SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #52

July 01, 2016

TOP OF THE NEWS

Critical Vulnerabilities in Symantec and Norton Products
US Courts 2015 Wiretap Report
Ukrainian Bank Takes a SWIFT Hit

THE REST OF THE WEEK'S NEWS

UK Government Websites Must Switch to HTTPS with HSTS
Cisco Patches Authentication Bypass Vulnerabilities
ACLU Files Legal Challenge to Computer Fraud and Abuse Act
Congressional Subcommittee Publishes "A Primer on the Encryption Debate"
Noodles & Company Payment Card Breach
CCTV Camera Botnet
IRS Cybersecurity Improvements
Pending Russian Legislation Would Require Companies to Decrypt Communications
New US-EU Data Transfer Agreement Expected to Win Approval

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

******************** Sponsored By Cisco Systems *************************

Do you know who is lurking on your network? Several high-profile data breaches have reminded us that devastating attacks do not always involve scheming criminals and sophisticated malware. Sometimes it's your own employees or trusted vendors who are exposing confidential data - whether they mean to or not. To learn more, download "Combating the Insider Threat," an e-book brought to you by Lancope, now part of Cisco.
http://www.sans.org/info/186932

***************************************************************************

TRAINING UPDATE

--SANS London Summer 2016| London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016

--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016

--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

***************************************************************************

---

TOP OF THE NEWS

Critical Vulnerabilities in Symantec and Norton Products (June 28 and 30, 2016)

Symantec has fixed eight vulnerabilities in its security software. The critical flaws could be exploited without user interaction to allow remote code execution or damage default configurations of the affected products. In all, 17 Symantec products and eight Norton products are affected. Google's Project Zero notified Symantec of the vulnerabilities; the fixes were released before Project Zero released details of the flaws. The fixes are included in product updates, but some products cannot be automatically updated, so administrators will need to update manually.

[Editor Comments ]
(Northcutt): The majority of organizations represented by the GIAC Advisory Board chose to do out-of-cycle patches. In fact, many of them reported patching before DevOps had even read about the problems. This is that serious; do not delay.
(Ullrich): Update affected Symantec products as soon as possible. Proof of concept exploits have been released, and exploits taking advantage of these vulnerabilities may already have been released. It isn't really all that surprising that security software has problems securely implementing features like decompression which are notoriously difficult to implement and cause many of the vulnerabilities in software like image and video decoders.
Read more in: Ars Technica: High-severity bugs in 25 Symantec/Norton products imperil millions
-http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wormable-at
tack-by-unopened-e-mail-or-links/
ZDNet: Symantec security flaws are "as bad as they get," says researcher
-http://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/
BBC: Symantec security software had 'critical' flaws
-http://www.bbc.com/news/technology-36672002
Symantec Advisory: Security Advisories Relating to Symantec Products - Symantec Decomposer Engine Multiple Parsing Vulnerabilities
-https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=securi
ty_advisory&pvid=security_advisory&year=&suid=20160628_00

US Courts 2015 Wiretap Report (June 30, 2016)

According to the US Courts 2015 Wiretap Report, the total number of federal and state wiretaps issued in 2015 was 4,148, a 17 percent increase from the number granted in 2014. No requests were reported as denied in 2015. While law enforcement encountered encryption in just 13 of those cases, the FBI indicated that it does not seek wiretap orders in cases where it knows it will encounter encryption. The report does not include wiretap requests made to the Foreign Intelligence Surveillance Court.

