SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #31

April 19, 2016

TOP OF THE NEWS

60 Minutes Segment Demonstrates Ease of Tracking Smartphones
US and Russia Officials Meeting on Cybersecurity Issues
US Cyberoffense Against ISIS

THE REST OF THE WEEK'S NEWS

Google/Berkeley Study on Efficacy of Web Hijacking Notification Methods
Google Beefs Up Chrome Web Store User Data Policy
Newark, New Jersey Police Department Computers Infected with Malware
IT Engineer Gets Prison Sentence for Damaging Former Employer's Systems
BlackBerry Confirms Helping RCMP Decrypt BlackBerry Messenger Chats
MIT AI Platform Aims to Help detect More Threats
Ransomware Targeting Out-of-Date Versions of JBoss
Homeland Security: Uninstall Windows Quicktime
Fake LinkedIn Profile Leads To Malware

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************** Sponsored By AlienVault *************************

Learn how to detect signs and symptoms of botnet infiltration and communication with command and control servers. Download your free white paper.
http://www.sans.org/info/184877

***************************************************************************

TRAINING UPDATE

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Copenhagen, Prague, Houston, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

60 Minutes Segment Demonstrates Ease of Tracking Smartphones (April 18, 2016)

US television investigative news magazine 60 Minutes ran a segment showing just how vulnerable smartphones are to tracking and eavesdropping. US Senator Ted Lieu (D-California) participated in the demonstration. Using just the 10-digit number associated with the smartphone, Security Research Labs' Karsten Nohl was able to record calls made to and from the device and track its precise location. Nohl exploited a weakness in the Signaling System No. 7 (SS7) routing protocol to access the phone Lieu was using.
-http://arstechnica.com/security/2016/04/how-hackers-eavesdropped-on-a-us-congres
sman-using-only-his-phone-number/
-http://www.computerworld.com/article/3058020/security/hackers-only-need-your-pho
ne-number-to-eavesdrop-on-calls-read-texts-track-you.html
-http://www.theregister.co.uk/2016/04/18/ss7_60_minutes_iphone/
-http://thehill.com/blogs/ballot-box/276626-60-minutes-hacks-congressmans-phone-f
or-security-report

US and Russia Officials Meeting on Cybersecurity Issues (Apr. 17, 2016)

Senior cybersecurity officials from the U.S. and Russia are holding meetings this week in Geneva on cybersecurity, renewing efforts to prevent the countries from mistakenly getting into a cyber war, U.S. officials say. The meetings will include a review of cybersecurity agreements signed in 2013 by the two countries.
-http://www.cnn.com/2016/04/17/politics/us-russia-meet-on-cybersecurity/

US Cyberoffense Against ISIS (April 14 and 18, 2016)

A US military official says that the US is launching "cyber bombs" against ISIS. According to unnamed sources, the US Cyber Command is infiltrating ISIS computers to plant malware, exfiltrate information, and interrupt communications.
-http://www.cnn.com/2016/04/13/politics/robert-work-cyber-bombs-isis-sucks/index.
html
-http://www.scmagazine.com/us-cyber-soldiers-hitting-isis-hard/article/490354/
-http://www.thedailybeast.com/articles/2016/04/17/u-s-ratchets-up-cyber-attacks-o
n-isis.html
[Editor's Note (Ranum): As I predicted a decade ago, the US' strategy is to make cyberwar a "weapon of privilege" - i.e.: we can use it against you but don't you DARE use it against us. That works only until weapons parity is achieved, which is going to be relatively quick given economic pressures. ]

---

************************** SPONSORED LINKS ********************************
1) Don't let a security breach harm customer trust. Learn how to protect your relationships with LifeLock. http://www.sans.org/info/184882

2) Overcome Privilege Management Obstacles with CSC v. 6. Tuesday, April 26, 2016 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Jon Wallace. http://www.sans.org/info/184822

3) How to Produce a World-Class Threat Intelligence Capability From Scratch. Wednesday, April 27, 2016 at 3:00 PM EDT (19:00:00 UTC) with Levi Gundert and John Pescatore. http://www.sans.org/info/184887
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google/Berkeley Study on Efficacy of Web Hijacking Notification Methods (April 18, 2016)

