SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #29

April 12, 2016

The FBI's statement on the cyber threat to the U.S. power grid is the top story this week. FBI executives don't release information like this unless they have solid evidence of a clear and present danger.

NERC CIP Update: In less than 80 days, all North American Bulk Electric System entities with facilities identified as high or medium impact must be in compliance with NERC CIP 5/6. The folks who played central roles in supporting the standards put together a great course on the "What" and the "How" of the NERC CIP Version 5/6 standards. The course's inaugural presentation is in 5 weeks; save 25% with discount code ICS456-BETA2. Agenda and registration info:
https://www.sans.org/event/beta-2-ics456/courses/
Alan

---

TOP OF THE NEWS

FBI Warning Power Companies of Cyber Threats to the US Grid
Adobe Releases Flash Update Early

THE REST OF THE WEEK'S NEWS

Petya Ransomware Cracked
WordPress Now Enables Encryption by Default for Custom Domain
Malware in Surveillance Cameras
Government Mandates Stronger Security at US Nuclear Facilities
Mumblehard Botnet Shutdown
Draft Crypto Bill Criticized as 'Ludicrous, Dangerous, Technically Illiterate'
US Military Commissaries Seek Emergency Response Contractor
Modems Vulnerable to Denial-of-Service Attack

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Splunk ****************************

On AWS, you can't secure what you can't see. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS.

Register for our upcoming webinar to hear from a leading customer, AWS, and Splunk about how to better secure and manage your AWS environment.
http://www.sans.org/info/184697

***************************************************************************

TRAINING UPDATE

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI Warning Power Companies of Cyber Threats to the US Grid (April 9, 2016)

The FBI and the US Department of Homeland Security (DHS) has begun warning companies that operate elements of the country's critical infrastructure about cyber threats to the power grid. The program started after the December attacks against power companies in Ukraine. The campaign includes webinars and briefings about the attacks and offers suggestions for mitigating risk and bolstering cybersecurity.
-http://freebeacon.com/issues/fbi-warns-cyber-threat-electric-grid/
-http://thehill.com/policy/cybersecurity/275723-fbi-warning-power-companies-of-cy
ber-threats-to-electric-grid-report
[Editor's Note (Assante): The warning is valid, as there have been multiple access campaigns and successful intrusions into infrastructures by well-resourced cyber actors. The problem here is the accompanying DHS assessment that claims the threat to the energy sector is low with their rationale being that successful intruders are both simply pre-positioning themselves to be able to act if contingencies should warrant action and to further their own espionage goals. This thinking is intellectually dishonest as it promotes a "to be accepted" or it's to be expected that someone else is in our critical systems. Let us consider this proposition in abstract. Would you be comfortable if I told you that the plane you are about to board, as a passenger, has a compromised remote connection that allows anyone to access and manipulate the aircrafts flight control system? In fact, we go through great lengths to ensure someone can't gain physical access to the cockpit to maintain its integrity and ensure only authorized and well-meaning people have hands on the stick. Access by actors capable of damaging and disrupting infrastructures like electricity, means both the capability and opportunity exists, ceding the determination to actualize a threat to the adversary. In this case I would have said the potential threat of damaging and disruptive attacks exist. (Henry): This has been a concern for more than a decade. There's been a lot of discussion in the media and by pundits that it's not a real threat, and those that say it is are 'fear mongering.' I think this public statement is a paradigm shift in strategy and philosophy, and it validates this as a legitimate risk, which must be immediately addressed. (Northcutt): This is important and far more important to people that live in major cities. Ted Koppel did a well researched book on the subject trying to increase awareness, here is a link to a book review and a pointer to a SANS related class:
-http://www.sans.edu/research/book-reviews/article/lights-out
-https://www.linkedin.com/pulse/i-just-read-lights-out-ted-koppel-stephen-northcu
tt?trk=hp-feed-article-title-comment]

Adobe Releases Flash Update Early (April 8 and 11, 2016)

