SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #40

May 20, 2016

TOP OF THE NEWS

Federal Procurement Regs Adopt Simple Security Controls
SEC Chair: Cybersecurity is Biggest Risk to Financial Systems
Defense Authorization Bill Would Elevate US Cyber Command to Standalone Unit

THE REST OF THE WEEK'S NEWS

TeslaCrypt Key Released
Drones Drive Up Interest in STEM
Noodles & Company Launches Investigation into Reported Payment Card Breach
Google's Allo Messaging App Will Offer End-to-End Encryption
Prestel Hacking Story Archive Given to UK's National Museum of Computing
Magento Patch
Cisco Patches DoS Vulnerabilities in Adaptive Security Appliances
US Weather Satellite System Experienced Malicious Probes
Symantec Patches AV Engine Flaw
Apple iOS Update Causing Problems for Some iPad Pros
Trial for British Airways DDoS Suspect
Cybersecurity Certification for Teachers

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************ Sponsored By ThreatSTOP *************************

Dont Miss: What Works in Threat Prevention: Detecting and Stopping Attacks more Accurately and Quickly with ThreatSTOP. Thursday, May 26th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with John Pescatore and Ken Compres.
http://www.sans.org/info/186005

***************************************************************************

TRAINING UPDATE

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Security Operations Center Summit (Crystal City, VA)
www.sans.org

Information Security Training Crystal City, VA from SANS Institute.

Cybersecurity training courses in Crystal City

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

- --SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

- --SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

- --SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

- --SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

- --Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Federal Procurement Regs Adopt Simple Security Controls (May 16, 2016)

This week the Federal Acquisition Regulations were updated to focus on basic security hygiene.
-https://www.federalregister.gov/articles/2016/05/16/2016-11001/federal-acquisiti
on-regulation-basic-safeguarding-of-contractor-information-systems
Pescatore blog:
-http://www.sans.org/security-trends/2016/05/19/progress-in-using-the-critical-se
curity-controls-to-sort-out-security-bad-apples
[Editor's Note (Pescatore): The wheels of procurement change turn slowly (I think this effort started in 2012), but on June 15th 2016 the government's Federal Acquisition Regulations will be amended to include requiring any contractor (not vendors selling commercial off the shelf products) handling government information to meet "basic security hygiene" requirements, essentially a subset of the Critical Security Controls. There have been other efforts to include contract language to show compliance with NIST 800-53 or the NIST Cybersecurity framework, but embedding basic security hygiene into the FAR bakes the highest payback areas right into the procurement machinery for all projects and services contracts. ]

SEC Chair: Cybersecurity is Biggest Risk to Financial Systems (May 18, 2016)

US Securities and Exchange Commission (SEC) chair Mary Jo White told the Reuters Financial Regulation Summit that cyberthreats are the greatest risk to financial systems, and that many organizations do not have appropriate measures in place. White notes that the SEC has seen that financial organizations have "a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks."
-http://www.reuters.com/article/us-finance-summit-sec-idUSKCN0Y82K4
-http://www.zdnet.com/article/sec-warns-hackers-are-the-biggest-threat-to-financi
al-system/
-http://www.theregister.co.uk/2016/05/18/sec_warns_cybersecurity_biggest_threat_t
o_financial_system/

Defense Authorization Bill Would Elevate US Cyber Command to Standalone Unit (May 19, 2016)

The US House of Representatives has approved the National Defense Authorization Act (NDAA), which would make the US Cyber Command its own unified command unit, a move the White House opposes. Currently, Cyber Command falls under the purview of Strategic Command, which means that it must seek and receive permission prior to launching cyber operations.
-http://thehill.com/policy/cybersecurity/280491-house-defense-bill-elevates-cyber
-force-defying-white-house
In a related story, Representative Ted Lieu (D-California) proposed an amendment to the NDAA that would prohibit the use of federal funds to put back doors into devices, but House leaders refused to allow it to come to a vote.
-http://thehill.com/policy/cybersecurity/280581-house-dem-hits-gop-for-skipping-c
yber-defense-vote

---

************************** SPONSORED LINKS ********************************
1) In case you missed it: How Aruba leveraged bug bounty hunters to battle test their networking solutions. http://www.sans.org/info/186010

2) A New Perspective on Patch Management. Tuesday, May 24th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Marcelo Pereira and John Pescatore. http://www.sans.org/info/186015

3) What types of CYBER THREATS are driving the IT community to take action?? Tell us in SANS Survey. http://www.sans.org/info/186025
**************************************************************************

---

THE REST OF THE WEEK'S NEWS

TeslaCrypt Key Released (May 19, 2016)