[Editor Comments ]
(Henry): During my 24-year career in the FBI I've worked many cases that utilized wiretaps. The technique has been incredibly effective in uncovering wide-scale criminal activity, and was critical in demonstrating proof beyond a reasonable doubt to a judge and/or jury. This sensitive investigative technique is highly regulated within the Department of Justice and the FBI, and the requirements to obtain one are rigorous. Unlike movies and television, FBI agents can't just decide they want to "go up on a wire" and have a title III intercept within minutes. The process often requires weeks or even months of investigation to demonstrate that a particular device (a specific phone, for example) is being used for criminality. The request/affidavit then goes through multiple reviews by FBI attorneys and Assistant United States Attorney's, before it is even further reviewed at FBI headquarters and at the Department of Justice. After it is authorized, agents are mandated to regularly demonstrate to the court that the technique is uncovering criminal activity; if not, it must cease.
I can't speak for state and local wiretaps, but many FBI wiretap requests were "denied" during this internal process before they ever were presented to a federal judge. Only those that had rock solid probable cause, and would sustain the justified scrutiny of the judicial branch, were ever put forward. The FBI was very serious about civil liberties, and in my experience, always balanced the needs of security against privacy, in accordance with applicable laws and the US constitution. As it should be.
Read more in: The Register: Encryption, wiretaps and the Feds: THE TRUTH
-http://www.theregister.co.uk/2016/06/30/us_government_reports_encrypted_wiretaps
_declining/
ZDNet: US courts didn't reject a single wiretap request in 2015, says report
-http://www.zdnet.com/article/us-courts-did-not-reject-a-single-wiretap-last-year
-says-new-report/
The Hill: Wiretaps harvest fewer encrypted communications
-http://thehill.com/policy/cybersecurity/286177-wiretaps-harvest-fewer-encrypted-
communications
US Courts : Wiretap Report 2015
-http://www.uscourts.gov/statistics-reports/wiretap-report-2015

Ukrainian Bank Takes a SWIFT Hit (June 28, 2016)

Attackers stole US $10 million from a Ukrainian bank earlier this year through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging network. While the Ukrainian breach is the fifth publicly disclosed SWIFT-related theft, there are likely others that have not been reported.
Read more in: The Register: SWIFT hackers nick $10m from Ukraine bank
-http://www.theregister.co.uk/2016/06/28/swift_victim_ukraine/
SC Magazine: SWIFT robbers swoop on Ukrainian bank
-http://www.scmagazine.com/swift-robbers-swoop-on-ukrainian-bank/article/506352/
Reuters: Ukraine central bank flagged cyber-attack in April: memo
-http://www.reuters.com/article/us-cyber-heist-ukraine-idUSKCN0ZG2P1

---

*************************** SPONSORED LINKS *****************************
1) Don't Miss: Case Study: How a Managed Bug Bounty Program Enabled Faster Software Vulnerability Discovery and Mitigation at Aruba Solutions. Thursday, July 14th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with John Pescatore, Leif Dreizler, and Jon Green. http://www.sans.org/info/186937

2) Ransomware & Malvertising: Dominating the Threat Landscape. Thursday, July 14th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Pescatore, Dana Torgersen, and Adam Kujawa. Register: http://www.sans.org/info/186942

3) Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! http://www.sans.org/info/186947
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

UK Government Websites Must Switch to HTTPS with HSTS (June 30, 2016)

All UK Government Digital Services websites will be required to adopt HTTPS encryption by October 1, 2016. The sites will also be required to use HTTP Strict Transport Security (HSTS) to protect them from downgrade attacks, and to publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy for email systems.
Read more in: V3: GDS to demand that all government websites go HTTPS from 1 October
-http://www.v3.co.uk/v3-uk/news/2463410/gds-to-demand-that-all-government-website
s-go-https-from-1-october
Tom's Hardware: UK Government Websites To Be Secured By HTTPS, HSTS, DMARC By October 2016
-http://www.tomshardware.com/news/uk,32174.html
GDS Guidance (February 2016): Domain-based Message Authentication, Reporting and Conformance (DMARC))
-https://www.gov.uk/government/publications/email-security-standards/domain-based
-message-authentication-reporting-and-conformance-dmarc

Cisco Patches Authentication Bypass Vulnerabilities (June 30, 2016)

Cisco has released fixes for three vulnerabilities that could be exploited to bypass authentication and obtain full administrative privilege. The flaws affect Cisco's Lightweight Directory Access Protocol (LDAP) authentication; APIs used by Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM); and Firepower System Software.
Read more in: SC Magazine: Cisco patches critical flaws affecting device software
-http://www.scmagazine.com/cisco-patches-critical-flaws-affecting-device-software
/article/506818/
Cisco Advisories: Cisco Prime Collaboration Provisioning Lightweight Directory Access Protocol Authentication Bypass Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160629-cpcpauthbypass
Cisco Prime Infrastructure and Evolved Programmable Network Manager Authentication Bypass API Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160629-piauthbypass
Cisco Firepower System Software Static Credential Vulnerability
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160629-fp

ACLU Files Legal Challenge to Computer Fraud and Abuse Act (June 29, 2016)

