SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #45

June 07, 2016

TOP OF THE NEWS

Senate Defense Bill Does Not Currently Include Cyber Command Elevation Provision
Angler Exploit Kit Now Evades EMET
SWIFT May Ban Banks Without Strong Cybersecurity

THE REST OF THE WEEK'S NEWS

Google Releases June Android Security Update
Bill Proposes Studying Replacing Grid Systems with Older Technology
Air Gapping SCADA Systems Will Not Work
Bing Malware Warnings Get More Specific
Charges Underscore Problems with CFAA
Possible Payment Card Breach at CiCi's Pizza
Legislators Investigating Federal Reserve Security
Microsoft Unveils Office 365 Threat Detection

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*************************** Sponsored By RSA *****************************

Try RSA's Endpoint Security Solution Free for 30 Days. Detect and block targeted, previously unknown endpoint threats with precision. See for yourself with a 30 day free trial.
Sign up: http://www.sans.org/info/186422

***************************************************************************

TRAINING UPDATE

--SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

--Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2j

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI
***************************************************************************

---

TOP OF THE NEWS

Senate Defense Bill Does Not Currently Include Cyber Command Elevation Provision (June 6, 2016)

The issue of the authority of the Pentagon's Cyber Command unit is notably absent from the US Senate's annual defense bill. The House's version of the bill would elevate Cyber Command to a standalone entity within the military. Although the Senate's version of the bill does not currently provide for the same change, there are Senate members who want to see it added. The Cyber Command is currently under the aegis of US Strategic Command and must obtain permission before conducting operations. The White House opposes the change.
-http://thehill.com/policy/cybersecurity/282133-week-ahead-lawmakers-divided-over
-pentagons-cyber-unit
[Editor's Note (Murray): Hopefully, this can be remedied in the conference committee. To understand why this is necessary see the remarks of the Chairman and Ranking Member of the Senate Armed Services at
-https://youtu.be/Q4jQ4gjDE50
The present arrangement is not working. ]

Angler Exploit Kit Now Evades EMET (June 6, 2016)

The Angler Exploit Kit has added features that allow it to evade detection by Microsoft's Enhanced Mitigation Experience Toolkit (EMET). FireEye has detected exploits that target flaws in Silverlight and Adobe Flash Player specifically designed to remain undetected by EMET features.
-http://www.scmagazine.com/fireeye-finds-angler-evading-microsoft-emet-on-windows
-7/article/501244/
-http://www.computerworld.com/article/3079826/security/widespread-exploits-evade-
protections-enforced-by-microsoft-emet.html
FireEye Blog:
-https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
[Editor's Note (Murray): This can be fixed. However, the real problem with EMET is not that it is not perfect but that it is not enabled. Without really knowing, administrators fear that EMET might break ill-behaved legacy applications. Instead of identifying and fixing or replacing these applications, they tolerate the class of vulnerabilities that EMET addresses and put their enterprise and their neighbors at risk. (Nice people do not connect weak systems to the Internet.) It is time that, if not mandatory, EMET at least be enabled by default. (Williams): Stories like this are problematic in that they diminish confidence in exploit mitigations like EMET. But the reality is that EMET Is *highly* effective at raising the bar for exploit developers. Organizations that have not deployed EMET should definitely consider doing so post haste. Export Address Filtering (EAF) is particularly effective at disrupting shellcode. ]

SWIFT May Ban Banks Without Strong Cybersecurity (June 3, 2016)

The head of SWIFT says that banks without adequate cybersecurity measures in place could find themselves suspended from using the SWIFT financial transfer communication network. The announcement follows a series of fraudulent transactions made through the SWIFT system, including the US $81 million theft from the Bangladesh Central Bank.
-http://thehill.com/policy/cybersecurity/282114-transactions-network-threatens-to
-cut-off-insecure-banks
-http://www.theregister.co.uk/2016/06/03/swift_threatens_insecure_bank_suspension
s/
[Editor's Note (Pescatore): I wish I could applaud this, but SWIFT has only said it "might consider banning member banks that do not adequately address security concerns" vs announcing any hard plans, and the public information about SWIFT's plans for a Customer Security Programme makes it sound like very PCI-like, not a good thing. It would be nice to see some near term "basic security hygiene" spot checks resulting in temporary disconnection to convince CEOs and directors at member banks that this is something stronger than "might consider someday" business penalty. (Williams): Removing a bank from SWIFT would require a more manual (and hence more error prone) process to transfer money to and from that institution. ]

---

*************************** SPONSORED LINKS *****************************
1) Download the free eBook: Application Control for Dummies: http://www.sans.org/info/186427

