SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #3

January 12, 2016

If you have tried to hire cybersecurity people with solid hands-on
skills you know how hard that is. A largely untapped source of
promising candidates is collegiate cybersecurity clubs. See Top of the
News story on the Pivot Project for a promising approach to increasing
the supply of hands-on cyber skills in America.
(http://pivotproject.org)
Alan

---

TOP OF THE NEWS

Ukrainian Power Company Attack Was Coordinated Effort
Interior Department IG Finds Laptop Encryption Ineffective
PIVOT Enables Collegiate Cyber Clubs To Advance Hands On Skills
General Motors Seeking Vulnerability Submissions

THE REST OF THE WEEK'S NEWS

Arrests Made in Connection with DD4BC Gang
NHTSA Says Fiat-Chrysler Security Flaws Limited to Recalled Cars
US House to Hold Wassenaar: Cybersecurity & Export Control Hearing
Juniper Networks Will Replace Questionable Components from its Products
Cybercrime Sentencing Questions
QuickTime Updates
Rovnix Trojan Spreading in Japan
Former Cardinals Exec Pleads Guilty to Accessing Astros Database
Tyupkin Trojan Arrests
RealID Requirements Just Became Real

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By RecordedFuture ***********************

Learn how Levi Strauss applies real-time threat intelligence to monitor the most critical risks, direct threats, and emerging trends that could impact the organization. Attend this free webinar by Recorded Future on January 26, 2016 at 2:00 PM ET:
http://www.sans.org/info/182817

***************************************************************************

TRAINING UPDATE

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Ukrainian Power Company Attack Was Coordinated Effort (January 10 & 11, 2016)

The attack against systems at Ukrainian power companies comprised "multiple elements," according to a blog post from SANS Industrial Control Systems (ICS) director Michael Assante. "The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers," hindering system restoration. Internet Storm Center:
-https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the
-ukrainian-power-grid
-http://www.computerworld.com/article/3020732/security/malware-wasnt-sole-cause-o
f-ukraine-power-station-outage.html
-http://thehill.com/policy/cybersecurity/265394-cyberattack-on-ukrainian-power-co
mpany-a-coordinated-effort
-http://arstechnica.com/security/2016/01/analysis-confirms-coordinated-hack-attac
k-caused-ukrainian-power-outage/
[Editor's Note (Assante): There are many different aspects to these attacks to learn from. I was initially surprised with how quickly one of the affected utilities linked their system outage to a cyber attack, until we analyzed a malware sample that was suggested to have come from one of the networks. The wiper module and later comments about the impacted SCADA systems made it clear that the attackers did not mind or possibly wanted the utilities to know they had been hit after they recognized the outage. ]

Interior Department IG Finds Laptop Encryption Ineffective (January 6 and 7, 2016)

According to an advisory from the US Interior Department's Deputy Inspector General, misconfigured software on nearly 15,000 department laptops could lead to data theft. Although the full-disk encryption software was initially configured to run pre-boot authentication, settings have been altered so the computers run post-boot authentication, making the data on the systems vulnerable to a specific attack. The advisory recommends that Interior's CIO "mandate the use of pre-boot authentication on all laptops and implement a monitoring and enforcement program that mitigates noncompliant systems."
-http://www.deseretnews.com/article/865645041/Inspector-general-Thousands-of-Inte
rior-Department-laptops-vulnerable-to-cyber-attack.html?pg=all
-http://fedscoop.com/interior-dept-laptops-security-configuration-authentication
-https://www.doioig.gov/sites/doioig.gov/files/ISDINMOA00042014HPublic.pdf
[Editor's Note (Paller): IG teams in the federal government are increasingly developing in-depth expertise that enables them to do expert analyses like the one done here by Interior. Well done! (Honan): From working with a number of clients we often see its not how the disk encryption is implemented but rather how it is used. Users utilizing weak passwords or not locking their workstation when leaving the device unattended are classic problems. Next time you are in a public place where a lot of business people mingle notice how many do leave their laptops unattended and unlocked. ]

PIVOT Enables Collegiate Cyber Clubs To Advance Hands On Skills (January 12, 2016)

The PIVOT project for collegiate cyber clubs launched today. If you have tried to hire cybersecurity people with solid hands-on skills you know how hard that is. Club programs are effective when they have regular meetings where participants learn about a tool or technique and then have an hour or more of hands-on exercise. Putting together weekly programs like that was very challenging for most schools until the PIVOT project was launched. PIVOT is a growing collection of short briefings with fun and challenging on-line or downloadable exercises that have been gathered and curated by BSides, several colleges, CounterHack Challenges, SANS, and with a little financial help from NSF. The PIVOT exercises are available free to collegiate clubs throughout the U.S., and today PIVOT launched a contest with substantial Amazon gift certificates as prizes, for clubs that try out a couple of exercises in the current collection and provide feedback and make suggestions for additions, within 33 days. If you have a relationship with a local college tell them about PIVOT and the contest. You'll be especially popular if you also offer to buy the pizza and soft drinks for their next club meeting. More information on PIVOT:
-http://pivotproject.org,
and on the contest:
-http://pivotproject.org/contest.

