SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #48

June 17, 2016

FLASH: Amazing! The leader of most skilled people at NSA who carry out nation-state attacks (Rob Joyce of TAO) shared the techniques his team would use to stop nation-state attackers like themselves, in a briefing that was recorded and is a 35-minute YouTube video at https://www.youtube.com/watch?v=bDJb8WOJYdA.
This is the most authoritative talk on offense informing defense I have ever seen. It is FLASH status because it's useful enough that someone may try to remove it from YouTube thinking it gives away too much. It doesn't do that. What it does do is provide the best evidence yet explaining why the CIS Critical Security Controls (https://www.sans.org/critical-security-controls) and very specific guides on how to implement those controls are the best (only) way to make NIST or ISO frameworks and guidance useful in organizations that take security seriously. Excerpt: "I am going to use best practices for exploitation; are you going to use best practices for defense? It comes down to that."
Alan

---

TOP OF THE NEWS

Pentagon's Bug Bounty Contest
US Defense Department Will Eliminate Common Access Cards for Network Access
Siemens Releases Update for Weak Credentials Issue in ICS Equipment

THE REST OF THE WEEK'S NEWS

Flaws in Cisco Wireless VPN devices
GitHub Resets Some User Passwords
Verizon Fixes Flaw in eMail System
Man With Links to Terrorist Group Pleads Guilty to Stealing Data and Providing Material Support
SAP Patches 21 Flaws
Adobe Flash Update Fixes 36 Flaws
Air Force Data Corrupted, Recovered
Microsoft's Patch Tuesday

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

********************** Sponsored by Sophos Inc. *************************

Make a Clean Break from Symantec: Find out why companies are leaving Symantec for a more innovative next-gen endpoint protection. Simple onboarding, lower risks and higher rewards. The switch couldn't be easier. Learn More:
http://www.sans.org/info/186617

***************************************************************************

TRAINING UPDATE

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2j

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | Join top leaders for in-depth discussions and advance exercises focused on data breach preparation and response.
http://www.sans.org/u/i2y

--SANS Alaska | August 22-27, 2016 | Anchorage, AK | Take SEC504: Hacker Tools, Techniques, Exploits and Incident Handling or ICS410: ICS/SCADA Security Essentials and attend SANS@Night bonus sessions delivered by the SANS ICS team. http://www.sans.org/u/iHj

--Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Pentagon's Bug Bounty Contest (June 15, 2016)

More than 1,400 applied to take part in the US Department of Defense's (DoD's) first bug bounty program, Hack the Pentagon, which took place over a 24-day period earlier this spring. Defense Secretary Ash Carter said that the participants found more than 100 security issues.
-http://www.eweek.com/security/pentagon-bug-bounty-contest-uncovers-at-least-100-
vulnerabilities.html
[Editor's Note (Pescatore): Once again, a well managed "bug bounty" program is raising the bar for application vulnerability testing engagements. For a $150K traditional engagement, all too often the deliverable was mostly a boilerplate document with the results of a commercially available app vulnerability testing tool cut and pasted in, and a few pages of custom text. Conversely, badly managed bug bounty programs are likely to be worse than badly performed traditional engagements - choosing a quality supplier is still the key. ]

US Defense Department Will Eliminate Common Access Cards for Network Access (June 14 and 15, 2016)

US Department of Defense (DoD) CIO Terry Halvorsen says the DoD plans to phase out the Common Access Card (CAC) over the next two years. Halvorsen said that the "cards are not agile enough to do what we want," and that access to IT systems will use multi-factor authentication that will likely include behavioral and biometric components. The CAC could still be used for building access.
-http://federalnewsradio.com/defense/2016/06/dod-plans-bring-cac-cards-end/
-http://fedscoop.com/dod-plans-to-eliminate-login-with-cac-cards
-http://www.nextgov.com/defense/2016/06/dod-plans-eliminate-common-access-cards/1
29102/?oref=ng-channelriver
[Editor's Note (Northcutt): Dumping and phase out are unfortunate word choices. The idea is to upgrade one of the most successful PKI implementations from two-factor to multi-factor and to do it across the "5Is" allies. I understand the biometric component, I had a fingerprint reader on my laptop five years ago. Behavioral, while very interesting, is still in its infancy and will not be ready for prime time in two years and maybe never; you do not behave the same when you are first settling down to your workstation in the morning with a cup of coffee as you do when mortar shells are dropping in on your position:
-http://www.isy.vcu.edu/~gdhillon/Old2/secconf/pdfs/22.pdf]

