SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #30

April 15, 2016

TOP OF THE NEWS

White House Names Ten To Commission on Enhancing Cybersecurity
Federal Appeals Court Says Warrants Not Needed for Stingray Use
Critical Flaw in VMWare Client Integration Plugin

THE REST OF THE WEEK'S NEWS

Apple Ends Support for QuickTime on Windows
SAP Flaws Patched
Blackhole Exploit Kit Author Sentenced to Prison
GozNym Trojan Targeting Banks in US and Canada
Junos OS Privilege Elevation Vulnerabilities
UL Not Freely Sharing IoT Cybersecurity Standard
Microsoft Patch Tuesday
Matthew Keys Sentenced to Two Years in Prison
Threat Hunting (Pro-active Security) Moving Into Mainstream

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

******************** Sponsored By Malwarebytes *************************

Securing the Internet of Old Things (IoOT). Wednesday, April 20, 2016 at 2:00 PM EDT (18:00:00 UTC). Malwarebytes and G.W. Ray Davidson with SANS drill down on recent findings from the SANS 2016 Endpoint Security Survey. Learn how time is critical in incident response capabilities, the importance of focusing on IoOT and IoT, and how to prevent malicious attacks and simplify remediation efforts.
http://www.sans.org/info/184817

***************************************************************************

TRAINING UPDATE

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

White House Names Ten To Commission on Enhancing Cybersecurity (April 14, 2016)

President Obama has named 10 people to the Commission on Enhancing National Cybersecurity. The new members are in addition to the commission's co-chairs, former national security advisor Tom Donilon and former IBM CEO Sam Palmisano. The commission was established earlier this year in the wake of several high-profile attacks, including the massive data breach at the Office of Personnel Management (OPM).
-http://www.nbcnews.com/tech/security/obama-names-former-nsa-chief-microsoft-uber
-execs-cybersecurity-panel-n555811
-https://www.whitehouse.gov/the-press-office/2016/04/13/president-obama-announces
-more-key-administration-posts
[Editor's Note (Paller): I spoke at some length with Kiersten Todt, the new commission's executive director, and was encouraged when she said the commission would take a hard look at mistakes that were made that led to the OPM breach and to thousands of other unwanted cyber events. A few days later I learned that a government agency was being funded to provide staffing for the new commission - the same agency that provided the guidance that OPM relied upon and that a technically competent, independent commission would find to have facilitated most of the errors that were made. In light of that discovery, it doesn't look like the government's key mistakes will be clearly identified by the commission; so its recommendations are likely to be ineffective. (Murray): It is unfortunate that the charter of this commission is "national" rather than "Federal." It is the inability of the Federal government to protect its citizens' information and its mission that provoked the commission. Widening its remit way beyond that issue will not prove effective in securing either the state or the nation. ]

Federal Appeals Court Says Warrant Not Needed for Stingray Use (April 14, 2016)

The 6th US Circuit Court of Appeals has agreed with the federal government that a warrant is not necessary when using cell-site location technology like Stingrays. The majority of federal appeals court rulings share this position; the only federal appeals court that sided against has agreed to rehear the case, so the opinion has been set aside. The issue is unlikely to head to the Supreme Court anytime soon unless more federal appeals courts disagree with the government.
-http://arstechnica.com/tech-policy/2016/04/us-court-agrees-with-feds-warrants-ar
ent-needed-for-cell-site-location-data/

Critical Flaw in VMWare Client Integration Plugin (April 14, 2016)

According to a security advisory from VMware, a critical vulnerability in the VMware Client Integration Plugin means that the plugin "does not handle session content in a safe way." The flaw could be exploited to allow session hijacking. Fixing the issue requires both server side and client side updates.
-http://www.theregister.co.uk/2016/04/14/critical_vmware_bug/
-http://www.vmware.com/security/advisories/VMSA-2016-0004.html

---

************************** SPONSORED LINKS ********************************
1) Overcome Privilege Management Obstacles with CSC v. 6. Tuesday, April 26, 2016 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Jon Wallace. http://www.sans.org/info/184822

2) In case you missed it: Bring Your Own Collaboration Technical Control Tradeoffs, featuring Dave Shackleford and Scott Gordon. http://www.sans.org/info/184827

3) New Survey: Tell us how the IT community consumes AND uses cyber threat intel. Chance to win $400 Amazon Gift Card OR a FREE Summit Pass! http://www.sans.org/info/184832
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Apple Ends Support for QuickTime on Windows (April 14 and 15, 2016)

