SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #27
April 05, 2016
A teachable moment for your CIOs and web site managers: The first two stories (and editors' comments) illuminate the central error that tens of thousands of hospitals and state and local governments and businesses are making: Using flawed (out-of-date) content management software on their web sites. The cost in this case and in many similar cases: injecting ransomeware into the computers of untold numbers of visitors to the hospital's web sites.
Alan
TOP OF THE NEWS
Ransomware Hits Another (Canadian) HospitaljQuery JavaScript Library Attack
'Hack the Pentagon' Launches
THE REST OF THE WEEK'S NEWS
Google Releases Monthly Android UpdateMicrosoft Patches Account Hijacking Flaw
Cyber Insurance Rates Drop
Optus Cable Modems Patched
Alleged Data Thief Extradited from Romania
The Art of Privacy
Defense Department Cyber Event Purview Vague
Lhasa Library Flaw
ICS/SCADA Threat Intelligence Sharing Portal
STORM CENTER TECH CORNER
STORM CENTER TECH CORNER********************** Sponsored By Carbon Black *********************
The Most Dangerous Game; Evolving Threat Hunting to Keep Up with Skilled Adversaries. Tuesday, April 12, 2016 at 1:15 PM EDT (17:15:00 UTC) with Ryan Cason, Marc Brawner. Speakers share insight into what skills and tools you need to hunt effectively, how the security team can unite to collectively defend against bad actors and share insight into the returns your team will get from honing the craft of threat hunting.
http://www.sans.org/info/184637
***************************************************************************
TRAINING UPDATE
- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course www.sans.org/u/dzf - --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP
- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0
- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM
- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk
- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz
- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh
- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy
Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
Ransomware Hits Another (Canadian) Hospital (March 24 and April 1, 2016)
Earlier this year, the website of a Canadian hospital in Ontario was found to be spreading TeslaCrypt ransomware. Norfolk General Hospital's site was running an outdated version of Joomla content management software; the hospital was running version 2.5.6, while the most up-to-date version is 3.4.8. The ransomware was spread through a drive-by download attack.-http://www.cbc.ca/news/technology/norfolk-general-hospital-hack-1.3504229
-http://www.scmagazine.com/attackers-targeted-another-canadian-medical-facility-t
argeted/article/487154/
[Editor's Note (Williams): Ransomware isn't the real story here; rather it's the significantly out-of-date Joomla CMS running the hospital's website. Joomla and other content management systems can actually boost security over custom web sites that may not be coded with security best practices in mind. But like any other software, CMS must be patched regularly to be secure. ]
jQuery JavaScript Library Attack (April 4, 2016)
Attackers are using the jQuery JavaScript library to inject malicious code into websites running Joomla and WordPress content management systems. The jQuery library is used to help different implementations of JavaScript seem transparent across browsers.-http://www.zdnet.com/article/wordpress-joomla-domains-under-attack-through-jquer
y-security-flaw/
-https://blog.avast.com/wordpress-and-joomla-users-get-hacked-be-aware-of-fake-jq
uery
[Editor's Note (Williams): Don't get lost in the hype on this story, query itself is not vulnerable. Vulnerable websites, most running outdated Joomla and Wordpress, have been hacked and include rogue copies of the jQuery library. This should not be confused for a vulnerability in jQuery itself. ]
'Hack the Pentagon' Launches (April 1 and 4, 2016)
The US Department of Defense (DoD) has launched its "Hack the Pentagon" bug bounty program. The pilot program will run from April 18 through May 12. DoD has set aside US $150,000 for flaws found during that period. People wishing to participate must submit to a criminal background check and meet a list of requirements, including being eligible to work in the US and not residing in a country currently under US trade sanctions. DoD has not yet identified the sites and systems that the participants will be allowed to target.-http://www.zdnet.com/article/hack-the-pentagon-first-us-government-bug-bounty-pr
ogramme-opens-for-business/
-http://arstechnica.com/security/2016/04/dod-invites-you-well-some-of-you-to-hack
-the-pentagon-this-month/
************************** SPONSORED LINKS ********************************
1) Gamification of a Fortune 20 SOC. Thursday, April 07, 2016 at 1:00 PM EDT (17:00:00 UTC) with Marcel Hoffmann and Josh Stevens. http://www.sans.org/info/184642
2) 2016 SANS ICS Security Survey -- Take Survey for Chance to Win $400 Amazon Card. http://www.sans.org/info/184647
3) Survey: Help SANS assess state of infosec in healthcare -- Chance to win $400 Amazon gift card. http://www.sans.org/info/184652
***************************************************************************
THE REST OF THE WEEK'S NEWS
Google Releases Monthly Android Update (April 5, 2016)
Google's April Android security update includes fixes for 39 vulnerabilities, 15 of which are rated critical. The updates have been released to Nexus devices over the air; the firmware images have been released to the Google developer site. Partners were notified of the issue in March.-https://source.android.com/security/bulletin/2016-04-02.html
