SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #33

April 26, 2016

Although not "Top of the News," the two stories on Bug Bounties illuminate the value that organizations are seeing in well-managed bug bounty programs and the growing acceptance of this approach as a far more effective way to find critical vulnerabilities than relying exclusively on commercial software and/or red team services.

Alan

---

TOP OF THE NEWS

FBI: Response Takes Precedence Over Attribution
DHS Red Teams Conduct Penetration Tests on Government Agencies
US Cyber Command Using Cyber Capabilities Against ISIS
More Bad News for NASA Cybersecurity

THE REST OF THE WEEK'S NEWS

MIT Bug Bounty Program
Facebook Bug Bounty Hunter Found Evidence of Earlier Intrusion
Crop Databases Face Cyberthreats
US Military Wants Secure Messaging Platform
Two Plead Guilty in Connection with IRS "Get Transcript" Fraud
Bangladesh Bank Breach Factors
Cisco Releases Updates to Fix Denial-of-Service Flaws
DHS Wants to Improve Private Company Critical Infrastructure Data Storage
Judy Novak's PCAP Riddle Contest - Innovative Solutions Open To All

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Splunk ***************************

On AWS, you can't secure what you can't see. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS. Register for our upcoming webinar to hear from a leading customer, AWS, and Splunk about how to better secure and manage your AWS environment.
http://www.sans.org/info/185222

***************************************************************************

TRAINING UPDATE

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --SANS Baltimore Spring 2016 | Baltimore, MD | May 9-14 | 9 courses in IT security, cyber defense, incident handling, security management, and Windows forensics plus multiple SANS@Night talks.
http://www.sans.org/u/gR7

- --SANS Houston 2016 | Houston, TX | May 9-14 | 7 courses including the NEW Network Penetration Testing & Ethical Hacking course.
http://www.sans.org/u/dzE

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy Plus Prague, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI: Response Takes Precedence Over Attribution (April 21, 2016)

Donald Freese, director of the FBI's National Cyber Investigative Joint Task Force, told attendees at Akamai's Government Forum last week that his team's approach to cyberattacks is to focus on response rather than attribution.
-http://www.nextgov.com/cybersecurity/2016/04/fbi-official-recovering-cyber-attac
k-who-isnt-so-important/127697/?oref=ng-channelriver
[Editor's Note (Pescatore): I like the talk - Freese is quoted as saying the FBI will work to do more blocking of attacks and less "hand-wringing." There is a definite need for more "I am certain that is an attack, so I blocked it" and less "I am certain this is an attack, so I let it continue so I could watch it do damage so I could write a report about who caused the damage." (Northcutt): That is sensible. This approach enables desist and recovery countermeasures to release as fast as possible and avoids the embarrassment of sustaining significant damage while waiting to "nail the bad guy". Take a quick look at page 38 of the CREST IR guide which builds on many guides before it and think about how to cause those actions to happen; fast:
-http://www.crest-approved.org/wp-content/uploads/CSIR-Procurement-Guide.pdf
(Honan): I hope many others follow the FBI's example. Too many people focus on the who of a breach and not on the how. ]

DHS Red Teams Conduct Penetration Tests on Government Agencies (April 25, 2016)

The US Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has conducted penetration tests on three unnamed US government civilian agencies. The red teams were able to "own those agencies from top to bottom and side-to-side." NCCIC now plans to help those agencies fix their network weaknesses. The agencies will also have help developing internal cybersecurity talent so they can continue to conduct similar assessments more frequently.
-http://federalnewsradio.com/cybersecurity/2016/04/dhs-gives-cyber-hunters-better
-type-license/
[Editor's Note (Assante): Let's pause the tactical remediation game and red team scoreboard exercise just long enough to ask ourselves why these repeated results don't necessitate a strategy change? 100% failure from incidents to red team tests should shake up the cybersecurity leadership and put a concerted effort in place to re-tool a failed strategy. (Honan): Red teaming is an effective way of identifying weaknesses in your security but do balance their findings with someone with experience in implementing secure defences. Having a pure red team person recommend defence strategies can be like having a forward in soccer be the goalkeeper for your team. Just because you excel at scoring goals, does not necessarily mean that forward will make a great goalkeeper. ]

US Cyber Command Using Cyber Capabilities Against ISIS (April 24 and 25, 2016)

The New York Times reports that the US military's Cyber Command has been directed to launch cyberattacks against ISIS. These attacks are in concert with traditional weapons attacks. One reason the plan to use cyberweapons has been made public is to undermine the Islamic State's confidence in the integrity of its data and make potential recruits wary of communications.
-http://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-fo
r-first-time.html
[Editor's Note (Murray): Sounds like espionage, not sabotage. I find that comforting. We are much better at the one than the other. Dramatically lower potential for "blow-back." ]

More Bad News for NASA Cybersecurity (April 25, 2016)