The US Department of Homeland Security's (DHS) US-CERT is urging Windows users to uninstall Apple's QuickTime video player because Apple will cease supporting the product. The alert comes after the discovery of two critical flaws in QuickTime that could be exploited to allow arbitrary code execution.
-http://arstechnica.com/security/2016/04/apple-stops-patching-quicktime-for-windo
ws-despite-2-active-vulnerabilities/
-http://www.zdnet.com/article/apple-deprecates-quicktime-for-windows-with-two-sec
urity-holes-unpatched-trend-micro/
-https://www.us-cert.gov/ncas/alerts/TA16-105A
-https://support.apple.com/HT205771
-http://zerodayinitiative.com/advisories/ZDI-16-241/
[Editor's Note (Williams): As with any unsupported software, organizations need to begin (rapid) mitigation plans to get rid of QuickTime in their networks. This is especially true with unsupported software where known vulnerabilities exist. ]

SAP Flaws Patched (April 14, 2016)

On Tuesday, April 12, SAP released 19 security notes to address a total of 26 vulnerabilities. Two of the flaws could potentially be "daisy-chained" to take control of vulnerable systems.
-http://www.theregister.co.uk/2016/04/14/erp_sap_patch/
-https://erpscan.com/press-center/blog/dos-vulnerabilities-on-the-rise-sap-securi
ty-notes-april-2016/
-http://scn.sap.com/community/security/blog/2016/04/12/sap-security-patch-day--ap
ril-2016
[Editor's Note (Murray): The problem of "daisy-chaining" results from inappropriate trust between systems. This is an easier problem to address than trying to secure every system. ]

Blackhole Exploit Kit Author Sentenced to Prison (April 14 and 15, 2016)

A court in Russia has sentenced Dmitry Fedotov to seven years in prison for authoring the Blackhole exploit kit. In all, seven people have been convicted and sentenced in connection with Blackhole. The other six people received sentences of between five-and-a-half and eight years.
-http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/

GozNym Trojan Targeting Banks in US and Canada (April 14, 2016)

The GozNym Trojan horse program has been used to steal US $4 million from bank accounts of customers whose systems were infected by the Trojan. GozNym is a hybrid pieced together from two other strains of malware, Nymaim and Gozi IFSB.
-http://www.scmagazine.com/new-goznym-banking-malware-steals-millions-in-just-day
s/article/489933/

Junos OS Privilege Elevation Vulnerabilities (April 14, 2016)

Flaws in the Junos operating system could be exploited to gain elevated privileges. According to Juniper Networks, "Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system." Juniper found the vulnerabilities during internal testing.
-http://www.scmagazine.com/flaw-in-junos-os-detected-fixed/article/489913/
-http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10739&cat=SIRT
_1&actp=LIST
[Editor's Note (Williams): Many organizations allow large numbers of limited access service accounts to routers, firewalls, and switches, ostensibly for monitoring purposes. But privilege escalation vulnerabilities such as these in infrastructure devices show how that can open the network up to significant exposure. Organizations should patch immediately and examine whether their architecture decisions expose them to additional risk. ]

UL Not Freely Sharing IoT Cybersecurity Standard (April 13, 2016)

UL (formerly Underwriters Laboratories) will sell interested parties the text of its UL 2900 certification standard for the Internet of Things (IoT) for US $800, but will not allow researchers to examine it otherwise. UL chief of cybersecurity technical services said that the organization's objective is to provide "the ability for a vendor to have some repeatable and reproducible way to evaluate their product to ensure it meets some minimum requirements." Pieter "Mudge" Zatko, the former head of cybersecurity research at DARPA who is currently establishing the Cyber Independent testing Laboratory (CITL) is concerned that a pass/fail model will allow "too many unhealthy products
[to ]
pass the bare-minimum certification process." Mudge would like to see a more granular approach to security, like a nutritional label or new car stickers.
-http://arstechnica.com/security/2016/04/underwriters-labs-refuses-to-share-new-i
ot-cybersecurity-standard/
[Editor's Note (Pescatore): The International Standards Organization charges about $125 US for each of the ISO 27000 series of security standards, so this is not all that unusual. UL has been a for-profit company since 2012 and really has not made much penetration into cybersecurity, but acquired Infogard (a long time NIST-accredited test lab for crypto and Common Criteria certification) in December 2015 and in April 2016 announced the Cybersecurity Assurance Program. There is much competition in this area (there are 9 other NIST accredited Common Criteria test labs), as well as numerous government efforts like the CITL - all can choose to make their standards free (or at least less expensive...) and compete. But, forward progress (walk, not talk) is necessary. A validation of "things" at least meeting widely agreed upon "basic security hygiene" standards that can be done a market speeds is badly needed, just as it was needed in the early days of electric appliances. (Murray): The test for "things," appliances, ought to be that the device is "resistant to use for any but its intended purpose or by anyone but its owner" or "safe for its intended use." This is the appropriate "granularity" for appliances. Consumers ought not have to, cannot be expected to, make complex decisions over hundreds of appliances. ]

