SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #36

May 06, 2016

TOP OF THE NEWS

DHS to Offer Cybersecurity Salary Incentives for New Hires
Critical Flaws in ImageMagick
Serious Flaw Affects Android Devices with Qualcomm Chips

THE REST OF THE WEEK'S NEWS

Cisco Updates TelePresence, FirePOWER, and Adaptive Security Appliance
Apple Updates Xcode Development Tool
Microsoft Security Intelligence Report Includes Cloud Data
OpenSSL Update Fixes Six Security Issues
Locky Command-and-Control Server Breached
Michigan Company Loses US $495,000 to Transfer Fraud
HTTPS Now Available for all Google Blogspot Users
Gozi Malware Creator Sentenced

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

********************* Sponsored By Bracket Computing *********************

GARTNER REPORT DOWNLOAD: COOL VENDORS IN CLOUD INFRASTRUCTURE, 2016: Whether you're building your cloud strategy, or you're already there, you're going to want to learn who Gartner thinks are essential for successful cloud adoption. One of only three Cool Vendors is Bracket Computing and their Cloud Workload Protection Platform. Get the report here.
http://www.sans.org/info/185452

***************************************************************************

TRAINING UPDATE

- --SANS Baltimore Spring 2016 | Baltimore, MD | May 9-14 | 9 courses in IT security, cyber defense, incident handling, security management, and Windows forensics plus multiple SANS@Night talks.
http://www.sans.org/u/gR7

- --SANS Houston 2016 | Houston, TX | May 9-14 | 7 courses including the NEW Network Penetration Testing & Ethical Hacking course.
http://www.sans.org/u/dzE

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- - -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Prague, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

DHS to Offer Cybersecurity Salary Incentives for New Hires (May 3, 2016)

The US Department of Homeland Security (DHS) is expanding a program that offers bonus pay to attract talented cybersecurity employees to government positions, which traditionally pay less than private industry. The bonus program was piloted at the DHS's National Protection and Programs Directorate (NPPD) and will now be available to "the rest of its headquartered elements."
-http://federalnewsradio.com/cybersecurity/2016/05/dhs-sweetens-cyber-workforce-r
ecruiting-new-bonuses/
[Editor's Note (Henry): The salary incentives offered here by DHS are valuable, in principle, but they need to be administered in a way that is both effective and consistent. I've seen similar government programs where people are put into a certain category because they've got the proper "credentials" check mark, but not necessarily the required experience or skillset. This has the potential to create a division in the ranks, whereby those who are already doing the job successfully but don't have the requisite accreditation are underpaid, while those brought in because they fit the bill on paper, but don't always have the full capabilities as others are more highly compensated. Certifications are a good start, but incenting employees based on actual skills, real-world experience, technical prowess and successful results is critically important. (Paller): Echoing Shawn Henry's remarks (recalling that he ran the cyber division at the FBI where technical skills' excellence mattered), DHS's bonus program will be a grave error if the certifications it uses measure the ability to talk about security rather than the hands-on skills needed to fix the problems or show organizations how to fix them. DHS has a history of misusing cybersecurity hiring authorities to hire general purpose IT people. If DHS misuses this new authority to reward people who can admire the problems but don't have the skills to correct the problems, Secretary Johnson should be called before Chairman Issa's Committee for an even tougher grilling than the one given to the OPM chief after the breach that hit her agency. (Pescatore): When I graduated college with an Electrical Engineering degree, NSA had salary incentives for EEs. The 25% increase made the grade 7 salary competitive with private industry back then. But, as this article notes, DHS really needs to look at why their turnover seems to be so high. Keeping good security people is probably more critical than hiring new college grads and giving them on the job training just to see them go to other agencies or private industry. ]

Critical Flaws in ImageMagick (May 4, 2016)

Critical vulnerabilities in the widely used ImageMagick image-processing library could be exploited to execute code hidden in malicious images. A proof-of-concept exploit has been released, but there are currently no patches available. ImageMagick developers have recommended using a policy-based mitigation until a fix is released.
-http://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number
-of-sites-to-code-execution-attacks/
-http://www.zdnet.com/article/imagemagick-vulnerability-exposes-countless-website
s-to-exploit/
-http://www.computerworld.com/article/3065854/security/critical-flaws-in-imagemag
ick-library-expose-websites-to-hacking.html
ImageMagick Policy Mitigation Information:
-https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
[Editor's Note (Liston): These vulnerabilities allow four different types of remote exploitation: code execution, file deletion, file moving, and file content disclosure. Looking at the code, ImageMagick is really just a set of command-line tools and the various "libraries" are, essentially, wrappers for running the command-line stuff. Expect that there will be many more vulnerabilities discovered in ImageMagick now that it has garnered so much attention. (Williams): The challenge with this vulnerability will be locating all of the impacted applications. ImageMagik is usually installed on the system as part of another application to provide library support rather than as a standalone application. System owners, particularly those with Internet facing web applications, should contact their vendors and ask if they are vulnerable. If so, schedules for patch release and any mitigation steps should be discussed. (Ullrich): If your web sites processes images, you are likely vulnerable. This is a "must patch" vulnerability. Luckily, there is a workaround that you can apply by adjusting configuration files for ImageMagick. ]