General Motors Seeking Vulnerability Submissions (January 8, 2016)

General Motors (GM) is working with HackerOne to develop a vulnerability submission program. GM does not at this point offer money for the information, but it does assure researchers that they will be protected from legal action as long as they abide by a set of rules, which include not causing harm, not breaking existing criminal laws, and not disclosing information about the vulnerabilities before GM has completed remediation.
-http://arstechnica.com/security/2016/01/gm-embraces-white-hats-with-public-vulne
rability-disclosure-program/
-http://www.scmagazine.com/gm-teams-with-hackerone-on-vulnerability-submission-pr
ogram/article/464113/
-http://www.wired.com/2016/01/gm-asks-friendly-hackers-to-report-its-cars-securit
y-flaws/
[Editor's Note (Pescatore): These "managed bounty" programs are proving to be very effective when compared with traditional external consulting engagements for code vulnerability analysis. However, vulnerabilities are still being discovered in products that are shipping. GM should first invest in improving its secure development life cycle to drastically reduce the number of vulnerabilities that make it that far. Experience has shown this *reduces* the cost per line of code overall. ]

---

************************** SPONSORED LINKS ********************************

1) Learn how to Reduce Your Incident Response Costs Download the Free White Paper. http://www.sans.org/info/182822

2) Don't Miss: Threat Hunting. Tuesday, February 02, 2016 at 1:00 PM EST (18:00:00 UTC) with Rob Lee, Robert M. Lee and Luis Maldonado. http://www.sans.org/info/182827

3) What are the most useful APPSEC processes/tools for your org? Take Survey - Enter to Win $400 Amazon Card. http://www.sans.org/info/182832

***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Arrests Made in Connection with DD4BC Gang Europol Cybercrime Centre (Europol EC3)

announced today that a joint task force of various European police forces have arrested two individuals in Bosnia and Herzegovina suspected of being involved in the DD4BC DDOS extortion gang. The task force was led by Austrian police with input from police forces in Australia, France, Japan, Romania, Switzerland, as well as the U.S. Secret Service and FBI, and Interpol. Europol's press release is available at
-https://www.europol.europa.eu/content/international-action-against-dd4bc-cybercr
iminal-group
-http://www.databreachtoday.com/europol-announces-dd4bc-arrests-a-8794
-http://www.net-security.org/secworld.php?id=19314
-http://news.softpedia.com/news/members-of-dd4bc-the-group-that-blackmailed-compa
nies-with-ddos-attacks-arrested-by-europol-498797.shtml
-http://www.csoonline.com/article/3021812/security/europol-confirms-raid-against-
ddos-extortion-ring-dd4bc.html
Editor's Note (Honan): Well done to all the law enforcement agencies involved in this operation and also kudos to all those victim organisations who shared the data relating to the attacks with law enforcement. Without that data law enforcement would have found it more difficult to build enough intelligence to identify the suspects. Even if the data you share with law enforcement does not directly help with your case, that information you share could be the small piece of the jigsaw puzzle that unlocks the full picture. ]

NHTSA Says Fiat-Chrysler Security Flaws Limited to Recalled Cars (January 11, 2016)

Federal regulators say that the security issues that resulted in recalls for 1.4 million Fiat-Chrysler automobiles affect only those cars and no others. An investigation conducted by the National Highway Traffic Safety Administration (NHTSA) concluded that while other automobiles had radios similar to those in the recalled cars, the other automobiles also had security systems in place that prevented attacks.
-http://thehill.com/policy/cybersecurity/265398-chrysler-was-only-automaker-with-
cyber-vulnerability-feds-say
-http://www.computerworld.com/article/3021139/security/feds-say-only-chryslers-we
re-vulnerable-to-hacks-via-radio-not-audi-or-volkswagen.html

US House to Hold Wassenaar: Cybersecurity & Export Control Hearing (January 11, 2016)

US legislators plan to discuss proposed regulations that aim to keep certain cyber tools away from those who control repressive regimes. Critics of the proposed rules, which were drafted to implement the Wassenaar Agreement, say that they would hinder innovation and weaken security.
-http://thehill.com/policy/cybersecurity/265479-house-to-discuss-controversial-an
ti-hacking-regs
-https://homeland.house.gov/hearing/cybersecurity-and-export-control/
[Editor's Note (Weatherford): For those of you who don't remember, the Wassenaar Agreement (officially the Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies) is an international treaty to limit who is allowed to purchase things like military hardware, airplanes, guns, ships, etc. A few years ago, it was broadened to include IT stuff since, just like military hardware, many security tools can be used either for good or for evil. The Wassenaar Agreement may work with large defense contractors but it's hard to see how it can be enforced within the IT security research community without making criminals out of the hacker community and security professionals trying to do good. It will be a deterrent to better security. ]

Juniper Networks Will Replace Questionable Components from its Products (January 8, 10, and 11, 2016)

