SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #32

April 22, 2016

More than 12,000 technical cybersecurity people get a daily, 5-6 minute technical update through Dr. Johannes Ullrich's Internet Storm Center podcast. You may, too. His podcasts are deep, accurate, timely, and free. Podcast: https://ISC.sans.edu/podcast.html">https://ISC.sans.edu/podcast.html (or on iTunes search for Internet Storm Center) Blog: https://ISC.sans.edu

The NASA stories at the Top of the News today, combined with data on deep breaches at NASA that OMB and Congressional committees can easily obtain, provide the clearest evidence yet of OMB's negligence in its mismanagement of federal cybersecurity. NASA is one of 6 agencies that OMB rated as having the best cybersecurity (green) for 2012, 2013, and 2014, and NASA was still ranked 6th among all agencies in 2015. (see table on page 35 at https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy_201
5_fisma_report_to_congress_03_18_2016.pdf). The bottom line: Strong evidence that OMB guidance, made mandatory in OMB A130, forces agencies to measure the wrong indicators. Does anyone with a responsible role in government care?

Alan

---

TOP OF THE NEWS

NASA Networks Neglected; Ranks At The Bottom
US Energy Bill Includes Cyberattack Provisions
UK Surveillance Bill Would Require Government Vetting of New
Communications Technology
US Cybersecurity Officials Speak to Difficulties of Continuous Monitoring

THE REST OF THE WEEK'S NEWS

Another Adobe Update
Mac Ransomware Blocker Utility
US Legislators Lack Unbiased Scientific and Technical Advice
FCC to Examine Mobile Network Security
60 Minutes Australia Covered SS7 Vulnerability Last Year
Legislators Seek Answers in Juniper Software Backdoor Case
Oracle's Quarterly Update Marks Move to CVSS 3.0
Prison Sentences for SpyEye Creators
Data Breaches and Cybersecurity Company Valuations
Tallinn Hosts Cyberdefense Exercise

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By Cisco Systems ************************

Build an Effective Incident Response Plan: Trying to build an effective incident response plan, but not sure how? Today's attacks demand a strong response. It is no longer enough to just identify and remediate a threat. Download this complimentary white paper to learn about the critical components of incident response and how they can strengthen your network defenses.
http://www.sans.org/info/185157

***************************************************************************

TRAINING UPDATE

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Copenhagen, Prague, Houston, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

NASA Networks Neglected; Ranks At The Bottom (March 15 and 28, and April 4, 2016)

According to documents obtained by Federal News Radio, NASA computer systems are seriously vulnerable to attacks. IT operations are not keeping up with patches for applications and operating systems, and the company contracted to manage protection of the agency's desktops and end-user services, including some patching, acknowledges that it lacks the resources to stay current with patches. "NASA lacks a focus on cyber and there is no real strategy for dealing with internal weaknesses," according to a NASA engineer. Other sources noted that NASA culture places mission before cybersecurity.
-http://federalnewsradio.com/cybersecurity/2016/03/widespread-neglect-puts-nasas-
networks-jeopardy/

US Energy Bill Includes Cyberattack Provisions (April 20, 2016)

The US Senate has approved an energy bill that grants the Department of Energy (DOE) the authority to step in during a cyberattack and tell electric companies what to do to protect the grid. The bill also authorizes funding for cyber research and testing, and more clearly defines DOE's role in power grid defense.
-http://thehill.com/policy/cybersecurity/276979-energy-bill-gives-doe-greater-pow
er-to-fight-grid-hackers
[Editor's Note (Weatherford): The glaring assumption here is that DOE has the expertise to tell the very diverse electricity industry in North America (includes both US and Canadian companies) how to run their business. I suppose because it, ahem, works in all the other instances where government thinks they are smarter than the private sector. ]

UK Surveillance Bill Would Require Government Vetting of New Communications Technology (April 19, 2016)

Draft surveillance legislation in the UK would require technology and telecommunications companies to run new products, services, and features by the government prior to their release, to ensure that they provide capability for the government to intercept communications or access stored data.
-http://www.zdnet.com/article/uk-spy-bill-will-force-tech-firms-to-disclose-futur
e-products-before-launch/
[Editor's Note (Honan): Should this pass I envisage a major impact on the UK tech industry as clients turn away from using those products, and competitive advantage for UK companies against companies elsewhere is lost as they await the green light from the government review. ]

US Cybersecurity Officials Speak to Difficulties of Continuous Monitoring (April 15, 2016)