Serious Flaw Affects Android Devices with Qualcomm Chips (May 5, 2016)

A vulnerability in Android devices with Qualcomm chips could be exploited to expose users' data. The flaw was introduced five years ago in a set of APIs for Qualcomm's "network_manager" system service. While Qualcomm has released fixes and notified customers, the original equipment manufacturers must release patches, which means that many devices will not be patched.
-http://arstechnica.com/security/2016/05/5-year-old-android-vulnerability-exposes
-texts-and-call-histories/
-http://www.zdnet.com/article/qualcomm-security-flaw-impacts-android-devices-proj
ect-apis/
-http://www.scmagazine.com/lingering-android-flaw-exposes-sms/article/494635/

---

************************** SPONSORED LINKS ********************************
1) How Aruba Leveraged Bug Bounty Hunters to Battle Test their Networking Solutions. Thursday, May 12, 2016 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore, Leif Dreizler, and Jon Green. http://www.sans.org/info/185457

2) LIVE WEBCAST: Next-Gen Now: Outsmarting ransomware, rootkits, and zero-day attacks. Register today! https://attendee.gotowebinar.com/register/2836320359312459524?source=SANS

3) Who's Using Cyberthreat Intel & How? Take Survey for Chance to Win a $400 Gift Card or Summit Pass!!! http://www.sans.org/info/185462
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cisco Updates TelePresence, FirePOWER, and Adaptive Security Appliance (May 5, 2016)

Cisco Systems has released a fix for a critical flaw affecting its TelePresence videoconference systems. Cisco also released fixes for vulnerabilities in FirePOWER and Adaptive Security Appliance devices. The TelePresence update addresses a flaw that could be exploited to allow remote code execution. The FirePOWER and Adaptive Security Appliance updates address flaws that could be exploited to trigger denial-of-service conditions that crash the devices.
-http://www.computerworld.com/article/3066692/security/cisco-patch-stops-attacker
s-from-taking-over-telepresence-systems.html
-http://www.theregister.co.uk/2016/05/04/cisco_trio_of_flaws/

Apple Updates Xcode Development Tool (May 5, 2016)

Apple has updated its Xcode git implementation to address a pair of critical flaws that could be exploited to allow remote code execution. The update for OS X El Capitan v10.11 and later is Xcode version 7.3.1.
-http://www.zdnet.com/article/apple-patches-xcode-fixes-severe-vulnerabilities/
-http://www.computerworld.com/article/3065987/security/apple-patches-vulnerable-o
s-x-git-version.html
[Editor's Note: (Ullrich) Very much overdue. This vulnerability has been known for several months. Apple keeps delaying these updates to open source software it includes. ]

Microsoft Security Intelligence Report Includes Cloud Data (May 5, 2016)

According to Microsoft's most recent Security Intelligence Report, cybercriminals are becoming faster and more efficient at launching attacks. However, the number of ways they use to compromise computers has not grown much. The report, which covers the second half of the 2015 calendar year, also notes that "high severity vulnerability disclosures were up more than 40%." This iteration of the report marks the first time Microsoft has incorporated security data from its cloud services.
-http://www.reuters.com/article/us-microsoft-cybersecurity-idUSKCN0XW154
-http://www.darkreading.com/endpoint/microsoft-windows-malware-up-stuxnet-shell-a
ttack-most-popular/d/d-id/1325393?
-http://www.infosecurity-magazine.com/news-features/microsofts-machine-learning/
-http://thehill.com/policy/cybersecurity/278823-microsoft-hackers-getting-faster-
more-targeted
-http://arstechnica.com/information-technology/2016/05/microsoft-blocked-4-billio
n-malicious-login-attempts-in-2015/
Microsoft Security Intelligence Report:
-https://www.microsoft.com/security/sir/default.aspx
[Editor's Note (Pescatore): I've been reading Microsoft's SIR reports for close to 10 years now and there is always great data, once you get past the increasing amount of "Here's how Microsoft software (and now cloud services) protects you against attacks against vulnerabilities in Microsoft software...") Two consistent observations I make: (1) For the past several years, the most commonly exploited Windows vulnerabilities have had patches that came out in 2009 and 2010, pointing out old versions of IE still in use and/or just really, really bad patching.; and (2) if Windows had an App Store or Google-play like mechanism built in like the iOS and Android whitelist feature, most of the data would go away because 99% of the malware wouldn't have had any impact. (Murray): No new attack vectors are needed. As long as "Social Engineering," bait attacks, particularly "phishing," continue to work so well, no new methods are needed. It used to be that bait appealed to the "Seven Deadly Sins," but curiosity and familiarity seem to work even better. That said, yesterday I got an e-mail that combined curiosity with fear of the IRS. ]

OpenSSL Update Fixes Six Security Issues (May 3 and 5, 2016)