2) The Case for PIM/PAM in Todays Infosec. Tuesday, June 14th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins and Ken Ammon. http://www.sans.org/info/186432

3) MobileIron Mobile Security and Risk Review Research Results. Wednesday, June 15th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with David Schwaartzberg. http://www.sans.org/info/186437
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google Releases June Android Security Update (June 6, 2016)

Google has released the June security update for its Android mobile operating system. The update includes eight critical fixes, and 28 fixes for flaws deemed high severity. While Google updates its Nexus devices immediately, some Android partners deploy the updates less quickly. Android partners were notified of the security issues on May 2. Google releases the monthly updates on the first Monday of each month.
-http://www.zdnet.com/article/android-security-googles-june-update-splats-dozens-
of-critical-high-severity-bugs/
-http://www.computerworld.com/article/3079841/security/android-gets-patches-for-m
ajor-flaws-in-hardware-drivers-and-media-server.html
-http://www.theregister.co.uk/2016/06/06/android_patches/

Bill Proposes Studying Replacing Grid Systems with Older Technology (June 6, 2016)

US Senators have introduced legislation that proposes a two-year study regarding the (feasibility of) replacing modern systems at power grid stations with older technology to help protect them. One of the bill's sponsors said, "Our legislation would reengineer the last-mile of the energy grid to isolate its most important systems, and in doing so, help defend it from a devastating blow."
-http://thehill.com/policy/energy-environment/282364-senate-bill-would-encourage-
retro-grid-security-approach
[Editor's Note (Williams): This is a myopic approach to security. Instead of investing in controls to secure and monitor existing automation technology, this study suggests removing it entirely. It would be wise to remember that we invested in automation technology at least partially because those qualified and willing to man out stations are in short supply and are expensive when they can be found. However, as the Ukraine attacks showed late last year, manual backups to digitally controlled switching gear is absolutely essential (while missing from many US substations today). ]

Air Gapping SCADA Systems Will Not Work (June 3, 2016)

Supervisory Control and Data Acquisition (SCADA) technology pioneer Faizel Lakhani says that air-gapping SCADA systems will not protect them from cyberthreats. "Most SCADA systems are theoretically air gapped but not really disconnected from the network," and noted that "power control systems were never designed with security in mind."
-http://www.theregister.co.uk/2016/06/03/airgaps_scada_systems_wont_prevent_attac
ks/
[Editor's Note (Assante): The automation train has left the station and it is providing incredible benefits. We are failing to change engineering assumptions and invest in developing credible defenses. Working over 15 years in this space taught me long ago that there is no such thing as an inaccessible air gapped system; the people who believe in those gaps as a defense are ripe targets. (Pescatore): If you don't know how to safely operate a chain saw, you are much, much safer using a handsaw. However, you won't get many trees cut and trees will still fall on your head. All systems (at least those running software) claiming "air gaps" always have had, and always will have, sneaker-net paths around them, as Conficker proved. Basic security hygiene in place to secure the technology the business needs is more effective and more efficient overall than attempts at isolation. (Murray): While SCADA systems have introduced some vulnerability into the very sensitive "power control systems," that is not their only application. It is true "that power control systems were never designed with (cyber) security in mind." Rather, they were designed with power reliability in mind. Power engineers believe, not without good cause, that system reliability depends upon their ability to manage load and respond to routine component failures and have designed accordingly. They have created a very reliable and resilient system where outages are rare and short. While both can be addressed by better design, their ability to manage the system will always trump the ability of the system to resist malicious attack. ]

Bing Malware Warnings Get More Specific (June 4 and 6, 2016)

Microsoft is increasing the depth of feedback it provides when users visit suspicious websites through the Bing search engine. Bing previously warned users when they attempted to visit a website that posed a threat; Bing now provides more detailed information about the type of threat the site is likely to contain. For example, Bing will differentiate between sites that pose a threat simply by visiting them and sites that contain links to "malicious binaries." The change also helps webmasters understand why their sites are flagged, so they can address the problems more quickly. The Bing Webmaster tool provides information webmasters can use to identify malicious links on their sites.
-http://www.eweek.com/security/bings-malware-warnings-get-more-specific.html
-http://www.theregister.co.uk/2016/06/06/redmond_adds_malware_phish_warnings_to_b
ing/

Charges Underscore Problems with CFAA (June 3, 2016)