Adobe released its scheduled security update for Flash Player on Thursday, April 7, five days ahead of schedule. The decision was made to push up the release date because Adobe wanted to address a critical flaw that was being actively exploited. The update fixes a total of 24 security issues in Flash. Users running Flash versions 21.0.0.197 and earlier are urged to update.
-http://www.theregister.co.uk/2016/04/08/update_flash_now_or_kill_it/
-http://www.computerworld.com/article/3053959/malware-vulnerabilities/adobe-flash
-player-cerber-ransomware-itbwcw.html
-http://www.computerworld.com/article/3053548/security/adobe-fixes-24-vulnerabili
ties-in-flash-player-including-an-actively-exploited-one.html
-http://krebsonsecurity.com/2016/04/adobe-patches-flash-player-zero-day-threat/
-http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-windows-10
/
-http://www.eweek.com/security/adobe-patches-zero-day-flaw-used-by-exploit-kit.ht
ml
-http://www.theregister.co.uk/2016/04/11/mindless_flash_masses_saved_as_magnitude
_mongrels_bork_0day/
-http://www.zdnet.com/article/cyberattackers-botch-integration-of-adobe-flash-zer
o-day-vulnerability-in-exploit-kits/
-https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
-https://helpx.adobe.com/security/products/flash-player/apsb16-10.html
-http://blog.trendmicro.com/trendlabs-security-intelligence/look-adobe-flash-play
er-cve-2016-1019-zero-day-vulnerability/
[Editor's Note (Williams): With the vulnerability being actively exploited in the wild, this should be patching priority #1 for anyone still running Flash. ]

---

************************** SPONSORED LINKS ********************************
1) Free Threat Advisor: How to Stop Ransomware - Download Now: http://www.sans.org/info/184702

2) Securing the Internet of Old Things (IoOT). Wednesday, April 20, 2016 at 2:00 PM EDT (18:00:00 UTC) with Dana Torgersen, Jean-Philippe Taggart and Ray Davidson. http://www.sans.org/info/184707

3) Overcome Privilege Management Obstacles with CSC v. 6. Tuesday, April 26, 2016 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Jon Wallace. http://www.sans.org/info/184712

***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Petya Ransomware Cracked (April 11, 2016)

A programmer has developed a technique to unlock computers infected with Petya ransomware and has made it available at no cost. The technique requires extracting information from the computer's hard drive, which may be beyond the scope of some users' abilities. Another tool, which is somewhat simpler to use, extracts the required data. It has also been posted to the Internet. Internet Storm Center:
-https://isc.sans.edu/forums/diary/Tool+Released+to+Decrypt+Petya+Ransomware+Infe
cted+Disks/20929/
-http://www.computerworld.com/article/3054518/cybercrime-hacking/petya-ransomware
-cracked-get-password-to-decrypt-hard-drive-for-free.html
-http://www.computerworld.com/article/3054593/security/experts-crack-petya-ransom
ware-enable-hard-drive-decryption-for-free.html
-http://www.bbc.com/news/technology-36014810
-http://arstechnica.com/security/2016/04/experts-crack-nasty-ransomware-that-took
-crypto-extortion-to-new-heights/
[Editor's Note (Ullrich): Lucky break if attackers get crypto wrong for a change. But remember that the real defense against crypto ransom ware is offline backups (which also helps against a number of other disasters). ]

WordPress Now Enables Encryption by Default for Custom Domain (April 11, 2016)

WordPress has turned on HTTPS encryption by default for custom domains that are associated with users' WordPress websites. HTTPS was implemented for WordPress subdomains in 2014. HTTPS for custom domains requires a certificate for each domain, a more complicated and expensive endeavor. WordPress worked with the Let's Encrypt project, which offers free SSL/TLS certificates, to add HTTPS encryption to custom domains. The Let's Encrypt project also automates the certificates' deployment, configuration, and renewal.
-http://www.computerworld.com/article/3054047/security/wordpresscom-turns-on-defa
ult-encryption-for-hosted-domains.html
-http://www.scmagazine.com/wordpress-sets-up-default-https-encryption-for-custom-
domains/article/488962/
-https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wor
dpress-com-sites/
[Editor's Note (Pescatore): Since login sessions were already encrypted sessions, doesn't seem like encrypting public blog traffic actually adds any meaningful security, but defaulting to encrypting all bits in motion is in general a good thing. However, Let's Encrypt doesn't do any entity validation other than checking the Google Safe Browsing API before issuing a certificate to a domain. So, doesn't raise the bar against phishing or drive-by malware attacks, a much more serious threat than eavesdropping on people uploading information to blogs that are public anyway. (Ullrich): You may not consider the content you read at WordPress confidential, but recall that SSL is about more then confidentiality. Integrity of the content is another important goal. Internet Service Providers keep getting caught injecting tracking headers (Verizon) or even JavaScript (Comcast) into content users access. SSL is the simplest defense against having content manipulated in transit. ]

Malware in Surveillance Cameras (April 11, 2016)

Firmware in security cameras being sold online was found to contain a malicious iframe that redirects to a site linked to malware distribution. The site was shut down in 2009, but became active again in 2011.
-http://www.zdnet.com/article/amazon-surveillance-cameras-infected-with-malware/
-http://www.scmagazine.com/researcher-finds-malware-in-usg-sony-chip-hd-6-camera-
surveillance-kit/article/489002/
[Editor's Note (Ullrich): We found that malware in "brand new" devices is sometimes due to devices being returned and sold as new without properly resetting them. Sadly, with devices like this, flashing the firmware from a trusted source is not always an option. But you should certainly consider it if you have the ability. Verify the firmware offered on the manufacturers website is not older then the one that came with the device. (Williams): This story highlights the need to verify security for COTS products. Just because it says secure on the box doesn't mean that it isn't calling back to a known malware command and control server. At a minimum, network monitoring is required for all COTS devices placed on your trusted networks. ]