Last year, Google detected nearly 800,000 websites that had been infected with malware. Google has released a study it conducted with University of California Berkeley about how best to help webmasters address these breaches. The study, Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension, found that 75 percent of webmasters who received email notifications that their site was infected were able to fix the problem; browser warnings and Google search warnings followed at 54 percent and 43 percent, respectively. The email notification included advice and examples of malicious activity.
-http://www.darkreading.com/cloud/google-finds-800000-websites-breached-worldwide
-/d/d-id/1325169?
-http://news.softpedia.com/news/google-detected-760-000-compromised-websites-duri
ng-one-year-503140.shtml
Study:
-http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/4
4924.pdf
[Editor's Note (Pescatore): The study cites a survey that showed only 6% of webmasters discovered an infection via proactive monitoring for suspicious activity. 49% learned about the compromise when they received a browser warning while attempting to view their own site, and 35% found out through other third-party reporting channels, such as contact from their web hosting provider or a notification from a colleague or friend who received a browser warning. This says that not much continuous monitoring of web sites going on - unless you count webmasters surfing their own site with a browser. Logs from Web Application Firewalls and load balancers are good sources of monitoring data that don't require touching the host, many good host-based monitoring solutions out there, too. (Henry): The notification program appears to be proven effective, so kudos to Google and Berkeley for implementing it. It begs the question, though - if 75% of webmasters were able to fix the problem when notified - - so they had the capability - why was it infected in the first place? It implies many of these breaches were via exploitation of previously identified vulnerabilities, which could have been mitigated if standard patching had been applied. ]

Google Beefs Up Chrome Web Store User Data Policy (April 18, 2016)

Google has made changes to the Chrome Web Store User Data Policy to protect users from data theft. Third-party developers must encrypt personal data that they transmit. The revised policy also requires developers to create and publish a privacy policy explaining which data they collect and how it is used.
-http://www.theregister.co.uk/2016/04/18/google_revises_chrome_web_store_conditio
ns/
-https://developer.chrome.com/webstore/program_policies#userdata
[Editor's Note (Pescatore): Encrypting PII in motion is a good thing, but there does not appear to be any requirement on the server side of Chrome Web Store apps for encrypting that data when stored, which is the higher risk part. I'm surprised a privacy policy wasn't already required as part of the submission process; the Apple App Store has had that for a while. I don't think there is much testing of apps against the policies, but this makes it easier for them to remove apps from the Store that do violate policies. (Murray): One hopes Google will make available suitable services to the third party developers. Crypto implemented by amateurs will be vulnerable. ]

Newark, New Jersey Police Department Computers Infected with Malware (April 18, 2016)

Some computer systems at the Newark, New Jersey Police Department were hit with cyberattacks last week. The affected systems are used to track and analyze crime data. The malware reportedly locked down servers, so that the department was unable to track and analyze crime data and had to use a backup system to dispatch police and other first responders. The systems were unavailable for three days.
-http://www.scmagazine.com/newark-pd-hit-with-cyberattack-systems-down-for-three-
days/article/490359/
-http://www.nj.com/essex/index.ssf/2016/04/cyber_attack_shuts_down_newark_police_
computer_sys.html#incart_river_index

IT Engineer Gets Prison Sentence for Damaging Former Employer's Systems (April 18, 2016)

Anastasio N. Laoutaris has been sentenced to more than nine years in prison and fined US $1.7 million for attacking his former employer's computer system. Laoutaris worked as an IT engineer for a Texas law firm. Several months after he stopped working at the firm, Laoutaris accessed the systems and caused damage, "deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user email accounts."
-http://www.darkreading.com/operations/9-years-prison-$17-million-fine-for-malici
ous-insider-/d/d-id/1325166?
-https://www.justice.gov/usao-ndtx/pr/former-law-firm-it-engineer-convicted-compu
ter-intrusion-case-sentenced-115-months
[Editor's Note (Williams): Failure to terminate access during employee separation continues to be a weakness at many organizations. Just having a policy is not enough. Organizations should ensure that supervisors at every level know that it is their responsibility to notify IT to suspend access for separated employees as soon as possible. ]

BlackBerry Confirms Helping RCMP Decrypt BlackBerry Messenger Chats (April 18, 2016)