Siemens Releases Update for Weak Credentials Issue in ICS Equipment (June 16, 2016)

The US Computer Emergency Response Team (US-CERT) has published an advisory warning of weak credentials in Siemens SIMATIC WinCC flexible industrial control system (ICS). Siemens has released an update to address the issue.
-http://www.theregister.co.uk/2016/06/16/dodgy_creds_found_in_siemens_ics_gear/
-http://www.scmagazineuk.com/siemens-update-advised-following-us-cert-advisory/ar
ticle/503492/
US-CERT Advisory:
-https://ics-cert.us-cert.gov/advisories/ICSA-16-161-02

---

*************************** SPONSORED LINKS *****************************
1) Malware Analysis and Adversary Infrastructutre Mapping: A One-Two Punch. Monday, June 20th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Alissa Torres and Tim Helming. http://www.sans.org/info/186622

2) Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey. Tuesday, June 21st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins, Benjamin Wright, David Bradford and Julian Waits. http://www.sans.org/info/186627

3) Dealing With Threats Before They Cause Business Damage: How to Successfully Detect Attacks Earlier in the Attack Lifecycle. Tuesday, July 12th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) Lotem Guy and John Pescatore. http://www.sans.org/info/186632
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Flaws in Cisco Wireless VPN devices (June 16, 2016)

A zero-day vulnerability in some Cisco RV series products could be exploited to take control of the devices remotely. The affected devices are the Cisco RV110W Wireless-N VPN Firewall; RV130W Wireless-N Multifunction VPN Router; and RV215W Wireless-N VPN Router. The exploit is relatively simple if the devices are configured for remote management. Cisco has issued a security advisory; there are currently no fixes or workarounds.
-http://www.computerworld.com/article/3085067/security/flaws-open-cisco-small-bus
iness-routers-firewalls-to-hacking.html
-http://www.theregister.co.uk/2016/06/16/adobe_36_flash_flaws/

GitHub Resets Some User Passwords (June 16, 2016)

Some GitHub accounts were breached using username and password combinations stolen from a third-party online service. GitHub notes that it has "not been hacked or compromised." GitHub has reset passwords for affected accounts and is in the process of notifying the users.
-http://www.theregister.co.uk/2016/06/16/github_accounts_breached_password_reuse_
fail/
-http://www.zdnet.com/article/github-warns-some-accounts-compromised-after-reused
-password-attack/
[Editor's Note (Ullrich): Larger web sites have also started proactively disabling user accounts that have e-mail address / password combinations that have been leaked. Password reuse has also been identified as one reason TeamViewer accounts were compromised recently. If you reuse passwords, then stop now and get a password safe application to manage distinct passwords for different web sites. ]

Verizon Fixes Flaw in eMail System (June 16, 2016)

Verizon has fixed a vulnerability in its email system that could have been exploited to intercept messages and possibly hijack accounts. Verizon learned of the flaw on April 14 and fixed it on May 12.
-http://www.cnet.com/news/verizon-patches-email-flaw-that-exposed-user-accounts/

Man With Links to Terrorist Group Pleads Guilty to Stealing Data and Providing Material Support (June 15 and 16, 2016)

Ardit Ferizi has pleaded guilty to providing material support to a foreign terrorist organization and accessing a protected computer without authorization and obtaining information. Ferizi stole data belonging to more than 100,000 people from a US retail store, mined them for information belonging to members of the military, and provided the data to ISIL. Ferizi, who is a citizen of Kosovo, entered his plea before a federal judge in Virginia.
-http://www.scmagazine.com/hacker-pleads-guilty-to-providing-material-support-to-
isis/article/503519/
-http://www.zdnet.com/article/pro-isis-hacker-pleads-guilty-after-stealing-names-
of-1000-us-military-personnel/
-https://www.justice.gov/opa/pr/isil-linked-hacker-pleads-guilty-providing-materi
al-support
[Editor's Note (Honan): A good demonstration as to how data gathered for one purpose can be mined to be used for other more sinister purposes and reinforces why good data protection and security around all PII is critical. (Henry): This is the first time we've seen an investigation/prosecution where there's an overlap between theft of information and potential physical targeting. It is the same thing industry and national security experts have opined happened with the OPM breach...the theft of sensitive and important identifying data for potential espionage targeting. Understanding the full risk of data theft...beyond just comercial theft and financialis critically important for those responsible for protecting that data. ]