Government Mandates Stronger Security at US Nuclear Facilities (April 11, 2016)

The US Nuclear Regulatory Commission (NRC) has released a regulatory basis document to support rulemaking regarding new cybersecurity requirements at nuclear facilities. The NRC is already implementing physical security measures.
-http://thehill.com/regulation/cybersecurity/275831-feds-pushing-stronger-cyber-p
rotections-at-nuclear-sites

Mumblehard Botnet Shutdown (April 9, 2016)

The Mumblehard botnet, malware for which has infected an estimated 4,000 Linux machines, has been shut down. Mumblehard used the infected machines to send spam. Mumblehard was first detected in 2014. Its command-and-control servers were able to ensure the botnet's health by sending delist requests to Spamhaus for Mumblehard IP addresses that made their way onto the organization's composite blocking list.
-http://arstechnica.com/security/2016/04/researchers-help-shut-down-spam-botnet-t
hat-enslaved-4000-linux-machines/
[Editor's Note (Honan): The fact a botnet was shutdown is not the interesting snippet from this story, but rather those infected devices were Linux machines. Malware is no longer restricted to just the Wintel platform. ]

Draft Crypto Bill Criticized as 'Ludicrous, Dangerous, Technically Illiterate' (April 8, 2016)

US senators have introduced legislation that would require technology companies to comply with requests from law enforcement to unlock encrypted devices. A "discussion draft" of the bill was leaked last week. It has been criticized for weakening security and hindering competitiveness. The bill requires compliance with court orders for information, and if the information is "unintelligible," the bill requires that the information be made "intelligible."
-http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/
-http://www.scmagazine.com/encryption-bill-draft-muddled-imposing/article/488780/
-http://www.cnet.com/news/encryption-bill-would-skip-legal-battle-force-companies
-to-surrender-user-data/
-http://www.informationweek.com/government/mobile-and-wireless/senators-push-for-
tech-firms-to-decrypt-smartphones/a/d-id/1325046
[Editor's Note (Liston): What makes Washington lawmakers believe that they can regulate a technology that they obviously don't understand? ]

US Military Commissaries Seek Emergency Response Contractor (April 8, 2016)

The US military's Defense Commissary Agency, which oversees the 250 commissaries at military bases, is looking for on-call emergency computer incident response services. In "Priority One" cases, such as payment card breaches, the team would be expected to respond to breaches within an hour.
-http://www.nextgov.com/cybersecurity/2016/04/military-hiring-rapid-response-team
-triage-hacked-commissaries/127346/?oref=ng-channeltopstory

Modems Vulnerable to Denial-of-Service Attack (April 8, 2016)

A vulnerability in the Arris Surfboard SB6141 modem could be exploited to cut entire networks off from the Internet. Attackers could potentially remotely reset the router, which erases the Internet service provider's settings, causing denial-of-service conditions. Connection cannot be reestablished until the modem's owner contacts the ISP. The issue lies in the modem's handling of authentication and cross-site requests. Arris has developed a firmware update to address the problem and is "in the process of working with our Service Provider customers to make
[it ]
available to subscribers."
-http://www.zdnet.com/article/millions-of-routers-vulnerable-to-unpatched-reboot-
flaw/
[Editor's Note (Liston): What's particularly sad in this case is that these flaws are so obvious that they would have almost certainly been discovered had security testing been done as a part of the development process. ]

---

STORM CENTER TECH CORNER

iMessage Vulnerablitiy Allows Access To Chat History
-https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client
-recovery-of-plaintext-imessage-data/

Ubuntu on Windows 10: Not as Insecure as Some Think
-http://www.pcworld.com/article/3051604/windows/linuxs-deadliest-command-doesnt-f
aze-bash-on-windows-10.html

Special Badlock Webcast
-https://www.sans.org/webcasts/badlock-102107

Malware Creator Bribes Anti-Virus Vendors
-http://blog.checkpoint.com/2016/04/08/qihoo-360-just-the-tip-of-the-whitelisted-
malware-iceberg/

Users Will Plug In USB Drives They Find In The Parking Lot
-https://www.elie.net/publication/users-really-do-plug-in-usb-drives-they-find

Ruby Gems Replacement Vulnerability
-http://blog.rubygems.org/2016/04/06/gem-replacement-vulnerability-and-mitigation
.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/