SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #53
July 05, 2016
TOP OF THE NEWS
DHS Secretary Pushes Critical Infrastructure Cyber Reorganization Plan
DoJ Official Says Cooperation Could Help Thwart Ransomware
FOIA Improvement Act Becomes Law
THE REST OF THE WEEK'S NEWS
Vulnerabilities in Siemens SICAM PAS
Lenovo ThinkPad Firmware Exploit
Qualcomm Processor Flaw Affects Android Phone Encryption
LizardStresser Botnet
Two-Hour Cyberattack Turnaround for Clearinghouses and Payment Systems
SQLite Patch
Satana Ransomware Encrypts Master Boot Record
INTERNET STORM CENTER TECH CORNER
******************** Sponsored By Cisco Systems *************************
Who's lurking on your network? Several high-profile data breaches reminded us that devastating attacks don't always involve scheming criminals and sophisticated malware. Sometimes it's your own employees or trusted vendors exposing confidential data - whether they mean to or not. Download "Combating the Insider Threat," an e-book from Lancope, now part of Cisco
http://www.sans.org/info/186952
***************************************************************************
TRAINING UPDATE
--SANS London Summer 2016 | London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016
--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016
--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016
--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016
--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016
--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016
--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016
--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016
--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016
--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016
***************************************************************************
TOP OF THE NEWS
DHS Secretary Pushes Critical Infrastructure Cyber Reorganization Plan (June 30 and July 1, 2016)
US Department of Homeland Security (DHS) Secretary Jeh Johnson told the Senate Judiciary Committee that he has "asked Congress to authorize the establishment of a new operational Component within DHS, the Cyber and Infrastructure Protection Agency." The new agency would replace the National Protection and Programs Directorate.
[Editor Comments]
(Paller): This is DHS's most important cyber mission - the only one where DHS's continuing failure to lead places the nation at risk. DHS's own data shows that, on average, power companies do not discover they have been penetrated for 15 months - enough time for attackers to burrow deep and establish pathways for disrupting and destroying massive generators in case hostilities break out or a non-state actor just decides to cause havoc. DHS has not done well because the skills of the managers and staff are a mismatch for the challenges of industrial control system security. Reorganizing won't help; that's just rearranging chairs on the Titanic. If the Secretary believes the problem is real, he needs an outside oversight board of technical and management wizards who know how those attacks are carried out -- that he charges with questioning strategies and forcing rapid skills improvement for employees and contractors.
Read more in: The Hill: DHS head pushes cyber reorganization
-http://thehill.com/policy/cybersecurity/286277-dhs-head-pushes-cyber-reorganization
FCW: Johnson: Biometric exit moving ahead
-https://fcw.com/articles/2016/06/30/johnson-nppd-judiciary.aspx
US Senate Judiciary: Oversight of the Department of Homeland Security
-http://www.judiciary.senate.gov/meetings/06/23/2016/oversight-of-the-department-of-homeland-security
DHS: Written testimony of DHS Secretary Jeh Johnson
-https://www.dhs.gov/news/2016/06/30/written-testimony-dhs-secretary-jeh-johnson-senate-committee-judiciary-hearing
DoJ Official Says Cooperation Could Help Thwart Ransomware (June 28, 2016)
Speaking at the Center for Strategic and International Studies (CSIS), assistant US attorney general for national security John Carlin said that improved communication between law enforcement and companies could help thwart ransomware attacks. Carlin said, "As long as people are handling [ransomware attacks] on their own and making payments, we're funding the development of more of these tools and more of these actors."
[Editor Comments]
(Ullrich): People pay for ransomware for the same reason that they pay ransom in kidnappings: They don't believe law enforcement is efficient in countering the threat fast enough. In order for law enforcement to become relevant to ransomware victims, law enforcement would need to take an active role in helping victims restore operations. For example, law enforcement (e.g., DoJ or DHS) would have to assist in the development of decryption tools for various ransomware strains.
(Honan): Ransomware can be prevented by following many simple security principles. The fact that it is so widespread highlights how we have failed as an industry to promote good security hygiene amongst businesses and individuals.
Read more in: FCW: To fight ransomware, DOJ wants companies to talk more
-https://fcw.com/articles/2016/06/28/carlin-ransomware-justice.aspx
FOIA Improvement Act Becomes Law (June 30 and July 1, 2016)
President Obama has signed the Freedom of Information Act (FOIA) Improvement Act into law. It "codifies a statutory presumption of openness," clarifying the need for agencies to justify their decision to withhold information rather than placing the burden of justification on the entity making the request. The bill also places a 25-year limit on the length of time agencies may keep internal deliberations confidential, and it requires the Office of Management and Budget (OMB) to create a single-access website for making FOIA requests.
[Editor Comments]
(Pescatore): FOIA is about 50 years old now and it was one of the early examples that proved "security through obscurity doesn't work." For the actual sensitive stuff, just saying "we won't mention it" never works - and in the long run it doesn't work for the weak and squishy and embarrassing stuff, either. Over 100 years ago Supreme Court Justice Louis Brandeis said "Sunlight is said to be the best of disinfectants; electric light the most efficient policeman" - of course, now we know that ultraviolet light and other new technologies are even *better* but the principle still holds.
Read more in: SC Magazine: Obama signs FOIA reform bill into law
-http://www.scmagazine.com/obama-signs-foia-reform-bill-into-law/article/506958/
Federal News Radio: Obama celebrates 50th anniversary of FOIA by signing update into law
-http://federalnewsradio.com/omb/2016/06/obama-celebrates-foias-50th-anniversary-signing-update-law/
White House: Fact Sheet: New Steps Toward Ensuring Openness and Transparency in Government
-https://www.whitehouse.gov/the-press-office/2016/06/30/fact-sheet-new-steps-toward-ensuring-openness-and-transparency
*************************** SPONSORED LINKS *****************************
1) SANS 2016 Financial Security Survey - Help SANS determine strengths and weaknesses in financial info systems. http://www.sans.org/info/186957
2) Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! http://www.sans.org/info/186962
3) Case Study: How a Managed Bug Bounty Program Enabled Faster Software Vulnerability Discovery and Mitigation at Aruba Solutions. Thursday, July 14, 2016 at 11:00am (EDT/US Eastern) with John Pescatore, Leif Dreizler and Jon Green. http://www.sans.org/info/186967
***************************************************************************
THE REST OF THE WEEK'S NEWS
Vulnerabilities in Siemens SICAM PAS (July 5, 2016)
The US Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an advisory warning regarding a pair of vulnerabilities in Siemens's SICAM Power Automation System substation control software. According to a Siemens advisory, a fix is currently available for one of the two flaws; a fix for the second is in development.
[Editor Comments]
(Murray): Most vulnerabilities have "work-arounds." Vendors and others need to be identifying and publishing these while awaiting "patches."
Read more in: The Register: Vuln drains energy sector control kit
-http://www.theregister.co.uk/2016/07/05/vuln_drains_energy_sector_control_kit/
ICS-CERT Advisory: Advisory (ICSA-16-182-02) Siemens SICAM PAS Vulnerabilities
-https://ics-cert.us-cert.gov/advisories/ICSA-16-182-02
Siemens Advisory: SSA-444217: Information Disclosure Vulnerabilities in SICAM PAS
-https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-444217.pdf
Lenovo ThinkPad Firmware Exploit (July 3 and 4, 2016)
A privilege elevation vulnerability in a Unified Extensible Firmware Interface (UEFI) driver could be exploited to disable firmware write protection on Lenovo ThinkPads. The issue may affect other vendors' devices as well, because the flawed code originated in Intel reference code. The ThinkPwn proof-of-concept exploit uses the driver to achieve "execution of code in system management mode (SMM) ... with local administrative access." Code running in SMM can turn off flash write protection, which gives an attacker a persistent foothold that survives operating system reinstallation and a way to defeat Windows security features that depend on the firmware. Lenovo is working on a fix.
[Editor Comments]
(Ullrich): This vulnerability very likely affects systems well beyond ThinkPads and Lenovo. The code in question was derived from Intel's sample code, and the company that wrote this part of the BIOS (not Lenovo) likely delivered the same code to other OEMs as well. Watch for firmware updates and apply them soon. This vulnerability would allow an attacker to gain persistent access to a compromised system by overwriting the firmware.
(Williams): Lenovo is relying on code written by another organization, but it is suffering all of the bad PR. You can delegate authority but never responsibility.
Read more in: Computerworld: Firmware exploit can defeat new Windows security features on Lenovo ThinkPads
-http://www.computerworld.com/article/3090950/security/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html
The Register: Lenovo scrambling to get a fix for BIOS vuln
-http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/
Lenovo Advisory: System Management Mode (SMM) BIOS Vulnerability
-https://support.lenovo.com/us/en/solutions/LEN-8324
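What a practitioner can check on an Intel-based laptop while waiting for Lenovo's fix, added here as an example (it is not part of ThinkPwn, Lenovo's advisory, or the original page): decode the chipset's BIOS_CNTL register and one SPI protected-range register to see which kind of flash write protection the firmware actually enabled. The register location assumed below (byte 0xDC of the LPC bridge at PCI 00:1f.0) and the bit layout are those of Intel PCHs up to the 9-series; newer chipsets move the register, and chipsec's bios_wp module handles those per-chipset differences. Reading the live value needs root and Linux sysfs; without that the script decodes constructed sample values.

```python
"""Decode Intel PCH BIOS write-protection registers (added example, not ThinkPwn/Lenovo code)."""

# Assumed register location: on Intel PCHs up to the 9-series, BIOS_CNTL is
# byte 0xDC of the LPC bridge's PCI config space (bus 0, device 31, function 0).
# Newer PCHs move it to the SPI controller (00:1f.5); chipsec's bios_wp module
# knows the per-chipset locations, this script only decodes the bits.
LPC_CONFIG = "/sys/bus/pci/devices/0000:00:1f.0/config"
BIOS_CNTL_OFFSET = 0xDC

BIOSWE = 1 << 0   # BIOS Write Enable: flash is writable while set
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI instead
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes honoured only from SMM


def decode_bios_cntl(value):
    """Return the three protection-relevant bits of BIOS_CNTL as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def bios_cntl_verdict(value):
    """Classify what BIOS_CNTL buys against an attacker with ring-0 access.
    None of the three settings stops code that already runs in SMM, which is
    exactly what ThinkPwn provides."""
    bits = decode_bios_cntl(value)
    if bits["BIOSWE"] or not bits["BLE"]:
        return "unprotected: flash writable from ring 0"
    if not bits["SMM_BWP"]:
        return "smi-enforced: the SMI handler must veto writes, so SMM code decides"
    return "smm-only: only SMM may write; bypassed by any SMM code execution"


def decode_protected_range(pr):
    """Decode one SPI Protected Range register (PR0..PR4).
    Layout: bit 31 write-protect enable, bits 28:16 limit (4 KiB units),
    bit 15 read-protect enable, bits 12:0 base (4 KiB units).  Once the
    flash controller's FLOCKDN bit is set these are read-only until reset,
    so they hold even against code running in SMM."""
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return {
        "write_protected": bool(pr & (1 << 31)),
        "read_protected": bool(pr & (1 << 15)),
        "base": base,
        "limit": limit,
        "covers_bytes": (limit - base + 1) if limit >= base else 0,
    }


def read_bios_cntl(path=LPC_CONFIG, offset=BIOS_CNTL_OFFSET):
    """Read BIOS_CNTL through sysfs (needs root and an Intel LPC bridge).
    Returns None when that is not possible so the caller can fall back."""
    try:
        with open(path, "rb") as f:
            f.seek(offset)
            data = f.read(1)
    except OSError:
        return None
    return data[0] if data else None


if __name__ == "__main__":
    value = read_bios_cntl()
    if value is None:
        value = 0x22  # constructed sample: BLE=1, SMM_BWP=1, BIOSWE=0
        print("could not read BIOS_CNTL; decoding constructed sample 0x22")
    print("BIOS_CNTL=0x%02x %s -> %s"
          % (value, decode_bios_cntl(value), bios_cntl_verdict(value)))
    # Constructed sample PR0: write-protect 0x200000..0x7fffff of the flash.
    print("PR0 sample:", decode_protected_range(0x87FF0200))
```

The point of the verdict strings: BIOSWE, BLE and SMM_BWP all assume the SMI handler is trustworthy, so a host whose only protection is BIOS_CNTL is exactly what an SMM code-execution bug like ThinkPwn defeats. Protected ranges locked with FLOCKDN are the setting that survives an SMM compromise, which is why chipsec reports them separately.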
Qualcomm Processor Flaw Affects Android Phone Encryption (July 1 and 4, 2016)
A flaw affecting some Qualcomm Snapdragon processors in Android phones could be exploited to weaken full disk encryption. The problem lies in Qualcomm's TrustZone-based secure environment (the Qualcomm Secure Execution Environment, QSEE): Android derives the disk encryption key from the user's PIN or password together with a key that is only meant to be usable by code running inside that environment, and flaws in the environment allow that key to be extracted, after which the PIN or password can be brute-forced off the device. The problems were patched in January and May of this year, but not all Android devices have received the update.
Read more in: Ars Technica: Android's full-disk encryption just got much weaker-here's why
-http://arstechnica.com/security/2016/07/androids-full-disk-encryption-just-got-much-weaker-heres-why/
SC Magazine: Kernel vulnerability in Qualcomm processors weakens Android phone encryption
-http://www.scmagazine.com/kernel-vulnerability-in-qualcomm-processors-weakens-android-phone-encryption/article/506966/
CIO: Android full disk encryption can be brute-forced on Qualcomm-based devices
-http://www.cio.com/article/3091087/android-full-disk-encryption-can-be-brute-forced-on-qualcomm-based-devices.html
LizardStresser Botnet (June 30 and July 2, 2016)
The LizardStresser botnet has been used to launch 400Gbps distributed denial-of-service (DDoS) attacks against websites using bandwidth of compromised Internet of Things (IoT) devices. The number of LizardStresser command-and-control servers has grown recently, likely because the botnet source code was made public last year.
[Editor Comments]
(Honan and Murray): We are going to see a significant increase in insecure devices on the Internet thanks to the Internet of Things. In the rush to get products to market many vendors are overlooking simple and basic security principles. This will be further compounded when these devices need to have a security update applied as many consumers won't have the skills or the inclination to do so. The answer to this does not rely on the consumer having to learn how to secure their devices but on responsibility and liability for insecure devices being placed squarely on the shoulders of the vendors.
Read more in: eWeek: LizardStresser Botnet Launches 400G-bps Attack on IoT Devices
-http://www.eweek.com/security/lizardstresser-botnet-launches-400g-bps-attack-on-iot-devices.html
ZDNet: LizardStresser botnet targets IoT devices to launch 400Gbps attacks
-http://www.zdnet.com/article/lizardstresser-botnet-targets-iot-devices-to-launch-400gbps-attacks/
Two-Hour Cyberattack Turnaround for Clearinghouses and Payment Systems (June 29, 2016)
The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published cyber resilience guidance for the world's financial market infrastructures. The guidance requires that, by June 2017, payment systems and financial clearinghouses have plans in place for restoring core operations within two hours of a cyberattack.
[Editor Comments]
(Honan): Anyone responsible for high availability systems and/or networks should read the IOSCO Guidance on Financial Resilience for Financial Market Infrastructures as many of the principles outlined are applicable across various industries and not just financial clearing systems.
-https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf
Additional excellent resources on the ENISA website at
-https://www.enisa.europa.eu/
(Northcutt): The "two hours" is significant because it appears to be the only hard and fast metric in the document. Most of the recommendations are cast as "should" and "may" and that means you can't reliably reach the requirement of a two-hour return to operations.
(Ullrich): This goal sounds very ambitious. A rushed restoration plan could in some cases lead to incomplete containment of the threat and lead to further service interruption.
(Pescatore): The IOSCO guidance report is pretty much YALLOSTTD - Yet Another Long List of Security Things to Do, layered across the usual Protect/Detect/Respond timeline. The 2-hour goal for restoration is a good thing - whether 2 hours is too long/too short isn't as important as at least having a measurable and consistent metric on that. They should have agreed on a similar number for Time to Detect, which is one of the biggest drivers in Time to Restore.
(Williams): Cost and time to recover from an incident is directly proportional to the time that an attacker is allowed to dwell in the network before detection. Organizations should focus first on detection since recovery only begins after detection occurs.
Read more in: The New York Times: Clearing Houses Must Be Able to Recover From Hacking in Two Hours
-http://www.nytimes.com/reuters/2016/06/29/business/29reuters-exchange-cyber-regulations.html
IOSCO: Press Release
-https://www.iosco.org/news/pdf/IOSCONEWS433.pdf
IOSCO: Guidance on Financial Resilience for Financial Market Infrastructures
-https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf
SQLite Patch (July 4, 2016)
Open source database project SQLite has released a security update to fix a problem in the way it chooses the directory for its temporary files. On unix, SQLite walks a list of candidate temporary directories; if it settles on one with unsafe permissions, the temporary files it creates there can leak data to other local users, and the library can behave in other unsafe ways. The fix shipped in SQLite 3.13.0.
[Editor Comments]
(Williams): Although SQLite is used and embedded in many applications, this vulnerability is unlikely to be exploited in any practical setting. The vulnerability is only exploitable when none of /tmp, /var/tmp, and /usr/tmp are set to have read, write, and execute permissions (a non-default configuration). Even then, exploitation is complex.
Read more in: The Register: SQLite developers need to push the patch
-http://www.theregister.co.uk/2016/07/04/sqlite_developers_need_to_push_the_patch/
SQLite: SQLite Release 3.13.0 On 2016-05-18
-https://www.sqlite.org/releaselog/3_13_0.html
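The check a practitioner would want here, added as an example and not SQLite's own code: walk SQLite's unix search order ($SQLITE_TMPDIR, $TMPDIR, /var/tmp, /usr/tmp, /tmp; older releases also had "." in the list), accept a directory only if it is writable and searchable, not world-writable without the sticky bit, and owned by root or the current user, and fail closed rather than fall back to the working directory. The acceptance rules and the three constructed directories in demo() are this example's; the etilqs_ prefix is the one SQLite uses for its temp files.

```python
"""Fail-closed temporary-directory selection (added example, not SQLite's own code)."""
import os
import stat
import tempfile

# SQLite's unix search order is $SQLITE_TMPDIR, $TMPDIR, /var/tmp, /usr/tmp,
# /tmp; older releases also tried the current directory ".".  The acceptance
# checks below are this example's own hardening.
DEFAULT_CANDIDATES = (
    os.environ.get("SQLITE_TMPDIR"),
    os.environ.get("TMPDIR"),
    "/var/tmp",
    "/usr/tmp",
    "/tmp",
)


def temp_dir_problems(path):
    """Return the reasons `path` must not hold our temp files (empty list = safe)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if not os.access(path, os.W_OK | os.X_OK):
        problems.append("not writable and searchable by this user")
    # World-writable without the sticky bit: any local user can rename or
    # unlink our files and race us on creation.
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        problems.append("world-writable without sticky bit")
    if st.st_uid not in (0, os.geteuid()):
        problems.append("owned by another user (uid %d)" % st.st_uid)
    return problems


def pick_temp_dir(candidates=DEFAULT_CANDIDATES):
    """First safe candidate, otherwise an exception: never fall back to the
    current working directory, which may be world-writable or attacker-chosen."""
    for directory in candidates:
        if directory and not temp_dir_problems(directory):
            return directory
    raise RuntimeError("no safe temporary directory among %r" % (candidates,))


def make_private_tempfile(directory):
    """mkstemp opens with O_CREAT|O_EXCL and mode 0600, so nobody can pre-create
    or read the file; the caller owns the descriptor and unlinks the name."""
    return tempfile.mkstemp(dir=directory, prefix="etilqs_")


def demo():
    """Constructed scenario: candidate directories with different modes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        layout = {"open_777": 0o777, "sticky_1777": 0o1777, "private_700": 0o700}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod after mkdir so the umask cannot interfere
            results[name] = temp_dir_problems(path)
        candidates = [os.path.join(root, n)
                      for n in ("missing", "open_777", "sticky_1777", "private_700")]
        chosen = pick_temp_dir(candidates)
        results["chosen"] = os.path.basename(chosen)
        fd, filename = make_private_tempfile(chosen)
        os.close(fd)
        results["tempfile_mode"] = stat.S_IMODE(os.stat(filename).st_mode)
        os.unlink(filename)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices matter more than the candidate list: the search raises instead of returning whatever is left, and the file itself is created with O_EXCL and mode 0600 so that even a directory that passes the checks cannot be turned into a data leak by a second local user.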
Satana Ransomware Encrypts Master Boot Record (June 29 and July 1, 2016)
Ransomware known as Satana encrypts not only user files but also the computer's master boot record (MBR), which makes it impossible to load the operating system. According to Malwarebytes, Satana is still under development. It is the second known strain of ransomware that targets MBRs; the first was Petya, which was detected in March.
Read more in: Computerworld: Satana ransomware encrypts user files and master boot record
-http://www.computerworld.com/article/3090543/security/satana-ransomware-encrypts-user-files-and-master-boot-record.html
Malwarebytes Blog: Satana ransomware - threat coming soon?
-https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
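A first check a responder can run over sector 0 of a disk image, or over any sector suspected of holding an encrypted copy of the original MBR, added here as an example and not code from Malwarebytes or the original page: parse the 512-byte record, verify the 0x55AA signature, sanity-check the four partition entries, and measure the Shannon entropy of the boot-code area, since ciphertext or random bytes read close to 8 bits/byte while real boot code sits far lower. The 7.0 bits/byte threshold and both sample sectors are constructed for the example and say nothing about Satana's specific on-disk layout.

```python
"""Sanity-check a 512-byte master boot record (added example, not Malwarebytes' code)."""
import hashlib
import math
import struct

SECTOR = 512
PT_OFFSET = 446           # partition table: 4 entries of 16 bytes at 446..509
BOOT_SIG = b"\x55\xaa"    # bytes 510..511 of a valid MBR
ENTROPY_SUSPICIOUS = 7.0  # bits/byte; heuristic threshold chosen for this example


def shannon_entropy(data):
    """Bits per byte: ciphertext and random data approach 8, boot code stays well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_partition_entry(raw):
    """Classic 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "type": ptype, "lba_start": lba, "sectors": sectors}


def analyse_mbr(sector):
    """Return the boot-code entropy, the non-empty partition entries and a list of findings."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR)
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entropy = shannon_entropy(sector[:PT_OFFSET])
    if entropy > ENTROPY_SUSPICIOUS:
        findings.append("high-entropy boot code (%.2f bits/byte): encrypted or random" % entropy)
    entries = [parse_partition_entry(sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    used = [e for e in entries if e["type"] != 0]
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (i, e["status"]))
        if e["type"] and e["sectors"] == 0:
            findings.append("entry %d: zero-length partition" % i)
    if sum(1 for e in entries if e["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    if not used:
        findings.append("empty partition table")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    if any(b0 < a1 for (a0, a1), (b0, b1) in zip(spans, spans[1:])):
        findings.append("overlapping partitions")
    return {"entropy": entropy, "partitions": used, "findings": findings,
            "looks_sane": not findings}


def healthy_sample():
    """Constructed MBR: a few real-mode setup opcodes padded with zeros, one NTFS partition."""
    code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 20).ljust(PT_OFFSET, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIG


def encrypted_sample():
    """Constructed stand-in for an encrypted MBR: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(b"mbr-demo-%d" % i).digest() for i in range(16))


if __name__ == "__main__":
    for name, sample in (("healthy", healthy_sample()), ("encrypted", encrypted_sample())):
        report = analyse_mbr(sample)
        print("%s: entropy=%.2f sane=%s findings=%s"
              % (name, report["entropy"], report["looks_sane"], report["findings"]))
```

Run it with `dd if=/dev/sdX bs=512 count=1` output (or the first 512 bytes of an image) in place of the samples. A record that passes every structural check but shows near-random boot code deserves a second look, and a record that fails the signature check while the disk still boots means the real MBR was relocated, which is where the search for the encrypted original starts.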
INTERNET STORM CENTER TECH CORNER
Change in patterns for the pseudoDarkleech Campaign
-https://isc.sans.edu/forums/diary/Change+in+patterns+for+the+pseudoDarkleech+campaign/21217/
ThinkPad SMM Arbitrary Code Execution Exploit
-https://github.com/Cr4sh/ThinkPwn
SQLite Temp File Vulnerability
-http://seclists.org/fulldisclosure/2016/Jul/0
AVG Publishes Multi-Ransomware Decryption Tool
-http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/
Euro 2016 App Leaks User's Data
-http://wandera.com/downloads/Euro_Paper.pdf
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create