The authors of the TeslaCrypt ransomware have released a master key, which was quickly developed into a universal decryption tool. A researcher at ESET posed as a victim of the malware and asked the developers to release the key. Surprisingly, they agreed and apologized.
-http://www.zdnet.com/article/teslacrypt-no-more-ransomware-master-decryption-key
-released/
-http://www.theregister.co.uk/2016/05/19/white_hats_bake_teslacrypt_master_key_in
to_universal_decryptor/
-http://www.ibtimes.co.uk/teslacrypt-ransomware-shut-down-by-developers-sorry-rut
hless-extortion-campaign-1560942
[Editor's comment (Honan): Let's remember that this is just one family of Ransomware and that there are still a number of other such threats out there. We should not let down our guard just because one Ransomware strain is obsolete. ]

Drones Drive Up Interest in STEM (May 19, 2016)

Robots and drones are attracting students into Science, Technology, Engineering and Mathematics, (STEM) academic disciplines. However, to be truly successful in the cutting edge fields, employees need a diverse skills inventory that support innovative approaches to problem-solving, such as "engineers who have studied art or ... lawyers who know programming."
-http://www.usnews.com/news/stem-solutions/articles/2016-05-19/drones-are-giving-
rise-to-a-new-space-race-and-new-interest-in-stem
[Editor's Note (Northcutt): US News also ran a piece on the 25 best STEM jobs and make the same observation about diverse skill sets. I have noticed that very few applicants to STI (SANS's cybersecurity graduate school) have a computer science or cybersecurity undergrad degree. Most of them changed career paths to become security professionals:
-http://money.usnews.com/careers/best-jobs/rankings/best-stem-jobs
-http://www.sans.edu]

Noodles & Company Launches Investigation into Reported Payment Card Breach (May 19, 2016)

Noodles & Company has hired an outside company to investigate reports that payment cards used at some of its stores were compromised. Sources at several financial institutions informed Brian Krebs of a pattern of fraudulent activity on cards that had been used at Noodles restaurants. The possibly compromised cards were used at Noodles locations starting in January 2016.
-http://krebsonsecurity.com/2016/05/noodles-company-probes-breach-claims/#more-34
851

Google's Allo Messaging App Will Offer End-to-End Encryption (May 18, 2016)

A forthcoming messaging system from Google, called Allo, will offer end-to-end encryption. Google will not be able to access the content of communications sent with Allo. The encryption will not be switched on by default; users will have to deliberately choose "incognito" mode. Google is also releasing a new video calling app called Duo will also offer end-to-end encryption as its default state.
-http://thehill.com/policy/cybersecurity/280422-new-google-messaging-app-to-offer
-optional-end-to-end-encryption
-https://www.wired.com/2016/05/allo-duo-google-finally-encrypts-conversations-end
-end/
[Editor's Note (Murray): Device to device encryption (by default) resists widespread surveillance while only marginally increasing the cost of intelligence collection. However, most messaging is destination device agnostic, where device-to-device encryption does not work. In life and death applications device to device encryption is not a substitute for device agnostic, person to person, or app to app encryption. Unlike Apple's iMessage, Allo "incognito mode" is an option, not on by default, because it would interfere with Google's business model. It is not yet clear how sticky and broad the setting will be. (Williams): With every week bringing a new story about end to end encryption, it's a good time to remind readers that end to end encryption means nothing if attackers control the communication endpoints. Expect sophisticated attackers to move to the endpoints as their eavesdropping capabilities dry up due to end-to-end encryption. Aggressive endpoint monitoring is a key to success here. (Honan): Having encryption off by default is an unwelcome move from Google as many users may assume its turned on by default and hence think they can communicate securely. It also means that users will have to configure the service which in turn could lead to users misconfiguring the service and making it insecure. Services such as these should have their security settings turned on by default. ]

Prestel Hacking Story Archive Given to UK's National Museum of Computing (May 18, 2016)

The UK's National Museum of Computing at Bletchley Park has received a set of documents regarding the mid-1980's attack of online service Prestel that exposed Prince Philip's personal message box.
-http://www.theregister.co.uk/2016/05/18/prince_philip_prestel_hack/

Magento Patch (May 18, 2016)

Earlier this week, Magento released version 2.0.6 of the e-commerce platform. The newest version fixes a flaw that could be exploited to execute PHP code on vulnerable servers.
-http://www.theregister.co.uk/2016/05/18/magento_patches_php_shopper_popper/
-http://www.scmagazine.com/magento-flaw-allowed-hackers-to-execute-code-using-api
s/article/497165/
Magento patches:
-https://magento.com/security/patches/magento-206-security-update
[Editor's Note (Williams): If you are using Magenta, stop reading this and patch now. This vulnerability allows unauthenticated users to execute code on your systems via APIs that are enabled by default on most installation types. Unauthenticated remote code execution is the worstcase scenario for vulnerabilities - all the worse when it is enabled in default installations. ]

Cisco Patches DoS Vulnerabilities in Adaptive Security Appliances (May 18 and 19, 2016)

Cisco has released security updates to fix four flaws in its Adaptive Security Appliances that could be exploited to cause denial-of-service conditions.
-http://www.computerworld.com/article/3072845/security/cisco-patches-high-severit
y-flaws-in-its-web-security-appliance.html
-http://www.theregister.co.uk/2016/05/18/cisco_patches_security_appliance_bugs/
-http://www.scmagazine.com/cisco-patch-blocks-dos-vulnerability/article/497148/

