SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #25

March 29, 2016

TOP OF THE NEWS

FBI Unlocks iPhone Without Apple's Help
MedStar Health System Infected with Malware
Verizon Customer Data Breach

THE REST OF THE WEEK'S NEWS

Google Enhances Gmail Security
FBI Seeking Help with Ransomware Investigation
Ransomware Uses Windows PowerShell
Apple Fixes iOS Update Problem
USB Thief Trojan
Keystroke Loggers Found at Concordia University
Google Updates Chrome 49
Microsoft Transparency Report for Second Half of 2015

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk ***************************

Security and operational visibility are critical in AWS deployments. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS. Register for our upcoming webinar to hear how a leading AWS & Splunk customer seamlessly transforms data from their AWS environment into real-time security insights.
http://www.sans.org/info/184457

***************************************************************************

TRAINING UPDATE

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of Summit talks featuring a keynote by Dr. Eric Cole, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI Unlocks iPhone Without Apple's Help (March 28, 2016)

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and "has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone."
-http://www.csmonitor.com/Technology/2016/0328/Justice-Department-cracks-iPhone-w
ithout-help-from-Apple
-http://www.zdnet.com/article/fbi-gets-access-to-seized-iphone-without-apples-hel
p-drops-legal-case/
-http://arstechnica.com/tech-policy/2016/03/feds-break-through-seized-iphone-stan
d-down-in-legal-battle-with-apple/
-http://www.bloomberg.com/news/articles/2016-03-28/u-s-drops-apple-case-after-suc
cessfully-accessing-iphone-data-imcj88xu
-http://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/
-http://www.computerworld.com/article/3048837/security/doj-cracks-san-bernardino-
shooters-iphone.html
[Editor's Note (Honan): Aside from the law enforcement backdoor arguments, this case is a prime example of why we should never think of security controls, such as encryption, being unbreakable. Time and advances in technology will make today's protection mechanisms obsolete and we therefore need to plan and amend our defences accordingly. Encryption, like all security controls, does not prevent a security breach but simply delays it long enough for you to detect and respond. ]

MedStar Health System Infected with Malware (March 28, 2016)

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating.
-http://www.eweek.com/security/verizon-acknowledges-breach-of-basic-customer-cont
act-data.html
-http://thehill.com/policy/cybersecurity/274491-computer-virus-forces-dc-health-c
are-giant-offline-reports
-http://www.reuters.com/article/us-usa-cyber-medstar-idUSKCN0WU1O9
[Editor's Note (Williams): This case again highlights the need for good disaster recovery plans. Organizations should be planning today for how they will deal with ransomware and other destructive attacks - these are no longer black swan events. ]

Verizon Customer Data Breach (March 24, 2016)

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are "basic contact information
[of ]
enterprise customers."
-http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer
-data/
-http://www.eweek.com/security/verizon-acknowledges-breach-of-basic-customer-cont
act-data.html

---

************************** SPONSORED LINKS ********************************
1) EMA Research Report: Next-Generation Endpoint Security Market Sizing and Forecast 2016-2020 - Download Free Now: http://www.sans.org/info/184462

2) Evolving from cyber Gatherers to cyber Hunters - Darwin was wrong about APTs. Tuesday, March 29, 2016 at 1:00 PM EDT (17:00:00 UTC) with Darren Anstee and John Pescatore. http://www.sans.org/info/184467

3) Tell us about the role and value of Cyber Insurance in the 2016 Survey. http://www.sans.org/info/184472
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google Enhances Gmail Security (March 25, 2016)

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google's blog post also notes the company's participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to "ensure TLS encryption works as intended."
-http://www.scmagazine.com/google-enhances-gmail-security-to-thwart-malicious-lin
ks-state-sponsored-cyberattacks/article/485604/
Google Blog:
-https://security.googleblog.com/2016/03/more-encryption-more-notifications-more.
html
[Editor's comment (Northcutt): Gmail is starting to become the de facto mail client in the same way Internet Explorer was the standard browser 15 years ago and it is good to see thought leadership in email security. - From the blogpost: "In the 44 days since we introduced it,
[visual element to notify user recipient does not support encryption ]
, the amount of inbound mail sent over an encrypted connection increased by 25%. We're very encouraged by this progress! Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue."

