch.html
-http://arstechnica.com/security/2016/03/botched-java-patch-leaves-millions-vulne
rable-to-30-month-old-attack/

Fighting Patch Fatigue (March 11, 2016)

Keeping up with software patches at organizations can easily become overwhelming: patches are released at a brisk rate and high volume, or are released out of the regular patch cycle. Compounding the headache is the variety of different patch distribution systems. Tripwire recommends developing a "mature patch management program."
-http://www.scmagazine.com/half-of-it-pros-overburdened-when-trying-to-keep-up-wi
th-patches-study-says/article/482810/
-http://media.scmagazine.com/documents/216/wpcpf1a_tripwire_combating_pat_53903.p
df

Marcher Trojan Pretends to be Adobe Flash Installer (March 11 and 14, 2016)

A new variant of the Marcher Trojan horse program spreads in the guise of an Adobe Flash Player installer. Marcher, which targets Android devices, attempts to get users to hand over financial data.
-http://www.eweek.com/security/marcher-trojan-uses-new-tactic-to-infect-android-u
sers.html
-http://www.scmagazine.com/scammers-push-android-marcher-trojan-using-porn/articl
e/483083/
[Editor's Note (Honan): My favorite bait message continues to be "Click here to update Adobe Reader." Adobe has trained the community to accept that message without question. What is more, Adobe seems to lack a fundamental strategy for protecting its own code, and the systems hosting it, from contamination by its data. It is sad that one must avoid Reader and run Acrobat in a sand-box. ]

Day in Life of a CISO: Virginia Tech's Randy Marchany (March 10, 2016)

Virginia Tech Chief Information Security office (CISO) Randy Marchany describes his job at the university as being "responsible for the data protection and security of a 'small city' comprised of various business operations." The biggest threat is the theft of intellectual property and sensitive data. Marchany also says that, "the CISO position needs to be elevated to the management team."
-http://www.silverbull.co/a-day-in-the-life-of-a-ciso-virginia-tech/
[Editor's Note (Honan): This is a good read for everyone responsible for security in their organisations. Universities have been dealing for many years with many of the challenges organisations face today, such as Bring Your Own Device, protecting intellectual property, and dealing with users who "know more" that the security team. (Pescatore): I ran a panel at the RSA Conference called "Lessons from Real World CISOs" and had invited the Randy Marchany shown in that picture to be on a CISO panel. A much scruffier, but just as eloquent, version showed up... ]

---

STORM CENTER TECH CORNER

Powershell Malware
-https://isc.sans.edu/forums/diary/Powershell+Malware+No+Hard+drive+Just+hard+tim
es/20823/

Recent Examples of KaiXin Exploit Kit
-https://isc.sans.edu/forums/diary/Recent+example+of+KaiXin+exploit+kit/20827/

Adobe Flash Patch
-https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
-https://technet.microsoft.com/en-us/library/security/ms16-036

OTR Memory Corruption Vulnerability
-https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Mac Cryptoransomware KeRanger Derived From Linux Malware
-https://labs.bitdefender.com/2016/03/keranger-is-actually-a-rewrite-of-linux-enc
oder/

Forensicating Docker
-https://isc.sans.edu/forums/diary/Forensicating+Docker+Part+1/20835/

Samsung Laptop Update Tool Vulnerability
-http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm

Tracing Back Crypto Ransomware
-http://phishme.com/ransomware-rising-criakl-osx-others/

SSRF In imgur.com
-https://hackerone.com/reports/115748

SSH Forwarding Abuse
-https://isc.sans.edu/forums/diary/SSH+Honeypots+Abused+as+Proxy/20837/

Encrypt Files On Cloud Services
-https://cryptomator.org/

Typosquatting in .om
-https://www.endgame.com/blog/what-does-oman-house-cards-and-typosquatting-have-c
ommon-om-domain-and-dangers-typosquatting

Automatic Vulnerablity Scanners and False Positives
-http://www.theregister.co.uk/2016/03/14/cheap_auto_vulnerability_scanners_can_ha
ve_a_16000_opex_tag/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/