Two US cybersecurity officials speaking on a panel at the Security Through Innovation Summit told the audience that government agencies are struggling with continuous monitoring of large computer networks. Roger Greenwell, chief of cybersecurity for the Defense Information Systems Agency (DISA) said that within the Department of Defense, "Every service has their own unique way of doing things," which complicates Continuous Diagnostics and Monitoring (CDM)/ Shaun Khalfan, Chief Systems Security Officer senior cybersecurity executive at the US Department of Homeland Security (DHS) Customs and Border Patrol noted that his agency has "a lot of third party customers, and breaches are now coming from third party entities."
-http://fedscoop.com/dhs-disa-cybersecurity-chiefs-cdm-is-still-a-challenge
[Editor's Note (Murray): We already know that this is a hard job but somebody has to do it. When will it be time to stop whining and start doing? IT in general, and security in particular, remain the least measured function in both government and enterprise. What one does not measure, one cannot manage. (Paller): CDM was hijacked by well-meaning consultants at DHS to make it an upward reporting system in which agency cybersecurity management problems are exposed and the agencies are embarrassed. Agency managers will find reasons to delay any program that is misdirected like the hijacked CDM program. On the other hand, there is an easy way to get the benefits of CDM without embarrassing agencies. The model on which CDM was based used the easy method. Sadly, DHS executives lost control of CDM and it took on a life of its own going in the wrong direction. The result: over $200 million dollars wasted. It can still be salvaged. ]

---

************************** SPONSORED LINKS ********************************
1) Cracking the Code on SaaS Security & Compliance. Thursday, April 28, 2016 at 1:00 PM EDT (17:00:00 UTC) with Brandon Cook. http://www.sans.org/info/185162

2) Mark Your Calendars for April 27th Webcast: Managing Applications Securely: A SANS Survey: http://www.sans.org/info/185167

3) New Survey: Tell us how the IT community consumes AND uses cyber threat intel. Chance to win $400 Amazon Gift Card OR a FREE Summit Pass! http://www.sans.org/info/185172
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Another Adobe Update (April 21, 2016)

Adobe has released a third security update this month, this time for the Adobe Analytics AppMeasurement for Flash Library. The flaw, which affects versions 4.0 and earlier, could be exploited to launch cross-site scripting attacks.
-http://www.scmagazine.com/adobe-issues-third-update-for-april/article/491436/
-https://helpx.adobe.com/security/products/analytics/apsb16-13.html

Mac Ransomware Blocker Utility (April 21, 2016)

Patrick Wardle has created a utility that detects and blocks ransomware activity on Macs. The application, RansomWhere?, monitors home directories; if files inside those directories are being created rapidly, RansomWhere? will identify and suspend the responsible process. The tool reduces false positives by whitelisting most existing applications when it is installed; to be effective, the tool must be installed on a ransomware-free computer.
-http://www.zdnet.com/article/former-nsa-security-expert-builds-ransomware-blocke
r-for-mac/
-http://www.computerworld.com/article/3059997/security/this-tool-can-block-ransom
ware-on-mac-os-x-for-now.html
[Editor's Note (Ullrich): Ransomware hasn't been a huge issue yet for OS X. But I really like the approach this tool takes to detect possible infections. Certainly worth trying it out. (Williams): Detecting bulk file write operations is the same general technique used by LightCyber to detect ransomware at the file server level -
-https://www.sans.org/reading-room/whitepapers/detection/detecting-targeted-data-
breach-ease-product-review-36337]

US Legislators Lack Unbiased Scientific and Technical Advice (April 21, 2016)

Budget cuts more than twenty years ago eliminated the US Office of Technology Assessment (OTA), which provided legislators with unbiased scientific and technological information. Former congressman Rush Holt, a trained research physicist, tried to bring OTA back, but did not succeed. He noted, "Most members of Congress don't know enough about science and technology to know what questions to ask, and so they don't know what answers they're missing."
-http://www.wired.com/2016/04/office-technology-assessment-congress-clueless-tech
-killed-tutor/
[Editor's Note (Weatherford): The Burr-Feinstein bill is a good example of this. We don't expect the Senators and House members to be experts on everything but we should expect their staffs and advisors to find the right kind of experts to validate what they put into legislation, even 'draft' legislation, without embarrassing the sponsors. ]

FCC to Examine Mobile Network Security (April 20 and 21, 2016)

Following a 60 Minutes television news magazine segment that demonstrated a vulnerability that could be exploited to eavesdrop on phone calls, the head of the US Federal Communications Commission's (FCC) Public Safety Bureau has directed his staff to look into the Signal System 7 (SS7) vulnerability.
-http://www.scmagazine.com/update-hacker-taps-congressmans-cellphone-investigatio
n-called-for/article/490826/
-http://thehill.com/policy/technology/277063-fcc-to-take-look-at-mobile-networks-
security
[Editor's Note (Ullrich): Does it really take a 60 Minutes segment to educate the FCC about the issues surrounding SS7? How are they going to stay ahead of more modern issues? It now costs only about $500 to build a fake cell tower. (Pescatore): Amazing that 60 Minutes still has the power to get politicians excited about vulnerabilities when actual research doesn't. I guess this is related to the item that points out that budget cuts to OTA have reduced unbiased technical advice. The good news: at least they aren't getting their info from Twitter. The bad news: in security the FCC's CSRIC committee has a history of producing many yearly reports but rarely driving any action in the telecoms world.]