SAP Patches 21 Flaws (June 15 and 16, 2016)

SAP has released nearly two dozen patches for flaws in several products. Among the fixes is one for a flaw that was detected three years ago. The majority of the 21 patches are for issues in SAP's Business Intelligence and Business Warehouse products.
-http://www.theregister.co.uk/2016/06/15/sap_patch_batch_fixes_3_yr_old_vuln/
-http://www.scmagazine.com/sap-patches-three-year-old-vulnerability-plus-20-more-
flaws/article/503720/
SAP June critical Update:
-https://erpscan.com/press-center/blog/sap-security-notes-june-2016/
[Editor's Note (Williams): Many organizations we work with have SAP and other ERP apps in "run to fail" mode where developers and source code may be unavailable. Changes to configurations implemented through patching may break applications, leaving organizations with the bad choices of running their business critical applications or patching their servers. Organizations in such a position should adopt defense in depth models to limit risks to known vulnerable servers. ]

Adobe Flash Update Fixes 36 Flaws (June 16, 2016)

Adobe has released a security update for flash that addresses 36 flaws, including one that has been used in recent active exploits to install malware on vulnerable computers. Adobe normally issues monthly updates on the second Tuesday of the month, but delayed the June update by two days to include a fix for this flaw.
-http://www.theregister.co.uk/2016/06/16/adobe_36_flash_flaws/
-https://helpx.adobe.com/security/products/flash-player/apsa16-03.html

Air Force Data Corrupted, Recovered (June 15, 2016)

The US Air Force's Automated Case Tracking System database was corrupted earlier this spring, affecting ten years of internal investigation data. The database was administered by Lockheed Martin, which notified the Air Force of the problem on June 6. The data have since been recovered and the Air Force and Lockheed Martin are working together with Oracle to restore and stabilize the system before putting it back online. The Air Force is investigating the incident.
-http://www.cnet.com/news/a-crashed-computer-at-the-us-air-force-wiped-out-a-deca
des-worth-of-data/
-http://www.airforcetimes.com/story/military/2016/06/14/recoverable-100000-air-fo
rce-ig-reports-limbo-after-systemwide-crash/85865726/

Microsoft's Patch Tuesday (June 14 and 16, 2016)

On Tuesday, June 14, Microsoft released 16 bulletins to address at least 44 security issues in a variety of products. One of the patches, which is addressed in MS16-072, has been causing problems for users by exposing drives that are supposed to be hidden. Microsoft has acknowledged that there are permission problems with the patch as issued on June 14.
-http://krebsonsecurity.com/2016/06/microsoft-patches-dozens-of-security-holes/
-https://technet.microsoft.com/en-us/library/security/mt637763.aspx
[Editor's Note (Williams): The most significant widely applicable patch this month is the one that effectively ends WPAD MITM attacks (MS16-077,
-https://technet.microsoft.com/en-us/library/security/ms16-077.aspx).
If you are running a Windows DNS server, take an outage window and patch now. MS16-071 could allow attackers to gain remote code execution by sending a crafted DNS request (
-https://technet.microsoft.com/en-us/library/security/ms16-071.aspx).]

---

INTERNET STORM CENTER TECH CORNER

Group Policy Issues After Applying MS16-072 (KB3159398)
-https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783
dbbe34/patch-tuesday-kb3159398?forum=winserverGP

Apple Will Reject Apps Using HTTP
-https://developer.apple.com/videos/play/wwdc2016/706/

Rising AntiVirus Includes Malware (article only in german)
-http://www.heise.de/security/meldung/Virenscanner-infiziert-Systeme-mit-Sality-V
irus-3237654.html

Breached RDP Servers For Rent
-https://www.wired.com/2016/06/xdedic-server-trading-forum-kaspersky/

Adobe Patches Critiical Flash Vulnerability
-https://helpx.adobe.com/security/products/flash-player/apsb16-18.html

Teamviewer Users May be Compromised by Trojaned Client
-http://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewe
r-versions-exploited-backdoors-keylogging/

HTTP Header Injection in Python urllib
-http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create