The American Civil Liberties Union (ACLU) has filed a lawsuit challenging the Computer Fraud and Abuse Act (CFAA) on behalf of journalists, computer scientists, and academic researchers investigating online discrimination. The lawsuit focuses on a problematic CFAA provision: the prohibition against "exceeding authorized access" has often been interpreted to include violations of websites' terms of service.
Read more in: Washington Post: Does this cybercrime law actually keep us from fighting discrimination?
-https://www.washingtonpost.com/news/the-switch/wp/2016/06/29/does-this-cybercrim
e-law-actually-keep-us-from-fighting-discrimination/
Computerworld: ACLU lawsuit challenges U.S. computer hacking law
-http://www.computerworld.com/article/3089478/security/aclu-lawsuit-challenges-us
-computer-hacking-law.html
Wired: Researchers Sue the Government Over Computer Hacking Law
-https://www.wired.com/2016/06/researchers-sue-government-computer-hacking-law/
CNET: ACLU sues to kill decades-old hacking law
-http://www.cnet.com/news/aclu-sues-to-kill-decades-old-hacking-law/
SC Magazine: ACLU suit challenges CFAA for thwarting studies on discrimination
-http://www.scmagazine.com/aclu-suit-challenges-cfaa-for-thwarting-studies-on-dis
crimination/article/506511/
ACLU: ACLU Challenges Law Preventing Studies on 'Big Data' Discrimination
-https://www.aclu.org/news/aclu-challenges-law-preventing-studies-big-data-discri
mination
ACLU: SANDVIG V. LYNCH - COMPLAINT
-https://www.aclu.org/legal-document/sandvig-v-lynch-complaint

Congressional Subcommittee Publishes "A Primer on the Encryption Debate" (June 29, 2016)

The US House Subcommittee on Homeland Security has published a "primer" regarding the encryption debate in the legislature. The paper is based on "extensive discussions with stakeholders," and says that no legislation yet proposed adequately addresses the issue, noting that, "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix."
Read more in: Wired: Even Congress Is Slamming That Crummy Crypto Bill
-https://www.wired.com/2016/06/congressional-report-latest-slam-bad-crypto-bill/
US House: Going Dark, Going Forward: A Primer on the Encryption Debate
-https://homeland.house.gov/wp-content/uploads/2016/06/Going-Dark-Going-Forward.p
df

Noodles & Company Payment Card Breach (June 29, 2016)

US restaurant chain Noodles & Company has acknowledged that its registers were infected with malware, allowing thieves to steal customers' payment card details. The registers were leaking data between January 31 and June 2, 2016.

[Editor Comments ]
(Murray): As long as the card brands and issuers continue to publish credit card numbers in the clear on magnetic stripes, those numbers will continue to leak. A system that relies for its security and integrity on the diligence and competence of millions of non-expert merchants will fail routinely. It is time for the brands and issuers to acknowledge that their system is broken and announce a plan and schedule for fixing it.
Read more in: The Register: While you filled your face at Noodles and Co, malware was slurping your bank cards
-http://www.theregister.co.uk/2016/06/29/noodles_and_companys_limp_security_leads
_to_payment_card_breach/
Fortune: Noodles & Company Payment Data May Have Been Hacked
-http://fortune.com/2016/06/29/noodles-company-reports-possible-data-breach/
Noodles & Company: Notice of Data Security Incident
-http://www.noodles.com/security/

CCTV Camera Botnet (June 28, 2016)

Attackers are using a botnet made up of more than 25,000 closed-circuit television (CCTV) cameras to launch distributed denial-of-service (DDoS) attacks against websites. US security company Sucuri detected the botnet while investigating an attack against the website of one of its customers.

[Editor Comments ]
(Williams): During penetration tests, we regularly use video teleconferencing and/or security systems as initial entry points since they are infrequently patched. Patching programs must include these non-standard (and often unmanaged) devices as well.
Read more in: The Register: 25,000 malware-riddled CCTV cameras form network-crashing botnet
-http://www.theregister.co.uk/2016/06/28/25000_compromised_cctv_cameras/
Computerworld: Thousands of hacked CCTV devices used in DDoS attacks
-http://www.computerworld.com/article/3089365/security/thousands-of-hacked-cctv-d
evices-used-in-ddos-attacks.html
SC Magazine: Malware spawns botnet in 25,000 connected CCTV cameras
-http://www.scmagazineuk.com/malware-spawns-botnet-in-25000-connected-cctv-camera
s/article/505932/

IRS Cybersecurity Improvements (June 28, 2016)