Two more reports have found serious cybersecurity problems at NASA. The agency's inspector general found that NASA needs to improve continuous monitoring management, configuration management, and risk management. And a private security company, Security Scorecard, ranked NASA last among 600 federal, state, and local government agencies surveyed in its report. Security Scorecard found that NASA had issues with secure sockets layer (SSL) certificates, unsecure open ports, and misconfigured email sender policy frameworks.
-http://federalnewsradio.com/cybersecurity/2016/04/nasa-continues-take-cyber-lump
s/
NASA IG Report:
-https://oig.nasa.gov/audits/reports/FY16/IG-16-016.pdf
[Editor's Note (Assante): I would be productive to compare the relative cyber security posture and performance of private sector space firms doing business with the US Government versus these NASA findings. These results would concern me if I was sharing sensitive and proprietary data with NASA. (Murray): These findings are not unique to NASA. Private industry may take comfort in that they are subjected to a lower level of scrutiny but should assume that the findings also apply to them. (Honan): I recommend that if you have responsibility for security in your organisation that you read this report about NASA, not to gloat over how poor their security may or may not be, but rather to look for lessons learnt to improve the security in your organisation. ]

---

************************** SPONSORED LINKS ********************************
1) Mark Your Calendars for April 27th Webcast: Managing Applications Securely: A SANS Survey: http://www.sans.org/info/185227

2) Cracking the Code on SaaS Security & Compliance. Thursday, April 28, 2016 at 1:00 PM EDT (17:00:00 UTC) with Brandon Cook. http://www.sans.org/info/185232

3) New Survey: Tell us how the IT community consumes AND uses cyber threat intel. Chance to win $400 Amazon Gift Card OR a FREE Summit Pass! http://www.sans.org/info/185237
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

MIT Bug Bounty Program (April 25, 2016)

The Massachusetts Institute of Technology (MIT) has launched an experimental bug bounty program. Participation is limited to MIT affiliates, including students, who have valid certifications. The program is looking for specific categories of vulnerabilities in the school's web domains. Prizes for finding flaws will be paid in TechCASH, which can be used on campus, and the top contributors will get to keep their Kerberos accounts after they graduate.
-http://www.scmagazine.com/mit-launches-bug-bounty-program/article/491878/
[Editor's Note (Pescatore): Well-managed bug bounty programs are showing value in a lot of use cases, with emphasis on the "well managed". The use of "TechCASH" is a unique slant - limits the pool of interested testers, but I guess reduces cost. Odds are the first target will be the TechCASH system... ]

Facebook Bug Bounty Hunter Found Evidence of Earlier Intrusion (April 22 and 25, 2016)

A bug bounty hunter searching for vulnerabilities on a Facebook's internal network found evidence that a server had already been compromised. The individual found the telltale files in February, but waited until Facebook has fixed the problem to disclose details. He was awarded US $10,000 for finding the vulnerability in the server.
-http://www.bbc.com/news/technology-36128184
-http://www.cnet.com/news/facebook-hacker-finds-another-intruder-beat-him/
-http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_
beaten_me_to_it/
[Editor's Note (Williams): When conducting penetration tests, we regularly find evidence of previous or even ongoing intrusions. When negotiating a penetration test, ask your provider if they've ever seen this (if not, question why) and how it will be addressed if it happens during your penetration test. If your penetration tester gets in by exploiting a vulnerability, they may not be the first. ]

Crop Databases Face Cyberthreats (April 25, 2016)

Last month, the FBI sent a Private Industry Notification to farmers, warning that data used in precision agriculture technology, or smart farming, could be targeted by data thieves. Farmers using the technology are urged to make sure that the companies that manage those data have established cybersecurity and breach response plans.
-https://fcw.com/articles/2016/04/25/rockwell-fbi-farm-data.aspx
-https://info.publicintelligence.net/FBI-SmartFarmHacking.pdf

US Military Wants Secure Messaging Platform (April 25, 2016)

The US military's Defense Advanced Research Projects Agency (DARPA) is seeking suppliers to develop an encrypted messaging platform based on blockchain technology. One of the goals for the new platform is to allow DoD to communicate more quickly than it does now with centralized, legacy messaging systems.
-http://www.zdnet.com/article/the-us-military-wants-its-own-encrypted-messaging-a
pp-that-uses-blockchain/
-https://sbir.defensebusiness.org/(X(1)S(dougahnan4h4d0uuwifnxln5))/topics?AspxAu
toDetectCookieSupport=1#topic27859#topic27859
[Editor's Note (Pescatore): I think this is really more DARPA looking to do something with buzz-heavy block chain technology using small business funding methods, vs. anything serious about moving DoD to be able to communicate more quickly/securely. ]

Two Plead Guilty in Connection with IRS "Get Transcript" Fraud (April 22 and 25, 2016)

Two people have pleaded guilty to charges of conspiracy to commit money laundering and illegally structuring cash withdrawals to evade bank reporting requirements for their roles in a scheme to defraud the US Internal Revenue Service (IRS). The scheme involved exploited the "Get Transcript" tool to obtain taxpayers' personal information and filing fraudulent returns to obtain refunds. Another person involved in the scheme pleaded guilty to money laundering earlier this year.
-http://thehill.com/policy/cybersecurity/277338-two-plead-guilty-in-irs-data-brea
ch
-http://www.scmagazine.com/husband-and-wife-plead-guilty-in-irs-breach-that-compr
omised-700k-accounts/article/492035/
DoJ Press Release:
-https://www.justice.gov/opa/pr/georgia-husband-and-wife-plead-guilty-stolen-iden
tity-tax-refund-fraud-scheme-involving-irs