FBI Seeking Help with Ransomware Investigation (March 28, 2016)

Reuters obtained a copy of a confidential "Flash" advisory, dated March 25, 2016, in which FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer.
-http://www.reuters.com/article/us-usa-cyber-ransomware-idUSKCN0WU1GB
[Editor's Note (Honan): Ransomware, like all other malware, should be prevented using multiple layers of protection such as those outlined in the SANS Critical Security Controls. With regards to Ransomware The Computer Incident Response Center Luxembourg (CIRCL) have released an excellent guide on "Proactive defenses and incident response"
-https://www.circl.lu/pub/tr-41/]

Ransomware Uses Windows PowerShell (March 25, 2016)

Ransomware known as PowerWare spreads through phishing messages as a malicious macro in Word documents. It launches two instances of PowerShell to download and then execute the PowerWare script. PowerWare was detected by Carbon Black on a healthcare client's system.
-http://www.computerworld.com/article/3048282/security/new-ransomware-abuses-wind
ows-powershell-word-document-macros.html
-https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-wri
tten-in-powershell-targets-organizations-via-microsoft-word/

Apple Fixes iOS Update Problem (March 25 and 28, 2016)

Apple has reissued iOS 9.3, which it initially released last week, to fix a device activation problem that was locking users out of their devices if they did not know their AppleID and password. There have also been reports that the update made Safari unusable.
-http://www.computerworld.com/article/3048767/apple-ios/apple-re-issues-ios-93-af
ter-crippling-older-devices-confusing-customers.html
-http://arstechnica.com/apple/2016/03/apple-pulls-ios-9-3-update-for-older-device
s-following-activation-problems/
-http://www.computerworld.com/article/3048228/apple-ios/ios-apple-activation-upda
te-itbwcw.html
-http://www.bbc.com/news/technology-35898788
-http://www.forbes.com/sites/gordonkelly/2016/03/28/apple-ios-9-3-safari-link-pro
blem/#198ae375797f
-http://www.macrumors.com/2016/03/28/apple-releases-updated-ios-9-3/

USB Thief Trojan (March 24 and 25, 2016)

As its name suggests, the USB Thief Trojan horse program infects computers that are not connected to the Internet. USB Thief is sophisticated malware; it is crafted to avoid detection and thwart reverse engineering. Because the malware resides in a USB device, it leaves no footprint on the computer from which it steals data.
-http://www.darkreading.com/attacks-breaches/dangerous-new-usb-trojan-discovered/
d/d-id/1324853?
-http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-gapped-pc
s-leaves-no-trace-of-infection/
[Editor's Note (Williams): While this is certainly interesting malware, it must first trick the user into executing the malware stored on the USB - it has no automatic execution capabilities like those seen in Stuxnet. Good user education should mitigate this threat completely. ]

Keystroke Loggers Found at Concordia University (March 25, 2016)

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities.
-http://www.scmagazine.com/concordia-university-discovers-keylogger-security-inci
dent/article/485609/
University Notice:
-https://www.concordia.ca/students/cunews/main/stories/2016/03/21/security-breach
-involving-some-library-standing-express-workstations-keylogger.html

Google Updates Chrome 49 (March 25, 2016)

Google has updated the Chrome stable channel to version 49.0.2623.108 for Windows, Mac, and Linux. The update comprises five fixes, including four high severity fixes submitted by external researchers.
-http://www.scmagazine.com/google-patches-chrome-49-vulnerabilities/article/48544
1/
-http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html

Microsoft Transparency Report for Second Half of 2015 (March 25, 2016)

Microsoft's transparency report for the second half of 2015 shows that the company received 11 percent more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information.
-http://www.zdnet.com/article/microsoft-sees-rise-in-demands-for-data-but-fewer-n
ational-security-orders/
-http://blogs.microsoft.com/on-the-issues/2016/03/25/microsoft-updates-and-expand
s-latest-biannual-reports-on-our-transparency-hub/

---

STORM CENTER TECH CORNER

Instagram Authentication Bypass Vulnerability
-https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-ac
counts/

HTTP Public Key Pinning
-http://www.theregister.co.uk/2016/03/24/see_a_pin_and_pick_it_up_for_the_sake_of
_security/

Manipulating Lottery Tickets
-http://www.courant.com/breaking-news/hc-more-5-card-cash-arrests-0323-20160322-s
tory.html

Improving Bash Forensics
-https://isc.sans.edu/forums/diary/Improving+Bash+Forensics+Capabilities/20887/

TrueCaller App Leaks Personal Data
-http://www.cmcm.com/blog/en/security/2016-03-28/974.html

Mobile Malware Uses GPS To Send Fake Traffic Tickets
-https://chester.crimewatchpa.com/tredyffrinpd/7372/post/scam-alert-speeding-tick
et-email-scam

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/