SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #4
January 15, 2016
ICS insecurity is top of the news in all three stories. The best place
to get more data on the threats, vulnerabilities and countermeasures is
next month's ICS Cyber Summit. Information: http://www.sans.org/u/aBM
TOP OF THE NEWS
20 Countries Lack Cybersecurity Rules for Nuclear FacilitiesUS Nuclear Regulatory Commission Audit Finds Computers Not Adequately Protected
DHS ICS-CERT Director Says Critical Infrastructure ICS Need to be Better Protected
THE REST OF THE WEEK'S NEWS
OpenSSH Flaw FixedFormer CIA and NSA Director Says there's Too Much Secrecy Around Cyberattacks
Cisco Fixes Backdoors in Wi-Fi Access Points
More Bad Ransomware
Survey: Credential Theft, Alert Volumes Top List of Concerns
First Patch Tuesday of 2016 for Microsoft and Adobe
Reminder: Most Versions of IE Now Retired
Easily Exploitable Vulnerability Could Cause Physical Damage to Industrial Motors
STORM CENTER TECH CORNER
STORM CENTER TECH CORNER*********************** Sponsored By Alien Vault ************************
New! Beginner's Guide to Open Source Intrusion Detection Tools:
http://www.sans.org/info/182862
***************************************************************************
TRAINING UPDATE
- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl
- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 4 courses.
http://www.sans.org/u/aBH
- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM
- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj
- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy
Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
20 Countries Lack Cybersecurity Rules for Nuclear Facilities (January 14, 2016)
The Nuclear Threat Initiative has released a report showing that 20 countries that have nuclear plants and/or atomic material have not established rules to protect those facilities from cyberattacks. The study asked whether there were laws or regulations requiring cyber protections at the facilities, and whether cyberattacks are considered in the overall threat assessments of the facilities.-http://www.nytimes.com/2016/01/15/world/nuclear-threat-initiative-cyberattack-st
udy.html
-http://www.nbcnews.com/tech/security/nuclear-facilities-around-world-vulnerable-
cyber-attacks-watchdog-n496661
-http://www.ntiindex.org/behind-the-index/about-the-nti-index/
US Nuclear Regulatory Commission Audit Finds Computers Not Adequately Protected (January 11, 12 and 13, 2016)
According to an audit report from the Office of the Inspector General of the US Nuclear Regulatory Commission (NRC), security contracts related to unclassified nuclear computer systems do not specify who is responsible for protecting them from attacks. The NRC's Security Operations Center (SOC) is not "optimized to protect the agency's network in the current cyber treat environment." The report did not examine classified NRC networks.-http://www.nbcnews.com/news/us-news/nuclear-computers-especially-vulnerable-cybe
rattacks-rise-watchdog-says-n495156
-http://www.scmagazine.com/audit-network-of-us-nuclear-regulatory-commission-not-
optimized-against-cyberthreats/article/464944/
-http://pbadupws.nrc.gov/docs/ML1601/ML16011A319.pdf
DHS ICS-CERT Director Says Critical Infrastructure ICS Need to be Better Protected (January 13, 2016)
The director of the US Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says the number of successful cyberattacks against industrial control systems at critical infrastructure entities is increasing. Marty Edwards said that there are "more and more[attacks ]
that are gaining access to that control system layer," and that he is "dismayed at the accessibility of some of these networks."