The OpenSSL project has released an update that patches six vulnerabilities in the open-source cryptographic library. Two of the flaws are rated critical; one could be exploited to decrypt login credentials, the other to execute malicious code. The updated versions of OpenSSL are 1.0.1t and 1.0.2h.
-https://isc.sans.edu/forums/diary/OpenSSL+Updates/21015/
-http://www.eweek.com/security/openssl-patches-six-vulnerabilities.html
-http://arstechnica.com/security/2016/05/aging-and-bloated-openssl-is-purged-of-2
-high-severity-bugs/
[Editor's Note (Murray): "Open Source" is failing to produce the improvement in quality promised by its proponents. Developers continue to incorporate code without inspecting it or determining its quality or suitability for their application. In complex areas like cryptography or even mathematical functions, they may not be competent to judge. We need research into and documentation of "strength of (software engineering) materials." ]

Locky Command-and-Control Server Breached (May 5, 2016)

Someone gained access to a command and control (C&C) server for Locky ransomware and exchanged the malicious payload for a benign file that displays the message, "Stupid Locky." Earlier this year, a Dridex C&C server was similarly compromised.
-http://www.darkreading.com/endpoint/stupid-locky-network-breached/d/d-id/1325421
?
-http://www.theregister.co.uk/2016/05/05/locky_ramsomware_network_hacked/
[Editor's Note (Honan): While some may welcome this type of "vigilante" approach, we need to be wary that C&C servers can hold very valuable intel and information for Law Enforcement Agencies. Compromising such systems could in turn compromise potential evidence that LEA may require to charge a suspect or such a compromise could disrupt a LEA led operation against those behind the C&C. ]

Michigan Company Loses US $495,000 to Transfer Fraud (May 3 and 5, 2016)

A Troy, Michigan investment company recently lost US $495,000 to email fraud. An employee at Pomeroy Investment Corp. received an email that appeared to be from another employee, directing them to transfer the funds to a bank in Hong Kong. The company did not realize that the transfer request was fraudulent until days later.
-http://www.detroitnews.com/story/news/local/oakland-county/2016/05/03/troy-inves
tment-company-hacked/83879240/
-http://www.scmagazine.com/spearphishing-attack-nets-495k-from-investment-firm/ar
ticle/494645/
[Editor's Note: (Ullrich): This is a pretty modest sum compared to other business e-mail compromises. In particular if your business uses web based / cloud based email systems like Office365, simple phishing is usually used to obtain email credentials, and these services should be used only with two factor authentication. ]

HTTPS Now Available for all Google Blogspot Users (May 4, 2016)

All blogs hosted on Google's blogspot.com can now be accessed over an HTTPS connection. Google began offering users the HTTPS option in September, and recently made an HTTPS version of the blogs available to all users, who may choose to have readers redirected to the HTTPS version automatically.
-https://isc.sans.edu/forums/diary/ImageTragick+Another+Vulnerability+Another+Nic
kname/21023/
-http://www.computerworld.com/article/3065359/security/google-turns-on-https-for-
all-blogspot-blogs.html
-http://www.cnet.com/news/google-secures-all-blogspot-posts-with-move-to-https/
-https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
-http://www.openwall.com/lists/oss-security/2016/05/03/18

Gozi Malware Creator Sentenced (May 4, 2016)

Nikita Kuzmin, the man who is believed to be the developer behind the Gozi malware, has been sentenced to time served, 37 months, and ordered to pay nearly US $7 million in damages. Gozi spread through maliciously crafted .pdf documents that arrived as email attachments. Gozi harvested online bank account access credentials. One other person associated with Gozi has been sentenced, and another has been arrested in Romania and is awaiting extradition to the US.
-http://www.zdnet.com/article/gozi-virus-mastermind-ordered-to-pay-7-million-in-d
amages/
-https://www.justice.gov/usao-sdny/pr/nikita-kuzmin-creator-gozi-virus-sentenced-
manhattan-federal-court

---

INTERNET STORM CENTER TECH CORNER

Gerber Exploit Kit Installed By Neutrino EK
-https://isc.sans.edu/forums/diary/Neutrino+exploit+kit+sends+Cerber+ransomware/2
1017/

Microsoft Will No Longer Consider SHA-1 Certificates As Secure
-https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/

Malicious Ads Seens On CBS TV Stations
-https://blog.malwarebytes.org/threat-analysis/2016/05/cbs-affiliated-television-
stations-expose-visitors-to-angler-exploit-kit/

Fake DDoS Threats Continue
-http://www.actionfraud.police.uk/news/online-extortion-demands-affecting-busines
ses-apr16/

Cracking PeopleSoft PS_TOKEN with oclHashcat
-http://blog.gosecure.ca/2016/05/04/oracle-peoplesoft-still-a-threat-for-enterpri
ses/

Large Number of Credentials Offered For Sale
-http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6

Alphalocker: Affordable Ransom Ware
-https://blog.cylance.com/an-introduction-to-alphalocker

JAKU Botnet
-https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analy
sis_of_botnet_campaign_en_0.pdf

Juniper Update
-http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734&cat=SIRT
_1&actp=LIST

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/