Microsoft Patch Tuesday (April 12 and 13, 2016)

Microsoft's batch of security updates for April includes 13 bulletins. The patched flaws include one in the implementation of the SMB, CIFS protocol. The flaw, known as "Badlock," was disclosed several weeks ago despite the fact that a patch was unavailable at the time. The flaw has also been fixed in Samba 4.4.2, 4.3.8, and 4.2.11.
-http://krebsonsecurity.com/2016/04/badlock-bug-tops-microsoft-patch-batch/
-http://www.computerworld.com/article/3055587/security/critical-updates-for-ie-ed
ge-and-adobe-flash-for-april-patch-tuesday.html
-http://www.computerworld.com/article/3055917/security/microsoft-samba-badlock-fl
aw-not-critical-but-serious-enough.html
-http://arstechnica.com/security/2016/04/yes-badlock-bug-was-shamelessly-hyped-bu
t-the-threat-is-real/
-http://www.wired.com/2016/04/badlock-bug-hype-hurt/
-https://technet.microsoft.com/en-us/library/security/mt637763.aspx
Internet Storm Center:
-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+April+2016
/20935
[Editor's Note (Honan): The "BadLock" flaw is a prime example of how we as an industry cry wolf over security issues. Badlock came with its own logo, its own website, and a PR campaign for a number of weeks before it was launched, leading to much speculation over its impact. In the end, it was deemed as not a major issue. This kind of behaviour reflects badly on us as an industry and makes raising awareness of more genuine issues even more difficult. ]

Matthew Keys Sentenced to Two Years in Prison (April 13 and 14, 2016)

Matthew Keys has been sentenced to two years in prison for providing members of Anonymous with login credentials that they used to alter a headline on the Los Angeles Times website. Keys, who was working as a social media editor for Reuters at the time, had formerly worked as a web producer for a television station owned by the Tribune Company, which also owns the Los Angeles Times.
-http://www.wired.com/2016/04/journalist-matthew-keys-sentenced-two-years-aiding-
anonymous/
-http://www.scmagazine.com/former-reuters-editor-sentenced-to-two-years-for-helpi
ng-anonymous/article/489930/

Threat Hunting (Pro-active Security) Moving Into Mainstream (April 12, 2016)

Dr. Eric Cole's Paper on the state of threat hunting is released with some surprising results. 86% of nearly 500 respondents state their organization is already involved in threat hunting. However, more than 40% do not have a formal program in place. That means Ad Hoc results which are not repeatable. The way forward to a systematic data driven approach is fairly clear:
-https://www.sans.org/reading-room/whitepapers/analyst/threat-hunting-open-season
-adversary-36882
">https://www.sans.org/reading-room/whitepapers/analyst/threat-hunting-open-season
-adversary-36882
[Editor's Note (Northcutt): The first step is to define the term and then begin to focus on the ROI. Dr. Cole's paper does a great job of exploring the current state and makes recommendations to where we should go:
-https://www.sans.org/reading-room/whitepapers/analyst/threat-hunting-open-season
-adversary-36882
">https://www.sans.org/reading-room/whitepapers/analyst/threat-hunting-open-season
-adversary-36882
However, in terms of a maturity model many organizations don't have a solid understanding of what it is and why it matters. A paper by Rob Lee and Robert M. Lee helps with that:
-https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effect
ive-threat-hunting-36785]
We are going to be exploring Threat hunting, Browser insecurity and much more at SANS Boston 2016, August 1 - 6. I hope to see you there:
-http://www.sans.org/u/cBk]

---

STORM CENTER TECH CORNER

Badlock not so bad
-https://isc.sans.edu/forums/diary/BadLock+Vulnerability+CVE20162118/20933/

PFSense DShield Client Updated for PFSense Version 2.3
-https://isc.sans.edu/forums/diary/Updated+PFSense+Client/20937/

JigSaw Decryption Tool Released
-http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-d
elete-your-files-until-you-pay-the-ransom/

Android Bluetooth Pairing Vulnerability
-https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-android-bluetooth-pairing
-bypass-2016-04-12.pdf

Samsung Galaxy Phones Expose Modem via USB Port
-https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0004

Doing HTTP Key Pinning Right
-https://isc.sans.edu/forums/diary/HTTP+Public+Key+Pinning+How+to+do+it+right/209
43/

Identify Ransomware
-https://id-ransomware.malwarehunterteam.com

Another Fake Flash Update For OS X
-https://www.intego.com/mac-security-blog/mac-users-attacked-fake-adobe-update/

Chrome 50 Released
-http://googlechromereleases.blogspot.com/2016/04/stable-channel-update_13.html

URL Shorteners Weaken Random URLs
-http://arxiv.org/pdf/1604.02734v1.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/