
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #28

April 08, 2016


THE NEXT CYBER CAREER FAIR
On May 19, SANS will host its fifth online career fair to help employers and cybersecurity jobseekers connect in a virtual setting. The SANS CyberTalent Fair (https://app.brazenconnect.com/events/sans-cybertalent-fair-may2016) opened registration last week and includes employers such as the 780th Military Intelligence Cyber Brigade, Bechtel Marine Propulsion Corp., Solutionary, and others. The CyberTalent Fair is open to interested jobseekers and any employer who has cyber vacancies. Please contact mshuftan@sans.org or visit https://app.brazenconnect.com/events/sans-cybertalent-fair-may2016

TOP OF THE NEWS

Cybersecurity Courses Largely Missing at Top Computer Science Schools
ICS-CERT Warns of Security Flaws in Industrial Control Systems

THE REST OF THE WEEK'S NEWS

Ubuntu Patches Linux Kernel Flaws
Google Enhances Safe Browsing Alerts for Network Administrators
MedStar Health Systems Back Online
Guilty Plea in DDoS Case
Firefox Browser Extension Flaw
Apple Patches iPhone Lockscreen Bypass Flaw
Breached Panamanian Law Firm Says Attack Came from Europe
Emergency Flash Patch Coming
Maryland Appeals Court Upholds Lower Court Stingray Ruling
WhatsApp Bolsters Encryption
Correction: ICS/SCADA Threat Intelligence Sharing Portal

STORM CENTER TECH CORNER


********************* Sponsored By MalwareBytes ************************

Securing the Internet of Old Things (IoOT). Wednesday, April 20, 2016 at 2:00 PM EDT (18:00:00 UTC). Malwarebytes and G.W. Ray Davidson with SANS drill down on recent findings from the SANS 2016 Endpoint Security Survey. Learn how time is critical in incident response capabilities, the importance of focusing on IoOT and IoT, and how to prevent malicious attacks and simplify remediation efforts.
http://www.sans.org/info/184677

***************************************************************************

TRAINING UPDATE

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Cybersecurity Courses Largely Missing at Top Computer Science Schools (April 7, 2016)

According to a report from CloudPassage, just one of the 36 top ranked college and university computer science programs requires students to take cybersecurity classes. Three of the top ten programs do not even offer cybersecurity classes.
-http://www.darkreading.com/vulnerabilities---threats/top-us-undergraduate-computer-science-programs-skip-cybersecurity-classes/d/d-id/1325024?

-http://www.scmagazine.com/cybersecurity-being-overlooked-by-american-universities-report/article/488233/

[Editor's Note (Murray): Indeed our schools are granting degrees to people they have not taught to validate inputs, to those we have not taught strong data typing, or early testing. On the other hand they are turning out skilled hackers. (Paller): SANS did a similar survey five years ago after Oracle's Mary Ann Davidson published a blog about how college professors were completely unresponsive to Oracle's request to ensure people learning programming also learned secure programming (https://blogs.oracle.com/maryanndavidson/entry/the_supply_chain_problem). Our survey found the heads of computer science departments to be uniformly disdainful of the need, saying employers should do that kind of "training." That's the equivalent of medical schools training surgeons but not teaching them about infections. Good "surgical outcomes;" but dead patients. ]

ICS-CERT Warns of Security Flaws in Industrial Control Systems (April 7, 2016)

The US Department of Homeland Security's (DHS) ICS-CERT has issued advisories about vulnerabilities in industrial control systems from Eaton Lighting Systems, Pro-face, and Rockwell Automation. The security issues are: an authentication bypass vulnerability in Eaton Web Control v.4.04P and earlier; information disclosure and buffer overflow vulnerabilities in several versions of Pro-face GP Pro-EX; and an access violation memory error in Rockwell Automation Integrated Architecture Builder versions 9.6.0.7 and earlier, and 9.7.0.0 and 9.7.0.1. All three companies have released mitigations.
-http://www.scmagazine.com/dhs-issues-three-advisories-warning-of-vulnerabilities-in-industrial-control-systems/article/488409/

Eaton:
-https://ics-cert.us-cert.gov/advisories/ICSA-16-061-03
Pro-face:
-https://ics-cert.us-cert.gov/advisories/ICSA-16-096-01
Rockwell:
-https://ics-cert.us-cert.gov/advisories/ICSA-16-056-01


************************** SPONSORED LINKS ********************************
1) Overcome Privilege Management Obstacles with CSC v. 6. Tuesday, April 26, 2016 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Jon Wallace. http://www.sans.org/info/184682

2) Analyzing Analytics: Turning Big Data into Security Intelligence. Thursday, April 28, 2016 at 11:00 AM EDT (15:00:00 UTC) with TK Keanini. http://www.sans.org/info/184687

