SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #47

June 14, 2016

TOP OF THE NEWS

North Korean Hack Breached 140,000 South Korean Systems
US Health and Human Services IG to Assess Medical Device Security Monitoring
NSA Could Use Internet-Connected Medical Devices for Surveillance
FAA Panel Agrees on Airliner Cybersecurity Standards

THE REST OF THE WEEK'S NEWS

US House of Representatives Reject Amendment that Would Revive the Office of Technology Assessment
South Korea Says North Korea Stole Fighter Jet Plans
Processor-Level Malware Detection
Necurs Botnet Goes Mysteriously Silent
Zbot Botnet Uses Fast Flux Technique
Mozilla Establishes Secure Open Source Fund
ICS Domain Name Squatting
Senator Proposes Single Cybersecurity IG for Federal Civilian Agencies

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored by AlienVault **************************

Learn how to better equip your incident response team with best practices, procedures, tools and training. Download your copy of The Insider's Guide to Incident Response.
http://www.sans.org/info/186597

***************************************************************************

TRAINING UPDATE

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

--Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2j

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 |Join top leaders for in-depth discussions and advance exercises focused on data breach preparation and response.
http://www.sans.org/u/i2y

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

North Korean Hack Breached 140,000 South Korean Systems (June 13, 2016)

North Korea-based hackers targeted the network management software used by approximately 160 companies and government agencies in South Korea and breached more than 140,000 computers. The attackers allegedly planted malicious software in the systems. The hack, which was intended to lay the ground for an overall massive cyberattack "has been thwarted," according to authorities in Seoul.
-http://www.ibtimes.co.uk/south-korea-thwarted-massive-cyberattack-by-north-targe
ting-140000-government-private-systems-1565107

US Health and Human Services IG to Assess Medical Device Security Monitoring (June 9, 2016)

The US Department of Health and Human Services (HHS) Office of Inspector General's Fiscal Year 2016 Mid-Year Work Plan calls for an assessment of the Food and Drug Administration's (FDA's) review of cybersecurity control on wireless and Internet-connected medical devices. The HHS IG also plans to look into state Medicaid agency and contractor breach notification practices and responses.
-http://www.govinfosecurity.com/monitoring-medical-device-security-to-be-scrutini
zed-a-9189

NSA Could Use Internet-Connected Medical Devices for Surveillance (June 10 and 13, 2016)

NSA Deputy Director Richard Ledgett told an audience at the Defense One Tech Summit in Washington, DC, last week that the agency is examining ways to exploit the Internet of Things (IoT) to conduct covert monitoring. Ledgett said that the NSA is "looking at it sort of theoretically from a research point of view right now," and noted that conducting surveillance through medical devices could be "a tool in the toolbox."
-http://www.computerworld.com/article/3082162/security/nsa-interested-in-exploiti
ng-internet-connected-medical-devices-spying-on-iot.html
-https://theintercept.com/2016/06/10/nsa-looking-to-exploit-internet-of-things-in
cluding-biomedical-devices-official-says/

FAA Panel Agrees on Airliner Cybersecurity Standards (June 12, 2016)

A panel of government and aviation-industry experts reached preliminary agreement on cybersecurity standards for airliners, including cockpit alerts in the event that critical safety systems are hacked. The concern addressed by the panel was described by the chair: "You have to worry about the direct attack, you have to worry about the indirect attack" from ancillary operations.
-http://www.wsj.com/articles/panel-reaches-preliminary-agreement-on-airliner-cybe
rsecurity-standards-1465848030

---

*************************** SPONSORED LINKS *****************************
1) Download the free eBook: Application Control for Dummies: http://www.sans.org/info/186602

2) Don't let a security breach harm customer trust. Learn how to protect your relationships with LifeLock. http://www.sans.org/info/186607

3) MobileIron Mobile Security and Risk Review Research Results. Wednesday, June 15th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with David Schwaartzberg. http://www.sans.org/info/186612
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

US House of Representatives Reject Amendment that Would Revive the Office of Technology Assessment (June 13, 2016)

US legislators voted down a measure that would have reestablished the Office of Technology Assessment. The advisory organization was originally created in 1972 to provide lawmakers with unbiased research and information to inform their legislative actions, but was dismantled in 1995 due to budget cuts.
-https://www.wired.com/2016/06/lawmakers-reject-proposal-wouldve-schooled-tech/

South Korea Says North Korea Stole Fighter Jet Plans (June 13, 2016)

According to South Korean officials, attackers from North Korea stole thousands of defense industry documents, including designs for a US fighter jet. South Korea says that North Korea broke into more than 160,000 computers at 160 companies over a two-year period. The breaches were discovered in February.
-http://thehill.com/policy/cybersecurity/283237-north-korean-hackers-steal-fighte
r-jet-plans-seoul-says
-http://www.reuters.com/article/us-northkorea-southkorea-cyber-idUSKCN0YZ0BE

Processor-Level Malware Detection (June 13, 2016)

