SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #24

March 25, 2016

Which products can you trust for the Critical Security Controls? California's Attorney General, Kamala Harris, issued a report concluding that failing to implement the Critical Security Controls "constitutes a lack of reasonable security." A wide range of businesses and government agencies have reached the same conclusion, and to aid deployment efforts SANS will distribute a poster, "Monitoring and Measuring the Critical Security Controls" this summer that will highlight products that enterprise can use to accelerate and enhance their efforts in implementing the Critical Security Controls. Vendors with products that have capabilities in that area should send email trends@sans.org to receive a copy of the product survey.
Alan

---

TOP OF THE NEWS

Intruders Altered Chemical Settings at Water Treatment Plant
Grand Jury Indicts Seven Iranians in Connection with Attacks on Banks and Dam
Oracle Says Patch Java Now

THE REST OF THE WEEK'S NEWS

DOJ Charges Three Alleged Members of Syrian Electronic Army
Man Pleads Guilty to Stealing US Military Data
POS Attackers May Have Exploited CCTV DVR Firmware Flaw to Access Networks
Critical File Sharing Flaw in Windows and Samba
Macro Blocking Now Available in Office 2016
Three More US Hospitals Infected with Ransomware
Anita Borg Institute ABIE Award Winners Announced
DoD Temporarily Blocked Access to Personal Webmail
Apple Updates Operating Systems
CORRECTION: UKRAINE REPORT: ICS SECURITY EXPERTS

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************* Sponsored By Trend Micro Inc. **********************

See why Trend Micro Endpoint Security moved furthest to the right in the 2016 Gartner MQ Endpoint Protection Platforms leadership quadrant. From new, advanced detection technologies to seamless cloud security solutions, Trend Micro endpoint security is delivering next generation endpoint security to our customers.
http://www.sans.org/info/184382

***************************************************************************

TRAINING UPDATE

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of Summit talks featuring a keynote by Dr. Eric Cole, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Canberra, Copenhagen, Prague and Houston all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Intruders Altered Chemical Settings at Water Treatment Plant (March 22 and 23, 2016)

One of the incidents described in Verizon's Data Breach Digest involved a hacktivist group that gained access to an ICS/SCADA system at a water treatment facility and altered the levels of chemical used to treat drinking water. The intruders gained access through phishing and SQL injection attacks. The country in which the incident occurred was not specified. The attackers were able to gain access to the system through unpatched flaws in the Internet facing customer payment portal.
-http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
-http://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-acci
dent-502043.shtml
-http://www.zdnet.com/article/the-future-of-our-city-services-cyberattackers-targ
et-core-water-systems/
[Editor's Note (Assante): We are still trying to do our own homework on this published incident. One common weakness in the water sector is web-based remote access to plant systems. There are a growing number of ICS-focused actors that are developing competency around exploiting Internet-facing attack surfaces. (Williams): That the attackers gained access through the internet facing payment portal suggests an inadequate separation between IT (information technology) and OT (operational technology) assets. Utilities in particular must ensure that there are limited points where the two networks meet and heavily monitor those choke points. ]

Grand Jury Indicts Seven Iranians in Connection with Attacks on Banks and Dam (March 24, 2016)

A federal grand jury in New York has issued indictments for seven people employed at two Iran-based technology companies for a "campaign of cyberattacks" against US bank websites and an intrusion into a supervisory control and data acquisition (SCADA) system at a suburban New York dam. The seven people were allegedly working on behalf of the Iranian government.
-https://www.washingtonpost.com/world/national-security/justice-department-to-uns
eal-indictment-against-hackers-linked-to-iranian-goverment/2016/03/24/9b3797d2-f
17b-11e5-a61f-e9c95c06edca_story.html
-http://www.darkreading.com/cloud/doj-indicts-7-iranian-hackers-for-attacks-on-us
-banks-and-new-york-dam/d/d-id/1324834?
-http://arstechnica.com/tech-policy/2016/03/federal-grand-jury-indicts-7-iranians
-for-campaign-of-cyber-attacks/
-https://fcw.com/articles/2016/03/24/iran-hacker-indict.aspx
[Editor's Note (Assante): The DOJ action supports a broader strategy that spans diplomacy to enforcement. What have we learned from DOJ's earlier charges filed against Chinese individuals? Another interesting area focuses on damages; the banks clearly can present damages, but how about a dam where the claim is that the attacker had the potential to maliciously operate the infrastructure? (Henry): I have to comment on this and the other two stories about criminal charges. This week a PRC national, seven Iranians, and three Syrians were all charged with crimes related to unauthorized access into US computer networks. Wait, what? When the US indicted 5 Chinese nationals a year and a half ago, there was a lot of criticism that it was useless, and more optics than tactics. I said at the time that, while it was highly unlikely anyone would ever be extradited to the US in that case, it did change the game. I think we're now beginning to see the fruits of that change. Investigations against foreign intelligence services and terrorist groups have escalated. There has been enhanced cooperation with allied nations against organized crime groups. We've seen extensive discussion with Chinese president Xi and other foreign leaders, and the USG is using multiple tools in its arsenal to try and disrupt and deter those targeting intellectual property and critical infrastructure. While not the "be all, end all," these efforts are helping to move the debate forward, and are new tactics in the long-term objective to better secure our networks.]