-http://thehill.com/policy/cybersecurity/265753-critical-infrastructure-cyberatta
cks-rising-says-us-official
-http://www.theregister.co.uk/2016/01/13/internet_connected_utilities_insecure/
************************** SPONSORED LINKS ********************************
1) Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices. Tuesday, February 09, 2016 at 1:00 PM EST (18:00:00 UTC) with Lee Neely. http://www.sans.org/info/182867
2) Infosec Pros: Are your threat hunting efforts beneficial? Take 2016 Survey & enter to win $400 Amazon Gift Card. Happy New Year!! http://www.sans.org/info/182872
3) What are the most useful APPSEC processes/tools for your org? Take Survey - Enter to Win $400 Amazon Card. http://www.sans.org/info/182877
***************************************************************************
THE REST OF THE WEEK'S NEWS
OpenSSH Flaw Fixed (January 14, 2016)
A serious flaw in the OpenSSH protocol has been fixed. The vulnerability could be exploited to steal sensitive data, including cryptographic keys. The flaw exists in code for a roaming feature in Open SSH versions 5.4 to 7.1. The vulnerability affects the version of OpenSSH used by end users to connect to servers, but not in the version used by the servers themselves.-http://www.eweek.com/security/openssh-flaw-exposes-linux-servers-to-roaming-risk
.html
-http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed
-in-widely-used-openssh/
-http://www.zdnet.com/article/serious-security-flaw-found-in-openssh-puts-private
-keys-at-risk/
Advisory:
-http://www.openssh.com/txt/release-7.1p2
[Editor's Note (Murray): The vulnerabilities in SSH that are being exploited are weak, default, and shared passwords. Please fix those first. ]
Former CIA and NSA Director Says there's Too Much Secrecy Around Cyberattacks (January 13 and 14, 2016)
Former National Security Agency (NSA) and Central Intelligence Agency (CIA) director General Michael Hayden told reporters that private companies and the US government do not acknowledge cyberattacks, which leaves both sectors inadequately prepared to manage the attacks when they do occur. Hayden said that "the government hideously over-classifies it," and that private companies are reluctant to share information about cyberattacks because of concerns that it will have a negative impact on their business.-http://money.cnn.com/2016/01/14/technology/secret-hacks/index.html
-http://www.darkreading.com/attacks-breaches/former-director-of-nsa-and-cia-says-
us-cybersecurity-policy-mia/d/d-id/1323888
[Editor's Note (Murray): The government "hideously" over-classifies everything to the point that, while most things are over-protected, the really sensitive stuff is under protected. (Henry): As the former head of the FBI's Cyber Division, I agree with much of what General Hayden is saying here. The old adage "where you stand depends upon where you sit" is appropriate here. In the government, things were classified to protect "sources and methods." It's what was done, and continues to be routinely done at all the three-letter agencies, and it's necessary when appropriately applied. In THIS space however, computer network exploitation and computer network attack, the risk is too high to withhold information. Additionally, adversary tactics and techniques are so prolific that revealing the intelligence, much of the time, will not seriously jeopardize "sources and methods." The value in sharing this intelligence between the public and private sector, calling out adversaries, and shining a light on this problem, far outweighs the potential pitfalls. I have spoken to many current and former colleagues across the government who agree with this. The challenge is understanding that this domain as different from all the others we've traditionally fought in, and changing the mindset from "we've always done it this way." There needs to be a paradigm shift in the way we share intelligence, and IMHO it starts with how we classify government collection. ]
Cisco Fixes Backdoors in Wi-Fi Access Points (January 13 and 14, 2016)
Cisco has released an advisory warning of hardcoded passwords in the company's Aironet 1800 series Wi-Fi access points. Network administrators are being urged to update affected devices. Cisco has also released updates for vulnerabilities in its Identity Services Engine and Wireless LAN Controller.-http://www.zdnet.com/article/cisco-fixes-wi-fi-access-points-with-hard-coded-bac
kdoor-access/
-http://www.theregister.co.uk/2016/01/13/cisco_admins_gear_up_for_a_late_night/
Aironet 1800 Advisory:
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160113-air
Identity Services Engine Advisories:
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160113-ise
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160113-ise
2 Wireless LAN Controller Advisory:
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160113-wlc
[Editor's Note (Murray): If your WiFi is Cisco based, be sure to read the entire report; the problems are not limited to "Aironet 1000." ]
More Bad Ransomware (January 13, 2016)