BlackBerry has confirmed that it helped the Royal Canadian Mounted Police (RCMP) access encrypted BlackBerry Messenger (BBM) chats sent through the BlackBerry Internet Server (BIS). The messages were related to a major organized crime ring. Communications sent through BES (BlackBerry Enterprise Server) were not affected.
-http://www.cnet.com/news/blackberry-defends-giving-police-access-to-phone-messag
es/
-http://www.cbc.ca/news/technology/john-chen-blackberry-encryption-1.3541169
-http://www.theregister.co.uk/2016/04/18/blackberrys_john_chen_security_response/
John Chen's Blog:
-http://blogs.blackberry.com/2016/04/lawful-access-corporate-citizenship-and-doin
g-whats-right/

MIT AI Platform Aims to Help detect More Threats (April 18, 2016)

Researchers at the Massachusetts Institute of Technology (MIT) have developed an artificial intelligence platform that improves threat detection. AI2, developed by MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), detects 85 percent of attacks, a percentage three times greater than current analytics provides. It also reduces false positive by a factor of five.
-http://www.darkreading.com/operations/mit-ai-researchers-make-breakthrough-on-th
reat-detection/d/d-id/1325160?
-http://www.zdnet.com/article/mit-reveals-ai-platform-which-detects-85-percent-of
-cyberattacks/

Ransomware Targeting Out-of-Date Versions of JBoss (April 15, 18, and 19, 2016)

Samsam ransomware has been targeting systems running outdated versions of Red Hat JBoss enterprise server. Cisco's Talos security team estimates that as many as 3.2 million serves may be running old versions of JBoss. Although the flaw that Samsam exploits has been patched, there are older versions of JBoss that have not been patched; some third-party apps require those older versions.
-http://www.computerworld.com/article/3056829/security/schools-put-on-high-alert-
for-jboss-ransomware-exploit.html
-http://arstechnica.com/security/2016/04/3-million-servers-are-sitting-ducks-for-
crypto-ransomware-infection/
-http://www.zdnet.com/article/out-of-date-apps-put-three-million-servers-at-risk-
of-ransomware/
-http://www.theregister.co.uk/2016/04/19/samsam_ransomware_in_hospitals_schools/
Cisco Talos Blog:
-http://blog.talosintel.com/2016/04/jboss-backdoor.html
[Editor's Note (Williams): Dependencies on out-of-date software will continue to represent a major risk to organizations. If you have licensed software that requires you to run vulnerable software, use your contract purchasing power to look elsewhere. Vendors that rely on insecure software libraries do not have your best interests at heart and are likely not practicing SDLC, exposing you to additional vulnerabilities. ]

Homeland Security: Uninstall Windows Quicktime

Apple is no longer issuing updates for the Windows version of Quicktime. Flaws in the software are being discovered. The only scalable resolution is to uninstall.
[Editor's note (Northcutt): This pretty much means the end of Quicktime and Apple does not disagree:
-http://www.engadget.com/2016/04/18/apple-ends-quicktime-for-windows-support/
-http://appleinsider.com/articles/16/04/18/apple-confirms-quicktime-for-windows-e
nd-of-life
-http://www.inc.com/joseph-steinberg/why-you-must-remove-quicktime-from-your-wind
ows-computer-right-now.html
-http://www.wired.com/2016/04/uninstall-quicktime-on-windows/]

Fake LinkedIn Profile Leads To Malware (April 18, 2017)

A common LinkedIn Profile named "Diane" has a picture that is on at least 146 Internet web sites. Most of them are designed to sell email marketing lists. However, further down in the reverse image search results are a large number of "Free" software utilities, many containing malware.
-http://iwperceptionmanagement.blogspot.com/2016/04/fake-diane-on-linkedin.html
-http://www.darkreading.com/cloud/google-finds-800000-websites-breached-worldwide
-/d/d-id/1325169?

---

STORM CENTER TECH CORNER

Implementing "bash_history" for cmd.exe
-https://isc.sans.edu/forums/diary/Windows+Command+Line+Persistence/20949/

Mixed encoding in Malicious Documents
-https://isc.sans.edu/forums/diary/VBS+VBE/20953/

Swedish Air Traffic Control Outage Result of Solar Flares
-http://www.lfv.se/en/news/news-2016/full-capacity-after-90-minutes-radar-loss

Why you should not require password changes
-https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

Bypassing Microsoft Edge XSS Filter
-http://blog.portswigger.net/2016/04/edge-xss-filter-bypass.html

Retefe Banking Malware Appearing Again
-https://isc.sans.edu/forums/diary/Retefe+is+back+in+town/20957/

Git on OS X Vulnerable
-https://rachelbythebay.com/w/2016/04/17/unprotected/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/