Intel and Microsoft have worked together on the development of Control-flow Enforcement technology (CET), which would provide security at the chip level. CET aims to protect computers from attacks that exploit return-oriented programming and jump-oriented computing. These types of attacks "are particularly hard to detect or prevent because the attacker uses existing code running from executable memory in a creative way to change program behavior," according to an blog post by Baiju Patel, director of the platform security architecture and strategy team at Intel's Software and Services group. CET attempts to mitigate this problem with a shadow stack that stores control transfer operations.
-http://www.scmagazineuk.com/intel-looks-at-stopping-hackers-and-malware-at-the-p
rocessor-level/article/502573/
Intel Blog:
-http://blogs.intel.com/evangelists/2016/06/09/intel-release-new-technology-speci
fications-protect-rop-attacks/

Necurs Botnet Goes Mysteriously Silent (June 13, 2016)

The Necurs botnet, which for years has been used to distribute spam and malware, appears to have gone offline, but experts are unable to figure out exactly why. The level of malicious traffic emanating from the Necurs command-and-control network has diminished to nearly nothing.
-http://www.bbc.com/news/technology-36519044

Zbot Botnet Uses Fast Flux Technique (June 12, 2016)

RiskAnalytics has published a report on the Zbot botnet's use of "fast flux" to avoid detection. Fast flux uses the Domain Name System to hide. The technique has been known since at least 2007.
-http://www.eweek.com/security/zbot-botnet-uses-fast-flux-technique-to-avoid-dete
ction.html

Mozilla Establishes Secure Open Source Fund (June 10, 2016)

Mozilla's newly-created Secure Open Source Fund will help pay for open source software security audits. The fund has initial funding of US $500,000 to be used to pay for professional audits to detect problems like the Shellshock and Heartbleed vulnerabilities in open source software. The fund, which is part of the Mozilla Open Source Support (MOSS) program, will also help implement fixes and manage flaw disclosure.
-https://www.helpnetsecurity.com/2016/06/10/mozilla-will-fund-code-audits/
-http://www.computerworld.com/article/3082046/security/new-mozilla-fund-will-pay-
for-security-audits-of-open-source-code.html
-http://www.v3.co.uk/v3-uk/news/2461171/mozilla-foundation-creates-fund-to-improv
e-open-source-security

ICS Domain Name Squatting (June 10, 2016)

Many Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems manufacturers have not taken steps to protect their brands from domain name squatters. Researchers found more than 400 instances of domains with names similar to a number of ICS/SCADA manufacturers. Some of those hosted malware or redirected visitors to other sites.
-http://www.computerworld.com/article/3082060/security/industrial-control-systems
-vendors-get-careless-on-domain-squatting.html
[Editor's Note (Williams): Whether you work in ICS or not, typo squatting can create risk. When you discover typo squatted domains targeting your organization, work with the registrar through your legal team to seize the domain on brand infringement grounds. Most malicious actors never answer and you may be able to control the domain in the equivalent of a default judgment. At a minimum, the registrar will sinkhole the domain and you've made the Internet a safer place for everyone. ]

Senator Proposes Single Cybersecurity IG for Federal Civilian Agencies (June 6, 2016)

In a speech at the Center for Strategic and International Studies (CSIS), Senator Sheldon Whitehouse (D-Rhode Island) said that there should be a single inspector general for cybersecurity for all federal civilian networks. Currently, each agency's inspector general is responsible for cybersecurity audits. Whitehouse said after the speech that he does not believe that such a shift would cause IGs to take their focus off cybersecurity. On the contrary, "They may pick up their game a little if they're worried that the roving inspector" will disclose their security problems. Former National Security Council cybersecurity adviser Ari Schwartz expressed concern that an overarching cybersecurity IG may lack the in-depth knowledge necessary to make the right decisions for each agency.
-https://fcw.com/articles/2016/06/06/whitehouse-ig-civilian-cyber.aspx
[Editor's Note (Northcutt): This could work. Whether you love FISMA or hate it, perhaps the greatest benefit it has is giving a grade. And that grade, given systematically, helps compare one agency to another. A single inspector general would give even more of the comparison. Their methods may not be perfect, but it adds to the preponderance of evidence as to the overall security posture of an agency. ]

---

INTERNET STORM CENTER TECH CORNER

DNS Sinkhole 2.0 Released
-https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Version+20/21153/

Visual C Telemetry Library
-https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_func
tion_calls_to/

Crysis Ransomware
-http://www.eset.com/us/resources/detail/new-ransomware-threat-crysis-lays-claim-
to-teslacrypt-s-former-turf/

Intel Releases ROP Attack Protection
-http://blogs.intel.com/evangelists/2016/06/09/intel-release-new-technology-speci
fications-protect-rop-attacks/

EMC Fixes Data Domain Session ID Disclosure Vulnerability
-https://auscert.org.au/render.html?it=35618

Flocker Ransomware Locks TVs
-http://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomware-cr
osses-smart-tv/

Samsung Updates Software Update Software
-http://seclists.org/fulldisclosure/2016/Jun/21

Lets Encrypt Messes Up Notification E-mail, Leaks Addresses
-https://community.letsencrypt.org/t/email-address-disclosures-preliminary-report
-june-11-2016/16867

ClamAV Fuzzing Finds Bugs in 7z Unpacking Code
-https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create