3) Cracking the Code on SaaS Security & Compliance. Thursday, April 28, 2016 at 1:00 PM EDT (17:00:00 UTC) with Brandon Cook. http://www.sans.org/info/184692
***************************************************************************

THE REST OF THE WEEK'S NEWS

Ubuntu Patches Linux Kernel Flaws (April 6 and 7, 2016)

Ubuntu has released updates to fix four vulnerabilities in the Linux kernel. The most current version is now Ubuntu 14.04 LTS. The flaws could be exploited to trigger crashes, allow remote code execution, and cause denial-of-service conditions.
-http://www.theregister.co.uk/2016/04/07/ubuntu_kernel_patch/
-http://www.ubuntu.com/usn/usn-2946-1/

Google Enhances Safe Browsing Alerts for Network Administrators (April 7, 2016)

Google is providing additional information to administrators through its Safe Browsing Alerts. In addition to alerting network administrators when unsafe URLs are detected on their networks, it now provides data about more threats, including drive-by downloads, adware, and suspected social engineering.
-http://www.zdnet.com/article/google-boosts-safe-browsing-with-malware-social-engineering-alerts/

[Editor's Note (Northcutt): And this is on top of the warnings for fake download buttons back in February. Google is really starting to put the dampers on some of this Internet crime and none too soon; one of my neighbors got scarewared just this morning:
-https://security.googleblog.com/2016/02/no-more-deceptive-download-buttons.html
-https://security.googleblog.com/2016_04_01_archive.html]

MedStar Health Systems Back Online (April 6 and 7, 2016)

MedStar Health says its systems are once again up and running after a ransomware attack in March. A spokesperson has denied allegations in news stories that the attack was successful because the organization's IT department had not applied patches for the JBoss web application server that had been available for years.
-http://arstechnica.com/security/2016/04/maryland-hospital-group-denies-ignored-warnings-allowed-ransomware-attack/

-http://www.scmagazine.com/medstar-hit-with-samsam-ransomware-source/article/488081/

Guilty Plea in DDoS Case (April 7, 2016)

Benjamin Earnest Nichols has pleaded guilty to violating the Computer Fraud and Abuse Act for launching a distributed denial-of-service (DDoS) attack against the website of a "security researcher" in 2010.
-http://www.scmagazine.com/eta-hacking-group-member-pleads-guilty-to-ddos-against-security-researcher/article/488408/

-http://www.darkreading.com/vulnerabilities---threats/hacker-from-oklahoma-pleads-guilty-in-ddos-attack-case/d/d-id/1325020

Firefox Browser Extension Flaw (April 5 and 6, 2016)

A vulnerability in Firefox's extension structure allows attackers to execute code under the guise of trusted extensions. The problem is believed to be the result of Firefox failing to isolate extensions. Malicious extensions can exploit the situation by operating through the capabilities of trusted extensions.
-http://www.v3.co.uk/v3-uk/news/2453607/millions-of-firefox-users-vulnerable-to-browser-extension-flaw

-http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

[Editor's Note (Murray): It becomes increasingly difficult to prefer one browser over another on the basis of their ability to resist contamination of themselves by their data or their host systems by embedded code. While it is rarely accepted, I continue to recommend that browsing and e-mail be isolated from mission-critical or otherwise sensitive systems. ]

Apple Patches iPhone Lockscreen Bypass Flaw (April 5 and 6, 2016)

Apple has patched a security issue affecting the iPhone 6S and 6S Plus running iOS 9.3.1 that can be exploited to access the address book and pictures in the device without entering the password. All that is necessary is that the device has Siri and the 3D Touch feature installed. Apple's fix was done server-side. Users can also revoke permissions for Siri to access the device's Twitter account information, contact list, and pictures.
-http://www.computerworld.com/article/3052821/security/apple-fixes-ios-lock-screen-bypass-that-gives-access-to-photos-contacts.html

-http://www.v3.co.uk/v3-uk/news/2453440/siri-flaw-in-ios-931-allows-access-to-photos-on-locked-iphone-6s-and-6s-plus

-http://www.zdnet.com/article/apple-goes-server-side-to-fix-siri-lock-screen-bypass-security-flaw/

-https://www.washingtonpost.com/news/the-switch/wp/2016/04/05/a-newly-found-apple-bug-lets-anyone-look-at-your-photos-and-contacts-by-using-siri/

-http://seclists.org/fulldisclosure/2016/Apr/19

Breached Panamanian Law Firm Says Attack Came from Europe (April 6, 2016)

A co-founder of Mossack Fonseca, the Panamanian law firm that experienced a massive data breach, has filed complaints with the Attorney General's office in Panama. Ramon Fonseca said in an interview that the breach came from Europe. Mossack Fonseca specializes in helping clients set up offshore companies to avoid taxes on assets.
-http://www.darkreading.com/threat-intelligence/panama-papers-law-firm-we-were-hacked/d/d-id/1325007?