Juniper Networks says it will remove code developed by the National Security Agency (NSA) from its firewall products. The code was found to silently decrypt traffic sent through virtual private networks (VPNs). Juniper plans to replace a cryptography component in its ScreenOS operating system.
-http://arstechnica.com/security/2016/01/juniper-drops-nsa-developed-code-followi
ng-new-backdoor-revelations/
-http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-q
uestions-about-the-company/
-http://www.eweek.com/security/juniper-networks-moves-to-replace-vulnerable-code.
html
-http://forums.juniper.net/t5/Security-Incident-Response/Advancing-the-Security-o
f-Juniper-Products/ba-p/286383

Cybercrime Sentencing Questions (January 9, 2016)

Judges are often uncertain how to determine appropriate punishment for people convicted of cyber crimes. Sentencing Guidelines for the offenses under the Computer Fraud and Abuse Act (CFAA) are currently overly broad and carry stringent punishments. Critics of the CFAA have called for its reform.
-http://thehill.com/policy/cybersecurity/265285-judges-struggle-with-cyber-crime-
punishment
[Editor's Note (Pescatore): Society and laws always evolve more slowly than technology and the CFAA could use a dose of evolution in two areas: (1) Making it easier to punish guilty criminals' and (2) harder to thwart legitimate security actions to find vulnerabilities and force them to be fixed. ]

QuickTime Updates (January 9, 2016)

Apple has updated its QuickTime media player plugin to address nine vulnerabilities that could be exploited for remote code execution. The QuickTime 7.7.9 patch fixes flaws in the plugin for Windows 7 and Windows Vista.
-http://www.theregister.co.uk/2016/01/09/quicktime_patch/
-https://support.apple.com/en-us/HT205638

Rovnix Trojan Spreading in Japan (January 8, 2016)

The Rovnix Trojan targets customers of certain Japanese banks. It spreads by hiding in an email message that purports to be from an international transport company. It uses a web injection technique that imitates the banks' actual web pages. Rovnix has also been used in similar schemes in Europe.
-http://www.darkreading.com/vulnerabilities---threats/japanese-banks-targeted-wit
h-new-rovnix-trojan/d/d-id/1323818?
-http://www.scmagazine.com/cybergang-targets-japanese-banks-in-aggressive-infecti
on-campaign/article/464066/

Former Cardinals Exec Pleads Guilty to Accessing Astros Database (January 8, 2016)

The former St. Louis Cardinals baseball team scouting director has pleaded guilty to five counts of accessing an account belonging to a rival team without authorization. Christopher Correa guessed the password that protected a Houston Astros database known as "Ground Control."
-http://thehill.com/policy/cybersecurity/265262-former-st-louis-cardinals-officia
l-pleads-guilty-to-houston-astros-hack
-http://www.theregister.co.uk/2016/01/08/baseball_exec_cops_to_hacking/
-http://www.darkreading.com/attacks-breaches/former-st-louis-cardinals-exec-plead
s-guilty-to-cyber-espionage-charges/d/d-id/1323824?
-http://arstechnica.com/tech-policy/2016/01/federal-hacking-conviction-follows-pr
o-baseball-scouting-scandal/
-http://arstechnica.com/wp-content/uploads/2016/01/correainformation.pdf

Tyupkin Trojan Arrests (January 8, 2016)

Law enforcement agents in Europe have arrested eight people in Romania and Moldova in connection with ATM malware known as Tyupkin. The malware can be used to trick the machines into dispensing cash on demand. It is also capable of deleting itself from machines. The scheme was allegedly used to steal more than 200,000 euros (US $218,000) from ATMs in Romania, Germany, France, Norway, Sweden, Poland, and Hungary.
-http://www.theregister.co.uk/2016/01/08/romanian_cops_bust_atm_malware_jackpot_s
uspects/
-http://www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-po
lice-swoops/

RealID Requirements Just Became Real (January 8, 2016)

As of January 10, 2016, US federal facilities will no longer accept ID cards from certain states and territories because they do not comply with the RealID Act. The Transportation Security Administration (TSA) has set a deadline of January 18, 2018 to begin enforcing RealID compliance at its checkpoints.
-http://arstechnica.com/tech-policy/2016/01/next-week-five-states-ids-will-stop-w
orking-in-federal-facilities/

---

STORM CENTER TECH CORNER

VMWare Update Fixes Privilege Escalation Flaw
-http://lists.vmware.com/pipermail/security-announce/2016/000316.html

Comprehensive Security Analysis of OAuth
-http://arxiv.org/abs/1601.01229

EZCast SmartTV Stick Vulnerabilities
-https://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point
.pdf

Analyzing Excel Malware
-https://isc.sans.edu/forums/diary/BlackEnergy+XLS+Dropper/20601/

TrendMicro node.js HTTP Server Can Execute Arbitrary Commands
-https://code.google.com/p/google-security-research/issues/detail?id=693

FastIR New Windows Artifcat Collector
-https://github.com/SekoiaLab/Fastir_Collector

Verizon CSRF Vulnerablity In Mobile App API
-http://randywestergren.com/hijacking-verizon-fios-accounts/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/