US Weather Satellite System Experienced Malicious Probes (May 18, 2016)

According to a report from the Government Accountability Office's director of IT management issues, the US's weather satellite program was targeted by 10 security incidents over the course of 12 months. The incidents include "hostile probes, improper usage, unauthorized access,
[and ]
password sharing."
-http://www.nextgov.com/cybersecurity/2016/05/audit-finds-hostile-probes-breaches
-commerce-satellite-system/128393/?oref=ng-channelriver

Symantec Patches AV Engine Flaw (May 17, 2016)

Symantec has released an updated version of its Anti-Virus Engine (AVE) to address a buffer overflow flaw that could be exploited to remotely execute code and could lead to a full kernel compromise. The vulnerability, which is simple to exploit, is fixed in Symantec AVE 20151.1.1.4.
-http://www.scmagazine.com/symantecs-anti-virus-engine-updated-flaw-could-cause-b
lue-screen-of-death/article/496853/
-http://www.computerworld.com/article/3071385/security/a-critical-flaw-in-symante
c-antivirus-engine-puts-computers-at-risk-of-easy-hacking.html

Apple iOS Update Causing Problems for Some iPad Pros (May 17 and 18, 2016)

The most recent iOS update, iOS 9.3.2, is reportedly causing problems for some iPads. The update addressed a number of issues, including a distortion problem with Bluetooth calls on iPhone SE, and a dictionary failure problem. Users have reported that the update has made their iPad Pros unusable. Apple is likely to address the issue soon.
-http://www.forbes.com/sites/amitchowdhry/2016/05/18/apple-ios-9-3-2-bug/#d4d5ccb
ecd5a
-http://www.informationweek.com/apple-os-updates-fix-bugs-brick-some-ipads--/a/d-
id/1325554

Trial for British Airways DDoS Suspect (May 17, 2016)

The trial has begun for Paul Dixon, who is accused of launching distributed denial of service (DDoS) attacks against British Airways, the Durham Police, Police Scotland, and video game retailer CeX in October 2014. Dixon has been charged with five counts of unauthorized acts to impair the operation of or access to a computer.
-http://www.mirror.co.uk/news/uk-news/hacker-cost-british-airways-100000-7993002

Cybersecurity Certification for Teachers (May 10, 2016)

The Computer Science Teachers Association (CSTA) is developing a cybersecurity certification program for secondary school teachers. The majority of educators teaching computer science courses do not have computer science degrees. The program covers a variety of topics, including authentication, encryption, penetration testing, and security architecture.
-http://www.techrepublic.com/article/cs-teachers-ramping-up-cybersecurity-educati
on/
[Editor's Note (Williams): Programs like this are critical to properly prepare the future cybersecurity workforce. Even at the university level, far too many teachers don't understand basic computer security - and it shows in their lesson plans. Topics like input sanitization are often missing from programming courses and fundamental understanding of encryption is often non-existent. ]

---

INTERNET STORM CENTER TECH CORNER

Exploit for Recently Patched Cisco IKEv1/v2 Bufferoverflow Published
-https://isc.sans.edu/forums/diary/Exploit+Available+For+Cisco+IKEv1+and+IKEv2+Bu
ffer+Overflow+Vulnerability/21065/

Symantec Antivirus Engine Malformed PE Header Parser Vulnerability
-https://isc.sans.edu/forums/diary/CVE20162208+Symantec+Antivirus+Engine+Malforme
d+PE+Header+Parser+Memory+Access+Violation/21069/

New CryptXXX Decryption Tool From Kaspersky
-https://blog.kaspersky.com/cryptxxx-decryption-20/12091/

More Malware in Google Play Store
-http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware
-on-google-play/

iPadPro Crashes After Updating to iOS 9.3.2
-http://www.macrumors.com/2016/05/17/9-7-inch-ipad-pro-crashing-issues-safari/

New Remote Code Execution in Magento E-Commerce Software
-http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/

Office 365 Risks
-https://www.skyhighnetworks.com/cloud-security-blog/7-charts-reveal-the-meteoric
-rise-of-office-365/

LinkedIn Data Leaked From Past Breach
-https://twitter.com/troyhunt/status/732838759390191617

Google Discontinuing SSLv3/RC4 Support for SMTP
-http://googleappsupdates.blogspot.ro/2016/05/disabling-support-for-sslv3-and-rc4
-for.html

EITest Campaign Still Going Strong
-https://isc.sans.edu/forums/diary/EITest+campaign+still+going+strong/21081/

Android Malware Affecting Google Pay Acceptance
-http://www.theregister.co.uk/2016/05/19/android_pay_analysis/

OS 9.3 Restricts Use Of Fingerprint
-https://www.apple.com/business/docs/iOS_Security_Guide.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/