SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #23

March 22, 2016


SANS FLASH: Ukraine Electric Grid Attack Techniques Revealed and Explained

The first in-depth report on the Ukraine hack was published this morning by NERC's Electricity Sector Information Sharing and Analysis Center. Infrastructure companies can use the report to perform gap analyses matching their defenses against the attack vectors that have now been clarified by the three top technical experts in industrial control systems security: Michael Assante, Tim Conway and Robert M. Lee. Given that level of expertise and transparency, regulatory agencies will quickly begin asking utility CEOs to demonstrate how they are closing the gaps that would make their companies vulnerable to life-changing power outages. Without power, the economies and governments of developed countries would be immobilized. Suzanne Spaulding, DHS Undersecretary for National Protection, concurs, saying she hopes the report will be a reality-check for US critical infrastructure owners. "I want ... [executives to say], 'what are we doing about this?'" to prevent similar attacks.
http://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743
The full report is the first document in the "Public Document Library" at https://www.esisac.com/
Alan

TOP OF THE NEWS

OMB Annual Report on Agency Security
FBI Postpones Apple Hearing
SWIFT Issues Warning After Bangladesh Bank Theft

THE REST OF THE WEEK'S NEWS

FBI and NHTSA Issue PSA About Internet Connected Cars
Paris Attackers Used Disposable Phones
New eMail Security Standard Proposed
Sieve Cloud Service Would Let Users Decide What Data to Share with Apps
Emergency Android Update: Local Elevation of Privilege Vulnerability in Linux Kernel
Apple Encryption Hole Fixed in iOS 9.3
NIST Telework Guidance

STORM CENTER TECH CORNER

TOP OF THE NEWS

OMB Annual Report on Agency Security (March 21, 2016)

According to a report from the US Office of Management and Budget (OMB), US government agencies reported 77,138 cybersecurity incidents in FY 2015, 10 percent higher than in FY 2014. The report, Annual Report to Congress: Federal Information Security Modernization Act, also notes that 21 of 24 agencies received a two or lower on a five-point scale measuring real-time continuous monitoring of security controls.
-http://www.nextgov.com/cybersecurity/2016/03/white-house-says-agencies-experienced-77200-cyber-incidents-2015/126810/?oref=ng-channeltopstory
-https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy_2015_fisma_report_to_congress_03_18_2016.pdf

[Editor's Note (Pescatore): For the first time, this report shows the results of Inspectors General assessing the maturity of agency continuous monitoring efforts. Only 2 of 24 agencies were at the Consistent level (3) while 15 were at the lowest level (1) Ad Hoc. While some individual ISCM scores (asset management, vulnerability management) went up, it looks like most of those gains were due to the "Cybersecurity Sprint" - a good thing, but pretty much a one time, Ad Hoc effort. Government agencies have not made much progress in increasing basic security hygiene in any sustainable way. (Murray): The report itself defies comment. However, industry should take more caution than comfort. (Williams): We focus, too often, on phishing attacks that deploy malware, ignoring those that solicit sensitive data that may be used by an attacker to later breach the network. ]

FBI Postpones Apple Hearing (March 21, 2016)

The FBI has been granted a continuance on its hearing regarding Apple's refusal to break into a suspect's iPhone. The agency now says it may be able to access the data on the iPhone without Apple's help. In the court filing, the FBI noted that "an outside party demonstrated to the FBI a possible method for unlocking" the device.
-http://www.wired.com/2016/03/fbi-now-says-may-crack-iphone-without-apples-help/
-http://thehill.com/policy/cybersecurity/273828-doj-asks-to-cancel-apple-hearing-may-be-able-to-hack-iphone
-http://www.theregister.co.uk/2016/03/21/fbi_apple_iphone/
-http://arstechnica.com/tech-policy/2016/03/fbi-says-it-might-be-able-to-break-into-seized-iphone-wants-hearing-vacated/
-http://www.computerworld.com/article/3046682/security/fbi-says-it-may-have-found-a-way-to-crack-shooters-iphone.html

FBI's Filing:
-https://regmedia.co.uk/2016/03/21/applefbivacate.pdf

SWIFT Issues Warning After Bangladesh Bank Theft (March 20 and 21, 2016)

In the wake of a US $81 million theft from Bangladesh's central bank, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) is urging financial institutions conducting international transactions to adopt security measures, including monitoring internal security. SWIFT can advise member institutions on security practices, but there is no enforceable security standard and security varies from bank to bank.
-http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0WM0ZS
-http://www.darkreading.com/cloud/swift-to-issue-warning-in-wake-of-cyberattack-on-bagladesh-central-bank-/d/d-id/1324767?