-http://www.scmagazine.com/mossack-fonseca-files-complaint-with-ag-founder-blames-hackers-in-europe/article/488090/

-http://www.nbcnews.com/storyline/panama-papers/panama-papers-law-firm-says-data-hack-came-outside-n551556

[Editor's Note (Williams): The real story here is that an organization was likely compromised because they forgot to patch their content management systems. There are numerous good write-ups on this, but the one here is easily digestible: http://www.infoworld.com/article/3053654/security/sloppy-patching-insecure-plugins-made-panama-papers-leak-possible.html ]

Emergency Flash Patch Coming (April 6, 2016)

Adobe is readying an out-of-cycle patch for a vulnerability in Flash Player that is being actively exploited. The critical flaw in Flash Player 21.0.0.197 can be exploited to "cause a crash and potentially allow an attacker to take control of the affected system." Adobe is accelerating its entire scheduled monthly update.
-http://www.darkreading.com/vulnerabilities---threats/adobe-warns-of-critical-new-flash-player-bug/d/d-id/1325003?

-http://www.v3.co.uk/v3-uk/news/2453761/windows-10-users-at-risk-from-adobe-flaw-being-exploited-in-the-wild

-http://www.eweek.com/security/adobe-working-on-zero-day-pwn2own-patches-for-flash.html

-http://www.theregister.co.uk/2016/04/06/adobe_prepping_outofband_flash_patch/
-http://www.zdnet.com/article/adobe-readies-emergency-patch-for-flash-zero-day-bug-exploited-in-the-wild/

Advisory:
-https://blogs.adobe.com/psirt/?p=1330
This vulnerability was used to spread Cerber ransomware:
-http://www.computerworld.com/article/3053523/security/the-latest-flash-zero-day-was-used-to-spread-cerber-ransomware.html

Maryland Appeals Court Upholds Lower Court Stingray Ruling (April 6, 2016)

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, "A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and 'justified by circumstances,' obstructs the court's ability to make the necessary constitutional appraisal."
-http://www.wired.com/2016/04/spy-tool-ruling-inches-stingray-debate-closer-supreme-court/

-http://www.wired.com/wp-content/uploads/2016/04/Stingray-Ruling-Maryland-Appellate-Court.pdf

WhatsApp Bolsters Encryption (April 5, 2016)

Online messaging service WhatsApp is now fully encrypted on all platforms. The end-to-end encryption means that WhatsApp cannot access the contents of communications, and would therefore be unable to comply with court orders demanding access to that information.
-https://www.washingtonpost.com/world/national-security/whatsapp-the-messaging-service-announces-full-encryption-on-all-platforms/2016/04/05/80f071f6-fb3e-11e5-9140-e61d062438bb_story.html

-http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/

[Editor's Note (Pescatore): The real meaning of end-to-end encryption (when done right, which is non-trivial) is that security goes *up*. That increase in security impedes the bad guys way more often than it impacts law enforcement. National security goes *up* when the security of business and government systems increases. ]

Correction:

ICS/SCADA Threat Intelligence Sharing Portal

The ICS/SCADA threat information sharing portal was launched by the EastWest Institute and ICS-ISAC, not ICS-CERT. We apologize for the error.
-http://www.darkreading.com/threat-intelligence/new-portal-launched-for-ics-scada-threat-intelligence-sharing-among-nations/d/d-id/1324931

-http://ics-isac.org/blog/store-2/

STORM CENTER TECH CORNER

New Microsoft Patches API
-https://isc.sans.edu/forums/diary/New+Features+for+Microsoft+Patch+Data/20911/

BadLock Webcast
-https://www.sans.org/webcasts/badlock-102107

Microsoft Single Sign-on Vulnerable to Token Hijacking
-https://whitton.xyz/articles/obtaining-tokens-outlook-office-azure-account/

Domino's Pizza Mobile App Payment Bypass
-http://www.ifc0nfig.com/dominos-pizza-and-payments/

Cisco Security Advisory
-https://tools.cisco.com/security/center/publicationListing.x#~CiscoSecurityAdvisory

OSVDB Closes Down
-https://blog.osvdb.org/2016/04/05/osvdb-fin/

Securing the Human: OUCH! Newsletter
-https://securingthehuman.sans.org/resources/newsletters/ouch/2016

Google/Facebook CAPTCHA Broken Again
-https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf

Updated FBI Damage Numbers For Business E-Mail Compromise
-https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams

PowerWare / PoshCoder Ransomware Decryption
-https://www.alienvault.com/open-threat-exchange/blog/powerware-or-poshcoder-comparison-and-decryption

Leaking Information Via Browser XSS Filters
-http://www.mbsd.jp/blog/20160407.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/