Bangladesh Bank Breach Factors (April 22 and 25, 2016)

According to Reuters, some of the contributing factors in the US $80 million theft from the Bangladesh central bank included the use of inexpensive, second-hand routers and the lack of a firewall. In addition, an investigation conducted by BAE Systems suggests the attackers tricked the SWIFT financial software with custom malware.
-http://www.darkreading.com/attacks-breaches/malware-at-root-of-bangladesh-bank-h
eist-lies-to-swift-financial-platform/d/d-id/1325254?
-http://arstechnica.com/security/2016/04/billion-dollar-bangladesh-hack-swift-sof
tware-hacked-no-firewalls-10-switches/
-http://www.scmagazine.com/bangladesh-banking-hack-due-to-swift-vulnerability/art
icle/491854/
-http://www.bbc.com/news/technology-36110421
-http://www.bbc.com/news/technology-36129370
-http://thehill.com/policy/cybersecurity/277489-bangladesh-bank-hackers-exploited
-common-financial-industry-software
-http://baesystemsai.blogspot.de/2016/04/two-bytes-to-951m.htm
[Editor's Note (Liston): For those of us who cut our reverse-engineering teeth on these kinds of things, the malware bypassed an integrity check by creating an in-memory patch of liboradb.dll - overwriting a JNZ check with NOPs. +ORC would be proud:
-http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html]

Cisco Releases Updates to Fix Denial-of-Service Flaws (April 21 and 22, 2016)

Cisco has published five security alerts regarding vulnerabilities in three products that could be exploited to create denial-of-service conditions. The flaws affect Cisco Wireless LAN Controller (WLC) software, Cisco Adaptive Security Appliance (ASA) software, and the Secure Real-Time Transport Protocol (SRTP) library.
-http://www.computerworld.com/article/3060140/security/cisco-fixes-serious-denial
-of-service-flaws.html
-http://www.scmagazine.com/cisco-flags-five-product-vulnerabilities-that-could-tr
igger-denial-of-service/article/491756/
[Editor's Note (Williams): Although these vulnerabilities are mostly rated as DoS, remember that a vendor rated DoS can quickly become a remote code execution (RCE) when the right creative mind gets ahold of it. We saw this last year with MS15-034. It was originally classified as only DoS but was updated to include RCE after exploit code was sold in exploit markets. Patch your systems now to reduce exposure. ]

DHS Wants to Improve Private Company Critical Infrastructure Data Storage (April 20, 2016)

The Department of Homeland Security wants to revamp an outdated system for holding sensitive data from private companies that operate elements of the country's critical infrastructure. The Protected Critical Infrastructure Information Program (PCII) stores security reviews, submitted as paper reports. DHS wants to move "to state-of-the-art technology that operates within a digital environment."
-http://www.nextgov.com/cybersecurity/2016/04/dhs-wants-overhaul-system-storing-s
ensitive-critical-infrastructure-data/127653/
-https://s3.amazonaws.com/public-inspection.federalregister.gov/2016-09186.pdf

Judy Novak's PCAP Riddle Contest - Innovative Solutions Open To All Readers (April 26, 2016)

Five days ago the SANS Institute sent an email to 101k security professionals as a Save the Date for an upcoming conference and to announce a security contest designed by Judy Novak. By April 25 there were four winners, all members of the GIAC Advisory Board. Their solutions are very innovative, each approached the problem differently:
-https://www.linkedin.com/pulse/what-pcap-contest-actually-tells-us-stephen-north
cutt?trk=pulse_spock-articles
-http://securitywa.blogspot.com/2016/04/david-fletcher-boston-2016-pcap-lab.html
-http://www.giac.org/certified-professionals/advisory-board
The PCAP, (network packet storage) file is available on this web page if you want to try some of their techniques:
-https://www.sans.org/event/boston-2016

---

STORM CENTER TECH CORNER

Angler EK Used to Spread CryptXXX
-https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Bedep+and+CryptXXX/20981/

Honeyports Powershell Script
-https://isc.sans.edu/forums/diary/Honeyports+powershell+script/20979/

Online Credit Card Fraud Soars
-http://www.pymnts.com/fraud-prevention/2016/online-fraud-attack-rates-soar-since
-october/

How to Trick Traffic Sensors
-https://securelist.com/blog/research/74454/how-to-trick-traffic-sensors/

Opera VPN Service Analysis
-https://gist.github.com/spaze/558b7c4cd81afa7c857381254ae7bd10
-https://www.helpnetsecurity.com/2016/04/21/opera-browser-free-vpn/

Apple Image IO Denial of Service
-https://www.landaire.net/blog/apple-imageio-denial-of-service/

Text Messages Used to Phish Apple IDs
-http://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-id-password-
expired-expiry-text-website-scam-phishing-a6991126.html

Critical HP Data Protector Patch
-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988

Armada Collection (or imposter) Making Fake DDoS Threats
-https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/