A malware variant that renders files unrecoverable, even by the criminal responsible for spreading it, has been detected. The malware is a variant of a proof-of-concept file that has been tweaked so that it encrypts the decryption key, making it virtually impossible for the files to be recovered.-http://www.computerworld.com/article/3021869/security/faulty-ransomware-renders-
files-unrecoverable-even-by-the-attacker.html
Survey: Credential Theft, Alert Volumes Top List of Concerns (January 13, 2016)
A survey from Rapid7 asked nearly 300 security professionals worldwide to list their top security concerns. Ninety percent of respondents said they are worried about compromised credentials; 60 percent said they are unable to detect such attacks. Sixty-two percent of respondents said that their organizations receive more security alerts than they can manage. The 2015 Incident Detection and Response Survey also-http://www.csoonline.com/article/3021875/cyber-attacks-espionage/security-pros-w
orried-about-stolen-credentials-alert-volumes.html
-http://www.eweek.com/security/security-pros-see-compromised-credentials-as-top-c
oncern.html
-http://www.rapid7.com/company/news/press-releases/2016/rapid7-research-study-fin
ds-compromised-credentials-top-concern.jsp
First Patch Tuesday of 2016 for Microsoft and Adobe (January 12 and 13, 2016)
On Tuesday, January 12, Microsoft released nine bulletins to address 24 vulnerabilities in Windows, Office, Edge, Internet Explorer, Silverlight, Visual Basic, and Exchange Server. Adobe also released security updates on Tuesday to fix 17 vulnerabilities in Acrobat and Reader.-http://www.computerworld.com/article/3022153/security/microsoft-fixes-critical-f
laws-in-windows-office-edge-ie-and-other-products.html
-http://krebsonsecurity.com/2016/01/adobe-microsoft-push-reader-windows-fixes/
-http://www.scmagazine.com/adobe-addresses-reader-acrobat-issues-on-patch-tuesday
/article/464666/
-http://www.scmagazine.com/patch-tuesday-microsoft-rings-in-new-year-with-nine-bu
lletins/article/464679/
-https://technet.microsoft.com/library/security/ms16-jan
-https://helpx.adobe.com/security/products/acrobat/apsb16-02.html
-https://isc.sans.edu/forums/diary/January+2016+Microsoft+Patch+Tuesday/20605/
Reminder: Most Versions of IE Now Retired (January 12, 2016)
Microsoft's security updates for January mark the end of support for most versions of Internet Explorer (IE). Only IE 11 will continue to be fully supported. IE 9 will be supported on Windows Vista and Windows Server 2008; IE 10 will still be supported on Windows Server 2012. The January updates also mark the end of Microsoft's support for the original release of Windows 8; users running that OS can upgrade to Windows 8.1 at no cost.-http://www.bbc.com/news/technology-35291938
-http://www.zdnet.com/article/millions-of-internet-explorer-users-face-patch-secu
rity-showdown/
-http://www.zdnet.com/article/windows-users-face-a-dangerous-world-with-end-of-su
pport-for-older-internet-explorer-versions/
[Editor's Note (Northcutt): I have been working on research for safer browsing in the past month. Obviously part of the answer is the browser, but a large part is the web site. Some of the first code that is run on many web sites is how to treat different versions of Internet Explorer. Microsoft may have deprecated IE, but it will be with us for another decade I suspect:
-https://css-tricks.com/how-to-create-an-ie-only-stylesheet/
-https://davidwalsh.name/supporting-internet-explorer
-https://msdn.microsoft.com/en-us/library/ms531076%28v=vs.85%29.aspx]
Easily Exploitable Vulnerability Could Cause Physical Damage to Industrial Motors (January 12, 2016)
A security researcher has found a vulnerability in variable-frequency drives from at least four manufacturers. The drives "are used to set and maintain the electrical frequency fed to ... motors to control their speed." The motors are used to control "fans and pumps in water plants, mining operations, and in heating and air conditioning." The drives require no authentication to be modified; they also have accessible settings that indicate the maximum safe speed for the motors.-http://www.wired.com/2016/01/an-easy-way-for-hackers-to-remotely-burn-industrial
-motors/
STORM CENTER TECH CORNER
FortiGate Backdoor-http://seclists.org/fulldisclosure/2016/Jan/26
Facebook/WhatsApp Voicemail Malware
-https://isc.sans.edu/forums/diary/You+Have+Got+a+New+Audio+Message+Guest+Diary+b
y+Pasquale+Stirparo/20609/
Silverlight Vulnerablity (CVE-2016-0034) Exploited Before Yesterday's Patch
-https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-
the-hunt-for-a-microsoft-silverlight-0-day/
Disconnect Wifi Cameras
-https://julianoliver.com/output/log_2015-12-18_14-39
Latest Exploit Kit News From Brad
-https://isc.sans.edu/forums/diary/CryptoWall+sent+by+Angler+and+Neutrino+exploit
+kits+or+through+malicious+spam/20611/
ffmpeg Vulnerability
-https://bugs.archlinux.org/task/47738
http/2 Fuzzer
-https://yahoo-security.tumblr.com/post/134549767190/attacking-http2-implementati
ons
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at Dark Matter, a security consulting firm in the UAE. He is also a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