An IT Administrator in Texas is facing felony charges under the Computer Fraud and Abuse Act (CFAA) for deleting files prior to leaving a position at ClickMotive. Michael Thomas was charged with "unauthorized damages," a rarely used provision of the CFAA; he faces a prison sentence of up to 10 years and a fine of as much as US $250,000. While Thomas's actions may have exhibited poor judgment, Electronic Frontier Foundation (EFF) senior staff attorney Nate Cardozo called the idea of a prison sentence for his actions "insane," saying that Thomas "should be held accountable with civil law, and he should pay a price in money if what he did cost money."
-https://www.wired.com/2016/06/admin-faces-felony-deleting-files-flawed-hacking-l
aw/
[Editor's Note (Northcutt): A number of articles call the CFAA flawed, but they all seem to be copying each other. If he had destroyed the files by taking a sledge hammer to company's disk drives would that feel more like a felony? There is more to the story though, we will need to follow this one. ClickMotive originally sued him and then dropped it. He turned down a plea bargain, then fled to Brazil. This is the provision of the CFAA he is charged with, "(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;" (page 36 of the Justice Department document below):
-https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccm
anual.pdf]

Possible Payment Card Breach at CiCi's Pizza (June 3, 2016)

KrebsonSecurity has received several inquiries from financial institutions about the possibility of a payment card security breach at CiCi's Pizza. The alleged breach appears to have been perpetrated by people pretending to be technical support specialists for the company's point-of-sale provider.
-http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/
[Editor's Note (Murray): Krebs has become an important and useful part of our early warning system for merchant system breaches. That said, a system that depends for its integrity on the effective security of hundreds of thousands of unskilled merchants is broken. The retail payment system will remain vulnerable as long as the brands and issuers continue to publish credit card numbers in the clear on magnetic stripes and accept them online and at ATMs. Shaming and punishing victim merchants will not fix this. We continue to do this only for reasons of backwards compatibility. It is time for the Industry to publish a plan and a schedule for eliminating magnetic stripes. Think cardless, contactless, and (credit card) numberless. Think Apple Pay, Android Pay, Samsung Pay, etc. Even EMV chip cards would work if they did not also have magnetic stripes on them. ]

Legislators Investigating Federal Reserve Security (June 2 and 3, 2016)

The US House Technology Committee has launched an investigation into the Federal Reserve Bank's cybersecurity following revelations in a recent report that "raise
[s ]
serious concerns about the Federal Reserve's cybersecurity posture, including its ability to prevent threats from compromising highly sensitive financial information."
-http://thehill.com/policy/cybersecurity/282151-house-panel-worried-about-cyber-a
ttacks-on-the-fed
-http://www.scmagazine.com/swift-hack-spurs-house-committee-to-investigate-ny-fed
-over-80m-cybertheft/article/500563/

Microsoft Unveils Office 365 Threat Detection (June 2, 2016)

Microsoft has launched Office365 Advanced Security Management. The suite of tools is available to Office administrators Office365 Enterprise customers. Advanced Security Management allows administrators to set up anomaly detection policies. It also offers behavioral analytics.
-http://www.eweek.com/security/microsoft-enables-threat-detection-in-office-365.h
tml
[Editor's Note (Pescatore): These tools are priced at $3/user/month and only work for Office365. If you are one of the few enterprise/agencies out there using only this one cloud service, not a bad price. But, like one termite, it is rare to see only one cloud service in use - compare against cloud security tools that work across multiple cloud services. Another thing: if you are using only Office365, for about half the price of ASM, you can buy Multi-factor Authentication licenses for your Office365 users and raise the bar against phishing attacks, the dominant form of cloud service breaches. ]

---

INTERNET STORM CENTER TECH CORNER

A Recent MySQL Honeypot Compromise
-https://isc.sans.edu/forums/diary/MySQL+is+YourSQL/21117/

Team Viewer Improves Security
-http://www.teamviewer.com/en/company/press/teamviewer-launches-trusted-devices-a
nd-data-integrity/

Black Shades Ransomware
-http://www.bleepingcomputer.com/news/security/black-shades-ransomware-encrypts-y
our-pc-and-taunts-security-researchers/

NTP Update
-http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

LinkedIn Data Used to Personalize Malicious E-Mail
-https://twitter.com/certbund/status/739824856011804676?ref_src=twsrc%5Etfw

Mitsubishi Outlander Wifi Hack
-https://www.pentestpartners.com/blog/hacking-the-mitsubishi-outlander-phev-hybri
d-suv/

Using NTP to Calibrate Time Stamps in PCAP
-https://isc.sans.edu/forums/diary/What+Time+Is+It+Using+NTP+Traffic+to+Calibrate
+PCAP+Timestamps/21135/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create