Oracle Says Patch Java Now (March 24, 2016)

Oracle has released an out-of-cycle patch for a flaw in Java SE in desktop and browser plug-ins. The flaw could be exploited over a network without authentication to "impact the availability, integrity, and confidentiality of the user's system." The newly updated version of Java is Java SE 8u77. The SC magazine story also notes updates from Cisco for IOS and IOS XE to address six high-priority vulnerabilities in multiple products.
-http://www.theregister.co.uk/2016/03/24/java_flaw_cve_2016_0636/
-http://www.scmagazine.com/oracle-and-cisco-both-released-critical-security-updat
es-affected-several-products/article/485316/
-http://www.computerworld.com/article/3047528/security/emergency-java-update-fixe
s-two-year-old-flaw-after-researchers-bypass-old-patch.html
Oracle Alert:
-http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.ht
ml
US-CERT on Cisco Updates:
-https://www.us-cert.gov/ncas/current-activity/2016/03/23/Cisco-Release-Security-
Updates
[Editor's Note (Murray): Patching is expensive; non-routine patching even more so. We expedite patching because OUR risk of penetration in the window between availability of the patch and our normal schedule is high AND the consequences grave. We do not do it to save the product vendor embarrassment.]

---

************************** SPONSORED LINKS ********************************
1) Don't Miss: Mapping Attack Infrastructure: Leave Your Foe With Nowhere to Hide. Thursday, March 31, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Steve Ginty, Co-Founder of RiskIQ's PassiveTotal. http://www.sans.org/info/184387

2) Once Box collaborators obtain files, governance is gone. FinalCode for Box mitigates data leakage risks. http://www.sans.org/info/184392

3) Tell us about the role and value of Cyber Insurance in the 2016 Survey. http://www.sans.org/info/184397
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

DOJ Charges Three Alleged Members of Syrian Electronic Army (March 22, 2016)

The US Justice Department (DoJ) has charged three people who are allegedly members of the Syrian Electronic Army (SEA) with multiple counts involving conspiracy to commit computer crimes. SEA, which has been active since 2011, allegedly launched spear phishing campaigns against various US government, media, and private sector organizations. SEA also allegedly hijacked social media accounts.
-https://www.washingtonpost.com/news/the-switch/wp/2016/03/22/u-s-charges-three-s
uspected-syrian-electronic-army-hackers/
-https://fcw.com/articles/2016/03/22/justice-syrian-hackers.aspx
-http://www.scmagazine.com/doj-charges-three-syrian-electronic-army-members/artic
le/484876/
-http://www.zdnet.com/article/us-charges-three-suspected-members-of-the-syrian-el
ectronic-army/
-https://www.justice.gov/opa/pr/computer-hacking-conspiracy-charges-unsealed-agai
nst-members-syrian-electronic-army

Man Pleads Guilty to Stealing US Military Data (March 23 and 24, 2016)

A Chinese man has "admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive
[US ]
military data," according to the US assistant Attorney general for national security. Su Bin, who is a Chinese citizen, was arrested in Canada in 2014, where he is a permanent resident. He was extradited to the US in February 2016.
-http://www.bbc.com/news/technology-35888106
-http://www.zdnet.com/article/chinese-citizen-pleads-guilty-to-hacking-us-defense
-contractor-systems/
-http://www.cbc.ca/news/canada/british-columbia/b-c-man-su-bin-pleads-guilty-to-s
tealing-u-s-military-secrets-1.3505571
-https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us
-defense-contractors-systems-steal-sensitive

POS Attackers May Have Exploited CCTV DVR Firmware Flaw to Access Networks (March 24, 2016)

RSA researcher Rotem Kerner used information he found in a 2014 RSA paper on point-of-sale (POS) malware known as Backoff to investigate the possibility that closed circuit television (CCTV) DVR equipment often used by brick-and-mortar retailers provided attackers a way into the retailers' systems, allowing them to place point-of-sale malware on them and steal payment card data. The technical data used in the paper showed that many of the computers infected with Backoff were running small servers with certain open ports that correspond to software used for CCTV DVR equipment.
-http://www.computerworld.com/article/3048155/security/firmware-bug-in-cctv-softw
are-may-have-given-pos-hackers-a-foothold.html
-http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

Critical File Sharing Flaw in Windows and Samba (March 23 and 24, 2016)