-http://www.theregister.co.uk/2016/04/05/android_security_patch/
-http://www.cso.com.au/article/597289/google-fixes-15-critical-android-flaws-apri
l-patch/
Microsoft Patches Account Hijacking Flaw (April 5, 2016)
Microsoft has patched an account-hijacking vulnerability just days after learning of the flaw. The authentication vulnerability could have been exploited to create phishing sites for Outlook and other Microsoft services and use those sites to capture tokens. The issue was reported to Microsoft on January 24, 2016; the company patched the flaw on January 26, 2016.-http://www.theregister.co.uk/2016/04/05/microsoft_brews_serves_accounthijack_hol
e_patch_in_two_days/
Cyber Insurance Rates Drop (March 30, 2016)
The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 millions in insurance fell to US $18,756. Last year, in the wake of high profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642.-http://www.reuters.com/article/us-cyber-insurance-idUSKCN0WW1X4
[Editor's Note (Pescatore): Like any insurance, the premium is only one factor in the complicated calculus around cybersecurity insurance. The most important factor is actually the most complicated: the contract language defining what is covered and what isn't. Pre-existing conditions, third party risks, errors vs. attacks, etc. - lots of variance across policies. Also important to realize cybersecurity insurance only reduces risk by the policy amount, vs. bounding or capping risk, let alone actually transferring risk. The premiums dropping are more about sales dropping due to these factors than it is due to lack of high profile incidents. (Murray): This market can be expected to become more efficient and competitive now that there are tens of underwriters and most enterprises recognize the efficiency of assigning residual risk. Many enterprises are still not capable of shopping the market. "Cyber" insurance complements, but does not include or replace, business interruption coverage. ]
Optus Cable Modems Patched (April 4, 2016)
Optus has fixed a security issue in some of its routers that could be exploited to change administrator passwords without the need to know current passwords. The issue affects CG300v2 modems. The patch was pushed out to affected routers. The updated firmware is version 2.08.05.-http://www.theregister.co.uk/2016/04/04/optus_patches_crap_credential_cockup_in_
cable_modems/
Alleged Data Thief Extradited from Romania (April 1 and 4, 2016)
Marcel Lehel Lazar has been extradited from Romania to the US. He faces charges of wire fraud, unauthorized access to protected computers, identity theft, cyberstalking, and obstruction of justice in a total of nine cases. Lazar has made his initial appearance in federal court in Virginia. Lazar allegedly broke into email and social media accounts belonging to high-profile individuals and leaked correspondence and other personal information.-http://www.darkreading.com/threat-intelligence/hacker-guccifer-extradited-to-us/
d/d-id/1324964?
-http://www.zdnet.com/article/romanian-national-extradited-to-us-on-hacking-charg
es/
-https://www.justice.gov/opa/pr/romanian-national-guccifer-extradited-face-hackin
g-charges
The Art of Privacy (April 1, 2016)
Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation.-http://www.wired.com/2016/04/sculpture-lets-museums-amplify-tors-anonymity-netwo
rk/
Defense Department Cyber Event Purview Vague (April 4, 2016)
It is unclear which organization within the US Department of Defense (DoD) would be in charge of military support in the event of cyber incidents. Until the Pentagon "clarified the roles and responsibilities of its components,[it ]
may not be positioned to effectively employ its forces and capabilities to support civil authorities in a cyberincident," according to Government Accountability Office (GAO) director for defense capabilities and management Joseph W. Kirschbaum.
-http://www.nextgov.com/cybersecurity/2016/04/military-commands-tussle-over-cyber
-power/127218/?oref=ng-channeltopstory
Lhasa Library Flaw (April 1, 2016)
An integer underflow vulnerability in the Lhasa LZA/LHA decompression tool and library could be exploited to allow remote code execution. Users are urged to upgrade to the most recent version of Lhasa.-http://www.scmagazine.com/researchers-discover-vulnerability-in-lhasas-decompres
sion-tool-and-library/article/487144/
-http://www.theregister.co.uk/2016/04/01/lhasa_flaw/
-http://blog.talosintel.com/2016/03/vulnerability-lhasa.html
[Editor's Note (Williams): This vulnerability is likely to create exploitable issues in file scanning programs (e.g. security software). Watch carefully for patches, particularly in products that serve Japanese market where Lhasa compression is most popular. ]
ICS/SCADA Threat Intelligence Sharing Portal (March 31, 2016)
The EastWest Institute and the US Department of Homeland Security's ICS-CERT have launched a portal for operators of critical infrastructure around the world to share threat information.-http://www.darkreading.com/threat-intelligence/new-portal-launched-for-ics-scada
-threat-intelligence-sharing-among-nations/d/d-id/1324931
-http://ics-isac.org/blog/store-2/
STORM CENTER TECH CORNER
Tips for Stopping Ransomware-https://isc.sans.edu/forums/diary/Tips+for+Stopping+Ransomware/20903/
How to Decrypt Kimcilware Encrypted Files
-http://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-fil
es-and-who-is-behind-it
Fileless Malware
-http://blog.airbuscybersecurity.com/post/2016/03/FILELESS-MALWARE---A-BEHAVIOURA
L-ANALYSIS-OF-KOVTER-PERSISTENCE
Jenkins Continuous Integration Tool Leaks Anonymous Usage Data
-https://jenkins.io/blog/2016/03/30/usage-statistics-privacy-advisory/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