60 Minutes Australia Covered SS7 Vulnerability Last Year

The SS7 vulnerability was demonstrated last year on a segment for Australia's 60 Minutes program, which also noted that a relatively inexpensive and readily obtainable device known as an IMSI catcher, or cell-site simulator, could be used to conduct man-in-the-middle attacks against cellphones.
-https://www.youtube.com/watch?v=7bHEp3m4HkA
-http://gadgets.ndtv.com/mobiles/news/mobile-network-flaw-lets-anyone-tap-your-ca
lls-track-your-location-729289

Legislators Seek Answers in Juniper Software Backdoor Case (April 20 and 21, 2016)

US Congressman Ted Lieu (D-California) believes Juniper Networks should be held accountable for software that contained a vulnerability that could have exposed government secrets. The backdoor was disclosed in Juniper ScreenOS in December 2015, and it is still unclear how the malicious code made its way into the firewall and virtual private network (VPN) software.
-http://www.nextgov.com/cybersecurity/2016/04/juniper-code-hack-remains-whodunit/
127668/?oref=ng-HPriver
-http://thehill.com/policy/cybersecurity/276992-house-dem-lashes-out-at-company-b
ehind-flawed-software
-http://thehill.com/policy/cybersecurity/276990-lawmakers-press-for-attribution-o
n-govt-backdoor-hack

Oracle's Quarterly Update Marks Move to CVSS 3.0 (April 20, 2016)

Oracle's quarterly Critical Patch Update fixes 136 issues in numerous products, including Oracle Database Server, Oracle E-Business Suite, Oracle Sun Products, and Oracle Java SE. This update marks Oracle's shift from the Common Vulnerability Scoring System (CVSS) version 2.0 to CVSS version 3.0.
-http://www.computerworld.com/article/3059199/security/oracle-releases-136-securi
ty-patches-for-wide-range-of-products.html
-http://www.scmagazine.com/oracle-shifts-to-cvss-30-quarterly-update-contains-136
-fixes/article/491119/
[Editor's Note (Pescatore): The changes made in CVSS 3.0 make it much more useful for application vulnerabilities, vs. OS vulnerabilities. It also added various factors that give vendors fewer excuses to customize the scores by adding proprietary factors or to avoid using CVSS completely. I'd like to see Microsoft start using CVSS either instead of, or in addition to, their Exploitability Index. ]

Prison Sentences for SpyEye Creators (April 20 and 21, 2016)

Two men have been sentenced to prison for their roles in developing and distributing SpyEye botnet malware. SpyEye infected a reported 50 million computers and could be used to steal information and to send spam. Hamza Bendelladj received a 15-year sentence; Aleksandr Andreevich Panin received a nine-and-a-half year sentence.
-http://krebsonsecurity.com/2016/04/spyeye-makers-get-24-years-in-prison/
-http://thehill.com/policy/cybersecurity/277106-hackers-sentenced-to-24-years-for
-preeminent-banking-virus
-http://www.computerworld.com/article/3059575/security/spyeye-botnet-kit-develope
r-sentenced-to-long-jail-term.html
-http://www.bbc.com/news/technology-36101078

Data Breaches and Cybersecurity Company Valuations (April 20, 2016)

According to information tracked by a venture capital firm in New York, media coverage of major data breaches has had a noticeable increase on the stock valuations of cybersecurity companies.
-http://www.scmagazine.com/data-breaches-fueled-valuations-of-cyber-firms/article
/490945/

Tallinn Hosts Cyberdefense Exercise (April 20, 2016)

The NATO Cooperative Cyber Defence Centre of Excellence is hosting a cyberdefense exercise in Tallinn, Estonia. Described as "the biggest and most advanced international live-fire cyber defense exercise in the world," Locked Shields 2016, involves 550 cybersecurity professionals from 26 countries.
-http://www.scmagazine.com/worlds-largest-international-cyber-defence-exercise-un
derway-in-tallinn/article/490938/
-https://ccdcoe.org/locked-shields-2016.html

---

STORM CENTER TECH CORNER

Flash Provides Top Targeted Vulnerabilties for 2015
-https://www.solutionary.com/_assets/pdf/research/2015-gtir.pdf

Google Publishes Data About Safe Browsing Effectiveness
-http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/4
4924.pdf

Detecting curl pipes to bash
-https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

Decoding Pseudo Darkleech
-https://isc.sans.edu/forums/diary/Decoding+PseudoDarkleech+1/20969/

Tesla Crypt 4.1
-https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslac
rypt-41a-and-malware-attack-chain

Testing TLS Libraries With TLS Attacker
-https://github.com/RUB-NDS/TLS-Attacker

Accellion Secure File Transfer Vulnerability and Facebook Exploitation
-http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoo
r-script-eng-ver/

Application Whitelisting Bypass With regsvr32
-http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html

New NetworkManager Version Released
-https://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?id=nm-1-2

Opera Includes Free VPN
-http://www.opera.com/blogs/desktop/2016/04/free-vpn-integrated-opera-for-windows
-mac/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/