The US Internal Revenue Service (IRS) is taking steps to improve its information security posture. The changes include adding 16-character verification codes for W-2 wage and tax forms. The agency also plans to increase public education about tax security.
Read more in: The Hill: IRS unveils new cyber safeguards
-http://thehill.com/policy/cybersecurity/285167-irs-unveils-new-cyber-safeguards
Federal News Radio: IRS to step up its cyber, fraud detection game after recent successes
-http://federalnewsradio.com/cybersecurity/2016/06/irs-step-cyber-identity-theft-
detection-game-recent-successes/

Pending Russian Legislation Would Require Companies to Decrypt Communications (June 27 and 28, 2016)

Members of Russia's Duma, the country's lower house of parliament, have passed legislation that would require telecommunications companies to help the government decrypt communications upon request. The bill would also require the companies to store three years' worth of phone call and messaging metadata, and six months worth of phone call and text message content. The bill now goes to the Federation Council, the upper house of Russia's parliament.

[Editor Comments ]
(Williams): Anticipating that other countries may pass similar laws, application developers that offer service platforms might start now considering how they would comply with this law, if passed. Too many application service providers lack the infrastructure to store 6 months of content.
Read more in: SC Magazine: Russia's Duma approves bill requiring decryption backdoors
-http://www.scmagazine.com/russias-duma-approves-bill-requiring-decryption-backdo
ors/article/506169/
ZDNet: Snowden to Putin: Reject surveillance plans to store all phone calls, data
-http://www.zdnet.com/article/snowden-to-putin-reject-surveillance-plans-to-store
-all-phone-calls-data/

New US-EU Data Transfer Agreement Expected to Win Approval (June 6 and 29, 2016)

The New York Times is reporting that the EU is expected to approve the new draft of the US-EU Privacy Shield data transfer agreement. The new framework, developed to replace the Safe Harbor agreement that the European Court of Justice struck down last year, "protects the fundamental rights of Europeans and ensures legal certainty for businesses," according to European Commission spokesman Christian Wigand. The absence of an agreement has left US companies in limbo regarding European customer data. In early June, the Hamburg (Germany) Data Commissioner fined three companies for using the defunct Safe Harbor agreement to transfer European customer data to the US.

[Editor Comments ]
(Honan): While agreement may have been reached, a number of hurdles stand in the way of passage. The first is that each of the member states of the EU have to pass the agreement. From there it will then be passed on to the College of Commissioners who will then validate the adequacy of the agreement.
Read more in: New York Times: Europe Is Expected to Approve E.U.-U.S. Data Transfer Pact
-http://www.nytimes.com/2016/06/30/technology/europe-is-expected-to-approve-eu-us
-data-transfer-pact.html?mod=djemCIO_h&_r=0
Reuters: German privacy regulator fines three firms over U.S. data transfers
-http://www.reuters.com/article/us-germany-dataprotection-usa-idUSKCN0YS23H

---

INTERNET STORM CENTER TECH CORNER

Odd User-Agents
-https://isc.sans.edu/forums/diary/What+is+your+most+unusual+UserAgent/21203/

ZimbraCrypt Ransomware
-http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-pytho
n-targets-zimbra-mail-store/

Hard Drives Still Not Wiped Before Selling Them on EBay
-http://www2.blancco.com/en-rs-leftovers-a-data-recovery-study

PhotoLogin Option For LogmeOnce
-https://www.logmeonce.com/photologin/

Critical Symantec AV Vulnerabilities
-http://googleprojectzero.blogspot.ca/2016/06/how-to-compromise-enterprise-endpoi
nt.html

Google "My Activity"
-https://myactivity.google.com/myactivity

Hashcat/OCLHashcat 3.0 Released
-https://hashcat.net/forum/thread-5559.html

Lenovo Thinkpad Firmware Reverse Analysis
-http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html

Linux Privilege Escalation Vulnerabilities
-http://www.openwall.com/lists/oss-security/2016/06/24/5

Phishing Campaign with Blurred Images
-https://isc.sans.edu/forums/diary/Phishing+Campaign+with+Blurred+Images/21207/

FoxIT Patches PDF Reader Security Flaws
-https://www.foxitsoftware.com/support/security-bulletins.php#content-2016

Vulnerabilities in StartCom's API
-https://www.computest.nl/blog/startencrypt-considered-harmful-today/

Hummer Trojan Leads Android Malware
-http://www.cmcm.com/blog/en/security/2016-06-29/995.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create