[Editor's Note (Murray): The kind of instant and trusted, but difficult to reverse, international transfers offered by S.W.I.F.T. are valuable. However, the safer national transfers offered by our Federal Reserve are, for most purposes, as fast and trusted. (Williams): "Advise" and "enforce" are two completely different things and have dramatically different outcomes for security. ]


THE REST OF THE WEEK'S NEWS

FBI and NHTSA Issue PSA About Internet Connected Cars (March 18 and 21, 2016)

The FBI and the US National Highway Traffic Safety Administration released a joint public service announcement (PSA) warning consumers about cyber threats facing automobiles. The message urges drivers to "take appropriate steps to minimize risk." Recommendations include keeping software up-to-date, paying attention to who has access to the car, and being careful about connecting third-party devices to the car's system.
-http://www.csmonitor.com/Technology/2016/0318/What-the-FBI-wants-you-to-know-about-vehicle-cybersecurity
-http://www.eweek.com/security/its-time-to-pay-attention-to-connected-car-cyber-threats.html
-http://www.zdnet.com/article/fbi-to-drivers-watch-out-for-these-malware-attacks-on-your-car/
-https://fcw.com/articles/2016/03/18/car-hacking.aspx
-http://www.nextgov.com/defense/2016/03/fbi-warning-drivers-your-car-may-be-vulnerable-hacking/126788/?oref=ng-channelriver
-http://www.scmagazine.com/fbi-dot-psa-motor-vehicles-increasingly-vulnerable-to-remote-exploit/article/484178/

-http://www.cnet.com/roadshow/news/fbi-says-car-hacking-is-a-real-risk/
[Editor's Note (Williams): "Paying attention to who has access to the car" is easier said than done. What about when you get your oil changed? Drop the car off for detailing? Ask yourself whether you'd give a parking valet, mechanic or car detailer your unlocked phone or laptop and you'll see there are dimensions of risk we're only beginning to consider. (Murray): This remains a vulnerability without a problem. While the vulnerability may be wide-spread, thus far the "cyber threat" is limited to hackers out to get their "fifteen minutes." The FBI and NHTSA hope that such warnings might resist the emergence of a problem. However, the fables of Aesop suggest that warnings given in an excess of caution may be counter-productive. ]

Paris Attackers Used Disposable Phones (March 19 and 21, 2016)

According to a story in the New York Times, people responsible for planning and carrying out bombings in Paris last fall used disposable cell phones, known as burner phones. They also used phones taken from victims. No email or chats were found on the phones. The New York Times obtained a copy of a report compiled by French antiterrorism police for the French Interior Ministry.
-http://thehill.com/policy/cybersecurity/273747-paris-attackers-relied-on-burner-phones-not-encryption-report
-http://arstechnica.com/tech-policy/2016/03/paris-terrorist-attacks-burner-phones-not-encryption/
-http://www.nytimes.com/2016/03/20/world/europe/a-view-of-isiss-evolution-in-new-details-of-paris-attacks.html

New eMail Security Standard Proposed (March 21, 2016)

Engineers from major email service providers, including Google, Microsoft, and Comcast, have developed a new standard to bolster email security. The SMTP Strict Transport Security "is a mechanism enabling email service providers to declare their ability to receive TLS-secured connections, to declare particular methods for certificate validation, and to request sending SMTP servers to report upon and/or refuse to deliver messages that cannot be delivered securely."
-http://www.computerworld.com/article/3046444/security/google-microsoft-yahoo-and-others-publish-new-email-security-standard.html

SMTP Strict Transport Security Standard Draft:
-https://tools.ietf.org/html/draft-margolis-smtp-sts-00
[Editor's Note (Pescatore): For many years Internet email has had no underlying Internet support for encryption, or since 2002 or so only "opportunistic encryption" support - where only highly motivated senders/receivers could do encrypted mail and attackers could pretty easily subvert. The Strict Transport Security standard would begin needed movement towards mandatory transport encryption. A good thing, but not to be confused with movement towards persistent email content encryption. ]