A patch coming in April will fix a critical flaw affecting the Server Message Block (SMB) protocol in Windows and Samba. The flaw, known as Badlock, will be disclosed on April 12. Members of the information security community have been critical of the decision to publicize the vulnerability and forthcoming fix so far in advance.
-http://www.computerworld.com/article/3047227/security/prepare-to-patch-a-critica
l-flaw-in-windows-and-samba-file-sharing.html
-http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism
/
-http://badlock.org

Macro Blocking Now Available in Office 2016 (March 23, 2016)

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone.
-http://www.theregister.co.uk/2016/03/23/ms_macro_blocking_tech/
-http://www.computerworld.com/article/3047249/security/microsoft-adds-macros-lock
down-feature-in-office-2016-in-response-to-increasing-attacks.html
-https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-c
an-block-macros-and-help-prevent-infection/

Three More US Hospitals Infected with Ransomware (March 22 and 23, 2016)

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the "Internal State of Emergency" at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23.
-http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency
-after-ransomware-infection/
-http://www.bbc.com/news/technology-35880610
-http://arstechnica.com/security/2016/03/kentucky-hospital-hit-by-ransomware-atta
ck/
-http://www.nbcnews.com/tech/security/three-u-s-hospitals-hit-string-ransomware-a
ttacks-n544366

Anita Borg Institute ABIE Award Winners Announced (March 22, 2016)

The Anita Borg Institute's Women of Vision ABIE Awards honor women making significant contributions to technology. This year's winners are Michele Guel, Distinguished Engineer and Chief Security Architect of Cisco's Security & Trust Organization; Pooja Sankar, CEO and Founder of Piazza; and Alyssia Jovellanos, a computer science student at McMaster University.
-http://wov.anitaborg.org/news/the-anita-borg-institute-honors-visionary-women-in
-technology/

DoD Temporarily Blocked Access to Personal Webmail (March 22 and 23, 2016)

Late last week, the US Department of Defense (DoD) temporarily blocked access to private webmail due to concerns about "a recent, widespread phishing effort." DoD restored access to the services over the weekend.
-http://www.nextgov.com/cybersecurity/2016/03/pentagon-cut-access-personal-email-
fight-malicious-messages/126902/?oref=ng-channelriver
-http://thehill.com/policy/cybersecurity/273907-military-temporarily-shuts-down-p
ersonal-email-access
[Editor's Note (Murray): Email is email; personal not more likely to contain bait than enterprise. As long as we continue to do e-mail and mission critical applications in the same domain of trust, just so long will we remain vulnerable to attacks along this vector. Hardware is cheap; let us sacrifice some of it to security. ]

Apple Updates Operating Systems (March 22, 2016)

Apple has updated its desktop and mobile operating systems to address a number of security issues, including a cryptographic vulnerability in Apple's Messages app that could be exploited to decrypt encrypted communications. That issue and others are fixed in OS X 10.11.4 and iOS 9.3.
-http://www.eweek.com/security/apple-updates-os-x-10.11.4-and-ios-9.3-to-boost-se
curity.html

CORRECTION:

TOP 3 ICS SECURITY EXPERTS The last issue of NewsBites excluded one member of a team of security experts who jointly produced the authoritative after action report on the Ukraine cyber attack that took the power out. The list of authors should have been: Michael Assante, Tim Conway and Robert M. Lee. The full report published by the Electricity ISAC and SANS is available at
-https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

---

STORM CENTER TECH CORNER

IP Address Triage
-https://isc.sans.edu/forums/diary/IP+Addresses+Triage/20865/

Microsoft Revises MS16-029 to Include OS X
-https://technet.microsoft.com/library/security/ms16-029

Yahoo Expanding Account Key Passwordless Login
-https://yahoo-security.tumblr.com/post/141266516770/kill-your-password-with-yaho
o-account-key

Abusing Encryption Oracles
-https://isc.sans.edu/forums/diary/Abusing+Oracles/20875/

Comodo Antivirus Vulnerabilities
-https://bugs.chromium.org/p/project-zero/issues/detail?id=769

Facebook iOS Messenger Certificate Validation Vulnerability
-https://www.secureworks.com/research/swrx-2016-001

Ransom Malware Spreading via TeamViewer
-https://www.secureworks.com/research/swrx-2016-001

iMessage Login Issues After Applying Latest Update to OS X
-http://www.macrumors.com/2016/03/23/mac-users-facetime-imessage-login-issues/

The Importance of Ongoing Dialog
-https://isc.sans.edu/forums/diary/The+importance+of+ongoing+dialog/20881/

Abusing Bugs in Locky To Create A Vaccine
-https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create
-a-vaccine/?lang=en

OS X / iOS Memory Corruption Bug Can Lead to SIP Bypass
-https://www.syscan360.org/en/speakers/#issue-edd5

Generic Top Level Domain Statistic
-https://namestat.org

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/