Sieve Cloud Service Would Let Users Decide What Data to Share with Apps (March 21, 2016)

Computer scientists from MIT and Harvard are developing a cloud service designed to give people greater control over their personal data. Sieve would allow users to decide exactly which pieces of information they want to share with apps. Sieve would store users' personal information encrypted in the cloud. When apps want data, they would send a request to the user, and then receive a key that allows them access to just the data the user wishes to disclose. Users could also revoke the app's access to the data by having Sieve re-encrypt them with a new key.
-http://www.zdnet.com/article/could-this-encrypted-cloud-service-make-apps-take-your-privacy-seriously-again/

Emergency Android Update: Local Elevation of Privilege Vulnerability in Linux Kernel (March 18 and 21, 2016)

Google has released an out-of-band patch for Nexus devices to address a critical flaw in the Linux kernel. The flaw could be exploited to cause "local permanent device compromise;" fixing infected devices would require reflashing the operating system. Google had planned to include the fix in its next monthly security update for Nexus, but the company decided to issue the emergency patch after learning that the flaw was being actively exploited. The flaw affects "all unpatched Android devices on kernel versions 3.4, 3.10, and 3.14. ... Android devices using Linux kernel version 3.18 or higher are not vulnerable."
-http://www.zdnet.com/article/google-rushes-out-emergency-fix-for-android-rooting-exploit-but-most-phones-remain-at-risk/

-http://www.eweek.com/security/google-updates-android-for-linux-kernel-flaw.html
Android Security Advisory:
-https://source.android.com/security/advisory/2016-03-18.html
[Editor's Note (Murray): In his comments yesterday, Tim Cook suggested that perhaps as few as 2% of Android devices are current; his audience snickered. However, vulnerable appliances, including but not limited to "smartphones," resistant to late fixes, put the entire community at risk. If Android were a Steve Jobs product, he would abandon it and start over. ]

Apple Encryption Hole Fixed in iOS 9.3 (March 21, 2016)

A flaw in Apple's iMessage can be exploited to decrypt images and videos stored in iCloud. The flaw has been addressed in iOS 9.3, which was released on Monday, March 21. Updates have also been released for El Capitan versions 11 through 13.
-http://www.zdnet.com/article/apple-releases-ios-9-3-fixing-a-major-imessage-encryption-flaw/
-http://www.darkreading.com/vulnerabilities---threats/imessage-encryption-cracked-but-fixed-in-new-ios-93-/d/d-id/1324776?
-https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html
-http://www.theregister.co.uk/2016/03/21/zero_day_apple_grapple_dredges_imessage_photos_videos_in_ios_9/
-http://arstechnica.com/security/2016/03/crypto-vulnerability-lets-attackers-decrypt-imessage-photo-article-warns/

NIST Telework Guidance (March 21, 2016)

The National Institute of Standards and Technology (NIST) has released draft guidance for telework protocol. The update recommends that agencies should establish virtual mobile infrastructure (VMI) technology and implement mobile device management tools that would prevent users from accessing sensitive data and networks from devices that are not properly configured. The original version of the guidance was drafted in 2009.
-http://www.scmagazine.com/nist-releases-updated-telework-guidance/article/484286/


STORM CENTER TECH CORNER

Mitre Releases Proposal To Update CVE System
-http://common-vulnerabilities-and-exposures-cve-editorial-board.1128451.n5.nabble.com/Very-Important-Message-for-the-Editorial-Board-td131.html

Google Releases Surprise Patch for Android
-http://source.android.com/security/advisory/2016-03-18.html

Pwn2Own Day 2 Summary
-http://blog.trendmicro.com/pwn2own-day-2-event-wrap/

Apple Updates
-https://support.apple.com/en-us/HT201222

How To Fall For Ransomware and Why Anti-Virus isn't Protecting You
-https://isc.sans.edu/forums/diary/Why+Users+Fall+For+Ransomware/20867/

Domain Spoofing Possible with StartSSL
-http://oalmanna.blogspot.com/2016/03/startssl-domain-validation.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/